Digital certificates using the x.509 format are becoming more and more common and increasingly important. The processes for managing certificates or storing keys securely, however, have not become any simpler or straightforward. The need for certain security procedures is set for a head-on collision with usability in the real world. CodeMeter Certificate Vault is here to save the day.
At the core of every CodeMeter dongle (CmDongle), there is a secure element, a tiny chip with secure key storage and readable memory. CodeMeter Certificate Vault builds on this basic system and goes beyond the established CodeMeter API to offer interfaces for integrating the solution with existing applications or the client’s specific requirements. CodeMeter Certificate Vault works as a PKCS#11 compliant token provider, integrates with the Microsoft Cryptographic API Next Generation (CNG) as a Key Storage Provider (KSP), and works perfectly with the OpenSSL API to e.g. store and handle the keys for TLS certificates with uncompromising CodeMeter security.
The certificates and keys make their way onto the CmDongles via a specially protected route, going through a central system like CodeMeter License Central. There is no need for the end user to be concerned about the technical nitty-gritty of requests, updates, or signed certificates. All of this complex administration happens in the background for the user, including the CA (Certificate Authority) if need be.
According to the textbook process, the entity (a person or a machine) that needs a certificate would first create a key pair, ideally already within a hardware secure element. This is used to sign a request that is sent to the higher Certification Authority. The request is checked, a certificate created and signed, and the signed certificate sent back. The requesting entity then loads that certificate into the readable memory. Once the certificate has expired, the entire process starts over. This (simplified) description makes it easy to understand why so few emails are signed and encrypted, why the smart health insurance card is such a political hot potato in many countries, and why certificates are the wallflower of the IT world outside of the dedicated crypto scene.
CodeMeter Certificate Vault has arrived to change all this: On the user’s side, the standard interfaces like PKCS#11, KSP, or OpenSSL remain in place. Every application can access certificates and keys in the CmDongle in a fully conformant manner, and the necessary cryptographic operations happen in the dongle. The entire creation of certificates occurs within the central Certification Authority, which could be embodied by a company’s IT department. Here, certificates, and key pairs are created and then distributed to the dongles in the field.
This approach seems to go against all the rules of correct certificate management, which stipulate that private keys must never leave the secure dongles of the users. However, if the keys and certificates are created in a central and similarly secure environment, the CodeMeter Certificate Vault Admin Tool or CodeMeter License Central can package them up in an encrypted update file (WibuCmRaU) that only the destination CmDongle can decrypt. The file is the secure vessel bringing the keys and certificates into the CmDongle, where they are available for use via the standard interfaces. Certificates can also be renewed or deleted in the same manner, and the users need not get involved at all. This makes the process the ideal choice for remote controlled devices in industrial facilities, IoT devices, or just for encrypted emails or VPN certificates in corporate networks.