Key Components

emCA suite has following Solution components

Certificate Manager - emCA

The Certificate Manager is the core component responsible for managing the entire lifecycle of digital certificates within an organization. It does the sensitive functionalities such as digital certificate generation, renewal, revocation, and overall maintenance.

Key Features:

  • Role based access to the application

  • Multi factor authentication for user login using token based certificates

  • M out of N user control for separation of duties

  • Supports SCEP, CMP, EST protocols – Automated Certificate issuance

  • User and Group management (view, create, de-activate, renewal and delete)

  • Encryption of sensitive data in the database using AES key stored in HSM

  • Supports Certificate Transparency

  • Signing of CSR generated by external entity

  • Mapping of Groups to CA/Issuing CA for groupwise management of CAs.

  • Support for Cross Certification

  • Multi-HSM support with PKCS#11 compliant HSM

  • OCSP certificates generation and management

  • Support for Mobile PKI

User Enrollment - emRA

The user enrollment platform empowers organizations to oversee both certificate issuance and user KYC (Know Your Customer) information management. This includes handling demographic data, photos, identity and address proofs, along with organizational documentation. The platform offers configurability, allowing inclusion of supplementary information or documents for processing digital certificates. Comprising four decentralized portals, this solution can be flexibly deployed across diverse environments to align with the organization's specific needs.

Key Features

  • Manage Registration Authority Officers with different levels and approval powers.

  • Configure different certificate types and validity, as well as currencies.

  • Create/Configure vetting profiles based on different criteria.

  • Requests can have different verification checklist based on the criteria in vetting profiles.

  • Enable single / multiple RA approvals for the requests based on vetting profiles Risk based verification level configurations.

  • Manage external RAs with multi-level organization, as well as multi-user configurations.

  • Subscriber self-service for certificate management.

  • Certificate Download module Integration for Email and Mobile validation

  • Integration with Video Verification System for in-person verification.

  • Supports Document upload based verifications Video recording system.

Online Certificate Status Protocol (OCSP)

Online Certificate Status Protocol (OCSP) is an Internet protocol that enables clients to verify the revocation status of X.509 digital certificates in real time. It has emerged as a more efficient and effective alternative to Certificate Revocation Lists (CRLs) due to its ability to provide up-to-date revocation information without the need for frequent downloads.

Key Features:

  • OCSP certificates generation and management.

  • Generate OCSP response in compliance with RFC 5019/6960 and compliance with CAB Forum OCSP requirements.

  • Real-time certificate status by connecting to the emCA application.

  • Ability to store OCSP key pair on HSM and use the same for signing the requests.

  • Supports whitelist checking mechanism for OCSP responses.

Overcoming the Limitations of CRLs

CRLs, the traditional method for certificate revocation, have inherent limitations that make them less suitable for modern digital environments. One major drawback is the need for clients to download the entire CRL file, which can be large and time-consuming, especially over low-bandwidth connections. Additionally, CRLs are inherently susceptible to delays in propagation, meaning that revoked certificates may still be accepted for a period of time until the CRL is updated.

Online Certificate Status Protocol (OCSP) Components

Online Certificate Status Protocol (OCSP) is an Internet protocol that enables clients to verify the revocation status of X.509 digital certificates in real time. It consists of two major components:

OCSP Client

The OCSP client is the software that initiates the revocation check by sending an OCSP request to an OCSP responder. The OCSP client typically resides on the machine that wants to verify the validity of a certificate. It receives the OCSP response from the OCSP responder and interprets the response to determine whether the certificate is valid or revoked.

OCSP Responder

The OCSP responder is the server that receives OCSP requests and provides revocation information. It is typically hosted by the Certificate Authority (CA) that issued the certificate. The OCSP responder verifies the request, checks the revocation status of the certificate, and sends a signed response back to the OCSP client.

How OCSP Works in emCA?

  1. The authenticating client or OCSP client (i.e. browser) sends an OCSP request to the OCSP wrapper.

  2. OCSP wrapper sends the request to OCSP core or responder (server).

  3. The responder verifies the request and returns an authentic, digitally signed response indicating the certificate status response containing the status (good, revoked or unknown) to the client.

A good response will indicate the certificate is valid and not revoked. A ‘revoked’ status will indicate the certificate has been revoked.

Integration of OCSP with HSM

The Online Certificate Status Protocol (OCSP) system is integrated with Hardware Security Modules (HSMs) and supports most major HSM models. OCSP responder keys can be securely protected in a single or distributed HSM structure and can be configured in the emCA OCSP component to retrieve the responder keys from the HSM. It is recommended that OCSP responder keys be delegated keys under each Certificate Authority (CA) and may reside in a separate HSM device from the CA HSM. However, the system also supports non-delegated scenarios where OCSP responses may need to be signed by the CA key itself.

Time Stamping Module

The Timestamping Module ensures the integrity and long-term validity of digital signatures by providing trusted timestamps. It is essential for documents and transactions that require proof of existence at a specific point in time.

  • Timestamping can be used to prove the time of a transaction, the time a document was signed, and when it was archived independently and irrefutably.

  • RFC 3161 and RFC 5816 are standards for secure cryptographic timestamping.

How does it work?

Generating a Timestamp

Timestamping provides a secure method of proving the exact time of occurrence for digital documents, transactions, and signatures. This process involves generating a unique identifier, known as a timestamp, that is linked to the original data and cannot be altered without invalidating the timestamp.

Steps for Timestamp Generation:

  1. Data Input: The data to be timestamped is submitted to the timestamping solution. This data can be in various formats, such as PDF, XML, or any other digital format.

  2. Hash Calculation: A hash is calculated from the input data. A hash is a unique digital fingerprint of the data, represented by a string of bits. It is computationally infeasible to generate the same hash value for two different pieces of data.

  3. Hash Concatenation: In the case of web-based timestamping, the entire document is considered as input. The timestamping solution calculates a hash of the document and then appends the timestamp to this hash.

  4. Second Hash Calculation: A second hash is calculated from the concatenated data, which includes the original document hash and the timestamp.

  5. Digital Signature: The generated hash is digitally signed using the private key of the Trusted Time Stamping Authority (TSA). This signature ensures the authenticity and integrity of the timestamp.

  6. Timestamp Response: The signed hash and the timestamp are sent back to the requester, who stores them along with the original data.

This process ensures that the timestamp is securely linked to the original data and cannot be tampered with without invalidating the timestamp.

Verifying Timestamp Authenticity

Timestamping provides a secure method of proving the exact time of occurrence for digital documents, transactions, and signatures. Verifying the authenticity of a timestamp ensures that the document or data has not been altered since the timestamp was created and that the timestamp was issued by a trusted third-party Time Stamping Authority (TSA).

Steps for Timestamp Verification:

  1. Calculate the Hash of the Original Data: Generate a hash of the original document or data to be timestamped.

  2. Append the Timestamp to the Hash: Combine the hash generated in step 1 with the timestamp received from the TSA.

  3. Calculate the Hash of the Concatenated Data: Calculate a hash of the combined data from step 2. This resulting hash is referred to as hash A.

  4. Validate the TSA's Digital Signature: Verify the digital signature provided by the TSA using their public key. This ensures that the timestamp has not been tampered with and was indeed issued by the TSA.

  5. Compare Hash A with Hash B: Compare the hash A calculated in step 3 with the hash B included in the signed TSA message. If the two hashes match, it confirms that the timestamp and the message have not been altered and were issued by the TSA.

  6. Conclusion: If the calculated hash code (hash A) equals the result of the decrypted signature (hash B), it confirms that neither the document nor the timestamp was changed and the timestamp was issued by the TSA. If the hashes do not match, it indicates that either the timestamp was altered or the timestamp was not issued by the TSA.

Key Management Module

The Key Management Module is responsible for the secure generation, storage, and management of cryptographic keys. It ensures the confidentiality and security of keys throughout their lifecycle.

Key Features:

  • Secure key generation and storage.

  • Key rotation and retirement policies.

  • Integration with Hardware Security Modules (HSMs).

Hardware Security Module Integration

Integration with Hardware Security Modules (HSMs) enhances the security of cryptographic operations by utilizing dedicated hardware for key management. It provides additional protection against physical and logical attacks.

Key Features:

  • Secure storage of private keys in hardware.

  • Hardware-based cryptographic operations.

  • Enhanced resistance to tampering and attacks.

Functional Components

Profile Management:

Administrative users can create, modify, and delete certificates and key profiles to meet organization requirements.

CA Certificate Management

The management of CA certificates within the emCA system is handled by users with the officer role. With the help of the key profile and certificate profile generated by the system, officers can create certificates as needed. Additionally, officers have the power to revoke certificates, which ensures that the management process is both dynamic and secure.

User Certificate Management

The emCA system allows officers to manage user certificates through the User Certificate Management feature. By leveraging the key profile and certificate profile, officers can easily create and issue user certificates. Furthermore, officers have the ability to revoke user certificates, which facilitates a holistic and user-focused approach to certificate management.

Key Recovery

The emCA allows key recovery only when the user chooses it while creating a certificate profile. This means that only those who explicitly opt for key recovery during the certificate creation process can use this functionality. This provision ensures that the key recovery process is available only to those who actively choose it.

Backup & Restore

The Backup and restore feature in the emCA system can only be accessed by users. This enables systematic backups and facilitates the restoration of important data and configurations, ensuring the system's stability and continuity.

Reports

All users in the emCA system have the ability to access and view reports. This inclusive feature promotes transparency and accountability by enabling all users, regardless of their roles, to stay informed about various aspects of the certificate infrastructure.

OCSP Management

Seamless integration of OCSP Management in the emCA system allows administrators to effectively manage and configure the OCSP service, facilitating real-time validation of certificate status within the Public Key Infrastructure.

CERT/CRL Management

The emCA system efficiently manages the administration of certificates and Certificate Revocation Lists (CRLs). This includes creating and distributing CRLs, ensuring timely communication of certificate revocation events, and contributing to the overall security of the certificate infrastructure.

License Management

Seamless operation of the solution requires an essential license issued by eMudhra. This module offers functionalities for both generating and managing the requisite license to ensure continuous and unhindered system functionality.

User Management

As a sensitive application, robust role-based access controls have been implemented. This module serves as the hub for creating and managing users, ensuring strict control over user access and permissions.

Last updated