Once the Certificate Policy Requirements are documented and available, the project process can begin. The Digi-CA™ project can be sub-divided into five separate undertakings:
The Certificate Policy sets out the system design, the RA function and the overall workflow of the system, as well as the design of the Root Certificate(s) and Intermediate Root Certificate(s). As explained in the Requirements section of this document, the Digi-CA™ is pre-configured before delivery to the customer site.
During the software configuration, the Digi-CAST2™ Team will produce test Root Certificate(s) and Intermediate Certificate(s) for your approval. Again, depending on the Certificate Policy, the actual Root(s) and Intermediate Certificate(s) may be generated prior to delivery. Other workflows and processes may also need to be verified. Finally, all the interfaces for the End User and Administrators can be customized to reflect the organization’s identity and/or local language.
Once the configuration is complete, it is compiled together with the ‘hardened’ Operating System [OS] and software, and delivered on a CD or DVD to the customer site.
At the heart of every Digi-CA™ is at least one Root Key or Root Certificate and at least one Intermediate Root Certificate. Every Digi-CA™ Certificate is made from a Public and a Private Key. A Root Key Ceremony is a procedure in which a unique pair of Public and Private Root Keys is generated. Depending on the Certificate Policy, the generation of the Root Keys may require notarization, legal representation, witnesses and ‘Key Holders’ to be present. This process is best explained with some examples:
The Root Certificate is only ever used to sign the Intermediate Root Key(s). After signing the Intermediate Root Key(s), the Root Key is 3-DES encrypted and split into a minimum of 4 Key shares, each of which is stored on a 3-DES encrypted smartcard and signed with SHA-1. All Key shares will have a unique password and should be stored separately in different secure locations (bank vault, safety deposit box, attorney’s office, etc.). A Key generation log is kept in the system and in a separate physical log.
Important Note: the Root Certificate should not exceed a 25-Year life duration.
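The split into password-protected Key shares described above can be sketched as follows. This is an added example, not Digi-CA™ code: the page does not say how the split is performed, so it assumes a simple XOR split in which every share is required, and it uses PBKDF2 with HMAC-SHA-256 for the per-share check in place of the SHA-1 signature the page mentions. Smartcard storage and 3-DES encryption are not modelled, and all function names are hypothetical.

```python
import hashlib
import hmac
import secrets

MIN_SHARES = 4  # the page's stated minimum number of Key shares


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _tag(index, share, password, salt):
    # Derive a per-holder key from that holder's unique password, then MAC the share.
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return hmac.new(key, bytes([index]) + share, hashlib.sha256).digest()


def split_key(secret, passwords):
    """Split `secret` into one XOR share per password; all shares are needed to rebuild."""
    if len(passwords) < MIN_SHARES:
        raise ValueError(f"need at least {MIN_SHARES} Key Holders")
    if len(set(passwords)) != len(passwords):
        raise ValueError("every share must have a unique password")
    parts = [secrets.token_bytes(len(secret)) for _ in passwords[:-1]]
    last = secret
    for part in parts:
        last = _xor(last, part)
    parts.append(last)  # the XOR of all parts now equals the secret
    shares = []
    for i, (part, pw) in enumerate(zip(parts, passwords)):
        salt = secrets.token_bytes(16)
        shares.append({"index": i, "share": part, "salt": salt,
                       "tag": _tag(i, part, pw, salt)})
    return shares


def rebuild_key(shares, passwords, expected):
    """Verify each share against its holder's password, then XOR them together."""
    if len(shares) != expected or len(passwords) != expected:
        raise ValueError("all Key Holders must be present")
    secret = bytes(len(shares[0]["share"]))
    ordered = sorted(shares, key=lambda s: s["index"])
    for s, pw in zip(ordered, passwords):
        good = _tag(s["index"], s["share"], pw, s["salt"])
        if not hmac.compare_digest(good, s["tag"]):
            raise ValueError(f"share {s['index']} failed verification")
        secret = _xor(secret, s["share"])
    return secret
```

With this scheme a missing, altered or wrongly unlocked share stops the rebuild instead of silently producing a different key, which is the property the separate storage locations and unique passwords rely on.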
The Intermediate Root Certificate is protected by 3-DES encryption and all key shares have unique passwords.
In order to create Digi-IDs™ from the system, at least one self-signed Digi-CA™ Root Certificate must be generated. Depending on the options ordered, the system can create any number of Digi-CA™ Root Certificates and Digi-CA™ Intermediate Roots with different policies and validity. The figure below represents a theoretical relationship between Digi-CA™ Root Certificates. Please consult Digi-CAST1™ before setting up your specific schema.