GEISA PKI Certificate Profiles
The P-521 (secp521r1) Elliptic Curve Cryptography (ECC) curve SHALL be used for GEISA certificates to provide an acceptable interim level of pre-quantum security for GEISA 1.0 while the industry transitions to broader support for Post Quantum Cryptography (PQC) cipher suites. The standard ECDSA signature algorithm as defined in ANSI X9.62 and FIPS 186-5 SHALL be used with the NIST P-521 curve and the hash method SHALL be SHA-512. The valid lifetime of a GEISA certificate SHOULD be a function of local Utility security policy; a GEISA CA SHOULD support configurable validity dates at runtime.
App Code Signing
GEISA Code Signing Sub CA Certificate
<TODO>
GEISA Code Signing Certificate
<TODO>
Field Identity Management
GEISA Sub CA Certificate
The GEISA Subordinate Certificate Authority certificate SHALL be chained up to a utility or deployment specific Trust Anchor as specified in https://lf-energy.atlassian.net/wiki/x/A4BUGw. The GEISA Sub CA Certificate format is defined in RFC 5280 with additional requirements described below. The GEISA Sub CA certificate SHALL include the following fields:
Field Name | RFC 3280 Data Type | Value |
TBSCertificate { | SEQUENCE | Certificate contents |
Version | INTEGER | 3 |
serialNumber | INTEGER | Unique positive integer |
Signature | AlgorithmID | ecdsa-with-SHA512 |
Issuer | Name | C=country, ST=state, O=organization, CN=Utility-Sub-CA |
validity { | SEQUENCE |
|
notBefore | Time | Datetime of certificate signing |
notAfter | Time | XX years after notBefore date |
} |
|
|
Subject | Name | C=country, ST=state, O=organization, CN=GEISA-Sub-CA |
subjectPublicKeyInfo { | SEQUENCE |
|
algorithm | AlgorithmID | id-ecPublicKeyASN1 |
subjectPublicKey | BIT STRING | 1042-bit public key |
} |
|
|
extensions | Extensions | See the Certificate Extensions table |
} |
|
|
signatureAlgorithm | AlgorithmID | ecdsa-with-SHA512 |
signatureValue | BIT STRING | The certificate digital signature |
The GEISA Sub CA certificate SHALL include the following extensions. The GEISA Sub CA certificate SHALL NOT include any additional critical extensions.
Extension Name | Critical | Value |
authorityKeyIdentifier | N |
|
keyUsage | Y |
|
subjectKeyIdentifier | N |
|
basicConstraints | Y |
|
GEISA LDevID Certificate
The GEISA Local Device Identifier (LDevID) certificate MAY be issued to the following End Entities:
EMS and Edge Env - LwM2M application level DTLS transport layer security
Edge App (future; requires unique app instance ID specification)
The GEISA LDevID certificate format is defined in RFC 5280 with additional requirements described below. The GEISA LDevID certificate SHALL include:
Field Name | RFC 3280 Data Type | Value |
TBSCertificate { | SEQUENCE | Certificate contents |
Version | INTEGER | 3 |
serialNumber | INTEGER | Unique positive integer |
Signature | AlgorithmID | ecdsa-with-SHA512 |
Issuer | Name | C=country, ST=state, O=organization, CN=GEISA-CA |
validity { | SEQUENCE |
|
notBefore | Time | Date time of certificate signing |
notAfter | Time | XX years after notBefore date |
} |
|
|
Subject | Name | Subject name shall be a globally unique immutable device id (EUI-64 or IMEI) of the Edge Env, specified in the Certificate Signing Request with colons removed. Examples:
|
subjectPublicKeyInfo { | SEQUENCE |
|
algorithm | AlgorithmID | id-ecPublicKeyASN1 |
subjectPublicKey | BIT STRING | 1042-bit public key |
} |
|
|
extensions | Extensions | See the Certificate Extensions table |
} |
|
|
signatureAlgorithm | AlgorithmID | ecdsa-with-SHA512 |
signatureValue | BIT STRING | The certificate digital signature |
The GEISA LDevID Device certificate SHALL include the following extensions. The GEISA LDevID Device certificate SHALL NOT include any additional critical extensions.
Extension Name | Critical | Value |
authorityKeyIdentifier | N |
|
keyUsage | Y |
|
extendedKeyUsage | N |
|
subjectAltName | Y | Examples:
|