The security of cryptographic communication protocols that use X.509 certificates depends on the correctness of those certificates. This paper proposes a system that helps to ensure the correct operation of an X.509 certification authority and its registration authorities. We achieve this goal by enforcing a policy-defined, multi-party validation and authorization workflow of certificate signing requests. Besides, our system offers full accountability for this workflow for forensic purposes. As a foundation for our implementation, we leverage the distributed ledger and smart contract framework Hyperledger Fabric. Our implementation inherits the strong tamper-resistance of Fabric which strengthens the integrity of the computer processes that enforce the validation and authorization of the certificate signing request, and of the metadata collected during certificate issuance.
@article{arxiv.2004.07063,
title = {Hardening X.509 Certificate Issuance using Distributed Ledger Technology},
author = {Holger Kinkelin and Richard von Seck and Christoph Rudolf and Georg Carle},
journal= {arXiv preprint arXiv:2004.07063},
year = {2020}
}