Codegic Launches PKI Designer in Khatim PKI Server

Setting up two Tier PKI

Let’s deep dive and see how the PKI builder helps in visualizing your PKI. Our plan is to build a PKI like this Root CA > Issuing CAs. Let’s call the Root CA as:

• Corporate-Root-CA
  • Commercial-TLS-CA
  • Commercial-SMIME-CA
  • Commercial-CLIENT-AUTH-CA

First we’ll create the Root and the Sub CAs. We’ll keep things simple by creating all the CAs on a single instance of Khatim PKI Server although ideally CAs should be on segregated to have maximum security. From My CA > Create CA, we’ll setup our Root and Sub CAs.

This open a CA form. We’ll fill in the form and create the CA. We’ll setup the keys to be in an HSM & select a CA template.

Note that the Khatim PKI Server’s certificate template section allow PKI Admins to setup certificate parameters like validity periods, policies (Qualified statement, CA/B forum extension) & RFC 5280 based extensions.

Like in the Card View, each CA is shown as a card. Here the CA is shown in green color representing that it is a CA which is configured locally; has access to it’s private key as well. If not then the CA is shown in grey color meaning they are managed remotely which are normally Remote Root CAs or Remote Sub/Issuing CAs.

PKI Admins can see basic details just like in the card view. There is an exclamation shown guiding that the CRL configurations are missing, this can be setup to remove the warning.

Now let’s issue Sub CAs i.e. Commercial TLS CA.

Let’s add one more CA.

Each CA is neatly stacked to visually represent the PKI hierarchy, starting from the Root CA at the top and progressing downward through Subordinate CAs. This structured layout makes it easy for PKI Admins to understand the trust chain at a glance. Clicking the card opens the CA details screen provide complete information about the CA. On the card, there are also buttons to give one click access to:

• CA issued certs, crls
• Ability rekey the CA
• Download the CA certificate
• Download CSR or import the issued cert (if CA was certified by an external CA)

Setting up Three Tier PKI

Let’s build another PKI hierarchy for a three tier architecture.

Adding more CAs.

More Options

Let’s explore operations like CA revocation and renewal. If a CA is revoked a RED exclamatiion icons is shown.

If we configure any of the CA to issue CRLs automatically and also configured it inside Certificate Provider engine for certificate issuance (over Restful calls) then the card will highlight those attributes accordingly (filled light green).

If we Rekey/Renew a CA, Khatim PKI Server will automatically detect the list of certificate provider policies where the being renewed CA was configured. This is handy as the old CA might not be used to issue new certificates rather only issue CRLs. PKI admin can select those certificate provider policies and the new CA will automatically be configured there.

Once complete, the rekeyed CA will be shown as disabled. Both the old and new CAs will share the same color marker for easy identification and pairing.

For the newly issued CA, the PKI admin can refer to the CA History tab to view information about the old CA that was renewed.

Now let’s create a new CA (Quantum Sub CA) using a CSR which the Quantum Root CA (running on another org/system) will issue.

Once done the Quantum Sub CA is shown in green filled box, representing that it is local i.e. has access to its private keys.

To issue Issuing CAs via CSR by Quantum Sub CA, PKI Admin can open the list of issued certs and click Certify Manually (PKCS#10) option to select the Issuing CA’s CSR/PKCS#10.

Here PKI Admins can easily paste the CSR and issue the CA certificate. Here is the PKI Tree view while issuing multiple CAs.

Viewer Management

Other than this you can use the zoom in/out controls, fit to screen, full screen & show/hide the mini map options to further improve the visibilty of the PKI.