Digi-Sign, The Certificate Corporation
Published on Digi-Sign, The Certificate Corporation (https://www.digi-sign.com)


By Digi-Sign
Created Dec 4 2010 - 17:13

Buyer's Guide

Digi-CA™ the complete Certificate Authority [CA] system
Introduction

This guide is intended to assist buyers in selecting [1] the correct Digi-CA™ Certificate Authority [CA] system for their environment. It is assumed that the audience and readers of this guide have a basic understanding of the concepts of information technology, CA systems and the use of digital certificates and signatures.

Reasons for Using a Certificate Authority [CA]

Organisations choose to use a CA for many reasons, and ultimately it relates to using the internet to improve efficiency, reduce costs and/or increase market reach. In almost every instance, using the internet in these ways raises security issues: identifying users, authenticating transactions, events and times, the need for secure servers, digital document and workflow signing and related matters.

Whilst a CA cannot address every conceivable security issue, it solves most of them. There are several recognised CA providers, but few can compete with the ease-of-use and management capabilities offered by Digi-CA™ [1].

What Digital Certificates are Used For

A CA issues digital certificates and digital signatures for use by end users or servers. They are used for securing servers (i.e. https:// and the ‘little yellow lock’ that is seen when making payments online) and also for:

  • e-Invoices [2]
  • Code signing [3]
  • Digital signatures [4]
  • Qualified signatures [5]
  • Two factor authentication [6]
  • Document/transaction signing [7]
  • Email authentication and/or encryption [8]

Introduction

Digi-CA™

Digi-CA™ is the complete CA system for organisations that would like to have their own CA or would like to own and manage a Public Key Infrastructure [PKI] for digital certificates, inside the organisation, or over the Internet. Digi-CA™ generates and manages digital public key certificates that are used for a variety of different purposes, most commonly for secure server connection [1], electronic signatures, natural person and/or device authentication and for secure email.

The Digi-CA™ system can create multiple instances of independent CAs in a single Digi-CA™ system deployment. The Digi-CA™ model imposes delegation of trust downwards from Root CAs to their Subordinate CAs using a concept called ‘layered hierarchy’. The same Digi-CA™ system also enables a CA to be cross signed by an external third party CA. As a result of this design principle, the trust level in the Digi-CA™ model increases towards the highest authority. This type of arrangement facilitates easy deployment and scalability of any PKI requirement, from the smallest to the largest.

Digi-CA™ Service

Digi-CA™ can be delivered as an installed Software CA, or as a Managed CA service [9]. Uniquely, both the Managed Digi-CA™ Service and the installed Digi-CA™ Server software [10] use the same common, core technology. This is important because in selecting Digi-CA™ it is possible to begin with Digi-CA™ Service and migrate to Digi-CA™ Server with ease.

It is possible to use the distributed architectural design of Digi-CA™ to implement the concept of a ‘Shared CA’ where different modules of the system are hosted and managed in separate geographical locations.



Benefits

Digi-CA™

Digi-CA™ replaces older Legacy CA systems using the latest in CA and PKI technologies and benefits from combining commercial and open source software initiatives. With Digi-CA™, all of the complexities and onerous technical overhead that were required by Legacy CAs have been simplified to a ‘user-friendly’ and usable level.

Combining the consulting and professional services [1] offered by Digi-CAST™ with the functions provided by Digi-CA™ can bring an organisation to a highly professional PKI level, meeting the criteria for internationally recognised accreditation standards such as WebTrust® and ISO 27001 certifications.

Compliance to international standards: Digi-CAST™ follows the international industry standards for PKI and CA systems [11] so that it can easily fit into almost any certificated IT infrastructure and work seamlessly within that environment. This compliance to standards is important when considering current requirements and potential future requirements too.

Programming language: All components of the Digi-CAST™ [1] system kernel have been developed in C on Unix, which is considered the most stable, secure and efficient language and operating system for the development of PKI & CA systems.

Centralised Management: A web based ‘system management centre’ for all operated CAs, RAs & LRAs makes it ideal for operation as an installed standalone CA system or as a Managed CA [1].

‘Futureproof’: By its very design, the entire Digi-CAST™ system can be in house, totally outsourced or a combination of the two, and this can be decided at any stage during the life of the system. So you can purchase [1] what you need today, safe in the knowledge that you can easily migrate and move all or part of the system to the Managed CA alternative to meet your future demands.

Ease of integration: Whether now or in the future, because it is LDAPv3 compliant, Digi-CAST™ can publish X.509 certificates and Certificate Revocation [12] Lists [CRL] to other directories. This is a significant factor when considering integration with existing or future environments.

Scalability: Digi-CAST™ can scale easily and with minimal or no interruption of live operations. This is important when considering the future growth of your requirements. It is also possible to add additional hardware [13] to expand the system capacity and services and to conduct cross certification.

Continuous operation: When considering the future growth of your requirements, live production can continue uninterrupted while adding more CAs, RAs and LRAs. These capabilities ensure the CA remains operational and without interruption throughout.

Customisation to your requirements: The custom multi-layer CA hierarchy and the RA and LRA distribution can be modified, extended and changed at any stage and, again, this can be done without affecting the operation of the live environment.

‘Look & feel’ customisation: The entire Digi-CAST™ system's interfaces, at all its levels, can be easily changed using Cascading Style Sheets [CSS]. This ability to completely change the ‘look and feel’ of the system eases the deployment to your end users, because they know you but may not be familiar with the CA vendor. It also helps with integrating seamlessly into web sites and other online systems.

Multiple Languages: Language localisation is “plug n’ play” for displaying all interfaces in your desired language(s). This further helps the deployment to end users and reduces ‘help desk calls’ (where users are really looking for a translation of help files, etc).

Custom profile, enrolment & DN capabilities supplied as standard: Certificate profiles and enrolment policies can be customised, and therefore fully custom certificate subject Distinguished Name [DN] attributes and certificate extensions are possible. This is particularly important when meeting national & international standards, and the cost of providing these capabilities from other systems can be considerable.

CA Flexibility: Ability to operate multiple independent CA hierarchies from a single system instance without the need to install multiple software applications on multiple server computers to run each CA hierarchy.

RA Flexibility: Multiple independent Registration Authority [RA] instances from a single system without needing to install multiple applications on multiple servers to run each RA.

100% browser independent: 100% certificate enrolment web browser, platform and operating system independence.

Root CA cross certification: Digi-CAST™ offers the capability of cross certification between your Root CA and any other CA.

Trusted Root capability: It can also be cross certified by a Trusted Root CA for issuing trusted SSL certificates and secure, signed and/or encrypted email.

Best training & knowledge transfer: With the largest online searchable PKI & CA KnowledgeBase, the extensive documentation offered, the Digi-TaSC system and the many different types of training offered, this proposal offers the most comprehensive training programme for your personnel.

Overall most capable & most competitively priced: Digi-CAST™ achieves the best blend of meeting your current requirements and possible future ones too. Its highly customisable and flexible features mean it will meet future demands easily, without incurring downtime, service interruption or unwieldy costs.

Choosing

Digi-CA™

The simplicity of the design of the complete Digi-CA™ system means that the same system can be purchased initially as a service [14]. Later, if needed, the software [15] version can be deployed and later scaled for enterprise, large scale and even national PKI use, with minimum or no disruption. This is made possible by the modular architecture used in the development of the Digi-CA™ system.

Modular Architecture

The modular architecture of Digi-CA™ provides its components in Service Modules [14]. Here is the list of modules currently available (for further details, refer to the Digi-CA™ Deployment Guide).

Module Name                    | Code  | Services Provided
Cryptographic Service Provider | CSP   | Certificate & CRL Generation Services
Time-Stamping Gateway          | TSG   | Digital Time-Stamping Service
OCSP Gateway                   | OCSPG | Real time Revocation Status Service
CA Application Service         | CAAS  | TSG and OCSPG gateway services connector
CA Management Console          | CAMC  | Web based Certification Authority management
RA Management Console          | RAMC  | Web based Registration Authority management
Entity Registration Service    | ERS   | Web based End Entity Registration management
Content Dissemination Service  | CDS   | Certificate and CRL dissemination management

Deployment Models
Digi-CA™ the complete Certificate Authority [CA] system

The above diagram shows each module of Digi-CA™ [14] distributed across multiple servers for use in a large scale enterprise/government PKI.

Versions

Digi-CA™ Versions

This modular architecture permits Digi-CA™ to meet almost any requirement. The principal delivery models are:

  Digi-CA™ Service - Managed CA [9]  
  Digi-CA™ Server - CA Software [10]  
  Digi-CA™ Shared - Dedicated CA [11]  

It is possible to build [16] a custom Digi-CA™ solution that will meet all your requirements. This sophisticated online shopping cart assists you in selecting the correct Digi-CA™ and also demonstrates the many add-ons available to meet those requirements. For further information use this URL:

http://www.digi-sign.com/product/digi-ca [17]

Service

Digi-CA™ Versions

Digi-CA™ Service is the Managed CA [9] and is the service that is provided online using the Application Service Provider [ASP] or Software-as-a-Service [SaaS] delivery model. There is no hardware or software requirement at the customer site.

Choosing Digi-CA™ Service

Unless there is a very specific reason why your organisation must own and locate its own CA system [1], then Digi-CA™ Service will most probably meet all of your requirements. As a service offering it is more cost effective both financially and from a human resource/time consumption perspective.

Digi-CA™ Service Charges

Digi-CA™ Service is charged on an annual recurring fee that is based on the number of digital certificates [1] issued each year. The annual fee covers all maintenance, administration and day-to-day system support that is required to keep the Digi-CA™ operational. For further information use this URL:

http://www.digi-sign.com/product/digi-ca [17]

Server

Digi-CA™ Versions

Digi-CA™ Server is the CA Software that is installed on a server in a data centre [10] or at the customer site. Digi-CA™ charges a ‘once off’ initial license fee that is based on the cost of the software, its configuration and installation and then the number of certificates required over the life of the product's use.

Choosing Digi-CA™ Server

Unless there is a very specific reason why your organisation must own and locate its own CA system, then Digi-CA™ Service [9] will most probably meet all of your requirements. If ownership and a specific geographic location are firm requirements, Digi-CA™ Server is probably your best choice.

Once personnel are properly trained, they should be able to manage and administer the system with ease. Digi-CA™ Server also has the ability to be accessed using a highly secure Virtual Private Network [VPN] connection, where Digi-CAST™ personnel can assist with escalated technical matters using direct access to the system.

Digi-CA™ Server Charges

Apart from the initial license fee, the only other fees you pay are the annual license fee to cover upgrades, patches and application telephone support and optional annual support fees that can be purchased in ‘blocks of tickets’ where a single support case uses one support ticket until the case is solved.

Server Deployment

Digi-CA™ the complete Certificate Authority [CA] system

When considering a centralised or distributed deployment model of Digi-CA™ [10], bear in mind that Digi-CA™ requires a pre-established network infrastructure; having this in place is a key objective for a successful deployment of this system.

Digi-CA™ the complete Certificate Authority [CA] system

Although Digi-CA™ does not require, or rely on, a specific network design, careful network architecture planning [1] is strongly recommended prior to the deployment of this system. The diagrams below, as examples only, illustrate the two most common deployment methodologies: one with all Service Modules centralised on a single server, and the other with the services distributed across several servers as an alternative.

Digi-CA™ the complete Certificate Authority [CA] system

Related Digi-CA™ Server Cost Considerations

As an installed Software CA [10], Digi-CA™ Server will require at least one, if not multiple servers, networking and at least one internet connection. The minimum software and hardware requirement to deploy a standard Digi-CA™ on a single server device is as follows:

Component                | Minimum Requirements Specification
Server OS Platform       | Unix®, Linux® [x86 / x86-64 / ia64]
Operating System         | Red Hat Enterprise Linux® 4.x, 5.x; FreeBSD® 5.x, 6.x, 7.x, 8.x
RAM Memory               | 1GB RAM
Hard Disk Device         | 15GB ATA/SCSI/SAS
CPU                      | Intel® Pentium® IV 2.4 MHz
Network Interface Card   | Intel® compatible 10/100 Megabits NIC
Database server software | MySQL Community Server 5.0.45

For further information use this URL:

http://www.digi-sign.com/product/digi-ca [17]

Shared

Digi-CA™ Shared

Digi-CA™ [18] Shared was a concept conceived by Digi-Sign in 2006 that has only recently been acknowledged by potential customers as a real alternative to providing Digi-CA™ Service. Although implementations of this concept CA are limited, the capability and the option are important.

Typical enquiries come from large industry or government agencies where ownership of the entire CA is not a requirement, but ownership of specific components is preferred (e.g. data files, HSMs or the requirement to have a complete, hosted disaster recovery system). When considering Digi-CA™, the availability of this concept may not be of paramount importance, but its availability may be very useful during the continued growth and expansion of the total environment.

Choosing Digi-CA™ Shared

Digi-CA™ Shared can be a dedicated instance of the Digi-CA™ Service [19] that is completely separate from all other Digi-Sign systems; or it can be a combination of the Digi-CA™ Server system, hosted at a location of your choosing, with certain functions hosted at one of our nominated data centres.

Digi-CA™ Shared Charges & Cost Considerations

The annual charges and other cost considerations for Digi-CA™ Shared are estimated on a case-by-case basis. For further information use this URL:

http://www.digi-sign.com/product/digi-ca [17]

Summary

Digi-CA™

Digi-CA™ replaces older Legacy CA systems using the latest in CA and PKI technologies and benefits from combining commercial and open source software initiatives. With Digi-CA™, all of the complexities and onerous technical overhead that were required by Legacy CAs have been simplified to a ‘user-friendly’ and usable level.

The Digi-CA™ Team combine consulting and professional services with the functions provided by Digi-CA™ and can bring an organisation to a highly professional PKI level whilst meeting the criteria for internationally recognised accreditation standards such as WebTrust® and ISO 27001 certifications.

Advice on selecting the modules and services you may require is given in the next section.

System

Digi-CA™ Summary

This section of the Guide provides general information on the functional concepts for each Digi-CA™ Service Module and the related Digi-CAST™ services to consider when selecting the correct Digi-CA™ system for your environment. As a guide, it is recommended that you familiarise yourself with the general concepts and then contact us directly for more information, or use the online shopping cart for more detailed information:

http://www.digi-sign.com/product/digi-ca [17]

Standard System Components

Regardless of what Digi-CA™ system you elect to use, the following service modules will always be active, albeit in some cases, transparent to the administrators or end users. These are:

  Cryptographic Service Provider
  CA Management Console [CAMC]
  RA Management Console [RAMC]
  Entity Registration Service [EERS]
  Certificate & CRL Dissemination Services [CCDS]

Cryptographic Service

Digi-CA™

The Cryptographic Service Provider [CSP] Service Module is a software application that provides most of the cryptographic operations to the system and is effectively responsible for generating all public key certificates. Because the security of this module is critical, it is not accessible through any network communications protocol. This design imposes an asynchronous certificate generation and distribution model.

CA Management Console [CAMC]

The CA Management Console [CAMC] Service Module is the central graphical user interface [GUI] for managing Certification Authorities, Registration Authorities, Service Modules and other services provided within the Digi-CA™ system infrastructure.

The following table presents a general overview on the functionalities provided by CAMC.

CAMC functionality overview:

  Management of CA accounts
  CA Key Pair management
  CA Certification and Cross-Certification management
  Service Module Registration and Management
  Digi-CA™ main configuration
  Registration and management of X.509 certificate profiles
  End Entity Certificate reporting
  Management of RA accounts
  Management of internal Master CA key pair
  Management of Digi-CA™ system user accounts
  Management of End Entity certificate policies
  Management of Time-Stamping Authorities
  Management of OCSP Validation Authorities
  Digi-CA™ system status overview
  CSP cryptographic request queue reporting
  Activity Dual Control authorization

RA Management Console [RAMC]

The RA Management Console [RAMC] Service Module is the central graphical user interface [GUI] for operating Registration Authorities and managing End Entity Certificates.

The following table presents a general overview on the functionalities provided by RAMC.

RAMC functionality overview:

  End Entity account management
  End Entity key pair life cycle management
  End Entity certificate request registration
  End Entity certificate authorization
  End Entity certificate revocation
  End Entity certificate suspension
  End Entity certificate replacement (re-issuance)
  Management of RA user accounts
  Management of End Entity certificate policies
  End Entity Validation
  Activity Dual Control authorization
  End Entity certificate reporting
  End Entity certificate de-suspension
  Management of TSA clients

Entity Registration

Digi-CA™

The Entity Registration Service [ERS] Service Module is the central graphical user interface [GUI] provided to End Entities for user account and certificate related activity registration purposes.

The following table presents a general overview on the functionalities provided by ERS.

ERS functionality overview:

  End Entity initial account registration
  End Entity certificate request registration
  End Entity certificate revocation requests
  End Entity certificate suspension requests
  TSA client token reporting
  End Entity certificate status reporting
  End Entity certificate collection
  End Entity certificate replacement (re-issuance) requests
  End Entity certificate de-suspension requests

Certificate & CRL Dissemination Services [CCDS]

The Certificate & CRL Dissemination Services [CCDS] Module is a software application that provides the dissemination service for End Entity Public Key Certificates, Key Pairs and Certificate Revocation Lists.

From an Operating System perspective, the CDS is a client application to the CA database server. It sustains a persistent connection to the database from where dissemination requests are loaded and subsequently served. The following table presents a general overview of the functionality the CDS module is designed to provide.

CDS functionality overview:

  End Entity public key publication in LDAP directory
  End Entity public key distribution
  End Entity certificate expiration notification
  CRL publication in web repository
  CRL distribution
  TSA Client notifications

System Components

Digi-CA™

The following optional additional services fall into three categories:

    Unique to Digi-CA™ Service Only
    Available on all Versions of Digi-CA™
    Restricted to Certain Versions of Digi-CA™

Unique Service

Digi-CA™

The following services are only available with Digi-CA™ Service.

Total Trust Management™ [TTM™]

Total Trust Management™ is much more than a direct telephone support line or a dedicated Account Manager. Total Trust Management™ is the total outsourcing of your Digi-CA™ Service management, where Digi-CAST™ personnel effectively work for you and every aspect of the certificate life-cycle management is done for you.

We pioneered Total Trust Management™ [TTM™] in 2004 and have been offering this valuable service to our customers ever since. Under TTM™ we act as the Trusted Administrator of your Digi-CA™ Service and carry out all of the duties of the CAMC and RAMC operator on your system. TTM™ is an option that is only available with Digi-CA™ Service.

Automated Service

Automatic Failover & Load Balancing

Digi-CA™ Service automatically offers fail-over and load balancing as part of the standard service provisioning and strictly speaking, is not an optional addition. It is listed here for illustration purposes only.

Automatic Backup & Disaster Recovery

Digi-CA™ Service automatically offers backup and disaster recovery as part of the standard service provisioning and strictly speaking, is not an optional addition. It is listed here for illustration purposes only.

Available Versions

Available on all Versions of Digi-CA™

The following services are available on all versions of Digi-CA™.

Additional Certificates

When purchasing your Digi-CA™ system, the initial order will contain a fixed number of digital certificates/signatures. In the case of Digi-CA™ Service, the entire annual cost is based on the number of certificates in use. With Digi-CA™ Server, the system is supplied, as standard, with 100 multi-use certificates.

Therefore, additional certificates must be ordered on an as-needed basis. Additional single use (e.g. for encryption only) or multi-use (e.g. authentication and digital signature, etc.) certificates must be ordered separately.

RAMC Automation

Digi-CA™

When issuing large numbers of certificates in a single instance (e.g. several thousand in one hour or day), many users will complete the online application form very soon after receiving the invitation email. Manually approving each request may not be possible, and in such cases RA Automation is the recommended option.

RA Automation can be as simple or as integrated as your environment requires and can be enabled on any version of Digi-CA™.

TimeStamping

TimeStamp Authority

The TimeStamp Authority [TSA] provides digital TimeStamping network based services in compliance with the RFC 3161 standard, Internet X.509 Public Key Infrastructure TimeStamp Protocol [TSP]. The TimeStamp Protocol, or TSP, is a cryptographic protocol for certifying timestamp tokens using X.509 public key certificates and public key infrastructure.

The timestamp token is the signer's assertion that a piece of electronic data existed at, or before, a particular time. TimeStamp tokens are effectively used to provide evidence data in the process of validating long-term electronic signatures applied to digital communication or payment transactions and electronic documents such as Adobe® Acrobat® PDF.

Gateway

OCSP Gateway

The OCSP Gateway [OCSPG] Service Module is intended to provide digital Online Certificate Status Protocol [OCSP] network based services in compliance with the RFC 2560 standard, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP.

The OCSP is an Internet protocol used for obtaining the revocation status of an X.509 digital public key certificate. It was created as an alternative to Certificate Revocation Lists [CRL], specifically addressing certain problems associated with using CRLs in a public key infrastructure [PKI].
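The TSP request described under TimeStamp Authority and the OCSP request described here share one shape: a DER structure that identifies data by its hash rather than by value (the messageImprint of RFC 3161, the CertID of RFC 2560). The following added Python example, which is not Digi-Sign's code, builds and decodes both with a minimal DER encoder and includes the check a verifier applies to a returned timestamp token; the issuer name, issuer key bytes and serial numbers it is fed are constructed sample values.

```python
import hashlib
import hmac

# Pre-encoded OBJECT IDENTIFIER for id-sha256 (2.16.840.1.101.3.4.2.1); used for the
# TSP messageImprint and the OCSP CertID hashes below.
SHA256_OID = bytes.fromhex("0609608648016503040201")

def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def der(tag, content):
    """Wrap content in a DER TLV with the given tag byte."""
    return bytes([tag]) + der_len(len(content)) + content

def der_int(value):
    """DER INTEGER for a non-negative value; the extra byte keeps the sign bit clear."""
    return der(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))

def read_tlv(buf, pos):
    """Read one TLV at buf[pos]; return (tag, content, position after the TLV)."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def build_timestamp_request(data, nonce, cert_req=True):
    """RFC 3161 TimeStampReq: version 1, SHA-256 messageImprint of data, nonce, certReq."""
    imprint = der(0x30, der(0x30, SHA256_OID) + der(0x04, hashlib.sha256(data).digest()))
    body = der_int(1) + imprint + der_int(nonce)
    if cert_req:
        body += der(0x01, b"\xff")  # BOOLEAN TRUE: ask the TSA to include its certificate
    return der(0x30, body)

def parse_timestamp_request(buf):
    """Decode a TimeStampReq into its fields (reqPolicy and extensions are skipped)."""
    tag, body, end = read_tlv(buf, 0)
    if tag != 0x30 or end != len(buf):
        raise ValueError("not a single SEQUENCE")
    _, version, pos = read_tlv(body, 0)
    _, imprint, pos = read_tlv(body, pos)
    _, alg, p = read_tlv(imprint, 0)
    _, oid, _ = read_tlv(alg, 0)
    _, hashed, _ = read_tlv(imprint, p)
    req = {"version": int.from_bytes(version, "big"), "hash_oid": oid,
           "imprint": hashed, "nonce": None, "cert_req": False}
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0x02:
            req["nonce"] = int.from_bytes(val, "big")
        elif tag == 0x01:
            req["cert_req"] = val == b"\xff"
    return req

def token_binds_data(tst_imprint, tst_nonce, data, request_nonce):
    """Verifier-side check on a token's TSTInfo: the imprint must equal the hash of the
    data and the nonce must echo the request, otherwise the token is evidence of nothing."""
    expected = hashlib.sha256(data).digest()
    return hmac.compare_digest(tst_imprint, expected) and tst_nonce == request_nonce

def build_ocsp_cert_id(issuer_name_der, issuer_public_key, serial):
    """RFC 2560 CertID. issuer_name_der is the DER of the issuer Name; issuer_public_key
    is the issuer's subjectPublicKey BIT STRING contents (tag, length and unused-bits
    byte excluded), which is what issuerKeyHash is computed over."""
    return der(0x30, der(0x30, SHA256_OID)
               + der(0x04, hashlib.sha256(issuer_name_der).digest())
               + der(0x04, hashlib.sha256(issuer_public_key).digest())
               + der_int(serial))

def build_ocsp_request(cert_ids):
    """Unsigned OCSPRequest: tbsRequest holding a requestList with one Request per CertID."""
    request_list = der(0x30, b"".join(der(0x30, cid) for cid in cert_ids))
    return der(0x30, der(0x30, request_list))

def parse_ocsp_request(buf):
    """Return (issuerNameHash, issuerKeyHash, serial) for each Request in an OCSPRequest."""
    _, tbs, _ = read_tlv(read_tlv(buf, 0)[1], 0)
    _, request_list, _ = read_tlv(tbs, 0)
    out, pos = [], 0
    while pos < len(request_list):
        _, request, pos = read_tlv(request_list, pos)
        _, cert_id, _ = read_tlv(request, 0)
        _, _alg, p = read_tlv(cert_id, 0)
        _, name_hash, p = read_tlv(cert_id, p)
        _, key_hash, p = read_tlv(cert_id, p)
        _, serial, _ = read_tlv(cert_id, p)
        out.append((name_hash, key_hash, int.from_bytes(serial, "big")))
    return out
```

Because only hashes travel in either request, the TSA and the OCSP responder never see the document or the certificate itself, which is why the verifier's own comparison of the returned imprint against the original data is what turns a token into evidence.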

Recovery

Backup & Disaster Recovery

A CA or PKI, although not mission critical, must ensure that all its data is protected and available at all times. Using fail-over may ensure that no data is lost, but the best option is to ensure that there is a back-up system that is completely separate from the main system.

This is referred to as disaster recovery and in high security situations, this backup disaster recovery is usually located at a separate geographic location from the main system.

Versions

Backup & Disaster Recovery

The following services are only required on certain versions of Digi-CA™ Server. In the case of Digi-CA™ Server Xg, fail-over and load balancing are component parts of the overall system delivery, just as they are for Digi-CA™ Service.

Fail Over on Digi-CA™ Server Xs

Fail-over is where a second system is enabled so that, if the primary system ceases to function for any reason, the fail-over, or second system, temporarily assumes the primary role until normal service can resume. As Digi-CA™ Server Xp and Xg are automatically supplied with fail-over, Xs is the only version of Digi-CA™ Server where fail-over must be ordered separately (and this is a good reason why most customers order Digi-CA™ Server Xp).

Load Balancing on Digi-CA™ Server Xs & Xp

Load balancing is where a minimum of two machines are configured so that all traffic across the system is balanced equally across the machines to ensure the highest performance of the overall system. Load balancing is only required where high volumes, or high production peaks, are expected in the environment.

Key Ceremony

Key Ceremony on Digi-CA™ Server

A Key Ceremony is only required when your organisation wishes to establish its own independent root, or intermediate, Certificate Authority. This typically occurs where an organisation wants to create and own its own Root CA for reasons relating to compliance to specific standards (e.g. ISO 27001, WebTrust, EU Qualified Certificates, etc).

A Root Key Ceremony is a procedure where a unique pair of Public and Private Root Keys is generated. Depending on your requirements and specifications, the generation of the Root Keys may require notarisation, legal representation, witnesses and ‘Key Holders’ to be present. This process is best explained with some examples:

Example A: Strong identification & non-repudiation for email & web access

Unless the information being accessed or transmitted is valued in terms of millions of dollars, it is probably sufficient that the Digi-CAST2™ Team conduct the Root Key Ceremony within the security of the Digi-CAST2™ Laboratory. The customer may opt to have the Root Key stored on a Luna Card or HSM, but in most cases the safe storage of the Root Key on a CD or hard disk is sufficient. The Root Key is never stored on the Digi-CA™ server.

Example B: Machine Readable Travel Document [MRTD] ID card or e Passport

This type of environment requires much higher security than a commercial one. When conducting the Root Key Ceremony, the Government or Organization will require rigorous security checks to be conducted on all personnel in attendance. Those that are normally required to attend the Key Ceremony will include a minimum of two Administrators from the organisation, two signatories from the organisation, one lawyer, a notary and two video camera operators in addition to the Digi-CAST2™ Team.

The actual Root key-pair generation is normally conducted in a secure vault that has no communication or contact with the outside world other than a single telephone line or intercom. Once the vault is secured, all personnel present must prove their identity using at least two legally recognised forms of identification. Every person present, every transaction and every event is logged by the lawyer in a Root Key Ceremony Log Book and each page is notarized by the notary. From the moment the vault door is closed until it is re-opened, everything is also video recorded. The lawyer and the organisation's two signatories must sign the recording, and it too is then notarized.

Finally, as part of the above process, the Root Key is broken into as many as twenty-one parts and each individual part is secured in its own safe for which there is a key and a numerical lock. The keys are distributed to as many as twenty-one people and the numerical code is distributed to another twenty-one people.
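Splitting the Root Key into parts held by separate custodians, as Example B describes, can be implemented with a threshold secret-sharing scheme so that a quorum of custodians, rather than every one of them, is needed to reassemble it. The following added example is not Digi-Sign's procedure or code: it uses Shamir's scheme over a prime field (an assumption, since the text only says the key is broken into parts), keeps a key check value beside the shares so that a reconstruction from too few or wrong shares is detected, and uses a constructed 32-byte key standing in for the key that wraps the Root CA private key.

```python
import hashlib
import secrets

# Shamir secret sharing over GF(p). The Mersenne prime 2**521 - 1 leaves room for any
# secret of up to 64 bytes, e.g. a 32-byte key that wraps the Root CA private key.
# Assumption: the threshold scheme is one concrete way to "break the key into parts";
# the page does not say which method the ceremony uses.
PRIME = 2**521 - 1

def eval_poly(coeffs, x):
    """Horner evaluation of the polynomial with coefficients [a0, a1, ...] at x, mod PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc

def key_check_value(secret):
    """Short fingerprint stored with the shares; lets a wrong reconstruction be detected."""
    return hashlib.sha256(b"kcv:" + secret).digest()[:4]

def split_secret(secret, n_shares, threshold):
    """Split secret into n_shares points (x, y); any `threshold` of them recover it."""
    if not 1 < threshold <= n_shares:
        raise ValueError("need 1 < threshold <= n_shares")
    if len(secret) > 64:
        raise ValueError("secret too large for the field")
    a0 = int.from_bytes(secret, "big")
    # a0 is the secret itself; the other threshold-1 coefficients are uniformly random,
    # so any threshold-1 shares reveal nothing about a0.
    coeffs = [a0] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    shares = [(x, eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]
    return shares, key_check_value(secret)

def recover_secret(shares, secret_len, kcv):
    """Lagrange interpolation at x = 0; raises if the result fails the key check value."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj in xs:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    # Too few shares interpolate a different polynomial: the value is effectively random,
    # so it either does not fit the expected length or fails the key check value.
    if total >= 1 << (8 * secret_len):
        raise ValueError("reconstruction failed key check (too few or corrupted shares)")
    secret = total.to_bytes(secret_len, "big")
    if key_check_value(secret) != kcv:
        raise ValueError("reconstruction failed key check (too few or corrupted shares)")
    return secret

def custody_demo():
    """Constructed example: 21 custodians, any 11 can reconstruct, 10 cannot."""
    key = bytes(range(32))
    shares, kcv = split_secret(key, 21, 11)
    quorum_ok = recover_secret(shares[3:14], 32, kcv) == key
    try:
        recover_secret(shares[:10], 32, kcv)
        short_set_rejected = False
    except ValueError:
        short_set_rejected = True
    return quorum_ok, short_set_rejected
```

The shares, not the key, are what go into the individual safes; the key check value can be written into the ceremony log book since it does not reveal the key.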

Important Note:

Example A and B are at opposite ends of the security spectrum and no two environments are the same. When considering the Root Key Ceremony, the Digi-CAST1™ Team of professional advisors can assist you in deciding on the most efficient level of security to reflect the level of protection required.


Source URL: https://www.digi-sign.com/digi-ca/buyer

Links:
[1] http://wwwtest.digi-sign.com/products
[2] http://wwwtest.digi-sign.com/digi-bill
[3] http://wwwtest.digi-sign.com/digi-code
[4] http://wwwtest.digi-sign.com/digi-id
[5] http://wwwtest.digi-sign.com/digi-id/qualified
[6] http://wwwtest.digi-sign.com/digi-access
[7] http://wwwtest.digi-sign.com/digi-seal
[8] http://wwwtest.digi-sign.com/digi-mail
[9] http://wwwtest.digi-sign.com/digi-ca/service
[10] http://wwwtest.digi-sign.com/digi-ca/server
[11] http://wwwtest.digi-sign.com/digi-ca
[12] http://wwwtest.digi-sign.com/ocsp
[13] http://wwwtest.digi-sign.com/hsm
[14] http://www.digi-sign.com/products
[15] http://www.digi-sign.com/digi-ca/server
[16] http://wwwtest.digi-sign.com/products/digi-ca
[17] http://www.digi-sign.com/product/digi-ca
[18] http://wwwtest.digi-sign.com/digi-ca/shared
[19] http://wwwtest.digi-sign.com/products/