An introduction to EJBCA and SignServer
PrimeKey Solutions AB
Tomas Gustavsson
http://www.primekey.se
[email protected]
• EJBCA and SignServer
• Euro PKI projects and use cases
EJBCA - Open Source Enterprise PKI
• EJBCA PKI
  • Central Certificate Authority
• EJBCA OCSP
  • Online certificate status validation
• SignServer
  • Modular server-side signature and validation
  • PDF, XML, ODF, OOXML signing
  • MRTD Document Signer
  • Time Stamp Authority
  • …
Enterprise class PKI built on JEE technology.
EJBCA - Open Source Enterprise PKI
• Open Source
  • LGPL v2.1 or later
• Freely available
  • ejbca.org, signserver.org
  • Hosted on sourceforge, public svn
  • Download all versions with full source from sourceforge.net
• Open community
  • Forum, mail lists, irc
  • Patches, translations, documentation
• Professional open source PKI by PrimeKey
  • Full time development staff
  • Commercial support with different SLAs: standard, advanced, 24/7
  • Professional services
EJBCA - Open Source Enterprise PKI
• Secure communication with SSL servers and SSL clients.
• Strong authentication for users (web, email, custom apps, etc.).
• Network authentication (802.1x).
• Smart card logon to Windows, Linux, etc.
• VPN connections and client VPN access with certificates in users' VPN clients.
• Single sign-on by using a single certificate to secure logon to web applications.
• Document signing (personal or enterprise signatures).
• Signing and encrypting email.
• Issue certificates to electronic IDs.
• BAC and EAC ePassports.
Certificate Lifecycle Mgmt
Certificate Lifecycle Management, what does it mean?
Managing certificates through all the stages of their lifetime.
Certificate
Issue
Renew
Revoke/expire
Suspend/re-activate
Certificate states:
• Not yet valid
• Valid/active
• Expired
• Revoked
• Suspended
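The states and operations on this slide as a small state model, added here as an illustration (not EJBCA code or its API). The `Cert` class, the `ALLOWED` transition table and the precedence between states are assumptions chosen for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOT_YET_VALID, ACTIVE, EXPIRED, REVOKED, SUSPENDED = (
    "not yet valid", "valid/active", "expired", "revoked", "suspended")
ALLOWED = {  # operation -> states it may start from (assumed policy, not EJBCA's)
    "suspend": {ACTIVE, NOT_YET_VALID},
    "re-activate": {SUSPENDED},
    "revoke": {ACTIVE, NOT_YET_VALID, SUSPENDED},
    "renew": {ACTIVE},
}

@dataclass
class Cert:
    serial: int
    not_before: datetime
    not_after: datetime
    revoked: bool = False  # permanent and terminal
    on_hold: bool = False  # temporary; CRL reason code certificateHold

    def state(self, now):
        # Assumed precedence: revoked, then expired, then suspended, then dates.
        if self.revoked:
            return REVOKED
        if now > self.not_after:
            return EXPIRED
        if self.on_hold:
            return SUSPENDED
        return NOT_YET_VALID if now < self.not_before else ACTIVE

    def apply(self, operation, now, lifetime=timedelta(days=365)):
        current = self.state(now)
        if current not in ALLOWED[operation]:
            raise ValueError(f"cannot {operation} a certificate that is {current}")
        if operation == "renew":  # issues a new certificate, old one unchanged
            return Cert(self.serial + 1, now, now + lifetime)
        self.revoked, self.on_hold = operation == "revoke", operation == "suspend"
        return self

def walk_lifecycle():
    t0, day = datetime(2024, 1, 1, tzinfo=timezone.utc), timedelta(days=1)
    cert = Cert(1, t0, t0 + 365 * day)  # constructed sample certificate
    seen = [cert.state(t0 - day), cert.state(t0 + day)]
    seen.append(cert.apply("suspend", t0 + 2 * day).state(t0 + 3 * day))
    seen.append(cert.apply("re-activate", t0 + 4 * day).state(t0 + 5 * day))
    renewed = cert.apply("renew", t0 + 300 * day)
    seen.append(cert.apply("revoke", t0 + 301 * day).state(t0 + 302 * day))
    seen.append(cert.state(t0 + 400 * day))  # past notAfter, still revoked
    return cert, renewed, seen
```

Suspension is the only reversible step in this model: once `revoke` has been applied, every further operation on that certificate raises `ValueError`.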
Certificate Lifecycle Mgmt
Manual lifecycle management
• Small scale
• High maintenance
• Labor intensive
Automatic lifecycle management
• Several protocols suited for automation of issuance,
renewal and revocation:
• CMP
• SCEP
• Web service
• XKMS
Validation
Validation of certificates – check if a certificate is revoked.
Currently two standard ways of validation:
• OCSP – Online Certificate Status Protocol
• CRL – Certificate Revocation Lists
Enterprise signatures
• Digital signing of documents with an Enterprise signature.
• An Enterprise signature is in contrast to personal signatures, where every user must have a personal signature certificate and associated software.
• Suitable for receipts, official documents, passports, message passing systems, etc.
EJBCA - Open Source Enterprise PKI
• Multiple CAs and PKIs in a single installation, Root CAs, SubCAs, cross certification, ...
• RSA, DSA, ECDSA, many hash algorithms
• X.509 v3 and CVC EAC 1.11
• Web based admin GUI in many languages
• Soft tokens or PKCS#11 based HSMs, SafeNet, Utimaco, nCipher, AEP, …
• Flexible architecture, all in one, external RAs, external OCSP, …
• Many protocols, web, SCEP, CMP, WebService, XKMS
• CRLs and OCSP
• Standard and custom certificate extensions
• Publishers for LDAP (and AD), files, or custom publishers
• Email notifications
• Profiles for end entities and certificates
• Cluster support, high availability
• Health check for load balancers and monitoring
• Support for many application servers and databases
• Standards compliant (RFC5280), open source, open APIs, etc.
EJBCA
Platform independent
• Operating systems: Linux, Solaris, Windows, OS X, BSD, … (Java 5 or higher)
• Application servers: JBoss, Glassfish, Weblogic, (OC4J, Websphere); EJB 2.1
• Databases: MySQL, Oracle, DB2, PostgreSQL, MSSQL, Ingres, ...
• Hardware Security Modules: SafeNet, Utimaco, nCipher, AEP, … (PKCS#11)
EJBCA Enrollment/RA interfaces
[Diagram: EJBCA at the centre, with these labels: Web clients, HTTP/SSL certificates; Routers/VPN, SCEP/VPN certificates; Other clients, CMP, XKMS, ExtRA API, WebService; Smart card, Logon certificates; SignServer MRTD, DS Certificate; Inspection system, IS Certificate (CVC).]
EJBCA architecture
[Diagram labels: PKI core, PKI Services, RA-admin, CA-admin, Public, Public web, Admin web, Publishers, Certificate store, Protocols (SCEP, CMP, XKMS, OCSP).]
Simple architecture
Everything in a single server EJBCA installation
Cold standby high availability
Database replication in order to make sure information is not lost.
• Relatively simple
• Cost-effective
• Medium availability (~99.99%)
• Medium performance (~1 million certificates)
Fully clustered, separate Root CA
Separate root CA to isolate trustpoint for security reasons.
Euro PKI projects
PKI is everywhere...
• Electronic/biometric passports
  • BAC
  • EAC
• Health cards
• Tachographs
• National ID cards
• Government login
• Banks
• Insurance companies
• Electronic invoicing
• ...
Swedish Police
EJBCA and SignServer for BAC and EAC ePassport.
EJBCA and smart cards for authentication of 25.000 internal users. EJBCA for qualified electronic signatures.
VPN, Server certificates, …
SignServer for signing of temporary passports (mrtd).
Use cases
Organizational cluster - Swedish police use case
Cold standby clusters
• Medium volume, 24/7 operations, many CAs
• Different security zones
• Database replication
• CA availability, sufficient with cold standby
• Additional OCSP validation servers
Enterprise PDF signing
• File drop for documents
Use cases
BGC (Swedish banks' clearing house)
Certificate issuance of national, and bank IDs. OCSP validation with high performance demands.
Liechtensteinische Landesbank AG
EJBCA for issuing certificates to users and systems.
Cartes Bancaires, France
Bank electronic IDs
Use cases
MULTICERT, Portugal
EJBCA EAC PKI ePassport
Certificate issuance on national IDs
Commfides - TrustCenter, Norway
EJBCA for issuing qualified certificates to citizens.
Slovenian health card
National ID / ePassport / health cards
One PKI server
• Huge volume eID, 30.000 certs/day, multiple CAs