  • Electronic Passport

    The new generation of electronic passports recommended by ICAO requires a PKI to protect the biographic and biometric data stored in the passport’s chip.

    Multicert provides a PKI solution complying with the ICAO 9303 specifications, adapted and scaled to specific needs. For the BAC/SAC level of protection, the solution includes the CSCA, data formatter on LDS structure and Document Signer. For passports of the latest generation with EAC authentication, we provide CVCA and DVCA, in accordance with BSI TR-03110.

    The solution is further complemented with:

    • PKD for publishing certificates, CRL, master list and defects list. It is possible to publish through a national service (n-PKD) or the ICAO PKD
    • SPOC for exchange of certificates with other countries, in accordance with the ČSN 36 9791 standard
    • Terminal Control Center for a complete integration between the PKI systems and the inspection systems (for example, automatic gates, mobile terminals of the Police, service centers in Embassies and Consulates, etc.)

    Several countries have been extending the scope of the Electronic Passport solution to the issuance of Residence Permits in smartcard format to foreign citizens who have been granted a residence permit in the country, thus providing access to public services.

  • National Identification

    The national identification documents (eID) of the latest generation include a secure chip, with biographic and biometric data, and digital certificates that make it possible to certify the identity of the individual in online services and to sign electronic documents in dematerialized form, with full equivalence to traditional signatures, namely in terms of integrity, authenticity and non-repudiation.

    An eID widely distributed through the population is a cornerstone of a strategy for digitizing Public Administration services, dematerialising processes and bringing the administration closer to companies and citizens.

    Multicert provides a large-scale PKI solution, required for the issuance of an eID in accordance with the highest international standards, including ETSI (EU), NIST (USA), ICP-Brazil (Brazil).

    Besides the Certification Authority system, other systems may be installed such as OCSP, Timestamping Authority, certificate directory LDAP and Key Management System. For the eID to be considered a travel document, it shall comply with the ICAO 9303 and BSI TR-03110 standards, and the infrastructure must be complemented with data formatter on LDS structure and Document Signer, as well as CVCA and DVCA to ensure EAC authentication.

    For integration with third-party systems such as National Registration Database and Card Personalization Systems, Multicert also provides a solution for lifecycle management, allowing orchestration of subsystems through the development and flexible configuration of processing workflows.

  • Corporate Identity

    For organizations with enhanced authentication needs and with a strategy of dematerialization of processes, the option for a dedicated PKI offers the following advantages:

    • Greater control and autonomy over the processes of issuance, renewal and revocation of certificates
    • Integration with the organisation's internal systems, such as HR databases, Active Directory, ERP, etc.
    • Management of a single certificate chain, simplifying the processes of online authentication and validation of digital signatures
    • Control over the total cost of operation

    Typical use cases for dedicated PKIs include certificate issuance for:

    • Employees and/or members of the organisation, on a smartcard with corporate image, to log on to the PC, for authentication on intranets and VPNs, and for internal digital signature workflows
    • Suppliers and Clients, for authentication on extranets
    • Integrated logistics systems
    • Authentication of equipment on centralized services (ATMs, smart meters, network access points, etc.)

    The PKI can be installed and hosted on Multicert facilities, benefiting from stronger security and business continuity conditions, with professional management and operation. Alternatively, the PKI can be installed and hosted in-house, operated exclusively by the Client or jointly with Multicert.

  • Electronic Driving License

    The Driving License is an important means of individual identification, and is even the main established form of identification in some countries, such as the USA and Canada.

    Multicert provides a PKI solution in accordance with the ISO 18013 specifications, adapted and scaled to specific needs.

    For the BAP level of protection, the solution comprises the OSCA, data formatter on LDS structure and Document Signer. For protection and control of access to the biometric data through EAP authentication, we also provide OVCA and DVCA, in accordance with BSI TR-03110.

  • Internet of Things

    Many of the objects that surround us and that we use daily already have connectivity and are networked to provide increasingly advanced services, forming the Internet of Things (IoT).

    One of the most important requirements is the security of communications, particularly as regards integrity, confidentiality and authenticity. With millions of connected devices, Multicert provides PKI solutions that address these needs, particularly suited to IoT in terms of flexibility, scalability and resource consumption.

Offer

  • Certification Authority

    A complete and robust Certification Authority solution, with the following features:

    • X.509 and CVC certificate issuance
    • CRLs and delta CRLs issuance
    • CA cryptographic keys in HSMs compatible with PKCS#11
    • Web administration interface
    • Two-factor access control
    • Configurable user profiles (operators, administrators, auditors, etc.)
    • Audit logs
    • Compliance with RFC 5280, CWA 14167
    • Common Criteria EAL4+ CMIC Certification
    • Robust: Clustering, Backup, Disaster Recovery
    • Multilanguage
    • Complete documentation package, which includes CPS, CP, PDS, policies, manuals, diagrams, procedures, forms and inventory
  • Registration Authority

    A complete, robust and flexible Registration Authority solution, with the following features:

    • Web forms for internal and external data collection for the issuance of certificates, including photograph
    • Installing certificates via web
    • Web back office for registration operators with features such as order management, approval workflows and status query
    • Certificate life cycle management operations (suspension, revocation, activation)
    • Two-factor access control
    • Configurable user profiles (registration operators, Customer Support operators, administrators, auditors, among others)
    • Audit logs
    • Suitable for internationalisation (i18n): multilingual, directionality, formatting, character encoding
    • Robust: Clustering, Backup, Disaster Recovery
  • Timestamping Authority

    A complete and strong Timestamping Authority solution, with the following features:

    • Compliance with RFC 3161
    • Support for multiple timestamping units (TSU)
    • CA cryptographic keys in HSMs compatible with PKCS#11
    • Web administration interface
    • Management of contracts and timestamp packages for wholesale and retail offers
    • Two-factor access control for internal users
    • Configurable user profiles (operators, administrators, auditors, etc.)
    • Audit logs
    • Built on certified Common Criteria EAL4+ security core
    • Assessed and approved by the Portuguese National Security Cabinet
    • Suitable for internationalisation (i18n): multilingual, directionality, formatting, character encoding
    • Robust: Clustering (active-active), Backup, Disaster Recovery
  • OCSP

    A complete and strong OCSP solution, with the following features:

    • Compliance with RFC 6960
    • Support for multiple CAs and OCSP responders
    • Cryptographic keys in HSMs compatible with PKCS#11
    • Web administration interface
    • Two-factor access control for internal users
    • Configurable user profiles (operators, administrators, auditors, etc.)
    • Audit logs
    • Built on certified Common Criteria EAL4+ security core
    • API for integration with existing CAs
    • Real-time updating of certificate status via integration API
    • Periodic update of certificate status through CRL (blacklist) and LDAP (whitelist)
    • Replacement of legacy OCSP solutions that lack scalable support, with no development or integration work needed on the rest of the existing PKI
    • Suitable for internationalisation (i18n): multilingual, directionality, formatting, character encoding
    • Robust: Clustering (active-active), Backup, Disaster Recovery
  • Key Management System

    A secure and robust solution for key generation and management, with the following features:

    • Mass pre-generation of cryptographic keys, immediately available to the processes of certificate issuance and customization
    • Keys generated in HSMs, with superior quality parameters and performance compared to keys generated in the smartcard chip
    • Dynamic management of key stock
    • Secure channel from the HSM to customization, through transport keys and key encryption keys (KEK)
    • Web administration interface
    • Two-factor access control for internal users
    • Configurable user profiles (operators, administrators, auditors, among others)
    • Audit logs
    • Built on certified Common Criteria EAL4+ security core
    • Suitable for internationalisation (i18n): multilingual, directionality, formatting, character encoding
    • Robust: Clustering, Backup, Disaster Recovery
  • Data Preparation

    A complete and robust solution for formatting data for identification documents and electronic passports, with the following features:

    • Formatting biographic and biometric data for identity documents and electronic passports
    • In accordance with LDS v1.7 ICAO 9303
    • Support for BAC, SAC/PACE, Active Authentication, EAC
    • API for integration with lifecycle and customization systems
    • Integrated with Key Management System
    • Audit logs
    • Robust: Clustering, Backup, Disaster Recovery
  • Document Signer

    A complete and robust solution for signing the data of identification documents and electronic passports to protect their authenticity and integrity, with the following features:

    • Signature of biographic and biometric data for identity documents and electronic passports
    • In accordance with ICAO 9303, producing the Document Security Object (SOD) structure
    • Support for BAC, SAC/PACE, Active Authentication, EAC
    • API for integration with lifecycle and customization systems
    • Audit logs
    • Robust: Clustering, Backup, Disaster Recovery
  • Card Management System

    A complete and robust customization solution for smartcards and USB cryptographic tokens, with the following features:

    • Application for final customization of SSCDs (smartcards, USB cryptographic tokens, secure microSD)
    • Support for SSCDs compatible with PKCS#11
    • Key generation in chip or import by secure channel
    • Integration with smartcard printers
    • Graphical interface for customization operators
    • Print Preview
    • Printing PIN cards in customizable templates
    • Printing cover letters and accompanying letters in customizable templates
    • Support for multiple configurable customization profiles
    • Installation on multiple workstations for customization in parallel
    • Access control restricted to customization operators
  • Maestro – Lifecycle Management

    Maestro is Multicert's complete, flexible and robust solution for interconnecting all PKI components and third-party services through customizable workflows, with the following features:

    • Essential service in the PKI solution, acting as Enterprise Service Bus (ESB)
    • Orchestration of services, coordinating the exchange of messages between components according to customizable workflows
    • Extremely flexible integration with internal and external Registration Entities, Customization, ERP, Active Directory / LDAP, SMS messaging systems, invoicing, payment gateways, etc.
    • Increased security, by preventing direct contact of the CA with the various PKI components - all requests are forwarded through Maestro
    • Synchronous and asynchronous processing of messages. In complex and large-scale PKIs, it minimizes the impact of occasional component failures and scheduled maintenance stops
    • It simplifies error handling, avoiding the need to develop exception-handling and recovery logic in each of the PKI components. Maestro provides reprocessing capabilities for all the services
    • Breakdown of processes into individual steps, facilitating the integration, reuse, maintenance and change management
    • Multiple input/output protocols: JSON, SOAP, HTTP, JMS, SMTP, FTP, file system, etc.
    • Web administration interface
    • Two-factor access control for internal users
    • Configurable user profiles (operators, administrators, auditors, etc.)
    • Audit logs
    • Robust: Clustering, Backup, Disaster Recovery
  • National PKD

    The National Public Key Directory (PKD) automatically makes available to electronic identity document inspection systems the information required to verify those documents. Multicert’s complete and robust PKD solution includes the following features:

    • LDAP interface for providing CSCA certificates, Document Signer, CVCA, DVCA, CRLs and MasterLists
    • Hierarchical organisation according to the certificate naming structure
    • Application with graphical interface for service management
    • Robust: Clustering, Backup, Disaster Recovery
  • SPOC

    Single Point of Contact (SPOC) is a certificate and information exchange solution, necessary for the validation of electronic identification documents such as the Passport, and mandatory between the European Union member countries.

    The SPOC of one country connects to the SPOC of another country and requests document verification certificates, which enable access to the biometric verification capabilities.

    Multicert’s SPOC solution is installed in several countries, with the following features:

    • Receiving requests for DVCA certificates from the national EAC PKI and delivery to the destination SPOC
    • Receiving online requests from SPOCs from other countries and forwarding to those responsible for the national EAC PKI
    • In accordance with ČSN 36 9791:2009, BSI TR-03110 and BSI TR-03139
    • Protection of communications between SPOCs using digital certificates issued by SPOC CA
    • Registration of SPOC CA by SPOC
    • Publishing SPOC CA’s CRL
    • Web administration interface
    • Two-factor access control for internal users
    • Configurable user profiles (operators, administrators, auditors, among others)
    • Audit logs
    • Robust: Clustering, Backup, Disaster Recovery
  • Terminal Control Centre

    The Terminal Control Center (TCC) is a complementary solution to Electronic Passport and National ID PKIs, and is necessary for effective automation of border control.

    Multicert’s TCC solution performs key and lifecycle management of X.509 and CVC certificates for the inspection systems, allowing the terminals to read identification documents and to use advanced mechanisms of biometric authentication.

    In addition to certificate and key management, Multicert’s TCC solution also connects the inspection system to the National PKD, providing all the information necessary for the correct and complete verification of identification documents.

    Multicert’s high performance TCC solution has the following features:

    • Integration with the National EAC PKI for automatic issuance of inspection system certificates
    • Integration with the reading terminals of inspection systems
    • Cryptographic keys of inspection systems generated and maintained in HSM compatible with PKCS#11
    • Centralized installation (for example: Police) or decentralized (for example: airport, seaport, border)
    • Web administration interface
    • Two-factor access control for internal users
    • Configurable user profiles (operators, administrators, auditors, among others)
    • Audit logs
    • Compliance with BSI TR-03129 and BSI TR-03129-2
    • Robust: Clustering, Backup, Disaster Recovery

Professional Services

In addition to the technological components, Multicert offers a range of Professional Services specialized in PKI, provided by a team with the know-how and accumulated experience of several implemented projects and of the daily operation of our own Certification Authority.

The activities listed below are some of those we offer.

  • Consultancy

    We support requirements analysis and solution design, drawing on the knowledge and experience of installing and operating dozens of PKIs.

    Support is provided in all the dimensions of a PKI, including technology, IT infrastructure, processes, physical and perimeter security, logical security, support for internal and external audits, and implementation of an information security management system (ISMS) in accordance with ISO 27001, among others.

  • Development

    We adapt our solutions to your specific needs.

  • Provisioning

    We select, scale and provide the IT infrastructure of servers, HSMs and network equipment, among others, seeking the best compromise between security, business continuity and costs.

  • Installation

    We configure and install the solution in testing, production, disaster recovery and any other available environments, ensuring the correct configuration and the establishment of monitoring, synchronization, backup and recovery processes in case of failure or disaster.

  • Documentation

    Along with the PKI solution, we deliver a complete package of documentation that includes CPS, CP, PDS, policies, manuals, diagrams, procedures, forms and inventory. In addition to supporting the operation of the PKI, this documentation package is fundamental to the audit process.

  • Training

    We organize a local staff training program to ensure the necessary transfer of know-how.

    Training includes introductory sessions on PKI concepts and the solution, and practical training on systems and equipment. Its fundamental objectives are the autonomy of PKI teams during operation and in resolving 1st and 2nd line issues, and awareness of security requirements.

  • Maintenance

    With the delivery of the solution, we provide ongoing support through preventive, corrective and evolutionary maintenance services, so that your PKI is always operational.

  • Operation

    Our professionals can exclusively operate your PKI, or in combination with members of your organization, in mixed teams, providing specialist support, redundancy of human resources for assurance of business continuity and a progressive transfer of know-how.