Wibu-Systems

Andrea Gillhuber

The safe for certificates

Networking is the be-all and end-all of the smart factory. Certificates ensure that machines and devices are clearly identifiable and can communicate securely with each other. However, these require secure handling and storage.

© Wibu-Systems

The technical basis of Industry 4.0 is intelligent, digitally networked systems: machines, devices and IT systems communicate and interact with each other. This networking only works, however, if the individual machines and devices can be uniquely addressed; they must be distinguishable and securely identifiable. The international standard for this is the digital certificate. It is based on a key pair, more precisely a public key that is shared with others and a private key that must never be disclosed. Every machine and every device receives its own certificate so that it can be uniquely identified, much like a forgery-proof ID card. It must also be possible to check the validity of the certificate. Both requirements are met by public key certificates in X.509 format, which are now common in industry.

The growing number of machines and devices makes the use of certificates necessary, but the processes for managing the certificates must be simplified and the keys must be stored securely. Another requirement for certificates is simple handling.
The components must be easy to replace in common situations - such as commissioning or servicing - despite the presence of certificates. The handling of certificates and their secure storage is demonstrated using the example of 'CodeMeter Certificate Vault'.


Overview of certification

If an instance, be it a human or a machine, requires a certificate, this instance initially generates a key pair itself - which is most securely done within a hardware secure element - and then sends a certification request to the higher-level certificate authority (CA). The CA checks this request and generates and signs a certificate, which is sent back. The instance takes this certificate and loads it into the target device. As soon as the certificate expires, the process starts all over again. The whole process is organizationally complex and difficult to understand for the layman. This explains why so few emails are encrypted and signed and why the use of certificates is not particularly popular.

The technology in detail

CodeMeter technology supports various interfaces and provides containers for software-based activation files and for the cloud. The fields in turquoise mark the functions of CodeMeter Certificate Vault.

© Wibu-Systems

Based on CodeMeter technology, Wibu-Systems has developed 'CodeMeter Certificate Vault', a kind of vault for securely storing digital certificates in the protective hardware CmDongle - a secure element. The central licensing tool CodeMeter License Central is used to create, manage and deliver licenses and, more recently, certificates and keys can also be securely transferred to CmDongles.
The CmDongles serve as secure key storage and are equipped with their own cryptoprocessor. The hardware is available in various designs for USB, SD, micro SD and CFast interfaces or as an ASIC; some designs are also suitable for use in harsh environments. CodeMeter Certificate Vault securely stores the certificates in the smart card chip and offers standard interfaces in addition to the CodeMeter API. It acts as a PKCS#11-compliant token provider, integrates as a key storage provider (KSP) in the Microsoft 'Cryptographic API Next Generation' (CNG) and can be used together with the OpenSSL API to securely store and use the keys of TLS certificates for websites, VPN connections or OPC UA instances, for example.

CodeMeter License Central securely transfers the certificates and keys to the CmDongle. This allows the certificates to be created and rolled out across the board, with minimal effort and in a fully automated manner. These keys and certificates cannot be read or passed on, nor can they be duplicated or compromised. Each time a certificate is used, a new cryptographic operation is carried out with the private key. The user does not have to deal with requests and updates or importing signed certificates. The entire administration and creation process takes place centrally, including a higher-level certification authority if required, for example in the certificate authority of a company's internal IT department. This authority checks and confirms that the public key associated with the certificate is actually assigned to this machine or device and is valid.

On the user side, there are also standard interfaces such as PKCS#11, KSP and OpenSSL. Each application can thus access certificates and keys in the CmDongle in a standard-compliant manner and calculate the cryptographic operations in the CmDongle. Functions such as optional PIN protection are available as a second factor.
The entire certificate creation and roll-out process takes place within the central certification authorities, for example a CA of the company's internal IT department. The CA generates certificates, key pairs and passwords and transfers them to the users' decentralized CmDongles. The transfer and import can be automated.

Handling certificates securely

A look at the source code shows the interaction between OpenSSL and CodeMeter Certificate Vault Engine.

© Wibu-Systems

At first glance, this approach appears to conflict with conventional certificate management. However, if the keys and certificates are generated in a central, secure environment, they are packaged in an encrypted update file (WibuCmRaU) that can only be opened by the one CmDongle it is intended for, using the 'CodeMeter Certificate Vault Admin Tool' or 'CodeMeter License Central'. This file securely transfers the key and certificate to the CmDongle. The dongle update is carried out in several stages with a request file (CmRaC) and a response file (CmRaU), just as certificates are signed via request and response.

At this point, the procedure is similar to the certificate request process, except that the certificate together with its key pair is encapsulated as a payload within this CodeMeter process. This simplifies the process considerably. CodeMeter also offers an internal, tamper-proof time, so that the secure CodeMeter functions can be used for time-based certificates.
As soon as loading into the CmDongle is complete, the certificates can be used by the standard interfaces described above. The certificates are renewed and deleted in the same way - if desired, without any action by the user.

CodeMeter Certificate Vault using the example of OpenSSL

Marco Blume is Product Manager Embedded at Wibu-Systems in Karlsruhe.

© Wibu-Systems

As already mentioned, 'CodeMeter Certificate Vault' offers other standard interfaces such as PKCS#11, KSP and OpenSSL in addition to the CodeMeter API, so that the solution can be integrated into existing applications or adapted to customer requirements. The image above illustrates the interaction between OpenSSL and CodeMeter Certificate Vault. In the first step, a CA root certificate is created and stored securely, including its private key, in the smart card chip of a CmDongle. In the next step, a file-based certificate valid for 30 days is created via OpenSSL and the 'CodeMeter Certificate Vault Engine', signed with this root certificate, which is now held securely in the CmDongle. In this combination, OpenSSL uses the private key and the associated certificate directly from the CmDongle.
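The root-CA-in-hardware flow described above (and the time-based validity check from the previous section), as an added Go example that is not Wibu-Systems' code and uses no CodeMeter API. The CA key is an ordinary software key here (an assumption for a runnable example), but IssueChain only ever touches it through Go's crypto.Signer interface, which is the same Public-plus-Sign surface a PKCS#11 token, a CNG KSP or an OpenSSL engine presents, so the private key never has to leave wherever it is stored; Verify shows the validity-window check that relies on a trustworthy clock.

```go
package main

import (
	"crypto"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// NewKey generates a P-256 key pair; in the deployment the article describes, the CA key would be generated and kept inside the CmDongle instead.
func NewKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// IssueChain creates a self-signed root CA and issues a leaf certificate for leafPub valid for `days` days.
// The CA key is used only via crypto.Signer (Public + Sign), the surface a PKCS#11 token, KSP or OpenSSL engine exposes.
func IssueChain(ca crypto.Signer, leafPub crypto.PublicKey, days int) (*x509.Certificate, *x509.Certificate, error) {
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Root CA"},
		NotBefore: now, NotAfter: now.AddDate(10, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	rootDER, err := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, ca.Public(), ca) // self-signed root
	if err != nil {
		return nil, nil, err
	}
	rootCert, err := x509.ParseCertificate(rootDER)
	if err != nil {
		return nil, nil, err
	}
	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "machine-0001"}, // constructed device name
		NotBefore: now, NotAfter: now.Add(time.Duration(days) * 24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature,
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTmpl, rootCert, leafPub, ca) // signed with the CA key
	if err != nil {
		return nil, nil, err
	}
	leafCert, err := x509.ParseCertificate(leafDER)
	return rootCert, leafCert, err
}
// Verify checks that leaf chains to root and lies inside its validity window at time t; this check needs a trustworthy clock.
func Verify(root, leaf *x509.Certificate, t time.Time) error {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, CurrentTime: t})
	return err
}
```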

Public key certificates are important for the identification of instances and prove the authenticity and integrity of data. Secure communication channels can be established using the public keys of these certificates and the corresponding private keys. The high level of security results from the fact that the private keys are stored in a secure element such as a CmDongle so that they cannot be read. CodeMeter License Central and CodeMeter Certificate Vault provide tools for the central management and distribution of certificates and private keys. This makes the process suitable for remote-controlled devices in industrial environments, IoT devices or simply for email encryption or VPN certificates in the corporate environment.
