ORCA - Secured all-in-one solution for Offline Root CA
ORCA solves the common challenges of the Offline Root CA: the Hardware, the Software, the HSM, the Backup storage and the Integration of those four elements.

With ORCA you don’t have to spend valuable time integrating bits and bytes into a functional solution. RNTrust has built ORCA as an off-the-shelf turnkey solution.
ORCA runs on a state-of-the-art Mini PC with a quad-core, quad-thread Intel Atom x5-Z8500 CPU at 1.44 GHz (up to 2.24 GHz), 4 GB RAM and 64 GB SSD storage.
ORCA uses an OpenSSL-based CA on top of a hardened SuSE Linux with an encrypted file system and stores its status in a SQLite database.
With ORCA, you will be able to create and manage multiple CA certificates and CRLs, making your key ceremonies smooth and easy.

ORCA supports all the standards including:

- RSA, DSA and EC private keys.
- All x509v3 extensions.
- PKCS#1 unencrypted RSA key storage format.
- PKCS#7 Collection of public certificates.
- PKCS#8 Encrypted private key format for RSA DSA EC keys.
- PKCS#10 Certificate signing request.
- PKCS#11 Security token / Smart card / HSM access.
- PKCS#12 Certificate, Private key and optionally a CA chain.

ORCA (Offline Root CA) follows best practices, eliminating the high cost and effort of finding crypto experts, handling the logistics, and managing them.
To ensure strong protection of the private keys, ORCA uses an nShield Edge hardware security module.


The nShield Edge hardware security module (HSM) is a full-featured, portable USB HSM designed for low-volume transaction environments. It’s capable of encryption and key protection and is ideally suited for off-line key generation for certificate authorities (CAs).
nShield EDGE FEATURES:
- Certifications: nShield Edge USB HSMs are certified to FIPS 140-2 Level 2 and Level 3.
- Supported APIs: PKCS#11, OpenSSL, Java (JCE), Microsoft CAPI and CNG.
SUPPORTED CRYPTOGRAPHIC ALGORITHMS:
- Asymmetric public key algorithms: RSA, Diffie-Hellman, ECMQV, DSA, KCDSA, ECDSA, ECDH, Edwards (X25519, Ed25519ph).
- Symmetric algorithms: AES, AES-GCM, ARIA, Camellia, CAST, RIPEMD160 HMAC, SEED, Triple DES.
- Hash/message digest: SHA-1, SHA-2 (224, 256, 384, 512 bit), HAS-160.
- Full Suite B implementation with fully licensed ECC, including Brainpool and custom curves.
- Elliptic Curve Key Agreement (ECKA) available via Java API and nCore APIs.
- Elliptic Curve Integrated Encryption Scheme (ECIES) available via Java API, PKCS#11 and nCore APIs.

To ensure maximum security of your Root CA, ORCA includes a PIN-authenticated, AES-XTS 256-bit hardware encrypted flash drive that securely encrypts, stores and protects data to military standards.

The Apricorn Aegis Secure Key 3NX allows you to securely store ORCA Backups to ensure compliance with stringent data protection and confidentiality regulations and directives, such as GDPR, HIPAA, SOX, CCPA and more.
All ORCA components comply with the following safety and Environmental Standards:
