Key Features

Within emCA's solution, users benefit from a wide array of supported key and signature algorithms, complemented by an assortment of integrated key features.

Support for different certificate types

emCA as a certificate issuance platform supports varied types of digital certificates for end users and devices. These include:

Device Certificates: Issued to machines, IoT devices, etc. for device identification and authentication.

SSL/TLS Certificates: Used to secure communication between a user's web browser and a web server. Ensures the confidentiality and integrity of data during transmission.

Code Signing Certificates: Used by software developers to digitally sign their software binaries. Verifies the authenticity and integrity of the software and assures users that it has not been tampered with.

Email Certificates (S/MIME): Used to secure email communication. Provides encryption and digital signatures for emails to ensure confidentiality and verify the sender's identity.

Client Certificates: Used for client authentication in various applications and services. Clients present these certificates to prove their identity to a server.

Document Signing Certificates: Used to sign electronic documents, ensuring the document's authenticity and integrity.

Extended Validation (EV) Certificates: Provides the highest level of assurance for SSL/TLS certificates. Requires a rigorous validation process to confirm the legitimacy of the entity.

Support for certificate transparency

Certificate Transparency is a built-in optional feature that complies with the requirements of various browsers and the recommendations of the CA/Browser Forum on publishing certificate information to log operators. Once it is enabled and configured with trusted log operator information, the system automatically publishes the certificate information and embeds the Signed Certificate Timestamp (SCT) in a certificate extension. This complies with the RFC 6962 specification for Certificate Transparency.
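To check which logs an issued certificate was actually published to, the embedded SCT list can be decoded. The parser below is an added example, not emCA code: it assumes the DER OCTET STRING wrapping of the extension has already been removed, and the log IDs, timestamp and signature bytes are constructed sample values.

```python
import struct

KNOWN_LOGS = {b"\x11" * 32: "constructed-log-A"}  # constructed log ID, not a real log

def parse_sct(buf):
    """Decode one v1 SignedCertificateTimestamp structure (RFC 6962)."""
    version, log_id, ts_ms, ext_len = struct.unpack_from(">B32sQH", buf, 0)
    if version != 0:
        raise ValueError("only SCT version v1 (0) is defined by RFC 6962")
    pos = 43 + ext_len  # 1 + 32 + 8 + 2 header octets, then the extensions
    hash_alg, sig_alg, sig_len = struct.unpack_from(">BBH", buf, pos)
    if pos + 4 + sig_len != len(buf):
        raise ValueError("signature length does not match SCT length")
    return {"log_id": log_id, "timestamp_ms": ts_ms, "hash_alg": hash_alg,
            "sig_alg": sig_alg, "signature": buf[pos + 4:]}

def parse_sct_list(data):
    """Decode the list: 2-octet total length, then length-prefixed SCTs."""
    (total,) = struct.unpack_from(">H", data, 0)
    if total != len(data) - 2:
        raise ValueError("list length does not match payload")
    scts, pos = [], 2
    while pos < len(data):
        (n,) = struct.unpack_from(">H", data, pos)
        if pos + 2 + n > len(data):
            raise ValueError("truncated SCT")
        scts.append(parse_sct(data[pos + 2:pos + 2 + n]))
        pos += 2 + n
    return scts

def unknown_logs(scts, known=KNOWN_LOGS):
    """Return log IDs that are not in the configured set of trusted logs."""
    return [s["log_id"] for s in scts if s["log_id"] not in known]

def sample_list():
    """Constructed input: one SCT from the known log, one from an unlisted log."""
    def sct(log_id):
        # hash_alg 4 = sha256, sig_alg 3 = ecdsa (TLS registry values)
        return (struct.pack(">B32sQH", 0, log_id, 1700000000000, 0)
                + struct.pack(">BBH", 4, 3, 4) + b"\xde\xad\xbe\xef")
    scts = (sct(b"\x11" * 32), sct(b"\x22" * 32))
    body = b"".join(struct.pack(">H", len(s)) + s for s in scts)
    return struct.pack(">H", len(body)) + body
```

An SCT whose log ID is not in the configured set is worth investigating before the certificate is relied on, since browsers only count SCTs from logs they recognise.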

Support for Certification Authority Authorization Record

emCA facilitates CAA Record Validation per RFC 6844, empowering users to define authorized Certification Authorities (CAs) for certificate issuance. This optional yet robust feature allows seamless domain-specific configuration and verification, enhancing the security and validation of certificates issued within the PKI system.

The system within emCA supports the configuration of authorized CAA records, ensuring compliance with domain-specific authorization checks during the domain name verification process. Leveraging this capability provides users with a heightened level of control over certificate issuance, bolstering overall security measures within the PKI infrastructure.
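The decision a CA makes from CAA records can be shown over a constructed zone. This is an added example, not emCA code: DNS lookups are replaced by an in-memory dictionary, CNAME/DNAME handling is omitted, and all domain and CA names are placeholders.

```python
KNOWN_TAGS = {"issue", "issuewild", "iodef"}

# Constructed sample data: name -> list of (flags, tag, value) CAA records.
ZONE = {
    "example.com": [(0, "issue", "ca.example.net"), (0, "issuewild", ";")],
    "shop.example.com": [(0, "issue", "other-ca.example.org; account=123")],
    "critical.example.com": [(128, "futuretag", "x"),
                             (0, "issue", "ca.example.net")],
}

def relevant_rrset(domain, zone):
    """Climb from the name toward the root; the first non-empty CAA set wins."""
    labels = domain.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]  # a wildcard request is checked at its parent name
    for i in range(len(labels)):
        rrset = zone.get(".".join(labels[i:]))
        if rrset:
            return rrset
    return []

def may_issue(domain, ca_domain, zone=ZONE):
    """Return True if the CA identified by ca_domain may issue for domain."""
    rrset = relevant_rrset(domain, zone)
    if not rrset:
        return True  # no CAA records found: issuance is not restricted
    # An unrecognised property with the critical flag (128) set blocks issuance.
    if any(flags & 0x80 and tag.lower() not in KNOWN_TAGS
           for flags, tag, _ in rrset):
        return False
    def values(wanted):
        return [v for _, tag, v in rrset if tag.lower() == wanted]
    props = values("issue")
    if domain.startswith("*.") and values("issuewild"):
        props = values("issuewild")  # issuewild overrides issue for wildcards
    if not props:
        return True  # only iodef or similar present: no issuance restriction
    # The issuer name is the part before ';'; an empty name authorises no CA.
    issuers = {v.split(";", 1)[0].strip().lower() for v in props}
    return ca_domain.lower() in issuers
```

The check belongs at issuance time: a CAA record published after a certificate was issued does not invalidate that certificate.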

Supported Cryptography Algorithms

A wide range of cryptography algorithms, including both traditional and post-quantum cryptography (PQC) algorithms, are supported by the solution. This comprehensive support ensures that it can meet the diverse security needs of organizations in various industries.

Traditional Cryptography Algorithms

Supports several traditional cryptography algorithms, including but not limited to:

  • Digital Signature Algorithm (DSA): A digital signature algorithm widely used for message authentication and integrity verification.

  • RSA (Rivest-Shamir-Adleman): A widely used asymmetric-key cryptosystem based on the difficulty of factoring the product of two large prime numbers.

  • Elliptic Curve Cryptography (ECC): A public-key cryptography algorithm that offers enhanced security and smaller key sizes compared to RSA.

ECC Algorithms

A variety of Elliptic Curve Cryptography (ECC) algorithms are supported, including:

  • secp-192: A 192-bit ECC curve with a good balance of security and performance.

  • secp-256: A 256-bit ECC curve widely used in applications such as Bitcoin and TLS.

  • secp-384: A 384-bit ECC curve offering higher security than secp-256 but with slightly reduced performance.

  • secp-521: A 521-bit ECC curve providing the highest level of security among the listed ECC curves.

  • brainpoolp256r1: A 256-bit ECC curve with a slightly different security profile compared to secp-256.

  • brainpoolp384r1: A 384-bit ECC curve with a slightly different security profile compared to secp-384.

  • brainpoolp521r1: A 521-bit ECC curve with a slightly different security profile compared to secp-521.

  • prime224v1: A 224-bit ECC curve standardized by the National Institute of Standards and Technology (NIST).

  • prime256v1: A 256-bit ECC curve standardized by NIST.

  • Ed25519: A 255-bit ECC curve designed for compact and fast signing operations.

Post-Quantum Cryptography (PQC) Algorithms

In addition to traditional cryptography algorithms, emCA supports NIST shortlisted PQC algorithms, ensuring long-term cryptographic security against potential attacks based on quantum computers.

  • DILITHIUM: A lattice-based PQC signature scheme offering high security and performance.

    • DILITHIUM2: A variant of DILITHIUM with improved security parameters.

    • DILITHIUM3: A variant of DILITHIUM with further improved security parameters.

    • DILITHIUM5: A variant of DILITHIUM with the highest security level among the listed DILITHIUM algorithms.

  • FALCON: A lattice-based PQC signature scheme with higher performance compared to DILITHIUM but with slightly reduced security.

    • FALCON-512: A variant of FALCON with a security level equivalent to DILITHIUM2.

    • FALCON-1024: A variant of FALCON with a security level equivalent to DILITHIUM3.

  • SPHINCS+: A hash-based PQC signature scheme offering high security and strong resistance to quantum computer attacks.

Certificate Serial Number Generation

emCA supports various types of certificate serial number generation.

It is advised that emCA be configured in ‘Strict mode’, which generates certificate serial numbers greater than zero (0) containing at least 64 bits of output from a CSPRNG. A minimum of 64 bits of entropy in the certificate serial number is necessary for any widely accepted system.

Other legacy modes of certificate serial number generation include sequential generation across the system, sequential generation for each CA, general random numbering, and derived serial numbers through dependent parameters. All of these are deprecated.
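The strict-mode requirement and the signs of the deprecated modes can be expressed as code. This is an added example, not emCA's implementation: the function names are hypothetical, and the 20-octet limit on the encoded serial comes from RFC 5280.

```python
import secrets

MAX_DER_OCTETS = 20  # RFC 5280 limit on the encoded serialNumber

def der_integer_octets(n):
    """Content octets of a positive DER INTEGER (leading 0x00 if top bit set)."""
    return n.to_bytes(n.bit_length() // 8 + 1, "big")

def strict_serial(random_bits=64):
    """Positive serial that carries random_bits of CSPRNG output.

    A fixed 1 bit sits above the random bits, so the value is never zero and
    every random bit stays random. Forcing positivity by clearing the top bit
    of a 64-bit value would leave only 63 random bits.
    """
    if not 64 <= random_bits <= 158:
        raise ValueError("need 64..158 random bits to fit in 20 DER octets")
    return (1 << random_bits) | secrets.randbits(random_bits)

def audit(serials):
    """Flag batch-level signs of non-strict serial generation."""
    findings = []
    if any(s <= 0 for s in serials):
        findings.append("non-positive serial")
    if any(s > 0 and len(der_integer_octets(s)) > MAX_DER_OCTETS
           for s in serials):
        findings.append("serial longer than 20 octets")
    if max(s.bit_length() for s in serials) < 64:
        findings.append("serials too short to hold 64 random bits")
    steps = {b - a for a, b in zip(serials, serials[1:])}
    if len(serials) > 2 and len(steps) == 1:
        findings.append("constant step between serials (sequential)")
    if len(set(serials)) != len(serials):
        findings.append("duplicate serial")
    return findings
```

The audit only detects structural problems; a batch that passes it can still come from a weak random source, which has to be verified at the generator.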

PKI Standard Support

  • X.509 V3

  • CRL V2

  • PKIX

  • PKCS: De facto standards for public key message exchanges.

  • TLS/SSL

  • IPsec

  • S/MIME

  • PC/SC

  • CWA 14167-1: CEN Workshop Agreement (CEN) - the security requirements for trustworthy systems managing certificates for electronic signatures.

  • FIPS 140-2: Support for Federal Information Processing Standards (FIPS) 140-2 Level 2.

Multifactor Authentication

Authentication for registered users within the certificate manager mandates the use of a digital signature certificate retrieved and stored on a FIPS-certified crypto token for additional security. Additionally, the emCA application offers support for alternative modes of Two-Factor Authentication (2FA).

PKI validation that is built into the solution includes:

  • Digital signature certificate verification

  • Digital signature verification

  • Crypto token Device ID verification

  • Certificate expiry check

  • CRL Check

  • Trust store verification

The emCA application can also be integrated with external multifactor authentication systems such as Active Directory, IDAM, etc. for user authentication.

LDAP Support

The software integrates seamlessly with various LDAP systems, including Microsoft Active Directory and OpenLDAP, and is used for various purposes.

Key points:

  • Seamlessly integrates with multiple LDAP systems such as Microsoft Active Directory and OpenLDAP for certificate management.

  • Simplifies setup through a user-friendly wizard-based approach.

  • Automates distribution of CA and end-user certificates, along with CRLs, to LDAP repositories.

  • Facilitates LDIF file generation for essential certificate and CRL management.

  • Ensures compliance with LDAP v3 standards as per RFC 4519 and RFC 4524 protocols.

SAML Support

By supporting SAML, the solution facilitates seamless integration with existing SAML-based Single Sign-On (SSO) and Identity and Access Management (IAM) solutions within organizations. This functionality enables users to effortlessly authenticate into emCA using their current credentials, eliminating the need for separate login credentials.

OID Support

The solution offers predefined OIDs such as Country, Organization, Organization Unit, Postcode, State/Province, Street Address, House Identifier, Common Name, Serial Number, Unique Identifier, Pseudonym, Telephone Number, Title, etc. In addition to these, custom OID creation is also supported, where users can enter custom OIDs as part of the certificate profile.

Certificate Subject DN and Extensions

The emCA application supports the X.509 V3 standard and issues certificates in accordance with RFC 5280. The following extensions are supported:

  • Structure of certificate.

  • Extensions with respect to the usage of a certificate, i.e. Basic Constraints, Key Usage, Extended Key Usage.

  • Certificate file name extensions: .pem, .cer, .p7b, .p12, .pfx.

  • Authority Information Access extensions.

  • CRL extensions.

The solution can also be configured to issue custom certificate extensions. Using this, certificate profiles for SSL and EV SSL can be created to be compliant with the CA/Browser Forum Baseline Requirements.

Protocols Support

emCA supports the following protocols for automated certificate issuance and management:

  • SCEP (Simple Certificate Enrollment Protocol) is a protocol for requesting and renewing certificates from a Certificate Authority (CA). SCEP is a lightweight protocol that is easy to implement on both the client and server sides.

  • CMP (Certificate Management Protocol) is a more complex protocol than SCEP, but it offers more features, such as support for certificate revocation and certificate status checking. CMP is often used in enterprise environments where a high degree of security and control is required.

  • ACME (Automated Certificate Management Environment) is a protocol for automating the issuance and renewal of certificates. ACME is often used in cloud computing environments.

  • EST (Enrollment over Secure Transport) is a protocol for requesting and renewing certificates from a CA over a secure transport channel, such as HTTPS. EST is a lightweight protocol that is easy to implement on both the client and server sides.

  • SOAP (Simple Object Access Protocol) is an XML-based protocol for exchanging information between applications. SOAP is often used in web services applications.

  • REST (Representational State Transfer) is an architectural style for designing web services. REST APIs are typically designed to be easy to use and consume.

Organizations can select from various protocols tailored to their needs. For instance, those desiring lightweight options may opt for SCEP or EST, while CMP offers enhanced security. ACME enables automated certificate processes. Additionally, emCA provides a REST API for streamlined certificate management tasks like requests, renewals, revocations, and status checks. This versatility makes it a flexible solution for certificate lifecycle management.

Certificate Validity

emCA supports both short-lived and long-lived certificates. The validity of the signing certificate is configurable in terms of years, days, hours, minutes and seconds. The Root and issuer certificates in the chain of trust have longer validity.

Encoding formats

Supports various encoding formats that can be enabled in the X.509 v3 certificate format, allowing the certificates to function in various use cases. These include:

  • UTF8String: Represents character strings encoded using the UTF-8 character encoding scheme, allowing for the representation of characters from multiple languages and scripts.

  • PrintableString: One of the string types defined in the Abstract Syntax Notation One (ASN.1) notation. It is a character string type that consists of printable characters from the ASCII character set, which includes uppercase and lowercase letters, digits, and some special characters such as space, hyphen, apostrophe, and parentheses. It does not contain control characters or non-printable characters.

  • IA5String: Represents character strings using the International Alphabet No. 5 (IA5), also known as the International Telegraph Alphabet No. 5 (ITA5). It includes a subset of the ASCII character set.

  • BMPString: Represents character strings encoded using the Basic Multilingual Plane (BMP) of the Unicode character encoding scheme.

  • BITSTRING: Used to represent a sequence of zero or more bits. It consists of a series of bits followed by a final byte indicating the number of unused bits in the last octet (byte). This additional byte is called the "unused bits" field and ranges from 0 to 7, indicating the number of bits not used in the last octet.

Multi-lingual Capability

The emCA application supports a wide variety of languages as part of certificate values and is compliant with RFC 5280 specifications. Certificate values can be configured in various languages including Arabic, Indic, European, East Asian, etc.

It also supports a mix of languages for each subject attribute and, as a result, the certificate can contain English as well as a local language.

Support for Tempest machine

emCA’s Root CA (Offline) application is available as a standalone desktop utility which can be run on any standalone machine including Tempest laptops that provide greater security.

Recovery Management for Encryption Keys

emCA supports the recovery of archived keys following a two-person authentication process (if done by the CA administrator). Recovery is also supported via secure subscriber authentication mechanisms.

Support for OpenStack

eMudhra’s solutions can be deployed on OpenStack architecture that extensively leverages open-source technologies to provision infrastructure. The core technology stack of eMudhra’s products is in Java while the database is written in Hibernate thereby supporting a number of database systems.

This architecture allows for complete modular deployment of the software and database components in a variety of configurations supported by OpenStack.

API (Application Programming Interface)

The solution provides a secure API (Application Programming Interface) for integrating with third-party applications, portals or websites such as sign servers, EMRA portal, etc. It supports both SOAP and REST APIs.

The data communication between third-party applications and emCA API Gateway is signed and encrypted.
