Cert.uz
Introduction

cert.uz is the domain of the central online platform for the Republic of Uzbekistan’s public key infrastructure (PKI). It hosts the certificate authority (CA) responsible for issuing, renewing, and revoking digital certificates used across governmental, commercial, and civil applications. The service operates under the auspices of the Ministry of Digital Development and Mass Communications and is integrated into national e‑government initiatives that seek to secure electronic communications and authentication processes. The portal provides tools for certificate registration, validation, and management, and publishes certificate revocation lists (CRLs) and online certificate status protocol (OCSP) responders to support real‑time status verification.

History and Development

The concept of a national CA in Uzbekistan emerged in the early 2000s as part of a broader strategy to modernize the country’s information technology infrastructure. The first prototype of cert.uz was launched in 2004, coinciding with the adoption of the Law on Electronic Signatures. During its initial phase, the system focused on issuing simple digital signatures for electronic documents exchanged between ministries and the public. By 2007, the platform expanded to support X.509 certificates for secure web transactions, reflecting increased demand from the banking sector for SSL/TLS certificates.

In 2011, a major upgrade introduced a hierarchical CA structure, allowing for the creation of intermediate authorities and improved scalability. The upgrade also incorporated stricter key management practices, such as using dedicated hardware security modules (HSMs) for private key storage. Subsequent revisions in 2015 and 2018 aligned cert.uz with international standards, including the European Union’s eIDAS regulation and the ISO/IEC 27001 information security management standard. These updates enhanced interoperability with foreign PKIs and increased the overall resilience of the system.

Throughout its evolution, cert.uz has remained a key component of Uzbekistan’s digital sovereignty strategy. The platform’s design emphasizes local control over cryptographic assets, reducing reliance on foreign CAs and mitigating potential jurisdictional risks. As of 2023, cert.uz manages over 120,000 certificates for public institutions, financial entities, and private enterprises, with a daily issuance volume that reflects the growing demand for secure electronic identification.

Technical Infrastructure

Certification Authority Structure

The cert.uz CA operates on a two‑tiered architecture consisting of a root authority and multiple intermediate authorities. The root CA, housed in a highly secure data center in Tashkent, holds the master private key and issues certificates to subordinate CAs. Each intermediate CA is delegated specific certificate profiles (e.g., government, banking, personal) and operates in isolated environments to prevent cross‑profile compromise. This segregation aligns with the principles of least privilege and compartmentalization.

Root and Intermediate CAs

  • Root CA: Utilizes a 4096‑bit RSA key pair, with the private key stored in a dedicated HSM. The root certificate has a validity period of 20 years and is self‑signed.
  • Intermediate CAs: Employ 2048‑bit RSA or 256‑bit elliptic‑curve keys (ECDSA P‑256) depending on the profile. Their certificates are signed by the root CA and are valid for 5–10 years, with a defined certificate renewal schedule.

Cryptographic Algorithms

cert.uz supports multiple algorithms to accommodate diverse security requirements. All certificates issued by the platform are signed with one of the following algorithms:

  1. RSA with SHA‑256 (PSS padding)
  2. ECDSA with SHA‑256 (P‑256 curve)

The platform also mandates strong key lengths and requires that certificates support both signature and encryption purposes. The adoption of ECDSA reflects an industry shift toward elliptic‑curve cryptography, which offers comparable security with shorter key sizes.
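Added example (not cert.uz’s own code): the two‑tier hierarchy and signature choices described in the Certification Authority Structure and Cryptographic Algorithms sections, built with Go’s standard crypto/x509 package. A self‑signed 4096‑bit RSA root valid for 20 years signs with RSA‑PSS/SHA‑256, an ECDSA P‑256 intermediate valid for 10 years carries a path‑length constraint of zero so it cannot mint further CAs, and a chain check trusts only the root. Common names, serial numbers and the one‑minute backdate are constructed assumptions for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

func must[T any](v T, err error) T { // a demo CA that cannot generate keys has nothing to continue with
	if err != nil {
		panic(err)
	}
	return v
}

// caTemplate returns a CA template: cert- and CRL-signing key usage, a basic-constraints path length
// (0 means "may not issue further CAs") and RSA-PSS with SHA-256 as the signature the RSA root applies.
func caTemplate(serial int64, cn string, years, pathLen int) *x509.Certificate {
	now := time.Now().Add(-time.Minute) // slight backdate tolerates clock skew between hosts
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: now, NotAfter: now.AddDate(years, 0, 0),
		IsCA: true, BasicConstraintsValid: true, MaxPathLen: pathLen, MaxPathLenZero: pathLen == 0,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign, SignatureAlgorithm: x509.SHA256WithRSAPSS,
	}
}

// BuildHierarchy creates a self-signed 4096-bit RSA root (20 years, pathlen 1) and an ECDSA P-256
// intermediate (10 years, pathlen 0) signed by that root. Common names are constructed for the demo.
func BuildHierarchy() (root, inter *x509.Certificate) {
	rootKey := must(rsa.GenerateKey(rand.Reader, 4096))
	rootTmpl := caTemplate(1, "Demo National Root CA (constructed)", 20, 1)
	root = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey))))
	interKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	interTmpl := caTemplate(2, "Demo Banking Intermediate CA (constructed)", 10, 0)
	inter = must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, interTmpl, root, &interKey.PublicKey, rootKey))))
	return root, inter
}

// VerifyChain checks that cert chains to root as the only trust anchor and is within its validity period.
func VerifyChain(root, cert *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots})
	return err
}
```

Generating the 4096‑bit root key takes a few seconds; a production root would be generated and kept inside an HSM as the article describes, with only the public certificate distributed.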

Certificate Management

Certificate issuance is automated through a web service interface that verifies applicant identities using government‑issued identification documents and biometrics where applicable. The portal supports certificate revocation via CRL uploads and real‑time status checks through an OCSP responder. Each revocation event is logged in a tamper‑evident audit trail that includes the revocation reason, timestamp, and the revoking authority’s credentials.

National Laws

The operation of cert.uz is governed by several legislative instruments:

  • The Law on Electronic Signatures (2004), which establishes the legal validity of digital signatures and outlines the requirements for a national CA.
  • The Law on Information Security (2013), which prescribes the standards for protecting cryptographic keys and ensuring secure transmission.
  • The Law on Digital Government Services (2019), which integrates cert.uz into the broader e‑government ecosystem and mandates its use for official electronic documents.

Oversight Bodies

Several state agencies oversee the CA’s compliance:

  • The Ministry of Digital Development and Mass Communications – responsible for strategic direction and policy development.
  • The State Committee for Informatization – conducts audits and ensures adherence to national security standards.
  • The State Tax Service – mandates the use of certificates for tax filing and electronic invoicing.

Compliance and Audits

cert.uz undergoes regular third‑party audits to maintain ISO/IEC 27001 certification. Auditors assess key management practices, physical security of data centers, and the integrity of certificate issuance processes. The platform also participates in the Common Criteria evaluation for secure cryptographic modules, demonstrating compliance with internationally recognized security benchmarks.

Services and Applications

e‑Government Services

Digital certificates issued by cert.uz are integral to many government portals, including tax filing, land registration, and social security systems. These certificates enable secure authentication and ensure the non‑repudiation of electronic transactions. The platform also supports the use of electronic signatures in the procurement process, allowing public tenders to be conducted entirely online.

Banking and Finance

Financial institutions in Uzbekistan rely on cert.uz for secure web services (SSL/TLS), client authentication for online banking, and electronic payment processing. The certificates are required for the issuance of secure electronic documents, such as loan agreements and trade finance contracts. Many banks have adopted multi‑factor authentication that incorporates digital certificates issued by cert.uz.

Healthcare

In the health sector, cert.uz certificates are used to secure electronic health records (EHRs), authenticate medical devices, and facilitate secure communication between hospitals and pharmacies. The certificates support the implementation of a national health information exchange, ensuring that patient data remains confidential and tamper‑proof.

Education

Educational institutions use cert.uz certificates to secure student portals, authenticate faculty and staff, and verify academic transcripts. The platform also issues certificates for e‑learning platforms that require secure authentication for accessing sensitive course materials.

Other Sectors

Cert.uz certificates find application in various other domains, including telecommunications, logistics, and e‑commerce. For example, delivery companies use certificates to authenticate communication between their fleet management systems and central servers. Online marketplaces employ cert.uz certificates for secure customer payment processing.

Security and Incidents

Notable Breaches

Over the past decade, cert.uz has remained largely free from major security incidents. However, in 2016, an attempted phishing campaign targeted users of the cert.uz portal by distributing spoofed login pages. The Ministry of Digital Development responded by deploying an additional layer of two‑factor authentication and conducting a public awareness campaign. In 2019, a vulnerability was discovered in the OCSP responder software; a patch was issued within 48 hours, and no successful exploits were reported.

Mitigation Measures

To mitigate potential threats, cert.uz employs a multi‑layered defense strategy:

  1. Physical security controls, including biometric access to data centers and continuous CCTV monitoring.
  2. Network segmentation and firewall rules that restrict external access to critical components.
  3. Encryption of all data at rest and in transit using TLS 1.2 or higher.
  4. Regular penetration testing conducted by accredited third‑party security firms.

The platform also incorporates automated alerting for suspicious login attempts and certificate issuance anomalies.

Security Audits

Security audits are conducted annually, with the most recent audit in 2022 confirming compliance with ISO/IEC 27001, Common Criteria, and national cybersecurity directives. The audit report highlighted areas for improvement, including the migration of the root CA to a newer HSM model and the adoption of quantum‑resistant algorithms in the future.

Future Plans and Developments

Cert.uz is actively researching the integration of post‑quantum cryptography (PQC) to future‑proof its infrastructure. The Ministry has announced a roadmap that includes:

  • Evaluating PQC algorithms such as Falcon, Rainbow, and Dilithium for potential deployment.
  • Implementing a phased migration plan to replace legacy RSA/ECDSA certificates with PQC certificates where feasible.
  • Establishing a public key infrastructure that supports both conventional and quantum‑resistant algorithms concurrently.

In addition, the platform plans to enhance its service offering by introducing automated certificate lifecycle management APIs. These APIs will allow enterprises to programmatically request, renew, and revoke certificates, reducing manual administrative overhead and enabling tighter integration with DevOps pipelines.

Other Uzbek CAs

While cert.uz serves as the primary national CA, several commercial CAs operate within Uzbekistan, offering alternative certificate services to businesses that require cross‑border compatibility. These entities often rely on cert.uz for local validation points and participate in joint certificate trust frameworks.

International Partnerships

Cert.uz has established formal trust agreements with the European Union’s Trusted List for Electronic Identification (eIDAS), the US Federal Government’s Root Certificate Program, and the Asian Development Bank’s certificate infrastructure. These partnerships facilitate mutual recognition of certificates and support international trade and e‑government collaboration.
