CA Application

Summary

Usage and configuration instructions for this module are available in the following associated documentation: Digi-CA™ Administrator Guide.

Digi-CA™ the complete Certificate Authority [CA] system
CA Application Service [CAAS]

The CA Application Service [CAAS] Service Module is intended to provide target TSP Server and OCSP Responder services to the Time-Stamping Gateway and OCSP Gateway Service Modules.

The design concept for this Service Module arose from the results of security assessments applied to the RFC 3161 and RFC 2560 standards; these concepts are described further in chapters 3.2 and 3.3 above.

CAAS has direct access to, and makes regular use of, the TSA and OCSP VA private keys designated for signing Time-Stamp tokens and OCSP response messages. Because CAAS is NOT intended to be exposed to public access, the likelihood of the TSA or VA private key being accidentally exposed to an illegitimate party is very small, regardless of whether the key is stored in a software or Hardware Security Module.

CAAS was designed to remain in a protected network zone where public access is physically impossible. It is a software library built to work with an instance of the Apache web server and can therefore be considered an Apache module. Its functionality is limited to the following purposes:

    a. Receive and serve Time-Stamp Requests
    b. Receive and serve OCSP Requests
    c. Respond to relevant requests by producing Time-Stamp tokens
    d. Respond to relevant requests by producing OCSP responses

Note: although CAAS will only accept legitimate requests from either of the Gateway Service Modules, it is still possible to set up CAAS in combination with any of the Gateway Service Modules in a traditional manner. Such a setup would allow you to install CAAS with TSG and/or OCSPG on a single server. This type of deployment is very useful in a closed private environment where request volumes are predictable and where corporate security policies are actively maintained and followed by IT personnel.

The CAAS uses the same private key storage and access techniques as the CSP Service Module and these techniques are described in more detail above.

Gateway Service Modules connect to CAAS over the secure HTTPS [HTTP over SSL/TLS] protocol, addressing it by Uniform Resource Locator [URL]. Request messages are accepted as HTTP POST requests.

The CAAS module is configured and activated inside the Apache web server configuration and can be applied per site, per virtual host or per physical directory. It is loaded the moment the Apache web server starts.
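As an added illustration, not taken from the Digi-CA Administrator Guide, the following Apache configuration shows how a CAAS-style module can be loaded and its TSP and OCSP endpoints exposed only to the Gateway hosts over HTTPS with client certificates, so that the key-bearing service is never reachable from the public network. The module file, handler names, addresses, paths and certificate subject names are assumed placeholders; the real directive names come from the vendor documentation.

```apacheconf
# Added example; not the vendor's configuration.
# "mod_caas", "caas-tsp" and "caas-ocsp" are placeholder names for the
# module and its request handlers.
LoadModule caas_module modules/mod_caas.so

# Bind only to the protected-zone interface, never to 0.0.0.0.
Listen 10.0.5.10:8443
<VirtualHost 10.0.5.10:8443>
    ServerName caas.internal.example

    SSLEngine on
    SSLProtocol -all +TLSv1.2 +TLSv1.3
    SSLCertificateFile    /etc/pki/caas/server.crt
    SSLCertificateKeyFile /etc/pki/caas/server.key

    # Only the Gateway Service Modules may call CAAS: every client must
    # present a certificate issued by the internal gateway CA.  Leaving
    # SSLVerifyClient at its default ("none") would let any host that can
    # route to this address submit requests to the signing service.
    SSLVerifyClient require
    SSLVerifyDepth 2
    SSLCACertificateFile /etc/pki/caas/gateway-ca.crt

    # Time-Stamp Requests (RFC 3161) are accepted only as HTTP POST,
    # only from the gateway hosts, and only with the gateway's certificate.
    <Location "/caas/tsp">
        SetHandler caas-tsp
        <RequireAll>
            Require method POST
            Require ip 10.0.5.20 10.0.5.21
            Require expr %{SSL_CLIENT_S_DN_CN} in { "time-stamp-gateway" }
        </RequireAll>
    </Location>

    # OCSP Requests (RFC 2560) follow the same pattern for the OCSP Gateway.
    <Location "/caas/ocsp">
        SetHandler caas-ocsp
        <RequireAll>
            Require method POST
            Require ip 10.0.5.30
            Require expr %{SSL_CLIENT_S_DN_CN} in { "ocsp-gateway" }
        </RequireAll>
    </Location>

    # Everything else on this virtual host is refused.
    <Location "/">
        Require all denied
    </Location>
</VirtualHost>
```

Because the two Location blocks are more specific than "/", they take precedence over the catch-all denial; a request to any other path, or to the listed paths without a verified gateway certificate, receives an HTTP 403.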

Important Note: the CAAS Service Module can place significant demands on your servers and IT hardware environment and should only be deployed and offered to relying parties if you have infrastructure that meets the recommended High Availability model.