Published on Digi-Sign, The Certificate Corporation (https://www.digi-sign.com)


By Digi-Sign
Created Feb 25 2008 - 16:24

Key Ceremony Conclusion

(PDF version [1]) The Key Ceremony script then lists the steps to be performed at the conclusion of the ceremony. Before anyone leaves the room, all copies of the signed Key Ceremony Script, the Key Access Component Holder Documents, the Attestation Letters and the Video Recordings must be placed in the Archive Folder and the folder sealed.

At this point the CA exists but is not yet active. Activation is the next event after the Key Ceremony, the CA Activation event, followed by ongoing maintenance and, eventually, recertification.

  • Key Activation
    After a CA is created, it is ready to be put online by the Digi-Sign Digi-CAST2™ Installation Team. This is done using the certificate repository folder, which contains the files created during the Key Ceremony. For each CA, a request file (.req) and a certificate file (.x509) are generated. The request file (.req) identifies which pre-generated key pair is assigned to the new CA. The certificate file (.x509) is a binary encoding of the Digital Certificate [2] for the new CA. Both files include a copy of the public key, so the two can be cross-checked against each other, and against the pre-generated key pair the request names, before the CA is brought online.

    After the Key Ceremony, the request file and the .x509 file are saved to the certificate repository folder maintained on the computer system. The Digi-CAST2™ Installation Team then completes the process and brings the new CA online.

  • Key Maintenance
    Once a CA is online, it must be maintained. Maintenance activities include archiving CA material in a secure storage area, reactivating the CA after a hardware failure, and tracking revoked and suspended certificates. If there is any possibility that the integrity of an individual CA can no longer be verified, the integrity of the entire PKI hierarchy to which it belongs is threatened. Reasons for compromise include violation of the Certificate Practice Statement [3] by the customer, incorrect CA parameters, or loss or misuse of the CA private key. If any of these occur, your organization is responsible for revoking the CA certificate in order to preserve the integrity of the PKI hierarchy.

    Important Note: If a CA's certificate is revoked during the maintenance phase, that CA cannot be re-certified; a replacement CA must be created in a new Key Ceremony.

  • Key Recertification
    Every CA is assigned a validity period, during which it can issue end entity certificates. A CA cannot issue a certificate whose validity period extends beyond the CA's own expiration date. End entity certificates typically have a validity period of one year, so in the final year of a CA's life it can no longer issue full-term certificates. Consequently, a CA must be re-certified at least one year before its expiration date. Recertification takes place in a separate Key Ceremony. For this reason, your organization must appoint one or more Key Ceremony Administrators, and these persons must take part in the original Key Ceremony conducted by the existing Key Ceremony Administrator. Using the collateral and experience gained there, the new Key Ceremony Administrator assumes responsibility for tracking the validity periods of all created CAs and for notifying the appropriate personnel when a CA is due for recertification.


Source URL: https://www.digi-sign.com/key%20ceremony/conclusion

Links:
[1] https://www.digi-sign.com/downloads/digi-ca-admin-manual
[2] https://www.digi-sign.com/digital+certificate
[3] https://www.digi-sign.com/repository/certificate+practice+statement