Creating an infrastructure of public keys and employment of HSM modules
The basis of the solution is a pair of certification authorities in the hierarchical arrangement of root and subordinate certification authority designed for use in non-classified domains. A complete structure of certification authorities has been designed and operates in the mode of high availability in geographically separated localities. Part of the project consisted of the creation of certification policies and procedures for the administration of the PKI infrastructure, and the training of workers in charge. To create certification authorities, Microsoft Windows Server 2012R2 was chosen that includes systems and applications for issuing and administration digital certificates based on the technology of public keys. The safety of private keys was provided by HSM technology supplied by THALES. The HSMs have robust instruments at their disposal for both, controlling access to own facilities and protecting cryptographic keys (separation of roles, system of several eyes), which is necessary in order to achieve the security level required. The supplied modules have internationally recognized FIPS 140-2 Level 3 and EAL4+ certification. The system that has been developed is thus completely ready for future expansion by certification authorities for dedicated and classified domains.