SECURITY
CodeMeter Certificate Vault
Digital certificates in the X.509 format are becoming more common and more important. The processes for managing certificates and storing keys securely, however, have not become any simpler or more straightforward. The security procedures that are actually needed are set for a head-on collision with real-world usability. CodeMeter Certificate Vault is here to save the day.
At the core of every CodeMeter dongle (CmDongle) there is a secure element, a tiny chip with secure key storage and readable memory. CodeMeter Certificate Vault builds on this basic system and goes beyond the established CodeMeter API to offer interfaces for integrating the solution with existing applications or the client's specific requirements. CodeMeter Certificate Vault works as a PKCS#11-compliant token provider, integrates with the Microsoft Cryptographic API Next Generation (CNG) as a Key Storage Provider (KSP), and works with the OpenSSL API to, for example, store and handle the keys for TLS certificates with uncompromising CodeMeter security.
The certificates and keys make their way onto the CmDongles via a specially protected route, going through a central system like CodeMeter License Central. There is no need for the end user to be concerned about the technical nitty-gritty of requests, updates, or signed certificates. All of this complex administration happens in the background for the user, including the CA (Certificate Authority) if need be.
According to the textbook process, the entity (a person or a machine) that needs a certificate would first create a key pair, ideally already within a hardware secure element. This key pair is used to sign a request that is sent to the higher Certification Authority. The request is checked, a certificate is created and signed, and the signed certificate is sent back. The requesting entity then loads that certificate into the readable memory. Once the certificate has expired, the entire process starts over. This (simplified) description makes it easy to understand why so few emails are signed and encrypted, why the smart health insurance card is such a political hot potato in many countries, and why certificates are the wallflower of the IT world outside of the dedicated crypto scene.
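The textbook enrollment just described, carried through as an added Go example using only the standard library (this is not CodeMeter or Wibu-Systems code): an in-memory key stands in for the secure element, and the CA name "Example Corp CA" and device name "device-0001" are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// verifyAt is the check the entity runs against the CA root before loading a
// certificate and again on each use; it fails once the certificate has expired.
func verifyAt(leaf, ca *x509.Certificate, at time.Time) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// enroll runs the textbook flow: the entity creates a key pair and a signed request,
// the CA checks the request and issues a one-year certificate, the entity verifies it.
func enroll(now time.Time) (ca, leaf *x509.Certificate, err error) {
	// CA side: constructed sample root key and self-signed CA certificate.
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	caTpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Corp CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	// Entity side: key pair (ideally generated inside the secure element so the
	// private half never leaves it) and a request self-signed with that key.
	entKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	csrDER, _ := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: "device-0001"}}, entKey)
	// CA side: parse the request and verify its proof of possession before issuing.
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature()
	}
	if err != nil {
		return nil, nil, err
	}
	leafTpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, NotBefore: now, NotAfter: now.AddDate(1, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTpl, ca, csr.PublicKey, caKey)
	leaf, _ = x509.ParseCertificate(leafDER)
	// Entity side: verify the chain before loading the certificate into readable memory.
	return ca, leaf, verifyAt(leaf, ca, now)
}
```

Calling verifyAt with a time past the certificate's NotAfter returns an error; that is the point at which the process above has to start over.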
CodeMeter Certificate Vault has arrived to change all this. On the user's side, the standard interfaces like PKCS#11, KSP, or OpenSSL remain in place. Every application can access certificates and keys in the CmDongle in a fully conformant manner, and the necessary cryptographic operations happen in the dongle. The entire creation of certificates occurs within the central Certification Authority, which could be embodied by a company's IT department. Here, certificates and key pairs are created and then distributed to the dongles in the field.
This approach seems to go against all the rules of correct certificate management, which stipulate that private keys must never leave the secure dongles of the users. However, if the keys and certificates are created in a central and similarly secure environment, the CodeMeter Certificate Vault Admin Tool or CodeMeter License Central can package them up in an encrypted update file (WibuCmRaU) that only the destination CmDongle can decrypt. The file is the secure vessel bringing the keys and certificates into the CmDongle, where they are available for use via the standard interfaces. Certificates can also be renewed or deleted in the same manner, and the users need not get involved at all. This makes the process the ideal choice for remote-controlled devices in industrial facilities, IoT devices, or just for encrypted emails or VPN certificates in corporate networks.