Certificate Profiles Specification

The following defines the specifications for the central trust service and covers the content of the product certificates, their related issuing CA certificates, and the corresponding CA services. The product certificate is inserted into the device during manufacturing, either in the factory or at qualified suppliers of the PrimeOne company.

This Certificate Profiles specification should be used when setting up the corresponding CA service for the Product PKI. The Certificate Profile is the basic template from which the segment-related Certificate Profiles are derived.

The specifications provided here are intended as examples for use with this guide and are for demonstration purposes only.

PKI Architecture

To give the context for the following specification, this chapter describes the essential aspects of the overall PKI architecture. The figure below shows the intended CA hierarchy of the certificate service provided for the specific products at PrimeOne. The infrastructure is based on a product-specific Product Issuing CA located under the common PrimeOne Product Root CA.


The figure shows an example infrastructure for issuing product certificates. For development and testing purposes, a second, similar hierarchy under a separate root is used.

Certificate Profiles

When issuing product certificates, the expected lifetime of the specific product must always be taken into account. The product-specific validity periods are determined by the responsible specialist department and must be reflected in the certificate profiles. For this specification, a product certificate validity of 10 years and a Root CA validity of 15 years are defined.

Because this very long validity period for device certificates exceeds the period over which the security of cryptographic algorithms and key lengths can reasonably be assessed, this specification follows the ENISA recommendations on algorithms and key lengths for long-term future use.

Note

The product does not automatically become unusable when the certificate validity expires. What happens in each individual case is governed by the product policy and its definition.

PrimeOne Product A Root CA

This Root CA certificate shall be the common root certificate for all Product A issuing CAs.

Field name | Content | Comment
--- | --- | ---
Type | Root CA |
Serial Number | Integer | Set by the root CA
Signature Algo. | SHA512 with ECDSA |
Validity | 15 years |
Subject | CN=PrimeOne Product A Root CA, O=PrimeOne, OU=PrimeOne 2020, C=DE |
Key Usage | keyCertSign, cRLSign |
Subject public key info | ec, secp521r1, public key | Set by root CA
Authority Key Identifier | Key identifier of public key | Set by root CA
Subject Key Identifier | Key identifier of public key | Set by root CA

PrimeOne Product A Issuing CA

This is the certificate profile of the Product A Issuing CA, which issues the PrimeOne manufacturer certificates for Product A.

Field name | Content | Comment
--- | --- | ---
Type | Sub CA |
Serial Number | Integer | Set by root CA
Signature Algo. | SHA512 with ECDSA |
Validity | [creation date] plus 12 years |
Subject | CN=PrimeOne Product A Issuing CA, O=PrimeKey, OU=PrimeOne 2020, C=DE |
Key Usage | digitalSignature, keyCertSign, cRLSign |
Subject public key info | ec, secp521r1, public key | Set by root CA
Authority Key Identifier | Key identifier of public key | Set by root CA
Subject Key Identifier | Key identifier of public key | Set by root CA

PrimeOne Product A manufacturer Certificates

This is the certificate profile for the individual Product A devices. The manufacturer certificate is used to authenticate the corresponding device. The Subject name of the certificate, combined with the public key stored in the subject public key info field, shall uniquely identify the device that holds the private key.

Field name | Content | Comment
--- | --- | ---
Type | End Entity |
Serial Number | Integer | Set by Product A Issuing CA
Signature Algo. | SHA512 with ECDSA |
Issuer | Subject DN of Issuing CA | Set by Product A Issuing CA
Validity | [creation date] plus 10 years |
Subject | CN=Article Name, serialNumber=(PrintableString), O=PrimeOne, C=DE, unstructuredAddress=MACAddress [xx-xx-xx-xx-xx-xx] (up to 5 MAC addresses) | Article Name and serialNumber are set in the device and have to be verified against the leading system. The unstructuredAddress field is filled with the device-specific MAC addresses; their order is not defined.
Key Usage | digitalSignature, keyAgreement |
Subject public key info | ec, secp521r1, public key | Set by Product A Issuing CA
Authority Key Identifier | Key identifier of public key | Set by Product A Issuing CA
Subject Key Identifier | Key identifier of public key | Set by Product A Issuing CA
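The following Go program is an added example and not part of this specification or of any PrimeKey/EJBCA code. Using only the standard library, it issues the three certificates as the three profiles above describe them (secp521r1 keys, SHA512 with ECDSA, the listed subjects, validities and key usages, serial number and SKI/AKI set by the CA, one unstructuredAddress attribute per MAC address), verifies the device certificate against the root and issuing CA, and checks a parsed device certificate against the manufacturer certificate profile. The function names, the random serial numbers and the sample device values (article serial 4711, MAC 00-11-22-33-44-55) are my own assumptions; the unstructuredAddress OID 1.2.840.113549.1.9.8 is the PKCS#9 attribute.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha1"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"net"
	"time"
)

// PKCS#9 unstructuredAddress (1.2.840.113549.1.9.8), the attribute the device profile fills with MAC addresses.
var oidUnstructuredAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 8}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue generates a secp521r1 key for tmpl, sets serial number and key identifiers ("set by the CA" in the
// profiles), signs with signer (nil for the self-signed root) and returns the parsed certificate and its key.
func issue(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P521(), rand.Reader) // Go derives SHA512withECDSA from this key
	check(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 127))
	check(err)
	tmpl.SerialNumber = serial.Add(serial, big.NewInt(1))       // positive, non-zero (assumed CA policy)
	ski := sha1.Sum(elliptic.Marshal(key.Curve, key.X, key.Y)) // RFC 5280 key identifier method 1
	tmpl.SubjectKeyId = ski[:]
	if signer == nil { // root: signs itself and, as its profile requires, carries its own SKI as AKI
		signer, parent, tmpl.AuthorityKeyId = key, tmpl, ski[:]
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// BuildProductChain issues root, issuing CA and device certificate with the subjects, validities and key
// usages of the three profiles; serial and macs are the per-device values (assumed inputs from the factory).
func BuildProductChain(serial string, macs []string) (*x509.Certificate, *x509.Certificate, *x509.Certificate) {
	now := time.Now().UTC().Truncate(time.Second)
	caName := func(cn, o string) pkix.Name {
		return pkix.Name{CommonName: cn, Organization: []string{o}, OrganizationalUnit: []string{"PrimeOne 2020"}, Country: []string{"DE"}}
	}
	root, rootKey := issue(&x509.Certificate{Subject: caName("PrimeOne Product A Root CA", "PrimeOne"),
		NotBefore: now, NotAfter: now.AddDate(15, 0, 0), BasicConstraintsValid: true, IsCA: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, nil, nil)
	issuing, issuingKey := issue(&x509.Certificate{Subject: caName("PrimeOne Product A Issuing CA", "PrimeKey"),
		NotBefore: now, NotAfter: now.AddDate(12, 0, 0), BasicConstraintsValid: true, IsCA: true,
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign | x509.KeyUsageCRLSign}, root, rootKey)
	var addrs []pkix.AttributeTypeAndValue // one unstructuredAddress per MAC; the profile leaves the order undefined
	for _, m := range macs {
		addrs = append(addrs, pkix.AttributeTypeAndValue{Type: oidUnstructuredAddress, Value: m})
	}
	device, _ := issue(&x509.Certificate{Subject: pkix.Name{CommonName: "Article Name", SerialNumber: serial,
		Organization: []string{"PrimeOne"}, Country: []string{"DE"}, ExtraNames: addrs},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageKeyAgreement}, issuing, issuingKey)
	return root, issuing, device
}

// VerifyDevice builds and checks the path device -> issuing CA -> root (signatures, validity, CA constraints).
func VerifyDevice(root, issuing, device *x509.Certificate) error {
	roots, ints := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	ints.AddCert(issuing)
	_, err := device.Verify(x509.VerifyOptions{Roots: roots, Intermediates: ints, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// CheckDeviceProfile tests a parsed certificate against the manufacturer certificate profile.
func CheckDeviceProfile(cert *x509.Certificate) error {
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	s := cert.Subject
	switch {
	case cert.SignatureAlgorithm != x509.ECDSAWithSHA512 || !ok || pub.Curve.Params().Name != "P-521":
		return fmt.Errorf("want SHA512 with ECDSA over secp521r1, got %v", cert.SignatureAlgorithm)
	case cert.IsCA || cert.KeyUsage != x509.KeyUsageDigitalSignature|x509.KeyUsageKeyAgreement:
		return fmt.Errorf("end entity must not be a CA and needs exactly digitalSignature, keyAgreement")
	case cert.NotAfter.After(cert.NotBefore.AddDate(10, 0, 0)):
		return fmt.Errorf("validity exceeds 10 years")
	case len(s.Organization) != 1 || s.Organization[0] != "PrimeOne" || len(s.Country) != 1 || s.Country[0] != "DE" || s.SerialNumber == "":
		return fmt.Errorf("subject must carry O=PrimeOne, C=DE and a serialNumber")
	case len(cert.SubjectKeyId) == 0 || len(cert.AuthorityKeyId) == 0:
		return fmt.Errorf("subject and authority key identifiers are required")
	}
	macs := 0
	for _, atv := range s.Names { // each unstructuredAddress must be a 6-octet MAC in the profile's xx-xx-xx-xx-xx-xx form
		if m, _ := atv.Value.(string); atv.Type.Equal(oidUnstructuredAddress) {
			if hw, err := net.ParseMAC(m); err != nil || len(hw) != 6 {
				return fmt.Errorf("malformed MAC address %q", m)
			}
			macs++
		}
	}
	if macs == 0 || macs > 5 {
		return fmt.Errorf("expected 1 to 5 MAC addresses, found %d", macs)
	}
	return nil
}

func main() {
	root, issuing, device := BuildProductChain("4711", []string{"00-11-22-33-44-55"}) // constructed sample values
	fmt.Println("chain valid:", VerifyDevice(root, issuing, device) == nil, "| profile ok:", CheckDeviceProfile(device) == nil)
}
```

CheckDeviceProfile is the kind of check an RA or an onboarding service can apply to every certificate it receives, independent of who issued it: a certificate with six MAC addresses, a missing serialNumber, a wrong curve or a CA flag is rejected before the device is trusted, which keeps the profile enforceable even when the CA configuration drifts.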

CMP Alias

Field name | Content
--- | ---
Name | PrimeProductCert_CMP
CMP Operational Mode | RA Mode
CMP Authentication Module | CA Shared Secret
EndEntityCert Issuing CA | PrimeOne Product A Issuing CA
RA Verify Proof-of-Possession | Allow
RA Name Generation Scheme | DN; CN
RA End Entity Profile | PrimeOneProductACertificate_EE
RA Certificate Profile | PrimeOneProductACertificates
RA CA Name | PrimeOne Product A Issuing CA
Certificate renewal with same key | Allow