
Inside Symantec's secret SSL Certificate Vault (pictures)

A beige building in an average office park leads to some of the most closely guarded secrets of the Internet.

James Martin
James Martin is the Managing Editor of Photography at CNET. His photos capture technology's impact on society - from the widening wealth gap in San Francisco, to the European refugee crisis and Rwanda's efforts to improve health care. From the technology pioneers of Google and Facebook, photographing Apple's Steve Jobs and Tim Cook, Facebook's Mark Zuckerberg and Google's Sundar Pichai, to the most groundbreaking launches at Apple and NASA, his is a dream job for any documentary photography and journalist with a love for technology. Exhibited widely, syndicated and reprinted thousands of times over the years, James follows the people and places behind the technology changing our world, bringing their stories and ideas to life.
1 of 21 James Martin/CNET

Hidden in plain sight

Near a wide, meandering road with meticulous landscaping, a single unmarked front door in an unassuming beige building in a rather average office park leads to some of the most closely guarded secrets of the Internet.

The door buzzed and we stepped inside and were signed in by the 24-hour security guards seated behind protective glass. Immediately, I noticed that it was no ordinary lobby. The small room had all the signs of a guaranteed defense: the guards, security cameras watching, and each door protected by keypad access. We had passed the first of many outer gateways to access the Symantec SSL Certificate Vault.
2 of 21 James Martin/CNET

Biometric security

Access to this specific building, one of four main data centers that handle Symantec's Public Key Infrastructure, is tightly restricted. Only employees whose job gives them a specific reason to enter are allowed into the building -- even the CEO doesn't have access.

Doors at the facility have biometric readers, including fingerprint and iris scanners, for access, with fewer and fewer employees approved as you get closer to the center of the building.
3 of 21 James Martin/CNET

Inside the Trust Services 24-7 Operations Center

In the Trust Services Operations Center, behind at least four levels of security doors, engineers monitor the health of the Symantec security network, including keeping an eye on Internet traffic around the globe 24 hours a day, seven days a week.
4 of 21 James Martin/CNET

Double-layered metal mesh walls

As we make our way through layers of security toward the center of the building, our guide describes the unusual walls, which are double layers of metal mesh that run from floor to ceiling. There are no false ceilings here, to prevent intruders from climbing over walls and through the ceilings to gain access.

Down this corridor, through a door protected by a fingerprint scanner, is the data center that issues Symantec's digital certificates on behalf of businesses and answers the browser checks on them: about 4.5 billion lookups a day in which a browser asks whether a certificate it has been presented is still valid or has been revoked, using the Online Certificate Status Protocol (OCSP).
5 of 21 James Martin/CNET

Warning signs

The Symantec SSL Certificate Vault is protected against virtually every threat possible, from hackers to earthquakes to fires.
6 of 21 James Martin/CNET

Keypads, iris scanners, and fingerprint readers

Keypads, iris scanners, and fingerprint readers restrict access to many layers of security throughout the building. Hallways with increasingly tight access wind toward the center, where the Key Ceremony takes place, and the most valuable security information is created and stored. Understandably, the security network is military grade, with practices based on Department of Defense standards for the storing of classified material.
7 of 21 James Martin/CNET

Inside the data center

Inside the cool hum of one of Symantec's data centers, of which there are 14 worldwide, the servers that vouch for digital certificates answer more than 4.5 billion status lookups each day, the checks that let a browser trust a site's certificate before a secure transaction begins.

In less than a second, the system confirms to the browser that the certificate a Web site presents, which binds the site's identity to its public cryptographic key, is one Symantec issued and has not since been revoked.
8 of 21 James Martin/CNET

Piezoelectric lock

The entrance to the data center at the core of the building is behind many layers of security, and restricted to personnel with a verified need to know, which requires an additional two-factor authentication, including biometrics. The servers are secured behind military-grade electronic locks.

This piezoelectric gyro-generator lock needs no external wiring: rotating the face spins the generator and charges the lock's battery, which then powers the electronic lock.
9 of 21 James Martin/CNET

Data Center corridors

We briefly entered the Data Center room, a highly secure core where Symantec's digital certificates are stored. The room rarely sees any outside visitors.
10 of 21 James Martin/CNET

Symantec's watchful eye

Security cameras are plentiful throughout the building -- wherever we were, someone was watching. No one wanders these halls alone. Many security doors require two people to enter together -- and those same two people must badge out and leave together as well when exiting a room.
11 of 21 James Martin/CNET

Iris scanner verification

Continuing on down a series of narrow corridors, we're taken next to an unmarked room with an iris scanner mounted at its side: the Key Ceremony Room.

With irises scanned, badges scanned, and PINs entered, we're granted access to the heart of the Symantec verification process. It is here that the keys that verify all those billions of transactions a day are first created.
12 of 21 James Martin/CNET

Motion detector in the Key Ceremony room

A motion detector mounted on the ceiling inside the Key Ceremony room.
13 of 21 James Martin/CNET

Inside the inner vault

Inside, behind yet another layer of security, is the vault, which is inside this highly secure room with iris-scanner access. This is "probably the most secure room on campus," says our guide. There are 120 safe deposit boxes inside nine fireproof media storage safes within a burglar-proof cage with a special lock. No one can enter the room alone, and multiple keys are needed to open the locks, with only specific people trusted with the access combinations.
14 of 21 James Martin/CNET

Expanded metal mesh

Expanded metal mesh is used in the walls to create a secure vault at the most central core of the building.
15 of 21 James Martin/CNET

Cryptographic Hardware Security Module tokens

The Hardware Security Modules are cryptographic tokens used to generate, and then hold, the certificate authority's public and private key pairs; the private keys sign the certificates that prove Web sites are legitimate. These are stored in the most interior core of the Symantec Vault, protected by layer on layer of military-grade security.
16 of 21 James Martin/CNET

Tokens are used to generate a key pair

The token used to generate a key pair is inserted into a card reader connected to a PIN entry device. The PIN device is connected in turn to the computers on which the operator runs the Certificate Authority application. The device also reads the data off the plastic USB shares that the shareholders have in their possession: the secret that unlocks the token is split into pieces, each shareholder holds one, and the pieces have to be presented together before the token will operate.
17 of 21 James Martin/CNET

Keys to password bits

These "keys" each unlock one part of the password that unlocks a token, so no single person can activate it; only when enough shareholders combine their parts during the Key Ceremony can a key pair be created.
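The split-up password and the shareholders' USB shares described in the two captions above are an instance of M-of-N secret sharing. What follows is an added illustration written for this page, not Symantec's software: the article does not say which scheme is used in the vault, so the code uses Shamir's scheme over a prime field as a stand-in. The 3-of-5 threshold, the 32-byte "token activation secret", and the SHA-256 fingerprint recorded so a wrong or tampered share can be caught are all assumptions made for the example.

```python
"""Added example of M-of-N secret sharing (Shamir's scheme over GF(p)).

Not Symantec's code. The scheme, the 3-of-5 split, the 32-byte secret and
the fingerprint check are assumptions chosen to illustrate the captions.
"""
import hashlib
import secrets
from typing import List, Tuple

PRIME = 2**521 - 1  # Mersenne prime M521; the field must be larger than the secret

Share = Tuple[int, int]  # (x index, y value)


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Horner evaluation of coeffs[0] + coeffs[1]*x + ... modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_secret(secret: bytes, threshold: int, n_shares: int) -> List[Share]:
    """Split `secret` into n_shares pieces; any `threshold` of them recover it."""
    if not 1 < threshold <= n_shares:
        raise ValueError("need 1 < threshold <= n_shares")
    s = int.from_bytes(secret, "big")
    if s >= PRIME:
        raise ValueError("secret too large for the field")
    # Random polynomial of degree threshold-1 whose constant term is the secret.
    coeffs = [s] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n_shares + 1)]


def recover_secret(shares: List[Share], length: int) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 from the given shares."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index presented")
    total = 0
    for xi, yi in shares:
        num, den = 1, 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        total = (total + yi * num * pow(den, -1, PRIME)) % PRIME
    return total.to_bytes(length, "big")


def fingerprint(secret: bytes) -> str:
    """Value written into the ceremony script so a reconstruction can be checked."""
    return hashlib.sha256(secret).hexdigest()


def unlock_token(presented: List[Share], threshold: int, length: int,
                 expected_fp: str) -> bytes:
    """Quorum check: refuse below threshold, reject a wrong reconstruction."""
    if len(presented) < threshold:
        raise PermissionError(f"{len(presented)} shares presented, {threshold} required")
    candidate = recover_secret(presented[:threshold], length)
    if fingerprint(candidate) != expected_fp:
        raise ValueError("reconstructed secret does not match the recorded fingerprint")
    return candidate


def demo() -> dict:
    """Constructed scenario: a 32-byte activation secret split 3-of-5."""
    secret = secrets.token_bytes(32)
    shares = split_secret(secret, threshold=3, n_shares=5)
    fp = fingerprint(secret)
    # Any three shareholders, in any order, unlock the token.
    recovered = unlock_token([shares[1], shares[4], shares[2]], 3, 32, fp) == secret
    # Two shareholders are refused before any arithmetic happens.
    try:
        unlock_token(shares[:2], 3, 32, fp)
        below_threshold_refused = False
    except PermissionError:
        below_threshold_refused = True
    # A tampered share passes the head count but fails the fingerprint check.
    bad = [(shares[0][0], shares[0][1] ^ 1), shares[1], shares[2]]
    try:
        unlock_token(bad, 3, 32, fp)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    return {"recovered": recovered,
            "below_threshold_refused": below_threshold_refused,
            "tamper_detected": tamper_detected}


if __name__ == "__main__":
    print(demo())
```

The fingerprint is what makes the quorum check more than a head count: fewer than the threshold of shares yields a value that is uniformly random over the field, and a single corrupted share does the same, so without a recorded check value an operator could not tell a good reconstruction from a bad one.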
18 of 21 James Martin/CNET

The Key Ceremony script

A thick packet serves as the Key Ceremony script, detailing the steps needed to create digital keys and certificates, something few outsiders have seen. The entire Key Ceremony is videotaped, with every keystroke and mouse click recorded for posterity.

This formal process can last from 20 minutes to multiple hours, depending on the size and complexity of the keys created.
19 of 21 James Martin/CNET

The Key Ceremony begins

Other than the security cameras and motion sensors, it's a rather ordinary looking conference room with half a dozen chairs, a large table, and a few pens at its center. A video camera on a tripod hooked up to a recording console is pointed at two normal looking Windows computers against the wall. These machines, which are kept disconnected from the Internet (air-gapped) for security reasons, are used to create the cryptographic keys and the digital certificates that wrap them.
20 of 21 James Martin/CNET

Key Ceremony PIN entry device

The PIN entry device is connected to the computers where the operator is using the Certificate Authority application during the Key Ceremony.
21 of 21 James Martin/CNET

Uniquely serialized tamper evident envelopes

After the Key Ceremony is completed and the cryptographic keys and their digital certificate wrappers are created, the master is filed away in a uniquely serialized, tamper evident envelope and locked in the safe, in the cage, in the vault, inside the corridors of one of the Internet's best kept, and most secure, secrets, where billions of safe and secure transactions are made possible each day.
