How and why LuxTrust migrated to the Nexus certificate authority software
Luxembourg’s national trust services provider LuxTrust migrated to identity and security company Nexus Group’s certificate authority (CA) software in 2017. “As of 2019, switching to the Nexus software has proved to be beneficial both for us as a company and for the citizens of Luxembourg. The migration process was straightforward and had low business impact, thanks to competent help from Nexus,” says Ralph Berkes, chief engineer at LuxTrust.
LuxTrust’s core business is to issue electronic identities (eIDs) to everybody living or working in Luxembourg. The electronic identities are used to grant secure access to a wide range of e-services within both the private and public sector, and to make legally binding digital signatures.
LuxTrust is fully eIDAS certified
“People can get one private eID and one employee eID, which are stored centrally and accessed via mobile apps, smart cards or hard tokens,” says Pascal Rogiest, CEO of LuxTrust.
The electronic identities are based on public key infrastructure (PKI) certificates, and LuxTrust is fully certified according to the EU regulation eIDAS (electronic identification, authentication and trust services).
“Our services are ranked as having the highest possible quality: our certificates are deemed ‘qualified,’ according to eIDAS,” says Rogiest.
The previous setup didn’t meet the needs
At the heart of a PKI is the certificate authority software, which issues and manages the certificates. Prior to August of 2017, LuxTrust used a certificate authority software from a large American vendor.
“We had outsourced the management of this certificate authority software to another company, but this setup didn’t meet our specific needs,” says Berkes.
Why did you want another certificate authority software?
“We experienced limitations and drawbacks with the software. All software has its pros and cons, and there were good things with our previous certificate authority software. But the drawbacks took the upper hand. It was complicated to operate and upgrade, mainly because it required a dedicated instance of the software per certificate authority – that is, it wasn’t multitenant,” says Berkes.
This meant that every time LuxTrust wanted to make changes to the certificate authority software, they had to make the changes in every separate instance of the software. With multitenant software – such as the Nexus certificate authority software – many certificate authorities can be run on the same instance of the software.
Tough demands on the new software
“So, multitenancy was one of our main requirements when we started to look for a new CA software supplier. But we had a range of other important requirements too: first of all, the CA software of course has to be reliable and efficient, and appropriately certified. We also wanted a suitable pricing model, and we had tough demands on flexibility and detailed requirements on the certificates,” says Berkes.
At the end of 2016, LuxTrust initiated a project with the aim of migrating the certificate authorities to a new certificate authority software, run on their own servers.
Workshops with potential suppliers
“The process of choosing a new CA software involved workshops with potential suppliers, where we got to test out their CA software and see if they could fulfil our requirements. Among other things, we wanted to see how we could create and change policies, and change configurations, and how we could integrate the CA software with our services,” says Berkes.
What’s your best advice for people in the process of choosing a new CA software?
“To have these workshops, where you are allowed to play with the software. It’s very important to be able to see how the software functions in reality. Someone can show you a PowerPoint presentation about a CA software, and it looks really good – but you don’t know if it’s really true. When you play with it, you can discover problems with it and challenge the supplier,” says Berkes.
Nexus committed to meet all demands
The Nexus certificate authority software didn’t originally meet all of LuxTrust’s demands, but Nexus committed to developing the software further and delivering the missing functionality in coming releases.
“And Nexus has fulfilled its promises. We are happy with the solution: it functions as expected,” says Berkes.
What are the biggest benefits with the Nexus CA software?
“One very important aspect is the pricing model, as it gives us flexibility when volumes and transactions increase over time. Other important benefits are that the application is very straightforward to use, and that it provides all the audit logs and all the access controls we need: we can limit the functionality to different roles, and that’s very important for us since we are heavily regulated. And as I’ve already mentioned, the multitenancy feature is also very important to us. There are also a number of other useful features that we benefit from, and we appreciate that Nexus develops more features continuously,” says Berkes.
Are the citizens and organizations of Luxembourg also experiencing improvements after the software change?
“The benefits of the Nexus software are most noticeable for us internally, but there are a number of benefits for the citizens and organizations as well, and there are more to come,” says Berkes.
Migration of the cryptographic keys
LuxTrust operates the Nexus certificate authority software as a certificate factory and OCSP (Online Certificate Status Protocol) responder for certificate status validation.
“We have a redundant system: we have two data centres for the online CAs, and we have two offline CAs on computers in safes. The registration authority is a portal that we have developed ourselves,” says Berkes.
The migration from the old CA software began with migration of the cryptographic keys to a new hardware security module (HSM) at the end of July 2017.
“This was a critical operation, as the keys are the heart of the CA. The migration took place in a secure room with an auditor present,” says Berkes.
A migration team of five people
The migration to the new CA software took place at the end of August 2017.
“We started at 2 p.m. on a Saturday, to minimize the impact on our users. Pretty much everybody in Luxembourg uses our services, so it’s really important that the system is up and running,” says Berkes.
The migration team consisted of Berkes and three more people from LuxTrust, plus Christophe Cauche, technical account manager at Nexus.
“We also got some help from the company that had managed the old CA software, but we wanted to involve them as little as possible. I’m very happy with Christophe’s contributions: he has been very supportive and active during the entire project,” says Berkes.
Went smoother than expected
During the migration, two root CAs, seven sub-CAs, a number of certificate policies, and many certificates were imported to the Nexus CA software.
“We had done a test migration earlier, but during the sharp migration we ran into an issue nonetheless: when we imported the certificate revocation list it was so big that the application became unresponsive. We restarted the application, and that solved the problem. So, overall it was a straightforward migration that went smoother than expected. We all stayed at our premises all night, and at 7 o’clock on Sunday morning we were finished,” says Berkes.
LuxTrust recommends Nexus
The Nexus CA software has now (as of January 2019) been up and running for 1.5 years, and Berkes says that he can wholeheartedly recommend both the software and Nexus.
“If we have any questions, we contact the Nexus support team or Christophe. It’s really important to always have access to a competent technical consultant from the supplier, and Nexus is really great in this aspect. When it comes to the commercial parts, our Nexus contact is Philippe Fonton, director for France at Nexus. We are very satisfied with the way he managed the commercial discussions and the Nexus team availability,” says Berkes.
A part of the Nexus Smart ID platform
The Nexus general-purpose certificate authority software is a part of the Nexus Smart ID platform, which is used by large organizations all around the world to enable trusted corporate identities or secure communication in Internet of Things (IoT) applications such as connected cars.
Magnus Malmström, CEO of Nexus, is pleased that LuxTrust opted for the Nexus CA software.
“As a national trust service provider, LuxTrust is a heavily regulated organization with very high demands on their CA software, so having them choose us is a real badge of honor. The migration project from legacy CA software assured low business impact for LuxTrust, which is a strong endorsement of the great technical skills we have at Nexus,” says Malmström.