What are the topics for CA.

Only a securely operated certification authority can serve as the root of a public key infrastructure, which in turn is used to protect the confidentiality or the authenticity and integrity of information. Public key infrastructures (PKI) rest on trust: a Certification Authority (CA) that operates a PKI must be trustworthy in fact, and it must also be recognised as trustworthy by third parties. Establishing this trust requires two things:

  • First, there must be a basis for that trust: the CA must implement organizational and technical measures at an appropriate level of security and lay down binding rules for all PKI participants.
  • Second, these security measures must be documented transparently and demonstrably. This is the purpose of a (passed) audit carried out against clear, documented requirements.

BSI Technical Guideline [TR-03145] is intended to support CAs in both steps: it specifies the security measures a CA has to implement, and it serves as the basis for an audit and certification process. Among other things, [TR-03145] requires an audit according to ISO/IEC 27001 whose scope must cover all of the CA processes and areas named in the guideline. The audit is performed by an auditor certified for "Secure CA Operation" and takes place on site at the CA being audited.