Subordinate CA Signing
-
1.
An IBM compatible computer (hereafter referred to as "the computer") was set up in a room providing strict personnel access control, security camera monitoring [and electronic isolation from any computer networks].2. The computer has a hard disk which has been pre-prepared with a fresh installation of a [Red Hat Enterprise Linux, version 5.0] operating system, the requisite HSM driver, nToken authentication PCI device, HSM device Support Software and the Digi-CA™ PKI System, both acting as the Cryptographic Operation Control Software. The software was tested for correct operation prior to the Key Ceremony by using an HSM reserved for backup purposes.
3. The hard disk installed in the computer contains an encrypted key repository, from which we will load necessary private keys into a securely protected operational memory of our HSM device.
4. The first HSM device (designated #1) was removed from production and connected to the computer prior to this ceremony and the event was monitored and supervised by an appointed company’s Head of Security. The Cryptographic Operation Control Software is now about to be used to cause the numbered (in section 3 above) operations to occur in the following sequence: 10.
During this step, the Key Ceremony Administrator, using the Cryptographic Operation Control Software, will create new Subordinate CA and assign it to a dedicated private key that was previously generated during this ceremony. The newly created Subordinate CA will be signed by the Root CA that was created earlier during this ceremony.
To complete this process, the Key Ceremony Administrator will use a Naming Document, that contains the details of the new Subordinate CA we are about to sign, to create a certificate profile configuration file, containing various certificate related information such as: Subject Distinguished Name, Validity Period, Signature Algorithm, Certificate Serial Number and Certificate extensions. The certificate profile configuration file will be used by the Cryptographic Operation Control Software to create the new Subordinate CA certificate.
All attending Witnesses must ensure, that the certificate details entered into the certificate profile configuration file by the Key Ceremony Administrator, match the details contained in the Naming Document used during this ceremony. The new Subordinate CA Certificate details must be taken from the section of the Naming Document specifically dedicated for the correct Subordinate CA, for which the Subordinate CA Certificate is created.
Key Ceremony Administrator will capture and store during this step any relevant informational output produced on the computer screen by the Cryptographic Operation Control Software in the Key Map Document.