Learn about the GlobalSign Online Certificate Status Protocol (OCSP) service for IoT PKIs. As a CA-agnostic service, it can accommodate certificates provisioned by in-house PKIs or by other commercial CAs. It performs certificate status checks, functions as a certificate inventory, and enables OCSP revocation with high availability and performance.
Thank you
About GlobalSign
GlobalSign is the leading provider of trusted identity and security solutions enabling businesses, large enterprises, cloud service providers and IoT innovators around the world to secure online communications, manage millions of verified digital identities and automate authentication and encryption. Its high-scale Public Key Infrastructure (PKI) and identity solutions support the billions of services, devices, people and things comprising the Internet of Everything (IoE).
DIANE VAUTIER
Product Marketing Manager, IoT
diane.vautier@globalsign.com
@dvautier
GlobalSign IoT: the Custom PKI Experts
Editor's Notes
Firms that operate a locally-hosted PKI and/or CA looking to outsource certificate validation and revocation (validation authority) services
Original Equipment Manufacturers (OEMs) of IoT connected devices that produce numerous product lines, operate multiple production facilities, or have begun the digital transformation to incorporate IIoT into their production processes and IoT connected products. For OEMs, outsourcing certificate management and revocation optimizes production capacity and frees up resources to concentrate on manufacturing core competencies.
Electronics Manufacturing Services (EMS) firms producing secure devices but that want to outsource certificate management after the product leaves the facility to minimize certificate management expenses while still maintaining secure device certificate management. EMS firms can more easily segment customer production runs and manage the full life of device identity certificates for periods meeting or exceeding the certificate validation period, eliminating orphaned certificates as a result of decommissioned PKIs.
Semiconductor manufacturers that promote security by design by delivering certificates on chips, but don't want to maintain certificate inventories or costly certificate validation and revocation services after programming. With Hosted OCSP, semiconductor manufacturers have a unique opportunity to offer customers the ultimate in security by design: in addition to digital certificates on a chip, they can offer a means to manage the lifecycle of the chip identity, and thus of the device it goes into, throughout the lifecycle of the chip and the device.
PKI complexity and lack of expertise. The complexity, expense and expertise needed to establish, operate and maintain a highly trusted IoT Public Key Infrastructure (PKI) can be daunting. Since it is an emerging technology, expertise is scarce, and companies end up stretching in-house IT beyond its capabilities and know-how.
Long Certificate Validity Periods. IoT digital certificates can have extended validity periods that span months to several years, necessitating the establishment of certificate management, validation and revocation services that can extend beyond company acquisitions, employee turnover, and changing technology standards.
Disparate certificate types and CAs. Hosted OCSP is CA agnostic, so whether you provisioned your device certificates on an internal, locally-hosted PKI or obtained them from a CA other than GlobalSign, all existing IoT device certificates can be accommodated and managed throughout their lifecycles.
High operational expenses to maintain an on-prem VA (and other PKI components). IoT digital certificates can have extended validity periods that span months to several years, necessitating the establishment of certificate management, validation and revocation services that can extend beyond company acquisitions, employee turnover, and changing technology standards. Outsourcing these functions delivers real-time efficiencies without the exposure of financial, technology and personnel commitments.
Ease and speed of implementation. Speed adoption and operation: a RESTful API speeds integration with your on-premise PKI. Certificates are stored in our secure certificate inventory. Cloud-based OCSP servers handle high volumes of concurrent users, and OCSP responders push notifications to our content delivery network (CDN) to reduce network latency. Our reputable CDNs include top networks such as CloudFlare, Fastly, Tencent and Alibaba.
Simplified PKI management
The addition of professionally recognized (and certified) certificate revocation (VA) to on-premise CAs (eliminates need for staffing)
The tools and expertise to do the job right
Ensure status check and revocation capabilities extend beyond the certificate (or CA) lifecycle
Accommodates status checks for long validity certificates where maintaining a VA is not operationally feasible or financially prudent
Accommodates decommissioned ICAs – eliminates the existence of orphaned certificates
Manage all types of certificates, regardless of type or issuer (CA Agnostic)
We're certificate-type and CA agnostic
Whether you provisioned your device certificates on an internal, locally-hosted PKI or obtained them from a Certificate Authority (CA) other than GlobalSign, all existing IoT device certificates can be accommodated and managed throughout their lifecycles.
Minimize operational expense of locally-hosted PKIs
IoT digital certificates can have extended validity periods that span months to several years, necessitating the establishment of certificate management, validation and revocation services that can extend beyond company acquisitions, employee turnover and changing technology standards. Outsourcing these functions delivers real-time efficiencies while minimizing the exposure of financial, technology and personnel commitments.
Adhere to IETF’s RFC 6960
RESTful API speeds integration for fast certificate upload
Certificates are stored in our secure certificate inventory. Cloud-based OCSP servers handle high volumes of concurrent users and OCSP responders push notifications to our content delivery network (CDN) to reduce network latency. Our reputable CDNs include such top vendors as CloudFlare, Fastly, Tencent and Alibaba.
Ensure the ability to revoke the certificate after the chip/device leaves the production floor
The benefits of device identity are a competitive advantage that you can offer to customers.
Limits production of (extra) gray-market devices
Delivers security even before the product is shipped, during shipment, and at deployment
• Upload existing certificates to the GlobalSign Certificate Inventory using our Inventory API
• Select the method to digitally sign responses from the GlobalSign OCSP Responder:
  • With a Customer OCSP Delegated Signing Certificate through a self-managed PKI
  • With a GlobalSign OCSP Delegated Signing Certificate via the IoT Identity Platform
  • With a Direct Signing certificate from a copy of the customer's CA within the GlobalSign cloud
• Enable GlobalSign's authorized OCSP Responder for requests and responses through our reputable third-party content delivery network
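The three signing options above map onto the two signer types RFC 6960 (section 4.2.2.2) lets a relying party accept: a response signed directly with the issuing CA's key, or one signed by a delegated responder certificate that the same CA issued and that carries the id-kp-OCSPSigning extended key usage. The device or back-end service consuming the hosted responder's answers has to make that check itself, or a revocation result from an unauthorised signer would be trusted. The example below is added here and is not GlobalSign's code or API; it builds a throwaway CA, device certificate and responder certificate in-process with the `cryptography` package (assumed installed), signs a GOOD response each way, and shows the client-side acceptance logic, including rejection of a signer that lacks the OCSP-signing EKU.

```python
"""Added example (not GlobalSign's code): RFC 6960 responder acceptance logic.
The CA, device and responder certificates below are constructed toy artefacts."""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID

NOW = datetime.now(timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_cert(cn, issuer_cert, issuer_key, key, extensions):
    """Issue a certificate; issuer_cert=None means self-signed (the toy CA)."""
    builder = (x509.CertificateBuilder()
               .subject_name(_name(cn))
               .issuer_name(issuer_cert.subject if issuer_cert else _name(cn))
               .public_key(key.public_key())
               .serial_number(x509.random_serial_number())
               .not_valid_before(NOW - timedelta(minutes=5))
               .not_valid_after(NOW + timedelta(days=3650)))
    for ext, critical in extensions:
        builder = builder.add_extension(ext, critical)
    return builder.sign(issuer_key, hashes.SHA256())


# Constructed toy PKI: issuing CA, one device cert, one delegated OCSP responder
# cert (id-kp-OCSPSigning), and one ordinary end-entity cert that must NOT be
# accepted as an OCSP signer even though the same CA issued it.
CA_KEY = ec.generate_private_key(ec.SECP256R1())
CA_CERT = make_cert("Toy IoT Issuing CA", None, CA_KEY, CA_KEY,
                    [(x509.BasicConstraints(ca=True, path_length=None), True)])
DEVICE_KEY = ec.generate_private_key(ec.SECP256R1())
DEVICE_CERT = make_cert("device-0001", CA_CERT, CA_KEY, DEVICE_KEY, [])
RESPONDER_KEY = ec.generate_private_key(ec.SECP256R1())
RESPONDER_CERT = make_cert(
    "Toy OCSP Responder", CA_CERT, CA_KEY, RESPONDER_KEY,
    [(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.OCSP_SIGNING]), False),
     (x509.OCSPNoCheck(), False)])
ROGUE_KEY = ec.generate_private_key(ec.SECP256R1())
ROGUE_CERT = make_cert("device-0002", CA_CERT, CA_KEY, ROGUE_KEY, [])


def build_response(signer_cert, signer_key):
    """Sign a single-certificate GOOD response about DEVICE_CERT with the given signer."""
    builder = (ocsp.OCSPResponseBuilder()
               .add_response(cert=DEVICE_CERT, issuer=CA_CERT, algorithm=hashes.SHA256(),
                             cert_status=ocsp.OCSPCertStatus.GOOD, this_update=NOW,
                             next_update=NOW + timedelta(hours=12),
                             revocation_time=None, revocation_reason=None)
               .responder_id(ocsp.OCSPResponderEncoding.HASH, signer_cert))
    if signer_cert is not CA_CERT:
        builder = builder.certificates([signer_cert])  # delegated responder ships its cert
    return builder.sign(signer_key, hashes.SHA256())


def _sig_ok(pubkey, signature, data, hash_alg):
    try:
        pubkey.verify(signature, data, ec.ECDSA(hash_alg))
        return True
    except InvalidSignature:
        return False


def signer_is_authorized(response, ca_cert):
    """Classify the response signer per RFC 6960 4.2.2.2; returns a short reason string."""
    if response.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return "not-successful"
    h = response.signature_hash_algorithm
    # Case 1: signed directly with the issuing CA's key ("Direct Signing" above).
    if _sig_ok(ca_cert.public_key(), response.signature, response.tbs_response_bytes, h):
        return "direct-ca"
    # Case 2: delegated responder; its certificate travels inside the response.
    for cand in response.certificates:
        if not _sig_ok(cand.public_key(), response.signature, response.tbs_response_bytes, h):
            continue
        issued_by_ca = cand.issuer == ca_cert.subject and _sig_ok(
            ca_cert.public_key(), cand.signature, cand.tbs_certificate_bytes,
            cand.signature_hash_algorithm)
        if not issued_by_ca:
            return "delegate-not-issued-by-ca"
        try:
            eku = cand.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
        except x509.ExtensionNotFound:
            return "delegate-missing-ocsp-signing-eku"
        if ExtendedKeyUsageOID.OCSP_SIGNING not in eku:
            return "delegate-missing-ocsp-signing-eku"
        return "delegated"
    return "unauthorized-signer"


def check_device_status(response, device_cert, ca_cert):
    """Client decision: authorised signer, response about our serial, then the status."""
    who = signer_is_authorized(response, ca_cert)
    if who not in ("direct-ca", "delegated"):
        return ("reject", who)
    if response.serial_number != device_cert.serial_number:
        return ("reject", "serial-mismatch")
    return ("accept", response.certificate_status.name)
```

`check_device_status` deliberately stops at signer authorisation, serial match and status; a production client also enforces the `this_update`/`next_update` window so a cached GOOD answer cannot be replayed past its freshness, and a delegated responder certificate without id-pkix-ocsp-nocheck would itself need a status check.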