Certificate Authority

Futurex Online Issuing CA


The KMES Series 3 provides a turnkey solution for offline enterprise-level Certificate Authority (CA) and Public Key Infrastructure (PKI) management. You can issue Root CAs offline, with the device powered down and disconnected from the network when required. In addition, the KMES Series 3 enables you to import and export PKIs offline.

Background of PKI

PKI is a set of roles, policies, hardware, software, and procedures necessary to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption. PKI facilitates the secure electronic transfer of information in a network. This technology primarily secures electronic transactions, confirms the identity of individuals and devices, and protects the integrity of distributed data.

PKI is built upon asymmetric cryptography, which employs a pair of keys: a private key and a public key. While the private key remains confidential and in the sole possession of the owner, the public key is made freely available in a public directory. Through this framework, anyone can encrypt a message using a public key, but only the private key holder can decrypt it. This duality of keys forms the foundation of authentication, confidentiality, and integrity assurances in a PKI system.

The role of the Issuing Certification Authority

An Issuing Certification Authority (CA), part of the hierarchical PKI structure, plays a crucial role in the management and verification of digital certificates. It issues, validates, and revokes digital certificates.

The process begins when an entity (a person or a system) generates a pair of cryptographic keys and sends a Certificate Signing Request (CSR) containing the public key and some identifying information to the CA. The CA validates the authenticity of the request and the identity of the requester and then uses its private key to sign the public key of the entity, creating a digital certificate. You can then publicly share this digital certificate, acting as a form of digital ID, to establish the identity of the entity and the authenticity of its public key.

An Issuing CA is typically subordinate to the Root CA in the PKI hierarchy. While the Root CA's private key is highly secured and used sparingly, the Issuing CA's private key is used more frequently to sign end-entity certificates. This arrangement maintains the security and integrity of the Root CA while providing the operational flexibility needed to handle the vast number of requests for new certificates.

In summary, the Issuing CA acts as a trusted third party in the PKI structure, facilitating trust in digital transactions and communications. It ensures that the entities involved in these exchanges are who they claim to be, which is foundational to secure digital interactions.
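The two-tier workflow described above (an offline Root CA, a subordinate Issuing CA that signs end-entity CSRs, and a relying party that trusts only the root), built with OpenSSL as an added example; this is not Futurex or KMES code, and the names, subjects and file paths are hypothetical.

```shell
#!/bin/sh
# Added example (not Futurex or KMES code): an OpenSSL two-tier hierarchy following
# the workflow above. Names and paths are hypothetical; keys are plain files for demo only.
KEYOPT="ec_paramgen_curve:prime256v1"

# newkey_csr NAME SUBJECT: the entity makes its own key pair; only the CSR leaves it.
newkey_csr() {
  openssl req -new -newkey ec -pkeyopt "$KEYOPT" -nodes \
    -keyout "$1.key" -out "$1.csr" -subj "$2" 2>/dev/null
}

build_hierarchy() (
  set -e
  mkdir -p "$1" && cd "$1"

  # 1. Root CA: self-signed, meant to stay offline; may have one CA tier below it.
  newkey_csr root "/CN=Example Root CA"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign\n' >root.ext
  openssl x509 -req -in root.csr -signkey root.key -days 3650 \
    -extfile root.ext -out root.crt 2>/dev/null

  # 2. Issuing CA: its CSR is signed by the root as a CA with pathlen:0.
  newkey_csr issuing "/CN=Example Issuing CA"
  printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' >issuing.ext
  openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key -CAcreateserial \
    -days 1825 -extfile issuing.ext -out issuing.crt 2>/dev/null

  # 3. End entity: the issuing CA (not the root) signs it and marks it CA:FALSE.
  newkey_csr server "/CN=app.example.test"
  printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth\n' >server.ext
  openssl x509 -req -in server.csr -CA issuing.crt -CAkey issuing.key -CAcreateserial \
    -days 365 -extfile server.ext -out server.crt 2>/dev/null
)

# Relying-party check: only the root is trusted; the issuing CA certificate is
# supplied as untrusted chain material, as a server would send it in a handshake.
verify_chain() {
  openssl verify -CAfile "$1/root.crt" -untrusted "$1/issuing.crt" "$1/server.crt" >/dev/null 2>&1
}

# Without the issuing CA certificate, the leaf cannot be linked back to the root.
verify_without_intermediate() {
  openssl verify -CAfile "$1/root.crt" "$1/server.crt" >/dev/null 2>&1
}

# True only if the leaf claims to be a CA (it must not; the issuing CA constrained it).
leaf_is_ca() {
  openssl x509 -in "$1/server.crt" -noout -text 2>/dev/null | grep -q 'CA:TRUE'
}
```

Run `build_hierarchy /tmp/demo-pki && verify_chain /tmp/demo-pki` to see the chain validate; removing the issuing certificate from the check makes validation fail, which is why the intermediate must always be distributed with the leaf.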

KMES Series 3 features overview

The KMES Series 3 device enables you to deploy and maintain an Enterprise Key Management solution, giving you complete control over the lifecycle of security keys. In addition, the device has a comprehensive SDK to manage key distribution and administration, which you can use for the following enterprise-level business use cases:

  • Cloud Key Management: The remote cloud service enables you to independently manage key distribution by bringing your own key, generated through the secure internal HSM, and transferring it to your cloud environment by using encryption key wrapping.
  • End-to-end Data Protection: You can manage application encryption, Transparent Database Encryption (TDE), file encryption, and tokenization through the KMES Series 3 device, with cryptographic protection validated to FIPS 140-2 Level 3 enforced throughout the process.
  • PKI Management: Businesses can use the KMES Series 3 device to build an expansive and robust Public Key Infrastructure (PKI), enabling you to take the device offline and perform certificate signing and issuing to secure your PKI.
  • Code Signing Management: The KMES Series 3 device enables you to securely manage Code Signing Requests (CSRs) for Internet of Things (IoT) devices, Authenticode Digital Signatures, Java applications, and Continuous Integration/Continuous Development (CI/CD) code deployments.
  • Financial Key Management: The KMES Series 3 device enables financial institutions to securely manage EMV payment processing operations, with the option to remotely manage the entire key loading process, giving you the flexibility to control key loading from practically anywhere.

You can manage the KMES Series 3 device by using the following methods or devices:

  • the Futurex Command Line Interface (CLI) application
  • the local application interface
  • an Excrypt Touch device
  • a remote desktop session

This guide uses the remote desktop interface to illustrate managing keys and key groups.

Integration guide overview

This guide discusses the following concepts:

  1. Fundamental components of an issuing CA.
  2. Certificate formats, profiles, and extensions.
  3. Certificate Authority (CA) workflow.
  4. Registration Authority (RA) functionality on the KMES.
  5. Integration with 3rd-party tools.
  6. Revocation checking mechanisms.
  7. Java Keystore (JKS).
  8. Protocols for certificate management.

The following sections cover these topics in detail.