Deployment Guide

Digi-CA™ Deployment Introduction

PDF This Guide is intended to provide general information on the basic concepts, design, deployment and use of the Digi-CA™ Public Key Infrastructure [PKI] system. It is assumed that the audience and readers of this guide have a basic understanding of the concepts of information technology, PKI and the use of X.509 digital public key certificates.

If you are planning to deploy Digi-CA™ inside your organisation, ensure your read this document first, before attempting to perform a new standalone or distributed installation of this system.

General Information

In cryptography, a Certificate Authority or Certification Authority [CA] is an entity that issues digital certificates for use by other parties. It is an example of a trusted third party. A CA issues digital certificates that contain a public key and the identity of the public key owner. The matching private key is not similarly made available publicly, but kept secret by the end user who owns the key pair. The certificate is also an attestation by the CA that the public key contained in the certificate belongs to the person, organization, software or hardware device or other entity noted in the certificate. A CA's obligation in such schemes is to verify an applicant's credentials, so that users and relying parties can trust the information in the CA's certificates.

Digi-CA™ is the complete Certificate Authority system for organisations that would like to have their own CA, like to own and manage a PKI for digital certificates inside the organisation or over the Internet. Digi-CA™ generates and manages digital Public Key Certificates that are used for a variety of different purposes, most commonly for electronic signatures, natural person or device authentication and secure email.

The Digi-CA™ system can create multiple instances of independent Certification Authorities in a single Digi-CA™ system deployment. The Digi-CA™ model imposes delegation of trust downwards from Root CAs to their Subordinate CAs that meets the concepts of layered hierarchy. The same Digi-CA™ system also enables a CA to be cross signed by an external third party CA. As a result of this design principal, the Digi-CA™ model for trust levels increases towards the highest authority. This type of arrangement facilitates easy deployment and scalability of any PKI requirement from the smallest to the largest.

The Digi-CA™ System provides a full scale of services necessary for the management of X.509 certificates. An overview of these services is presented in the table below.

Digi-CA™ service overview

  End Entity registration   Time-Stamping
  Certificate issuance   Online Certificate Status Protocol [OCSP]
  Certificate re-signing   Multi-CA system engine
  Certificate renewal   Cross-Certification management
  Certificate dissemination   Certificate Revocation List [CRL] generation
  Certificate revocation   CRL distribution & dissemination
  Certificate suspension   Entity based multi-key management
  Certificate de-suspension   Certificate profile management
  Certificate expiration notification   Certificate Enrolment Policy Management
  Event logging & auditing service   Support for hardware cryptographic module devices
  Hierarchical CA operations   Support for Smart Cards and USB Tokens

Table 0.1

In principle and in compliance with internationally recognised PKI standards, Digi-CA™ offers the following core Certification Authority services:

As an addition, Digi-CA™ offers the following supplementary services:

The core and supplementary CA services are further described in the Digi-CA™ Service Modules