A Secure Root CA Appliance

High-Assurance Offline Root Certificate Authority Appliance

Designed according to best practices

Offers you full control over the private keys

Top of the Trust Chain

For a PKI hierarchy, manage the top of the trust chain.

With ORCA you don’t have to spend valuable time integrating
bits and bytes in a functional solution. RNTrust has built ORCA
as an off-the-shelf turnkey solution.

Implement Offline Root CA

Unique Hardware

ORCA is delivered with pre-configured features and a database. It runs on a state-of-the-art Mini PC with an Intel Atom x5-Z8500 1.44 GHz quad-core, quad-thread CPU (up to 2.24 GHz), 4 GB RAM and 64 GB SSD storage.

No Extra time

The appliance model is delivered with a standard configuration that can be used in most use cases, with no additional time spent on specifications or integration.

It solves the common challenges of the Offline Root CA - the Hardware, the Software, the HSM, the Backup storage, and the Integration of those four elements.

Ready to use

When the appliance is first started, only the most basic configuration is done to get it ‘ready to use’. You will be able to create and manage multiple CA Certificates and CRLs, making your key-ceremonies smooth and easy.

HSM Integrated

To ensure strong protection of the private keys, ORCA uses an nShield Edge Hardware Security Module.

The nShield Edge hardware security module (HSM) is a full-featured, portable USB HSM designed for low-volume transaction environments. It’s capable of encryption and key protection and is ideally suited for offline key generation for certificate authorities (CAs).

Why is the Root CA required to be ‘Offline'?

PKI best practices do not state that Root CAs must be offline. This design approach is influenced by the required assurance of the trust anchor.

Being deployed “offline” eliminates the possibility of all network-based and most physical attacks directly on the Root CA.

The chain of trust from an end-user certificate to a Root CA is unaffected whether a Root CA is implemented online or offline. The storage of Root CA keys in an appropriately rated (e.g., FIPS 140-2 Level 3) HSM adds an additional level of physical protection to the Root CA.

While Root CAs are deployed offline, they must publish a CA certificate and Certificate Revocation List (CRL) regularly, which must be distributed to online repositories and retrievable by Relying Parties.

HSM Integrated ORCA Appliance


Your Root of Trust with ORCA

ORCA enables the rapid and cost-effective deployment of a trusted CA hierarchy from Root CA to Subordinate CA certificates. The private keys are kept inside the cutting-edge nCipher Edge USB Hardware Security Module (HSM) linked to the ORCA appliance.

ORCA is set up to deliver Subordinate CA certificates to build a trusted CA hierarchy. CA certificate profiles are generated using predefined models and can be associated with RSA or ECDSA keys. The production of CA certificates complies with the customer’s certification policy and meets the requirements of the supervisory body. Typical applications include the creation of a newly requested delegated CA and the generation of Certificate Revocation Lists (CRLs).

Maximum Security

To ensure maximum security of your Root CA, ORCA includes a PIN-authenticated, AES-XTS 256-bit hardware-encrypted flash drive that securely encrypts, stores and protects data to military standards.


The Apricorn Aegis Secure Key 3NX allows you to securely store ORCA Backups to ensure compliance with stringent data protection and confidentiality regulations and directives, such as GDPR, HIPAA, SOX, CCPA and more.

How It Works

RNTrust provides the appliance (ORCA), on which an OpenSSL-based CA is installed on top of a hardened SuSE Linux with an encrypted file system; the CA stores its status in an SQLite database. The service follows the procedure below:

  • The Root CA’s private key generates a self-signed root certificate, allowing it to preside as the root of trust for the infrastructure.
  • The private key will be stored in a secure nCipher Edge USB HSM.
  • Signing requests are generated by an external Subordinate CA and signed by the Root CA’s private key.
  • Generated subordinate CA certificates are issued to the respective CAs.
  • ORCA backups will be stored securely into the datAshur PRO².
  • After the Root CA signing process, the ORCA Appliance is kept offline at all times.
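The signing steps above, sketched with plain OpenSSL as an added example (not RNTrust's or ORCA's own code). It assumes software keys in a scratch directory in place of the HSM-held root key, and the file names, config sections and "Demo" subject names are constructed for the illustration.

```shell
#!/bin/sh
# Added illustration, not ORCA's code: software keys stand in for the HSM-held root key.
# File names and "Demo ..." subjects are constructed; demo keys are written unencrypted.
write_config() {
cat > "$1" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
# placeholder, overridden by -subj on the command line
CN = unused
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[v3_sub]
basicConstraints = critical,CA:TRUE,pathlen:0
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# Runs in a subshell so the cd does not leak into the caller.
run_ceremony() (
    cd "$1" && write_config ca.cnf &&
    # 1. Root key pair and self-signed root certificate (the trust anchor).
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config ca.cnf -extensions v3_root -subj "/CN=Demo Offline Root CA" \
        -keyout root.key -out root.crt 2>/dev/null &&
    # 2. The subordinate CA creates its own key and a PKCS#10 request.
    openssl req -new -newkey rsa:2048 -nodes -sha256 -config ca.cnf \
        -subj "/CN=Demo Subordinate CA" -keyout sub.key -out sub.csr 2>/dev/null &&
    # 3. Check the request's self-signature before the root key is used on it.
    openssl req -in sub.csr -config ca.cnf -verify -noout 2>&1 | grep -q "verify OK" &&
    # 4. Root signs the request; pathlen:0 keeps the sub CA from creating further CAs.
    openssl x509 -req -in sub.csr -CA root.crt -CAkey root.key -sha256 \
        -set_serial 0x1001 -days 1825 -extfile ca.cnf -extensions v3_sub \
        -out sub.crt 2>/dev/null
)

# What a relying party does: validate the subordinate CA against the root.
check_chain() {
    openssl verify -CAfile "$1/root.crt" "$1/sub.crt" >/dev/null 2>&1
}

demo_dir=$(mktemp -d)
run_ceremony "$demo_dir" && check_chain "$demo_dir" && echo "chain OK in $demo_dir"
```

Only `root.crt` and `sub.crt` need to leave the offline machine; `sub.key` would in practice never be on it, since the subordinate CA generates its request externally.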

It is possible to configure your Offline Root CA with little or no help from PKI experts.

Standards and technical specifications

  • RSA, DSA, and EC private keys.

  • All x509v3 extensions.

  • PKCS#1 unencrypted RSA key storage format.

  • PKCS#7 Collection of public certificates.

  • PKCS#8 Encrypted private key format for RSA, DSA, and EC keys.

  • PKCS#10 Certificate signing request.

  • PKCS#11 Security token / Smart card / HSM access.

  • PKCS#12 Certificate, Private key, and probably a CA chain.

  • Certifications: nShield Edge USB HSMs are certified to FIPS 140-2 Level 2 and Level 3.

  • Supported APIs: PKCS#11, OpenSSL, Java (JCE), Microsoft CAPI, and CNG.

  • Asymmetric public key algorithms: RSA, Diffie-Hellman, ECMQV, DSA, KCDSA, ECDSA, ECDH, Edwards (X25519, Ed25519ph).

  • Symmetric algorithms: AES, AES-GCM, ARIA, Camellia, CAST, RIPEMD160 HMAC, SEED, Triple DES.

  • Hash/message digest: SHA-1, SHA-2 (224, 256, 384, 512 bit), HAS-160.

  • Full Suite B implementation with fully licensed ECC, including Brainpool and custom curves.

  • Elliptic Curve Key Agreement (ECKA) is available via Java API and nCore APIs.

  • Elliptic Curve Integrated Encryption Scheme (ECIES) is available via Java API, PKCS#11, and nCore APIs.

We're here to assist you.

Our RNTrust technical team would be happy to answer any questions you may have about ORCA as an employee, customer, or partner.

If you have any questions, please feel free to download the datasheet or contact us directly using the following link.

ORCA - The Secured all-in-one solution for Offline Root CA

  • Taking advantage of ORCA, which follows the best practices of the industry, will result in not just WebTrust standards compliance, but peace of mind as well.
  • Partnering with leaders in digital security, a global vendor & system integrator, can help you successfully deploy an offline Root CA in your environment and lift the FUD around this technology.
For further information, please contact us at sales@rn-trust.com or call +971 800-RNTrust (7687878).