Ambimat Group · AmbiSecure · Ahmedabad · India · Est. 1981
AmbiSecure: hardware-rooted security
Brochure · PKI & credential lifecycle

X.509 issuance from workforce to government scale.

The architecture, the actors, the audit trail. RA, CA, key custody, attestation in the issuance flow, lifecycle from issuance to destruction — designed so the programme is defensible in front of an auditor.

Hierarchy

Two-tier hierarchy with an offline root by default. The offline root signs only the issuing CA, in HSM-protected key ceremonies held at most once a year. The issuing CA signs end-entity certificates daily. Revocation infrastructure (OCSP / CRL) is operated separately from the issuing CA.

The four roles

Role         What it owns
CA           Signs certificates. Holds the CA signing key in an HSM. Operates under M-of-N approval.
RA           Decides who gets a certificate. Verifies identity. Verifies attestation. Forwards the CSR to the CA.
VA           Publishes revocation status (OCSP and CRL).
Subscriber   The user or device that holds the certificate.

Key custody

  • CA signing key generated inside HSM. Never exists in cleartext outside the HSM.
  • Backup HSM imports the wrapped key under M-of-N control. Wrapped key can only be unwrapped in another HSM.
  • FIPS 140-3 L3 or higher for any CA HSM. L4 for government workloads.
  • Key ceremonies are scripted, witnessed, recorded.

Attestation in issuance

The CA does not sign a certificate over a key it has not verified as living in certified hardware. The hardware provides an attestation at CSR time; the CA verifies the attestation against the manufacturer’s attestation root; only then does it sign. Without this, the CA signs assertions, not verified facts.

Lifecycle

State        Action
Issued       Subscriber receives the certificate; relying parties begin to trust it.
Active       Certificate used for authentication / signing.
Rotated      New certificate issued (typically via EST). Old certificate phased out by overlap.
Revoked      OCSP / CRL flips the status. Relying parties refuse the certificate.
Destroyed    Hardware returned; secure element zeroised; audit log updated.
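The hierarchy, the attestation gate and the Revoked transition described above, as one runnable added example (not AmbiSecure code, and not a description of any product): a two-tier CA whose issuing CA is path-length zero, an RA check that refuses a CSR unless its key is the one a manufacturer attestation certificate vouches for and that attestation chains to the manufacturer's root, and a CRL signed by the issuing key that the relying-party check consults. Everything here is an assumption for illustration: the names PKI, BuildPKI, Device, RACheck, Enroll, PublishCRL and Trusted are hypothetical, the secure element and the manufacturer are simulated in-process, and all keys are plain software keys rather than HSM-held ones. Only Go's standard crypto/x509 package is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Added example, not AmbiSecure code. All names are hypothetical and every key
// lives in process memory, where the real programme keeps CA keys in HSMs and
// the subscriber key in a secure element.

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// sign issues tmpl for pub under parent; a nil parent makes it self-signed.
func sign(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, key))))
}

// ca builds a CA template; pathLen 0 means "may sign end-entity certificates only".
func ca(cn string, serial int64, pathLen int) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(10, 0, 0), IsCA: true,
		BasicConstraintsValid: true, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
}

// PKI: the two-tier hierarchy, the manufacturer attestation root the RA trusts,
// and the revoked serials the VA publishes as a CRL.
type PKI struct {
	root, issuing, mfrRoot *x509.Certificate
	issuingKey, mfrKey     *ecdsa.PrivateKey
	revoked                []pkix.RevokedCertificate
	serial                 int64
}

func BuildPKI() *PKI {
	rootKey, issKey, mfrKey := newKey(), newKey(), newKey()
	root := sign(ca("Offline Root", 1, 1), nil, &rootKey.PublicKey, rootKey)
	issuing := sign(ca("Issuing CA", 2, 0), root, &issKey.PublicKey, rootKey) // the yearly root ceremony
	mfr := sign(ca("Manufacturer Attestation Root", 1, 0), nil, &mfrKey.PublicKey, mfrKey)
	return &PKI{root: root, issuing: issuing, mfrRoot: mfr, issuingKey: issKey, mfrKey: mfrKey} // rootKey not kept
}

// Device models a secure element at CSR time: a CSR signed by the device key plus
// the manufacturer's attestation certificate over that same key (minted inline).
func (p *PKI) Device(cn string) (*x509.CertificateRequest, *x509.Certificate) {
	devKey := newKey()
	p.serial++
	att := sign(&x509.Certificate{SerialNumber: big.NewInt(p.serial), Subject: pkix.Name{CommonName: cn + " SE"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(20, 0, 0)}, p.mfrRoot, &devKey.PublicKey, p.mfrKey)
	der := must(x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, devKey))
	return must(x509.ParseCertificateRequest(der)), att
}

// RACheck is the gate: CSR signature valid, CSR key equal to the attested key,
// attestation chained to the manufacturer root. Anything else is refused.
func (p *PKI) RACheck(csr *x509.CertificateRequest, att *x509.Certificate) error {
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("csr signature: %w", err)
	}
	if pub, ok := csr.PublicKey.(*ecdsa.PublicKey); !ok || att == nil || !pub.Equal(att.PublicKey) {
		return fmt.Errorf("csr key is not the attested key")
	}
	roots := x509.NewCertPool()
	roots.AddCert(p.mfrRoot)
	_, err := att.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err
}

// Enroll runs the RA gate and, only if it passes, has the issuing CA sign.
func (p *PKI) Enroll(csr *x509.CertificateRequest, att *x509.Certificate) (*x509.Certificate, error) {
	if err := p.RACheck(csr, att); err != nil {
		return nil, err
	}
	p.serial++
	return sign(&x509.Certificate{SerialNumber: big.NewInt(p.serial), Subject: csr.Subject, NotBefore: time.Now().Add(-time.Hour),
		NotAfter: time.Now().AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, p.issuing, csr.PublicKey.(*ecdsa.PublicKey), p.issuingKey), nil
}

// PublishCRL is the VA step: record newly revoked serials (none to just republish)
// and emit a fresh CRL signed by the issuing key, which carries cRLSign for this.
func (p *PKI) PublishCRL(newlyRevoked ...*x509.Certificate) *x509.RevocationList {
	for _, c := range newlyRevoked {
		p.revoked = append(p.revoked, pkix.RevokedCertificate{SerialNumber: c.SerialNumber, RevocationTime: time.Now()})
	}
	p.serial++ // reused as the monotonic CRL number
	der := must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{Number: big.NewInt(p.serial), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour), RevokedCertificates: p.revoked}, p.issuing, p.issuingKey))
	return must(x509.ParseRevocationList(der))
}

// Trusted is the relying-party view: chain through the issuing CA to the root,
// then refuse anything the issuing-CA-signed CRL lists.
func (p *PKI) Trusted(c *x509.Certificate, crl *x509.RevocationList) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(p.root)
	inters.AddCert(p.issuing)
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inters, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := c.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if err := crl.CheckSignatureFrom(p.issuing); err != nil {
		return fmt.Errorf("crl: %w", err)
	}
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(c.SerialNumber) == 0 {
			return fmt.Errorf("serial %v is revoked", c.SerialNumber)
		}
	}
	return nil
}

func main() {
	p := BuildPKI()
	csr, att := p.Device("badge-0001")
	cert := must(p.Enroll(csr, att))
	fmt.Println("trusted:", p.Trusted(cert, p.PublishCRL()), "| after revocation:", p.Trusted(cert, p.PublishCRL(cert)))
}
```

A CSR that arrives with another device's attestation, with no attestation, or with an attestation chained to a manufacturer root the RA does not trust fails in RACheck and never reaches the signing key; the root key is used once in BuildPKI and then dropped, which is the in-process stand-in for an offline root. RevokedCertificates is the field name from before Go 1.21; newer releases still honour it when RevokedCertificateEntries is empty.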

Scale notes

  • Workforce (10k-100k certificates) — IT-desk issuance, OCSP throughput is comfortable.
  • National-ID / government (millions of certificates) — enrolment centres, HSM clustering, formal separation of duties, multi-year algorithm-migration planning.

Standing up a PKI that has to last a decade?

Bring your scale and your CPS draft. We’ll bring a defensible hierarchy plus a key-ceremony script we’ve run before.
