White Paper CodeMeter Certificate Vault EN 2023-09 | Page 8

OpenSSL Library
OpenSSL, named after the original Secure Sockets Layer (SSL) protocol, implements Transport Layer Security (TLS) and covers the network protocols, a set of cryptographic primitives, and the OpenSSL command-line tool used to request, create, and manage certificates. The core OpenSSL library provides general cryptographic functions for encryption and decryption as well as a range of other tools.
In contrast to PKCS#11, which only serves as an interface to the key storage, OpenSSL is a more powerful application that can encrypt transport in network protocols or applications such as HTTPS, OPC UA, or MQTT. OpenSSL can even act as a CA and handle the entire process from the signing request onwards.
However, OpenSSL is not a key or certificate management solution. The certificates and keys are typically kept directly in the file system, making them easy prey for attackers. By running OpenSSL with CodeMeter Certificate Vault, the entire key and certificate store is handled in the secure environment of the dongle.
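As an added illustration of the risk described above (not code from the white paper or from Wibu-Systems), this Python script audits a directory for OpenSSL-style PEM private keys left on disk and reports whether each one is at least encrypted and whether its file mode exposes it to other local users. The sample files it writes are constructed and contain no real key material.

```python
# Added example (not from the white paper): audit a directory for PEM private
# keys left on disk. Sample files are constructed and hold no real key material.
import os
import re
import stat
import tempfile
from pathlib import Path

PEM_HEADER = re.compile(rb"-----BEGIN ([A-Z ]*PRIVATE KEY)-----")

def inspect_key_file(path: Path) -> dict:
    """Classify one file: PEM key type, encryption, and file-mode exposure."""
    data = path.read_bytes()
    match = PEM_HEADER.search(data)
    if not match:
        return {}  # not a PEM private key (e.g. a certificate)
    label = match.group(1).decode()
    # PKCS#8 marks encryption in the header; legacy PEM keys use DEK-Info instead.
    encrypted = label == "ENCRYPTED PRIVATE KEY" or b"DEK-Info:" in data
    mode = stat.S_IMODE(path.stat().st_mode)
    return {
        "path": str(path),
        "type": label,
        "encrypted": encrypted,
        "mode": f"{mode:04o}",
        # Group- or world-readable key files are exposed to other local users.
        "exposed": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
    }

def audit_keys(root: Path) -> list:
    """Report every private key under root, worst findings first."""
    findings = [inspect_key_file(p) for p in root.rglob("*") if p.is_file()]
    findings = [f for f in findings if f]
    return sorted(findings, key=lambda f: (f["encrypted"], not f["exposed"]))

def build_sample_tree() -> Path:
    """Write constructed sample PEM files into a fresh temp directory."""
    root = Path(tempfile.mkdtemp())
    samples = {
        "server.key": (b"-----BEGIN RSA PRIVATE KEY-----\nAAAA\n-----END RSA PRIVATE KEY-----\n", 0o644),
        "ca.key": (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\nAAAA\n-----END RSA PRIVATE KEY-----\n", 0o600),
        "client.pem": (b"-----BEGIN ENCRYPTED PRIVATE KEY-----\nAAAA\n-----END ENCRYPTED PRIVATE KEY-----\n", 0o640),
        "cert.pem": (b"-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n", 0o644),
    }
    for name, (body, mode) in samples.items():
        target = root / name
        target.write_bytes(body)
        os.chmod(target, mode)
    return root
```

Running `audit_keys(build_sample_tree())` lists the unencrypted, world-readable `server.key` first; on a real host, point `audit_keys` at the directories where OpenSSL configurations reference key files.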
Microsoft Windows KSP
Microsoft Key Storage Provider (KSP) is essentially a database that manages certificates and keys on behalf of Windows applications. The keys can be used in isolation, which means that CodeMeter Certificate Vault can allow the certificates to be stored in KSP while the private key remains on the dongle and all key operations are executed there. KSP and CodeMeter Certificate Vault work hand in hand to redirect these key operations as needed.
Platforms and Design
The PKCS#11 library is available for Linux, Microsoft Windows, and macOS, and the OpenSSL library for Linux and Microsoft Windows, running on x86 and ARM 32- or 64-bit systems, while the KSP library is exclusive to Microsoft Windows.
CodeMeter Certificate Vault itself consists of a single library (available separately for PKCS#11, OpenSSL, and KSP) that contains all the components needed to communicate with a CodeMeter chip on a dongle or in an ASIC.
Certificates are usually transferred to the CmDongle via the established procedure of a signing request followed by a signed certificate. The private key is generated in the CmDongle and remains there. Alternatively, a complete certificate including a centrally generated key pair can be loaded into the CmDongle via CodeMeter's encrypted remote update procedure.
Under Windows, CertVaultManager is a GUI tool for the interface between CodeMeter Certificate Vault and KSP.