Cert.uz

Introduction

cert.uz is a second‑level domain under .uz, the country code top‑level domain (ccTLD) assigned to the Republic of Uzbekistan. The domain is designated for entities that provide certificate services, including digital certificate authorities, accreditation bodies, and related infrastructure services. Its establishment is part of a broader effort by the Uzbek government to strengthen cyber security, promote secure electronic transactions, and support the development of digital economy initiatives across the country.

History and Background

Early Digital Infrastructure in Uzbekistan

Following independence in 1991, Uzbekistan began investing in its digital infrastructure to modernize governmental services, encourage foreign investment, and foster local technology development. Early efforts focused on establishing basic internet connectivity, developing a national domain registry for the .uz TLD, and creating policies for electronic identification and authentication. The growth of e‑commerce and online banking created a need for secure digital communication, which in turn led to the adoption of public key infrastructure (PKI) solutions.

Creation of the cert.uz Sub‑Domain

In the late 2000s, the Ministry of Digital Development and Communications (formerly the Ministry of Information and Communication Technologies) began exploring the implementation of a dedicated certificate authority framework. A formal proposal was presented to the national registry operator, which oversees the .uz domain space. After consultations with international standards organizations and local stakeholders, the cert.uz domain was officially established in 2012 as part of the national PKI strategy. The primary objective was to create a trusted root authority for issuing, managing, and revoking digital certificates used by public institutions, businesses, and citizens.

Alignment with International Standards

The development of cert.uz followed the management‑system standards of the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), principally ISO/IEC 27001, together with the X.509 certificate profile standardized by ITU‑T and the IETF (RFC 5280); the World Wide Web Consortium (W3C) specifications that apply are WebAuthn and FIDO2 for authentication, not certificate formats. The cert.uz root certificate was cross‑signed by established external certification authorities and submitted for inclusion in the trusted root stores of major browsers and operating systems. This interoperability is what allows signatures and TLS certificates that chain to cert.uz to be validated outside Uzbekistan, supporting cross‑border transactions and international compliance requirements.

Technical Overview

Domain Architecture

The cert.uz domain is a second‑level domain within the .uz namespace. It is managed by the National Registry Center (NRC) and is subject to the same registration rules as other .uz domains. However, its usage is restricted to entities that have obtained a special accreditation, which is granted by the national certification authority. The domain structure is as follows: entity.cert.uz, where entity can be a public institution, a private company, or a non‑profit organization. Sub‑domains such as www.entity.cert.uz and mail.entity.cert.uz are commonly used to host web services and mail servers.

Certificate Issuance Process

  1. Application and Verification – An organization applies for a certificate by submitting documentation that demonstrates its legal status, operational legitimacy, and compliance with PKI best practices.
  2. Authority Validation – The national certification authority reviews the application, performs background checks, and verifies the identity of the applicant through official documents and in‑person interviews.
  3. CA Certificate Generation – Upon approval, the applicant's CA key pair is generated inside an HSM using a 4096‑bit RSA key or ECDSA on the P‑384 curve, and the NCA signs a subordinate CA certificate for it with the state root key. The root itself is self‑signed (a certificate signed by another authority is by definition an intermediate, not a root) and is the certificate distributed to trusted root stores; the subordinate CA certificate carries a basicConstraints extension with CA=TRUE and a pathLenConstraint limiting how many further CAs may sit beneath it.
  4. End‑Entity Certificate Issuance – The applicant issues server and user certificates signed by its subordinate CA key. Each carries the subject name, validity period, subjectAltName, and usage constraints (keyUsage and extendedKeyUsage). Relying parties validate the chain leaf → subordinate CA → root and must reject any certificate whose issuer lacks CA=TRUE or the keyCertSign bit, otherwise a stolen server key could be used to mint further certificates.
  5. Revocation and Renewal – Certificate revocation lists (CRLs) and the Online Certificate Status Protocol (OCSP) carry revocation status. Both are signed by the issuing CA (or a responder it has authorized), so a relying party verifies that signature and the issuer match before trusting the answer. Renewal must complete before expiry, since chain validation fails the moment notAfter passes.
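The hierarchy described in steps 3 to 5, as an added example that is not the NCA's own tooling: it builds a self‑signed P‑384 root, a subordinate CA with pathLenConstraint 0, and a server certificate, then validates the chain the way a relying party must (issuer names link, signatures verify, CA and keyCertSign bits set, path length respected, validity windows hold) and consults a CRL whose signature it verifies first. It requires the `cryptography` package; every name used (Example National Root CA, Example Org Issuing CA, www.example.cert.uz) is hypothetical.

```python
"""Two-tier X.509 hierarchy: self-signed root -> subordinate CA -> server leaf, plus a CRL.

Added example (not cert.uz's own tooling). Assumes the `cryptography` package;
all names and hostnames below are hypothetical.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def _utcnow():
    return datetime.datetime.now(datetime.timezone.utc)


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COUNTRY_NAME, "UZ"),
                      x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _key_usage(ca):
    # CA keys sign certificates and CRLs; a leaf key only signs handshakes.
    return x509.KeyUsage(digital_signature=True, key_cert_sign=ca, crl_sign=ca,
                         content_commitment=False, key_encipherment=False,
                         data_encipherment=False, key_agreement=False,
                         encipher_only=False, decipher_only=False)


def issue(subject_cn, subject_key, issuer_cert, issuer_key, *, ca, path_length=None,
          days=365, san=None):
    """Sign a certificate for subject_key; issuer_cert=None yields a self-signed root."""
    now = _utcnow()
    subject = _name(subject_cn)
    issuer = subject if issuer_cert is None else issuer_cert.subject
    b = (x509.CertificateBuilder()
         .subject_name(subject).issuer_name(issuer)
         .public_key(subject_key.public_key())
         .serial_number(x509.random_serial_number())
         .not_valid_before(now - datetime.timedelta(minutes=5))
         .not_valid_after(now + datetime.timedelta(days=days))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=path_length), critical=True)
         .add_extension(_key_usage(ca), critical=True)
         .add_extension(x509.SubjectKeyIdentifier.from_public_key(subject_key.public_key()),
                        critical=False))
    if issuer_cert is not None:
        b = b.add_extension(
            x509.AuthorityKeyIdentifier.from_issuer_public_key(issuer_key.public_key()),
            critical=False)
    if san:
        b = b.add_extension(x509.SubjectAlternativeName([x509.DNSName(h) for h in san]),
                            critical=False)
        b = b.add_extension(x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH]),
                            critical=False)
    return b.sign(issuer_key, hashes.SHA384())


def build_hierarchy():
    """Root (P-384, may certify one CA level) -> applicant's subordinate CA -> server leaf."""
    root_key, sub_key, leaf_key = (ec.generate_private_key(ec.SECP384R1()) for _ in range(3))
    root = issue("Example National Root CA", root_key, None, root_key,
                 ca=True, path_length=1, days=3650)
    sub = issue("Example Org Issuing CA", sub_key, root, root_key,
                ca=True, path_length=0, days=1825)
    leaf = issue("www.example.cert.uz", leaf_key, sub, sub_key,
                 ca=False, san=["www.example.cert.uz"])
    return {"root": root, "root_key": root_key, "sub": sub, "sub_key": sub_key,
            "leaf": leaf, "leaf_key": leaf_key}


def _validity(cert):
    # not_valid_*_utc appeared in cryptography 42; older versions expose naive UTC values.
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    utc = datetime.timezone.utc
    return cert.not_valid_before.replace(tzinfo=utc), cert.not_valid_after.replace(tzinfo=utc)


def verify_chain(leaf, intermediates, root, now=None):
    """Leaf -> intermediates -> root: names link, signatures verify, validity windows hold,
    every issuer is a CA with keyCertSign, and pathLenConstraint is honoured."""
    now = now or _utcnow()
    path = [leaf, *intermediates, root]
    if root.subject != root.issuer:  # the trust anchor must be a genuine root
        return False
    for depth, (child, parent) in enumerate(zip(path, path[1:])):
        if child.issuer != parent.subject:
            return False
        try:
            parent.public_key().verify(child.signature, child.tbs_certificate_bytes,
                                       ec.ECDSA(child.signature_hash_algorithm))
        except InvalidSignature:
            return False
        bc = parent.extensions.get_extension_for_class(x509.BasicConstraints).value
        ku = parent.extensions.get_extension_for_class(x509.KeyUsage).value
        # depth == number of CA certificates between this parent and the leaf
        if not bc.ca or not ku.key_cert_sign or \
                (bc.path_length is not None and bc.path_length < depth):
            return False
    return all(nb <= now <= na for nb, na in map(_validity, path))


def make_crl(issuer_cert, issuer_key, revoked_serials):
    now = _utcnow()
    b = (x509.CertificateRevocationListBuilder().issuer_name(issuer_cert.subject)
         .last_update(now).next_update(now + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        b = b.add_revoked_certificate(x509.RevokedCertificateBuilder()
                                      .serial_number(serial).revocation_date(now).build())
    return b.sign(issuer_key, hashes.SHA384())


def is_revoked(cert, crl, issuer_cert):
    """Trust the CRL only if its issuer matches and its signature verifies under the issuer key."""
    if crl.issuer != issuer_cert.subject or not crl.is_signature_valid(issuer_cert.public_key()):
        raise ValueError("CRL not issued by the certificate's issuer")
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


if __name__ == "__main__":
    h = build_hierarchy()
    print("chain valid:", verify_chain(h["leaf"], [h["sub"]], h["root"]))
    crl = make_crl(h["sub"], h["sub_key"], [h["leaf"].serial_number])
    print("leaf revoked:", is_revoked(h["leaf"], crl, h["sub"]))
```

The checks in `verify_chain` are the ones step 4 relies on: a certificate signed by the leaf key fails because the leaf has CA=FALSE, and a CA certificate issued by the subordinate fails because the subordinate's pathLenConstraint of 0 forbids it.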

Security Protocols and Standards

Services under cert.uz use industry‑standard protocols for secure communication: Transport Layer Security (TLS) 1.3 for HTTPS connections, Secure/Multipurpose Internet Mail Extensions (S/MIME) for signed and encrypted email, and Secure Shell (SSH) for remote administration of the infrastructure (OpenSSH uses its own certificate format rather than X.509, so cert.uz certificates protect the hosted services, not the SSH sessions themselves). All certificates issued under cert.uz support the Elliptic Curve Digital Signature Algorithm (ECDSA), with RSA retained for backward compatibility with older clients. User‑facing portals under the domain also implement the WebAuthn and FIDO2 standards for passwordless authentication, which removes password phishing from their threat model.

Integration with Global Trust Stores

To ensure global acceptance, cert.uz root certificates are periodically submitted to the major root programs (Chrome, Mozilla, Apple, and Microsoft). Inclusion requires conformance to the CA/Browser Forum Baseline Requirements and an annual audit under the WebTrust for CAs or ETSI EN 319 411 criteria, covering key management, logging, and incident response. While inclusion is pending, the root is cross‑signed by an already‑trusted certification authority so that relying parties can build a path to a trust anchor they already hold; once the cert.uz root ships natively in a trust store, the cross‑signed path becomes redundant for that client.

Usage and Applications

Government Services

Several government ministries, including the Ministry of Finance and the Ministry of Health, utilize cert.uz to secure their online portals. Digital signatures issued by cert.uz are used to sign official documents, such as tax declarations, health records, and public procurement tenders. The government also mandates cert.uz certificates for the submission of e‑fiscal documents to the State Tax Service, ensuring authenticity and integrity of taxpayer data.

Financial Institutions

Commercial banks operating in Uzbekistan are required to use cert.uz certificates for secure online banking interfaces, electronic funds transfer, and inter‑bank communications. The certificates facilitate mutual authentication between banking servers and enable encrypted data channels for sensitive transactions. Banks also employ cert.uz for digital signing of electronic contracts with customers, aligning with national regulations on electronic commerce.

Educational Institutions

Universities and research institutes use cert.uz certificates to protect academic communications, grant applications, and digital repositories. The certificates are employed in VPN configurations for remote access, in digital signing of research outputs, and in the authentication of students and faculty for e‑learning platforms. The use of cert.uz in education helps maintain the confidentiality of student records and intellectual property.

Enterprise and Industrial Use

Large enterprises and industrial facilities adopt cert.uz for securing internal networks, supply‑chain communications, and industrial control systems. The domain’s certificates enable secure Remote Desktop Protocol (RDP) sessions, encrypted file transfers via SFTP, and secure API endpoints for web services. In manufacturing, cert.uz is integrated with SCADA systems to provide a robust authentication layer, protecting critical infrastructure from cyber threats.

Individual Users

While primarily used by organizations, cert.uz also offers services to individual citizens. The national e‑government portal provides a one‑stop digital identity solution where individuals can obtain a personal digital certificate. This certificate allows secure access to e‑services such as e‑voting, digital passports, and electronic wills. Citizens can also use the certificates for signing electronic contracts and for secure email communications.

National Legislation

Uzbekistan has enacted several laws governing digital signatures and electronic records. The Law on Electronic Documents and Digital Signatures mandates that electronic signatures must be generated using certificates issued by accredited authorities such as cert.uz. The legislation defines the legal equivalence of digital signatures to handwritten signatures, provided that the underlying PKI meets the specified security criteria.

International Agreements

Uzbekistan is a signatory to the United Nations Convention on the Use of Electronic Communications in International Contracts (2005). The Convention is technology‑neutral: it obliges parties not to deny legal effect to electronic communications and signatures merely because they are electronic, but it does not prescribe a particular PKI or security standard. Cross‑border enforceability of cert.uz signatures therefore rests on the NCA's operations being certified under ISO/IEC 27001 and on mutual‑recognition arrangements, not on the Convention alone.

Compliance Requirements for Organizations

Entities operating within Uzbekistan must adhere to the State Security Agency’s guidelines for certificate usage. These guidelines prescribe key usage policies, revocation protocols, and audit procedures. Organizations are required to maintain a certificate inventory, conduct periodic risk assessments, and submit reports to the national regulator. Failure to comply can result in sanctions, including revocation of certificate privileges and fines.

Data Protection and Privacy

The Data Protection Law of Uzbekistan requires that any electronic data processed through cert.uz certificates must comply with data minimization, purpose limitation, and user consent principles. Certificates issued for e‑government services are designed to enforce encryption of personal data in transit and at rest, ensuring that data remains confidential and integral. The law also establishes mechanisms for individuals to request the deletion or correction of personal data, thereby supporting privacy rights.

Ownership and Governance

National Registry Center (NRC)

The National Registry Center, a governmental agency, administers the .uz domain space and oversees the cert.uz sub‑domain. NRC manages domain registration, DNS configuration, and dispute resolution for .uz domains. It also coordinates with international bodies such as the Internet Corporation for Assigned Names and Numbers (ICANN) for policy compliance.

National Certification Authority (NCA)

The National Certification Authority is the sole entity authorized to issue root certificates under cert.uz. It operates under the supervision of the Ministry of Digital Development and Communications. The NCA follows a stringent governance model that includes independent audits, adherence to ISO/IEC 27001, and certification by external auditors. The authority's certificate policy outlines the technical requirements, operational procedures, and legal responsibilities of all cert.uz stakeholders.

Stakeholder Collaboration

cert.uz stakeholders include public institutions, private enterprises, academic institutions, and civil society organizations. Regular workshops and forums are held to discuss emerging threats, policy updates, and technological advancements. The NCA publishes annual reports detailing the number of certificates issued, incidents resolved, and upgrades implemented. These reports contribute to transparency and foster trust among users.

Security Practices

Key Management

cert.uz implements a hardware security module (HSM) architecture for protecting private keys. Keys are generated inside HSMs and never leave the secure environment. The NCA enforces a key lifecycle policy that includes generation, storage, rotation, and destruction. Keys are rotated annually or upon detection of a compromise, and all rotations are logged and auditable.

Incident Response

When a certificate compromise is suspected, the NCA initiates an incident response plan that includes immediate revocation of the affected certificate, notification to affected parties, and forensic analysis. The response plan is aligned with the NCA’s Incident Response Standard, which follows the NIST Cybersecurity Framework. The NCA also collaborates with law enforcement to investigate the root cause of incidents.

Audit and Assurance

cert.uz is subject to periodic third‑party audits conducted by accredited auditing firms. The audits verify compliance with ISO/IEC 27001, NIST SP 800‑53, and other relevant standards. Audits cover technical controls, process controls, and physical security measures. Findings are published in a summary report that is made available to the public, reinforcing accountability.

Public Transparency

To build confidence, the NCA publishes a Certificate Transparency (CT) log for cert.uz certificates. The log is an append‑only Merkle tree (RFC 6962, updated by RFC 9162) of issued certificates and precertificates, with issuance date and expiry visible in each logged entry. It records issuance only: revocation status is not part of the log and must still be obtained from CRLs or OCSP. Developers and security researchers can monitor the log for unexpected issuance (a certificate for a name they control that they never requested) and can verify, from an inclusion proof, that a certificate presented to them really is in the tree the log has signed.
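An added example, not the NCA's log software: the RFC 6962/9162 Merkle tree hashing that a CT log uses, with inclusion‑proof generation as a log would perform it and the client‑side verification a monitor runs against the root hash from a signed tree head. The entries are constructed byte strings standing in for DER certificates, and the verification deliberately checks the tree size so that a proof cannot be replayed against a different head.

```python
"""RFC 6962 / RFC 9162 Merkle tree as used by Certificate Transparency logs.

Added example, not the NCA's log software. The entries below are constructed
byte strings standing in for DER-encoded (pre)certificates.
"""
import hashlib


def leaf_hash(entry: bytes) -> bytes:
    # Leaves and interior nodes get different prefixes so a leaf value can never be
    # replayed as an interior node (second-preimage attack on the tree structure).
    return hashlib.sha256(b"\x00" + entry).digest()


def node_hash(left: bytes, right: bytes) -> bytes:
    return hashlib.sha256(b"\x01" + left + right).digest()


def _split(n: int) -> int:
    """Largest power of two strictly less than n (the RFC's k)."""
    k = 1
    while k * 2 < n:
        k *= 2
    return k


def merkle_root(entries) -> bytes:
    """MTH(D[n]) from RFC 9162 section 2.1.1: the root_hash carried in a signed tree head."""
    n = len(entries)
    if n == 0:
        return hashlib.sha256(b"").digest()
    if n == 1:
        return leaf_hash(entries[0])
    k = _split(n)
    return node_hash(merkle_root(entries[:k]), merkle_root(entries[k:]))


def inclusion_proof(entries, index: int) -> list:
    """PATH(m, D[n]): the sibling hashes a log returns for leaf `index`, bottom-up."""
    n = len(entries)
    if n == 1:
        return []
    k = _split(n)
    if index < k:
        return inclusion_proof(entries[:k], index) + [merkle_root(entries[k:])]
    return inclusion_proof(entries[k:], index - k) + [merkle_root(entries[:k])]


def verify_inclusion(entry: bytes, index: int, tree_size: int, proof, root_hash: bytes) -> bool:
    """Client-side check (RFC 9162 section 2.1.3.2): fold the proof into the leaf hash and
    compare with the signed tree head's root hash. Success shows the certificate was
    logged; it says nothing about whether it has since been revoked."""
    if index >= tree_size:
        return False
    fn, sn = index, tree_size - 1
    r = leaf_hash(entry)
    for p in proof:
        if sn == 0:
            return False  # more proof elements than a tree of this size can have
        if (fn & 1) == 1 or fn == sn:
            r = node_hash(p, r)
            # skip the levels where our subtree is the right-most, unpaired node
            while (fn & 1) == 0 and fn != 0:
                fn >>= 1
                sn >>= 1
        else:
            r = node_hash(r, p)
        fn >>= 1
        sn >>= 1
    return sn == 0 and r == root_hash


if __name__ == "__main__":
    log = [b"DER-certificate-%d" % i for i in range(5)]  # constructed stand-in entries
    sth_root = merkle_root(log)
    proof = inclusion_proof(log, 3)
    print("entry 3 included:", verify_inclusion(log[3], 3, len(log), proof, sth_root))
    print("forged entry included:", verify_inclusion(b"forged", 3, len(log), proof, sth_root))
```

A monitor that wants revocation status still has to fetch the CRL or an OCSP response from the issuing CA; the proof above only binds the certificate to the log's signed tree head.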

Comparison with Similar Domains

cert.gov (United States)

The U.S. Federal Government's cert.gov domain is used for issuing federal digital certificates. While both cert.uz and cert.gov serve government and critical infrastructure, cert.gov is part of the larger U.S. Federal Public Key Infrastructure, which uses a multi‑tier structure with many cross‑certified intermediate authorities, whereas cert.uz operates a simpler two‑tier model: a single national root and the subordinate CAs it certifies for accredited entities.

gov.uk (United Kingdom)

In the UK, the gov.uk domain is used for official government services, but digital certificates are managed by a separate entity, the Government Digital Service (GDS). GDS issues certificates through a commercial provider, whereas cert.uz maintains a national authority that directly issues root certificates.

ca.gov.au (Australia)

Australia’s ca.gov.au domain serves as the official certificate authority for governmental entities. Like cert.uz, it provides a national root certificate, but it also offers a cloud‑based certificate management platform for public sector agencies. The difference lies in the level of integration with cloud services and the flexibility of certificate issuance policies.

Current Status and Future Prospects

Recent Developments

In 2024, the NCA announced QUIC (HTTP/3) support on its issuance and status endpoints; QUIC carries the TLS 1.3 handshake inside its own transport, so mobile clients reach an encrypted session in fewer round trips. Support for Ed25519, an EdDSA signature scheme over Curve25519, was announced at the same time: its 32‑byte public keys and 64‑byte signatures are far smaller than RSA's and signing is faster, although it only helps where relying parties accept Ed25519 certificates, which mainstream browsers still do not. These upgrades aim to keep cert.uz competitive with global PKI solutions.

Expansion Plans

There are plans to expand cert.uz’s service portfolio to include certificate lifecycle management for Internet of Things (IoT) devices. The NCA is developing a lightweight PKI that supports constrained devices, allowing the secure onboarding of sensors and actuators used in smart city deployments.

International Collaboration

Uzbekistan is engaging with neighboring Central Asian countries to harmonize PKI standards. Collaborative initiatives include joint audits, cross‑recognition of root certificates, and shared best‑practice workshops. These efforts aim to reduce friction for cross‑border e‑commerce and streamline regulatory compliance for multinational enterprises operating in the region.

Challenges and Opportunities

Key challenges for cert.uz include maintaining public trust in the face of sophisticated cyber attacks, ensuring interoperability with emerging technologies such as blockchain‑based identity systems, and managing the costs of maintaining a national PKI. Opportunities arise from the growing demand for secure digital services, the expansion of the fintech sector, and the increasing integration of digital identity solutions in public administration.

References & Further Reading

  • National Registry Center Annual Report 2023
  • Ministry of Digital Development and Communications – PKI Policy Guidelines, 2022
  • International Organization for Standardization – ISO/IEC 27001:2013
  • World Wide Web Consortium – WebAuthn and FIDO2 Specifications
  • Data Protection Law of Uzbekistan, 2021
  • United Nations Convention on the Use of Electronic Communications in International Contracts, 2005
  • National Certification Authority – Incident Response Standard, 2022
  • ISO/IEC 27018:2019 – Privacy Protection for Cloud Services
  • NIST Special Publication 800‑53 – Security and Privacy Controls for Federal Information Systems
  • ICANN Root Certificate Program – Documentation for Root Inclusion