emCA Deployment Architecture

emCA is usually configured in High Availability mode connected to a database cluster as indicated in the diagram below. Since emCA is never exposed to public internet, the application will reside in a private subnet and communicate to external applications through a services layer which is tightly controlled through strong authentication.

The diagram shows a Deployment architecture. It consists of five main zones:

  • Security Zone: This zone contains the firewall and load balancer that protect the other two zones from unauthorized access.

  • Application Zone: This zone contains the certificate enrollment, OCSP/LDAP server, and TSA. The certificate enrollment server is responsible for issuing certificates to clients. The OCSP/LDAP server provides information about the status of certificates, such as whether they are revoked. The TSA provides timestamps for certificates, which can be used to verify their validity.

  • Directory and Validation Services Zone: This zone contains the LDAP, OCSP, and CRL servers. The LDAP server stores information about users and certificates. The OCSP server provides information about the status of certificates. The CRL server provides a list of revoked certificates.

  • Certificate Management zone: This is responsible for managing the certificates that are issued to clients. It includes the certificate authority (CA), policy authority (PA), and database cluster. The CA is responsible for issuing certificates. The PA defines the policies that govern how certificates are issued and managed. The database cluster stores information about certificates, users, and other PKI entities.

  • HSM (hardware security module): This a secure device that stores the CA's private keys. It is used to sign certificates and other PKI entities.

Last updated