In a nutshell
Digital certificate management is an important task. The components needed for this purpose are referred to as a Public Key Infrastructure (PKI).
A PKI is a highly individual infrastructure. Its actual realization depends on the IT environment, security requirements, applications and many other factors. It is often necessary to alter or extend an existing PKI. cryptovision’s CAmelot is a highly flexible solution for digital certificate management. With CAmelot you can create a PKI that is tailor-made for your individual needs. Existing CAmelot PKIs are easy to alter and extend.
The flexibility of CAmelot is based on a highly modular design. In addition to standard modules, additional ones can be developed according to your needs.
As one of the most flexible PKI solutions in the world, CAmelot supports both enterprise PKIs (X.509 certificates) and government PKIs (card verifiable certificates). Among other things, the modular architecture of CAmelot enables different security levels. High security architectures can be realized as well as cost-effective architectures for medium security requirements.
Generally, the modular architecture of CAmelot makes it easier to build a secure system. Modules not needed can be omitted. A system consisting of separated modules is easier to monitor than a large, monolithic architecture.
Frequently asked questions
Private and public keys play a major role for authentication, encryption, and digital signature. However, a private/public key pair is only of use if it is bound to a digital identity (this can be a person or a device). This binding is achieved with a digital certificate. A Public Key Infrastructure (PKI) is the entire combination of components and processes necessary for managing digital certificates.
Typical parts of a PKI include the certification authority, registration authorities, a certificate repository, and PKI applications. Every PKI is a unique and individual infrastructure. The differences between PKIs may be considerable, depending on applications, size, security requirements and many things more. For instance, a corporate PKI considerably differs from a PKI used for electronic identity (eID).
Even in an eID environment a PKI fulfills different tasks. PKI functionality not only enhances the security of eID cards, but also enables additional applications like card-based digital signatures or secure web authentication. In addition, many document verification systems use private keys to authenticate against the card chip, which involves a number of special PKI standards.
- Disk encryption
- WWW login
- system login
- VPN login
- secure WiFi
- secure e-mail
CAmelot is used (among others) by the following customers:
- Identity authorities of emerging nations: Citizens of several emerging nations receive eID cards with private keys and certificates.
- German defense supplier: Uses CAmelot for authentication.
- Car manufacturer: A Japanese car manufacturer uses CAmelot for protecting the internal IT infrastructure.
- Windows Server 2008/2012 R2
- Redhat 6/7 64bit
- CentOS 6/7 64bit
- Any LDAP server which supports the entryDN attribute (RFC 5020)
- HSMs from Utimaco, Thales (nCipher), Bull, Gemalto (SafeNet)
CAmelot contains the following modules:
- Protocol Handler Modules: This Module type communicates with control units, especially with a management console.
- Key Manager Modules: Key Manager Modules communicate with the key stores used by CAmelot, typically smart cards, Hardware Security Modules (HSMs) or key files.
- Publisher Modules: Modules of this type are responsible for publishing the digital certificates generated by CAmelot. In particular, Modules for LDAP servers, databases, and files are available.
- Certifier Modules: Modules of this type assemble the content of digital certificates and prepare them for signing. There are Modules for X.509 certificates and card verifiable (CV) certificates.
- CA Modules: This is the core component, responsible for generating and signing digital certificates.
- Certificate Template Modules: A Certificate Template Module provides one or more specific certificate extensions which are encoded in a certificate.
- Access Module: The Access Module (there is only one of its kind) is responsible for access control within the CAmelot architecture. It verifies the access conditions for requests from external systems as well as for the internal connections between the Modules.
CAmelot is a Certification Authority (CA) software. The CA is the core component of a Public Key
For Individual PKIs
With CAmelot you can easily configure your own individual PKI architecture. CAmelot supports all scenarios from simple PKIs with one CA to complex certification hierarchies. Changes in the PKI setting are easily possible.
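The hierarchy described above, and the binding of a key pair to an identity explained in the FAQ, as an added example that is not CAmelot code or cryptovision's: a root CA issues a SubCA, the SubCA issues an end-entity certificate, and a relying party validates that certificate while trusting only the root, using Go's standard crypto/x509 package. Subject names and serial numbers are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must keeps the example short: key generation or DER encoding failures abort.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue binds a fresh P-256 key to the identity cn (a constructed name) by
// having parent sign it; a nil parent yields the self-signed root (trust anchor).
func issue(cn string, serial int64, ca bool, parent *x509.Certificate, pkey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true, IsCA: ca}
	if ca { // only CA certificates may sign certificates and CRLs
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, pkey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, pkey))
	return must(x509.ParseCertificate(der)), key
}

// VerifyChain builds root -> SubCA -> end-entity and validates the end-entity
// certificate trusting only the root; with offerSubCA false, path building must fail.
func VerifyChain(offerSubCA bool) ([][]*x509.Certificate, error) {
	root, rootKey := issue("Root CA", 1, true, nil, nil)
	sub, subKey := issue("Sub CA", 2, true, root, rootKey)
	leaf, _ := issue("user@example.org", 3, false, sub, subKey)
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	if offerSubCA {
		inters.AddCert(sub)
	}
	return leaf.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters})
}
```

The returned chain is end-entity, SubCA, root; the relying party never needs the SubCA in its trust store, only a way to obtain it during path building (which is what the Publisher Modules above serve).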
For Extensible PKIs
With CAmelot you can change or extend your PKI without touching the system core. You can choose from many existing modules. Additional modules can be developed, existing ones can be customized.
Certificates for eIDs
CAmelot is an ideal solution for electronic identity documents (eIDs). It supports both X.509 and card verifiable (CV) digital certificates. It can also be operated as an ICAO Document Signer. Due to its modularity it easily scales to hundreds of millions of users.
Certificates for Enterprises
CAmelot is ideally suited for enterprise certificate lifecycle management. Due to its modular architecture it can be easily integrated into existing IT environments and provisioning processes. Instead of introducing a new infrastructure, CAmelot is designed according to the philosophy that existing infrastructure should be used and that different components with similar tasks should be avoided.
Platform-independent
CAmelot is completely realized in Java. Therefore, it can be operated on many different platforms.
Based on its modular architecture, CAmelot supports PKIs at different security levels. From a high-security PKI (e.g. for corporate infrastructures) to a cost-effective PKI with medium security requirements, all scenarios are possible. CAmelot supports HSMs, flexible roles, strong admin authentication and more.
CAmelot supports a sophisticated logging function, several kinds of auto-enrolment and many other advanced features.
- Hierarchies, SubCA
- Smart card support
Algorithms and standards
- X.509 and CV
- EACv2 / TR3129
- ECC and RSA
- HSM, dual security
- Certificate based login
- Workflow, signed approval
- Maximum certificate profile flexibility
- Card protection with fingerprint
With close to 160 million citizens, Nigeria is Africa’s most populous country. As part of an ambitious Presidential initiative, adult Nigerians and resident legal aliens currently receive advanced multipurpose electronic identity cards. cryptovision plays a critical role in this mammoth project. The company is responsible for the deployment of the PKI which will be used both to electronically validate the card itself and to enable online digital signatures. One of the largest PKIs in the world, the full deployment will include at least eight CAs and eventually issue certificates to more than 100 million card holders. This PKI is unique as it serves as the backbone of the eID card, which will be used by many different government agencies and ministries. Card verifiable certificates ensure that only authorized agencies access the relevant chip content specific to their organization. On the other hand, the same PKI enables the eID holder to perform advanced two-factor authentication and to create digital signatures.