WHITE PAPER
Unique Capabilities of CodeMeter Certificate Vault
The greatest challenge when working with certificates is a surprising one: how to get certificates and, specifically, the related private keys to where they need to go.
Ideally, the process should be automated, without the user being involved in creating the key pairs or having the certificate signed by the Certificate Authority (CA). In practice, however, the easy way out is often taken: a finished, signed certificate and its key pair are simply sent to the end user to store in the file system, typically on a hard drive. This approach leaves many inroads for attackers to steal the private key and, with it, the ability to use the certificate. If the certificate is not securely bound to the user or end device, an attacker who obtains the key can even assume the user's identity and pass as a trustworthy entity (whether a flesh-and-blood person or a digital device).
There are three other ways to get certificates and key pairs onto the target device, both initially and later as updates. The following looks specifically at the right means for equipping IoT devices with certificates.
Option 1: How It Is Done: The Textbook Process
The commonly accepted process always starts at the end device. If there is no certificate yet, e.g. on a brand-new device that the user wants to integrate into an existing environment, a new key pair is created: the CodeMeter chip generates a random private key and stores it in its secure storage, and the public key is derived from that private key. The device then creates a self-signed certificate that serves as its Certificate Signing Request (CSR). It contains the public key, which is an inseparable part of the request, along with identifying information such as the serial number of the device, and it is signed with the device's private key, which proves to the recipient that the requester actually holds the key matching the public key. The CSR is sent to a CA that is kept as a trusted instance in the network operator's datacenter (it can be a computer with CodeMeter Certificate Vault acting as key storage for the CA, or any other external CA). The CA receives the request, checks its authenticity automatically or manually, and issues a certificate digitally signed with the CA's private key. The signed certificate is then sent back and stored on the target device, and the system is good to go.
If the certificate needs to be updated, e.g. renewed before it expires, the same process runs again, with the only difference being that no new key pair has to be created: the existing private key signs the new request.
The certificate is protected against tampering in transit by the CA's signature, which an attacker cannot forge because neither the device's private key nor that of the CA can be extracted from the secure CodeMeter chip holding it. Nor does an attacker gain anything from copying the certificate itself: a certificate is public by design, and without the matching private key it cannot be used to prove an identity.
The entire process can be automated via CodeMeter Certificate Vault's OpenSSL and PKCS #11 interfaces and adapted to the specific client's needs.
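The textbook process above, carried through end to end as an added example in Go. This is not Wibu-Systems code and does not use the CodeMeter API: the hardware-protected device key is stood in for by an in-memory ECDSA key that the code only ever touches through Go's crypto.Signer interface, which is the same shape a PKCS #11-backed key presents, so the device-side and CA-side checks would be unchanged with a real token. The device serial "SN-0001", the CA name "Example Device CA" and the allow-list of enrolled serials that implements the CA's authenticity check are constructed for the example.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Device is the end device. In a CodeMeter deployment its private key is non-exportable behind
// PKCS #11; here (an assumption, not product code) an in-memory ECDSA key is held only as a crypto.Signer.
type Device struct {
	Serial string
	signer crypto.Signer
}

// NewDevice generates the device key pair; the public key is derived from the private key.
func NewDevice(serial string) *Device {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // rand.Reader never returns an error
	return &Device{Serial: serial, signer: priv}
}

// CSR builds the Certificate Signing Request: public key plus device serial number,
// self-signed with the device key so the CA can check proof of possession.
func (d *Device) CSR() ([]byte, error) {
	tmpl := &x509.CertificateRequest{Subject: pkix.Name{CommonName: d.Serial}}
	return x509.CreateCertificateRequest(rand.Reader, tmpl, d.signer)
}

// CA is the operator's certificate authority; its key would likewise sit in Certificate Vault
// or another HSM. known holds the enrolled device serials used for the authenticity check.
type CA struct {
	Root   *x509.Certificate
	signer crypto.Signer
	known  map[string]bool
}

// NewCA creates a self-signed root and records which device serials it may certify.
func NewCA(known map[string]bool) *CA {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Device CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(10 * 365 * 24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		panic(err)
	}
	root, _ := x509.ParseCertificate(der) // DER produced just above, so parsing cannot fail
	return &CA{Root: root, signer: priv, known: known}
}

// Sign is the CA side: verify the CSR's self-signature (proof of possession), check that the
// requester is an enrolled device, then issue a certificate signed with the CA key.
func (ca *CA) Sign(csrDER []byte, validity time.Duration) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature()
	}
	if err != nil {
		return nil, fmt.Errorf("rejecting CSR: %w", err)
	}
	if !ca.known[csr.Subject.CommonName] {
		return nil, fmt.Errorf("rejecting CSR: unknown device serial %q", csr.Subject.CommonName)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128)) // random 128-bit serial
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: csr.Subject,
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(validity),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca.Root, csr.PublicKey, ca.signer)
}

// Import is the device side: before storing the returned certificate, check that it chains to the
// trusted CA and carries this device's own public key; a certificate copied from another device fails here.
func (d *Device) Import(certDER []byte, root *x509.Certificate) (*x509.Certificate, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return nil, fmt.Errorf("certificate does not chain to the trusted CA: %w", err)
	}
	if pub, ok := cert.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(d.signer.Public()) {
		return nil, fmt.Errorf("certificate public key does not match this device's key")
	}
	return cert, nil
}
```

Enrollment is Device.CSR, then CA.Sign, then Device.Import; a renewal is the same three calls on the same Device, so the existing key signs the new request and the CA issues a fresh certificate for the same public key. Two checks carry the security argument from the text: CheckSignature on the CA side rejects a request whose sender does not hold the private key, and the public-key comparison in Import means a certificate lifted from one device is worthless on any other. The allow-list is the simplest form of the authenticity check; a deployment might instead consult manufacturing records or require manual approval.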
[Figure: the textbook process. On the device: create key pair, create self-signed certificate, send Certificate Signing Request. In the safe environment: the Certificate Authority signs the certificate. The signed certificate is returned to the device and imported into Certificate Vault.]