Single Instance

In a Single Instance deployment, the emCA application server, OCSP server, TSA server, and DB server are installed on individual servers within a secure zone. The Hardware Security Module (HSM) is isolated in a highly trusted zone to safeguard cryptographic keys.

Key Components

  • emCA CA Application Server – Generates and issues certificates, manages the CA’s certificate pool, and handles certificate lifecycle events.

  • Timestamping Authority (TSA) Server – Issues trusted timestamps for digital signatures, maintaining long-term certificate validity and integrity.

  • OCSP Application Server – Responds to Online Certificate Status Protocol requests to confirm certificate revocation status.

  • Database Server – Stores CA certificate records, user data, device details, and related metadata.

  • Hardware Security Module (HSM) – Secure, tamper-resistant storage for private keys and sensitive cryptographic material.

  • Offline emCA – Provides certificate generation capability when the primary CA server is unavailable.

  • Network Access – Accessible via internet or intranet for authorized certificate requests and management.

Deployment

Each function is hosted on its own server within the secure zone. Network protection is enforced using routers and firewalls.

Advantages

  • Simplified deployment and management.

  • Lower infrastructure cost compared to distributed models.

  • Suitable for organizations with moderate certificate issuance needs.

Limitations

  • Limited scalability for high-volume environments.

  • Single point of failure risk if a server is compromised or fails.

  • Requires strict configuration control and continuous security monitoring.
