• Tegona ICAO PKI
  • Public Key Infrastructure
  • for ID & Travel Documents

ICAO compliant PKIeID/eMRTD issuancePublic Digital Identity

Read more


Tegona Key Management System (TKMS) is a Public Key Infrastructure solution for the
issuance & management of digital certificates. TKMS provides both a signing stack for the electronic signature and a verification stack ensuring the inspection of identity & travel documents.

TKMS is a state-of-the-art integrated PKI system compliant with standards and recommendations issued by the International Civil Aviation Organisation (ICAO) and the German Federal Office for Information Security (BSI - Bundesamt für Sicherheit in der Informationtechnik).


Features & Benefits

TKMS provides the necessary signature and inspection features for identity and
travel documents' production and management. Tegona PKI system can be used for all kind of secure documents, such as: ePassport (diplomatic, services, ordinary), eID card,
eVisa/Visa, consular card, driving licence...

ICAO/BSI compliant

TKMS is a state-of-the-art integrated PKI system compliant with ICAO (BAC/SAC/PACE) and BSI (EAC) standards.


CSCA/CVCA, DS/DV, PS/IS and nPKD: each software components to be provided individually or fully integrated with the others.

Fully equipped

Provided with HSMs – Hardware Security Modules (nCipher, Atos Proteccio, SafeNet or else), servers and network equipments.

Production Suite

One single API for signature, personalisation and verification features (DS/DV + PS/IS).


Certificate issuance, registration & verification capabilities. Configurable certificate profiles.

Country adaptable

Adaptable to each country certificate policies (CP/CPS). Management of link certificates to replace existing PKI systems.


As a core PKI, TKMS empowers all components required, which can be delivered individually or fully integrated with the others, thus forming a complete turn-key ICAO PKI solution .


Country Signing Certificate Authority & Country Verifying Certificate Authority:

ICAO/BSI compliant Country Certificate Authorities, root authorities that are unique for each country and essential prerequisite before any document issuance.



Document Signer (DS): back-end for the preparation and the signature of personalised data. Document Verifier (DV/DVCA): intermediate authority which provides digital certificates to the Inspection System (IS). In a context of documents’ production, the DV component can be used as a QVCA component.



Personalisation System: this software component is responsible for the electrical & graphical personalisation. Inspection System: this software component is in charge of the quality assurance and verification of the document for border control and law enforcement.

n / PKD

National Public Key Directory, component for the transfer and management of certificates to/from the ICAO PKD directory, the central repository for exchanging required information to authenticate ePassports.


Production / Suite

One single API as a one-stop-shop system for ePassport, eID Card and other secure documents’ personalisation and inspection. Document Signer (DS) + Document Verifier (DV) + Personalisation System (PS) + Inspection System (IS) provided as a unique API to be easily integrated to the CSCA/CVCA.


x509 Signature / Digital ID

Our core PKI system also provides functionalities dedicated to Digital Identity. TKMS x509 is compliant with RFC 5280 standards and is in charge of the issuance of certificates required for the digital identity. TKMS x509 can also be used as a general purpose PKI system.

Use cases

Customisable and component-oriented, Tegona Key Management System (TKMS) can be delivered in many ways; either within a new PKI project (new document issuance for instance) or in the context of a Public Key Infrastructure renewal. TKMS can also be provided with only the necessary software components to be integrated into an existing infrastructure.

1 Full TKMS

In this scenario, Tegona would supply and integrate a complete end-to-end infrastructure dedicated to the signature and inspection of secure documents, i.e. Root Certification Authorities (CSCA/CVCA), Document Signer & Verifier (DS/DV) and Personalisation & Inspection Systems (PS/IS). DS/DV & PS/IS would be provided for every personalisation centers. Every component would be delivered as physical appliances with HSMs embedded.

2 CSCA/CVCA only

In this context, Tegona would provide and integrate Root Certificate Authorities only, for the renewal/replacement of a country ICAO PKI for instance (as these components can only exist once in each country). CSCA & CVCA software would be supplied with servers and HSMs (with redundant infrastructure if requested). Continuity of the certificate chain is guaranted by signed linked certificates.

3 Production Suite

In this last example, Tegona would only deliver and integrate necessary PKI components involved in the production & quality assurance, as part of a new project or passport / ID card renewal. In this case, the supplied system would be integrated through an API to the country existing Root Certificate Authorities. DS/DV  & PS/IS are provided in all personalisation centers, with servers and HSMs, or virtualised. The suite is fully integrated to personalisation & inspection equipments.

Our 4-points PKI solution

TKMS is a state-of-the-art PKI solution, compliant with ICAO, BSI and RFC 5280
standards and recommendations
for the issuance of digital certificates
and the personalisation of secure documents.

Look no further ! Contact us





Founded in 2009, Tegona is a digital security
system provider based in Geneva, Switzerland.


Tegona provides software, hardware & services for, among
others, Identity & Travel documents management.


Tegona works with governments, manufacturers
& integrators all over the world.




+41 22 552 20 00






Chemin du Champ des Filles 36,

Plan-les-Ouates / Geneva