NanoCert
DigiCert® NanoCert provides embedded and IoT devices with secure certificate handling, enrollment, and validation capabilities by integrating directly into C/C++ applications.
NanoCert delivers certificate management capabilities with a focus on efficiency and security.
Small memory footprint optimized for embedded and IoT devices.
Accelerated integration of complex cryptographic functions.
FIPS 140-2 Level 1 validated cryptography (optional).
NSA Suite B cryptography support (upgrade option).
Open standards-based, RFC compliant implementation.
Complete SCEP and EST client functionality.
Automated certificate enrollment, renewal, revocation, and validation.
OS- and platform-agnostic design for seamless portability.
Threadless, asynchronous architecture.
GPL-free code that protects your intellectual property.
Before you begin
To effectively use NanoCert, you should be familiar with:
C/C++ programming: NanoCert is provided as ANSI C source files (.c and .h). You’ll need to integrate these with your application code and understand how to work with C-style structures and function calls.
Your operating system: While NanoCert is largely platform-independent, you should understand fundamental operations within your target environment, including networking capabilities and external device communication.
Security concepts: This guide provides necessary background information, but assumes basic familiarity with cryptographic concepts, PKI (Public Key Infrastructure), digital certificates, and secure communication protocols.
FIPS and Suite B support
Theory of operation
NanoCert uses industry-standard protocols to automate certificate management tasks that traditionally required manual administration. The solution streamlines registering end entities, revoking certificates, and publishing Certificate Revocation Lists (CRLs).
NanoCert implements public key cryptography standards including:
PKCS #7: Specifies certificate signing and certificate request response formats
PKCS #10: Defines certificate request formatting
HTTP: Provides client-server transport functionality
The library also includes comprehensive certificate management utilities for:
Key generation and management
Certificate parsing, encoding, and decoding
Certificate store management
Standards
NanoCert supports the following industry standards:
X.509 v3 certificate format
X.509 v2 CRL format
RFC 2251 — LDAP (Lightweight Directory Access Protocol) (v3)
RFC 2252 — LDAP (v3): Attribute Syntax Definitions
RFC 2254 — String Representation of LDAP Search Filters
RFC 2255 — LDAP URL Format
RFC 2256 — A Summary of the X.500(96) User Schema for use with LDAPv3
RFC 2560 — Online Certificate Status Protocol - OCSP
RFC 2616 — Hypertext Transfer Protocol - HTTP/1.1
RFC 2617 — HTTP Authentication: Basic and Digest Access
RFC 2830 — Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security
RFC 3280 — X.509 certificate and CRL profiles
RFC 4210 — Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)
RFC 5759 — Suite B Certificate and Certificate Revocation List (CRL) Profile
IETF Draft — draft-nourse-scep-14.txt
draft-ietf-ldapext-ldap-c-api-05 — The C LDAP Application Program Interface
3GPP TS 33.310 — Network Domain Security/Authentication Framework (NDS/AF)