PKI
The solution supports the creation and maintenance of PKI hierarchies and the issuance of certificates for a
wide range of use cases.
LAAVAT Platform PKI features
The LAAVAT PKI capabilities enable the management of Certificate Authorities (CAs) and the issuance of X.509 certificates for various use cases. The platform supports multiple interfaces, including REST, EST, and ACME (coming soon), to facilitate seamless integration with various systems. The platform UI can be used to create and edit certificate profiles. All actions are logged to the audit trail for transparency and compliance.
In terms of hierarchy management, the platform offers advanced features, including:
-
Root CA creation and hosting, with the ability to manage multiple Root CAs per tenant
-
Issuance of multiple Sub CAs under a single Root CA
-
Issuance of Sub CAs from internal and external Root CAs
-
Sub CA renewal and management
-
Support for multiple Sub CAs in a single chain of trust
-
Importing of Root CAs and Sub CAs to the LAAVAT platform
Regarding revocation, the platform provides robust features, including:
-
Revocation of end-entity certificates and Sub CAs
-
Automatic creation of Certificate Revocation Lists (CRLs)
-
Downloading of CRLs for easy access
PKI & embedded device security features
Secure boot authentication is typically based on public key cryptography, which requires the creation and maintenance of a processor-specific PKI hierarchy. An example of this is the High Assurance Boot (HAB) for NXP i.MX families. Our Platform simplifies this process by seamlessly generating the necessary PKI hierarchy, including the bootloader signing key, firmware update signing key, kernel signing key, and other required keys.
A strong and unique identity is essential for embedded devices to authenticate themselves when connecting to the network, ensuring secure and encrypted communication with other devices, services, and users. Our Platform supports the issuance of device identities utilizing the x.509 certificates, this includes the initial device identities that can be issued during manufacturing.
Issuance of Secure Device Identifiers (DevID) based on the IEEE 802.1AR standard, which includes the Initial Device Identifier (IDevID) and the Locally Significant Device Identifier (LDevID) is also supported.