SmartCard-HSMs are great devices to store cryptographic keys. However, managing a bunch of token, setting up and running a PKI can be a quite daunting task.

This is going to change with the new PKI-as-a-Service portal. PKI-as-a-Service is an integrated, cloud-based solution to manage Certification Authorities, SmartCard-HSMs, keys and certificates. It builds on top of OpenSCDP technology to deliver impressive functionality and security.

The key idea of PKI-as-a-Service is, that you keep the keys and we run the process. In contrast to other cloud-based PKI solutions, the PKI-as-a-Service portal does not store cryptographic keys on the server. Instead keys are always located on a SmartCard-HSM, that you connect to the portal only when needed. At all other times the keys are offline, so you can keep them at a safe place.

But how does that work ? It requires an unique feature build into any SmartCard-HSM, the remote management capability. This feature allows to establish a secure communication channel between the device and the portal. The portal identifies and authenticates the remote SmartCard-HSM to establish end-to-end encryption and integrity protection. Any operation performed by the portal with a remote device is protected against information leakage and interception by a third party.

The remote managment capability also works the other way around: You deploy a SmartCard-HSM to an user or system and have it managed by the PKI-as-a-Service portal. Again, the device is connected only when the user performs activities in the portal or - in case of a device attached to a system - periodically when needed.

All activities in the PKI-as-a-Service portal are based on a workflow system, which effectively handles service requests created by users, systems or timed activities. Users can be assigned roles in order to perform tasks in a workflow, like for example request approval, device management, certification service or other management activities.

Access to the portal requires a SmartCard-HSM for 2nd-factor authentication. No need to remember login names and passwords. You just need your SmartCard-HSM’s PIN. But wait a second: Entering the PIN in a web application ? No need to do that, as the PIN verification is handled only locally on your system. It can be keyed-in using a card reader with PIN-PAD or using the PIN dialog in the OCF daemon. The PIN is never transmitted to the portal, it’s the SmartCard-HSM that reports successful PIN verification to the portal.

Signing up at the PKI-as-a-Service portal is free and allows you to request certificates from a public CA like the CardContact Developer Network CA.

The PKI-as-a-Service is available at A sandbox is available for testing.