Internet of Things security

Meet the security challenges of the IoT

PKI for IoT

Create and manage the electronic certificates of your IoT infrastructure with a PKI for IoT solution

Electronic certificates allow applications to support security services such as user authentication, non-repudiation of transactions, and confidentiality of data exchanges.

Atos, a European actor in IS security, provides PKI for IoT solution, a complete solution to create electronic certificates and manage the connected devices life cycle.

Strong internal security mechanisms

From strong authentication to access to all metapki functional entities to recording of all actions, enciphered sensitive information and private and public keys protected using Hardware Security Modules (HSM), metapki ensures data security.

Bull cyber Trust compliance


Metapki is EAL 3+ Common Criteria Certified and is also RGS basic level certified


Capacity to produce over 1000 certificates/second (e.g., specific formats like C-ITS certificates for Car2Car Communication)

n-Tiers architecture and scalability
3-Tiers architecture: Front Offices, Back Offices and external Database
Scalability: possibility to add several Front offices and/or several Back Offices

Automation and auto-enrollment protocols (CMP, SCEP, EST)
CMP and SCEP already available for X509 certificates
EST in progress for X509 certificates and other formats

Support for Long-Term CA (X509 certificates with RSA or ECDSA keys), Pseudonym CA (X509 certificates with RSA or ECDSA keys), and short-lived pseudonym certificates (C-ITS) (Specific certificates with ECDSA keys).

Capacity to produce over 1000 certificates/second (e.g., specific formats like C-ITS certificates for Car2Car Communication).

System requirements

Linux Platform (e.g. Red Hat or SUSE)
Open source international components delivered with metapki: Apache, OpenSSL, PostgreSQL and PHP
LDAP Server: when the CA publishes certificates and/or LCR in a directory
SMTP Mail Server: when metapki sends notifications related to the management of certificates

Norms and standards

Certificate compliance with ITU-T X.509v3 and RFC 5280
Certificate enrolment protocols: SCEP, CMP (RFC 2510 et RFC4210), CCEP
Certificate profile compliance with ETSI TS 101 862, Netscape and Microsoft
Revocation information compliance with ITU-T X.509v2 LCR and OCSP Protocol (RFC 2560)
Certification request format: PKCS#10, SPKAC
Key exchange format: PKCS#12
Connectivity: LDAP, HTTPS, SMTP
HSM interface: PKCS#11


Hardware & Software for metapki hosting
Physical Servers: 32/64 bits platform with at least 4 Go of RAM, 10 Go of available disc memory, 2 Ethernet ports
Virtual Machines: VMWare, HyperV
Operating System: Red Hat 5 and 6 (32 or 64 bits) / SUSE SLES 10 and 11 (32 or 64 bits)
LDAP Server: CAs publish the certificates and/or the LCR in a LDAP directory
Mail Server: Email sending is possible for each step of certificates life cycle

Working station for metapki users
Navigator: Internet Explorer 8 version and later, Firefox, Chrome
Java Runtime Environment: 1.6 (superior to update 19), 1.7 et 1.8

Smart Card
All smart cards with PKCS#11 interface and particularly: CardOS, Gemalto ID PRIME MD840, Gemalto IAS TPC, Gemalto Classic TPC IM, Gemalto Cyberflex Access 64k v2, Morpho vpsID SmartCard Ux, ActivIdentity ActivCard 64K V2C

All HSM with PKCS#11 interface and particularly Bull TrustWay Proteccio®

Electronic certificates may be used to support:
Strong authentication for users with smart cards or USB tokens (two factor authentication)
Strong authentication for web servers (SSL/TLS)
Strong authentication for VPNs (Virtual Private Networks)
Electronic signatures to provide integrity and non-repudiation of transactions
Data confidentiality for data in transit or in storage.

Users and applications are provided with one or more key pairs (a public key and a private key) and public key certificates, generated by a Certification Authority (CA), that associate the registered user or application with the public key.

Metapki supports one or more Certification Authorities that may be independent, or subordinate CAs.

A whole range of security profiles for public certificates is supported by metapki. For each profile, the registration process may be tailored to the specific needs of the organisation and integrated with the existing IS.

A workflow manager handles the registration process in order to minimise the time to produce and manage the certificates through the use of one or more Local Registration Authorities (LRA).

A validation authority (Vericert) for checking the validity of a certificate against a validation policy

More information on Vericert solution >>

Related resources and news

IoT Security Suite

Build trusted and secure Intelligent Transportation Systems

Secured V2X communication is critical to set up reliable ITS. Discover how PKI solutions are key to secure exchanges between connected vehicles and roadside units.

Atos cybersecurity IDnomic ITS webinar


Bring trust to Intelligent Transportation Systems with a cybersecurity and standardization approach.

Interested in our PKI for IoT solution?