Architecture
emCA is deployed in high-availability mode against a database cluster. Components are isolated into five zones, with all inter-zone communication authenticated.

The deployment diagram shows five main zones:
Security Zone: A firewall and load balancer enforce access controls on inbound and outbound traffic.
Application Zone: Hosts the certificate enrolment service, the OCSP/LDAP endpoint, and the TSA (time stamping authority). The certificate enrolment server issues certificates to clients. The OCSP/LDAP endpoint serves certificate status information, such as whether a certificate has been revoked. The TSA issues RFC 3161 timestamp tokens that prove a signature or document existed at a given time; relying parties use them to keep signatures verifiable after the signing certificate has expired.
Directory and Validation Services Zone: Contains the LDAP, OCSP, and CRL servers. The LDAP directory stores user and certificate data. The OCSP responder answers per-certificate status queries, and the CRL server publishes the signed list of revoked certificates.
Certificate Management Zone: Manages the certificates issued to clients. It contains the certificate authority (CA), the policy authority (PA), and the database cluster. The CA issues certificates; the PA defines the policies that govern how certificates are issued and managed; the database cluster stores information about certificates, users, and other PKI entities.
HSM (Hardware Security Module): A tamper-resistant device that holds the CA's private keys. Certificates, CRLs and other PKI artifacts are signed inside the HSM, so the signing keys are never exposed to the application hosts.
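The following script is an added example, not emCA's own tooling or configuration: it builds a throwaway CA with the openssl CLI and walks the path the zones above describe (issue, revoke, publish a CRL, answer and verify an OCSP query), including the window in which a relying party using a stale CRL still sees a revoked certificate as good. The file names, config section names, subject names and the scratch directory are all assumptions made for this lab; the only requirements are a POSIX shell and openssl 1.1.1 or 3.x.

```shell
#!/bin/sh
# Added example, not emCA's own tooling or configuration: a throwaway CA built
# with the openssl CLI walks the issue / revoke / CRL / OCSP path described above.
# Assumes a POSIX shell and openssl 1.1.1 or 3.x; every name below is assumed.
set -eu
# Lab CA in a scratch directory: root key, self-signed root certificate and the
# bookkeeping files 'openssl ca' expects. The key is a plain file here; in the
# deployment above it is generated and used inside the HSM.
lab_setup() {
    LAB=$(mktemp -d)
    cd "$LAB"
    mkdir newcerts
    : > index.txt
    echo 01 > serial
    echo 01 > crlnumber
    cat > ca.cnf <<'EOF'
[ ca ]
default_ca       = lab_ca
[ lab_ca ]
dir              = .
database         = $dir/index.txt
new_certs_dir    = $dir/newcerts
serial           = $dir/serial
crlnumber        = $dir/crlnumber
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
default_md       = sha256
default_days     = 1
default_crl_days = 1
policy           = lab_policy
x509_extensions  = lab_ee
[ lab_policy ]
commonName       = supplied
[ lab_root ]
basicConstraints = critical, CA:TRUE
keyUsage         = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[ lab_ee ]
basicConstraints = CA:FALSE
keyUsage         = digitalSignature
[ req ]
distinguished_name = lab_dn
[ lab_dn ]
EOF
    openssl req -config ca.cnf -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Lab Root CA" -extensions lab_root \
        -keyout ca.key -out ca.crt 2>/dev/null
}
# Enrolment: the client generates a key and CSR, the CA signs it and records the
# serial in the issuance database that the CRL and OCSP services read.
lab_issue() {
    openssl req -config ca.cnf -new -newkey rsa:2048 -nodes \
        -subj "/CN=client-1" -keyout ee.key -out ee.csr 2>/dev/null
    openssl ca -config ca.cnf -batch -notext -in ee.csr -out ee.crt 2>/dev/null
}
# Publish a fresh signed CRL, as the CRL server in the validation zone would.
lab_crl() {
    openssl ca -config ca.cnf -gencrl -out ca.crl 2>/dev/null
}
# Revoke the client certificate. Only the database changes; the published CRL
# stays stale until lab_crl runs again, whereas OCSP answers from the database.
lab_revoke() {
    openssl ca -config ca.cnf -revoke ee.crt -crl_reason keyCompromise 2>/dev/null
}
# Relying-party check against the CRL: prints good, revoked or the error text.
crl_status() {
    out=$(openssl verify -CAfile ca.crt -crl_check -CRLfile ca.crl ee.crt 2>&1 || true)
    case "$out" in
        *"certificate revoked"*) echo revoked ;;
        *": OK"*)                echo good ;;
        *)                       echo "error: $out" ;;
    esac
}
# Relying-party check via OCSP. The responder runs in file mode over the same
# database and signs with the CA key directly (a production responder uses a
# dedicated OCSP signing key). -no_nonce keeps the request and response paired.
ocsp_status() {
    openssl ocsp -no_nonce -issuer ca.crt -cert ee.crt -reqout ocsp.req 2>/dev/null
    openssl ocsp -no_nonce -index index.txt -CA ca.crt -rsigner ca.crt -rkey ca.key \
        -reqin ocsp.req -respout ocsp.resp 2>/dev/null
    openssl ocsp -no_nonce -issuer ca.crt -cert ee.crt -CAfile ca.crt \
        -respin ocsp.resp 2>/dev/null | sed -n 's/^ee\.crt: //p'
}
# Walk the lifecycle and show the stale-CRL window after revocation.
lab_demo() {
    lab_setup; lab_issue; lab_crl
    echo "issued:        crl=$(crl_status) ocsp=$(ocsp_status)"
    lab_revoke
    echo "revoked:       crl=$(crl_status) ocsp=$(ocsp_status)"
    lab_crl
    echo "crl refreshed: crl=$(crl_status) ocsp=$(ocsp_status)"
}
lab_demo
```

The middle line of the output is the operational point: between revocation and the next CRL publication, a relying party that checks only the cached CRL still accepts the certificate, while the OCSP responder, reading the same issuance database, already reports it revoked. Relying-party configuration should therefore prefer OCSP where it is reachable and fall back to a CRL only within that CRL's nextUpdate window.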