What is ORCA?
ORCA solves the common challenges of the Offline Root CA: the Hardware, the Software, the HSM, the Backup storage and the Integration of those four elements.
With ORCA you don’t have to spend valuable time integrating bits and bytes into a functional solution. RNTrust has built ORCA as an off-the-shelf turnkey solution.
ORCA runs on a state-of-the-art Mini PC with a quad-core, four-thread Intel Atom x5-Z8500 CPU at 1.44 GHz (up to 2.24 GHz), 4 GB RAM and 64 GB SSD storage.
ORCA uses an OpenSSL-based CA on top of a hardened SuSE Linux with an encrypted file system and stores its status in a SQLite database.
ORCA supports all the standards including:
- RSA, DSA and EC private keys.
- All X.509v3 extensions.
- PKCS#1 unencrypted RSA key storage format.
- PKCS#7 Collection of public certificates.
- PKCS#8 Encrypted private key format for RSA, DSA and EC keys.
- PKCS#10 Certificate signing request.
- PKCS#11 Security token / Smart card / HSM access.
- PKCS#12 Certificate, private key and optionally a CA chain.
To ensure strong protection of the private keys, ORCA uses an nShield Edge hardware security module.
No Extra Time
x5-Z8500, 4 GB RAM and 64 GB SSD
AES-XTS 256-bit hardware-encrypted flash drive
Out of the Box
Fully Tested and Controlled Solution
The nShield Edge hardware security module (HSM) is a full-featured, portable USB HSM designed for low-volume transaction environments. It is capable of encryption and key protection and is ideally suited for offline key generation for certificate authorities (CAs).
nShield EDGE FEATURES:
- Certifications: nShield Edge USB HSMs are certified to FIPS 140-2 Level 2 and Level 3.
- Supported APIs: PKCS#11, OpenSSL, Java (JCE), Microsoft CAPI and CNG.
SUPPORTED CRYPTOGRAPHIC ALGORITHMS:
- Asymmetric public key algorithms: RSA, Diffie-Hellman, ECMQV, DSA, KCDSA, ECDSA, ECDH, Edwards (X25519, Ed25519ph).
- Symmetric algorithms: AES, AES-GCM, ARIA, Camellia, CAST, RIPEMD160 HMAC, SEED, Triple DES.
- Hash/message digest: SHA-1, SHA-2 (224, 256, 384, 512 bit).
- Full Suite B implementation with fully licensed ECC, including Brainpool and custom curves.
- Elliptic Curve Key Agreement (ECKA) available via Java API and nCore APIs.
- Elliptic Curve Integrated Encryption Scheme (ECIES) available via Java API, PKCS#11 and nCore APIs.
All ORCA components comply with the following safety and Environmental Standards:
©2023 RNTrust. All rights Reserved