Overview
The PKI-as-a-Service Portal is a card and certificate management system for SmartCard-HSMs.
While CardContact hosts an instance of the PKI-as-a-Service Portal for customers that own a SmartCard-HSM or license the SmartCard-HSM applet, the software itself is made available to customers for running their own on-site or cloud-based instances.
For a quick start, a basic deployment setup can be found on GitHub.
The source code for the portal can be found in the CardContact Developers Network.
A User Manual is provided for administrators and users.
Architecture
This chapter contains information that is helpful for understanding the architecture and operating principles of the PKI-as-a-Service Portal.
A central objective of the PKI-as-a-Service Portal is traceability of all activities that users perform. To achieve this, every data-changing activity is modelled as a service request. A service request maintains the data required for the activity, has a life-cycle state, and has actions that implement the data processing and the state changes.
Subjects are entities that can participate in processing service requests. Subjects can be persons, systems or organisations, like a trust center: basically anything that can have a certificate.
Certificates, Keys and Requests are subordinates of Holders. A Subject can be a Holder in multiple PKI hierarchies, depending on its position in the tree of CAs. A CA Holder is usually associated with a TrustCenter Subject, while an End-Entity Holder is typically associated with a Person or System Subject.
A Person uses their SmartCard-HSM card or token to log into the portal and then has, based on the roles assigned, certain rights in the system. There are system-wide roles and roles associated with a TrustCenter.
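The service-request pattern described above (an activity with data, a life-cycle state, actions that move it between states, and a trail that makes every step traceable to the subject who performed it), combined with subjects and trust-center-scoped roles, as an added Python example. This is illustrative code, not the portal's own source: the class names, states, action names and role names are assumptions chosen for the example, and the request data is constructed.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Set, Tuple


class State(Enum):
    DRAFT = "draft"
    SUBMITTED = "submitted"
    APPROVED = "approved"
    REJECTED = "rejected"
    COMPLETED = "completed"


# Life-cycle of a service request: (current state, action) -> next state.
# Any pair not listed here is refused, so a request cannot skip a step.
TRANSITIONS: Dict[Tuple[State, str], State] = {
    (State.DRAFT, "submit"): State.SUBMITTED,
    (State.SUBMITTED, "approve"): State.APPROVED,
    (State.SUBMITTED, "reject"): State.REJECTED,
    (State.APPROVED, "complete"): State.COMPLETED,
}

# Role each action requires (assumed role names for this example).
REQUIRED_ROLE: Dict[str, str] = {
    "submit": "requester",
    "approve": "ra_officer",
    "reject": "ra_officer",
    "complete": "ra_officer",
}

# A role grant is (role, scope): scope None means a system-wide role,
# otherwise the role is bound to the named TrustCenter.
Role = Tuple[str, Optional[str]]


@dataclass
class Subject:
    name: str
    kind: str                                   # "person", "system" or "trustcenter"
    roles: Set[Role] = field(default_factory=set)

    def has_role(self, role: str, trustcenter: str) -> bool:
        # A system-wide grant or a grant scoped to this trust center both qualify.
        return (role, None) in self.roles or (role, trustcenter) in self.roles


@dataclass(frozen=True)
class AuditEntry:
    seq: int
    actor: str
    action: str
    before: State
    after: State


class TransitionError(Exception):
    """Raised when an action is not defined for the request's current state."""


@dataclass
class ServiceRequest:
    kind: str                                   # e.g. "issue_certificate"
    trustcenter: str                            # PKI hierarchy the request belongs to
    data: dict
    state: State = State.DRAFT
    _audit: List[AuditEntry] = field(default_factory=list)

    def perform(self, actor: Subject, action: str) -> State:
        """Apply an action: check the actor's role, check the life-cycle, record the step."""
        required = REQUIRED_ROLE.get(action)
        if required is None or not actor.has_role(required, self.trustcenter):
            raise PermissionError(f"{actor.name} may not '{action}' on {self.kind}")
        target = TRANSITIONS.get((self.state, action))
        if target is None:
            raise TransitionError(f"'{action}' is not allowed in state {self.state.value}")
        # Append-only: entries are frozen and never removed, which is what makes
        # the activity traceable after the fact.
        self._audit.append(AuditEntry(len(self._audit) + 1, actor.name, action, self.state, target))
        self.state = target
        return target

    def history(self) -> List[Tuple[int, str, str, str, str]]:
        """Read-only view of the trail: who did what, from which state to which."""
        return [(e.seq, e.actor, e.action, e.before.value, e.after.value) for e in self._audit]


def demo() -> ServiceRequest:
    """Walk one constructed certificate-issuance request through its life-cycle."""
    alice = Subject("alice", "person", {("requester", None)})          # system-wide role
    bob = Subject("bob", "person", {("ra_officer", "TC-Example")})     # role bound to one TrustCenter
    req = ServiceRequest("issue_certificate", "TC-Example", {"cn": "alice@example.test"})
    req.perform(alice, "submit")
    req.perform(bob, "approve")
    req.perform(bob, "complete")
    return req


if __name__ == "__main__":
    for entry in demo().history():
        print(entry)
```

Two checks are deliberately separated: the role check answers "may this subject act here at all?" and fails for an officer whose grant is scoped to a different trust center, while the transition table answers "is this action defined for the request's current state?" and fails for an approval of a request that was never submitted. Neither failure writes an audit entry, so the trail only ever records state changes that actually happened.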