Digital Signing Certificate Management for generating EU Digital COVID Certificates

  • Nikhil Jhingan
  • Jul 06, 2021

Qryptal Secure Code System can work for this too

Overview

Qryptal Secure Code System (QSCS) can generate many types of secure codes, including Digital COVID Certificates (DCC), earlier known as Digital Green Certificates (DGC). The DCC is a new open standard published by the EU Digital COVID Certificates (EUDCC) project. It is meant to issue three types of certificates:

a) Vaccination Certificates (‘v’): for vaccinated people to receive proof of vaccination.

b) Recovery Certificates (‘r’): some countries have established specific travel rules for people that have recently recovered from the COVID-19 disease. Instead of a test or vaccination certificate, such persons can be requested to present a recovery certificate.

c) Test Certificates (‘t’): for travellers to provide proof that their COVID-19 test result was negative.

Since public health is involved, there are specific guidelines that countries have to adhere to in order to ensure the integrity of these certificates. Security is underpinned by establishing a framework of Public Key Infrastructure and governance as detailed here.

DCC Generation

[Figure: DGC Generation]

The DSC (Digital Signing Certificate) contains the Public Key corresponding to the Private Key (inside the HSM in the diagram) used to sign the DGC (the secure QR code). The DSC itself is signed by the private key of the CSCA (Country Signing Certificate Authority). This establishes a chain of trust and ensures that a DSC used for verification is trusted and that no party can deliberately or accidentally change the Public Key encapsulated inside the DSC or publish a fake DSC. Verifiers then simply need the secure code and the DSC to validate:

  1. Validate the code content using the public key encapsulated inside the DSC.

  2. Typically, DSCs are sent securely to verifiers via a National Backend.

DSC Generation

[Figure: DSC Generation process]

The CSR (Certificate Signing Request) includes the Public Key corresponding to the Private Key in the HSM. In point (4) of the diagram above, the CSCA provides the DSC, which needs to be imported into QGEN (Qryptal QSCS Generator) and also published to the DGCG (Digital Green Certificate Gateway) so that other countries and verifiers can receive the new DSC and validate codes generated with it.

DSC and CSCA-DSC Governance

  1. As per the governance model published here, a new DSC needs to be generated every 6 months.

  2. Every time a new DSC is generated, it needs to be uploaded to the DGCG. This is typically done by the CSCA.

  3. All countries that take part in the DGCG framework MUST use a CSCA to issue the DSCs.

  4. Each country MAY have more than one CSCA.

  5. Countries can either use existing certificate authorities or they can set up a dedicated (possibly self-signed) certificate authority (CSCA) for the DGC system.

  6. Section 3.2 of the document details requirements for the CSCA. It also details how frequently the various credentials have to be generated and their corresponding validity periods:

[Figure: Credentials generated with validity periods]

Recommended process for generating DCC using Qryptal Generator (QGEN):

  1. Every 6 months, generate a new CSR on QGEN and send it to your CSCA:

    1.1. The CSR parameters can be specified in the QGEN configuration file

    1.2. QGEN, when integrated with your HSM, will generate the CSR using the public key provided by the HSM

  2. Receive DSC from CSCA and import into QGEN:

    2.1. At the time of import, QGEN will verify that the DSC corresponds to the active key in the HSM

  3. Optional: share the DSCs bilaterally with other entities

  4. Required for verification of DGCs issued by other entities: integrate with the National Backend to procure the DSCs of all countries and provide them to the Qryptal Validation SDK and utilities for verification of codes.
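
The import check in step 2.1, combined with the chain of trust described under DCC Generation, can be sketched as follows. This is an added example, not Qryptal's code or part of the original article: `issue`, `must` and `CheckDSCImport` are hypothetical names, a freshly generated ECDSA P-256 key stands in for the HSM-held key, and the CSCA and DSC are constructed test certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue makes a constructed key and certificate; a nil parent yields a self-signed stand-in CSCA.
func issue(cn string, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().AddDate(1, 0, 0), // constructed validity
		KeyUsage: x509.KeyUsageDigitalSignature, IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer, t.KeyUsage = t, key, x509.KeyUsageCertSign
	}
	der := must(x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// CheckDSCImport accepts a DSC only if it carries the active key and verifies against the CSCA.
func CheckDSCImport(dsc, csca *x509.Certificate, active *ecdsa.PublicKey) error {
	if pub, ok := dsc.PublicKey.(*ecdsa.PublicKey); !ok || !pub.Equal(active) {
		return fmt.Errorf("DSC public key does not match the active signing key")
	}
	roots := x509.NewCertPool()
	roots.AddCert(csca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	_, err := dsc.Verify(opts) // fails on an unknown issuer, a bad signature or an expired DSC
	return err
}

func main() {
	csca, cscaKey := issue("Constructed CSCA", nil, nil)
	dsc, hsmKey := issue("Constructed DSC", csca, cscaKey) // key stands in for the HSM-held key
	fmt.Println("import check error:", CheckDSCImport(dsc, csca, &hsmKey.PublicKey))
}
```

Comparing the key before verifying the chain catches the common operational mistake of importing a DSC that was issued for a CSR from a previous or different key, which would otherwise produce codes that no verifier can validate.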