
What are the certificate authority capabilities?

It is recommended that organizations that elect a self-managed PKI deploy a hierarchical PKI. This is recommended for a number of security reasons, and it allows organizations to more easily expand the infrastructure to support additional scenarios or use cases in future projects and deployments.

A hierarchical PKI deployment most commonly consists of an Offline Root CA and one or more Issuing CAs. This hierarchy increases security because roles are separated, allowing the private key of the Root CA to be better protected. Because the KMES Series 3 is a turnkey solution, it can take on either of these roles, managing certificate trees, individual certificates, private keys, signing requests, and more through import, export, generation, tracking, storage, and revocation.

Offline Root Certificate Authority

The Offline Root serves as the trust anchor for the entire system. The Offline Root CA is the foundation of the entire PKI, and as such the consequences of a compromised root CA are severe. The security and integrity of this system are commonly ensured by keeping the unit offline with no network connectivity. When the KMES Series 3 is used as an offline root, it is only brought online to complete very infrequent and very specific tasks, such as signing an intermediate CA or issuing CA. In the interim, the device is powered off and stored in a secured, access-controlled environment.

Issuing Certificate Authority

Issuing CAs are the lower tier of the hierarchical PKI deployment. Issuing CAs are subordinate to the Root CA but are much more flexible. They can exist for different organizational or project silos, in different geographic regions, and with unique security levels in a more manageable environment. The issuing CA is used to provide certificates to applications, users, devices (e.g. phones, computers), and other services. The KMES Series 3 is built for complete lifecycle management to meet this use case, in addition to integrating with or serving as a dedicated registration authority.
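The two-tier hierarchy described above, built with plain OpenSSL as an added example (this is not Futurex or KMES Series 3 code; the KMES keeps these keys inside an HSM, whereas the script writes demo keys to a temporary directory). Subject names such as "Example Offline Root CA" and "device.example.test", the file names, and the WORK directory are constructed placeholders. The script shows the root signing only the issuing CA, the issuing CA signing an end-entity certificate, a relying party validating the chain against the root alone, and the path-length constraints causing a certificate chained through an unauthorized sub-CA to be rejected.

```shell
#!/bin/sh
# Added example (not Futurex/KMES code): a two-tier PKI built with OpenSSL so the
# offline-root / issuing-CA hierarchy can be inspected on a workstation. Subject
# names, file names and the WORK directory are constructed placeholders; in
# production the root key would live in an offline HSM, not in a PEM file on disk.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Key pair plus CSR for a subject; -nodes leaves the demo key unencrypted.
new_csr() {
    subj="$1"; key="$2"; csr="$3"
    openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "$subj" \
        -keyout "$key" -out "$csr" 2>/dev/null
}

# Sign a CSR with the given CA cert/key and extension file. This is the
# "signing" step the text describes; openssl x509 -req does no policy checking.
sign_with_ca() {
    csr="$1"; cacert="$2"; cakey="$3"; ext="$4"; out="$5"; days="$6"
    openssl x509 -req -in "$csr" -CA "$cacert" -CAkey "$cakey" -CAcreateserial \
        -days "$days" -sha256 -extfile "$ext" -out "$out" 2>/dev/null
}

# Offline root: self-signed, CA:TRUE, pathlen:1 so it may sign exactly one tier
# of subordinate CAs. Its only job is to sign the issuing CA.
build_root() {
    new_csr "/CN=Example Offline Root CA" "$WORK/root.key" "$WORK/root.csr"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > "$WORK/root.ext"
    openssl x509 -req -in "$WORK/root.csr" -signkey "$WORK/root.key" -days 3650 \
        -sha256 -extfile "$WORK/root.ext" -out "$WORK/root.crt" 2>/dev/null
}

# Issuing CA: signed by the root with pathlen:0, so it can issue end-entity
# certificates but cannot create further CAs beneath itself.
build_issuing() {
    new_csr "/CN=Example Issuing CA" "$WORK/issuing.key" "$WORK/issuing.csr"
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$WORK/issuing.ext"
    sign_with_ca "$WORK/issuing.csr" "$WORK/root.crt" "$WORK/root.key" "$WORK/issuing.ext" "$WORK/issuing.crt" 1825
}

# End-entity (device) certificate from the issuing CA: CA:FALSE plus a SAN.
issue_leaf() {
    new_csr "/CN=device.example.test" "$WORK/leaf.key" "$WORK/leaf.csr"
    printf 'basicConstraints=critical,CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=clientAuth\nsubjectAltName=DNS:device.example.test\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' > "$WORK/leaf.ext"
    sign_with_ca "$WORK/leaf.csr" "$WORK/issuing.crt" "$WORK/issuing.key" "$WORK/leaf.ext" "$WORK/leaf.crt" 365
}

# Path validation as a relying party does it: trust only the root and supply the
# issuing CA as an untrusted intermediate. Exit status 0 means the chain is valid.
verify_chain() {
    openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/issuing.crt" "$WORK/leaf.crt" >/dev/null 2>&1
}

# Failure mode worth knowing: if the issuing CA's key were misused to sign a
# further CA, pathlen:0 on the issuing CA (and pathlen:1 on the root) make
# relying parties reject anything chained through it. Returns 0 when the rogue
# chain is correctly rejected, 1 if it were accepted.
rogue_subca_rejected() {
    new_csr "/CN=Unauthorized Sub CA" "$WORK/rogue.key" "$WORK/rogue.csr"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\nsubjectKeyIdentifier=hash\n' > "$WORK/rogue.ext"
    sign_with_ca "$WORK/rogue.csr" "$WORK/issuing.crt" "$WORK/issuing.key" "$WORK/rogue.ext" "$WORK/rogue.crt" 365
    new_csr "/CN=rogue-device.example.test" "$WORK/rogue-leaf.key" "$WORK/rogue-leaf.csr"
    sign_with_ca "$WORK/rogue-leaf.csr" "$WORK/rogue.crt" "$WORK/rogue.key" "$WORK/leaf.ext" "$WORK/rogue-leaf.crt" 365
    cat "$WORK/rogue.crt" "$WORK/issuing.crt" > "$WORK/rogue-chain.pem"
    if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/rogue-chain.pem" "$WORK/rogue-leaf.crt" >/dev/null 2>&1; then
        return 1   # chain accepted: constraint not enforced
    fi
    return 0
}

build_root
build_issuing
issue_leaf
verify_chain && echo "leaf chain valid: root -> issuing -> leaf"
rogue_subca_rejected && echo "rogue sub-CA chain rejected (path length constraints enforced)"
```

Run it with `sh` and inspect the files under `$WORK` with `openssl x509 -text`. The point to take from it is that the root key is touched exactly once, to sign the issuing CA; everything day-to-day happens with the issuing key, which is why the root can stay powered off between such events.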

Futurex also integrates with other certificate management tools, helping to guard against key compromise, reduce fraud risk, and protect against insider attacks. For example, the KMES Series 3 integrates with Venafi's Trust Protection Platform, enabling enterprises to expand Machine Identity Protection with secure key generation and storage and an integrated private PKI backed by FIPS 140-2 Level 3-validated HSMs.

USB Backup HSM

Backups are important for any data security infrastructure, but for critical PKI infrastructure they are essential. Integrating directly with the KMES Series 3, Futurex offers a small form-factor, FIPS 140-2 Level 3 validated USB Backup HSM to store Futurex device backups on-premises or remotely.

The device is a software-free, 100% hardware-based USB key with 256-bit AES-XTS encryption, onboard keypad PIN authentication, and ultra-fast USB 3.1 (3.0) data transfer speeds. With on-the-fly encryption, PINs and other important data remain encrypted while the drive is at rest. Device backups stored on it are double-encrypted using source and USB HSM keys, plus multi-user authentication. Secured with a passcode number pad, the FIPS 140-2 Level 3 validated USB device can be connected directly to the KMES Series 3 to take and restore backups and can be securely stored in a safe when not in use.

Financial Certificate Authorities

The Futurex KMES Series 3 also supports non-X.509 certificates, namely those of the EMV standard. The EMV secure payment process is made possible entirely by a cryptographic microchip embedded directly in the card. EMV-enabled smart cards support public key infrastructure (PKI), an asymmetric (two-key) cryptosystem that provides trusted authentication for objects such as devices, users, documents, and more. When the card is activated for a payment transaction, the Point-of-Sale terminal issues a command to the chip embedded in the card, requesting verification that the transaction is authentic. The card uses an HSM to process validation using secured PKI information, and that response is sent back to the reader. To set up the PKI that allows EMV transactions to occur, the KMES Series 3 can be used to generate, store, and manage the public and private keys involved in this process.

The EMV Certificate Authority and Issuer certificates work with the banks, the issuers, and the acquirers to validate EMV transactions at the Point-of-Sale terminal. The KMES Series 3 supports generating EMV certificates for all major card brands, including American Express, Japan Credit Bureau (JCB), Mastercard, and Visa. Any issuer, or any organization that provides services on behalf of an issuer, can use the KMES Series 3 to securely generate and manage EMV certificates and implement an EMV certificate authority, in PKCS#7, EMV, ISO, and other formats.
