Many large organizations and trust service providers need to issue trusted identities for employees or citizens. The comprehensive PKI solution from Nexus, secured by a Utimaco HSM, brings a high level of trust.
Issue PKI-based identities for end users or devices
Many organizations need to issue trusted identities to employees, customers or citizens, for example, to authenticate employees and devices against the IT infrastructure, to sign documents or data, and encrypt messages.
A public-key infrastructure (PKI) uses the combination of private and public keys to ensure confidentiality, integrity, authenticity and non-repudiation of sensitive information.
Secure CA keys for high trust
A public key is placed in a certificate signed by a certificate authority (CA), enabling all PKI participants to trust the information and sensitive operations. A PKI relies heavily on the measures deployed to safeguard the cryptographic keys.
It must be ensured that CA signing private keys or root keys are not stolen, that unauthorized access to CA signing keys does not take place, or that any keys associated with the online certificate validation process are not misused, and thereby open for malicious use of revoked certificates.
To achieve this, the CA keys can be issued and managed in the secure environment of an HSM.
Deploying Hardware Security Modules (HSMs) in a PKI becomes a critical success factor. Scalability and performance are important features to keep operations running as more and more applications are deployed.
Solution: Highly secure certificate management for trusted identities
With the combination of a Nexus Certificate Manager as a certificate authority to issue and revoke certificates, Nexus OCSP Responder to check certificate validity, Nexus Timestamp Server as time stamping authority, and an Utimaco HSM as a safe location for issuing and storing all system internal keys and CA keys, you get a complete PKI solution based on the highest security standards.
The joint solution is future-proof, by being highly scalable and compliant with international standards such as the European eIDAS, and has proven very successful within corporate PKIs, citizen IDs and trust service providers.
By key recovery, encrypted information can be restored. For example, if a user has lost their smart card, phone with a mobile ID or laptop with a soft token, then the encryption key can be recovered, so that the user can still access any encrypted information, for example in emails.
The PKI solution is flexible for different use cases across networks and systems. It can be deployed as a service or installed on-premises, or a combination of both. The solution is multitenant, so that completely separated tenants can share one installation.
Key benefits
Flexible use cases
Issue certificates for citizens, employees, software or equipment across networks and systems, including large-scale environments.
High level of trust
Generate and use CA keys, OCSP responder keys and timestamp server keys inside a Utimaco HSM, to ensure the highest possible level of trust.
Key recovery
Restore lost information by key archiving and recovery, for example to read old encrypted emails.
eIDAS compliance
Ensure a solution that is fully compliant with the eIDAS standard, since both Certificate Manager and Utimaco HSM are eIDAS-compliant.
Nexus Certificate Manager
Nexus Certificate Manager is a flexible and high-security certificate authority (CA) platform, accompanied by OCSP Responder and Timestamp Server, which issues, manages, and validates digital certificates, the basis for electronic signatures.
Certificate Manager supports a large variety of interfaces, policies and certificate formats, including certificates for qualified electronic signatures (QES). Certificate Manager is certified according to the international Common Criteria for Information Technology Security Evaluation (CC).
Nexus Certificate Manager has the following benefits:
- Secure operation – The system is protected with PKI, uses dedicated roles for operation and follows the four-eye principle for changing policies.
- Multitenancy – Several departments can use separate domains of users, CAs and policies, by hosting multiple CA tenants in one deployment.
Flexible deployment – You can choose to install on-premises or – if you want a dedicated CA without having to operate the product – run as a service.
Utimaco General Purpose HSM
The Utimaco SecurityServer is a general purpose Hardware Security Module that ensures the security of cryptographic key material for servers and applications.
SecurityServer comes as a bundle with your choice of Utimaco hardware and includes a software HSM simulator for easy integration testing and evaluation.
The tamper-proof Utimaco HSMs offer scalable performance with the highest level of physical security and defense mechanisms for hostile environments. Utimaco HSMs meet and fulfill numerous compliance requirements and industry standards, and work with all common algorithms and interfaces (APIs).
Utimaco HSM has the following benefits:
- Configurable Role-based access control – variety of different authentication methods is supported
- Unlimited key storage – Keys can be stored internally or externally
- Future proof – supports quantum safe and blockchain algorithms, while being cloud-ready
About Nexus
Nexus, a part of IN Groupe, is an innovative identity management company. It secures society by enabling trusted identities for people and things. Nexus has 300 committed employees, as well as a global partner network. The headquarter are in Stockholm, Sweden. Nexus is certified in information security according to ISO 27001 and TISAX.
For more information, please visit www.nexusgroup.com or write us at contact@nexusgroup.com.
About Utimaco
Utimaco is a leading manufacturer of Hardware Security Modules (HSMs) that provide the Root of Trust to all industries. Utimaco HSMs are deployed across more than 90 countries. Utimaco employs a total of 270 people, with offices in Germany, the US, the UK and Singapore.
For more information, please visit hsm.utimaco.com or write us at hsm@utimaco.com.