BlackVault CA
BlackVault CA
Certificate Authority with
Hardware Security Module
Overview
The BlackVault CA (Certificate Authority) is a fully functional CA application. It is utilized to provide strong assurance of identity by issuing and managing public-key certificates. Certificates are generated within secure software and trusted hardware with private keys stored in the tamper reactive cryptographic boundary of the integrated HSM. The BlackVault CA ensures both maximum security and operational simplicity.
Powerful and intuitive, the BlackVault CA is the right choice for highly secure certificate authority operations.
The BlackVault CA is a Certificate Authority with an integrated Hardware Security Module that simplifies and secures the implementation and operation of PKI infrastructures. Ready to deploy purpose built FIPS level 3 CA appliance that performs:
• X.509 certificate generation
• CSR and CRL processing
• OCSP and EST servers
• Key generation & management
The BlackVault CA is deployed as a root or subordinate CA and is effective in online and offline PKI applications including:
• VPNs, TLS
• Industrial Internet of Things (IIoT)
• Web Services
• Code & Document Signing
• Secure Email
• NSA Commercial Solutions for Classified
The BlackVault CA securely boots up as a secure certificate authority server running inside of a tamper reactive cryptographic boundary. All cryptographic functions, including private / public key generation and certificate signing are performed inside FIPS Level 3 protected hardware.The cryptographic algorithms are also FIPS certified and use a sophisticated NIST hardware random number generator to ensure key entropy. Private keys are never in the clear; including key backups where keys are encrypted.
Powerful Features
The BlackVault CA securely boots as a Certificate Authority and can be configured as a root CA with self-signed certificates or a subordinate CA with chain of trust to the root CA. Unlike general purpose operating systems and standalone HSMs, the BlackVault CA powers on in CA mode while automatically linking all CA functionality to its highly secure HSM cryptographic boundary.
The BlackVault CA supports both networked and off-line (air-gapped) applications, and is easily transported to a secure room or safe without loss or compromise of cryptographic material. It also delivers the latest secure CA features, including Enrollment over Secure Transport (EST) protocol, as well as OCSP, and a full suite of advanced cryptographic algorithms (including Suite B).
Certificate Revocation Lists (CRLs)
The BlackVault CA maintains and updates the CRL as certificates are revoked. The CRL is accessed using the Online Certificate Status Protocol (OCSP).
Real Time Audits
Constantly updated configuration and operation information provide Security Administrators with the data to discover anomalous activity or failure of critical functions. Audit information can be sent to a trusted entity and is protected to prevent unauthorized access, modification, or deletion.
Military Grade Tamper Reactive
The BlackVault cryptographic boundary is within the silicon of its secure CPU. This silicon die shield has dynamic fault detection with real-time environmental and tamper detection circuitry. It also avoids inadvertent tamper, making the BlackVault safe to transport. Critical security parameters, such as a certificate’s private key, are encrypted by an inaccessible Master key stored within the cryptographic boundary and zeroized if a tamper event is detected.
EST
The BlackVault CA has an integrated Enrollment over Secure Transport (EST) server.EST is a protocol defined by the IETF (RFC 7030) as a successor to Simple Certificate Enrollment Protocol (SCEP).EST is a modern approach to automatically obtain certificates in a manner that is secure and more comprehensive compared to SCEP.EST is designed to improve lifecycle management of certificates. The key advantages of EST are its ability to use Elliptic Curve Cryptography (ECC), and its use of TLS to securely transport certificates.
One of the areas where EST shines is its auto re-enrollment, and redistribution features.EST clients are aware when their certificate is about to expire and automatically re-enroll for a new certificate, or if CAs or endpoints certificates get compromised in any way, after repairing the vulnerability, set the client to re-enroll and the device will automatically have a new certificate.
Additionally, if the CA certificate changes, the EST client will notice the change and automatically obtain the new certificate. This process of auto re-enrollment and CA redistribution is faster and less work intensive than previous certificate management protocols.
ReST
To make the BlackVault CA EST Server as easy to utilize as possible, there is an integrated Representational State Transfer (ReST) API to automate and simplify secure client key enrollment and renewal integrated into its core functionality. Through the RESTful API devices enroll, and renew certificates programmatically.
Harnessing the power of HTTP, REST is an efficient, lightweight, high performance interface that is accessed by any device at a low bandwidth. allowing device automation, the reduction of time, and cost, as well as leverage economies of scale. The REST API is a faster, more efficient alternative to Simple Object Access Protocol (SOAP) and Web Services Description Language (WSDL).REST is focused on accessing resources through a consistent single interface.REST does not require expensive tools to interact with, allowing the REST interface to be accessed by any tool using any programming language that can utilize HTTP.
Applications
Applications
- Root CA
- Subordinate CA
- RA
- Commercial Solutions for Classified (CSfC)
- IoT
- Web, VPN, Email, Etc.
Features
Secure Boot
Solid State Design
Certified Security Architecture
Tamper Reactive Die Shield
Suite B Accelerators
Support for NIST ECC Curves
Secure Authentication/Access
Enrollment over Secure Transport
High Availability
Benefits
- CA Appliance
- Eliminates Complex Software Installation
- Out of Box Ultimate Level of Security
- Integrated HSM with truly Private Keys
- Overcomes Vulnerabilities of Soft Crypto
- Integrated Trusted Path Authentication
- Protects Intellectual Property
- Expedites Regulatory Compliance Audits
- Compact Size Fits in Safe Deposit Box
- Embeddable: Ethernet Attached
- Hard Drive Form Factor
- Secure Key Management:
- Generation, Storage, and Backup
Application Examples
Industrial Internet of Things
BlackVault CA specifically targets Industrial IoT's security need for secure identity authentication. Establishing the foundation of trust that IIoT systems, devices, applications, and users need to safely interact and exchange sensitive data. Specifically the BlackVault CA's support for ECC and EST enables IIoT devices to readily achieve Certificate based authentication.
Secure identity authentication for:
NERC CIP, IEC 62351, SSL, TLS, HTTPS
Offline Root Certificate Authority
Security conscious organizations that run internal PKIs operate their root CA offline.BlackVault CA is ideally suited to be the Offline Root CA for public and private PKI infrastructures.
- Security of Private Key
- Reactive Die Shield
- Advanced Cryptography
- Elliptical Curves
- 5 Year Battery Store
- Fits in a Safe
Virtual Private Network Authentication
The BlackVault CA Certificate Authority facilitates secure connection establishment between VPN gateways by providing an X.509 authentication method to validate identities. Operating as a CA Appliance with an intuitive configuration sequence enables un-certifieds to readily secure authenticated Virtual Private Networks.
VPN gateway Certificate Signing Requests are input by a command line copy-and-paste method or via the Simple Certificate Enrollment Protocol (SCEP). The Certificate Revocation List is retrieved by VPN gateways using Online Certificate Status Protocol (OCSP).
Wired Virtual Private Network
The Government’s CSfC program creates profiles for a layered combination of commercially available solutions to construct classified networks using VPNs. One of the key components of this network is the Certificate Authority.
The BlackVault CA with Suite B cryptography, advanced HSM functionality and intuitive controls improves the security of CSfC networks while simplifying their operation and minimizing their footprint.
CSfC Campus IEEE 802.11 Wireless Local Area Network
Specifications
CA Instantiation
Root CA (Self-Signed)
Subordinate CA (Chain of Trust to Root CA)
Certificate Generation
Certificate Signing Request (CSR) and X.509 Generatio
Certificate Types (Web, CA, Self-Signed, VPN / Email)
Certificate Extensions
Certificate Endpoint Delivery
- Enrollment over Secure Transport (EST)
- Simple Certificate Enrollment Protocol (SCEP)
Manage Certificates
NTP time stamps
Online Certificate Status Protocol (OCSP)
Certificate Revocation List (CRL)
Certificate Assignment
Export and Directory Publishing
Cryptography
Asymmetric public key algorithms:
- RSA (2048, 3072, 4096)
- ECDH, ECDSASymmetric algorithm: AES 128, 192, 256 bit
Hash/message digest: SHA-2 (256, 384, 512bit)
Full Suite B implementation with Elliptic Curve Cryptography (ECC) EC curves P-256, P-384, P-521
Key Exchange
With Key:
Personal Information Exchange PKCS #12
- Base-64 (PEM) with password PKCS #8
- Without Key:
- DER encoded (.CER)
- Base-64 (PEM) encoded (.PEM)
- Cryptographic Message Syntax Standard PKCS #7 (.P7B)
Protocols
SSH, TLS
EST: Enrollment over Secure Transport
X.509: Certificate Revocation Lists (CRLs)
OCSP: Online Certificate Status Protocol
Connectivity
- 10/100 Ethernet with Transport Layer Security (TLS) and Optional SFP
- USB 2.0
Management
Menu Driven VT100 CLI (SSH)
Syslog diagnostics support
Mounting
- Desktop (Portable)
- 19” rack mount (1U height)
- Server Hard Drive Slot Embeddable
Physical
Portable (Server Hard Drive Mechanics) Wall and Din Rail Mounting
Dimensions 102 x 153 x 26 mm (4 x 6 x 1in)
Weight: 454 grams; 1 pound
Temperature: operating -20 to 60°C,
Humidity: operating 10 to 90% storage 0 to 95%
Power
DB9 Connector: Dual Hot Standby 5 to 30 VDC
Power consumption: 4W
Redundancy
Optional Dual Power, Hot Standby
Environmental
Operating Temperature: -10° to 50° C (0° to 132° F)
Operating Humidity: Up to 90% (Non-Condensing)
Optional Extended Temperature Range Available
Regulatory
CE
EMC: CFR 47 Part 15 Sub Part B: 2002, EN55022: 1994+A1&A2, EN55024,ICES-003 1997, CISPR22 Level A
Safety: IEC 60950