
Root Key Generation Ceremony

2015-08-04
2016-04-20
  • Michael Heinzen

    Michael Heinzen - 2015-08-04

    Dear community,

    To reach compliance regarding the handling of the Root CA keys, we would like to implement a Root Key Generation Ceremony. This ceremony describes the creation process, the roles involved and the key management. Typically this means splitting the Root CA key or passphrase and storing it safely on a USB stick or CD-ROM.

    Has anyone done something similar, and are you willing to share this process? IMHO, this process is specific/limited to the PKI software used, and before investing too much time I want to see how I can accomplish this with EJBCA.

    I appreciate any comment on this.

    Cheers,
    Michael

    • Riko Rahmada

      Riko Rahmada - 2016-04-20

      Hi!

      I believe we are facing the same challenge. It depends on the quality standard of Root CA Key Ceremony you're trying to achieve.

      The point of the key ceremony is to verify that the generation of keys is done on the spot, secured by an HSM, and backed up. These three things need to be described to the audience and witnesses, while also explaining the meaning of the associated steps in the key generation script.

      I've also learnt that to meet the WebTrust Service Principles (this audit criterion is needed in order for your Root CA to be accepted by common browsers), a public accountant from a reputable company is required as a witness (can be replaced with a full video tape of the ceremony).

  • Roman

    Roman - 2015-10-26

    We are doing such a ceremony in the following manner:

    Keys must be securely stored on secure hardware like an HSM.
    In our case we would like to have also a secure backup of keys.

    We are generating key pairs on a certified random number generator in a secured room and loading them onto an HSM or cryptographic token with dual access control, mainly split access control using Shamir Secret Sharing.

    The backup is stored as an AES-encrypted private key with an HMAC signature to verify its integrity.

    Everything must be logged and records signed. Backup must be securely stored so no one can access it alone, etc.

    This can be used with EJBCA in the sense that it would be configured as a CryptoToken, which would be used by the CA to sign certificates or other materials.

    If you want to have dual access control in activating CryptoToken in EJBCA, it will need some customizing of course.

    And if you can afford the Enterprise version of EJBCA you can have a very nice and secure PKI in combination with that.

    And of course the best way (and also the most costly) is to have EJBCA in a box which contains a Utimaco HSM.

  • Tomas Gustavsson

    If you want to be audited, you need to work with auditors. Perhaps needless to say, but various EJBCA Enterprise installations have been audited against most audit standards.
