Complex CESARIS is a system for digital certificate management X.509. The complex has been developed according to the requirements of international and European standards as well as EU and Ukrainian legislation. The complex is oriented on creating the digital signature infrastructure of a multibranched organization.

Structure and technical requirements of the complex CESARIS

1. Structure of the complex

Certificate Authority. It is designed for issuing and managing the digital certificates X.509; it is a centralized module in the head office.

Registration Authority centre(-s). It is designed for registering users of the system. These modules can be installed in remote offices (branches and structure subdivisions) to management and control for its local users and their digital certificates. Number of modules depends on the structure of the enterprise (organization).

Certificate repository . It is designed for storing the certificates and lists of withdrawn (annulled, blocked) certificates (database); it is a centralized module in the head office.

Complex Architecture Image

Basic services

Certificate Generation Service - services that are given by the CA. Basic functions: it generates and signs certificates, based on the identity and other features of the subjects, which are checked by the RA.

Registration Service services that are given by the RA. Basic functions: it verifies identity and if it is necessary any specific features of the subjects (subscribers). Results of this service are transmitted to the CA service.

Dissemination Service. Basic functions: it disseminates certificates to the subjects/subscribers and if the subject agrees . to others. This service also spreads the CA policy and practical information for the subscriber and the party that relies on the signature.

Revocation Management Service. Basic functions: it processes inquiries and reports on the certificates revocation. Results of this service are disseminated by the Revocation Status Service.

Revocation Status Service. Basic functions: it provides information on Certificate Revocation Status. This service can be on-line or it can be based on the Revocation Status information, which is updated in a certain period of time.

Additional Services

Subject Device Provision Service. Assignment: it prepares and provides the subscriber with the SCDev (Signature Creation Device.).

Time-Stamping Service or TSA (Time-Stamping Authorities). Actually, it can be a trusted third party assigned to generate and provide TST (Time-Stamp Token). TST proves that the data element existed before a certain time stamp. Security requirements are set only for TSA, which cryptographically relate the time value with the data value.

2. Technical features of the CA system

Providing security for private keys of the signature ( SMART cards and USB tokens ).

Secure storing and using private keys of the digital signature is one of the most important questions.

HSM (Hardware Security Module) can be used for ensuring security of storing and using the server digital signature private keys, e.g. CA, RA, WEB-server etc. We offer Eracom GmbH HSM (Germany); it has an international security certificate FIPS 140-1 and SBU advisory action.

Cryptographic smart-cards (Axalto, GemPlus, Oberthur) or cryptographic USB-tokens (Aladdin Knowledge Systems; GemPlus International etc.) can be used for ensuring security of storing and using the individual person.s signature of private keys (staff and clients of the institution).

3. System requirements

Server modules of the тл. system operate under Windows 2003 management.

For successful work with digital certificates the clients. PCs should have an operational system Windows 2000 SP1 or later versions.

Important: The PC should have a browser of Internet Explorer version 6.0 or higher (other browsers have to be tested).