WIBU-SYSTEMS

Perfection in Protection, Licensing, and Security

A Peek Inside CodeMeter Certificate Vault

MarketingWIBU-SYSTEMS AG on September 25, 2023 at 2:31 PM

Certificates are used to prove the authenticity and identity of users or devices on the Internet, in emails, for machine-to-machine communication, and elsewhere. The most commonly used certificate format is X.509, an International Telecommunication Union (ITU) standard that defines the format of public key certificates. An X.509 certificate is based on asymmetric cryptography: each certificate is tied to a pair of keys. One key is public and is confirmed by a neutral authority, the Certificate Authority (CA), to belong to the person, device, or digital object; the other is private and must be kept secret.

Typical uses of X.509 certificates include:

  • Establishing encrypted HTTPS connections and sharing data between web server and web browser
  • Encrypting and signing emails with the S/MIME standard
  • Digitally signing documents
  • Digitally signing software
  • Authenticating a participant in communication
  • Establishing a Virtual Private Network (VPN) and encrypted file sharing
  • Proving identity (digital ID cards)

In theory, with a certificate signed with the private key and the private key stored safely away from prying eyes, there should be no way to tamper with or steal the identity it confirms.

However, cyber attackers are always looking for vulnerabilities and ways to disrupt the digital ecosystem. According to Venafi, a machine identity management company, digital certificates are attractive to attackers for a variety of reasons, but mainly because they are trusted: they require payment and proof of identity to tie the code, document, or application to the legitimate organization or person. In essence, they verify that the person or organization is real and that the certificate belongs to them. As a result, end users usually believe that a session protected by a digital certificate is a trusted environment in which they can part with personal details, including financial information.

One of the most critical aspects of X.509 certificates is the ability to effectively administer them at scale, but as such, they are commonly thought to be complex to manage and implement. In particular, the set-up and configuration of digital certificates requires specific subject matter expertise as it is important to keep them up-to-date and ensure that they are properly configured to provide effective transactional security.

What it all boils down to is that the public and private keys must remain secure. In essence, certificates are just pieces of digital data, contained in a file in the file system or in the computer’s working memory. All certificates are issued for a specific key pair in an asymmetric cryptographic process, with the public key of that pair stored in the certificate. Its counterpart, the private key, is kept apart from it, usually in a separate file on the certificate holder’s device. And this is where the security of the system can break down: The private key must never be accessed by anyone but the certificate’s holder. Even if the place of storage is secure, the private key must regularly leave that safe environment for cryptographic operations in the CPU, making it again vulnerable to would-be attackers.

In our ongoing focus on perfecting the art of software licensing and software protection, Wibu-Systems has a solution designed to maintain the integrity and security of private keys, called CodeMeter Certificate Vault. With CodeMeter Certificate Vault, the certificates and keys are stored on secure hardware elements (CmDongles) via a specially protected route, going through CodeMeter License Central, Wibu-Systems' automated license lifecycle management tool. There is no need for the end user to be concerned about the technical details of managing requests, updates, or signed certificates. All of this complex administration happens in the background for the user, including interaction with the Certificate Authority (CA) if need be. Once the keys are stored there, no sensitive information ever leaves the secure area.

CodeMeter Certificate Vault supports mainstream interfaces such as PKCS#11, OpenSSL, and KSP (the Microsoft CNG Key Storage Provider interface), which makes it easy to integrate into existing software environments and significantly reduces implementation effort. Seamless customization and the many routes available for securely moving certificates and keys into CodeMeter Certificate Vault make it a universal and versatile tool for a range of circumstances and client requirements.

Let’s look at how it works in a few real-world use cases:

Use Case 1: Certifying a Person

In this case, a service engineer needs to be able to authenticate themselves and get access to the devices they are responsible for by presenting the right certificate and proving their identity. That certificate and the related key can be stored on a CmDongle or a similar container. This solution is used, for example, by technicians servicing ATMs, a highly security-sensitive task in which every step must be recorded and only trained and approved technicians are qualified for the job.

Use Case 2: Identifying a Machine for Secure Communication

This use case needs a certificate that is bound to a specific device. Ideally this is done with a CodeMeter ASIC, with its security chip permanently fixed into the device’s inner workings. For this use case, a specific hardware entity should be uniquely identifiable in a network and be able to communicate securely. Examples of this include PLCs or smart sensors that are part of larger industrial networks via a standard protocol like OPC UA. That protocol uses the OpenSSL framework to handle X.509 certificates and protect communication in the network. In that setup, CodeMeter Certificate Vault provides secure certificate storage and a secure engine for cryptographic operations with the private key.
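As an added example (not Wibu-Systems' own code or documentation), the OpenSSL configuration fragment below shows how the OpenSSL/PKCS#11 route named above is wired up for a device like the PLC in this use case, so that the private key is generated and used inside the hardware and never appears in a file or in application memory. It assumes the generic libp11 PKCS#11 engine for OpenSSL and the OpenSC pkcs11-tool utility; the vendor module path, the engine path and the key label are placeholders or assumptions.

```ini
# openssl-pkcs11.cnf (added example). Load OpenSSL's PKCS#11 engine
# (libp11 / engine_pkcs11) and point it at the hardware's PKCS#11 module.
# Use with: OPENSSL_CONF=./openssl-pkcs11.cnf openssl ...
openssl_conf = openssl_init

[openssl_init]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id    = pkcs11
# Path of engine_pkcs11 as shipped by the distribution (adjust for your system).
dynamic_path = /usr/lib/x86_64-linux-gnu/engines-3/pkcs11.so
# PLACEHOLDER: path of the vendor PKCS#11 module that fronts the CmDongle/ASIC.
MODULE_PATH  = /opt/placeholder/pkcs11-module.so
init = 0

# Weak setting (for contrast): the private key lives in a file readable by any
# process running as this user and is copied into RAM for every operation.
#   openssl req -new -key plc-01-key.pem -subj "/CN=plc-01" -out plc-01.csr
#
# Hardened: generate the key pair on the token (key label is an assumption),
# then build the certificate request through the engine. Only the public key
# and the signature leave the token; the CSR then goes to the CA for issuance.
#   pkcs11-tool --module /opt/placeholder/pkcs11-module.so --login \
#       --keypairgen --key-type EC:prime256v1 --label plc-01-key
#   OPENSSL_CONF=./openssl-pkcs11.cnf openssl req -new \
#       -engine pkcs11 -keyform engine \
#       -key "pkcs11:object=plc-01-key;type=private" \
#       -subj "/CN=plc-01" -out plc-01.csr
#
# Check the CSR's self-signature to confirm the token-held key really signed it:
#   openssl req -in plc-01.csr -noout -verify
```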

Use Case 3: Creating a Public Key Infrastructure (PKI)

In this case, CodeMeter Certificate Vault protects the signer’s private key when creating and signing certificates for use with VPN connections, mail signatures, or as proof of authenticity in process documentation.

For more specific information about CodeMeter Certificate Vault, I invite you to download our whitepaper, CodeMeter Certificate Vault | Certificate Management with CodeMeter Comfort and Security.
