The Certification Center of NPK is built on the “CERTEX” Public Key Infrastructure (PKI) software suite, which provides tools for issuing and maintaining registration certificates (certificates). CERTEX was developed in accordance with globally accepted PKI practice and follows the international PKIX series of standards (X.509 v3, RFC 3280).
Main tasks and functions of the Certification Center of NPK:
The main task of the Certification Center is to verify that the public signing/encryption key corresponds to its private key and to confirm the authenticity of the registration certificate.
The Certification Center, within the framework of its competence as stipulated by legislation, performs the following functions:
- Initial registration, generation of personal (private) and public keys, and registration certificates of users.
- Issuance, storage of registration certificates.
- Issuance, suspension/resumption, and revocation (annulment) of registration certificates.
- Publication of the list of revoked registration certificates (CRL) in the registry.
- Maintenance of the registry (catalog) of registration certificates.
- Confirmation of ownership, authenticity, and validity of the registration certificate’s public key.
To carry out its functions, the Certification Center (CC) may, in accordance with established legislation, enter into relevant agreements for the implementation of its statutory activities.
The Certification Center may charge fees for the services provided, as established by current legislation or contractual obligations.
Structure of the Certification Center of NPK:
The Certification Center of NPK consists of the following modules/components:
- Software (CERTEX) Certification Center;
- Software (CERTEX) Registration Center;
- Hardware and/or software for cryptographic information protection (CIIP);
- Registration certificate registry (storage);
- Additional components for processing certificate requests and revocation/suspension/resumption requests for registration certificates received from the Registration Center and/or CC users, and for issuing and managing registration certificates and CRLs.
The Software (CERTEX) Registration Center is responsible for user registration, key pair generation, creation and submission of a request to the CC for issuing a user’s registration certificate, and generating and submitting a request to the CC for revocation/suspension/resumption of a registration certificate.
Hardware or software CIIP provides the CC components with the cryptographic functions they need, including computation and verification of digital signatures. Interaction with hardware CIIP follows the PKCS#11 “Cryptographic Token Interface Standard.” When software CIIP is used, the interaction protocol corresponds to the Microsoft Cryptographic Service Provider (CSP) API.
The Registration Certificate Registry is a specialized LDAP directory. Access to the directory is provided using the LDAP protocol (RFC 2251 “Lightweight Directory Access Protocol v.3”) or through a web interface.
Additional Components of the Certification Center of NPK:
Time Stamp Service (TSA):
- CERTEX Time Stamp Software: This is part of the CERTEX PKI and includes a Time Stamping Authority (TSA) server component and the CERTEX TSP Client component for generating TSP requests. The purpose of the CERTEX Time Stamp software is to obtain and manage time stamps. The server part binds a time stamp to data, creating evidence that the data existed at a specific point in time. Such a time stamp can be used, for example, to confirm that a digital signature was applied to a message before the corresponding registration certificate was revoked, which makes it possible to rely on the public key of a since-revoked registration certificate to verify a signature that was provably created before the revocation. The TSA server can also be used to record the time a document was submitted when the submission deadline is a critical factor, or to record the time of an operation when writing log entries.
Online Certificate Status Protocol (OCSP) Service:
- OCSP is a simple request-response protocol that allows obtaining the current status of a registration certificate in real time.
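The reasoning above (a TSA time stamp proving that a signature predates revocation, combined with a CRL entry or OCSP response giving the revocation status and time) is the part a relying party most often gets wrong, so here is an added worked example of the decision logic. This is illustrative code written for this page, not part of CERTEX or any NPK software; the data classes, the `signature_time_acceptable` function and all sample dates are constructed assumptions, and it assumes the TSA token's signature and the CRL/OCSP response signature have already been verified elsewhere. It also handles two edge cases the text does not spell out: a stale "good" status past its nextUpdate, and a CRL entry carrying an invalidityDate (RFC 5280, section 5.3.2) earlier than the revocation time, as happens after a key compromise.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Dict, Optional, Tuple

UTC = timezone.utc


class Status(Enum):
    GOOD = "good"        # OCSP "good" / serial not present on the CRL
    REVOKED = "revoked"  # OCSP "revoked" / serial listed on the CRL
    UNKNOWN = "unknown"  # OCSP "unknown": responder does not vouch for this serial


@dataclass(frozen=True)
class Certificate:
    serial: int
    not_before: datetime
    not_after: datetime


@dataclass(frozen=True)
class StatusInfo:
    # What one CRL entry or one OCSP SingleResponse reports for a serial (constructed model).
    status: Status
    this_update: datetime                        # when this status was produced
    next_update: datetime                        # after this the status must be refreshed
    revocation_time: Optional[datetime] = None   # CRL revocationDate / OCSP revocationTime
    invalidity_date: Optional[datetime] = None   # CRL entry invalidityDate extension, if present


@dataclass(frozen=True)
class TimeStampToken:
    # The RFC 3161 token fields that matter here; TSA signature/chain checks are assumed done.
    gen_time: datetime
    accuracy: timedelta   # worst-case clock error claimed by the TSA
    tsa_trusted: bool


def signature_time_acceptable(cert: Certificate, info: StatusInfo,
                              tst: TimeStampToken, now: datetime) -> Tuple[bool, str]:
    """Decide whether a signature made under `cert` may be accepted, given a time stamp
    over the signature and the revocation status obtained from a CRL or OCSP."""
    if not tst.tsa_trusted:
        return False, "time stamp token not trusted; signing time is unknown"

    # Treat the TSA accuracy conservatively: the signature may have been made anywhere
    # in [earliest, latest], so use the bound that is worse for the signer in each check.
    earliest = tst.gen_time - tst.accuracy
    latest = tst.gen_time + tst.accuracy
    if earliest < cert.not_before or latest > cert.not_after:
        return False, "signing time is outside the certificate validity period"

    if info.status is Status.REVOKED:
        # A key compromise reported via invalidityDate may predate the formal revocation;
        # signatures after the suspected compromise time cannot be trusted.
        cutoff = info.invalidity_date or info.revocation_time
        if cutoff is None:
            return False, "revoked without a revocation time; cannot prove the signature predates it"
        if latest < cutoff:
            return True, f"signed before revocation/invalidity at {cutoff.isoformat()}; proven by time stamp"
        return False, "signing time is not provably before revocation"

    # "good" and "unknown" are only meaningful while the status is fresh.
    if not (info.this_update <= now <= info.next_update):
        return False, "revocation status is stale or not yet valid; refresh the CRL/OCSP response"
    if info.status is Status.UNKNOWN:
        return False, "status unknown: responder does not vouch for this certificate"
    return True, "certificate not revoked"


def demo() -> Dict[str, Tuple[bool, str]]:
    """Run the check over constructed sample data covering the main cases."""
    cert = Certificate(serial=0x1A2B,
                       not_before=datetime(2023, 1, 1, tzinfo=UTC),
                       not_after=datetime(2025, 1, 1, tzinfo=UTC))
    tst = TimeStampToken(gen_time=datetime(2024, 3, 10, 12, 0, tzinfo=UTC),
                         accuracy=timedelta(seconds=1), tsa_trusted=True)
    now = datetime(2024, 6, 1, tzinfo=UTC)
    fresh = dict(this_update=datetime(2024, 5, 31, tzinfo=UTC),
                 next_update=datetime(2024, 6, 7, tzinfo=UTC))
    cases = {
        "good_fresh": StatusInfo(Status.GOOD, **fresh),
        "good_stale": StatusInfo(Status.GOOD, this_update=datetime(2024, 4, 1, tzinfo=UTC),
                                 next_update=datetime(2024, 4, 8, tzinfo=UTC)),
        "unknown": StatusInfo(Status.UNKNOWN, **fresh),
        # Revoked three weeks after the time-stamped signature: signature still acceptable.
        "revoked_after_signing": StatusInfo(Status.REVOKED, **fresh,
                                            revocation_time=datetime(2024, 4, 1, tzinfo=UTC)),
        # Same revocation, but the CRL says the key was already compromised on 1 March.
        "compromised_before_signing": StatusInfo(Status.REVOKED, **fresh,
                                                 revocation_time=datetime(2024, 4, 1, tzinfo=UTC),
                                                 invalidity_date=datetime(2024, 3, 1, tzinfo=UTC)),
    }
    results = {name: signature_time_acceptable(cert, info, tst, now) for name, info in cases.items()}
    results["tsa_untrusted"] = signature_time_acceptable(
        cert, cases["good_fresh"], TimeStampToken(tst.gen_time, tst.accuracy, False), now)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:28s} {'ACCEPT' if ok else 'REJECT'}  {reason}")
```

The design choice worth noting is that a "revoked" status is final and is evaluated against the time stamp regardless of freshness, whereas a "good" answer is only as trustworthy as the CRL or OCSP response is fresh; a relying party that accepts a stale "good" has effectively switched revocation checking off.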
Supported Standards:
- Information exchange with users and registration certificate owners is conducted using standard network protocols of the TCP/IP stack.
- Publication of registration certificates and Certificate Revocation Lists (CRLs) in directories is done over the LDAP protocol, RFC 2251 “Lightweight Directory Access Protocol (v3).”
- Registration certificates of public keys issued by the Certification Center comply with X.509 v.3 RFC 3280 “Certificate and Certificate Revocation List (CRL) Profile” and RFC 3039 “Qualified Certificates Profile” recommendations and can be used by standard user applications.
- The structure of generated lists of revoked registration certificates complies with X.509 v2 RFC 2459 “Certificate and Certificate Revocation List (CRL) Profile” and RFC 3280 “Certificate and Certificate Revocation List (CRL) Profile” recommendations.
- Various standards, including PKCS#1, PKCS#3, PKCS#5, PKCS#6, PKCS#7, PKCS#8, PKCS#9, PKCS#10, PKCS#11, PKCS#12, PKCS#13, PKCS#15, CMS (Cryptographic Message Syntax), CMC (Certificate Management Messages Over CMS), SHA-1, SHA-2, SSL, TLS, DSA, ECDSA, OCSP, TSP, SNTP, GOST (Russian cryptographic standards) are supported for cryptographic operations and communication.
The Certification Center of NPK adheres to international and national standards, ensuring the security and reliability of its services.