Published on Digi-Sign, The Certificate Corporation (https://www.digi-sign.com)


By Digi-Sign
Created Feb 25 2008 - 16:22

Initialising Event

The Initialising Event must be built into the script when creating a Root CA or when conducting a Key Generation Ceremony. In the Initialising Event, the Key Access Component Card Set (the Key Access Component Cards) is created. The Initialising Event provides the critical security control that protects the private key assigned to the new CA. This event is of paramount importance during the ceremony, and its procedures must be adequately documented in the script.

Generating Event

When generating request files or keys, the Key Ceremony Administrator must build a generating event into every script prepared. In the generating event, the Cryptographic Operation Control Software (the Cryptographic Device Support software and the Digi-CA™ PKI [2] Toolkit) generates a request file. At this stage, the Key Access Component Holders present their smart cards, which are used to activate the offline (previously generated) private and public key pair that will be assigned to the new CA.

The Key Access Component Cards allow the private key to be activated within the cryptographic device and enable the device to generate the request file. The request file assigns that key pair to the certificate of the new CA. The Key Map file identifies the Common Name of the pre-generated key that is to be associated with the new CA.

The Common Name of the pre-generated key also identifies the CA type. This information enables the Cryptographic Operation Control Software, with the support of the cryptographic device, to generate an accurate request file.

Signing Event

There must be a signing event in every prepared script, except for Key Generation Ceremony scripts. In the signing event, the Key Access Component Cards are used to activate the signer (the superior issuing authority). The signer is determined by the PKI hierarchy into which the new CA fits:

  • Certificates for Root CAs are self-signed.

  • Certificates for Subordinate CAs are signed by the Root CA or by a Subordinate CA of a higher level within the CA hierarchy.

These Key Access Component Cards enable the signer to sign the certificate of the CA being created. The script should identify the new Distinguished Name, the validity dates, and the extension settings that are provided in the Naming Document. During the ceremony, this information is entered before the Cryptographic Operation Control Software is directed to sign the certificate.

Distribution Event

The Key Ceremony script must also document the following steps in the distribution event:

  1. Distribute the newly created Key Access Component Cards to the Key Access Component Holders.
  2. Witnesses sign Attestation Letters indicating that they read the script, observed the ceremony and attest that the ceremony was performed as described in the script.
  3. Key Access Component Holders sign the Key Access Component Holder Document indicating that they have read, understand and agree to follow the duties and responsibilities of a Key Access Component Holder, and that they have witnessed the signatures of all the other Key Access Component Holders.
  4. Direct the notary, or an equivalent official public witness, to notarize (certify the signatures on) the witnesses' Attestation Letters.
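The hierarchy rule of the Signing Event above (a Root CA signs its own certificate; a Subordinate CA's certificate is signed by its superior), as an added example that is not Digi-Sign's code: Go's standard library issues a self-signed Root CA, issues a Subordinate CA signed by it, and then checks that the subordinate's signature verifies against the root. The Common Names, serial numbers, validity periods and the software-generated key pairs are constructed stand-ins; in a real ceremony the key pair already exists inside the cryptographic device and the DN, validity and extensions come from the Naming Document.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issueCA models the Signing Event: the superior authority (parent, parentKey) signs the new CA's
// certificate; a nil parent means a Root CA, whose certificate is self-signed with its own key.
func issueCA(cn string, serial int64, years int, key *ecdsa.PrivateKey, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{ // DN, validity and extensions stand in for Naming Document values
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now(),
		NotAfter:              time.Now().AddDate(years, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	if parent == nil { // Root CA: the new key signs its own certificate
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// buildHierarchy runs both signing events and checks that the subordinate chains to the root.
func buildHierarchy() (root, sub *x509.Certificate, err error) {
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stand-in for the HSM-held key pair
	subKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if root, err = issueCA("Example Root CA", 1, 20, rootKey, nil, nil); err != nil {
		return nil, nil, err
	}
	if sub, err = issueCA("Example Issuing CA", 2, 10, subKey, root, rootKey); err != nil {
		return nil, nil, err
	}
	// CheckSignatureFrom also enforces that the signer carries the CA basic constraint and certSign usage.
	return root, sub, sub.CheckSignatureFrom(root)
}
```

A nil error from buildHierarchy means the root verified as a CA signer and the subordinate's signature was produced by the root's key; swapping the signer key would make the final check fail.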


Source URL: https://www.digi-sign.com/key%20ceremony/initialising%20event

Links:
[1] https://www.digi-sign.com/downloads/digi-ca-admin-manual
[2] https://www.digi-sign.com/public+key+infrastructure