Complete e-Passport PKI solutions from root to border

Modern electronic passport ecosystems require more than certificate issuance. They demand interoperable trust anchors, protected biometric access, secure cross-border validation, and operational transparency.

Khatim delivers a full e-Passport PKI solution that covers:

  • Country Signing Certificate Authority (CSCA)

  • Document Signer & Master List Signer

  • CVCA / DVCA hierarchies

  • SPOC communication channels

  • National PKD integration with ICAO

  • HSM-backed key custody

  • Continuous monitoring, auditing, and reporting

The result is a deployable, standards-aligned infrastructure for governments, border agencies, and national identity authorities.


"End-to-end e-Passport PKI solutions built for global trust and ICAO interoperability"

Khatim PKI Server - e-passport PKI solutions

e-Passport PKI solutions for Basic Access Control (BAC)

What BAC provides: BAC establishes a basic trust model enabling inspection systems to verify the authenticity of an e-passport and the data in its chip.

Khatim capabilities for BAC:

  • CSCA (Country Signing Certificate Authority) generation and lifecycle management.

  • Document Signer (DS) creation and issuance (Document Signer Certificates signed by CSCA).

  • Master List Signer (MLS) management and Master List workflows.

  • Support for CVCA / DVCA issuance where domestic and foreign Document Verifier CAs are needed.

  • Distributed deployment: CSCA, MLS, DS and NPKD services can run on separate machines (each backed by HSMs) to meet operational and security separation requirements.

  • LDS signing: Khatim signs e-passport Logical Data Structure (LDS) data using the CMS profile identified by OID 1.2.840.113549.1.7.3.2 (CMS SignedData with appropriate content types), ensuring interoperability with ICAO-compliant readers.

  • NPKD integration: Khatim NPKD synchronizes with the ICAO PKD for importing/exporting country CSCA and Master List data.

BAC deployment notes: CSCA, MLS, DS and NPKD may be provisioned on dedicated hosts with HSMs. All components include configuration options surfaced via the admin portal for key lifecycle, publishing, and automated Master List generation.

Khatim e-passport Basic Access Control (BAC) architecture

Extended Access Control (EAC) & SPOC model – high-assurance verification

What EAC provides: EAC protects biometric data and enforces stricter access controls than BAC. It is typically used in European contexts and other high-assurance deployments.

Khatim capabilities for EAC & SPOC:

  • CVCA & DVCA support: Generate and manage Country Verifying CAs (CVCAs) and Document Verifier CAs (DVCAs) used in EAC flows. These can be created and stored in HSMs and deployed on separate systems to segregate trust domains.

  • SPOC (Single Point of Contact) architecture: SPOC servers run in a DMZ to facilitate secure inter-country communication. Khatim SPOC supports SPOC-to-SPOC mTLS communication and acts as the proxy/bridge between CVCA and DVCA services.

  • Protocols & standards: Khatim implements the EAC communication stack per BSI/TR specifications (including ICAO 9303 8th Edition Part 12, CSN 36 9791, BSI TR-03129 and BSI TR-03110 where applicable) for DVCA↔SPOC↔CVCA interactions and token exchanges.

  • Algorithm support: Khatim supports RSA and ECDSA (and can be configured for approved curves) across EAC flows; HSMs ensure secure key operations.

  • Rekey & continuity: Allows all CAs (CSCA, CVCA, DVCA) to be rekeyed for business continuity.

EAC deployment notes: In EAC deployments Khatim enforces mTLS for all SPOC communications, enforces role-based access control for SPOC operators, and logs message flows for forensic review.

Khatim e-passport Extended Access Control (EAC) architecture

National PKD & ICAO ecosystem integration

An effective e-Passport PKI solution must interact with the global trust environment.

Khatim NPKD enables you to:

  • Import CSCA certificates from other countries

  • Publish national Master Lists

  • Synchronize with ICAO PKD

  • Assign and manage trust levels

  • Revoke compromised signers quickly

  • Maintain complete audit history

Automation reduces manual effort while ensuring continuous compliance.

Core security & operational aspects

Khatim’s e-Passport deployment is engineered for compliance, resilience, and operational control.

User & application access control

  • Multi-factor authentication (2FA) for administrators and operators.

  • Fine-grained application access via TLS client certificates and OAuth where applicable.

  • Role separation between CSCA operators, Document Signer managers, and NPKD operators.

System integrity & tamper evidence

  • HMAC checks and integrity heartbeats for critical services.

  • Transaction logging for every trust service; logs can be archived and signed to prevent tampering.

  • Secure log export and retention policies for auditability.

HSM & key management

  • Integrated HSM manager to handle pools of HSMs with automatic reconnection, slot mapping and key segregation.

  • Support for generating keys in HSMs or importing pre-provisioned keys where required by national policy.

  • Rekey, rotation and retirement workflows consistent with standards and auditable.

Alerting, monitoring & reporting

  • Event-based alerts (email, SMS, SNMP) for critical conditions (CRL generation failures, HSM connectivity, rekey anomalies).

  • Daily summary reports for each trust service, plus detailed analytics for issuance, revocation, and operational metrics.

  • Dashboards for live monitoring of CSCA/DS/MLS/SPOC activity and historical trend graphs for compliance reviews.

e-Passport PKI components – how they interact

  • CSCA – issues Document Signer and Master List Signer certificates; root trust anchor.

  • Document Signer (DS) – signs Security Data Objects (SDOs) that are encoded on the passport chip.

  • MLS – signs the Master List used by inspection systems.

  • CVCA / DVCA – EAC-related CAs for cross-country verification and local inspection systems.

  • SPOC Server – DMZ-deployed server that mediates CVCA↔DVCA interactions, supports mTLS and BSI TR protocols.

  • NPKD – national PKD server to sync with ICAO PKD and publish data to inspection systems.

All these modules integrate with the Khatim PKI Server’s Certificate Provider engine, HSM Key Vaults, monitoring, and reporting subsystems.
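The trust chain the list above describes, with the CSCA issuing the Document Signer certificate, the DS signing the hashes of the data groups that go on the chip, the NPKD's Master List supplying the CSCA trust anchors, and the inspection system validating the whole chain (Passive Authentication), as an added Go example using only the standard library. It is not Khatim code. A real SOD is CMS SignedData per ICAO Doc 9303; here a fixed table of SHA-256 data group hashes signed with ECDSA P-256 stands in for it. The country code "UT", the data group contents, the certificate names and validity periods, the in-memory Master List and the time-based serial number are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

type MasterList map[string]*x509.CertPool // CSCA trust anchors an NPKD distributes to inspection systems, per issuing country

// SOD is a simplified stand-in for the Document Security Object (a real SOD is CMS SignedData per ICAO Doc 9303).
type SOD struct {
	DGHashes  [17][32]byte // row n = SHA-256 of DGn; an all-zero row means the DG is absent
	Signature []byte       // ECDSA (ASN.1) signature by the Document Signer over tableDigest(DGHashes)
	DSCertDER []byte       // DS certificate carried with the SOD, as on a real chip
}

// tableDigest hashes the table row by row; the fixed layout is canonical, so signer and verifier hash the same bytes.
func tableDigest(t [17][32]byte) []byte {
	h := sha256.New()
	for _, row := range t {
		h.Write(row[:])
	}
	return h.Sum(nil)
}

func must[T any](v T, err error) T { // setup failures (key generation, issuance) abort the example
	if err != nil {
		panic(err)
	}
	return v
}

func newKey() *ecdsa.PrivateKey { // in a real deployment these keys live in an HSM
	return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
}

// Issue signs a certificate: isCA yields a self-signed CSCA (parent ignored), else parent is the CSCA issuing a signature-only Document Signer leaf; the serial is a constructed time-based value.
func Issue(cn, country string, isCA bool, now, notAfter time.Time, parent *x509.Certificate, pub *ecdsa.PublicKey, key *ecdsa.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{Country: []string{country}, CommonName: cn},
		NotBefore: now, NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: isCA, KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		t.KeyUsage, parent = x509.KeyUsageCertSign|x509.KeyUsageCRLSign, t
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, t, parent, pub, key))))
}

// SignSOD is the Document Signer step at personalisation: hash each data group (DG1..DG16) and sign the table.
func SignSOD(dsKey *ecdsa.PrivateKey, dsCert *x509.Certificate, dgs map[int][]byte) *SOD {
	sod := &SOD{DSCertDER: dsCert.Raw}
	for dg, data := range dgs {
		sod.DGHashes[dg] = sha256.Sum256(data)
	}
	sod.Signature = must(ecdsa.SignASN1(rand.Reader, dsKey, tableDigest(sod.DGHashes)))
	return sod
}

// PassiveAuth is the inspection-system check: chain DS -> trusted CSCA (valid at inspection time), verify the DS signature over the SOD, then match each data group read from the chip against its signed hash.
func PassiveAuth(sod *SOD, dgs map[int][]byte, ml MasterList, now time.Time) error {
	ds, err := x509.ParseCertificate(sod.DSCertDER)
	if err != nil {
		return fmt.Errorf("bad DS certificate: %w", err)
	}
	roots, ok := ml[strings.Join(ds.Issuer.Country, "")] // explicit pool only: never fall back to system roots
	if !ok {
		return fmt.Errorf("issuer country %v has no CSCA in the master list", ds.Issuer.Country)
	}
	if _, err := ds.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}); err != nil {
		return fmt.Errorf("DS does not chain to a trusted CSCA: %w", err)
	}
	pub, ok := ds.PublicKey.(*ecdsa.PublicKey)
	if !ok || !ecdsa.VerifyASN1(pub, tableDigest(sod.DGHashes), sod.Signature) {
		return fmt.Errorf("SOD signature does not verify")
	}
	for dg, want := range sod.DGHashes {
		if want != ([32]byte{}) && sha256.Sum256(dgs[dg]) != want {
			return fmt.Errorf("DG%d content does not match its signed hash", dg)
		}
	}
	return nil
}

func main() {
	now := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	cscaKey, dsKey := newKey(), newKey()
	csca := Issue("CSCA UT", "UT", true, now, now.AddDate(15, 0, 0), nil, &cscaKey.PublicKey, cscaKey) // "UT" is a constructed country code
	ml := MasterList{"UT": x509.NewCertPool()}
	ml["UT"].AddCert(csca)
	dgs := map[int][]byte{1: []byte("P<UTODOE<<JANE<<<<"), 2: []byte("constructed face image")}
	sod := SignSOD(dsKey, Issue("Document Signer", "UT", false, now, now.AddDate(0, 3, 0), csca, &dsKey.PublicKey, cscaKey), dgs)
	fmt.Println("genuine:", PassiveAuth(sod, dgs, ml, now), "| tampered DG2:", PassiveAuth(sod, map[int][]byte{1: dgs[1], 2: []byte("swapped")}, ml, now))
}
```

Three inspection-side details carry the security weight here: the CSCA pool is looked up explicitly per issuing country and the verifier never falls back to the host's system roots; the Document Signer's validity and chain are judged at inspection time, so a DS that has expired or whose CSCA has been dropped from the Master List (the NPKD's revocation path) stops validating; and the hash table has a fixed layout, so signer and verifier cannot disagree about which bytes were signed.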

Architecture notes – separation & HSM placement

For maximum assurance, we recommend:

  • Dedicated HSMs for CSCA/PAI keys (air-gapped or in a secured zone).

  • Separate hosts for CSCA, MLS and Document Signer roles to reduce blast radius.

  • SPOC in DMZ for EAC deployments, with strictly enforced mTLS and firewall rules.

  • Signed archives & integrity checks for log storage and CI/CD pipelines that manage configuration.

Compliance & standards coverage

Khatim aligns with ICAO e-Passport specifications and supports the protocol stack required for both BAC and EAC. Implementation includes CMS-based LDS signing OID 1.2.840.113549.1.7.3.2, BSI TR protocol support, ICAO PKD interoperability, and HSM-backed custody for attestation keys.

Why governments choose Khatim for e-Passport PKI solutions

National infrastructures require longevity, interoperability, and uncompromising security. Khatim supports distributed deployments, strict separation of duties, and internationally recognized protocols, helping authorities move from design to production with confidence.

"Your nation’s identity deserves a PKI without compromise"

Words from Clients

Leading companies rely on us for their PKI and digital signature needs

We were struggling with our PKI implementation when Codegic came to the rescue. They not only sorted our technical issues but also designed the whole PKI for the infrastructure.

Hemal Patel, CEO, Ray Pte. Ltd.