The benefits of the secunet eID PKI Suite
The eID PKI Suite is the bundled know-how from more than 350 PKI projects: It is designed for use in the area of sovereign documents as well as for applications in the industrial environment and supports all relevant standards and protocols.
For areas of application with special security requirements, the eID PKI Suite is also available in a variant certified according to Common Critera EAL4+.
The eID PKI Suite is standards-compliant, which makes it highly durable and protects investments: Our PKI easily adapts to changing security requirements and evolving infrastructures.
The various software modules of the eID PKI Suite combine to form a high-performance overall system, but can just as easily be integrated individually into an existing system architecture.
The eID PKI Suite can be set up on a highly customized basis - customers receive a scalable standard solution that is nevertheless tailored precisely to their needs.
Farming and IT security
Double protection for modern eIDs
The data stored on the chip in sovereign documents must be protected against manipulation and falsification. In addition, the use of suitable security mechanisms must ensure that only those persons who are verifiably authorized to do so have access to the data. The backbone of the security framework for sovereign documents are two comprehensive public key infrastructures (PKIs). While the ICAO PKI ensures the authenticity and integrity of the documents, a second PKI, the EAC PKI, is required for extended access protection. The secunet eID PKI Suite meets all requirements for a PKI in the field of eID and border control. Due to its modular approach, our customers benefit from a smooth integration into their systems.
The benefits of the secunet eID PKI Suite for sovereign documents
Flexible with regard to the signature components to be used and the associated certificate management. Different HSMs are supported.
One product meets all the requirements for a PKI to be used in the context of sovereign documents.
The eID PKI Suite is modular, scalable and standards-compliant. Furthermore, it supports all EAC versions.
The national and international certificate exchange via the SPOC is simplified and the document verification infrastructure, including certificate management, is centralized via the Terminal Control Center.
secunet eID PKI Suite or, rather, its components are used whenever a secure infrastructure for modern issuance and verification of electronic ID documents is realized:
- Passport-issuing authorities use eID PKI Suite for realizing a secure personalization-infrastructure
- Border-control authorities use eID PKI Suite for realizing a secure border-control infrastructure
- Security authorities use eID PKI Suite for realizing secure international certificate-exchange
- With the help of eID PKI Suite, Trustcenter can issue authorisation-certificates for service-providers in the field of national ID documents.
Liechtenstein digitizes its administration
The eID PKI Suite comprises individual software modules
The range comprises components for application in the ICAO PKI field and components which fulfil the requirements of the EAC PKI. Put together, the eID PKI Suite is a high-performance complete system, yet the software modules can also be integrated individually into an existing system architecture.
Country Verifying Certification Authority (CVCA)
The Country Verifying Certification Authority (CVCA) forms the root of the EAC infrastructure. It issues the CVCA root certificates as well any DV-certificates to any document verifying instance.
The CVCA must be operated in a secured environment. The system runs on standard PC server hardware using a Linux OS. The system provides a web application front end, so that the operator can control the system via a standard web browser. The system supports the following use cases:
- Create initial (self-signed) CVCA root certificate incl. secret key
- Perform key-rollover as the CVCA certificate expires and issue link certificates
- Import and verify certification requests from the DVCA
- Issue and export DV certificates
- The actual cryptographic operations are performed using an HSM or a Smart Card.
RSA- and ECDSA-based algorithms are supported.
Singe Point of Contact (SPOC)
As a centralised interface, the Single Point of Contact (SPOC) allows certificate exchange on international and national level; according to CSN 369791:2009, respectively to the technical guideline BSI-TR-03129. secunet’s solution covers both communication parts based on secure communication via TLS.
As a special feature secunet provides a SPOC online test system.
Document Verifying Certification Authority (DVCA)
The EAC infrastructure requires at least one instance of a Document Verifying Certification Authority (DVCA). The DVCA issues IS certificates to any document reading system.
The DVCA must be operated in a secured environment. The system runs on standard PC server hardware using a Linux OS and provides a web application front end, so that the operator can control the system via a standard web browser. The system supports the following use cases:
- Create initial DV certificate request and request certificate from the CVCA
- Perform key-rollover as the DV certificate expires request new certificate
- Import and verify certification requests from inspections systems
- Issue and export IS certificates to inspection systems
The actual cryptographic operations are performed using an HSM or a Smart Card.
DVCA supports all cryptographic algorithms to ensure full interoperability with foreign and national CVCAs.
Create initial DV certificate request and request certificate from the CVCA
- Perform key-rollover as the DV certificate expires request new certificate
- Import and verify certification requests from inspections systems
- Issue and export IS certificates to inspection systems
The actual cryptographic operations are performed using an HSM or a Smart Card.
DVCA supports all cryptographic algorithms to ensure full interoperability with foreign and national CVCAs.
Terminal Control Centre (TCC)
The Terminal Control Centre (TCC) implements a centralised document verification infrastructure that allows connection of various distributed terminals. The TCC solution of secunet supports different application scenarios for BAC and EAC protected documents. A secure centralised certificate and key storage are part of the solution allowing the TCC to take over the authentication procedure for authorised readers. For Passive Authentication, the TCC imports CSCA certificates from the Master List and known defects from the Defect List.
Country Signing Certification Authority (CSCA)
The Country Signing Certification Authority (CSCA) serves as the trust anchor for the ICAO PKI. It issues a country root certificate as well as the document signer certificate for organizations issuing electronic ID documents.
The CSCA must be operated in a secured offline environment. The system runs on standard PC server hardware using a Linux OS and provides a web application front end, so that the operator can control the system via a standard web browser. The system provides the following use cases:
- Create initial (self-signed) country root certificate incl. secret key
- Perform key-rollover as the CSCA certificate expires and issue link certificates
- Import and verify certification requests from the document signer
- Issue and export document signer certificates
- Revoke document signer certificates
- Issue and export a certificate revocation list
The actual cryptographic operations are performed using an HSM or a Smart Card.
N-PKD
As the national layer of the ICAO PKD the N-PKD stores all trusted domestic and foreign CSCA certificates, DS certificates and corresponding CRLs. In this context the N-PKD supports the ICAO PKD interface, requests CRLs from the distribution points and manually imports certificates and Master Lists. The N-PKD supports the operator reliably by analysing the various qualities of the imported data and storing them separately according to their trustworthiness. Additionally the N-PKD is able to create and store Master and Defect Lists to be used for Passive Authentication in the border control process.
Document Signer (DS)
The Document Signer (DS) is responsible for the creation of digital signatures which ensure the authenticity and integrity of the electronic data stored in the eID document.
The main purpose of the DS is the creation of a digital signature to ensure the data integrity and authenticity of the ePassport data.
The DS must be operated in a secured environment. The system runs on standard PC server hardware and provides a web service interface to the personalization system. The Document Signer supports the following use cases:
- Create document signer key pair and certification request
- Export certification request to a file
- Import document signer certificate (issued by CSCA) from a file
- Create document security object (EF.SOD)
The cryptographic operations are performed using an HSM or a Smart Card.
DSS for Visa
As of 01.05.2022, a visa for the Schengen area must contain an additional digital seal to enhance the optical protection measures with an electronic component.
The Digital Seal Signer for Visa (DSS for Visa) creates a digital signature as well as a 2D barcode that ensures the authenticity and integrity of the data printed in the paper document.
The DSS for Visa includes
- Generating ICAO compliant digital seals for visas
- Requesting and managing the associated digital certificates (issued by CSCA)
- Signature and barcode generation with the DSS certificate
- Web service interface to enrolment application SOAP- or REST-based
- Interface for quality assurance of issued certificates also integrated
PKI for Critical Infrastructures
Full control over all process relevant identities and data flows
IT-supported business processes are the backbone of industry and the economy today. The steadily increasing networking and thus the complete digitization of value chains in companies, complete industries, and between different industries require corresponding trust anchors. Cryptographic processes and the use of certificates and signatures ensure trust in actors and control over digital infrastructures.The provision and management of certificates by secunet's eID PKI Suite makes it possible to ensure the authenticity of communication partners, ensures the integrity of data and also enables them to be encrypted so that they are protected against inspection. In this way, communication between people, communications between users and systems, and even automated communication between machines, machine-to-machine communication (M2M), can be secured.The modular architecture of secunet's eID PKI Suite enables flexible integration into almost any use case that requires the creation, provision and management of digital identities for people or devices - including, of course, the automated verification of digital identities. These digital identities can be generated in formats as required, i.e. in the form of X.509 as well as CVC (card verifiable certificate), so that the use cases in the Internet of Things are fully taken into account.
Your solution - universal and flexible
secunet's eID PKI Suite already supports a wide range of applications and, thanks to its modular architecture, can be flexibly aligned to individual scenarios and expanded if necessary:
- Universal PKI - Certificate-based solutions for authenticating users, signing and encrypting data and messages.
- Industry PKI - Cryptographic services for securing the entire process chain of a product life cycle: development, production, application and service.
- Smart Metering PKI - Create and manage certificates for smart meter gateways. secunet PKI is approved for use as a sub-CA under the smart meter beta root CA operated by the BSI.
Secure your processes and infrastructure
- Authentication of persons and users
- Identification of devices, systems and users
- Protection of confidential information through encryption Authorization and verification of control actions
The CAKernel (C²K) of the secunet PKI Suite, certified according to Common Criteria EAL 4+, is a testament to the high level of security "Made in Germany".
eID PKI for Automotive
Secure Key Management
With eID PKI for Automotive, secunet Automotive Security offers a very flexible product that has proven itself in productive use as a foundation for central cryptographic systems. PKI systems for automotive applications with various supported certificate formats can be set up in the same way as crypto key management with hardware security modules.
Well-known applications for securing electronics in the automotive sector, such as secure flashing of ECUs, software over-the-air, diagnostic security and secure on-board power supply communication (SecOC), secure smart-charging communication (ISO 15118) can be implemented in the same way as new and future tasks in the field of data services, mobility services or car-2-car communication. Various standard-based interfaces are available for integration.
Product based solutions
secunet incorporates customer requirements as feature requests into the product planning process and implements them in an agile product development process. Customers thus regularly benefit from new functions that become relevant in the industry.
Individual additions can also be implemented using workflows based on the product. This reduces the typical share of project-specific software, which optimizes the implementation schedule and reduces effort.
secunet fulfills typical industry quality requirements through security-by-design, through reliable support as well as Common Criteria evaluations of relevant components. IT and operational demands are mapped by supporting data center technologies in the areas of operating systems, high availability and monitoring.
