NanoCert

DigiCert® NanoCert provides secure certificate handling, enrollment, and validation for embedded and IoT devices by integrating directly into C/C++ applications.

NanoCert delivers certificate management capabilities with a focus on efficiency and security.

  • Small memory footprint optimized for embedded and IoT devices.
  • Accelerated integration of complex cryptographic functions.
  • FIPS 140-2 Level 1 validated cryptography (optional).
  • NSA Suite B cryptography support (upgrade option).
  • Open standards-based, RFC compliant implementation.
  • Complete SCEP and EST client functionality.
  • Automated certificate enrollment, renewal, revocation, and validation.
  • OS- and platform-agnostic design for seamless portability.
  • Threadless, asynchronous architecture.
  • GPL-free code that protects your intellectual property.

NanoCert is available under two licensing models, described in the License section below.

License

This project is available under a dual-license model:

  • Open Source License: GNU Affero General Public License v3 (AGPL v3): This license allows you to use, modify, and distribute the code for free in accordance with AGPL terms.
  • Commercial License: If you wish to use TrustCore SDK in a proprietary or commercial product (e.g., embedded in closed-source firmware or commercial SaaS applications), a commercial license is available under DigiCert’s Master Services Agreement (MSA). Contact us at sales@digicert.com for commercial licensing details.

Before you begin

To effectively use NanoCert, you should be familiar with:

  • C/C++ programming: NanoCert is provided as ANSI C source files (.c and .h). You’ll need to integrate these with your application code and understand how to work with C-style structures and function calls.
  • Your operating system: While NanoCert is largely platform-independent, you should understand fundamental operations within your target environment, including networking capabilities and external device communication.
  • Security concepts: This guide provides necessary background information, but assumes basic familiarity with cryptographic concepts, PKI (Public Key Infrastructure), digital certificates, and secure communication protocols.

FIPS and Suite B support

The Federal Information Processing Standard (FIPS) Publications 140-2 and 140-3 are U.S. government computer security standards used to accredit cryptographic modules. FIPS 140-2/3 validation is a requirement when selling products containing embedded cryptography to the U.S. government, and the standards have increasingly been adopted as baseline requirements by regulated industries such as finance, manufacturing, and healthcare.

The National Institute of Standards and Technology (NIST) established the Cryptographic Module Validation Program (CMVP), which validates cryptographic modules to FIPS 140-2/3 (see http://csrc.nist.gov/groups/STM/cmvp). For information about the FIPS 140-2/3-certified NanoCrypto FIPS binary, refer to the NIST website at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/1401vend.htm.

Suite B cryptography is a set of cryptographic algorithms and protocols specified by NIST that are approved by the NSA for protecting classified and unclassified National Security Systems (NSS). If your TrustCore SDK product is used with the TrustCore SDK FIPS binaries, then the Suite B algorithms are already included.

Theory of operation

NanoCert uses industry-standard protocols to automate certificate management tasks that traditionally required manual administration. The solution streamlines registering end entities, revoking certificates, and publishing Certificate Revocation Lists (CRLs).

NanoCert implements public key cryptography standards including:

  • PKCS #7: Specifies certificate signing and certificate request response formats
  • PKCS #10: Defines certificate request formatting
  • HTTP: Provides client-server transport functionality

The library also includes comprehensive certificate management utilities for:

  • Key generation and management
  • Certificate parsing, encoding, and decoding
  • Certificate store management
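The certificate parsing listed above is where an embedded PKI client is most exposed: every PKCS #10 request, PKCS #7 response, and X.509 certificate arrives as DER, and a length field that is trusted without checking it against the bytes actually received is a classic out-of-bounds read. The following is an added example, not NanoCert or TrustCore SDK code and not its API: a minimal bounds-checked DER TLV reader in plain C, used to walk the outer layers of a PKCS #10 CertificationRequest and extract its version field. The sample request bytes are constructed for the example (valid DER framing with placeholder key and signature, not a real signed request); the function names `der_read_tlv` and `csr_version` are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define DER_SEQUENCE 0x30
#define DER_INTEGER  0x02

typedef struct {
    uint8_t tag;
    size_t len;          /* content length declared by the encoding */
    const uint8_t *val;  /* start of the content bytes */
    size_t total;        /* bytes consumed by header + content */
} der_tlv;

/* Decode one DER TLV header at the start of buf[0..buflen).
 * Returns 0 on success, -1 if the encoding is malformed or the
 * declared length would run past the end of the buffer. */
int der_read_tlv(const uint8_t *buf, size_t buflen, der_tlv *out)
{
    size_t pos = 0, len = 0;
    if (buf == NULL || out == NULL || buflen < 2)
        return -1;
    uint8_t tag = buf[pos++];
    if ((tag & 0x1f) == 0x1f)           /* high-tag-number form: not used in X.509/PKCS #10 */
        return -1;
    uint8_t first = buf[pos++];
    if (first < 0x80) {
        len = first;                     /* short form: one byte holds the length */
    } else {
        size_t nbytes = first & 0x7f;    /* long form: the next nbytes carry the length */
        if (nbytes == 0 || nbytes > sizeof(size_t))
            return -1;                   /* indefinite length (BER only) or absurd width */
        if (buflen - pos < nbytes)
            return -1;                   /* length bytes themselves are truncated */
        for (size_t i = 0; i < nbytes; i++)
            len = (len << 8) | buf[pos++];
        if (len < 0x80 || (nbytes > 1 && buf[pos - nbytes] == 0x00))
            return -1;                   /* DER requires the shortest length encoding */
    }
    if (len > buflen - pos)              /* declared length exceeds the bytes available */
        return -1;
    out->tag = tag;
    out->len = len;
    out->val = buf + pos;
    out->total = pos + len;
    return 0;
}

/* Walk the outer layers of a PKCS #10 CertificationRequest:
 *   SEQUENCE { certificationRequestInfo SEQUENCE { version INTEGER, ... }, ... }
 * Returns the version field, or -1 if the structure is not well-formed DER. */
int csr_version(const uint8_t *buf, size_t buflen)
{
    der_tlv outer, info, version;
    if (der_read_tlv(buf, buflen, &outer) != 0 || outer.tag != DER_SEQUENCE)
        return -1;
    if (outer.total != buflen)           /* reject trailing bytes after the request */
        return -1;
    if (der_read_tlv(outer.val, outer.len, &info) != 0 || info.tag != DER_SEQUENCE)
        return -1;
    if (der_read_tlv(info.val, info.len, &version) != 0 || version.tag != DER_INTEGER)
        return -1;
    if (version.len != 1)                /* PKCS #10 defines only version 0 */
        return -1;
    return version.val[0];
}

/* Constructed sample: a structurally valid PKCS #10 skeleton (version 0, empty
 * subject, rsaEncryption AlgorithmIdentifier, placeholder BIT STRINGs).
 * Only the DER framing is meaningful; it is not a real signed request. */
static const uint8_t SAMPLE_CSR[] = {
    0x30, 0x31,                                    /* CertificationRequest, 49 content bytes */
      0x30, 0x1c,                                  /* certificationRequestInfo, 28 bytes */
        0x02, 0x01, 0x00,                          /* version INTEGER 0 */
        0x30, 0x00,                                /* subject: empty Name */
        0x30, 0x13,                                /* subjectPKInfo */
          0x30, 0x0d,                              /* algorithm: rsaEncryption, NULL params */
            0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x01,
            0x05, 0x00,
          0x03, 0x02, 0x00, 0x00,                  /* subjectPublicKey: placeholder */
        0xa0, 0x00,                                /* attributes [0]: none */
      0x30, 0x0d,                                  /* signatureAlgorithm: sha256WithRSAEncryption */
        0x06, 0x09, 0x2a, 0x86, 0x48, 0x86, 0xf7, 0x0d, 0x01, 0x01, 0x0b,
        0x05, 0x00,
      0x03, 0x02, 0x00, 0x00                       /* signature: placeholder */
};

/* Constructed malformed inputs: a length claiming far more content than is
 * present, and a non-minimal (BER-style) long-form length that DER forbids. */
static const uint8_t OVERLONG_TLV[]   = { 0x30, 0x7f, 0x02, 0x01, 0x00 };
static const uint8_t NONMINIMAL_LEN[] = { 0x30, 0x82, 0x00, 0x03, 0x02, 0x01, 0x00 };

int main(void)
{
    printf("sample version: %d\n", csr_version(SAMPLE_CSR, sizeof SAMPLE_CSR));
    printf("truncated:      %d\n", csr_version(SAMPLE_CSR, 40));
    printf("overlong:       %d\n", csr_version(OVERLONG_TLV, sizeof OVERLONG_TLV));
    printf("non-minimal:    %d\n", csr_version(NONMINIMAL_LEN, sizeof NONMINIMAL_LEN));
    return 0;
}
```

The three rejection paths matter as much as the success path: a truncated buffer, a length field larger than the buffer, and a non-minimal length encoding are each refused before any content byte is dereferenced, which is the property an enrollment client parsing responses from the network must hold regardless of which library implements it.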

Standards

NanoCert supports the following industry standards:

  • X.509 v3 certificate format
  • X.509 v2 CRL format
  • RFC 2251 — LDAP (Lightweight Directory Access Protocol) (v3)
  • RFC 2252 — LDAP (v3): Attribute Syntax Definitions
  • RFC 2254 — String Representation of LDAP Search Filters
  • RFC 2255 — LDAP URL Format
  • RFC 2256 — A Summary of the X.500(96) User Schema for use with LDAPv3
  • RFC 2560 — Online Certificate Status Protocol - OCSP
  • RFC 2616 — Hypertext Transfer Protocol - HTTP/1.1
  • RFC 2617 — HTTP Authentication: Basic and Digest Access
  • RFC 2830 — Lightweight Directory Access Protocol (v3): Extension for Transport Layer Security
  • RFC 3280 — X.509 certificate and CRL profiles
  • RFC 4210 — Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)
  • RFC 5759 — Suite B Certificate and Certificate Revocation List (CRL) Profile
  • IETF Draft — draft-nourse-scep-14.txt
  • draft-ietf-ldapext-ldap-c-api-05 — The C LDAP Application Program Interface
  • 3GPP TS 33.310 — Network Domain Security/Authentication Framework (NDS/AF)