Public Key Infrastructure (PKI)
The PKI consists of:
- A Certificate Authority (CA), which issues certificates.
- A Registration Authority (RA), which acts as an intermediary between the CA and the end users: it verifies the requester's identity and the signature on the certificate request before anything is passed to the CA. The PKI uses an automated RA that implements the EST (Enrollment over Secure Transport) protocol. For more information, refer to RFC 7030.
The PKI workflow is as follows:
- Through the EST API endpoint /.well-known/est/simpleenroll, users send PKCS#10 Certificate Signing Requests (CSRs) to the default PKI engine. As specified by RFC 7030, the CSR is sent base64-encoded with the content type application/pkcs10. A PKI engine is the combination of a specific CA and RA.
- The RA engine verifies the CSR information.
- The CA issues the certificate, which is returned to the requester in the EST response.
Several PKI engines can be defined for the same tenant in the Stormshield KMaaS configuration file. However, only one of them, called the default PKI engine, can be used at a time.
WARNING
The PKI is restricted to RSA and ECC key algorithms and to the certificate extensions required for mTLS. For more information, refer to the section Compatibility of algorithms and CA properties.
NOTE
Using the solution in any way other than as described in this documentation is not supported. Contact Stormshield Support if you need clarification.