WHY IS THE ROOT CA REQUIRED TO BE ‘OFFLINE’?

PKI best practices do not state that Root CAs must be offline. This design approach is driven by the assurance required of the trust anchor. Deploying the Root CA "offline" eliminates the possibility of all network-based and most physical attacks directly on the Root CA. The chain of trust from an end-user certificate to a Root CA is unaffected by whether the Root CA is implemented online or offline. Storing the Root CA keys in an appropriately rated (e.g., FIPS 140-2 Level 3) HSM adds an additional level of physical protection to the Root CA. Although Root CAs are deployed offline, they must regularly publish a CA certificate and Certificate Revocation List (CRL), which must be distributed to online repositories and be retrievable by Relying Parties.

YOUR ROOT OF TRUST WITH ORCA

ORCA enables the rapid and cost-effective deployment of a trusted CA hierarchy, from the Root CA to Subordinate CA certificates. The private keys are kept inside the nCipher Edge USB Hardware Security Module (HSM) linked to the ORCA appliance. ORCA is set up to deliver Subordinate CA certificates to build a trusted CA hierarchy. CA certificate profiles are generated using predefined models and can be associated with RSA or ECDSA keys. The production of CA certificates complies with the customer's certification policy and meets the requirements of the supervisory body. Typical applications include the creation of a newly requested delegated CA and the generation of Certificate Revocation Lists (CRLs).

HOW IT WORKS

RNTrust provides the appliance (ORCA), on which the OpenSSL-based CA is installed on top of a hardened SuSE Linux with an encrypted file system; the CA stores its status in an SQLite database. The service follows the procedure below:

The Root CA's private key generates a self-signed root certificate, allowing it to preside as the root of trust for the infrastructure.
The private key is stored in a secure nCipher Edge USB HSM.
Signing requests are generated by an external Subordinate CA and signed by the Root CA's private key.
The generated Subordinate CA certificates are issued to the respective CAs.
ORCA backups are stored securely on the datAshur PRO².
After the Root CA signing process, the ORCA appliance is kept offline at all times.

It is possible to configure your Offline Root CA with little or no help from PKI experts.

HOW ORCA HELPS ORGANIZATIONS?

No extra time: The appliance model is delivered with a standard configuration that can be used in most use cases, with no additional time spent on specifications or integration. It solves the common challenges of the Offline Root CA: the hardware, the software, the HSM, the backup storage, and the integration of those four elements.

Unique hardware: ORCA is delivered with pre-configured features and a database. It runs on a Mini PC with an Intel Atom x5-Z8500 1.44 GHz CPU, quad cores and quad threads (up to 2.24 GHz), 4 GB RAM and 64 GB SSD storage.

Ready to use: When the appliance is first started, only the most basic configuration is needed to get it ‘ready to use’. You will be able to create and manage multiple CA certificates and CRLs, making your key ceremonies smooth and easy.
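The signing flow listed under HOW IT WORKS (self-signed root, subordinate signing request, signed subordinate certificate, published CRL) can be followed end to end with plain OpenSSL. This is an added example, not ORCA's own tooling or configuration: software keys stand in for the HSM, and every name, lifetime and file name is constructed.

```shell
# Added example: plain OpenSSL, software keys instead of an HSM, constructed names.
set -eu
build_hierarchy() (      # $1 = empty working directory on the offline host
    cd "$1"; : > index.txt; echo 01 > serial
    cat > ca.cnf <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = Example Offline Root CA
[ ca ]
default_ca = root
[ root ]
database = index.txt
serial = serial
new_certs_dir = .
certificate = root.crt
private_key = root.key
default_md = sha256
default_days = 1825
default_crl_days = 180
policy = pol
[ pol ]
commonName = supplied
[ root_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ sub_ext ]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
EOF
    openssl req -x509 -config ca.cnf -newkey rsa:3072 -nodes -keyout root.key \
        -out root.crt -days 3650 -extensions root_ext   # self-signed trust anchor
    openssl req -new -config ca.cnf -newkey rsa:3072 -nodes -keyout sub.key \
        -out sub.csr -subj "/CN=Example Subordinate CA" # request from the sub CA
    # The root signs the request; pathlen:0 stops the subordinate minting further CAs.
    openssl ca -batch -config ca.cnf -extensions sub_ext -notext -in sub.csr -out sub.crt
    openssl ca -config ca.cnf -gencrl -out root.crl     # CRL published with root.crt
) 2>/dev/null
revoke_subordinate() (   # the root revokes the subordinate and issues a fresh CRL
    cd "$1" && openssl ca -config ca.cnf -revoke sub.crt &&
        openssl ca -config ca.cnf -gencrl -out root.crl
) 2>/dev/null
relying_party_check() (  # uses only the published root.crt and root.crl
    cd "$1" && openssl verify -crl_check -CAfile root.crt -CRLfile root.crl sub.crt
) >/dev/null 2>&1
d=$(mktemp -d); build_hierarchy "$d"
relying_party_check "$d" && echo "subordinate accepted"
revoke_subordinate "$d"; relying_party_check "$d" || echo "rejected after revocation"
```

The relying-party check only ever touches `root.crt` and `root.crl`, which is why those two files must reach an online repository even though the signing host stays offline.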
SPITRUST COOPERA SOLVES THE MOST COMMON PROBLEM IN DIGITAL TRANSFORMATION

Digital signature solutions commonly lack advanced workflow capabilities, and BPM solutions are not focused on legally binding signatures. With SPITrust Coopera®, we have closed that gap, opening an attractive future of combined compliance and agility.

WHY CHOOSE SPITRUST COOPERA, A "CUSTOMIZABLE WORKFLOW" DIGITAL SIGNATURE SOLUTION?

When selecting a BPM platform with digital signature capabilities, look for one that is business-friendly, requires little to no coding, and allows users to build and manage their own processes without relying on IT. IT should own the platform and manage its administration and access. This is a win-win situation for both IT and the business.

https://spitrustcoopera.ae/