Introduction

What is AVX One Platform?

AVX One Platform refers to a unified solution offered by AppViewX designed to simplify and automate the management of various infrastructure components, such as PKI (Public Key Infrastructure), SSL/TLS certificates, load balancers, and application delivery controllers (ADCs), among other network and security resources.

Key features of AVX One Platform include:

  1. Centralized Management: AVX One provides a centralized platform for managing multiple components, including certificates, keys, and security policies, making it easier for organizations to maintain security across their infrastructure.
  2. Automation: It offers automation capabilities for tasks such as certificate lifecycle management, certificate discovery, renewal, and revocation. This reduces manual errors and improves operational efficiency.
  3. Multi-cloud & Hybrid Cloud Support: The platform supports both on-premises and cloud-based deployments, allowing organizations to manage their infrastructure across multi-cloud and hybrid cloud environments.
  4. PKI Management: AVX One simplifies the deployment, configuration, and operation of Public Key Infrastructure (PKI), enabling organizations to create, manage, and deploy certificate authorities (CAs), and handle certificate issuance, revocation, and validation.
  5. Security & Compliance: The platform helps ensure compliance with various security standards and industry regulations, particularly related to encryption and certificate management.
  6. Integrations: AVX One integrates with various third-party systems, including cloud services, load balancers, and network security appliances, offering flexibility for businesses with complex IT environments.

In summary, AVX One Platform is an integrated, scalable solution designed to streamline and secure the management of infrastructure resources, particularly focusing on PKI, certificates, and related security operations.

CERT Architecture

The following diagram illustrates the CERT architecture:

What is AppViewX PKI?

AppViewX PKI is a comprehensive solution for managing Public Key Infrastructure (PKI) and digital certificates within an organization's IT environment. It simplifies the entire lifecycle of digital certificates, providing tools for automated certificate management, secure key management, and ensuring compliance with security policies.

What is AppViewX Native CA?

AppViewX introduces its own Certificate Authority (CA), AppViewX Native CA, for PKI initialization. It enables customers to take advantage of Post-Quantum Cryptography (PQC) capabilities so that the infrastructure remains secure in the era of quantum computing.
Note: PKI can be initialized using either the AppViewX CA backend (PKIaaS Native) or a Cloud CA backend (Standard).

Key Features

  • Post-Quantum Cryptography (PQC) support: Supports NIST-standardized PQC algorithms and selected algorithms from the fourth round of NIST's post-quantum standardization process.
  • Customizable Certificate Templates: Allows users to create tailored certificate authorities (CAs) with custom templates and offers pre-configured templates for different types of end certificates.
  • CA Key Storage Mechanisms:
    • CA Key with On-Prem HSM (BYOD): Seamlessly integrates with external HSM vendors for cryptographic operations. HSMs supported by AppViewX Native CA are:
      • Fortanix with FIPS
      • Fortanix without FIPS
      • Thales DPOD
      • Thales GPN
      • Utimaco
      • Entrust
    • CA Key with Cloud HSM (BYOD or AVX Provided): Requires connectivity on port 443 to the external Cloud HSM provider.
    • AVX Managed Key: This is a key management service provided by AppViewX, which is part of the PKI solution. The AVX Managed Key feature is designed to streamline and automate the generation, storage, and lifecycle management of cryptographic keys used in PKI, SSL/TLS certificates, and other security operations.
  • Enhanced Security – Airgapped Root CA: Enhances security with offline Root CA deployment support.
  • Revocation List Management – Custom CRLDP & OCSP: Provides customizable Certificate Revocation List Distribution Points (CRLDP) and Online Certificate Status Protocol (OCSP) services.
  • Auto-Enrollment Support: Simplifies certificate enrollment with support for SCEP, EST, ACME, WAEP, and Microsoft Intune protocols.
  • Support for Short-Lived Certificates: Short-lived certificates are SSL/TLS certificates issued with a very short validity period, typically ranging from a few days to a few months. With shorter validity periods, automated tooling (such as the ACME protocol for certificate management and MDM tools) becomes more common, which encourages automated certificate renewal, reduces human error, and increases operational efficiency. Short-lived certificates are more secure because the attack surface is minimized when certificates are rotated more frequently. If a certificate is compromised, revocation becomes more effective because the certificate will expire quickly anyway.
  • PKI Dashboard: Features an intuitive dashboard for streamlined certificate and CA management.
  • Security: AppViewX Native CA provides Quantum-Resilient Security by implementing algorithms such as Dilithium, Falcon, and SPHINCS+ to protect data against quantum attacks.
Note: AppViewX PKIaaS offers 99.5% availability by default as a multi-tenant SaaS solution.

Key Types, Hash Functions, and Key Sizes supported by AppViewX Native CA

| Key Types | Hash Functions | Key Sizes |
|---|---|---|
| SPHINCS PLUS (SLH-DSA) | SHAKE256, HARAKA256, SHA256 | 256, 384, 512 |
| DILITHIUM (ML-DSA) | SHAKE256 | 10496, 15616, 20736 |
| FALCON (Beta) | SHAKE256 | 7176, 14344 |
| EC | SHA160, SHA224, SHA256, SHA3-224, SHA3-256, SHA384, SHA512 | 160, 163, 191, 192, 193, 224, 233, 239, 256, 283, 320, 359, 384, 409, 431, 512, 521, 571 |
| DSA | SHA160, SHA224, SHA256, SHA3-224, SHA3-256, SHA384, SHA512 | 1024, 2048 |
| RSA | SHA160, SHA224, SHA256, SHA3-224, SHA3-256, SHA384, SHA512 | 1024, 2048, 3072, 4096, 7680, 8192 |

Supported Signature Algorithms for CA Certificate Creation

This section delineates the signature algorithms supported for certificate generation. Each algorithm comprises three fundamental elements:

  • Key type and scheme: (for example, RSA, EC, DSA, Falcon, Dilithium, SPHINCS+)
  • Key size / security parameter: (for example, 2048, 3072, 4096 bits for RSA, or parameter sets for PQC algorithms)
  • Hash or digest function: (for example, SHA-256, SHA-384, SHA-512, SHAKE256). The hash function specified within each algorithm is used to hash the certificate during the certificate signing process, as described below.

Examples of Hash functions used in Supported Algorithms
  • SHA-256: Generates a 256-bit output, which is widely adopted and serves as the baseline for most contemporary PKI systems.
  • SHA-384: Generates a 384-bit output, offering an elevated security posture compared to SHA-256.
  • SHA-512: Generates a 512-bit output, particularly well-suited for high-security environments.
  • SHAKE256: An extendable-output hash function from the SHA-3 family, engineered for versatility and post-quantum applications.

The selection of the hash function directly influences the certificate signing.

Traditional Algorithm
  • RSA Algorithm: RSA (Rivest–Shamir–Adleman) is one of the most widely used asymmetric cryptographic algorithms.
    • Algorithm Format
      RSA_<SCHEME>_<KEYSIZE>_<HASH>
      
      Note: The algorithm name, scheme, and key size correspond to the CA Certificate key generated during the Create CA operation. The specified hash algorithm is used by the CA to sign child certificates.
    • Scheme:
      • PKCS1: Based on the PKCS #1 standard. It specifies the padding and encoding methods for RSA signatures. Commonly used and well-supported.
      • PSS: Stands for Probabilistic Signature Scheme. A modern, more secure padding method for RSA signatures, recommended by NIST.
    • Key Size (2048, 3072, 4096): Bit length of the RSA key. Dictates the security strength. Larger keys enhance security but may lead to diminished performance.
    • Examples
      • RSA_PKCS1_2048_SHA256: Uses PKCS#1 v1.5 padding, a 2048-bit key, and the SHA-256 hash algorithm.
      • RSA_PKCS1_4096_SHA512: A high-security configuration with PKCS#1 padding, 4096-bit key, and SHA-512.
      • RSA_PSS_3072_SHA256: Uses PSS padding, a 3072-bit key, and SHA-256 for enhanced security.
  • EC (Elliptic Curve) Algorithm: Elliptic Curve Cryptography (ECC) offers comparable security to RSA with reduced key sizes, thereby facilitating faster operations.
    • Algorithm Format
      EC_<CURVE>_<HASH>
      Note: The algorithm name and EC curve pertain to the CA Certificate key generated during the Create CA operation. The Hash indicates the algorithm the CA will employ for signing child certificates.
      Examples:
      • EC_P256_SHA256: Uses the NIST P-256 curve with SHA-256 hashing.
      • EC_P384_SHA384: Uses the NIST P-384 curve with SHA-384 hashing.
      • EC_P521_SHA512: Uses the NIST P-521 curve with SHA-512 hashing.
  • DSA with PSS: DSA (Digital Signature Algorithm) with PSS padding is less prevalent but remains supported within certain environments.
    • Algorithm Format
      DSA_PSS_<KEYSIZE>_<HASH>
      Note: The algorithm name, scheme, and key size pertain to the CA Certificate key generated during the Create CA operation. The Hash indicates the algorithm the CA will employ for signing child certificates.
    • Examples
      • DSA_PSS_1024_SHA256: A 1024-bit DSA implementation with PSS padding and SHA-256.
      • DSA_PSS_2048_SHA256: A 2048-bit DSA offering enhanced security.

Post-Quantum Cryptography (PQC) (Enabled only for PKIaaS Native CA)

NIST is actively engaged in standardizing algorithms resilient to quantum attacks. The following algorithms are post-quantum signature schemes.

  • Dilithium (Lattice-based): Dilithium is recognized as a leading candidate for standardization. Larger parameter sets denote superior security.
    • Algorithm Format
      DILITHIUM_<KeySize>_<HASH>
      Note: The algorithm name and key size pertain to the CA Certificate Key generated during the Create CA operation. SHAKE256 is the algorithm the CA uses for signing child certificates.
    • Supported Cryptography
      • DILITHIUM_10496_SHAKE256
      • DILITHIUM_15616_SHAKE256
      • DILITHIUM_20736_SHAKE256
  • SPHINCS+ (Hash-based): SPHINCS+ is considered a conservative, hash-based approach, though it tends to produce larger signature sizes compared to Falcon/Dilithium.
    • Algorithm Format
      SPHINCSPLUS_<SECURITY_LEVEL><MODE>_<HASH>
      Note: The algorithm name, security level, and generation mode pertain to the CA Certificate key generated during the Create CA operation. The hash indicates the algorithm the CA will employ for signing child certificates.
    • Security level: 128, 192, 256 bits.
    • Mode: F = Fast (characterized by smaller signatures and quicker signing), S = Small (characterized by smaller public keys and slower performance)
    • Hash function: SHAKE256 or the SHA-2 family (SHA-256, SHA-384, SHA-512).
    • Supported Cryptography
      • SPHINCSPLUS_128F_256_SHAKE256
      • SPHINCSPLUS_128S_256_SHAKE256
      • SPHINCSPLUS_192F_384_SHAKE256
      • SPHINCSPLUS_192S_384_SHAKE256
      • SPHINCSPLUS_256F_512_SHAKE256
      • SPHINCSPLUS_256S_512_SHAKE256
      • SPHINCSPLUS_128F_256_SHA256
      • SPHINCSPLUS_128S_256_SHA256
      • SPHINCSPLUS_192F_384_SHA256
      • SPHINCSPLUS_192S_384_SHA256
      • SPHINCSPLUS_256F_512_SHA256
      • SPHINCSPLUS_256S_512_SHA256
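
As an added example (not AppViewX code), the Python below parses the signature algorithm identifiers described in this section against the formats and the key type table on this page, then flags entries that fall under a local policy. The function names, the policy thresholds (2048-bit minimum for RSA/DSA, SHA160 banned) and the sample identifiers are assumptions. The SPHINCS+ pattern follows the identifiers as listed, which carry a key-size field between the mode and the hash.

```python
import re

# Values transcribed from the page's table and algorithm lists.
CLASSIC_HASHES = {"SHA160", "SHA224", "SHA256", "SHA3-224", "SHA3-256", "SHA384", "SHA512"}
SIZES = {"RSA": {1024, 2048, 3072, 4096, 7680, 8192}, "DSA": {1024, 2048},
         "DILITHIUM": {10496, 15616, 20736}}
SPHINCS_KEYSIZE = {"128": 256, "192": 384, "256": 512}  # level -> listed key size
PATTERNS = {
    "RSA": r"RSA_(?P<scheme>PKCS1|PSS)_(?P<size>\d+)_(?P<hash>[A-Z0-9-]+)",
    "DSA": r"DSA_(?P<scheme>PSS)_(?P<size>\d+)_(?P<hash>[A-Z0-9-]+)",
    "EC": r"EC_(?P<curve>P\d+)_(?P<hash>[A-Z0-9-]+)",
    "DILITHIUM": r"DILITHIUM_(?P<size>\d+)_(?P<hash>SHAKE256)",
    "SPHINCSPLUS": r"SPHINCSPLUS_(?P<level>128|192|256)(?P<mode>[FS])_(?P<size>\d+)"
                   r"_(?P<hash>SHAKE256|SHA256)",
}

def parse_algorithm(name):
    """Split an identifier into fields; raise ValueError if the page does not list it."""
    hits = [(fam, m) for fam, p in PATTERNS.items() if (m := re.fullmatch(p, name))]
    if not hits:
        raise ValueError("identifier not in a supported format")
    family, m = hits[0]
    f = {"family": family, **m.groupdict()}
    f["size"] = int(f["size"]) if "size" in f else None
    if family in ("RSA", "DSA", "EC") and f["hash"] not in CLASSIC_HASHES:
        raise ValueError("hash not in supported table")
    if family in SIZES and f["size"] not in SIZES[family]:
        raise ValueError("key size not in supported table")
    if family == "SPHINCSPLUS" and SPHINCS_KEYSIZE[f["level"]] != f["size"]:
        raise ValueError("security level / key size pair not listed")
    return f

def audit(names, min_classic_bits=2048, banned_hashes=("SHA160",)):
    """Return (name, reason) findings. Thresholds are an assumed local policy."""
    findings = []
    for name in names:
        try:
            f = parse_algorithm(name)
        except ValueError as exc:
            findings.append((name, str(exc)))
            continue
        if f["family"] in ("RSA", "DSA") and f["size"] < min_classic_bits:
            findings.append((name, f"key size below {min_classic_bits} bits"))
        if f["hash"] in banned_hashes:
            findings.append((name, "hash banned by policy"))
    return findings

# Constructed sample identifiers, as they might appear in a CA inventory export.
SAMPLE = ["RSA_PSS_3072_SHA256", "DSA_PSS_1024_SHA256", "EC_P384_SHA160",
          "DILITHIUM_15616_SHAKE256", "SPHINCSPLUS_192F_256_SHAKE256", "RSA_PKCS1_2048_MD5"]
```

Calling `audit(SAMPLE)` returns one finding per rejected identifier, so the same function can gate a CA creation request or review an existing inventory.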