Security & Trust Center

ErlySign operates certificate authority infrastructure. Customers issuing device credentials through our platform need verifiable assurance about our security posture — not marketing claims. This page documents our infrastructure design, key management approach, and how to report vulnerabilities.

HSM: Root CA key storage
TLS 1.3: All API endpoints
AES-256: Data at rest
Infrastructure Security: How It Is Built

Hardware-Backed Root CA

Root CA private keys are stored in Hardware Security Modules (HSMs) — not software keystores. The root CA is offline and air-gapped from the online issuance infrastructure. All certificate signing passes through the HSM API. This design is consistent with NIST SP 800-57 Part 1 key management recommendations for CA key protection.

CA Infrastructure Isolation

The Certificate Authority infrastructure is isolated from the API gateway and management plane, so a compromise of the API layer cannot directly reach the CA signing infrastructure. Network segmentation, separate credential domains, and signed audit logs are built into the architecture rather than added afterwards.

Customer Key Sovereignty

Enterprise customers who deploy with their own root CA bring their own HSM-stored root key material. ErlySign's infrastructure issues certificates under their PKI hierarchy — ErlySign never has access to the customer's root private key. This is the correct design for regulated environments.

Auditable Certificate Operations

Every certificate issuance, renewal, and revocation event is logged with a tamper-evident audit log. Logs are immutable once written. Enterprise customers can export their complete certificate operation history for compliance review, incident response, or regulatory audit submission.

Infrastructure Details

Cloud provider: AWS (primary), with multi-region redundancy
HSM provider: AWS CloudHSM (hardware designed to FIPS 140-2 Level 3)
API transport: TLS 1.3 minimum. TLS 1.2 with strong cipher suites is permitted for legacy device compatibility.
Data at rest: AES-256-GCM encryption for certificate metadata and configuration data
API authentication: API keys with HMAC-SHA256 request signing. Customer API keys are hashed at rest, so ErlySign cannot recover a customer's API key.
Certificate algorithms: RSA-2048/4096, ECDSA P-256/P-384. No SHA-1. Issuance with deprecated algorithms can be disabled per CA hierarchy configuration.
Revocation: CRL published hourly. OCSP responses with a maximum freshness of 15 minutes. Both endpoints are available to devices for real-time verification.
Penetration testing: Annual third-party penetration test of the public API surface. Customer-specific security assessments are available under the Enterprise tier with advance scheduling.
Responsible Disclosure

If you discover a security vulnerability in ErlySign's infrastructure, API, or SDKs, report it responsibly. We acknowledge within 2 business days and provide a remediation timeline within 7 business days.

For vulnerabilities affecting device credentials, certificate issuance, or CA infrastructure: use PGP encryption where possible and do not publish findings until coordinated disclosure is agreed. Researchers will be credited by name if preferred.

Report a Vulnerability

Email: [email protected] — Subject: "Security Vulnerability Report"