PKI by Keyfactor
Keyfactor provides several products capable of meeting the requirements of a PKI management system. Each of these products serves an individual role in the creation and maintenance of a PKI service within the context of a trust service provider. A short description of the products is presented below:
The rest of this manual goes into more detail about the installation, configuration and administration of some of these products.
EJBCA
EJBCA is a Java based Certificate Authority that can be used to issue and manage certificates. EJBCA is compliant with the EAC 1.11 specification and supports the EU qualified certificate directive. EJBCA can store its keys in a Hardware Security Module (HSM) through the PKCS#11 interface. EJBCA supports various algorithms such as RSA and ECC as well as different key lengths. EJBCA uses X.509 certificates to authenticate the users accessing the administration GUI. EJBCA uses role-based access control and supports security functions such as dual authorization for administrative tasks and separation of duties. EJBCA supports both CRL and OCSP for revocation information. EJBCA is Common Criteria certified.
Validation Authority
The validation authority (VA) module of EJBCA provides services used to validate a certificate. These services can run on an installed EJBCA or on a standalone VA installation. Each service can be enabled or disabled independently. The VA can be deployed to produce signed OCSP responses with the signature generated in an HSM. The VA is built as an instance of EJBCA. If your environment is very busy, consider the pre-signed response functionality of EJBCA, where OCSP responses are generated after issuance and renewed at expiration, giving the fastest response when clients request them.
SignServer
SignServer is a Java based server-side signature service, used for signing various kinds of objects. SignServer can store its keys in a Hardware Security Module (HSM) to enhance both security and performance. SignServer communicates with the HSM through the PKCS#11 interface. SignServer is a flexible product able to fit several business cases. By customizing the different workers, SignServer can be deployed in one of the following roles:
SignServer as a TSA
SignServer as a PDF Signer
SignServer as an XML Signer
SignServer as a CMS Signer
SignServer is a cutting-edge signer able to provide code signing, advanced CMS and XML signatures through the deployment and configuration of various workers. SignServer is a modular product and allows for the creation of workers for each signing purpose. It is possible to create several parallel signers that use different certificates to perform signing operations. Within the context of SignServer, each signer is referred to as a worker. A single deployment can host several workers. SignServer provides an SDK, a Web Services interface and a command line interface (CLI) for communication with the server. External integration can be performed using any one of these interfaces. A worker holds the policy for signing operations. Each worker has a number of user keys associated with it. SignServer integrates with a database and an HSM for persistent storage. The DB stores configuration, end user certificates (in encrypted format) and log information, while the HSM stores certain private keys for specified operations.
SPOC
SPOC (Single Point of Contact) is a scheme developed by the European Union (EU) to enable Extended Access Control (EAC) to Machine-Readable Travel Documents (MRTD) such as passports. The purpose of EAC is to allow each country to decide which other countries should be permitted to read biometric information. A single SPOC server per country serves the cross-certification requests that are needed for issuing Inspection System (IS) certificates matching the EAC requirements of the national MRTDs. Keyfactor Solution's SPOC Server is tightly integrated with Keyfactor's EJBCA. The latter can simultaneously serve as a CVCA (Country Verifying Certification Authority) and a set of DVCAs (Document Verifier Certification Authorities). SPOC Server supports the Web Service interface according to CSN-36 9791.
NPKD
The NPKD (National Public Key Directory) LDAP server is the storage database that serves as a repository for the storage and maintenance of certificates. The LDAP server stores certificates using the same schema as the ICAO PKD. The LDAP server shall be synchronized with the ICAO PKD server and also has provisions to manually import certificates whenever required. Manual import of the following is supported via command line tools. Web-based GUI applications for import can be supported:
CSCA
DSC
Defect lists
CSCA Masterlist
The NPKD supports the following functions:
Certificate Import
CRL Import
CRL Activation
Certificate De-activation
CRL export
Retrieving Information from an IS
RA Server
The RA Server provides centralized registration facilities for Inspection Systems (IS). The RA Server is designed to support the following functions:
Handle the communication between the DVCA and the IS.
Ability to handle multiple IS requests to multiple DVCAs
Ensure uniqueness of certificates
In the absence of an RA Server, the IS would be required to handle certificate requests to several DVCAs, depending on the range of documents and countries that it would like to inspect. This can introduce errors into the procedures, especially if several IS systems are sending requests at the same time. In addition, the short validity of the IS certificates can lead to additional issues with the system.
PKI Appliance
The Keyfactor PKI Appliance has the ability to deploy all PKI components, including Certificate Authority, Registration Authority and Validation Authority (CA/RA/VA). In a single deployment of EJBCA, it is possible to effectively manage multiple CAs, thus reducing the need for multiple, dedicated hardware units. Similarly, one VA can operate as OCSP responder on behalf of multiple issuing CAs. At first start-up, a setup wizard provides faster and easier deployment. Out-of-the-box functionality for backup/restore and software updates, as well as key management functions, is designed to simplify operations and maintenance tasks. Integrated with a FIPS 140-2 Level 3 certified HSM, the Keyfactor PKI Appliance has robust hardware:
Field replaceable, redundant high-performance SSDs
Field replaceable redundant Power Supply
Intel Xeon Server CPU
Dual Ethernet Interface
Excellent Performance and Scalable Architecture
The standard configuration can issue up to 100k certificates per hour per device, supports the full life cycle for 8M+ certificates per device, and the Validation Authority can serve up to 1000 OCSP responses per second. While a single unit delivers plenty of power on its own, the Keyfactor PKI Appliance is engineered to make it easy to scale both vertically and horizontally. In that sense, Keyfactor provides a robust building block for complex and large-scale PKI projects.