Futurex Online Issuing CA
The provides a turnkey solution for offline enterprise-level Certificate Authority (CA) and Private Key Infrastructure (PKI) management. You can issue Root CAs offline, which may power down the device and disconnect it from the network. In addition, the enables to import and export PKIs offline.
PKI is a set of roles, policies, hardware, software, and procedures necessary to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption. PKI facilitates the secure electronic transfer of information in a network. This technology primarily secures electronic transactions, confirms the identity of individuals and devices, and protects the integrity of distributed data.
PKI is built upon asymmetric cryptography, which employs a pair of keys: a private key and a public key. While the private key remains confidential and in the sole possession of the owner, the public key is made freely available in a public directory. Through this framework, anyone can encrypt a message using a public key, but only the private key holder can decrypt it. This duality of keys forms the foundation of authentication, confidentiality, and integrity assurances in a PKI system.
An Issuing Certification Authority (CA), part of the hierarchical PKI structure, plays a crucial role in the management and verification of digital certificates. It issues, validates, and revokes digital certificates.
The process begins when an entity (a person or a system) generates a pair of cryptographic keys and sends a Certificate Signing Request (CSR) containing the public key and some identifying information to the CA. The CA validates the authenticity of the request and the identity of the requester and then uses its private key to sign the public key of the entity, creating a digital certificate. You can then publicly share this digital certificate, acting as a form of digital ID, to establish the identity of the entity and the authenticity of its public key.
An Issuing CA is typically subordinate to the Root CA in the PKI hierarchy. While the Root CA's private key is highly secured and used sparingly, the Issuing CA's private key is used more frequently to sign end-entity certificates. This arrangement maintains the security and integrity of the Root CA while providing the operational flexibility needed to handle the vast number of requests for new certificates.
In summary, the Issuing CA acts as a trusted third party in the PKI structure, facilitating trust in digital transactions and communications. It ensures that the entities involved in these exchanges are who they claim to be, which is foundational to secure digital interactions.
The device enables you to deploy and maintain an Enterprise Key Management solution, giving you complete control over the lifecycle of security keys. In addition, the device has a comprehensive SDK to manage key distribution and administration, which you can effectively use for the following enterprise-level business use cases:
Use case
Description
Cloud Key Management
End-to-end Data Protection
PKI Management
Code Signing Management
Financial Key Management
- the Futurex Command Line Interface (CLI) application
- the local application interface
- an Excrypt Touch device
- a remote desktop session
This guide uses the remote desktop interface to illustrate managing keys and key groups.
This guide discusses the following concepts:
- Fundamental components of an issuing CA.
- Certificate formats, profiles, and extensions.
- Certificate Authority (CA) workflow.
- Registration Authority (RA) functionality on the KMES.
- Integration with 3rd-party tools.
- Revocation checking mechanisms.
- Java Keystore (JKS).
- Protocols for certificate management
The following sections cover these topics in detail.