ORCA-The Trust Anchor
2 years ago
ID: #825968
Listed In : Computer & Accessories Consultants Consumer Products
Business Description
WHY IS THE ROOT CA REQUIRED TO BE ‘OFFLINE'?PKI best practices are not stating that Root CAs must be offline. This design approach is influenced by the required assurance of the trust anchor.
Being deployed "offline" eliminates the possibility of all network-based and most physical attacks directly on the Root CA.
The chain of trust from a end-user certificate to a Root CA is unaffected whether a Root CA is implemented online or offline. The storage of Root CA keys in an appropriately rated (e.g., FIPS3 140-2 Level 3) HSM adds an additional level of physical protection to the Root CA.
While Root CAs are deployed offline, they must publish a CA certificate and Certificate Revocation List (CRL) regularly, which must be distributed to online repositories and retrievable by Relying Parties.
key ceremony
YOUR ROOT OF TRUST WITH ORCA
ORCA enables the rapid and cost-effective deployment of a trusted CA hierarchy from Root CA to Subordinate CA certificates. The private keys are kept inside the cutting-edge nCipher Edge USB Hardware Security Module (HSM) linked to the ORCA appliance.
ORCA is set up to deliver Subordinate CAs Certificates to build a trusted CA hierarchy. CA certificate profiles are generated using predefined models and can be associated with RSA or ECDSA keys. The production of CA certificates complies with the customer's certification policy and meets the requirements of the supervisory body. Typical applications include the creation of a new requested delegated CA and the generation of Certificate Revocation Lists (CRLs).
offline root certificate authority
HOW IT WORKS
RNTrust provides the Appliance (ORCA) on which the OpenSSL based CA is installed on top of a hardened SuSE Linux with encrypted file system and stores its status in an SQLite database. This service functions by following the procedures below:
The Root CA's private key generates a self-signed root certificate, allowing it to preside as the root of trust for the infrastructure.
The private key will be stored in a secure nCipher Edge USB HSM.
Signing requests are generated by an external Subordinate CA and signed by the Root CA's private key.
Generated subordinate CA certificates are issued to the respective CAs.
ORCA backups will be stored securely into the datAshur PRO².
After the Root CA signing process, the ORCA Appliance is kept offline at all times.
It is possible to configure your Offline Root CA with little or no help from PKI experts.
pki cps
HOW ORCA HELPS ORGANIZATIONS?
No Extra time: The appliance model is delivered with a standard configuration that can be used in most use cases, with no additional time spent on specifications or integration.
It solves the common challenges of the Offline Root CA - the
Hardware, the Software, the HSM, the Backup storage, and the Integration
of those four elements.
Unique Hardware:ORCA is delivered with pre-configured features and a database, it runs on a state-of-the-art Mini PC with Intel Atom
x5-Z8500 1.44Ghz CPU Quad Cores Quad Threads (up to 2.24Ghz),
4GB RAM and 64 GB SSD storage.