What is a Certificate Authority?
Certificate Authorities are a critical service in a network.
Certificate Authorities serve as a Point of Trust for all users, devices, and services on a network.
The CA Point of Trust allows clients to verify each other’s identity using a digital signature, with the identity being validated without the need to contact the Certificate Authority.
This technology enabled the internet to scale to the size it is today. Behind every HTTPS website resides a unique X.509 Certificate, issued by a globally trusted Certificate Authority. The enormous scale reduced the effectiveness of the Point of Trust: a handful of Certificate Authorities, managed by even fewer providers, dominates this space.
This was not the original intent behind the technology, and the smaller the Pool of Trusted Certificates, the higher the confidence in the produced Digital Certificates.
We make it our mission to provide every organisation with their own Certificate Authority and full management access to all Digital Certificates produced within their environment.
Functions of a CA
CAs are vital to security. They perform the following functions.
Issue Digital Certificates for Users, Devices, Services, Websites and Documents.
Using the Subject, SAN, Key Usages, Issuance Policies and Application Policies, the Certificate Authority imposes exact restrictions on each certificate, allowing it to perform only the exact actions it was issued for.
Certificate Revocation List (CRL)
The CA can revoke a previously issued certificate. This notifies devices and services that they should no longer trust devices and services presenting this Digital Certificate.
This serves a variety of purposes, for example removing a user’s smartcard access.
OCSP Certificate Issuance
OCSP provides a faster mechanism for services to identify revoked certificates. Where a CRL can take a week to identify a revoked certificate, OCSP provides this update immediately.
Leviathan is Cogito Group’s preferred CA product solution.
Built from the ground up with the primary focus on security, it supports a multitude of configurations, including cloud HSM. If your organisation has an existing On-Premise, Jellyfish Cloud, AWS Cloud or Azure Key Vault HSM, then you can use our in-house HSM Connector and acquire the full might of Jellyfish whilst maintaining full control over your keys.
Supporting full active-active configuration throughout the entire stack, Jellyfish Cloud’s multi-region deployment gives full confidence that you can issue your certificates when you need to.
A single Leviathan instance is capable of hosting multiple CAs simultaneously. With this, you can extend your trust chain with the press of a button and assign individual CAs to each sub-organisation in your tenancy. This provides a trust hierarchy for organisations that want to take security to the next level.
Leviathan supports both online and standalone operation modes, allowing you to isolate your Root Certificate Authorities and protect your trust chain where you are most vulnerable.
Migrating your existing CA to our platform is a seamless process and provides immediate access to the full Jellyfish certificate management suite.
Private/Secret Key Protection
The protection of the Private/Secret key used for certificate signing is provided by an HSM.
Public Key Protection
The public key used by the CA is protected against undetected modification through a digital signature, which is verified each time the key is accessed.
Leviathan CA implements certificate profiles. Profiles are configurable indirectly via the Jellyfish User Interface.
Session Locking Mechanisms
Sessions can be configured to lock and end after a configured period of user inactivity, requiring the user to re-authenticate to continue using the CA. This mitigates the risk of unattended sessions being hijacked.
The CA administration role is configured within Jellyfish. The Jellyfish user interface allows users to configure and manage certificate profiles, key management, CRL configuration, allowed algorithms and workflows for certificate issuance.
The management of Stored Data is available only to authorised users. It protects identity, contact information and the evidence of identity information, and it restricts the ability to destroy sensitive data. Leviathan CA also has the ability to store its state and recover to a previous state at the direction of the administrator.
Jellyfish provides a secure interface for Leviathan protecting the CA from bad actors and giving confidence in the Point of Trust. Users and Services have a rigid set of security enforcing policies applied to their Jellyfish accounts depending on their organisation’s security requirements.
Leviathan CA has redundancy features built in allowing it to perform recovery steps on a corrupt database. The built-in database resolver supports a wide variety of providers in a standalone, failover and cluster setup. It also supports running multiple instances in a single environment providing high availability.
Leviathan CA and Jellyfish are built with a microservice architecture where each component operates in complete independence and can work in isolation or integrated into a Jellyfish setup. This allows scaling to fit: a simple setup for smaller organisations, or multi-region deployments for larger enterprises.
Every certificate issued by the Leviathan Certificate Authority has an associated user or device within the Jellyfish Ecosystem. This makes it easy to track the identity and expiration of issued Digital Certificates that power your organisation’s Wi-Fi, smartcards, websites, services and more.
Jellyfish provides a wide range of authentication mechanisms, each centred around Role-Based authentication, where a user is assigned one or more Roles within the system.
Each Role grants a user or service a set of actions they can perform within the Jellyfish Portal. Managers can assign custodians within Jellyfish to manage Certificate Templates, CA Keys, Certificate Request Approvals, Certificate Revocation and Certificate Issuance.
The protection of the Private/Secret key used for CA certificate signing is provided by an HSM. By default, all CA keys are non-exportable and can only be accessed for signing in the HSM quorum in which the key was generated.
Client private keys are generated on their local device and are never exposed to Jellyfish. Leviathan also supports key archival in the rare circumstances where your key needs to be backed up. With our key archival, your key is wrapped in an asymmetric transport key that never leaves the HSM, allowing secure import between your local device and the HSM without exposing your private key during transport.
The Audit Record contains all interactions with the CA, tracking each action by user identity, datetime and outcome. The Audit Role can read all information from the logs. The Audit Record is read-only and is protected from modification or deletion. The Audit Record log can be archived for long-term retention.
Q & A
Question: Why don’t I just use Active Directory Certificate Services (AD CS) instead of Leviathan for my deployment?
Answer: They are for very different purposes. AD CS is designed for small-scale, simple on-premises installs supporting only on-premises solutions. Leviathan is designed to be even easier to set up than AD CS, because it is already set up in an as-a-Service environment. As a cloud-first solution, Leviathan is able to support on-premises and cloud needs simultaneously, from small, simple test deployments up to very large-scale, complex deployments with rich feature-set requirements. Download our White Paper to read more and see if AD CS meets your needs or if Leviathan is a better fit.