PROTECT YOUR DATA AND YOUR NETWORK DEVICES
The DOCSIS® PKI
Since the standardization of version 1.1 of the protocol for our DOCSIS® public key infrastructure (PKI), the broadband industry has relied on public key cryptography (PKC) to ensure secure and strong authentication across networks.
The use of strong cryptography helps cable operators deter the theft of—or unauthorized access to—cable services and enables confidentiality that protects subscriber network traffic. Specifically, the DOCSIS protocol uses X.509 certificates issued from the DOCSIS PKI to verify that a device is a legitimate entity authorized to join the network. This applies, for example, to cable modems or Remote PHY (R-PHY) nodes.
DOCSIS PKI X.509 digital certificates and PKIs protect DOCSIS identities and have resulted in a scalable, interoperable and easy-to-deploy key management system for the entire industry.
Evolving and Adapting Technology
CableLabs maintains and operates the secure PKI for issuing digital certificates for use in DOCSIS networks. The DOCSIS PKI currently supports two separate generations of the infrastructure (the “legacy” and the “modern” PKI). With hundreds of millions of active certificates and billions of issued certificates overall, our trust infrastructure has become one of the largest ever deployed worldwide.
Want more information on forms, pricing, test certificates and FAQs? Visit the Security Document Library.
Existing PKI participants can directly download the authorization agreement from the Security Document Library. Make sure to fill out all relevant fields and return it, signed, to the PKI Operations Team.
Generations of DOCSIS PKI
The first-generation “legacy” DOCSIS PKI was established in 2001 and provides certificates used in DOCSIS 1.1-3.0 and other protocols—for example, DOCSIS Provisioning of EPON (DPoE). The second-generation DOCSIS PKI is referred to as the “modern” PKI. CableLabs established this ecosystem in 2014. It provides certificates used in DOCSIS 3.1 and DOCSIS 4.0 protocols, as well as others (e.g., R-PHY). CableLabs regularly submits evidence for the WebTrust for Certification Authorities (CA) audits to ensure that the PKI is operated at a high level of trust.
How Does DOCSIS PKI Work?
The DOCSIS protocol uses X.509 certificates to verify the identity of devices connecting to the network. Device certificates are issued from the DOCSIS PKI and installed during manufacturing. When a cable modem (CM) is connected to the network, the installed certificate securely authenticates it. In order for the cable modem termination system (CMTS) to authorize a CM on the network, it must check that the CM certificate is valid and chains to (or is signed by) the DOCSIS root CA certificate (also called a trust anchor).
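The CMTS-side check described above (the CM certificate must be within its validity period and chain to the trust anchor), as an added example that is not CableLabs code. It uses Go's standard crypto/x509 package; the certificate names, the single intermediate "device CA", the throwaway Ed25519 keys and the function names `issue` and `authorize` are assumptions for illustration and do not follow the DOCSIS certificate profile.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue builds a constructed test certificate for cn, signed by parent (self-signed if parent is nil).
func issue(cn string, isCA bool, parent *x509.Certificate, pk ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	_, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject: pkix.Name{CommonName: cn}, IsCA: isCA, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	}
	if parent == nil {
		parent, pk = t, key // root CA: signs itself
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, key.Public(), pk)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// authorize accepts the CM certificate only if it is valid at time now and chains to the trusted root.
func authorize(cm, deviceCA, root *x509.Certificate, now time.Time) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)     // trust anchor configured on the CMTS
	inter.AddCert(deviceCA) // intermediate presented alongside the CM certificate
	_, err := cm.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, CurrentTime: now})
	return err
}

func main() {
	root, rootKey := issue("Constructed Root CA", true, nil, nil)
	ca, caKey := issue("Constructed Device CA", true, root, rootKey)
	cm, _ := issue("constructed-cm-00:11:22:33:44:55", false, ca, caKey)
	fmt.Println("authorized:", authorize(cm, ca, root, time.Now()) == nil)
}
```

A certificate issued under a different root, or one checked after its `NotAfter` time, makes `authorize` return an error instead of `nil`.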
Because DOCSIS PKI certificates can be used only on certified devices, manufacturers are required to certify that their products meet CableLabs’s standards for DOCSIS compliance and interoperability with other devices.
How Can I Participate?
If you’re an existing CableLabs vendor/partner or a new manufacturer seeking to deploy secured equipment within a DOCSIS network, there are resources available for you to initiate the account setup process with us. Please fill out the contact form for direct access to the CableLabs DOCSIS PKI Team.
Beyond DOCSIS: PacketCable PKI and OpenCable PKI
In addition to the DOCSIS ecosystem, CableLabs administers the PKI for equipment that utilizes standards for OpenCable (video) and PacketCable (telephony).
If you’re a manufacturer of equipment that operates across any of these standards, please contact the CableLabs PKI Team.
DOCSIS PKI supports various products for a range of infrastructure needs:

Device Certificates
Device certificates for DOCSIS devices allow for secure authentication of your devices and network nodes. These certificates are installed at the time of manufacturing.

Code Validation Certificates (CVCs)
CVCs allow for signing of software images. Both manufacturers and operators can acquire this type of certificate to securely manage the secure software download (SSD) process.

Service Provider Certificates (SPCs)
SPCs provide support for the infrastructure certificates as needed by operators. This type of certificate is available only to operators.

