clca
Professional offline Root-CA.
clca is the lean, secure solution for the company's own Root CA. A bootable live image ensures that the Root CA only needs to be taken out of the vault when it is needed – with customer-specific runbooks that guide operators step by step through each ceremony.
Fully configured, PQC-ready and prepared for your next CA rollover.
clca: Highlights
- Turnkey boot medium – Complete CA runtime environment as a bootable Linux image, including all necessary cryptographic tools.
- Command-line based, auditable and reproducible – Every operation is traceable and delivers consistent results.
- Flexible key protection – From simple passphrase to software-based k/n Secret Sharing through to HSM-protected keys.
- Crypto-agility built in – Support for RSA, ECDSA and post-quantum algorithms (PQC).
- Template-based provisioning – Automatic generation of complete CA configurations with support for CA rollover and generation changes.
- Guided CA ceremonies – Customer-specific runbooks guide operators step by step through all CA operations in the runtime environment.
Features
- Management of any number of independent CA instances in a single installation.
- Complete lifecycle: CA creation, certificate issuance (root, sub-CA and end-entity certificates), revocation and CRL generation.
- Customer-specific runbooks with step-by-step instructions, available directly as documentation in the runtime environment.
- Template-based provisioning: YAML templates generate complete CA configurations with a single command, supporting CA generation changes (rollovers) at consistent configuration quality.
- Support for RSA (configurable key lengths), ECDSA (configurable curves) and post-quantum algorithms.
- Prepared for post-quantum migration – quantum-resistant algorithms are already integrated and ready for use.
- Protection of infrastructure keys: vendor-independent HSM support via PKCS#11 interface. Any required HSM drivers are installed at runtime in a RAM disk overlay during the boot process. Alternatively, software-based k-of-n Shamir's Secret Sharing is available.
- Full or partial air-gap operation possible: no incoming network connections, no listening services on public interfaces. Data import/export and backup with standard tools of common operating systems.
Use Cases
- High-security offline Root CA: Dedicated air-gap operation on its own device – the Root CA only comes out of the vault for planned ceremonies.
- Operation in virtualised environments: As an alternative to dedicated hardware, the environment can also be operated with the same functionality in common virtualisation environments.
- Guided key ceremonies: Customer-specific runbooks with concrete instructions are displayed directly in the runtime environment – operators work through the steps via copy & paste.
- CA generation change without risk: Rollover to a new CA generation with a single provisioning command. CDP and AIA URIs are automatically generated in a generation-specific manner.
- Multi-level key protection: Choice between simple passphrase, k-of-n Secret Sharing (also without HSM) or HSM-protected keys depending on security requirements. The same Secret Sharing set can be used for multiple CA instances.
- Customer-specific customisation: Extensible architecture for individual requirements such as code signatures, key import/export on hardware tokens or location-specific workflow adaptations.
Architecture and design principles
- "Plain vanilla" approach for best long-term stability: Linux-based, easily understandable base system with few, well-documented command-line tools.
- Command-line-based operation allows 100% reproducible results.
- Tools in source code, open data structures, file-based data storage without database, no dependency on proprietary binary tools.
Cryptography
- OpenSSL as the cryptographic basis for all certificate and key operations.
- PQC support via OpenSSL with Open Quantum Safe: liboqs (library with quantum-resistant algorithms) and oqs-provider (OpenSSL integration).
- Vendor-independent HSM integration via PKCS#11 interface. All HSMs with a PKCS#11 driver for Linux are supported in principle. Proven integration with: Entrust nCipher nShield, Thales Luna, Utimaco u.trust and Securosys Primus.
- As an alternative to simple passphrases, Shamir's Secret Sharing is available in a software implementation: configurable k-of-n quorums with passphrase-encrypted shares.
Runtime environment
- Compact, bootable Linux live image (ISO) for x86_64 platforms. Boots from USB or CD-ROM.
- Simple software updates by replacing the ISO image – configuration and data are retained on the persistence medium.
- Data persistence via a separate USB storage medium or other block device. Optionally with LUKS encryption.
- Data import/export and backup with standard tools of common operating systems.
- Operation also possible as a virtual machine (ISO as virtual CD-ROM).
Operation and documentation
- Customer-specific runbooks with concrete instructions for managing all Root CA use cases, directly usable via copy & paste in the runtime environment.
- A system information display on boot shows: OpenSSL version, PQC status, persistence and HSM recognition.
- Offline operation is recommended, but network connectivity is possible if required (no incoming connections by default, no publicly listening services).
Adaptability
- Flexibly and reproducibly adaptable via .clcalive customising: files, boot scripts and shutdown hooks can be applied without rebuilding the ISO.
- Extensible configuration via clca.cfg.d/ – customer-specific functions and workflow extensions as separate configuration files.
- Numerous options for complex authorisation processes and key operations that are fully auditable step by step.
Licence
The clca licence includes:
- Delivery of the ISO image for the runtime environment
- Creation of customer-specific configuration templates for the CA environments
- Creation of customer-specific documentation ("runbooks")