As the extensive documentation on the Key Ceremony makes clear, at the heart of every Digi-CA™ is at least one Root CA. Every Digi-CA™ Certificate is based on a key pair: a Public Key, which is embedded in the Certificate, and a Private Key, which must be kept secret. The Root Key Ceremony produces the unique pair of Public and Private Root Keys; depending on the Certificate Practice Statement [CPS] and Certificate Policy [CP], generating the Root Keys may require notarization, legal representation, witnesses and ‘Key Holders’ to be present. This process is best explained with some examples; for further details, review the Root Key Ceremony.
The Root Key is only ever used to sign the Intermediate CA Certificate(s); it never issues end-entity Certificates directly. After the Intermediate(s) have been signed, the Root Private Key is 3-DES encrypted and split into a minimum of four Key shares, each stored on a 3-DES encrypted smartcard and signed with RSA SHA-1. Every Key share has its own unique password, and the shares should be stored separately in different secure locations (bank vault, safety deposit box, attorney’s office, etc.), so that no single custodian can reassemble the Root Key. A Key generation log is kept in the system and in a separate physical log. (Practitioners should note that 3-DES and SHA-1 signatures are both deprecated under current standards; a new deployment would be expected to use AES and SHA-256 in their place.)
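The paragraph above describes splitting the encrypted Root Key into at least four custodial shares without naming the splitting scheme. The following is an added example, not Digi-CA™ code: it implements Shamir's threshold secret sharing over GF(2^8), one standard way to split a byte blob of any length (such as a 3-DES-wrapped root key) into n shares of which any k rebuild it, while fewer than k reveal nothing. The 3-of-4 threshold, the function names and the 24-byte sample secret are assumptions for illustration.

```python
"""Threshold splitting of a key blob into custodial shares (added example).

Shamir's secret sharing over GF(2^8): each byte of the secret becomes the
constant term of a random degree-(k-1) polynomial, and share x holds the
polynomial's value at x.  Any k shares interpolate the constant term back;
k-1 shares are uniformly random and reveal nothing about the secret.
The 3-of-4 threshold and the sample blob below are assumptions, not
Digi-CA(TM) values.
"""
import secrets

# GF(2^8) multiplication with the AES reduction polynomial x^8+x^4+x^3+x+1.
def gf_mul(a: int, b: int) -> int:
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r

def gf_inv(a: int) -> int:
    # Fermat: a^(2^8 - 2) = a^254 is the inverse of a != 0.
    if a == 0:
        raise ZeroDivisionError("no inverse for 0 in GF(2^8)")
    result, base, e = 1, a, 254
    while e:
        if e & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        e >>= 1
    return result

def _eval_poly(coeffs, x: int) -> int:
    # coeffs[0] is the secret byte; Horner evaluation in GF(2^8).
    acc = 0
    for c in reversed(coeffs):
        acc = gf_mul(acc, x) ^ c
    return acc

def split_secret(secret: bytes, k: int, n: int):
    """Return n shares as (x, k, payload); any k of them reconstruct secret."""
    if not 1 < k <= n < 256:
        raise ValueError("need 2 <= k <= n <= 255")
    # One fresh random polynomial per secret byte (k-1 random coefficients).
    polys = [[s] + [secrets.randbelow(256) for _ in range(k - 1)] for s in secret]
    return [(x, k, bytes(_eval_poly(p, x) for p in polys)) for x in range(1, n + 1)]

def reconstruct_secret(shares) -> bytes:
    """Lagrange-interpolate every byte at x = 0 from at least k distinct shares."""
    if not shares:
        raise ValueError("no shares supplied")
    k = shares[0][1]
    xs = [x for x, _, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    if len(shares) < k:
        raise ValueError(f"threshold is {k}, got {len(shares)} shares")
    use = shares[:k]
    length = len(use[0][2])
    if any(len(p) != length for _, _, p in use):
        raise ValueError("share payloads differ in length")
    out = bytearray()
    for pos in range(length):
        acc = 0
        for i, (xi, _, pi) in enumerate(use):
            num, den = 1, 1
            for j, (xj, _, _) in enumerate(use):
                if i != j:
                    num = gf_mul(num, xj)       # (0 - xj) == xj in characteristic 2
                    den = gf_mul(den, xi ^ xj)  # (xi - xj) == xi ^ xj
            acc ^= gf_mul(pi[pos], gf_mul(num, gf_inv(den)))
        out.append(acc)
    return bytes(out)

# Constructed sample: stands in for the 3-DES-encrypted root key blob.
SAMPLE_WRAPPED_KEY = bytes(range(24))

def demo():
    """Split 3-of-4 and confirm two different 3-share subsets rebuild the blob."""
    shares = split_secret(SAMPLE_WRAPPED_KEY, k=3, n=4)
    assert reconstruct_secret(shares[:3]) == SAMPLE_WRAPPED_KEY
    assert reconstruct_secret([shares[0], shares[2], shares[3]]) == SAMPLE_WRAPPED_KEY
    return shares

if __name__ == "__main__":
    for x, k, payload in demo():
        print(f"share {x} (threshold {k}): {payload.hex()}")
```

Each share would then be written to its custodian's smartcard under that custodian's own password; the per-share encryption and the RSA signature over each share that the page mentions are outside this example, which only shows the splitting and recombination step.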
Important Note: the validity period of the Root Certificate should not exceed 25 years.
To issue Digi-IDs™ from the system, at least one self-signed Digi-CA™ Root Certificate must be generated. Depending on the options ordered, the system can create any number of Digi-CA™ Root Certificates and Digi-CA™ Intermediate Roots, each with its own policy and validity period. The figure below shows a theoretical relationship between Digi-CA™ CA Certificates. Consult Digi-CAST1™ before setting up your specific schema.
The Intermediate CA’s private key is likewise 3-DES encrypted and held as key shares, each with its own unique password.
The Digi-CA™ PKI System can also operate a Sub-CA whose Certificate is signed by a publicly recognized CA. This lets the Digi-CA™ issue and manage Digital Certificates for S/MIME and SSL that are trusted throughout the Internet community, because they chain to a Root already present in browsers and mail clients. To have a globally Trusted Root [TRoot] sign the Sub-CA, consult the Digi-CAST™ Team leader for your project.