# Architecture

emCA is deployed in high-availability mode, backed by a database cluster. Its components are separated into five network zones, and all communication between zones is authenticated.

<figure><img src="/files/o5AffpiMSMa2dI3U4BFx" alt=""><figcaption></figcaption></figure>

The diagram shows the deployment architecture, which contains five main zones:

* **Security Zone:** A firewall and load balancer sit at the perimeter and enforce access controls on incoming and outgoing traffic.
* **Application Zone:** Hosts the certificate enrolment service, the OCSP/LDAP endpoint that clients query, and the TSA for timestamping. The certificate enrolment server handles enrolment requests from clients and delivers the certificates issued to them. The OCSP/LDAP endpoint answers questions about the status of a certificate, such as whether it has been revoked. The TSA issues signed timestamps (time-stamp tokens) over documents and signatures, so that a signature can later be shown to have been made while the signer's certificate was still valid.
* **Directory and Validation Services Zone:** This zone contains the LDAP, OCSP, and CRL servers. The LDAP directory holds entries for users and their certificates. The OCSP responder answers per-certificate status queries (good, revoked, or unknown). The CRL server publishes the CA's signed list of revoked certificates.
* **Certificate Management Zone:** This zone manages the certificates issued to clients. It includes the certificate authority (CA), the policy authority (PA), and the database cluster. The CA signs and issues certificates. The PA defines the policies that govern how certificates are issued, renewed, and revoked. The database cluster stores the records of certificates, users, and other PKI entities.
* **HSM (Hardware Security Module):** A tamper-resistant device that holds the CA's private keys so that they are never exposed outside the module. All signing of certificates and other PKI objects with those keys is performed inside the HSM.
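
As an added example (not emCA's own code or configuration) of what the two revocation services in the Directory and Validation Services Zone answer, and how a relying party checks each, the following POSIX shell script builds a throwaway CA with the openssl CLI, issues two certificates, revokes one, publishes a CRL, runs openssl's built-in OCSP responder on a loopback port, and then checks both certificates each way. The lab CA and its `index.txt` also stand in for the Certificate Management Zone's CA and database. Everything specific to it (the temporary lab directory, the subject names alice, bob and ocsp, port 18888, the one-day CRL lifetime, the extension sections) is an assumption made for this demo.

```shell
#!/bin/sh
# Added lab demo, not emCA's own tooling: a throwaway CA (standing in for the
# Certificate Management Zone) issues two certificates, revokes one, publishes a
# CRL and serves OCSP; a relying party then checks both certificates through each
# validation service. Paths, subject names and the loopback port are assumptions
# made for this example. Needs the openssl CLI (1.1.1 or 3.x); no real PKI is touched.
set -eu
LAB="${LAB:-$(mktemp -d)}"; OCSP_PORT="${OCSP_PORT:-18888}"; OCSP_PID=""
cd "$LAB"
# Minimal "openssl ca" configuration plus a self-signed lab root.
lab_setup() {
  mkdir -p ca/newcerts; : > ca/index.txt; echo 1000 > ca/serial; echo 01 > ca/crlnumber
  cat > ca/openssl.cnf <<'EOF'
[ req ]
distinguished_name = req_dn
x509_extensions = root_ext
[ req_dn ]
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ ca ]
default_ca = lab_ca
[ lab_ca ]
dir = ./ca
database = $dir/index.txt
new_certs_dir = $dir/newcerts
serial = $dir/serial
crlnumber = $dir/crlnumber
certificate = $dir/ca.crt
private_key = $dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 1
policy = lab_policy
x509_extensions = leaf_ext
[ lab_policy ]
commonName = supplied
[ leaf_ext ]
basicConstraints = CA:FALSE
[ ocsp_ext ]
basicConstraints = CA:FALSE
extendedKeyUsage = OCSPSigning
EOF
  openssl req -config ca/openssl.cnf -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Lab Root CA" -keyout ca/ca.key -out ca/ca.crt 2>/dev/null
}

# Enrolment stand-in: key and CSR for subject $1, signed under extension section $2.
issue_cert() {
  openssl req -config ca/openssl.cnf -new -newkey rsa:2048 -nodes \
    -subj "/CN=$1" -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl ca -batch -config ca/openssl.cnf -extensions "$2" -in "$1.csr" -out "$1.crt" -notext 2>/dev/null
}

# Mark $1.crt revoked in the CA database; relying parties learn nothing until a
# CRL is re-issued or the OCSP responder reads the updated index.
revoke_cert() { openssl ca -batch -config ca/openssl.cnf -revoke "$1.crt" -crl_reason keyCompromise 2>/dev/null; }

# CRL service: the CA signs the whole list of revoked serials; relying parties cache
# it and check offline, so it is only as fresh as its last issue.
publish_crl() { openssl ca -batch -config ca/openssl.cnf -gencrl -out ca.crl 2>/dev/null; }

# Returns 0 if $1.crt chains to the lab root and is absent from the CRL.
check_via_crl() { openssl verify -crl_check -CAfile ca/ca.crt -CRLfile ca.crl "$1.crt" >/dev/null 2>&1; }

# OCSP service: a responder signs per-certificate answers on demand from the CA
# index, using a delegated signer certificate that carries the OCSPSigning EKU.
start_ocsp_responder() {
  openssl ocsp -index ca/index.txt -port "$OCSP_PORT" -rsigner ocsp.crt -rkey ocsp.key \
    -CA ca/ca.crt -nmin 5 >/dev/null 2>&1 &
  OCSP_PID=$!
  for _ in 1 2 3 4 5 6 7 8 9 10; do   # wait until the responder answers
    openssl ocsp -issuer ca/ca.crt -cert alice.crt -noverify \
      -url "http://127.0.0.1:$OCSP_PORT" >/dev/null 2>&1 && return 0
    sleep 1
  done
  echo "OCSP responder did not come up" >&2; return 1
}
stop_ocsp_responder() { [ -n "$OCSP_PID" ] && kill "$OCSP_PID" 2>/dev/null || true; OCSP_PID=""; }

# Prints good / revoked / unknown for $1.crt. -CAfile makes the client verify that the
# responder's signature chains to the root; an unverifiable answer is an error, not a
# status, which is what stops anyone on the path from injecting a forged "good".
ocsp_status() {
  openssl ocsp -issuer ca/ca.crt -cert "$1.crt" -url "http://127.0.0.1:$OCSP_PORT" \
    -CAfile ca/ca.crt > "$1.ocsp.txt" 2>/dev/null || return 1
  awk -v n="$1.crt:" '$1 == n { print $2 }' "$1.ocsp.txt"
}

trap stop_ocsp_responder EXIT
lab_setup
issue_cert alice leaf_ext; issue_cert bob leaf_ext; issue_cert ocsp ocsp_ext
revoke_cert bob; publish_crl; start_ocsp_responder
if check_via_crl alice; then ALICE_CRL=valid; else ALICE_CRL=rejected; fi
if check_via_crl bob;   then BOB_CRL=valid;   else BOB_CRL=rejected;   fi
ALICE_OCSP=$(ocsp_status alice); BOB_OCSP=$(ocsp_status bob)
stop_ocsp_responder
printf 'alice: CRL=%s OCSP=%s\nbob: CRL=%s OCSP=%s\n' "$ALICE_CRL" "$ALICE_OCSP" "$BOB_CRL" "$BOB_OCSP"   # alice valid/good, bob rejected/revoked
```

Run it as `sh demo.sh`; it leaves the lab CA under the temporary directory so the index, CRL and responses can be inspected with `openssl crl -text -in ca.crl` and `cat *.ocsp.txt`. The two answers differ in a way that matters for the architecture: the CRL verdict comes from a cached, signed list and keeps working when the validation zone is unreachable, but it lags until the next CRL is issued; the OCSP verdict is fresh but depends on the responder being reachable and, as the `-CAfile` check shows, on verifying the responder's signature rather than trusting whatever comes back on the wire.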
