Digi-Sign, The Certificate Corporation
Published on Digi-Sign, The Certificate Corporation (http://www2.digi-sign.com)


By Digi-Sign
Created Feb 14 2008 - 16:20

System Design

Certificate Authority System Design

PDF [1] The Digi-CA™ system is built from several modules. Each module communicates with the others either directly through a programmable socket interface or through an API. The system is designed so that no access to the core Certificate Engine is possible except through the web-based control panel or, for low-level power administrators only [super users], through SSH.

There is one operating system and four principal modules in the Digi-CA™; how they are implemented for your requirements depends on the Certificate Policy:

    • Digi-CA™ Operating System
    • Digi-CA™ Certificate Engine
    • Digi-CA™ Information Database [2]
    • Digi-CA™ Control Centre [3]
    • Digi-CA™ CRL [4]

    As an option the following sub-systems can also be installed:

    • Specific Database Nomination (Oracle, MSSQL, WebSphere, etc.)
    • Hardware Security Module(s) [HSM]
    • On-Line Certificate Status Protocol [OCSP]
    • Time Stamping Server

    The above options are available subject to consultation and are listed here for indicative purposes only.



Digi-CA™ Operating System

    Digi-CA™ is designed and built for Unix/Linux-compatible operating system platforms. Typical installations use FreeBSD 5.4+ or a Red Hat Enterprise Linux based operating system.



Digi-CA™ Certificate Engine

    The main module of the system is the Digi-CA™ Certificate Engine core, which creates and revokes Certificates according to the system Certificate Policy. It has a direct interface to the Digi-CA™ Information Database, which holds information about all Digi-ID™ [5] Certificate holders and about every issued Certificate (as well as those pending issue, suspended or revoked). Output from the Digi-CA™ Certificate Engine core is directed to:

    • The Digi-CA™ Information Database, which receives updated user information after Certificates are created or revoked.
    • The Digi-CA™ LDAP Directory, which contains information about all issued and valid Certificates.
    • The smart card or USB token support system (if installed), for the generation of the Digi-Card™, Digi-Token™, etc.
    • The email system, for distribution of Digi-ID™ Certificate collection notices under the Process Method, or of the actual PKCS#12 [.p12] package if the Digi-ID™ is distributed using the Package Method.

The Digi-CA™ Certificate Engine core is designed so that no Administrator intervention is necessary: a daemon process runs the important maintenance tasks automatically.


Source URL: http://www2.digi-sign.com/digi-ca/introduction/design

Links:
[1] http://www2.digi-sign.com/downloads/digi-ca-manual
[2] http://www2.digi-sign.com/digi-ca/information+database
[3] http://www2.digi-sign.com/digi-ca/information+database#control+centre
[4] http://www2.digi-sign.com/digi-ca/information+database#crl
[5] http://www2.digi-sign.com/digi-id