Certificate Authority
Futurex Online Issuing CA
11min
the {{k3}} provides a turnkey solution for offline enterprise level certificate authority (ca) and private key infrastructure (pki) management you can issue root cas offline, which might cause the device to power down and disconnect from the network in addition, the {{k3}} enables you to import and export pkis offline background of pki pki is a set of roles, policies, hardware, software, and procedures necessary to create, manage, distribute, use, store, and revoke digital certificates and manage public key encryption pki facilitates the secure electronic transfer of information in a network this technology primarily secures electronic transactions, confirms the identity of individuals and devices, and protects the integrity of distributed data pki is built upon asymmetric cryptography, which employs a pair of keys a private key and a public key while the private key remains confidential and in the sole possession of the owner, the public key is made freely available in a public directory through this framework, anyone can encrypt a message using a public key, but only the private key holder can decrypt it this duality of keys forms the foundation of authentication, confidentiality, and integrity assurances in a pki system the role of the issuing certification authority an issuing certification authority (ca), part of the hierarchical pki structure, plays a crucial role in the management and verification of digital certificates it issues, validates, and revokes digital certificates the process begins when an entity, a person or system, generates a pair of cryptographic keys and sends a certificate signing request (csr) containing the public key and some identifying information to the ca the ca validates the authenticity of the request and the identity of the requester and then uses its private key to sign the public key of the entity, creating a digital certificate you can then publicly share this digital certificate, acting as a form of digital id, to establish the identity of the entity and the authenticity of its public key an issuing ca is typically subordinate to the root ca in the pki hierarchy while the root ca's private key is highly secured and used sparingly, the issuing ca's private key is used more frequently to sign end entity certificates this arrangement maintains the security and integrity of the root ca while providing the operational flexibility needed to handle the vast number of requests for new certificates in summary, the issuing ca acts as a trusted third party in the pki structure, facilitating trust in digital transactions and communications it ensures that the entities involved in these exchanges are who they claim to be, which is foundational to secure digital interactions {{k3}} features overview the {{k3}} device enables you to deploy and maintain an enterprise key management solution, giving you complete control over the lifecycle of security keys in addition, the device has a comprehensive sdk to manage key distribution and administration, which you can effectively use for the following enterprise level business use cases use case description cloud key management the {{k3}} remote cloud service enables you to independently manage key distribution by bringing your key generated through the secure internal hsm and transferring it to your cloud environment by using encryption key wrapping end to end data protection you can manage application encryption, transparent database encryption (tde), file encryption, and tokenization through the {{k3}} device with the cryptographic protection validated by the fips 140 2 level 3 standards that are enforced throughout the process pki management you can use the {{k3}} device to build an expansive and robust public key infrastructure (pki), enabling you to go offline and perform certificate signing and issuing to secure your pki code signing management the {{k3}} device enables you to manage code signing requests securely for internet of things (iot) devices, authenticode digital signatures, java applications, and continuous integration/continuous development (ci/cd) for code deployments financial key management the {{k3}} device enables financial institutions to securely manage emv payment processing operations with the option to remotely manage the entire key loading process, giving you the flexibility to control key loading from practically anywhere you can manage the {{k3}} device by using the following methods or devices the {{futurex}} command line interface (fxcli) application the local application interface an excrypt touch device a remote desktop session this guide uses the remote desktop interface to illustrate managing keys and key groups integration guide overview this guide discusses the following concepts fundamental components of an issuing ca certificate formats, profiles, and extensions certificate authority (ca) workflow registration authority (ra) functionality on the kmes integration with 3rd party tools revocation checking mechanisms java keystore (jks) protocols for certificate management the following sections cover these topics in detail