[1] The first component in ensuring a properly configured CA is the naming document. Its formal title is the New Issuing Authority Naming Application. This document contains the information necessary to properly configure a CA.
After the Digi-CAST2™ Consultant and the Customer have defined the Customer's CA, the Digi-CAST2™ Consultant will give you a copy of the completed naming document that has been signed by both the Digi-CAST2™ Consultant and the Customer. You will use the information in the naming document to create the CA. Detailed information about the naming document is available in Chapter 4, "Key Ceremony Preparation".
The keys generated today are new keys: no keys currently reside on the HSM device that will be used during this ceremony. This is noted for the benefit of any party participating in this ceremony to whom it is relevant.
It is important to note that the Key Generation and Certificate Signing operations occur entirely within the HSM device, which uses a FIPS 140 approved pseudo-random number generator. That generator is seeded periodically from a random bit-value accumulator fed with unpredictable input from an electronic noise source.
The prime number generator used in RSA key pair generation resides entirely within the HSM and is covered by FIPS 140.
The software and the procedures were tested to ensure that the keys were valid and that the import and export procedures worked as required.
The source code was examined to ensure that its operation was correct.
Issue | Subject DN | Issuer DN | .req | .509
…………… | …………………………… | …………………………… | …………… | ……………
…………… | …………………………… | …………………………… | …………… | ……………
2. The computer has a hard disk which has been pre-prepared with a fresh installation of a [Red Hat Enterprise Linux, version 5.0] operating system, the requisite HSM driver, nToken authentication PCI device, HSM device Support Software and the Digi-CA™ PKI System, both acting as the Cryptographic Operation Control Software. The software was tested for correct operation prior to the Key Ceremony by using an HSM reserved for backup purposes.
3. The Key Access Component Cards are going to be distributed to the appointed Key Access Component Holders during a later event of this ceremony. It is, however, important to note that the Key Access Component Holders are the only holders possessing the PIN codes necessary to access the data stored on these smart cards. Before this step can be completed, each appointed Key Access Component Holder must now write down their new PIN code on a dedicated PIN paper sheet and put the PIN paper sheet with the written PIN code into an envelope indicating their full personal name. Each envelope is to be placed on the Inventory Table and remain unsealed for the duration of the entire Key Ceremony. All attending Witnesses must ensure that the Key Access Component Holders insert their PIN Code paper sheets into the correct envelopes, i.e. those indicating their full personal name.
The Key Ceremony Administrator should now place a sufficient number of empty Key Access Component Cards on top of the envelopes containing the PIN Code paper sheets. It is important to note that the video camera should continuously record all activities related to access to the Key Access Component Cards and to the envelopes containing the PIN Code paper sheets.
The Key Ceremony Administrator is now going to note in this script the new Name of the newly configured Key Access Component Card Set, the Serial Number of each Key Access Component Card that is about to be used, and the details of each Key Access Component Holder (below). All attending Key Ceremony Witnesses must ensure that the date entered into the script, the full personal name of each Key Access Component Holder and the Serial Number of the Key Access Component Card they are about to use are correct. They must also place their signature where indicated (below) in this section of the script.
Key Access Component Card Set
Name: …………………………………………………………………………………………………………………
Key Access Component Holder #1
Full Name: …………………………………………………………………………………………………………………
Card Serial Number: ……………………………………………………………………………………………
Key Access Component Holder #2
Full Name: …………………………………………………………………………………………………………………
Card Serial Number: ……………………………………………………………………………………………
Key Access Component Holder #3
Full Name: …………………………………………………………………………………………………………………
Card Serial Number: ……………………………………………………………………………………………
Key Access Component Holder #4
Full Name: …………………………………………………………………………………………………………………
Card Serial Number: ……………………………………………………………………………………………
Key Access Component Holder #5
Full Name: …………………………………………………………………………………………………………………
Card Serial Number: ……………………………………………………………………………………………
[1] During the Key Access Component Card Set Configuration, at least two people from the Key Ceremony Attendees list of personnel were present at all times. No other personnel were permitted access to the room. The Cryptographic Operation Control Software required a PIN code to be entered before the software could communicate with any smart card (holding encryption key component [Key Access Component Card]) used during the Key Access Component Card Set configuration.
[1] 4. Since the private key we are about to use is encrypted and access protected, the Key Ceremony Administrator will require any 3 (three) Key Access Component Holders from the previously created Key Access Component Card Set to separately follow the steps below:
b. Re-read and memorize their PIN code, which was previously written on their PIN Code paper sheet
c. Confirm that they have memorized their PIN code
d. Place their PIN Code paper sheet back into their envelope and place the envelope, unsealed, back on the Inventory Table
e. Take their smart card from the Inventory Table and when requested by the Key Generation Ceremony Administrator, walk towards the HSM device
f. When requested by the Key Generation Ceremony Administrator, insert their smart card into the smart card reader interface of the HSM device and when requested by the Key Generation Ceremony Administrator, enter their memorized PIN Code.
g. When requested by the Key Generation Ceremony Administrator, remove the smart card from the HSM smart card reader interface and place their smart card back on the Inventory Table on top of their PIN envelope.
The above sequence of steps will be repeated for each of the Key Access Component Holders selected by the Key Ceremony Administrator.
All attending Witnesses must ensure that each Key Access Component Holder accesses only their own Key Access Component Card and PIN envelope. They must also ensure that all PIN Code paper sheets remain in their envelopes, which are not sealed, and that the relevant Key Access Component Cards reside on top of each envelope on the Inventory Table at the end of this step.
Furthermore, all Witnesses must ensure that the correct private key is used during this step. This is achieved by cross-checking that the private key identifier file name and its file system path are both entered correctly by the Key Ceremony Administrator at the command prompt; both must match the private key details recorded in the Key Map Document. The private key should be dedicated for use only with the new Root CA created today, hence the cross-check.
5. The previous step left the private key used to sign the newly created Root CA Certificate offline. It also permanently associated that private key with the new Root CA we created.
6. The Root CA Signing is now declared complete.
During this step, the Key Ceremony Administrator, using the Cryptographic Operation Control Software, will create a new Subordinate CA and assign it to a dedicated private key that was previously generated during this ceremony. The newly created Subordinate CA will be signed by the Root CA that was created earlier during this ceremony.
To complete this process, the Key Ceremony Administrator will use a Naming Document that contains the details of the new Subordinate CA we are about to sign to create a certificate profile configuration file. This file contains the certificate-related information such as the Subject Distinguished Name, Validity Period, Signature Algorithm, Certificate Serial Number and Certificate extensions, and is used by the Cryptographic Operation Control Software to create the new Subordinate CA certificate.
All attending Witnesses must ensure that the certificate details entered into the certificate profile configuration file by the Key Ceremony Administrator match the details contained in the Naming Document used during this ceremony. The new Subordinate CA Certificate details must be taken from the section of the Naming Document specifically dedicated to the Subordinate CA for which the certificate is being created.
During this step the Key Ceremony Administrator will capture and store in the Key Map Document any relevant informational output produced on the computer screen by the Cryptographic Operation Control Software.
8. Key Ceremony Conclusion
9. Key Ceremony Attendees Present
Name Title Company Signature
[This page printed blank to allow notes to be made]
_______________________________________________________________________
CA Owner Organization Name:
___________________________________________________________
CA Owner Organization’s Address:
___________________________________________________________
CA Owner Organization’s Telephone Number:
___________________________________________________________
I confirm that I am in receipt of the following Component(s):
Description Details:
_________________________________________________________________________
_________________________________________________________________________
I confirm that:
I understand that I am an official Component Receipt Shareholder.
I must keep my Component information secret.
I will only reveal my Component information at scheduled Key Ceremony events.
Under penalties of perjury, I declare to the best of my knowledge and belief, that the information I have provided is true, correct, and complete.
Signature: ___________________________________ Date: ____________________
I attest that:
I have validated the identity of this Key Access Component Holder
Under penalties of perjury, I declare to the best of my knowledge and belief, that the information I have provided is true, correct, and complete.
Notary Signature: _____________________________ Date:____________________
_______________________________________________________________________
Organization Name:
___________________________________________________________
Organization Address:
___________________________________________________________
Telephone Number: ___________________________________________________________
Professional License and/or Association Number(s):_________________________
This letter of attestation is being provided on behalf of the following entity:
CA Owner Organization’s Name:
________________________________________________________________
CA Owner Organization’s Address:
________________________________________________________________
CA Owner Organization’s Telephone Number:
________________________________________________________________
I attest that:
Under penalties of perjury, I declare to the best of my knowledge and belief, that the information I have provided is true, correct, and complete.
Signature: ___________________________________ Date: ____________________
Notary Signature: _____________________________ Date: ____________________
Appendix III – Entry/Exit Log
________________________________________________________________
CA Owner Organization’s Address:
________________________________________________________________
CA Owner Organization’s Telephone Number:
________________________________________________________________
Links:
[1] https://www.digi-sign.com/downloads/digi-ca-admin-manual
[2] https://www.digi-sign.com/public+key+infrastructure