This article explains the main concepts in se.SAM™ PKI and helps customers to understand and use the HSM integrated Certificate Authority correctly.
Keys: Any asymmetric supported by N200 crypto core can be used as CA key. Keys are generated using N200 Admin Web-GUI or RESTful API.
CAs: Root-CAs and subordinate (Sub) CAs e.g., issuing or intermediate CAs are created in N200 Admin Web-GUI using a existing ECC or RSA key and various certificate settings like name fields, key usages, extended key usages, validity, hash-algorithm, etc. The private key of the CA always stays hardware protected within the HSM
Templates: Templates define specific settings for creating certificates. These settings include the CA used to sign certificates, the distribution mode (download, REST API, email distribution to admin or user), mandatory key usage and extended key usage, type and length of certificate private/public key, hash-algorithm used, validity of certificates and Authority Information Access (AIA) information. Any signing request or issued certificate must refer to a template.
Key Usages: For all CA certificates and client certificates the key usages defined in RFC 5280 can be defined. se.SAM™ PKI supports all RFC 5280 defined usages: digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign, cRLSign, encipherOnly, decipherOnly (8)
Extended Key Usages: Administrators can freely define extended key usages based on OIDs. The following extended key usages are predefined for use in CAs and certificate templates: Server Auth, Client Auth, Code Signing, E-mail Protection, Time Stamping, OCSP Signing, Any Extended Key Usage, Smartcard Logon, Kerberos Pkinit KDC, Domain Controller, Microsoft CA Version, Microsoft EFS File Recovery, IP security end entity, Name distinguisher, EAP over PPP, EAP over Lan, SSH Client, PKINIT Client Auth, Adobe PDF Signing, Microsoft Office Signing, Microsoft BitLocker Drive Encryption, Microsoft BitLocker Data Recovery Agent.
Signing Requests: The HSM based Certificate Authority supports client provided Certificate Signing Requests (CSR) according to RFC 2986 (superseding RFC 2314), where the CSR can be generated by a client or generated on the N200 Crypto Appliance. In case of a client generated CSR the private key is held by the client only, whereas on appliance generated CSRs the private key optionally can be stored in the appliance database and re-distributed at any time.
Certificates: se.SAM™ PKI can issue X.509v3 certificates based on any supported key type and length, including RSA, ECC SECG NIST-P, NIST / Koblitz keys, and RFC 5639 Brainpool keys. Certificate meta data is always stored in the appliance database, where the private key optionally is safeguarded.
Certificate Revocation Lists (CRL): Are generated in N200 Admin Web-GUI using the CA change role and distributed by the build-in HTTPS web-service or downloaded and distributed externally.
Audit log: se.SAM™ PKI utilizes the N200 Crypto Appliance internal audit log for any configuration change or certificate issuing. The audit log can be centralized to a SIEM or other log management solution using syslog mechanisms.
The se.SAM™ N200 Crypto Processor is responsible for creating, protecting and utilizing all cryptographic keys. Isolation is therefore ensured between all apps and the cryptographic keys. This ensures the keys are always under control of the responsible security officer.
The se.SAM™ N200 Crypto Appliance combines a easy to use PKI with the se.SAM™ N200 processor. Also included is a flexible key management solution to protect and manage keys during their overall life cycle.
An example of the easy to use web interface for configuration, management and administration of the appliance, keys and certificates
The se.SAM™ Embedded toolkit is an easy to use possibility to store crypto-keys secure in hardware while being utilized by the host processor. sematicon provides an complete ecosystem to protect identities and keys from chip on pcb up to the data center or cloud. The se.SAM™ PKI is responsible for creating the necessary keys and certificates and to ensure encrypted and protected transport to the target devices.
For more information contact us: