Offline Root CA Storage
Risk-Reducing Offline Certificate Authorities
How It Works
VirtuCrypt provides the hardware on which the offline root CA is installed. This service functions by following the procedures below:
- The Root CA's private key generates a self-signed root certificate, allowing it to preside as the root of trust for the infrastructure.
- Signing requests are generated by an external Subordinate CA and signed by the Root CA's private key.
- Generated subordinate CA certificates are issued to the remote CA, and out-of-band certificate validation is performed.
- The Subordinate CA may be used to issue additional certificates that will chain up to the root CA.
- During the Root CA signing process, the VirtuCrypt infrastructure is kept offline at all times.
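The hierarchy above, as an added example that is not VirtuCrypt's or Futurex's own tooling: a two-tier chain built with the openssl command line in a scratch directory, where the root private key stands in for the key that, in the service described, never leaves the offline SCD (only the subordinate's CSR and the signed certificate cross the air gap). The CA names, validity periods and file names are assumed.

```shell
# Added example, not VirtuCrypt/Futurex code. Assumes openssl 1.1.1+ on PATH.
# In the real service the root key stays on the offline SCD; only sub.csr
# goes in and sub.crt comes out.
set -eu

# Builds root -> subordinate -> leaf and prints the verification results.
# Runs in a subshell so the caller's working directory is left alone.
build_chain() (
    dir=$(mktemp -d) && cd "$dir"

    # Step 1: root key plus self-signed root certificate (the trust anchor).
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Offline Root CA" \
        -keyout root.key -out root.csr >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
        -extfile ca.ext -out root.crt >/dev/null 2>&1

    # Step 2: the subordinate CA makes its own key and a CSR; only the CSR
    # is carried to the offline root for signing.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=Example Issuing CA" \
        -keyout sub.key -out sub.csr >/dev/null 2>&1

    # Step 3: the root signs the subordinate. pathlen:0 lets the subordinate
    # issue end-entity certificates but not further CAs.
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > sub.ext
    openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -CAcreateserial \
        -days 1825 -sha256 -extfile sub.ext -out sub.crt >/dev/null 2>&1

    # Step 4: the (online) subordinate issues a leaf certificate.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=device-001.example.test" \
        -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\n' > leaf.ext
    openssl x509 -req -in leaf.csr -CA sub.crt -CAkey sub.key -CAcreateserial \
        -days 365 -sha256 -extfile leaf.ext -out leaf.crt >/dev/null 2>&1

    # Step 5: out-of-band validation. The issued subordinate certificate must
    # chain to the root, and a leaf must chain through the subordinate.
    openssl verify -CAfile root.crt sub.crt
    openssl verify -CAfile root.crt -untrusted sub.crt leaf.crt
    # A leaf presented without the intermediate must not verify against the root alone.
    if openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1; then
        echo "leaf.crt: unexpectedly verified without intermediate"
    else
        echo "leaf.crt: rejected without intermediate"
    fi
)
```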
Physical and Logical Protection
Root CAs have limitless applications within a cryptographic environment, including data protection, remote key loading, and ID issuance. Capable of such wide-ranging uses, these CAs require significant protection. VirtuCrypt provides the following security measures to safeguard against physical and logical threats.
- The CA is kept within a secure, access-controlled data center with multi-factor authentication, including the use of biometrics.
- The Futurex servers used to store the root CA are kept offline at all times within a FIPS 140-2 Level 3 and PCI PIN validated SCD, which incorporates dual-control physical barrel locks and a tamper-responsive design.
- All user access operates on the principle of least privilege, dual control, and enforced split knowledge; lone users never have access to independently issue CAs.
- Full compliance with ANSI TR-39, PCI PIN, and PCI P2PE control objectives.
A fully-managed and hosted PKI enables your organization to validate the integrity of users, devices, and more. The following are additional benefits provided by a PKI with an offline-root CA:
- PKI ensures your communication is private. By protecting the root CA, your organization secures its most valuable information.
- Keeping a root CA offline, and powered down, reduces your organization’s scope of compliance by separating the CA from potentially malicious third parties on the network.
- VirtuCrypt Solutions Architects, each qualified by the latest security industry certifications, handle your services and the devices which power them, decreasing the possibility of employee error.