Chain of authority for public key certificates

Background

DigiStamp publishes the public key for each of its time stamp servers. The public key is used to verify the authenticity of the time stamps that you have created using the DigiStamp service.

 

Each DigiStamp server goes through an external audit process. This process creates an Audit Certificate within the secure hardware. The purpose of the design is to ensure that each time stamp key-pair is created within the audited hardware. This method ensures the private key is never revealed and that the clock cannot be tampered. This Audit Certificate is the parent of each of the subsequent time stamp certificates. The child time stamp certificate key-pairs are replaced frequently within the hardware device; the Audit Certificate is never changed during the life of the server. The parent-child relationships are maintained by standard x.509 certificate chaining methods.

 

Each audited hardware device will have a unique Server Audit Certificate. These Audit Certificates are issued by a single DigiStamp internal self-signed CA. "Self-signed" means that the chain of authority does not continue beyond this certificate; described as a root certificate. Click here for an image of this hierarchy.

 

All of the DigiStamp public keys are provided the form of x.509 certificates. You can choose to put the DigiStamp public key in a different x.509 certificate that you create. This would be done when you want to replace the DigiStamp Root CA. For example, you would do this if your organization has an internal PKI CA authority. The result is that your PKI CA becomes the Issuer of the public key certificate. To facilitate this process, DigiStamp provides the public keys in standard PKCS #10 certificate request that you can download below. Using this process, you can create a chain of authority as shown in the diagram below - there are two alternative approaches.

 

Using your PKI, you can replace the certificates that are highlighted in red below.

keyHier2.gif

 

Alternative 1: This approach replaces only the DigiStamp Root CA. Your internal CA becomes the issuer of this public key. This means that DigiStamp can sign the Audit Certificates of many time stamp servers and all of those Audit Certificates (child certificates) would be trusted.

 

Alternative 2: This approach replaces the individual Server Audit Certificates. The replacement certificate would be rooted in your internal CA. This means that you have designated that you trust a specific DigiStamp server. You would need to replace the Server Audit Certificate for each DigiStamp server (at present, that is TSA1 and TSA2). [ This alternative in development and is not yet fully supported.]

 

The Certificate Requests can be download below as DER encode PKCS #10 records. Certificate chaining uses the x.509 data element Subject Key Identifier, or called "Local Key ID" in the PKCS #10 request.

 

Production servers

To use Alternative 1 above, the certificate request for the public key contained in the DigiStamp Root CA is DGSca80.cer.p10

 

To use Alternative 2 above, there is a certificate request to replace the Audit Certificate for each of our current production time stamp servers. For TSA1: DGSaudit92.cer.p10. For TSA2: DGSaudit91.cer.p10.

Test Servers

To use Alternative 1 above, the certificate request for the public key contained in the DigiStamp Test CA is testCA70.cer.p10 To use Alternative 2 above, the certificate request for the public key for test server audit certificate is testAudit71.cer.p10