This guide is intended to assist buyers in selecting [1] the correct Digi-CA™ Certificate Authority [CA] system for their environment. It is assumed that the audience and readers of this guide have a basic understanding of the concepts of information technology, CA systems and the use of digital certificates and signatures.
Organisations choose to use a CA for many reasons, and ultimately it relates to using the internet to improve efficiency, reduce costs and/or increase market reach. In almost every instance, using the internet in these ways encounters security issues: identifying users, authenticating transactions, events and times, the need for secure servers, digital document and workflow signing and related matters.
Whilst a CA cannot address every conceivable security issue, it solves most of them. There are several recognised CA providers, but few can compete with the ease-of-use and management capabilities offered by Digi-CA™ [1].
A CA issues digital certificates and digital signatures for use by end users or servers. They are used for securing servers (i.e. https:// and the ‘little yellow lock’ that is seen when making payments online) and also for:
Digi-CA™ is the complete CA system for organisations that would like to have their own CA or would like to own and manage a Public Key Infrastructure [PKI] for digital certificates, inside the organisation, or over the Internet. Digi-CA™ generates and manages digital public key certificates that are used for a variety of different purposes, most commonly for secure server connection [1], electronic signatures, natural person and/or device authentication and for secure email.
The Digi-CA™ system can create multiple instances of independent CAs in a single Digi-CA™ system deployment. The Digi-CA™ model imposes delegation of trust downwards from Root CAs to their Subordinate CAs using a concept called ‘layered hierarchy’. The same Digi-CA™ system also enables a CA to be cross signed by an external third party CA. As a result of this design principle, trust in the Digi-CA™ model increases towards the highest authority in the hierarchy. This type of arrangement facilitates easy deployment and scalability of any PKI requirement from the smallest to the largest.
Digi-CA™ can be delivered as an installed Software CA, or as a Managed CA service [9]. Uniquely, both the Managed Digi-CA™ Service and the installed Digi-CA™ Server software [10] use the same common, core technology. This is important because in selecting Digi-CA™ it is possible to begin with Digi-CA™ Service and migrate to Digi-CA™ Server with ease.
It is possible to use the distributed architectural design of Digi-CA™ to implement the concept of a ‘Shared CA’ where different modules of the system are hosted and managed in separate geographical locations.
Digi-CA™ replaces older Legacy CA systems using the latest in CA and PKI technologies and benefits from combining commercial and open source software initiatives. With Digi-CA™, all of the complexities and onerous technical overhead that were required by Legacy CAs have been simplified to a ‘user-friendly’ and usable level.
Combining the consulting and professional services [1] offered by Digi-CAST™ with the functions provided by Digi-CA™ can bring an organisation to a highly professional PKI level, meeting the criteria for internationally recognised accreditation standards such as WebTrust® and ISO 27001 certifications.
Feature | Description |
Compliance with international standards | Digi-CAST™ follows the international industry standards for PKI and CA systems [11] so that it can easily fit into almost any certificated IT infrastructure and work seamlessly within that environment. This compliance with standards is important when considering current requirements and potential future requirements too |
Programming language | All components of the Digi-CAST™ [1] system kernel have been developed in C on Unix, which is considered the most stable, secure and efficient language and operating system for the development of PKI & CA systems |
Centralised Management | A web based ‘system management centre’ for all operated CAs, RAs & LRAs makes it ideal for operation as an installed standalone CA system or as a Managed CA [1] |
‘Futureproof’ | By its very design, the entire Digi-CAST™ system can be in house, totally outsourced or a combination of the two, and this can be decided at any stage during the life of the system. So you can purchase [1] what you need today, safe in the knowledge that you can easily migrate and move all or part of the system to the Managed CA alternative to meet your future demands |
Ease of integration | Whether now or in the future, because it is LDAPv3 compliant, Digi-CAST™ can publish X.509 certificates and Certificate Revocation Lists [CRL] [12] to other directories. This is a significant factor when considering integration with existing or future environments |
Scalability | Digi-CAST™ can scale easily and with minimal or no interruption of live operations. This is important when considering the future growth of your requirements. It is also possible to add additional hardware [13] to expand the system capacity and services and to conduct cross certification |
Continuous operation | When considering the future growth of your requirements, live production can continue uninterrupted while adding more CAs, RAs and LRAs. These capabilities ensure the CA remains operational and without interruption throughout |
Customisation to your requirements | Custom multi-layer CA hierarchy, RA and LRA distribution can be modified, extended and changed at any stage and, again, this can be done without affecting the operation of the live environment |
‘Look & feel’ customisation | The entire Digi-CAST™ system interface and all its levels can be easily changed using Cascading Style Sheets [CSS]. This ability to completely change the ‘look and feel’ of the system eases the deployment to your end users because they know you but may not be familiar with the CA vendor. It also helps with integrating into web sites and other online systems seamlessly |
Multiple Languages | Language localisation is “plug n’ play” for displaying all interfaces in your desired language(s). This further helps the deployment to end users and reduces ‘help desk calls’ (where users are really looking for a translation of help files, etc.) |
Custom profile, enrolment & DN capabilities supplied as standard | Certificate profiles and enrolment policies can be customised, and therefore fully custom certificate subject Distinguished Name [DN] attributes and certificate extensions are possible. This is particularly important when meeting national & international standards, and the cost of providing these capabilities from other systems can be considerable |
CA Flexibility | Ability to operate multiple independent CA hierarchies from a single system instance without the need to install multiple software applications on multiple server computers to run each CA hierarchy |
RA Flexibility | Multiple independent Registration Authority [RA] instances from a single system without needing to install multiple applications on multiple servers to run each RA |
100% browser independent | 100% certificate enrolment web browser, platform and operating system independence |
Root CA cross certification | Digi-CAST™ offers the capability of cross certification between your Root CA and any other CA |
Trusted Root capability | It can also be cross certified by a Trusted Root CA for issuing trusted SSL certificates and secure, signed and/or encrypted email |
Best training & knowledge transfer | With the largest online searchable PKI & CA KnowledgeBase, the extensive documentation offered, the Digi-TaSC system and the many different types of training offered, this proposal offers the most comprehensive training programme for your personnel |
Overall most capable & most competitively priced | Digi-CAST™ achieves the best blend of meeting your current requirements and possible future ones too. Its highly customisable and flexible features mean it will meet future demands easily, without incurring downtime, service interruption or unwieldy costs |
The simplicity of the design of the complete Digi-CA™ system means that the same system can be purchased initially as a service [14]. Later, if needed, the software [15] version can be deployed and later scaled for enterprise, large scale and even national PKI use, with minimum or no disruption. This is made possible by the modular architecture used in the development of the Digi-CA™ system.
The modular architecture of Digi-CA™ provides its components in Service Modules [14]. Here is the list of modules currently available (for further details, refer to the Digi-CA™ Deployment Guide).
Module Name | Code | Services Provided |
Cryptographic Service Provider | CSP | Certificate & CRL Generation Services |
Time-Stamping Gateway | TSG | Digital Time-Stamping Service |
OCSP Gateway | OCSPG | Real time Revocation Status Service |
CA Application Service | CAAS | TSG and OCSPG gateway services connector |
CA Management Console | CAMC | Web based Certification Authority management |
RA Management Console | RAMC | Web based Registration Authority management |
Entity Registration Service | ERS | Web based End Entity Registration management |
Content Dissemination Service | CDS | Certificate and CRL dissemination management |
The above diagram shows each module of Digi-CA™ [14] distributed across multiple servers for use in a large scale enterprise/government PKI.
This modular architecture permits Digi-CA™ to meet almost any requirement. The principal delivery models are:
Digi-CA™ Service - Managed CA [9]
Digi-CA™ Server - CA Software [10]
Digi-CA™ Shared - Dedicated CA [11]
It is possible to build [16] a custom Digi-CA™ solution that will meet all your requirements. The online shopping cart assists you in selecting the correct Digi-CA™ and also demonstrates the many add-ons available to meet those requirements. For further information use this URL:
Digi-CA™ Service is the Managed CA [9] and is the service that is provided online using the Application Service Provider [ASP] or Software-as-a-Service [SaaS] delivery model. There is no hardware or software requirement at the customer site.
Unless there is a very specific reason why your organisation must own and locate its own CA system [1], then Digi-CA™ Service will most probably meet all of your requirements. As a service offering it is more cost effective both financially and from a human resource/time consumption perspective.
Digi-CA™ Service is charged on an annual recurring fee that is based on the number of digital certificates [1] issued each year. The annual fee covers all maintenance, administration and day-to-day system support that is required to keep the Digi-CA™ operational. For further information use this URL:
Digi-CA™ Server is the CA Software that is installed on a server in a data centre [10] or at the customer site. Digi-CA™ charges a ‘once off’ initial license fee that is based on the cost of the software, its configuration and installation and then the number of certificates required over the life of the product's use.
Unless there is a very specific reason why your organisation must own and locate its own CA system, then Digi-CA™ Service [9] will most probably meet all of your requirements. If ownership and a specific geographic location are firm requirements, the Digi-CA™ Server is probably your best choice.
Once personnel are properly trained, they should be able to manage and administer the system with ease. Digi-CA™ Server also has the ability to be accessed using a highly secure Virtual Private Network [VPN] connection, where Digi-CAST™ personnel can assist with escalated technical matters using direct access to the system.
Apart from the initial license fee, the only other fees you pay are the annual license fee to cover upgrades, patches and application telephone support and optional annual support fees that can be purchased in ‘blocks of tickets’ where a single support case uses one support ticket until the case is solved.
When considering a centralised or distributed deployment model of Digi-CA™ [10], one must consider that Digi-CA™ requires a pre-established network infrastructure, which is key to a successful deployment of this system.
Although Digi-CA™ does not require, or rely on, a specific network design, careful network architecture planning [1] is strongly recommended prior to the deployment of this system. The diagrams below, as an example only, illustrate the two most common deployment methodologies: one with all Service Modules centralised on a single server, and the other with distributed services as an alternative.
As an installed Software CA [10], Digi-CA™ Server will require at least one, and possibly multiple, servers, networking and at least one internet connection. The minimum software and hardware requirement to deploy a standard Digi-CA™ on a single server device is as follows:
Component | Minimum Requirements Specification |
Server OS Platform | Unix®, Linux® [x86 / x86-64 / ia64] |
Operating System | Red Hat Enterprise Linux® 4.x, 5.x ; FreeBSD® 5.x, 6.x, 7.x, 8.x |
RAM Memory | 1GB RAM |
Hard Disk Device | 15GB ATA/SCSI/SAS |
CPU | Intel® Pentium® IV 2.4 MHz |
Network Interface Card | Intel® compatible 10/100 Megabits NIC |
Database server software | MySQL Community Server 5.0.45 |
For further information use this URL:
Digi-CA™ [18] Shared is a concept conceived by Digi-Sign in 2006 that has only recently been acknowledged by potential customers as a real alternative to Digi-CA™ Service. Although implementations of this concept are limited, the capability and the option are important.
Typical enquiries come from large industry or government agencies where ownership of the entire CA is not a requirement, but ownership of specific components is preferred (e.g. data files, HSMs or the requirement to have a complete, hosted disaster recovery system). When considering Digi-CA™, the availability of this concept may not be of paramount importance, but its availability may be very useful during the continued growth and expansion of the total environment.
Digi-CA™ Shared can be a dedicated instance of the Digi-CA™ Service [19] that is completely separate from all other Digi-Sign systems, or it can be a combination of the Digi-CA™ Server system, hosted at a location of your choosing, with certain functions hosted at one of our nominated data centres.
The annual charges and other costs for Digi-CA™ Shared are calculated on a case-by-case basis. For further information use this URL:
The Digi-CA™ Team combines consulting and professional services with the functions provided by Digi-CA™ and can bring an organisation to a highly professional PKI level whilst meeting the criteria for internationally recognised accreditation standards such as WebTrust® and ISO 27001 certifications.
Advice on selecting the modules and services you may require is in the next section.
This section of the Guide provides general information on the functional concepts of each Digi-CA™ Service Module and the related Digi-CAST™ services to consider when selecting the correct Digi-CA™ system for your environment. As a guide, it is recommended that you familiarise yourself with the general concepts and then contact us directly for more information, or use the online shopping cart for more detailed information:
Regardless of what Digi-CA™ system you elect to use, the following service modules will always be active, albeit in some cases, transparent to the administrators or end users. These are:
Cryptographic Service Provider [CSP]
CA Management Console [CAMC]
RA Management Console [RAMC]
Entity Registration Service [ERS]
Certificate & CRL Dissemination Services [CCDS]
The Cryptographic Service Provider [CSP] Service Module is a software application that provides most of the cryptographic operations of the system and is effectively responsible for generating all public key certificates. Because this module is the most security-critical component, it is not accessible through any network communications protocol. This design imposes an asynchronous certificate generation and distribution model.
The CA Management Console [CAMC] Service Module is the central graphical user interface [GUI] for managing Certification Authorities, Registration Authorities, Service Modules and other services provided within the Digi-CA™ system infrastructure.
The following table presents a general overview of the functionality provided by CAMC.
CAMC functionality overview |
Management of CA accounts | Management of internal Master CA key pair |
CA Key Pair management | Management of Digi-CA™ system user accounts |
CA Certification and Cross-Certification management | Management of End Entity certificate policies |
Service Module Registration and Management | Management of Time-Stamping Authorities |
Digi-CA™ main configuration | Management of OCSP Validation Authorities |
Registration and management of X.509 certificate profiles | Digi-CA™ system status overview |
End Entity Certificate reporting | CSP cryptographic request queue reporting |
Management of RA accounts | Activity Dual Control authorization |
The RA Management Console [RAMC] Service Module is the central graphical user interface [GUI] for operating Registration Authorities and managing End Entity Certificates.
The following table presents a general overview of the functionality provided by RAMC.
RAMC functionality overview |
End Entity account management | Management of RA user accounts |
End Entity key pair life cycle management | Management of End Entity certificate policies |
End Entity certificate request registration | End Entity Validation |
End Entity certificate authorization | Activity Dual Control authorization |
End Entity certificate revocation | End Entity certificate reporting |
End Entity certificate suspension | End Entity certificate de-suspension |
End Entity certificate replacement (re-issuance) | Management of TSA clients |
The Entity Registration Service [ERS] Service Module is the central graphical user interface [GUI] provided to End Entities for user account and certificate related activity registration purposes.
The following table presents a general overview of the functionality provided by ERS.
ERS functionality overview |
End Entity initial account registration | End Entity certificate status reporting |
End Entity certificate request registration | End Entity certificate collection |
End Entity certificate revocation requests | End Entity certificate replacement (re-issuance) requests |
End Entity certificate suspension requests | End Entity certificate de-suspension requests |
TSA client token reporting |
The Certificate & CRL Dissemination Services [CCDS] Module is a software application that provides the dissemination service for End Entity Public Key Certificates, Key Pairs and Certificate Revocation Lists.
From an Operating System perspective, the CDS is a client application to the CA database server. It sustains a persistent connection to the database, from where dissemination requests are loaded and subsequently served. The following table presents a general overview of the functionality the CDS module is designed to provide.
CDS functionality overview |
End Entity public key publication in LDAP directory | CRL publication in web repository |
End Entity public key distribution | CRL distribution |
End Entity certificate expiration notification | TSA Client notifications |
The following optional services are categorised as:
Unique to Digi-CA™ Service Only
Available on all Versions of Digi-CA™
Restricted to Certain Versions of Digi-CA™
The following services are only available with Digi-CA™ Service.
Total Trust Management™ is much more than a direct telephone support line or a dedicated Account Manager. Total Trust Management™ is the total outsourcing of your Digi-CA™ Service management, where Digi-CAST™ personnel effectively work for you and every aspect of the certificate life-cycle management is done for you.
We pioneered the Total Trust Management™ [TTM™] in 2004 and have been offering this valuable service to our customers ever since. Under TTM™ we act as the Trusted Administrator of your Digi-CA™ Service and carry out all of the duties of the CAMC and RAMC operator on your system. TTM™ is an option that is only available with Digi-CA™ Service.
Digi-CA™ Service automatically offers fail-over and load balancing as part of the standard service provisioning and strictly speaking, is not an optional addition. It is listed here for illustration purposes only.
Digi-CA™ Service automatically offers backup and disaster recovery as part of the standard service provisioning and strictly speaking, is not an optional addition. It is listed here for illustration purposes only.
The following services are available on all versions of Digi-CA™.
When purchasing your Digi-CA™ system, the initial order will contain a fixed number of digital certificates/signatures. In the case of Digi-CA™ Service, the entire annual cost is based on the number of certificates in use. With Digi-CA™ Server, the system is supplied, as standard, with 100 multi-use certificates.
Therefore, additional certificates must be ordered on an as-needed basis. Additional single use (e.g. for encryption only) or multi-use (e.g. authentication and digital signature, etc.) certificates must be ordered separately.
When issuing large numbers of certificates at once (e.g. several thousand in one hour or day), many users will complete the online application form very soon after receiving the invitation email. Manually approving each request may not be possible, and in such cases RA Automation is the recommended option.
RA Automation can be as simple or as integrated as your environment requires and can be enabled on any version of Digi-CA™.
The TimeStamp Authority [TSA] provides network based digital TimeStamping services in compliance with RFC 3161, Internet X.509 Public Key Infrastructure Time-Stamp Protocol [TSP]. The TimeStamp Protocol, or TSP, is a cryptographic protocol for certifying timestamp tokens using X.509 public key certificates and public key infrastructure.
The timestamp token is the signer's assertion that a piece of electronic data existed at, or before, a particular time. TimeStamp tokens are used as evidence when validating long-term electronic signatures applied to digital communication or payment transactions and to electronic documents such as Adobe® Acrobat® PDF.
The OCSP Gateway [OCSPG] Service Module provides network based Online Certificate Status Protocol [OCSP] services in compliance with RFC 2560, X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP.
The OCSP is an Internet protocol used for obtaining the revocation status of an X.509 digital public key certificate. It was created as an alternative to Certificate Revocation Lists [CRL], specifically addressing certain problems associated with using CRLs in a public key infrastructure [PKI].
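The two client-side messages described above, an RFC 3161 TimeStampReq and an RFC 2560 OCSPRequest, as an added example that is not part of this guide or of the Digi-CA™ software. It encodes the DER by hand, so it needs no third-party library; the document bytes, issuer name, issuer key and serial number are constructed sample values.

```python
"""Build RFC 3161 TimeStampReq and RFC 2560 OCSPRequest messages in DER.

Pure-Python DER encoding (no third-party ASN.1 library); all sample values
(document bytes, issuer name, issuer key, serial) are constructed.
"""
import hashlib
import secrets

SHA256_OID = "2.16.840.1.101.3.4.2.1"   # id-sha256
SHA1_OID = "1.3.14.3.2.26"              # id-sha1 (the CertID hash in RFC 2560)


def der_len(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def tlv(tag, body):
    """Tag-Length-Value for a single DER element."""
    return bytes([tag]) + der_len(len(body)) + body


def der_int(v):
    """Non-negative INTEGER, minimal length, leading 0x00 if the high bit is set."""
    return tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big"))


def der_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed into one byte, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(chunk)
    return tlv(0x06, bytes(body))


def alg_id(oid):
    """AlgorithmIdentifier ::= SEQUENCE { algorithm OID, parameters NULL }"""
    return tlv(0x30, der_oid(oid) + b"\x05\x00")


def timestamp_request(data, nonce, cert_req=True):
    """RFC 3161 TimeStampReq. Only the SHA-256 hash of the data leaves the
    client; the random nonce lets the client bind the TimeStampResp to this
    request, and certReq asks the TSA to return its signing certificate."""
    imprint = tlv(0x30, alg_id(SHA256_OID)
                  + tlv(0x04, hashlib.sha256(data).digest()))
    body = der_int(1) + imprint + der_int(nonce)   # version v1(1), then nonce
    if cert_req:
        body += tlv(0x01, b"\xff")                  # certReq BOOLEAN TRUE
    return tlv(0x30, body)


def ocsp_request(issuer_name_der, issuer_public_key, serial):
    """RFC 2560 OCSPRequest (unsigned, one CertID). issuer_name_der is the DER
    of the issuer's Name; issuer_public_key is the subjectPublicKey BIT STRING
    value (no tag, length or unused-bits byte). CertID hashes both with SHA-1
    purely to identify the certificate; RFC 6960, which has since replaced
    RFC 2560, keeps this request format."""
    cert_id = tlv(0x30, alg_id(SHA1_OID)
                  + tlv(0x04, hashlib.sha1(issuer_name_der).digest())
                  + tlv(0x04, hashlib.sha1(issuer_public_key).digest())
                  + der_int(serial))
    request = tlv(0x30, cert_id)          # Request ::= SEQUENCE { reqCert CertID }
    tbs = tlv(0x30, tlv(0x30, request))   # TBSRequest { requestList SEQUENCE OF Request }
    return tlv(0x30, tbs)                 # OCSPRequest { tbsRequest }, no optionalSignature


if __name__ == "__main__":
    document = b"constructed PDF bytes"        # stands in for a document to be time-stamped
    tsq = timestamp_request(document, secrets.randbits(64))
    print("TimeStampReq:", tsq.hex())
    # Constructed issuer values; a real client takes them from the issuer's certificate.
    ocsp = ocsp_request(b"constructed issuer Name DER", b"constructed issuer key", 0x1000)
    print("OCSPRequest:", ocsp.hex())
```

Either message is sent as the body of an HTTP POST (content types application/timestamp-query and application/ocsp-request) to the TSG or OCSPG endpoint, and the response nonce or CertID is compared against what was sent.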
A CA or PKI, although not mission critical, must ensure that all its data is protected and available at all times. Using fail-over may ensure that no data is lost, but the best option is to ensure that there is a back-up system that is completely separate from the main system.
This is referred to as disaster recovery and in high security situations, this backup disaster recovery is usually located at a separate geographic location from the main system.
The following services are only required on certain versions of Digi-CA™ Server. This is because, in the case of Digi-CA™ Server Xg, fail-over and load balancing are component parts of the overall system delivery, as they are for Digi-CA™ Service.
Fail-over is where a second system is enabled so that if the primary system ceases to function for any reason, the fail-over, or second system, temporarily assumes the primary role until normal service can resume. As Digi-CA™ Server Xp and Xg are automatically supplied with fail-over, this is the only version of Digi-CA™ Server where fail-over must be ordered separately (and is a good reason why most customers order Digi-CA™ Server Xp).
Load balancing is where a minimum of two machines are configured so that all traffic across the system is balanced equally across the machines to ensure the highest performance of the overall system. Load balancing is only required where high volumes, or high production peaks, are expected in the environment.
A Key Ceremony is only required when your organisation wishes to have its own independent Root, or Intermediate, Certificate Authority. This typically occurs where an organisation wants to create and own its own Root CA for reasons relating to compliance with specific standards (e.g. ISO 27001, WebTrust, EU Qualified Certificates, etc.).
A Root Key Ceremony is a procedure where a unique pair of Public and Private Root Keys is generated. Depending on your requirements and specifications, the generation of the Root Keys may require notarisation, legal representation, witnesses and ‘Key Holders’ to be present. This process is best explained with some examples:
Unless the information being accessed or transmitted is valued in terms of millions of dollars, it is probably sufficient that the Digi-CAST2™ Team conduct the Root Key Ceremony within the security of the Digi-CAST2™ Laboratory. The customer may opt to have the Root Key stored on a Luna Card or HSM, but in most cases the safe storage of the Root Key on a CD or hard disk is sufficient. The Root Key is never stored on the Digi-CA™ server.
This type of environment requires much higher security than a commercial one. When conducting the Root Key Ceremony, the Government or Organization will require rigorous security checks to be conducted on all personnel in attendance. Those that are normally required to attend the Key Ceremony will include a minimum of two Administrators from the organisation, two signatories from the organisation, one lawyer, a notary and two video camera operators in addition to the Digi-CAST2™ Team.
The actual Root key-pair generation is normally conducted in a secure vault that has no communication or contact with the outside world other than a single telephone line or intercom. Once the vault is secured, all personnel present must prove their identity using at least two legally recognised forms of identification. Every person present, every transaction and every event is logged by the lawyer in a Root Key Ceremony Log Book and each page is notarized by the notary. From the moment the vault door is closed until it is re-opened, everything is also video recorded. The lawyer and the organisation’s two signatories must sign the recording and it too is then notarized.
Finally, as part of the above process, the Root Key is broken into as many as twenty-one parts and each individual part is secured in its own safe for which there is a key and a numerical lock. The keys are distributed to as many as twenty-one people and the numerical code is distributed to another twenty-one people.
Example A and B are at opposite ends of the security spectrum and no two environments are the same. When considering the Root Key Ceremony, the Digi-CAST1™ Team of professional advisors can assist you in deciding on the most efficient level of security to reflect the level of protection required.
Links:
[1] http://wwwtest.digi-sign.com/products
[2] http://wwwtest.digi-sign.com/digi-bill
[3] http://wwwtest.digi-sign.com/digi-code
[4] http://wwwtest.digi-sign.com/digi-id
[5] http://wwwtest.digi-sign.com/digi-id/qualified
[6] http://wwwtest.digi-sign.com/digi-access
[7] http://wwwtest.digi-sign.com/digi-seal
[8] http://wwwtest.digi-sign.com/digi-mail
[9] http://wwwtest.digi-sign.com/digi-ca/service
[10] http://wwwtest.digi-sign.com/digi-ca/server
[11] http://wwwtest.digi-sign.com/digi-ca
[12] http://wwwtest.digi-sign.com/ocsp
[13] http://wwwtest.digi-sign.com/hsm
[14] http://www.digi-sign.com/products
[15] http://www.digi-sign.com/digi-ca/server
[16] http://wwwtest.digi-sign.com/products/digi-ca
[17] http://www.digi-sign.com/product/digi-ca
[18] http://wwwtest.digi-sign.com/digi-ca/shared
[19] http://wwwtest.digi-sign.com/products/