Offline Root CA Storage

Risk-reducing, Offline Certificate Authorities

VirtuCrypt Offline Root CA Storage provides a secure root certificate authority infrastructure. At the highest point within a Public Key Infrastructure (PKI) hierarchy, the root CA is trusted by all of an organization’s users, and as such it is critical to maintain the root private key securely to prevent unauthorized use. For comprehensive risk reduction, the Root CA's private key is kept offline within a FIPS 140-2 Level 3 and PCI HSM validated Secure Cryptographic Device (SCD). This solution satisfies PCI PIN and P2PE requirements that dictate that CAs used to sign subordinate CAs be kept on an offline, dedicated network.

How It Works

VirtuCrypt provides the hardware on which the offline root CA is installed. This service functions by following the procedures below:

  • The Root CA's private key generates a self-signed root certificate, allowing it to preside as the root of trust for the infrastructure.
  • Signing requests are generated by an external Subordinate CA and signed by the Root CA's private key.
  • Generated subordinate CA certificates are issued to the remote CA and out-of-band certificate validation is performed.
  • The Subordinate CA may be used to issue additional certificates that will chain up to the root CA.
  • During the Root CA signing process, the VirtuCrypt infrastructure is kept offline at all times.

Physical and Logical Protection

Root CAs have limitless applications within a cryptographic environment, including data protection, remote key loading, and ID issuance. Capable of such wide-ranging uses, these CAs require significant protection. VirtuCrypt provides the following security measures to safeguard against physical and logical threats.

  • The CA is kept within a secure, access-controlled data center with multi-factor authentication, including the use of biometrics.
  • The Futurex servers used to store the root CA are kept offline at all times within a FIPS 140-2 Level 3 and PCI PIN validated SCD, which incorporates dual-control physical barrel locks and a tamper-responsive design.
  • All user access operates on the principle of least privilege, dual control, and enforced split knowledge; lone users never have access to independently issue CAs.
  • Full compliance with ANSI TR-39, PCI PIN, and PCI P2PE control objectives.

Diagram: VirtuCrypt stores a certificate on a hardened certificate management server and takes the server offline.

High-Level Benefits

A fully-managed and hosted PKI enables your organization to validate the integrity of users, devices, and more. The following are additional benefits provided by a PKI with an offline-root CA:

  • PKI ensures your communication is private. By protecting the root CA, your organization secures its most valuable information.
  • Keeping a root CA offline, and powered down, reduces your organization’s scope of compliance by separating the CA from potentially malicious third parties on the network.
  • VirtuCrypt Solutions Architects, each qualified by the latest security industry certifications, handle your services and the devices which power them, decreasing the possibility of employee error.