Certificate Profiles Specification
The following specifies the content of the Product Certificates, their related issuing CA Certificates, and the corresponding CA Services. The Product Certificate will be inserted in the Device during manufacturing in the factory or at qualified suppliers of PrimeOne.
The specifications provided here are intended as examples for use with this guide. Certificates defined within this scope are for demonstration purposes and have no validity outside of it.
Profiles of Manufacturer Certificates for PrimeOne Products
This specification of the certificate profiles is to be used during the setup of the corresponding CA Services for the Product PKI. The Certificate Profile is the basic template from which segment-related Certificate Profiles are derived.
PKI Architecture
To show the context of the following specification, this chapter describes the essential aspects of the overall PKI architecture. The picture below shows the intended CA hierarchy that the Certificate Service provides for the specific Products at PrimeOne. The infrastructure is based on a product-specific Product Issuing CA that is located under the common PrimeOne Product Root CA.
The figure shows an example infrastructure for issuing product certificates. For development and testing purposes, another similar hierarchy under a separate root will be used.
Certificate Profiles
When issuing product certificates, the expected lifetime of the specific product must always be taken into account. The product-specific validity periods are determined by the respective specialist department and must be reflected in the certificate profiles. Furthermore, a product certificate validity of 10 years is defined and a validity of 15 years is set for the Root CA.
Because the very long validity period for device certificates exceeds the consideration period regarding the security of cryptographic algorithms and key lengths, this specification follows the recommendation for algorithms and key lengths given by ENISA for long-term future use.
Note
The product does not automatically become useless when the validity date expires. The product policy and its definition are always decisive in each individual case.
PrimeOne Product A Root CA
This Root CA Certificate shall be the common root certificate for all Product A Issuing CAs.
Field name | Content | Comment |
---|---|---|
Type | Root CA | |
Serial Number | Integer | Set by the root CA |
Signature Algo. | SHA512 with ECDSA | |
Validity | 15 years | |
Subject | CN=PrimeOne Product A Root CA | |
Key Usage | keyCertSign, CRLsign | |
Subject public key info | ec,secp521r,public key | Set by root CA |
Authority Key Identifier | Key Identifier of public Key | Set by root CA |
Subject Key Identifier | Key Identifier of public Key | Set by root CA |
PrimeOne Product A Issuing CA
This is the certificate of the Product A Issuing CA, which issues the PrimeOne manufacturer certificates for Product A.
Field name | Content | Comment |
---|---|---|
Type | Sub CA | |
Serial Number | Integer | Set by root CA |
Signature Algo. | SHA512 with ECDSA | |
Validity | [creation date] plus 12 years | |
Subject | CN=PrimeOne Product A Issuing CA | |
Key Usage | digital Signature, keyCertSign, CRLsign | |
Subject public key info | ec,secp521r,public key | Set by root CA |
Authority Key Identifier | Key Identifier of public Key | Set by root CA |
Subject Key Identifier | Key Identifier of public Key | Set by root CA |
PrimeOne Product A manufacturer Certificates
This is the Certificate Profile of the individual Product A devices. The manufacturer certificate is used to authenticate the corresponding device. The Subject name of the Certificate, combined with the public key stored in the subject public key info field, shall uniquely identify the device that holds the private key.
Field name | Content | Comment |
---|---|---|
Type | End Entity | |
Serial Number | Integer | Set by Product A Issuing CA [defined in chapter VI] |
Signature Algo. | SHA512 with ECDSA | |
Issuer | Subject DN of Issuing CA | Set by Product A Issuing CA [defined in chapter VI] |
Validity | [creation date] plus 10 years | |
Subject | CN=Article Name | Article Name and serial number as set in the device; has to be verified with the leading system. The unstructuredAddress field will be set by the device-specific MAC addresses. The order is not defined. |
Key Usage | DigitalSign, Key agreement | |
Subject public key info | ec,secp521r,public key | Set by Product A Issuing CA [defined in chapter VI] |
Authority Key Identifier | Key Identifier of public Key | Set by Product A Issuing CA [defined in chapter VI] |
Subject Key Identifier | Key Identifier of public Key | Set by Product A Issuing CA [defined in chapter VI] |
CMP Alias
Field name | Content |
---|---|
Name | PrimeProductCert_CMP |
CMP Operational Mode | RA Mode |
CMP Authentication Module | CA Shared Secret |
EndEntityCert Issuing CA | PrimeOne Product A Issuing CA |
RA Verify Proof-of-Possession | Allow |
RA Name Generation Scheme | DN; CN |
RA End Entity Profile | PrimeOneProductACertificate_EE |
RA Certificate Profile | PrimeOneProductACertificates |
RA CA Name | PrimeOne Product A Issuing CA |
Certificate renewal with same key | Allow |