Key Server - Overview
Comprehensive documentation for Key Server. This section provides a high-level overview of the solution, its key features, and use cases.
Key Features
- Key Management - Centralized key storage and lifecycle management
- Security Features - FIPS 140-2 compliance and HSM integration
- Integration - REST API access and multiple SDK support
Use Cases
Our Key Server provides the foundation for secure key management:
- Centralized key management infrastructure
- Secure storage and distribution of cryptographic keys
- Integration with hardware security modules (HSMs)
- Automated key lifecycle management
Key Server – Get Started
This guide walks through firmware signing with the Cryptera KeyServer API: obtain an access token, open and approve a time-limited signing operation, sign through the KeyServer PKCS#11 module via the OpenSSL pkcs11 engine, and verify the signature independently of the signing path.
Prerequisites
- Ubuntu 24.04 (or a compatible Linux distro)
- Docker Engine
- cURL, OpenSSL, jq, OpenSC (provides pkcs11-tool), and libengine-pkcs11-openssl (the OpenSSL pkcs11 engine used in the signing step)
Authentication
Obtain an access token with the OAuth 2.0 client credentials grant. The Basic header carries base64(client_id:client_secret); the value below decodes to the demo pair adminclient:password and must be replaced with your own client credentials (and kept out of shell history and committed scripts):
export KSC_ID_TOKEN=$(curl -sS --tlsv1.3 -X POST \
-H "Authorization: Basic YWRtaW5jbGllbnQ6cGFzc3dvcmQ=" \
-d "grant_type=client_credentials" \
https://authserver.ocean-lantern.cryptera.com:8300/oauth2/token | jq -r .access_token)
Initiate Pipeline
Start a signing pipeline. validms bounds how long the operation stays usable (60000 ms, i.e. 60 s, here), and each new-keyusagerestrictions entry caps how many times the named key may be used under this operation (maxusagecount 1 allows a single signature per key), so an approved operation cannot be replayed for extra signatures:
export KSC_OPERATION_ID=$(curl -sS --tlsv1.3 -X POST 'https://keyserver.ocean-lantern.cryptera.com:8200/api/operations' \
-H "Authorization: Bearer $KSC_ID_TOKEN" \
-H 'accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"validms": 60000,
"description": "Firmware signing for development board",
"new-keyusagerestrictions": [
{ "keyid": "key1", "maxusagecount": 1 },
{ "keyid": "key4", "maxusagecount": 1 }
]
}' | jq -r .id)
Approval
Approve the pipeline operation. Signing against the restricted keys is only possible after approval, and both approval and signing have to happen inside the operation's validms window:
curl -sS --tlsv1.3 -X PUT "https://keyserver.ocean-lantern.cryptera.com:8200/api/approvals/$KSC_OPERATION_ID" \
-H "Authorization: Bearer $KSC_ID_TOKEN" \
-H 'accept: application/json' \
-H 'Content-Type: application/json'
Signing
Sign the firmware image through the OpenSSL pkcs11 engine, backed by the KeyServer PKCS#11 module (/opt/app/scripts/libpkcs11keyserver.so, which the engine must be pointed at, for example via the MODULE_PATH setting in the engine's openssl.cnf section). OpenSSL hashes data.txt locally and hands only the digest to the module, so the private key never leaves the Key Server. The object= value in the PKCS#11 URI is left blank in this guide; set it to the label of the key covered by the operation's usage restriction (key1 or key4 above):
openssl dgst -engine pkcs11 -keyform engine \
-sign "pkcs11:object=" -sha256 -out signature.bin data.txt
Verification
Verify the signature independently of the signing path: read the signing certificate from the KeyServer PKCS#11 module, extract its public key, and check the signature with plain OpenSSL (no engine involved). The --label value is blank here; use the label of the signing key's certificate. openssl dgst -verify prints Verified OK on success and exits non-zero otherwise, so the last command can gate a build step:
pkcs11-tool --module /opt/app/scripts/libpkcs11keyserver.so --read-object --type cert \
--label --output-file cert.der
openssl x509 -pubkey -noout -inform DER -in cert.der -out pubkey.pem -outform PEM
openssl dgst -sha256 -verify pubkey.pem -signature signature.bin data.txt
Key Server – API Reference
The KeyServer API provides endpoints for managing signing operations. Key endpoints include:
Authentication
POST /oauth2/token
Retrieve an authentication token.
Initiate Pipeline
POST /api/operations
{
"validms": 60000,
"description": "Firmware signing for development board",
"new-keyusagerestrictions": [
{ "keyid": "key1", "maxusagecount": 1 },
{ "keyid": "key4", "maxusagecount": 1 }
]
}
Approve Pipeline
PUT /api/approvals/{operation_id}
Operation Status
GET /api/operations/{operation_id}
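The flow above (token, operation with usage restrictions, approval, status) as a small client, added here as an example; it is not Cryptera's SDK or any code from this page. It uses only the Python standard library: urllib with a TLS 1.3 minimum (the equivalent of curl --tlsv1.3), the Basic header computed from client_id:client_secret rather than pasted as a base64 literal, and a client-side view of the validms window. The same class serves the Code Signing and Device Certificates flows later on this page by passing their api_url. Assumptions: the token response carries access_token and the operation response carries id (both used by the curl commands on this page); the GET /api/operations/{id} response schema is not documented here, so it is returned raw; RecordingOpener and its canned replies are constructed so the demo runs offline.

```python
import base64
import io
import json
import ssl
import time
import urllib.request
from urllib.parse import urlencode

# Hosts from this page's Key Server examples; pass the code-signing or
# device-certificates api_url to PipelineClient for those flows.
AUTH_URL = "https://authserver.ocean-lantern.cryptera.com:8300"
API_URL = "https://keyserver.ocean-lantern.cryptera.com:8200"


def basic_header(client_id, client_secret):
    """Authorization header for POST /oauth2/token: base64(client_id:client_secret)."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def tls13_opener():
    """urllib opener that refuses anything below TLS 1.3 (curl --tlsv1.3 equivalent)."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return urllib.request.build_opener(urllib.request.HTTPSHandler(context=ctx))


class PipelineClient:
    """token -> operation -> approval -> status, the sequence shown on this page."""

    def __init__(self, auth_url=AUTH_URL, api_url=API_URL, opener=None):
        self.auth_url = auth_url.rstrip("/")
        self.api_url = api_url.rstrip("/")
        self.opener = opener or tls13_opener()
        self.token = None
        self.deadline = None  # monotonic time at which the operation's validms window closes

    def _json(self, method, url, headers, body=None):
        req = urllib.request.Request(url, data=body, method=method, headers=headers)
        with self.opener.open(req, timeout=30) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}

    def fetch_token(self, client_id, client_secret):
        """OAuth 2.0 client credentials grant against POST /oauth2/token."""
        body = urlencode({"grant_type": "client_credentials"}).encode()
        hdrs = {"Authorization": basic_header(client_id, client_secret),
                "Content-Type": "application/x-www-form-urlencoded"}
        self.token = self._json("POST", f"{self.auth_url}/oauth2/token", hdrs, body)["access_token"]
        return self.token

    def _bearer(self):
        if not self.token:
            raise RuntimeError("call fetch_token() first")
        return {"Authorization": f"Bearer {self.token}",
                "accept": "application/json", "Content-Type": "application/json"}

    def create_operation(self, description, key_ids, valid_ms=60000, max_usage=1):
        """POST /api/operations: one usage restriction per key (maxusagecount=1 means one signature)."""
        body = {"validms": valid_ms, "description": description,
                "new-keyusagerestrictions": [{"keyid": k, "maxusagecount": max_usage} for k in key_ids]}
        op_id = self._json("POST", f"{self.api_url}/api/operations", self._bearer(),
                           json.dumps(body).encode())["id"]
        self.deadline = time.monotonic() + valid_ms / 1000.0
        return op_id

    def approve(self, op_id):
        """PUT /api/approvals/{operation_id}."""
        return self._json("PUT", f"{self.api_url}/api/approvals/{op_id}", self._bearer())

    def get_operation(self, op_id):
        """GET /api/operations/{operation_id}; schema is undocumented here, so return raw JSON."""
        return self._json("GET", f"{self.api_url}/api/operations/{op_id}", self._bearer())

    def seconds_left(self):
        """Client-side view of the validms window: run the PKCS#11 signing only while positive."""
        return None if self.deadline is None else self.deadline - time.monotonic()


class RecordingOpener:
    """Constructed stand-in for the HTTPS opener so the demo runs offline: records every
    request and answers with canned JSON (assumed minimal shapes: access_token, id)."""

    def __init__(self):
        self.calls = []  # (method, url, headers, body) per request

    def open(self, req, timeout=None):
        self.calls.append((req.get_method(), req.full_url, dict(req.header_items()), req.data))
        reply = {"access_token": "tok-demo"} if req.full_url.endswith("/oauth2/token") else {"id": "op-42"}
        return io.BytesIO(json.dumps(reply).encode())  # BytesIO supports `with` and .read()


def demo():
    """The page's Key Server flow against the recording opener; returns (op_id, recorded calls)."""
    rec = RecordingOpener()
    client = PipelineClient(opener=rec)
    client.fetch_token("adminclient", "password")  # the page's demo pair; replace with real credentials
    op_id = client.create_operation("Firmware signing for development board", ["key1", "key4"])
    client.approve(op_id)
    client.get_operation(op_id)
    return op_id, rec.calls


if __name__ == "__main__":
    for method, url, _, _ in demo()[1]:
        print(method, url)
```

Drop the opener argument to talk to the real hosts; the default opener then rejects any connection negotiated below TLS 1.3, and the secret only ever exists in memory as the computed header. Because the Key Server enforces validms and maxusagecount, seconds_left() is only a convenience for failing fast before the engine call, not a substitute for the server-side limits.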
Code Signing - Overview
Comprehensive documentation for Code Signing. This section provides a high-level overview of the solution, its key features, and use cases.
Key Features
- Integrated Key Management - Enterprise-grade key infrastructure with secure generation, storage, and automated lifecycle management of signing keys.
- Hardware Security Module Support - Integration with HSMs for maximum security of cryptographic keys and signing operations.
- Automated Signing Process - Streamline code releases with automated signing workflows integrated into your CI/CD pipeline.
- Version Control - Track and manage code versions with built-in versioning system and rollback capabilities.
- Multi-Stage Verification - Implement multiple verification checks to ensure code integrity throughout the deployment process.
- Audit & Compliance - Comprehensive audit trails and reporting for all signing operations and key activities.
- Developer Tools - Comprehensive SDK and CLI tools for developers to sign and verify code locally during development.
Use Cases
Learn how Code Signing can benefit your organization:
- Secure IoT device communications
- Manage cryptographic keys at scale
- Ensure firmware integrity
- Meet compliance requirements
Code Signing – Get Started
This guide outlines the process for code signing using Cryptera’s PKCS11-based infrastructure.
Prerequisites
- Linux environment (e.g., Ubuntu 24.04)
- Tools: Docker, cURL, OpenSSL, jq, OpenSC (pkcs11-tool), and libengine-pkcs11-openssl, as in the Key Server guide
Authentication & Pipeline Initiation
Obtain your token (the Basic header is base64(client_id:client_secret) for your own client) and initiate a pipeline for code signing; adjust the key identifier to the signing key you intend to use, keeping maxusagecount at 1 so the approval covers exactly one signature:
export KSC_ID_TOKEN=$(curl -sS --tlsv1.3 -X POST \
-H "Authorization: Basic [base64 of client_id:client_secret]" \
-d "grant_type=client_credentials" \
https://authserver.ocean-lantern.cryptera.com:8300/oauth2/token | jq -r .access_token)
export KSC_OPERATION_ID=$(curl -sS --tlsv1.3 -X POST 'https://code-signing.ocean-lantern.cryptera.com:8200/api/operations' \
-H "Authorization: Bearer $KSC_ID_TOKEN" \
-H 'accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"validms": 60000,
"description": "Code signing for release",
"new-keyusagerestrictions": [
{ "keyid": "keyA", "maxusagecount": 1 }
]
}' | jq -r .id)
Signing Operation
After the operation has been approved (PUT /api/approvals/$KSC_OPERATION_ID with the bearer token, as in the Key Server guide) and while its validms window is still open, sign the release artifact through the pkcs11 engine. The object= label is left blank here; set it to the label of the key restricted in the operation (keyA above):
openssl dgst -engine pkcs11 -keyform engine \
-sign "pkcs11:object=" -sha256 -out signature.bin code.zip
Code Signing – API Reference
The Code Signing API includes endpoints for initiating, approving, and checking the status of code signing operations.
Initiate Pipeline
POST /api/operations
{
"validms": 60000,
"description": "Code signing for release",
"new-keyusagerestrictions": [
{ "keyid": "keyA", "maxusagecount": 1 }
]
}
Approve Pipeline
PUT /api/approvals/{operation_id}
Operation Status
GET /api/operations/{operation_id}
Device Certificates - Overview
Comprehensive documentation for Device Certificates. This section provides a high-level overview of the solution, its key features, and use cases.
Key Features
- Certificate Authority - Built-in certificate authority with integrated key management for issuing and managing device certificates.
- Key Infrastructure - Secure generation, storage, and automated lifecycle management of cryptographic keys for device authentication.
- Automated Provisioning - Streamline device onboarding with automated certificate provisioning and enrollment protocols.
- Certificate Lifecycle - Comprehensive lifecycle management including automated renewal, revocation, and status checking.
- Scalable Architecture - Handle millions of devices with distributed architecture and efficient certificate operations.
- Integration Support - Easy integration with major IoT platforms and cloud services through standard protocols.
- Security Compliance - Meet industry security standards and compliance requirements with robust certificate management.
Use Cases
Learn how Device Certificates can benefit your organization:
- Secure IoT device communications
- Manage cryptographic keys at scale
- Ensure firmware integrity
- Meet compliance requirements
Device Certificates – Get Started
This guide explains how to initiate and manage operations for issuing device certificates using Cryptera’s system.
Prerequisites
- Linux environment (e.g., Ubuntu 24.04)
- Tools: Docker, cURL, OpenSSL, jq, OpenSC (pkcs11-tool), as in the Key Server guide
Authentication & Pipeline Initiation
Fetch your authentication token and initiate a pipeline for certificate issuance:
export KSC_ID_TOKEN=$(curl -sS --tlsv1.3 -X POST \
-H "Authorization: Basic [base64 of client_id:client_secret]" \
-d "grant_type=client_credentials" \
https://authserver.ocean-lantern.cryptera.com:8300/oauth2/token | jq -r .access_token)
export KSC_OPERATION_ID=$(curl -sS --tlsv1.3 -X POST 'https://device-certificates.ocean-lantern.cryptera.com:8200/api/operations' \
-H "Authorization: Bearer $KSC_ID_TOKEN" \
-H 'accept: application/json' \
-H 'Content-Type: application/json' \
-d '{
"validms": 60000,
"description": "Issuance of device certificate",
"new-keyusagerestrictions": [
{ "keyid": "deviceKey1", "maxusagecount": 1 }
]
}' | jq -r .id)
Certificate Issuance
After approval (PUT /api/approvals/$KSC_OPERATION_ID with the bearer token) and within the operation's validms window, the system issues the device certificate. This page does not document the retrieval endpoint; once you hold the certificate in DER form it can be inspected with standard tools such as openssl x509, as in the Key Server verification step.
Device Certificates – API Reference
The Device Certificates API provides endpoints for managing certificate issuance and tracking the status of operations.
Initiate Pipeline
POST /api/operations
{
"validms": 60000,
"description": "Issuance of device certificate",
"new-keyusagerestrictions": [
{ "keyid": "deviceKey1", "maxusagecount": 1 }
]
}
Approve Operation
PUT /api/approvals/{operation_id}
Operation Status
GET /api/operations/{operation_id}