Web-based CA using HSM

Metanate was contracted to provide ongoing support and enhancements to a pre-existing web-based certification authority used in the production of telecommunications equipment.

The authority is made up of a multi-tiered CA hierarchy generating batches of certificates and keys for embedding in equipment during production.

The certification authority has a web interface (Apache/Perl) with multiple levels of authenticated user access. It uses an encrypted database back-end (MySQL) for certificate and non-CA key storage and a networked HSM (accessed via PKCS#11) for secure CA key storage; the whole system runs on a minimal Debian Linux distribution.

Once generated, certificates and keys can be exported in secure form to transit databases for use in the equipment production process.

The original in-house design used individual USB PKI tokens to store each CA's private key. Metanate were asked to research and then implement an HSM-based solution to replace the USB tokens, to help migrate the CA to the HSM, and to upgrade the system to later operating system distributions.

The authority has subsequently been enhanced to support later generations of the customer's products and provide PKI support for the server infrastructure that the equipment relies on in everyday use.