MTG Public Key Infrastructure Platform - MTG CARA

Multi-tenant Capability

• Management of large volumes of certificates by domain concept

CA Hierarchy

• Offline/online Root CA
• Subordinate CAs
• Unrestricted number of Root and Sub CAs

Support of Different Applications

• Certificate formats: X.509, Card Verifiable Certificates (CVC), Attribute Certificates (AC), Post-Quantum-Cryptography Certificates etc.
• Certificate templates for CA, mail, TLS, IoT, network devices, mobile

Easy Integration into Applications

• REST API for registration authorities, certificate lifecycle management, corporate frontends, …

HSM Support

• Hardware Security Module support using PKCS#11 or HSM vendor specific interfaces (Utimaco, Thales, Entrust)
• LAN HSMs, Smart Cards, USB HSM

Crypto-Agility

• Easy and smooth replacement of cryptographic algorithms
• PQC support already integrated

Certification and Evaluation

• MTG CARA can use Hardware Security Modules which are Common Criteria EAL4+ certified (e.g. Utimaco)
• MTG CARA can be operated according to BSI TR-03145 Secure Certification Operation
• All processes at MTG including development are certified according to ISO 27001

Identity Management

• OpenID Connect and SAML support
• Strong authentication using X.509 Certificates
• Usable for API and operator authentication

High Availability / Scalability

• MTG CARA is specifically designed to operate in clustered, high available environments
• All its components (database, web servers, HSMs) can scale up and down independently according to operational needs. MTG CARA is designed to work well in a clustered, high availability setup

Roles and Rights Management

• Separation of roles and rights (e.g., according to BSI TR-03145)
• Special rights and roles concept for mapping your organizational structure

LDAP/Active Directory Integration

• Certificates and CRLs can be exported to LDAP server or Active Directory

Smart Card support

• Smart card support of web applications 
• Easy integration into web browser
• Support of different smart cards (e.g., ID Key, NetKey, SignatureCard, CardOS, Starcos)
• Use cases:
  
  • Personalization of smart cards
  • Certificate creation
  • User authentication
  • PDF signatures
  • PIN/PUK management

Certificate Revocation

• OCSP responder according RFC 6960
• OCSP stapling according to RFC 6961
• LDAP and HTTP CRL distribution point support 
• Reliable and high performance
• Logging & auditing