Certificate Authorities (CAs)


What is a Certificate Authority (CA)?

A Certificate Authority (CA) issues Digital Certificates. A Digital Certificate is a small, signed data file that binds identification credentials to a public key, so that domains, people, and devices can prove their true identity online. CAs play a crucial part in how the Internet operates and in how safe, trusted transactions can take place online. The Digital Certificates they issue are used to safeguard information, encrypt transactions, and enable secure communication.

An SSL Certificate (more precisely a TLS server certificate; the SSL name persists from the earlier Secure Sockets Layer protocol) is a type of Digital Certificate that links the ownership details of a web server and website to a cryptographic key pair. The keys are used in the SSL/TLS protocol to set up a secure "conversation" between the two intended parties, generally a browser and the web server presenting the certificate. For a browser to trust the certificate, it must contain the domain name of the website presenting it, be issued by a CA the browser trusts, and be within its validity period.

PKI 

Browsers and devices trust a Certificate Authority by accepting the CA's Root Certificate into their root store, the collection of root certificates of approved CAs that ships pre-installed within the device or browser. Microsoft (for Windows), Apple, Mozilla (for its Firefox browser) and Google (for Android and Chrome) each operate their own root store and decide which CAs are admitted to it.

CAs use their pre-installed Root Certificates to issue Intermediate CA certificates and end-entity Digital Certificates. A CA receives certificate requests, vets and approves the applications, issues the certificates, and publishes the ongoing validity status of the certificates it has issued (through CRLs and OCSP) so that anyone relying on a certificate can learn whether it is still approved.

CAs usually create a number of Intermediate CA (ICA) certificates, signed by the root, and use those to issue end-entity certificates such as SSL Certificates, so that the root key itself can stay offline. This layered structure is known as a trust hierarchy, or chain of trust.
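
The checks a relying party performs against this hierarchy, as an added example that is not Engage Black code: it applies the three conditions given above (name matches, issued by a trusted CA, not expired) and walks the chain from leaf through intermediate to a root in the local root store. Certificates are modelled as dicts shaped like Python's `ssl.getpeercert()` output; the names, dates and the `ROOT_STORE`, `LEAF` and `INTERMEDIATE` values are constructed. Signature verification of each link is done by the TLS library in practice and is not re-implemented here.

```python
"""Added example, not Engage Black code: what a browser checks before trusting
a server certificate (name match, validity window, path to a trusted root).
Certificates are dicts shaped like ssl.getpeercert() output; all names and
dates are constructed. Per-link signature verification is left to the TLS
library and is not re-implemented here."""
import ssl

# Constructed root store: the pre-installed list a browser or OS ships with.
ROOT_STORE = {
    "CN=Example Root CA": {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA"},
}

# Constructed chain as a server presents it: leaf first, then the intermediate.
LEAF = {
    "subject": "CN=www.example.com",
    "issuer": "CN=Example Intermediate CA",
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "*.api.example.com")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2025 GMT",
}
INTERMEDIATE = {"subject": "CN=Example Intermediate CA", "issuer": "CN=Example Root CA"}

NOW = 1717200000.0  # 2024-06-01T00:00:00Z, inside LEAF's validity window


def hostname_matches(hostname, cert):
    """RFC 6125-style matching against dNSName SANs: case-insensitive, and a
    '*' is accepted only as the whole left-most label (it never spans a dot
    and never matches a bare registered domain such as '*.com')."""
    host = hostname.lower().rstrip(".").split(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower().split(".")
        if len(pattern) != len(host):
            continue
        if pattern[0] == "*":
            if len(pattern) >= 3 and pattern[1:] == host[1:]:
                return True
        elif pattern == host:
            return True
    return False


def in_validity_window(cert, now):
    """notBefore <= now <= notAfter, using the ssl module's date parser."""
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    return not_before <= now <= not_after


def build_chain(leaf, intermediates, roots, max_depth=5):
    """Follow issuer links from the leaf until a subject found in the root
    store terminates the chain. Returns the ordered chain, or None when no
    trusted root is reached (missing intermediate, loop, or depth exceeded)."""
    by_subject = {c["subject"]: c for c in intermediates}
    chain, current = [leaf], leaf
    for _ in range(max_depth):
        issuer = current["issuer"]
        if issuer in roots:
            return chain + [roots[issuer]]
        nxt = by_subject.get(issuer)
        if nxt is None or any(nxt is c for c in chain):
            return None
        chain.append(nxt)
        current = nxt
    return None


def trust_decision(hostname, leaf, intermediates, roots, now):
    """Return (trusted, reason). All three conditions must hold."""
    if not hostname_matches(hostname, leaf):
        return False, "name mismatch"
    if not in_validity_window(leaf, now):
        return False, "outside validity period"
    chain = build_chain(leaf, intermediates, roots)
    if chain is None:
        return False, "no path to a trusted root"
    return True, "chain of %d certificates ends at %s" % (len(chain), chain[-1]["subject"])


if __name__ == "__main__":
    print(trust_decision("www.example.com", LEAF, [INTERMEDIATE], ROOT_STORE, NOW))
    # Without the intermediate the browser cannot reach the root:
    print(trust_decision("www.example.com", LEAF, [], ROOT_STORE, NOW))
```

The second call in the `__main__` block shows the most common field failure of a trust hierarchy: a server that omits its intermediate certificate, which leaves the browser with no path to the root even though the leaf itself is valid.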

Managing Digital Certificates

The growing sophistication of cyber criminals makes protecting certificate generation, revocation, storage and management a top priority for enterprise, utility, government, manufacturers, Internet of Things, and other security stakeholders. 

Increasingly, both Certificate Authorities and their customers are mandating that certificate-related private keys be generated and managed inside tamper reactive Hardware Security Modules (HSMs). The risk of theft, loss, and compromise is too high when keys are stored on less secure servers, smart cards, or USB tokens.

The Engage BlackVault platform comes as a purpose built CA appliance with an integrated CA application (BlackVault CA), or a powerful but easy to use Hardware Security Module (BlackVault HSM). Both solutions meet FIPS 140-2 Level 3.

 

Certificate Security and Management with the BlackVault

The BlackVault CA is purpose built for CA applications, with a full CA stack integrated into a tamper reactive FIPS 140-2 Level 3 Hardware Security Module (HSM). Its USB and Ethernet connectivity support both off-line and networked applications. A touch screen display and built-in smart card reader make operations secure and intuitive.

The BlackVault HSM is a FIPS 140-2 Level 3 HSM with a silicon based cryptographic boundary for maximum security. It supports a wide range of cryptographic algorithms and APIs, including the U.S. government's Suite B. Its compact size and long battery life also allow it to be transported to other locations and stored easily in a safe or secure room.

Both BlackVault CA and BlackVault HSM support multi-factor authentication with onscreen PIN and smart card credentials. In addition, an "M of N" quorum can be established to protect both User and Crypto Officer functions.

BlackVault Hardware Security Platform

Engage's BlackVault Hardware Security Platform:

  • Keeps cryptographic material safe and secure in a FIPS 140-2 Level 3 Tamper Reactive Hardware Security Module

  • Securely boots into CA mode avoiding the complicated setup process typically associated with HSMs and general purpose OS CAs

  • NIST compliant Random Number Generator (RNG) and FIPS certified cryptographic algorithms

  • M of N authentication and key backup partitioning ensure multi-person authentication prior to administrative modifications to the BlackVault, or key backup distribution

  • Easily integrates into a variety of applications, supporting numerous crypto APIs including PKCS#11, Java (JCE) and Microsoft CAPI / CNG, across a variety of operating systems
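
The M of N property behind the key-backup partitioning above, as an added example that is not BlackVault code: the page states only that M of N authentication and backup partitioning are used, not which scheme, so this is the textbook Shamir secret-sharing construction over a prime field rather than the appliance's own. The secret, threshold and share count are constructed, and the shares carry no authentication, so it illustrates the threshold property only.

```python
"""Added example, not BlackVault code: an M-of-N quorum for a key backup using
Shamir secret sharing over a prime field. The page does not say which scheme
the appliance uses; this is the textbook construction. The secret below is
constructed and the shares are unauthenticated (illustration only)."""
import secrets

# secp256k1 field prime: large enough to hold a 256-bit wrapped-key blob as
# one field element (the caller must keep secret < PRIME).
PRIME = 2**256 - 2**32 - 977


def _eval_poly(coeffs, x):
    """Evaluate sum(coeffs[i] * x**i) mod PRIME with Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret, m, n):
    """Produce n shares (x, y) on a random degree m-1 polynomial whose constant
    term is the secret. Any m shares determine it; m-1 shares leave every
    value of the secret equally likely."""
    if not 1 <= m <= n or not 0 <= secret < PRIME:
        raise ValueError("need 1 <= m <= n and 0 <= secret < PRIME")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(m - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Lagrange interpolation at x = 0 over the supplied shares."""
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share")
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total


def backup_key(key_bytes, m, n):
    """Split a key-wrapping secret (the value that encrypts a key backup)
    into n custodian shares with an m-person reconstruction threshold."""
    return split_secret(int.from_bytes(key_bytes, "big"), m, n)


def restore_key(shares, length):
    """Reassemble the key from any m shares; returns bytes of the given length."""
    return recover_secret(shares).to_bytes(length, "big")


if __name__ == "__main__":
    key = bytes(range(32))            # constructed 256-bit secret
    shares = backup_key(key, 3, 5)    # 3 of 5 custodians needed
    assert restore_key([shares[0], shares[2], shares[4]], 32) == key
    # Two custodians alone recover a value unrelated to the key.
    assert restore_key(shares[:2], 32) != key
    print("3-of-5 backup shares verified")
```

In a production HSM the shares would additionally be bound to the custodians' smart cards and authenticated, so that a tampered or mislabelled share is rejected rather than silently producing a wrong key.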

BlackVault CA (Certificate Authority)

This standalone platform manages certificates without the complexity of installing and operating general purpose OSs and HSMs. It provides:

  • Role definition and a configurable authentication process
  • Key generation with optional certificate creation
  • Code loading and signing
  • Integration into a purpose built CA appliance
  • Hardware Security Module (HSM) functionality
  • Support for the advanced Suite B cryptographic algorithms
  • Compliance with the latest standards, such as EST
  • Operation in both on-line and off-line applications

DIMENSIONS

4"(L) x 6"(W) x 1"(H)


Virtual Private Network Authentication

The BlackVault CA Certificate Authority facilitates secure connection establishment between VPN gateways by providing an X.509 certificate based authentication method to validate their identities. Operating as a CA appliance with an intuitive configuration sequence, it enables operators without PKI expertise to readily deploy certificate-authenticated Virtual Private Networks.

VPN gateway Certificate Signing Requests are submitted either by a command line copy-and-paste method or via the Simple Certificate Enrollment Protocol (SCEP). VPN gateways then check the revocation status of peer certificates through the Online Certificate Status Protocol (OCSP), which the appliance answers from its Certificate Revocation List.

Commercial Solutions for Classified (CSfC)

The NSA's Commercial Solutions for Classified (CSfC) program publishes capability packages that layer commercially available products to construct classified networks over VPNs. One of the key components of such a network is the Certificate Authority.

The BlackVault CA with Suite B cryptography, advanced HSM functionality and intuitive controls improves the security of CSfC networks while simplifying their operation and minimizing their footprint.

[Diagram: BlackVault Certificate Authority (CA) in a VPN deployment]
[Diagram: BlackVault Certificate Authority (CA) in a Black and Grey network]

BlackVault CA Overview

The BlackVault CA (Certificate Authority) is a fully functional CA application. It is utilized to provide strong assurance of identity by issuing and managing public-key certificates. Certificates are generated within secure software and trusted hardware with private keys stored in the tamper reactive cryptographic boundary of the integrated HSM. The BlackVault CA ensures both maximum security and operational simplicity.

Powerful and intuitive, the BlackVault CA is the right choice for highly secure certificate authority operation.

The BlackVault CA is a Certificate Authority with an integrated Hardware Security Module that simplifies and secures the implementation and operation of a PKI. It is a ready-to-deploy, purpose built FIPS 140-2 Level 3 CA appliance that performs:

• X.509 certificate generation
• CSR and CRL processing
• OCSP and EST servers
• Key generation & management


The BlackVault CA is deployed as a root or subordinate CA and is effective in online and offline PKI applications including:

• VPNs, TLS
• Industrial Internet of Things (IIoT)
• Web Services
• Code & Document Signing
• Secure Email
• NSA Commercial Solutions for Classified


The BlackVault CA boots directly into a certificate authority server running inside a tamper reactive cryptographic boundary. All cryptographic functions, including private/public key generation and certificate signing, are performed inside FIPS 140-2 Level 3 protected hardware.
The cryptographic algorithms are FIPS certified, and keys are seeded from a NIST compliant hardware random number generator to ensure adequate entropy. Private keys are never exposed in the clear; key backups leave the device only in encrypted form.

Powerful Features

The BlackVault CA securely boots as a Certificate Authority and can be configured as a root CA with self-signed certificates or a subordinate CA with chain of trust to the root CA. Unlike general purpose operating systems and standalone HSMs, the BlackVault CA powers on in CA mode while automatically linking all CA functionality to its highly secure HSM cryptographic boundary. 

The BlackVault CA supports both networked and off-line (air-gapped) applications, and is easily transported to a secure room or safe without loss or compromise of cryptographic material. It also delivers the latest secure CA features, including Enrollment over Secure Transport (EST) protocol, as well as OCSP, and a full suite of advanced cryptographic algorithms (including Suite B).


Certificate Revocation Lists (CRLs)

The BlackVault CA maintains its CRL and republishes it as certificates are revoked. Relying parties check the status of an individual certificate through the Online Certificate Status Protocol (OCSP); the integrated OCSP responder answers those queries from the CA's current CRL.
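
How revocation data moves between the three parties above (the CA that maintains the CRL, the OCSP responder that answers from it, and the relying party such as a VPN gateway), as an added example that is not BlackVault code. The serials, timestamps, reasons and the `CRL_LIFETIME` and `CLOCK_SKEW` policy values are constructed; real CRLs and OCSP responses are signed DER structures, and the signature handling is omitted here.

```python
"""Added example, not BlackVault code: CA-side CRL maintenance, OCSP answers
derived from that CRL (RFC 6960 CertStatus), and the hard-fail decision a
relying party should make. All data is constructed; signatures and ASN.1
encoding are omitted."""
import copy

CRL_LIFETIME = 24 * 3600   # seconds until nextUpdate (assumed policy value)
CLOCK_SKEW = 5 * 60        # tolerance for thisUpdate slightly ahead of local time

# Constructed CA state: serials issued so far, and the current CRL.
ISSUED = {0x1001, 0x1002, 0x1003}
CRL = {
    "crlNumber": 7,
    "thisUpdate": 1717200000,               # 2024-06-01T00:00:00Z
    "nextUpdate": 1717200000 + CRL_LIFETIME,
    "revoked": {0x1002: {"revocationDate": 1717100000, "reason": "keyCompromise"}},
}


def revoke(crl, serial, reason, now):
    """CA side: add the serial to the CRL and republish with a new number."""
    new = copy.deepcopy(crl)
    new["revoked"][serial] = {"revocationDate": now, "reason": reason}
    new["crlNumber"] += 1
    new["thisUpdate"] = now
    new["nextUpdate"] = now + CRL_LIFETIME
    return new


def ocsp_status(serial, crl, issued):
    """Responder side: status for one serial, derived from the CRL.
    'unknown' means the responder has no record of issuing that serial."""
    resp = {"thisUpdate": crl["thisUpdate"], "nextUpdate": crl["nextUpdate"]}
    entry = crl["revoked"].get(serial)
    if entry is not None:
        resp.update(certStatus="revoked", **entry)
    elif serial not in issued:
        resp["certStatus"] = "unknown"
    else:
        resp["certStatus"] = "good"
    return resp


def client_decision(response, now):
    """Relying-party side: hard-fail. Stale or future-dated answers are
    treated like a missing answer, never like 'good'."""
    if response["thisUpdate"] > now + CLOCK_SKEW:
        return False, "response dated in the future"
    if response["nextUpdate"] < now:
        return False, "stale response (nextUpdate passed)"
    if response["certStatus"] == "revoked":
        return False, "revoked: %s" % response["reason"]
    if response["certStatus"] != "good":
        return False, "status %s" % response["certStatus"]
    return True, "good"


if __name__ == "__main__":
    now = 1717203600                                     # one hour after thisUpdate
    for serial in (0x1001, 0x1002, 0x9999):
        print(hex(serial), client_decision(ocsp_status(serial, CRL, ISSUED), now))
    # Operator revokes 0x1003; the next OCSP answer reflects the new CRL.
    crl2 = revoke(CRL, 0x1003, "cessationOfOperation", now)
    print(hex(0x1003), client_decision(ocsp_status(0x1003, crl2, ISSUED), now))
    # A gateway checking a day later must not accept the old CRL-derived answer.
    print("stale:", client_decision(ocsp_status(0x1001, CRL, ISSUED), now + 2 * CRL_LIFETIME))
```

The `unknown` branch matters in practice: an attacker-supplied certificate with a serial the CA never issued will not appear on any CRL, so a client that equates "not revoked" with "good" would accept it. Checking against the issued set (or, in a real deployment, the signed response's own status field) closes that gap.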
 


Real Time Audits
Constantly updated configuration and operation information provide Security Administrators with the data to discover anomalous activity or failure of critical functions. Audit information can be sent to a trusted entity and is protected to prevent unauthorized access, modification, or deletion.

 

Military Grade Tamper Reactive
The BlackVault cryptographic boundary is within the silicon of its secure CPU. This silicon die shield has dynamic fault detection with real-time environmental and tamper detection circuitry. It also avoids inadvertent tamper, making the BlackVault safe to transport. Critical security parameters, such as a certificate’s private key, are encrypted by an inaccessible Master key stored within the cryptographic boundary and zeroized if a tamper event is detected.

 

EST
The BlackVault CA has an integrated Enrollment over Secure Transport (EST) server. EST is a certificate enrollment protocol defined by the IETF in RFC 7030 as a successor to the Simple Certificate Enrollment Protocol (SCEP). It is a modern way for clients to obtain certificates automatically, more securely and more completely than SCEP allows, and it is designed to improve certificate lifecycle management. The key advantages of EST over SCEP are its support for Elliptic Curve Cryptography (ECC) keys and certificates, and its use of TLS to authenticate the server and protect the enrollment exchange.

One of the areas where EST shines is automatic re-enrollment and CA certificate redistribution. An EST client knows when its certificate is about to expire and automatically re-enrolls for a new one. If a CA or endpoint certificate is compromised in any way, the operator repairs the vulnerability and sets the client to re-enroll, and the device automatically receives a new certificate.

Additionally, if the CA certificate changes, the EST client notices the change and automatically obtains the new CA certificate. This automated re-enrollment and CA redistribution is faster and less labor intensive than earlier certificate management protocols.
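
The client side of the EST exchanges just described (initial enrollment, the "held for approval" path, expiry-driven re-enrollment and CA certificate redistribution), as an added example that is not BlackVault code. The HTTP transport is injected so the flow runs offline against a constructed `FakeEstServer`; a real client talks to the CA over TLS with the server certificate verified, and the CSR and certificate bodies would be genuine PKCS#10 and PKCS#7 DER produced by a crypto library, where here they are placeholder byte strings. The endpoint paths, media types and the 202/Retry-After behaviour follow RFC 7030.

```python
"""Added example, not BlackVault code: EST (RFC 7030) client-side enrollment,
the 202 pending-approval path, re-enrollment and CA-certificate change
detection. Transport is injected; the fake server and all blobs are
constructed placeholders, not real PKCS#10/PKCS#7."""
import base64
import hashlib
import time

EST_BASE = "/.well-known/est/"
PKCS7_CERTS_ONLY = "application/pkcs7-mime; smime-type=certs-only"


class EstClient:
    """transport(method, path, headers, body) -> (status, headers, body)."""

    def __init__(self, transport, sleep=time.sleep):
        self.transport = transport
        self.sleep = sleep
        self.ca_fingerprint = None

    def cacerts(self):
        """GET /cacerts: the CA's current certificate(s), base64 PKCS#7."""
        status, headers, body = self.transport("GET", EST_BASE + "cacerts", {}, None)
        if status != 200 or not headers.get("Content-Type", "").startswith("application/pkcs7-mime"):
            raise RuntimeError("unexpected cacerts reply %s" % status)
        return base64.b64decode(body)

    def ca_changed(self):
        """Re-fetch the CA certs and report whether they differ from last time;
        a change is the trigger for re-enrolling under the new CA."""
        fingerprint = hashlib.sha256(self.cacerts()).hexdigest()
        changed = self.ca_fingerprint is not None and fingerprint != self.ca_fingerprint
        self.ca_fingerprint = fingerprint
        return changed

    def _enroll(self, endpoint, csr_der, max_polls=5):
        headers = {"Content-Type": "application/pkcs10", "Content-Transfer-Encoding": "base64"}
        body = base64.b64encode(csr_der).decode()
        for _ in range(max_polls):
            status, resp_headers, resp_body = self.transport("POST", EST_BASE + endpoint, headers, body)
            if status == 202:
                # RFC 7030 4.2.3: request held for manual approval; retry later.
                self.sleep(int(resp_headers.get("Retry-After", "60")))
                continue
            if status == 200 and resp_headers.get("Content-Type") == PKCS7_CERTS_ONLY:
                return base64.b64decode(resp_body)
            raise RuntimeError("enrollment failed with HTTP %s" % status)
        raise TimeoutError("CA did not approve the request in time")

    def simpleenroll(self, csr_der):
        return self._enroll("simpleenroll", csr_der)

    def simplereenroll(self, csr_der):
        """Renewal: in practice sent under TLS client auth with the expiring cert."""
        return self._enroll("simplereenroll", csr_der)


def needs_reenroll(not_after, now, lead_time=7 * 86400):
    """True once the certificate is within lead_time seconds of expiry."""
    return now >= not_after - lead_time


class FakeEstServer:
    """Constructed stand-in for a CA's EST interface: the first enrollment is
    held for operator approval (202), the retry is issued (200)."""

    def __init__(self):
        self.posts = 0
        self.ca_blob = b"CONSTRUCTED-CA-CERTS-V1"
        self.issued_blob = b"CONSTRUCTED-ISSUED-CERT"

    def rotate_ca(self):
        self.ca_blob = b"CONSTRUCTED-CA-CERTS-V2"

    def __call__(self, method, path, headers, body):
        p7 = {"Content-Type": PKCS7_CERTS_ONLY, "Content-Transfer-Encoding": "base64"}
        if method == "GET" and path == EST_BASE + "cacerts":
            return 200, p7, base64.b64encode(self.ca_blob).decode()
        if method == "POST" and path in (EST_BASE + "simpleenroll", EST_BASE + "simplereenroll"):
            if headers.get("Content-Type") != "application/pkcs10":
                return 400, {}, ""
            self.posts += 1
            if self.posts == 1:
                return 202, {"Retry-After": "2"}, ""
            return 200, p7, base64.b64encode(self.issued_blob).decode()
        return 404, {}, ""


if __name__ == "__main__":
    server = FakeEstServer()
    client = EstClient(server, sleep=lambda s: None)
    cert = client.simpleenroll(b"CONSTRUCTED-PKCS10")
    print("issued after %d POSTs: %r" % (server.posts, cert))
    client.ca_changed()                  # record the current CA fingerprint
    server.rotate_ca()
    print("CA rotated, re-enroll:", client.ca_changed())
```

The `Retry-After` loop is the part most home-grown clients get wrong: a 202 is not an error, and treating it as one leaves devices unenrolled whenever an operator has to approve requests by hand.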

 

REST

To make the BlackVault CA EST server as easy to use as possible, a Representational State Transfer (REST) API is integrated into its core functionality to automate and simplify secure client key enrollment and renewal. Through the RESTful API, devices enroll for and renew certificates programmatically.

Built on HTTP, REST is an efficient, lightweight, high performance interface that any device can use over a low-bandwidth link, enabling device automation, reducing time and cost, and letting operators benefit from economies of scale. It is a faster, more efficient alternative to the Simple Object Access Protocol (SOAP) and Web Services Description Language (WSDL). REST exposes resources through a consistent, uniform interface and requires no expensive tooling: any tool, written in any programming language that can speak HTTP, can use it.

Engage Black
9565 Soquel Drive,
Aptos, CA 95003

Telephone: +1-831-688-1021
Toll Free: +1-877-ENGAGE4
Designed, Fabricated, and Assembled in America
Supported Worldwide