A Secure Root CA Appliance

High assurance Offline Root Certificate Authority Appliance

-Designed according to best practices

-Offers you full control over the private keys.

Top of the Trust Chain

For a PKI Hierarchy,

Manage the top of the trust chain.

With ORCA you don’t have to spend valuable time integrating
bits and bytes in a functional solution. RNTrust has built ORCA
as an off-the-shelf turnkey solution.


Why is the Root CA required to be ‘Offline'?

PKI best practices are not stating that Root CAs must be offline. This design approach is influenced by the required assurance of the trust anchor.

Being deployed “offline” eliminates the possibility of all network-based and most physical attacks directly on the Root CA.

The chain of trust from a end-user certificate to a Root CA is unaffected whether a Root CA is implemented online or offline. The storage of Root CA keys in an appropriately rated (e.g., FIPS3 140-2 Level 3) HSM adds an additional level of physical protection to the Root CA.

While Root CAs are deployed offline, they must publish a CA certificate and Certificate Revocation List (CRL) regularly, which must be distributed to online repositories and retrievable by Relying Parties.

HSM Integrated ORCA Appliance

Download the ORCA Datasheet


Your Root of Trust with ORCA

ORCA enables the rapid and cost-effective deployment of a trusted CA hierarchy from Root CA to Subordinate CA certificates. The private keys are kept inside the cutting-edge nCipher Edge USB Hardware Security Module (HSM) linked to the  ORCA appliance.

ORCA is set up to deliver Subordinate CAs Certificates to build a trusted CA hierarchy. CA certificate profiles are generated using predefined models and can be associated with RSA or ECDSA keys. The production of CA certificates complies with the customer’s certification policy and meets the requirements of the supervisory body. Typical applications include the creation of a new requested delegated CA and the generation of Certificate Revocation Lists (CRLs).

Maximum Security

To ensure maximum security of your Root CA, ORCA includes a PIN-authenticated, AES-XTS 256-bit hardware-encrypted flash drive that securely encrypts, stores and protects data to military standards.


The Apricorn Aegis Secure Key 3NX allows you to securely store ORCA Backups to ensure compliance with stringent data protection and confidentiality regulations and directives, such as GDPR, HIPAA, SOX, CCPA and more.

How It Works

RNTrust provides the Appliance (ORCA) on which the OpenSSL based CA is installed on top of a hardened SuSE Linux with encrypted file system and stores its status in an SQLite database. This service functions by following the procedures below:

  • The Root CA’s private key generates a self-signed root certificate, allowing it to preside as the root of trust for the infrastructure.
  • The private key will be stored in a secure nCipher Edge USB HSM.
  • Signing requests are generated by an external Subordinate CA and signed by the Root CA’s private key.
  • Generated subordinate CA certificates are issued to the respective CAs.
  • ORCA backups will be stored securely into the datAshur PRO².
  • After the Root CA signing process, the ORCA Appliance is kept offline at all times.

It is possible to configure your Offline Root CA with little or no help from PKI experts.

Standards and technical specifications

ORCA - The Secured all-in-one solution for Offline Root CA

  • Taking advantages of ORCA following the best practices of the industry will results in not just Webtrust standards compliance, but peace of mind as well.
  • By partnering with leaders in Digital Security, a global vendor & system integrator, can help you successfully deploy offline Root CA in your environment and lift the FUD around this technology.
For further information, please contact us at sales@rn-trust.com 
call +971 800-RNTrust (7687878)
Offline Root CA

# let's Secure Your Business

Online Technical Workshop to Understand ORCA