Key pairs for the CESNET CA are generated exclusively by authorized CESNET CA personnel acting in the role of CA.
End entities' key pairs are always generated by the end entity's own application during the request process. They are never generated or stored by the CESNET CA.
Private keys are therefore never delivered to subscribers: end entities are required to generate their own key pairs.
The CESNET CA SHALL accept certificate requests in any of the following formats:
PKCS#10 request format (see RFC 2314; the current specification of PKCS#10 is RFC 2986).
Netscape Signed Public Key And Challenge (SPKAC) format.
The preferred transport method for certification requests is SSL-protected HTTP (HTTPS).
CA public keys (CA certificates) are published in the CESNET CA certificate repository and on the CESNET CA WWW site (see Section 2.6).
The CESNET CA uses the RSA public key algorithm.
The CA private key MUST be of 2048 bit key size.
The RA private key MUST be of 2048 bit key size.
All other private keys MUST be of at least 1024 bit key size.
Public key parameters are generated by the relevant applications.
The CESNET CA does not require the quality of public key parameters to be checked.
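The rules above define an acceptance check that a CA operator can apply to every incoming request: the request must be a well-formed PKCS#10 request carrying a proof-of-possession self-signature, the key must be RSA, and the modulus must meet the minimum size for the role (2048 bit for CA and RA keys, 1024 bit for everything else). The following POSIX shell function is an added example, not part of the CESNET CP/CPS and not CESNET CA code. It assumes the openssl(1) command-line tool is installed; the role labels ca, ra and ee and the function name check_csr_key are assumptions. SPKAC requests are not handled here (openssl spkac -verify is the equivalent for that format). Note that 1024-bit RSA, the floor this policy sets for subscriber keys, has been deprecated by NIST since 2013; the function enforces the policy as written.

```shell
#!/bin/sh
# Added example, not part of the CESNET CP/CPS and not CESNET CA code.
# Accept a PKCS#10 request only if its self-signature verifies and its key is
# RSA of the size the policy requires for the role: 2048 bit for CA and RA
# keys, at least 1024 bit otherwise. Role labels ca/ra/ee are an assumption.
# Requires the openssl(1) command-line tool.

# check_csr_key <request.pem> <ca|ra|ee>
# Prints "accept: <alg> <bits> bit" or "reject: <reason>"; returns 0 or 1.
check_csr_key() {
    csr=$1
    role=$2
    case $role in
        ca|ra) min_bits=2048 ;;
        ee)    min_bits=1024 ;;
        *)     echo "reject: unknown role '$role'"; return 1 ;;
    esac

    # Proof of possession: the request must be signed by the key it carries.
    # OpenSSL 1.1 prints "verify OK", OpenSSL 3 prints
    # "Certificate request self-signature verify OK"; both contain "verify OK".
    if ! openssl req -in "$csr" -noout -verify 2>&1 | grep -q 'verify OK'; then
        echo "reject: request self-signature does not verify"
        return 1
    fi

    # Dump the request and pull the key algorithm and modulus size out of the
    # Subject Public Key Info section. The size line reads
    # "RSA Public-Key: (2048 bit)" on OpenSSL 1.1 and "Public-Key: (2048 bit)"
    # on OpenSSL 3; the pattern below matches both.
    text=$(openssl req -in "$csr" -noout -text 2>/dev/null) || {
        echo "reject: not a parseable PKCS#10 request"; return 1; }
    alg=$(printf '%s\n' "$text" | sed -n 's/.*Public Key Algorithm: *//p' | head -n 1)
    bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9][0-9]*\) bit).*/\1/p' | head -n 1)

    if [ "$alg" != "rsaEncryption" ]; then
        echo "reject: key algorithm is '$alg', policy requires RSA"
        return 1
    fi
    if [ -z "$bits" ] || [ "$bits" -lt "$min_bits" ]; then
        echo "reject: RSA key is ${bits:-?} bit, role '$role' requires at least $min_bits bit"
        return 1
    fi
    echo "accept: $alg $bits bit"
    return 0
}
```

Typical use is `check_csr_key subscriber.csr ee` at the RA or CA before the request enters the signing queue. The signature check is deliberately first: a request whose self-signature does not verify tells you nothing reliable about the key inside it, so the key-size result would be meaningless.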
The CESNET CA keys are generated in hardware security module certified to be compliant with FIPS 140-1 level 3.
The subscribers' keys MAY be generated in software or in hardware.
The CESNET CA hardware security module used to generate its signing keys and signatures is compliant with FIPS 140-1 level 3.
The CESNET CA does not use multi-person control of keys.
The CESNET CA private keys are not escrowed. The CESNET CA does not accept escrow copies of other parties' keys either.
The CESNET CA private keys are backed up. The backup copies, encrypted with 3DES or AES, are securely stored off-site.
All private keys managed by the CESNET CA are generated by the hardware security module and cannot be exported from it, except as the encrypted backup copies described above.
The CESNET CA's private signing keys are activated by one representative of the Security Officer role and one representative of the Security Trustee role, each authenticated by a hardware token and a pass phrase.
Cryptographic modules which have been activated MUST NOT be left unattended. They MUST be deactivated after use, e.g. by logging out.
The CESNET CA private keys are archived. After the retention period (see Section 4.6.2) the archive media SHALL be destroyed.
Private keys stored on magnetic disk are removed by overwriting the key files.
The pass phrases used by the CESNET CA are at least 15 characters long.
The CESNET CA private key activation data is stored on physical activation tokens protected by a pass phrase of at least 15 characters. The pass phrases MUST be known only to authorized CESNET CA personnel. The pass phrases MUST be used only in a physically secure environment.
The CESNET CA computer system MUST satisfy the following requirements:
The CESNET CA is run on a dedicated computer system.
Only the software needed to perform the CA tasks is installed on the system.
Access to the operating system and the CA software is allowed only to the authorized CESNET CA personnel.
Physical access to the system is allowed only to the authorized CESNET CA personnel.
All security related events are audited.
The desired functionality MAY be provided by the operating system, the CA software, physical protection or by a combination of those.
The development of the CESNET CA software is carried out in a controlled, secure environment.
The production and development environments are completely separated.
The logs, the configuration files and the entire file system of the CESNET CA computer systems are regularly checked.
The CESNET CA computer system is operated in a controlled network environment protected by packet filtering firewalls.