Security
The security architecture of emCA ensures the protection of the CA’s private key and issued certificates against physical, logical, and network threats.

Physical Security
HSM (Hardware Security Module): The CA’s private key is stored in an HSM, which provides tamper detection and key destruction in the event of physical attacks.
Isolation: The HSM is isolated from the rest of the emCA system to prevent physical and side-channel attacks.
Logical Security
Encryption: All communication between emCA components is encrypted using TLS/SSL protocols to protect data integrity and confidentiality.
Access Control: emCA restricts access to authorized users through role-based access control (RBAC), multi-factor authentication (MFA), and audit logging.
Audit Logging: emCA logs all activities for monitoring and security incident detection.
Data Security
Encryption at Rest and in Transit: Sensitive data, certificate metadata, and audit logs are encrypted at rest and in transit using AES-256.
Key Management: Private keys are securely stored, with strict access control policies enforced.
Backup and Recovery: Data backups are encrypted and stored in secure, access-controlled environments. Backup data retention and disposal are managed according to defined lifecycle policies to ensure compliance.
Role-Based Access Control
To ensure security, the emCA application is designed such that each role has a unique set of permissions. The following are the roles and their corresponding duties.
CA Administrator
Initial setup: Completes the initial setup process of the emCA application.
License registration: Generates a license request and uploads the license to register the emCA application.
User management: Creates and manages Administrator users.
Certificate authority (CA) management: Deletes Root CA, CA, and Sub/Issuing CA certificates and key pairs.
Administrator
Certificate profile management: Creates and manages certificate profiles.
Key profile management: Creates and manages key profiles.
User management: Creates and manages Officer, Auditor, and Operator users.
Officer
CA key generation: Generates CA keys.
CA hierarchy management: Creates and manages the CA hierarchy.
Certificate revocation list (CRL)/Online Certificate Status Protocol (OCSP) service management: Creates and manages CRL/OCSP services.
Certificate management: Creates and manages CA, user, and OCSP certificates using certificate profiles created by the Administrator.
Scheduler configuration: Configures the scheduler.
Certificate revocation and reinstatement: Revokes and reinstates certificates as needed.
Key recovery: Performs complete key recovery activities.
Auditor
Audit log management: Views and downloads audit logs.
Report generation: Generates various types of reports.
Operator
Backup and restore: Performs backup and restore operations.
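
As an added example (not emCA code), the role matrix above can be used to review audit log entries for actions that fall outside the acting role's duties. The action names and the pipe-delimited log line format are constructed for illustration and are not emCA's own identifiers or log format.

```python
# Role matrix transcribed from the duties listed on this page. Action names and
# the pipe-delimited log format are constructed; they are not emCA's own.
ROLE_DUTIES = {
    "CA Administrator": {"initial_setup", "license_registration", "delete_ca"},
    "Administrator": {"manage_certificate_profile", "manage_key_profile"},
    "Officer": {"generate_ca_key", "manage_ca_hierarchy", "manage_crl_ocsp",
                "manage_certificate", "configure_scheduler",
                "revoke_or_reinstate", "key_recovery"},
    "Auditor": {"view_audit_log", "download_audit_log", "generate_report"},
    "Operator": {"backup", "restore"},
}
MANAGES_USERS = {  # user management is scoped by the target user's role
    "CA Administrator": {"Administrator"},
    "Administrator": {"Officer", "Auditor", "Operator"},
}

def parse_line(line):
    """Parse 'timestamp|user|role|action|target' into a dict."""
    parts = [p.strip() for p in line.split("|")]
    if len(parts) != 5:
        raise ValueError(f"malformed audit line: {line!r}")
    return dict(zip(("ts", "user", "role", "action", "target"), parts))

def is_permitted(role, action, target):
    """Deny by default: unknown roles and unlisted actions are rejected."""
    if action == "manage_user":
        return target in MANAGES_USERS.get(role, set())
    return action in ROLE_DUTIES.get(role, set())

def find_violations(lines):
    """Flag malformed lines and actions outside the actor's role duties."""
    flagged = []
    for line in lines:
        try:
            entry = parse_line(line)
        except ValueError:
            flagged.append({"raw": line, "reason": "malformed"})
            continue
        if not is_permitted(entry["role"], entry["action"], entry["target"]):
            flagged.append({**entry, "reason": "outside role duties"})
    return flagged

SAMPLE_LOG = [  # constructed sample lines
    "2024-01-01T10:00:00Z|alice|Officer|generate_ca_key|RootCA",
    "2024-01-01T10:05:00Z|bob|Administrator|manage_user|Officer",
    "2024-01-01T10:07:00Z|bob|Administrator|manage_user|Administrator",
    "2024-01-01T10:09:00Z|carol|Auditor|revoke_or_reinstate|cert-001",
    "2024-01-01T10:11:00Z|dave|Operator|backup",
]
```

Running find_violations(SAMPLE_LOG) flags the Administrator managing another Administrator, the Auditor revoking a certificate, and the truncated final line.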