IronWiFi PKI Infrastructure

This technical article describes in detail the two-tiered, HSM-backed hybrid Certificate Authority hierarchy.

Hardware-Backed Security

The IronWiFi PKI infrastructure employs the latest industry standards for private key protection, relying on HSM (Hardware Security Module) storage for the private keys that are used to issue certificates.

The two-tiered PKI design consists of an offline Root CA and online Issuing Intermediate CAs.

Both the RootCA and the Intermediate Signing CAs publish CRLs (Certificate Revocation Lists) on a regular basis, with the Intermediate Signing CAs' CRLs being issued automatically every time a certificate is revoked.

Private PKI solution

Given the modular architecture of our PKI, IronWiFi can offer both a hybrid implementation (where the customer's signing CA is signed by our RootCA) and a private PKI implementation (where the customer generates the keypair for signing and either transfers it securely to IronWiFi for import into our HSM-based KMS infrastructure or allows us to access the signing key for certificate issuance from the customer's CloudHSM solution).

For further information on setting up your Private PKI with IronWiFi, please click HERE

IronWiFi Current Certificates

IRONWIFI Root Certificate Authority 

Download certificate


  • Expires: 5 April 2049
  • Signature Algorithm: SHA-256 with RSA Encryption ( 1.2.840.113549.1.1.11 )
  • Serial number: 13 F4 2B 9B 2C DB 70 65 73 8C BA F5 89 57 E3 52 1C 56 52 B3
  • SHA1 Fingerprint: 24 32 99 88 BB 05 45 FA 2B D6 43 4D 58 67 1A 64 6D B7 0B 42
  • SHA256 Fingerprint: A0 BC E3 6E CE 95 AA 1B DB 61 F5 39 20 E4 91 C1 63 39 BB 10 1C 2D 2D BE F2 53 1E 63 B2 23 A6 C7

IRONWIFI SCEP Signing Intermediate Certificate Authority 

Download certificate 


  • Expires: 5 April 2034
  • Signature Algorithm: SHA-256 with RSA Encryption ( 1.2.840.113549.1.1.11 )
  • SHA1 Fingerprint: 0A EE CD 7E 5B 84 AC 7D 41 C7 F8 1E 1F 9C 38 8E 38 FE C8 F9
  • SHA256 Fingerprint: 85 49 95 9A F1 F4 B4 8F 9A D5 A1 F9 95 D7 E4 C5 17 81 E4 BD 6C 23 70 C6 78 87 09 85 C0 2B 5B 24

IRONWIFI Client Signing Intermediate Certificate Authority 

Download certificate 


  • Expires: 6 April 2034
  • Signature Algorithm: SHA-256 with RSA Encryption ( 1.2.840.113549.1.1.11 )
  • SHA1 Fingerprint: 40 AF 17 ED CD 32 CB 8F D2 8D A3 95 5E F7 D7 B0 AA 54 F0 87
  • SHA256 Fingerprint: 55 19 EB 89 A2 CF A7 6D 7C FD 0A 27 8F 31 2B 1E 27 F8 D8 E8 91 93 20 BE 90 15 9E 0D 26 EB 35 B2

IRONWIFI RadSec Signing Intermediate Certificate Authority 

Download certificate 


  • Expires: 2 May 2034
  • Signature Algorithm: SHA-256 with RSA Encryption ( 1.2.840.113549.1.1.11 )
  • SHA1 Fingerprint: 8F CD 94 5E 29 8E BE E9 54 B2 34 08 46 B9 4D CC 47 F7 E4 0D
  • SHA256 Fingerprint: 48 2F 06 21 E1 BA 25 5F 66 1B 6A C0 3D 81 18 18 F7 09 5C 29 04 A3 53 EB 65 AD F6 DC F7 AD FC 79

IRONWIFI Signing Intermediate Certificate Authority 

Download certificate 


  • Expires: 13 May 2034
  • Signature Algorithm: SHA-256 with RSA Encryption ( 1.2.840.113549.1.1.11 )
  • SHA1 Fingerprint: A7 9A 40 B9 C2 7F 5B 0B D5 FE 93 D9 7B F5 A5 24 2E 90 4F 98
  • SHA256 Fingerprint: B2 FA B1 11 F0 CB EB 53 C0 94 4A 67 F1 C0 03 28 74 69 68 E0 94 95 27 61 56 51 2D 40 A7 AD C0 6B

IRONWIFI PKI Radius Server Certificate

Issued by IRONWIFI Signing Intermediate Certificate Authority

  • Expires: 13 May 2029
  • Signature Algorithm: SHA-256 with RSA Encryption ( 1.2.840.113549.1.1.11 )
  • SHA1 Fingerprint: 14 A7 D2 9A 8B 28 66 DF E9 5F 9E 0B 63 00 B1 14 D7 74 DE 3D
  • SHA256 Fingerprint: 37 26 16 AD 89 46 B4 CE E5 55 27 4E A8 15 25 AF 0F 99 3A 09 0D 84 9D 51 22 D5 A2 D1 F3 8E 07 23


IronWiFi Legacy Certificates

IronWiFi Certificate Authority 

Download certificate


  • Expires: 18 May 2024
  • Signature Algorithm: SHA-1 with RSA Encryption ( 1.2.840.113549.1.1.5 )
  • Serial number: 00 89 3E 97 4B 9B AF C9 D6
  • SHA1 Fingerprint: BA BC BA 6F E7 6A F4 95 A5 40 15 9A 7D 5D 3D 9F 3A 1C AF AF
  • SHA256 Fingerprint: 88 F5 C7 D5 91 E0 93 E1 8C 89 F4 2B C6 DC 8B CC F5 6E 7F E9 05 20 33 FE 12 A6 2E 49 57 13 C1 BB
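One way to check a downloaded certificate file against the SHA256 fingerprints published above (an added example, not IronWiFi's own code). The function names and the constructed sample PEM are assumptions for illustration; only `ROOT_SHA256` is copied from this page.

```python
import hashlib
import hmac
import ssl

# SHA256 fingerprint published on this page for the IRONWIFI Root Certificate Authority.
ROOT_SHA256 = ("A0 BC E3 6E CE 95 AA 1B DB 61 F5 39 20 E4 91 C1 "
               "63 39 BB 10 1C 2D 2D BE F2 53 1E 63 B2 23 A6 C7")


def normalize(published: str) -> bytes:
    """Turn 'A0 BC ...' or 'a0:bc:...' into raw digest bytes.

    Only 32-byte values are accepted, so a SHA1 fingerprint (20 bytes) cannot
    be pinned by mistake; SHA-1 is not collision resistant.
    """
    digest = bytes.fromhex(published.replace(":", " "))
    if len(digest) != hashlib.sha256().digest_size:
        raise ValueError("expected a 32-byte SHA-256 fingerprint, got %d bytes" % len(digest))
    return digest


def sha256_fingerprint(pem: str) -> bytes:
    """A certificate fingerprint is the digest of its DER encoding, not of the PEM text."""
    der = ssl.PEM_cert_to_DER_cert(pem.strip())
    return hashlib.sha256(der).digest()


def matches_published(pem: str, published: str) -> bool:
    """Compare a downloaded certificate with a fingerprint obtained out of band."""
    return hmac.compare_digest(sha256_fingerprint(pem), normalize(published))


def as_published(digest: bytes) -> str:
    """Format digest bytes the way this page prints them: 'A0 BC E3 ...'."""
    return " ".join("%02X" % b for b in digest)


# Constructed stand-in for a downloaded file: the PEM armor wraps placeholder
# bytes, not a real certificate, so the example runs offline.
SAMPLE_DER = b"constructed placeholder, not a real DER certificate"
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(SAMPLE_DER)

if __name__ == "__main__":
    local = as_published(sha256_fingerprint(SAMPLE_PEM))
    print("local fingerprint :", local)
    print("matches itself    :", matches_published(SAMPLE_PEM, local))
    print("matches page root :", matches_published(SAMPLE_PEM, ROOT_SHA256))
```

To use it on a real download, read the PEM file into a string and pass it to `matches_published` together with the fingerprint listed for that certificate.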

 

Detailed technical description:

Our Root CA is implemented on an air-gapped machine running a custom, stripped-down *BSD derivative built from source. The partitions are encrypted with keys derived from two hardware security devices, and every sector on the disk has a different AES encryption key. Both hardware keys must be present and unlocked by the key custodians for the disk to be decrypted and for the OS to boot. The only access to the system is via a hardware-encrypted serial connection to the console, which requires the hardware authentication key to be present in the device connecting to the console. The private key for the RootCA was generated on the HSM and can never be exported. A DKEK container with an n-of-m custodial scheme allows the container to be reassembled from a minimum of n out of m shares, which are backed up in physical form.

The Intermediate Signing CAs' private keys are stored in geo-redundant, private-cloud-based Key Management Servers that use HSMs for key generation and storage. As with the RootCA, the private keys are generated on HSMs and can never be exported. API calls from the SCEP issuing server to the KMS requesting a signature are HMAC-authenticated with client certificate verification that is rotated after each API call. Each CSR from the client is verified before it is sent for signing.