This Guide is intended to provide general information on the basic concepts, design, deployment and use of the Digi-CA™ Public Key Infrastructure [PKI] system. It is assumed that the audience and readers of this guide have a basic understanding of the concepts of information technology, PKI and the use of X.509 digital public key certificates.
If you are planning to deploy Digi-CA™ inside your organisation, ensure you read this document first, before attempting to perform a new standalone or distributed installation of the system.
In cryptography, a Certificate Authority or Certification Authority [CA] is an entity that issues digital certificates for use by other parties. It is an example of a trusted third party. A CA issues digital certificates that contain a public key and the identity of the public key owner. The matching private key is not similarly made available publicly, but kept secret by the end user who owns the key pair. The certificate is also an attestation by the CA that the public key contained in the certificate belongs to the person, organization, software or hardware device or other entity noted in the certificate. A CA's obligation in such schemes is to verify an applicant's credentials, so that users and relying parties can trust the information in the CA's certificates.
Digi-CA™ is a complete Certificate Authority system for organisations that want to operate their own CA and to own and manage a PKI for digital certificates, either inside the organisation or over the Internet. Digi-CA™ generates and manages digital Public Key Certificates that are used for a variety of purposes, most commonly electronic signatures, authentication of natural persons or devices, and secure email.
The Digi-CA™ system can create multiple instances of independent Certification Authorities in a single Digi-CA™ deployment. The Digi-CA™ model delegates trust downwards from Root CAs to their Subordinate CAs, following the concept of a layered hierarchy. The same Digi-CA™ system also enables a CA to be cross-signed by an external third-party CA. As a result of this design principle, trust in the Digi-CA™ model increases towards the highest authority. This arrangement facilitates easy deployment and scalability for any PKI requirement, from the smallest to the largest.
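The delegation described above, as an added example that is not Digi-CA™ code: a Root CA signs itself, signs a Subordinate CA, which in turn signs an end-entity certificate, and a relying party accepts the end-entity certificate only when it chains to a root it already trusts. Written in Go against the standard `crypto/x509` package; the names and the demo serial-number scheme are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Issue creates a certificate for cn. A nil parent means the certificate signs itself (a Root CA); otherwise parent's key signs it, which is how trust is delegated downwards in the hierarchy.
func Issue(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // demo code: a real CA returns the error
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo serial (assumption); a real CA keeps a persistent counter
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true, // encode basicConstraints so CA:TRUE/FALSE is explicit
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign // CA keys sign certificates and CRLs
	}
	if parent == nil {
		parent, parentKey = tmpl, key // no issuer above: the Root CA signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER just produced by CreateCertificate always parses
	return cert, key
}

// ChainVerifies is the relying-party check: leaf must chain, via the supplied intermediates, to a Root CA the verifier already trusts; no other root will do.
func ChainVerifies(trustedRoot, leaf *x509.Certificate, intermediates ...*x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(trustedRoot)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
	return err == nil
}
```

Build a hierarchy with three calls to Issue (root with nil parent, subordinate signed by the root, end entity signed by the subordinate); ChainVerifies then fails when the subordinate certificate is omitted or when a different root is trusted.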
The Digi-CA™ System provides a full scale of services necessary for the management of X.509 certificates. An overview of these services is presented in the table below.
| Digi-CA™ service overview | |
|---|---|
| End Entity registration | Time-Stamping |
| Certificate issuance | Online Certificate Status Protocol [OCSP] |
| Certificate re-signing | Multi-CA system engine |
| Certificate renewal | Cross-Certification management |
| Certificate dissemination | Certificate Revocation List [CRL] generation |
| Certificate revocation | CRL distribution & dissemination |
| Certificate suspension | Entity based multi-key management |
| Certificate de-suspension | Certificate profile management |
| Certificate expiration notification | Certificate Enrolment Policy Management |
| Event logging & auditing service | Support for hardware cryptographic module devices |
| Hierarchical CA operations | Support for Smart Cards and USB Tokens |

Table 0.1
In addition, Digi-CA™ offers the following supplementary services:
The core and supplementary CA services are further described in the Digi-CA™ Service Modules