Product
eID PKI Suite

The key to secure digital processes

Digital certificates ensure the trustworthiness and integrity of data transmission for online banking and tax returns. But they are also used for intelligent electricity meters, for checking passports, and in connected cars. We have developed the secunet eID PKI Suite for the generation, use and management of these digital certificates, thus creating an essential basis for secure digital processes and automation.

The benefits of the secunet eID PKI Suite

Reliable

The eID PKI Suite is the bundled know-how from more than 350 PKI projects: It is designed for use in the area of sovereign documents as well as for applications in the industrial environment and supports all relevant standards and protocols.

Premium levels of security

For areas of application with special security requirements, the eID PKI Suite is also available in a variant certified according to Common Criteria EAL4+.

Durable

The eID PKI Suite is standards-compliant, which makes it highly durable and protects investments: Our PKI easily adapts to changing security requirements and evolving infrastructures.

Modular

The various software modules of the eID PKI Suite combine to form a high-performance overall system, but can just as easily be integrated individually into an existing system architecture.

Perfect fit

The eID PKI Suite can be set up on a highly customized basis - customers receive a scalable standard solution that is nevertheless tailored precisely to their needs.

Farming and IT security

CLAAS invests in the future: Agricultural machinery has reached a level of development that can hardly be increased by traditional means. In order to maintain its leading position in the market, the agricultural machinery manufacturer CLAAS is therefore focusing on new and forward-looking business areas.

Application areas of the eID PKI Suite:

The data stored on the chip in sovereign documents must be protected against manipulation and falsification. In addition, the use of suitable security mechanisms must ensure that only those persons who are verifiably authorized to do so have access to the data. The backbone of the security framework for sovereign documents are two comprehensive public key infrastructures (PKIs). While the ICAO PKI ensures the authenticity and integrity of the documents, a second PKI, the EAC PKI, is required for extended access protection. The secunet eID PKI Suite meets all requirements for a PKI in the field of eID and border control. Due to its modular approach, our customers benefit from a smooth integration into their systems.

The benefits of the secunet eID PKI Suite for sovereign documents

Flexible

Flexible with regard to the signature components to be used and the associated certificate management. Different HSMs are supported.

Individual

One product meets all the requirements for a PKI to be used in the context of sovereign documents.

Future-proof

The eID PKI Suite is modular, scalable and standards-compliant. Furthermore, it supports all EAC versions.

Efficient

The national and international certificate exchange via the SPOC is simplified and the document verification infrastructure, including certificate management, is centralized via the Terminal Control Center.

The secunet eID PKI Suite, or rather its individual components, is used wherever a secure infrastructure for the modern issuance and verification of electronic ID documents is built:

  • Passport-issuing authorities use the eID PKI Suite to build a secure personalization infrastructure
  • Border-control authorities use the eID PKI Suite to build a secure border-control infrastructure
  • Security authorities use the eID PKI Suite for secure international certificate exchange
  • Trust centers use the eID PKI Suite to issue authorization certificates to service providers in the field of national ID documents

Liechtenstein digitizes its administration

The Liechtenstein government relies on secunet software modules for its infrastructure for electronic identity documents (eID).

The eID PKI Suite comprises individual software modules

The range comprises components for application in the ICAO PKI field and components which fulfil the requirements of the EAC PKI. Put together, the eID PKI Suite is a high-performance complete system, yet the software modules can also be integrated individually into an existing system architecture.

The Country Verifying Certification Authority (CVCA) forms the root of the EAC infrastructure. It issues the CVCA root certificates as well as DV certificates to any document verifying instance.

The CVCA must be operated in a secured environment. The system runs on standard PC server hardware using a Linux OS. The system provides a web application front end, so that the operator can control the system via a standard web browser. The system supports the following use cases:

  • Create initial (self-signed) CVCA root certificate incl. secret key
  • Perform key rollover as the CVCA certificate expires and issue link certificates
  • Import and verify certification requests from the DVCA
  • Issue and export DV certificates

The actual cryptographic operations are performed using an HSM or a Smart Card. RSA- and ECDSA-based algorithms are supported.


As a centralised interface, the Single Point of Contact (SPOC) allows certificate exchange at international and national level, according to CSN 369791:2009 and the technical guideline BSI TR-03129 respectively. secunet's solution covers both sides of the SPOC communication, which is secured via TLS.

As a special feature secunet provides a SPOC online test system.


The EAC infrastructure requires at least one instance of a Document Verifying Certification Authority (DVCA). The DVCA issues IS certificates to any document reading system.

The DVCA must be operated in a secured environment. The system runs on standard PC server hardware using a Linux OS and provides a web application front end, so that the operator can control the system via a standard web browser. The system supports the following use cases:

  • Create initial DV certificate request and request the certificate from the CVCA
  • Perform key rollover as the DV certificate expires and request a new certificate
  • Import and verify certification requests from inspection systems
  • Issue and export IS certificates to inspection systems

The actual cryptographic operations are performed using an HSM or a Smart Card.

DVCA supports all cryptographic algorithms to ensure full interoperability with foreign and national CVCAs.


The Terminal Control Centre (TCC) implements a centralised document verification infrastructure that allows the connection of various distributed terminals. secunet's TCC solution supports different application scenarios for BAC- and EAC-protected documents. A secure centralised certificate and key store is part of the solution, allowing the TCC to take over the authentication procedure for authorised readers. For Passive Authentication, the TCC imports CSCA certificates from the Master List and known defects from the Defect List.


The Country Signing Certification Authority (CSCA) serves as the trust anchor for the ICAO PKI. It issues a country root certificate as well as the document signer certificate for organizations issuing electronic ID documents.

The CSCA must be operated in a secured offline environment. The system runs on standard PC server hardware using a Linux OS and provides a web application front end, so that the operator can control the system via a standard web browser. The system provides the following use cases:

  • Create initial (self-signed) country root certificate incl. secret key
  • Perform key-rollover as the CSCA certificate expires and issue link certificates
  • Import and verify certification requests from the document signer
  • Issue and export document signer certificates
  • Revoke document signer certificates
  • Issue and export a certificate revocation list

The actual cryptographic operations are performed using an HSM or a Smart Card.
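As an added illustration (not secunet's code and not part of this page), the following Go program walks through the CSCA use cases listed above using only the standard library's crypto/x509 package: an initial self-signed root, a key rollover that yields a new root plus a link certificate signed by the old key, issuance of a Document Signer certificate, its revocation, and export and checking of a CRL. Names, serial numbers, validity periods and the use of a software key instead of an HSM are constructed for the example; BuildScenario, VerifyDS, IsRevoked and the helpers are hypothetical names. The same rollover pattern applies to the CVCA on the EAC side, but that PKI uses card verifiable certificates (CVC), which Go's x509 package does not parse, so only the ICAO (X.509) side is shown.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Scenario holds the constructed hierarchy; all names, serials and dates are made up.
type Scenario struct {
	OldCSCA, NewCSCA, Link, DS *x509.Certificate
	CRL                        *x509.RevocationList // issued by the new CSCA
	Now                        time.Time
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl over pub with signer's key; parent is tmpl itself for a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))
	return must(x509.ParseCertificate(der))
}

// caTemplate describes a CA that may sign certificates and CRLs.
func caTemplate(cn string, serial int64, from time.Time, years int) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{Country: []string{"XX"}, CommonName: cn},
		NotBefore:    from, NotAfter: from.AddDate(years, 0, 0),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// BuildScenario walks the CSCA use cases: root, rollover with link certificate, DS issuance, CRL.
func BuildScenario() *Scenario {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	// 1. Initial self-signed CSCA root, created four years ago and valid for five.
	oldK := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	oldTmpl := caTemplate("CSCA-XX-2020", 1, now.AddDate(-4, 0, 0), 5)
	oldCSCA := issue(oldTmpl, oldTmpl, &oldK.PublicKey, oldK)
	// 2. Key rollover: a new self-signed root plus a link certificate carrying the NEW
	//    public key but signed by the OLD key, so holders of the old root can follow it.
	newK := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	newTmpl := caTemplate("CSCA-XX-2024", 2, now, 5)
	newCSCA := issue(newTmpl, newTmpl, &newK.PublicKey, newK)
	linkTmpl := caTemplate("CSCA-XX-2024", 3, now, 1) // same subject as the new root
	link := issue(linkTmpl, oldCSCA, &newK.PublicKey, oldK)
	// 3. Short-lived Document Signer leaf certificate issued under the new key.
	dsK := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	ds := issue(&x509.Certificate{
		SerialNumber: big.NewInt(100), KeyUsage: x509.KeyUsageDigitalSignature,
		Subject:      pkix.Name{Country: []string{"XX"}, CommonName: "DS-XX-001"},
		NotBefore:    now, NotAfter: now.AddDate(0, 3, 0),
	}, newCSCA, &dsK.PublicKey, newK)
	// 4. Revoke that DS certificate and export a CRL signed by the new CSCA
	//    (RevokedCertificates is the pre-Go 1.21 field name and is still accepted).
	crl := must(x509.ParseRevocationList(must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now, NextUpdate: now.AddDate(0, 1, 0),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: ds.SerialNumber, RevocationTime: now}},
	}, newCSCA, newK))))
	return &Scenario{OldCSCA: oldCSCA, NewCSCA: newCSCA, Link: link, DS: ds, CRL: crl, Now: now}
}

// VerifyDS chains ds to root at time at; intermediates are offered to the path builder, never trusted.
func VerifyDS(ds, root *x509.Certificate, at time.Time, intermediates ...*x509.Certificate) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	_, err := ds.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters,
		CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// IsRevoked checks the CRL signature against its issuer before consulting it.
func IsRevoked(crl *x509.RevocationList, issuer *x509.Certificate, serial *big.Int) (bool, error) {
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return false, err
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(serial) == 0 {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	s := BuildScenario()
	fmt.Println("old root, no link:  ", VerifyDS(s.DS, s.OldCSCA, s.Now))
	fmt.Println("old root, with link:", VerifyDS(s.DS, s.OldCSCA, s.Now, s.Link))
	fmt.Println(IsRevoked(s.CRL, s.NewCSCA, s.DS.SerialNumber))
}
```

Run with `go run`: the first verification fails with an unknown-authority error because the reader only trusts the old root, the second succeeds once the link certificate is offered as an intermediate, and the CRL lookup reports the DS certificate as revoked only after the CRL's signature has been checked against the issuing CSCA; a CRL that does not verify against the expected issuer is rejected before any serial number is consulted, which is the property an N-PKD or TCC importing CRLs relies on.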


As the national layer of the ICAO PKD the N-PKD stores all trusted domestic and foreign CSCA certificates, DS certificates and corresponding CRLs. In this context the N-PKD supports the ICAO PKD interface, requests CRLs from the distribution points and manually imports certificates and Master Lists. The N-PKD supports the operator reliably by analysing the various qualities of the imported data and storing them separately according to their trustworthiness. Additionally the N-PKD is able to create and store Master and Defect Lists to be used for Passive Authentication in the border control process.


The Document Signer (DS) is responsible for creating the digital signatures that ensure the authenticity and integrity of the electronic data stored in the eID document, i.e. the ePassport data.

The DS must be operated in a secured environment. The system runs on standard PC server hardware and provides a web service interface to the personalization system. The Document Signer supports the following use cases:

  • Create document signer key pair and certification request
  • Export certification request to a file
  • Import document signer certificate (issued by CSCA) from a file
  • Create document security object (EF.SOD)

The cryptographic operations are performed using an HSM or a Smart Card.


As of 01.05.2022, a visa for the Schengen area must contain an additional digital seal to enhance the optical protection measures with an electronic component.

The Digital Seal Signer for Visa (DSS for Visa) creates a digital signature as well as a 2D barcode that ensures the authenticity and integrity of the data printed in the paper document.

The DSS for Visa includes:

  • Generation of ICAO-compliant digital seals for visas
  • Requesting and managing the associated digital certificates (issued by the CSCA)
  • Signature and barcode generation with the DSS certificate
  • SOAP- or REST-based web service interface to the enrolment application
  • Integrated interface for quality assurance of issued certificates

Full control over all process relevant identities and data flows

IT-supported business processes are the backbone of industry and the economy today. The steadily increasing networking, and thus the complete digitization of value chains within companies, across whole industries and between industries, requires corresponding trust anchors. Cryptographic processes and the use of certificates and signatures ensure trust in actors and control over digital infrastructures.

The provision and management of certificates by secunet's eID PKI Suite makes it possible to ensure the authenticity of communication partners, ensures the integrity of data and also enables data to be encrypted so that it is protected against inspection. In this way, communication between people, communication between users and systems, and even automated machine-to-machine (M2M) communication can be secured.

The modular architecture of secunet's eID PKI Suite enables flexible integration into almost any use case that requires the creation, provision and management of digital identities for people or devices, including, of course, the automated verification of digital identities. These digital identities can be generated in the formats required, i.e. as X.509 certificates as well as CVCs (card verifiable certificates), so that use cases in the Internet of Things are fully covered.

 

Your solution - universal and flexible

secunet's eID PKI Suite already supports a wide range of applications and, thanks to its modular architecture, can be flexibly aligned to individual scenarios and expanded if necessary:

  • Universal PKI - Certificate-based solutions for authenticating users, signing and encrypting data and messages.
  • Industry PKI - Cryptographic services for securing the entire process chain of a product life cycle: development, production, application and service.
  • Smart Metering PKI - Create and manage certificates for smart meter gateways. secunet PKI is approved for use as a sub-CA under the smart meter beta root CA operated by the BSI.

 

Secure your processes and infrastructure

  • Authentication of persons and users
  • Identification of devices, systems and users
  • Protection of confidential information through encryption
  • Authorization and verification of control actions

The CAKernel (C²K) of the secunet PKI Suite, certified according to Common Criteria EAL 4+, is a testament to the high level of security "Made in Germany".

Your success - we support from analysis to realization

The requirements for the use of cryptographic security measures often result from regulatory requirements, technical guidelines and risk analyses. With our 20 years of experience, we work out with you which requirements apply and which solution approaches are sustainable.


Once the goals have been set, we work with you to develop the technical requirements for the future solution and organizational specifications for the secure operation of the PKI or the use of externally procured certificates and signatures.


If secunet's eID PKI Suite is the right solution for you, we integrate it completely as specified.

Otherwise, we support you in the proper implementation of other PKI solutions.


Secure Key Management

With eID PKI for Automotive, secunet Automotive Security offers a very flexible product that has proven itself in productive use as a foundation for central cryptographic systems. PKI systems for automotive applications with various supported certificate formats can be set up in the same way as crypto key management with hardware security modules.

Well-known applications for securing electronics in the automotive sector, such as secure flashing of ECUs, software over-the-air, diagnostic security, secure on-board network communication (SecOC) and secure smart-charging communication (ISO 15118), can be implemented in the same way as new and future tasks in the field of data services, mobility services or car-2-car communication. Various standards-based interfaces are available for integration.

Product based solutions

secunet incorporates customer requirements as feature requests into the product planning process and implements them in an agile product development process. Customers thus regularly benefit from new functions that become relevant in the industry.

Individual additions can also be implemented using workflows based on the product. This reduces the typical share of project-specific software, which optimizes the implementation schedule and reduces effort.

secunet fulfills typical industry quality requirements through security-by-design, through reliable support as well as Common Criteria evaluations of relevant components. IT and operational demands are mapped by supporting data center technologies in the areas of operating systems, high availability and monitoring.

Projects and references
As a partner of public authorities, organizations and industry, we drive digital sovereignty in Germany and the EU. For a secure, independent and fully networked future.
Downloads
Brochures
Success Story PKI

Central PKI - confidence and trust at the border: secunet eID PKI Suite enables the German Federal Police to check EAC1- and EAC2-protected ID documents at border control points

Technical info
Factsheet eID PKI Suite

Public Key Infrastructure for modern identity documents

Factsheet eID PKI Suite NKPD

More than just a mirror of the ICAO-PKD

Factsheet eID PKI Suite x509

Universal security framework and trust anchor

Factsheet DSS for Visa

Digital Seal Signer for Visa: Reliable protection for modern residence permits
