Jellyfish

Deployment Resource Reference 

Jellyfish is Cogito Group’s modular platform for identity, device, crypto, PKI, certificate lifecycle, and smartcard management. It’s built as a set of microservices that you can run all-in-one for pilots or distribute and scale for production (Cloud, Hybrid, On-Prem).  

[Figure 1 - Jellyfish System]

System Architecture 

Primary Systems 

Jellyfish brings together a complete suite of enterprise security services, including Identity and Device Management, Cryptographic Services, Certificate Lifecycle Management, Public Key Infrastructure (with RA, VA, and CA connectors), and Card Management. These core systems operate with shared database and audit components, powered by PostgreSQL with optional Redis acceleration for performance and scalability. 

Design Principles 

Built on a modern microservice architecture, Jellyfish delivers flexibility, resilience, and security at scale. Services communicate over gRPC, with REST APIs and webhooks enabling easy integration into existing environments. Advanced RBAC, SSO, MFA, and mTLS between services ensure a secure and governed operational framework. All audit data can be forwarded to SIEM systems for centralized visibility. 

Security Foundation 

Jellyfish’s cryptographic core is anchored in HSM-backed key protection using the PKCS11 standard. The platform supports BYOK and key export with end-to-end encryption, along with OCSP/CRL validation, offline root CA support, and true random number generation (TRNG) through certified HSMs, ensuring the highest levels of trust and compliance.

Deployment Models 

Model | Orchestration | Use Case
All-in-One (Pilot/Lab) | Single Linux VM with Docker Compose | Quick start, training, testing, offline installs.
Integrated | Self-managed VMs/Cloud (multi-VM), external DB/HSM | Online issuance with RA/VA, CLM, directory and network integrations.
Enterprise / HA | Swarm, Orchestrator or manual install of microservices on multiple hosts | High availability, horizontal scale, SIEM, HSM partitions.

Core Components 

Component | Role
IDM, Authentication | Identity, SSO/OIDC, MFA, RBAC/ABAC, API/service accounts.
CMDB, Monitoring, NetworkAccess | Device inventory & lifecycle, 802.1X RADIUS (EAP-TLS), SSH key & IP/VLAN tracking.
Crypto, CogHSM | Keygen, signing, encryption; TRNG; BYOK/key export.
PKI, CogVA, CA Connectors | Template/CSR rules, issuance/renewal/revocation, OCSP/CRL responses.
Discovery, Polling, ACME, SCEP, AEX, EST, CMPv2 | Certificate discovery, monitoring, auto-renewal, domain violation reporting.
Security Client, CMS, Agents | Smartcard issuance, PIN services, PACS/LACS integration.
Database, PostgreSQL, Redis | Central data layer; ORM access; backups/DR.
Audit, SIEM | System-wide event capture, view in portal, forward to SIEM.

Quick Installation 

The Jellyfish platform can be deployed in a few straightforward stages to get your PKI environment up and running. Each stage focuses on preparing core services, establishing trust with a Certificate Authority, and enabling secure certificate operations. Whether deployed via Docker, Linux, or Windows, the process ensures a consistent and controlled setup for both production and evaluation environments. 

[Figure 2 - Jellyfish Installation]

Stage 1: Run Containers 

Start the Jellyfish containers or operating system services. Ensure all core components are running and accessible within your environment. 

Stage 2: Connect HSM 

Configure your chosen HSM provider that supports the PKCS#11/Cryptoki standard. This establishes secure key storage and hardware-backed cryptographic operations. 

Stage 3: Create Certificate Authority 

Set up your first Certificate Authority by either connecting to an existing CA or bootstrapping a new one within Jellyfish. This forms the trust anchor for your environment. 

Stage 4: Enrol Certificates  

Define certificate templates to standardize certificate issuance across different systems, users, and applications. Enrol your first certificates through the Jellyfish portal, or set up automation through ACME, SCEP, AEX, EST, or CMPv2.

Stage 5: Bootstrap Tenancy 

Access the Jellyfish web portal to create the initial management tenancy and superuser account. This establishes administrative control and access to the platform. 

System Integrations 

Supported Hosts 

Base | Provider | Notes
Docker | Jellyfish Orchestrator | Automated deployment with streamlined service coordination and lifecycle management.
Docker | Swarm | Native Docker clustering for scaling services across multiple hosts.
Docker | Compose | Simplified configuration for pilot/lab scenarios.
Linux | Ubuntu 24.04+, Debian 12+ | Debian packages offering a straightforward installation process.
Linux | RHEL 8+, AlmaLinux 8+ | Executables aligning with Red Hat-based infrastructure and compliance standards.
Windows | Windows Server 2022+ | Provides full integration into Windows environments, supporting Active Directory.

Supported HSMs 

Provider | Performance | Security | Setup Simplicity
Entrust nCipher nFast | ★★★★★ | ★★★★★ | ★★★☆☆
Thales Luna HSM | ★★★★★ | ★★★★★ | ★★★☆☆
Utimaco CSe/Se | ★★★★★ | ★★★★★ | ★★★☆☆
SoftHSM | ★☆☆☆☆ | ★★☆☆☆ | ★★★★☆
SoftKeys | ★★☆☆☆ | ★☆☆☆☆ | ★★★★★

  • Hardware key security - PKCS11/Cryptoki enables access to most HSM providers.
  • Software key security - SoftHSM, SoftKeys or PKCS12 support.

Jellyfish integrates with HSM providers that support the PKCS#11/Cryptoki standard. It is compatible with leading hardware solutions such as Entrust nCipher, Thales Luna, and Utimaco CSe, providing high performance and hardware-grade key protection for enterprise deployments. For pilot or lab environments, SoftHSM and SoftKeys offer flexible, software-based alternatives that simplify setup and testing. 

Supported CAs 

Provider | Notes
Jellyfish Leviathan | Leviathan is Cogito Group’s high-performance, enterprise-grade PKI solution designed to provide organisations with complete control over their digital trust infrastructure. Built with scalability at its core, Leviathan adapts to environments of any size, from self-contained deployments to complex, multi-region clustered architectures.
EJBCA | EJBCA Enterprise covers certificate issuing, management, and certificate validation. The open-source CA can easily be scaled to match the needs of your PKI, with the latest quantum cryptography support.
AD CS | Microsoft Windows Active Directory Certificate Services provides public key infrastructure for cryptography, digital certificates and signature capabilities.
Unicert | Unicert provides all the functionality needed to implement a Public Key Infrastructure (PKI) system: certificate registration, PKI management, a Certification Authority, and certificate lifecycle management functions.
ACM | AWS Certificate Manager handles the complexity of creating, storing, and renewing public and private SSL/TLS X.509 certificates and keys that protect your AWS websites and applications.

System Requirements 

Host Requirements 

Resource | Minimum | Recommended
CPU | 2 cores | 8 cores
Memory | 2 GB | 12 GB
Disk | 30 GB | 100 GB

High Availability Requirements 

The Jellyfish PKI platform is designed for continuous operation across multiple hosts and regions.

Multi-Host Deployment 

  • Supports distributed deployment across multiple servers or containers. 
  • Eliminates single points of failure through redundancy and load balancing. 
  • Enables automatic failover and horizontal scaling within the same environment. 
  • Compatible with container orchestration or OS-level clustering. 

Multi-Region Deployment 

  • Supports deployment across geographically separated regions. 
  • Provides regional redundancy for disaster recovery and service continuity. 
  • Synchronizes key components to maintain consistent operations. 
  • Optimizes performance and resilience in cloud or hybrid infrastructures. 

Protocols & Features 

Certificate Authorities 

Jellyfish manages and secures Certificate Authorities to establish trusted digital identities within your organization. It supports both internal and external CAs, ensuring centralized control, policy enforcement, and compliance with security standards. 

Certificate Templates 

Create and manage certificate templates to standardize issuance across your environment. Templates simplify configuration, enforce consistent policies, and streamline certificate requests for users, devices, and applications. Jellyfish templates support multiple Certificate Authorities, allowing organizations to define and apply consistent settings across different CAs. 

Certificate Enrolment Automation 

Automate certificate enrolment with support for ACME, SCEP, AD, EST and CMPv2 protocols. These standards enable seamless integration with devices, servers, and applications to ensure certificates are issued, renewed, and replaced without manual effort. 

Certificate Lifecycle Management 

Gain complete visibility and control over every certificate in your environment. Easily view, issue, renew, or revoke certificates from a single interface to reduce risk and maintain continuous trust. 

Smartcard Management 

Jellyfish provides smartcard management with integrated printing, provisioning, and PIN management tools. It supports both logical (LACS) and physical (PACS) access systems, making credential issuance fast, secure, and efficient.

Audit Stack 

Maintain full accountability with comprehensive auditing and reporting. Every certificate, user action, and policy change is logged to support compliance, transparency, and forensic review when needed. 

Operational Recommendations 

  • Network: Low-latency connectivity between components, with latency not exceeding 250 ms.
  • Time Sync: All nodes must use NTP with ≤ 100 ms drift.
  • Security Controls: Mutual TLS, N-of-M Custodian access, and restricted OS accounts.
  • Operating Systems: RHEL 8+/Ubuntu 22.04+/Windows Server 2022+.
  • Compliance: FIPS 140-3 HSM modules with Post-Quantum algorithms.
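As an added pre-flight check (example code, not Cogito Group's tooling), the following Python evaluates a host against the minimum host specification and the latency and time-sync limits stated above. The `chronyc tracking` and `ping` output it parses are constructed samples in those tools' real formats.

```python
import re

# Thresholds taken from the reference above: minimum host spec and operational limits.
MIN_CORES, MIN_MEM_GB, MIN_DISK_GB = 2, 2, 30
MAX_LATENCY_MS, MAX_NTP_DRIFT_MS = 250, 100

# Constructed sample output in the real `chronyc tracking` and iputils `ping` formats.
CHRONYC_SAMPLE = """Reference ID    : C0A80001 (ntp.example.internal)
Stratum         : 3
System time     : 0.000312000 seconds fast of NTP time
Last offset     : +0.000087000 seconds
"""
PING_SAMPLE = """--- 10.0.1.20 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 0.412/0.537/0.801/0.140 ms
"""

def ntp_drift_ms(chronyc_tracking: str) -> float:
    """Absolute clock offset from chrony's 'System time' line, in milliseconds."""
    m = re.search(r"^System time\s*:\s*([\d.]+) seconds (?:fast|slow) of NTP time",
                  chronyc_tracking, re.MULTILINE)
    if not m:
        raise ValueError("no 'System time' line: is chronyd running and synchronised?")
    return float(m.group(1)) * 1000.0

def peer_latency_ms(ping_output: str) -> float:
    """Average round-trip time from ping's 'rtt min/avg/max/mdev' summary line."""
    m = re.search(r"rtt min/avg/max/mdev = [\d.]+/([\d.]+)/[\d.]+/[\d.]+ ms", ping_output)
    if not m:
        raise ValueError("no rtt summary: peer unreachable or 100% packet loss?")
    return float(m.group(1))

def check_host(cores: int, mem_gb: float, disk_gb: float,
               drift_ms: float, latency_ms: float) -> list:
    """Return the failed checks; an empty list means the host meets every threshold."""
    checks = [
        (cores >= MIN_CORES, f"cpu: {cores} cores, minimum {MIN_CORES}"),
        (mem_gb >= MIN_MEM_GB, f"memory: {mem_gb} GB, minimum {MIN_MEM_GB} GB"),
        (disk_gb >= MIN_DISK_GB, f"disk: {disk_gb} GB, minimum {MIN_DISK_GB} GB"),
        (drift_ms <= MAX_NTP_DRIFT_MS, f"time sync: {drift_ms:.1f} ms drift, limit {MAX_NTP_DRIFT_MS} ms"),
        (latency_ms <= MAX_LATENCY_MS, f"network: {latency_ms:.1f} ms to peer, limit {MAX_LATENCY_MS} ms"),
    ]
    return [msg for ok, msg in checks if not ok]

if __name__ == "__main__":
    # In use, replace the samples with the output of `chronyc tracking` and `ping -c 5 <peer>`.
    failures = check_host(8, 12, 100, ntp_drift_ms(CHRONYC_SAMPLE), peer_latency_ms(PING_SAMPLE))
    print("host ready" if not failures else "\n".join(failures))
```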