CA Services

The basis of trust in safe hands

Our CA services provide the full life cycle for a PKI system, including a Certificate Authority (CA), a Registration Authority (RA) and related services. The purpose of the CA and RA is to produce digital certificates, often in the form of smart cards. The certificates are then used in customer applications, such as securing email and network connections or authenticating mobile terminals.

Insta’s extensive experience guarantees the successful deployment of a PKI system. The deployment starts by gathering and analysing requirements jointly with the customer. An optimal service model is chosen (see below) and the system is planned based on the requirements. Depending on the selected service model, either the service is set up in Insta’s environment or the necessary hardware and software are purchased and deployed at the customer premises.

Choose the service model that best suits your organisation

Full Service Model

In the Full Service Model Insta provides all the components, including CA hosting, certificate management as well as other associated services.

Certificates can be issued from a generic Insta CA or from a dedicated CA created exclusively for the customer. Insta is responsible for the maintenance of the CA and handles certificate enrolment. Certificates are delivered to the customer as required, either on a smart card, on a USB token or as a file.

Getting started with a PKI is easy with the Full Service Model. Insta recommends the model especially for smaller organisations since there is no need to bind critical resources to deployment and administration. Other advantages include:

  • Service provider expertise and experience guarantees efficient operation
  • Information security assured by regular audits
  • Short deployment time
  • Reduces the deployment investment and establishes predictable costs

Shared Service Model

In the Shared Service Model, Insta provides CA hosting as a service and the customer handles certificate management with an RA workstation located on its premises.

This model is recommended for environments with a large number of certificates or if there is a need to enrol certificates quickly.

System Delivery Model

The System Delivery Model means that Insta delivers and deploys a complete PKI system. The customer owns the CA/RA equipment, hosts the CA and manages certificates.

The System Delivery Model is ideal for larger organisations that want to host the CA service on their own premises and are able to take care of the maintenance.

Insta provides all the services needed to run a complete PKI system:

  • CA Hosting
  • Certificate Management
  • Publishing Services
  • Certificate Revocation Service
  • PKI Accessories

CA Hosting

A CA (Certificate Authority) is the basis of trust within a PKI system, issuing certificates to entities, such as end users or devices. In the CA Hosting service, certificates can be issued from a generic Insta CA or from a dedicated CA created exclusively for the customer.

Insta provides CA hosting in a High Availability environment where services can be distributed between multiple data centers. Uninterrupted availability of services is ensured by duplicating critical components, such as the internal and external data connections and power supplies.

Servers are housed in dedicated server rooms in the middle of data centers. Access control and several layers of physical security guarantee that only authorised persons are able to gain access to the servers. The services are monitored around the clock from a manned control room.

Certificate Management

Usually, the CA delegates the identification of entities and other administrative tasks to a separate entity, the registration authority (RA). The RA is in practice a workstation, performing certificate management tasks, such as the enrolment process of a new employee.

The enrolment process is initiated by an end user placing a certificate order with the RA workstation operator. The operator identifies the user and sends a certificate request to the CA server. The CA server then validates the certificate request and returns a signed certificate to the RA workstation operator. Typically, at this point, the signed certificate is written to a smart card or onto a USB token which is finally delivered to the end user.

A smart card can be personalised in the RA workstation by printing e.g. the company logo on the card surface. The smart card can also serve as an ID card for personnel. If certificates are no longer used, they can be revoked in the RA workstation, preventing unauthorised usage.

Insta provides the RA functionality either as a service or by delivering the RA workstation to the customer's premises.

Publishing Services

A PKI system typically includes a Certificate Revocation List (CRL), a list identifying revoked certificates. The CRL needs to be published in a network reachable by end users. In addition, all the encryption certificates used within the system are also published in order to be reached from anywhere in the network.

Insta maintains an LDAP directory service where the customer CRLs and certificates can be published. Publishing to an HTTP server or a customer's Microsoft Active Directory is also supported.

Certificate Revocation Service

If required by the application, Insta provides a 24/7/365 certificate revocation service. If abuse is suspected, the customer can place a call at any time to suspend the certificate, enabling instant access denial.

PKI Accessories

Insta provides all the accessories needed in a PKI system, such as smart cards, smart card readers and USB tokens. Smart cards and USB tokens can be personalised through printing e.g. the company logo on the card surface.

Common applications of PKI include:

  • Connecting sites of geographically distributed organisations
  • Remote work over the Internet
  • Smart card based Single Sign-On (SSO) login
  • Improved web security for users and servers
  • Mobile device (e.g. laptop, smartphone) identification
  • Electronically signed and encrypted email
  • Ensuring the origin of documents with an electronic signature