WHITE
PAPER
Option 2 : Certificates Created by the CA and Distributed Directly
The process becomes much more straightforward if the CA creates the certificate and the key pair itself and feeds it right into CodeMeter Certificate Vault . In that case , there is a moment when the private key of the end device is not kept in the secure hardware , but instead transmitted openly , even if in a trustworthy environment . The private key is only truly safe from theft and manipulation once it reaches CodeMeter Certificate Vault and the secure CodeMeter chip . This approach is attractively simple but should only be used in secure environments that can guarantee that attackers cannot intercept the private key during transit or on the device ’ s RAM . Care has to be taken , as a caching mechanism or simply the file system ’ s trash folder are often overlooked as potential weak spots .
Device Safe environment
Certificate Authority
Certificate Vault Import certificate + key pair
Certificate + key pair
Create key pair
Create certificate
Sign certificate
Option 3 : Certificates Created by the CA and Distributed by Secure Remote Update of the Container
Still , creating certificates in one central place can be the right choice in many cases , and CodeMeter Certificate Vault offers a viable solution . The key pair and the signed certificate are created in the secure environs of the CA and then distributed through the equally secure CodeMeter remote update process . For this to work , the end device creates an update request ( the CodeMeter *. RaC file ), and the certificate and key pair are safely packed away in a remote update file (*. RaU ) with the CodeMeter Certificate Vault admin tool . That file is encrypted and signed with the established CodeMeter remote update routines and can only be decrypted inside the CodeMeter chip on the target device . The entire transit is cryptographically secure , and it can be automated for added ease .
Device Safe environment
Create RaC Remote update request
RaC
Certificate Authority
Create key pair
Create certificate
Certificate Vault
Import RaU Remote
Import update
RaU file Remote update file
RaU
Sign certificate
Encrypt RaC + Certificate + Key
10