An introduction to EJBCA and SignServer · Enterprise class PKI built on JEE technology · 15/05/10


An introduction to EJBCA and SignServer

PrimeKey Solutions AB

Tomas Gustavsson
http://www.primekey.se
[email protected]

EJBCA and SignServer

Euro PKI projects and use cases


EJBCA - Open Source Enterprise PKI

EJBCA PKI: Central Certificate Authority

EJBCA OCSP: Online certificate status validation

SignServer: Modular server-side signature and validation
• PDF, XML, ODF, OOXML signing
• MRTD Document Signer
• Time Stamp Authority
• …

Enterprise class PKI built on JEE technology.


EJBCA - Open Source Enterprise PKI

Open Source
• LGPL v2.1 or later

Freely available
• ejbca.org, signserver.org
• Hosted on sourceforge, public svn
• Download all versions with full source from sourceforge.net

Open community
• Forum, mail lists, irc
• Patches, translations, documentation

Professional open source PKI by PrimeKey
• Full time development staff
• Commercial support with different SLAs: standard, advanced, 24/7
• Professional services


EJBCA - Open Source Enterprise PKI

Secure communication with SSL servers and SSL clients.

Strong authentication for users (web, email, custom apps, etc).

Network authentication (802.1x).

Smart card logon to Windows, Linux, etc.

VPN connections and client VPN access with certificates in users' VPN clients.

Single sign-on by using a single certificate to secure logon to web applications.

Document signing (personal or enterprise signatures).

Signing and encrypting email.

Issue certificates to electronic IDs.

BAC and EAC ePassports.

... and many many more ...


Certificate Lifecycle Mgmt

Certificate Lifecycle Management, what does it mean?

Managing certificates through all the stages of their lifetime.

Certificate:
• Issue
• Renew
• Revoke/expire
• Suspend/re-activate

Certificate states:
• Not yet valid
• Valid/active
• Expired
• Revoked
• Suspended


Certificate Lifecycle Mgmt

Manual lifecycle management
• Small scale
• High maintenance
• Labor intensive

Automatic lifecycle management
• Several protocols suited for automation of issuance, renewal and revocation:
  • CMP
  • SCEP
  • Web service
  • XKMS


Validation

Validation of certificates – check if a certificate is revoked.

Currently two standard ways of validation:
• OCSP – Online Certificate Status Protocol
• CRL – Certificate Revocation Lists


Enterprise signatures
• Digital signing of documents with an Enterprise signature.
• An Enterprise signature is in contrast to personal signatures, where every user must have a personal signature certificate and associated software.
• Suitable for receipts, official documents, passports, message passing systems, etc.


EJBCA - Open Source Enterprise PKI

Multiple CAs and PKIs in a single installation, Root CAs, SubCAs, cross certification, ...

RSA, DSA, ECDSA, many hash algorithms

X.509 v3 and CVC EAC 1.11

Web based admin GUI in many languages

Soft tokens or PKCS#11 based HSMs, SafeNet, Utimaco, nCipher, AEP, …

Flexible architecture, all in one, external RAs, external OCSP, …

Many protocols, web, SCEP, CMP, WebService, XKMS

CRLs and OCSP

Standard and custom certificate extensions

Publishers for LDAP (and AD), files, or custom publishers

Email notifications

Profiles for end entities and certificates

Cluster support, high availability

Health check for load balancers and monitoring

Support for many application servers and databases

Standards compliant (RFC5280), open source, open APIs, etc etc


Platform independent

Operating systems (Java 5 or higher): Linux, Solaris, Windows, OS X, BSD, …

Application servers (EJB 2.1): JBoss, Glassfish, Weblogic, (OC4J, Websphere)

Databases: MySQL, Oracle, DB2, PostgreSQL, MS-SQL, Ingres, ...

Hardware Security Modules (PKCS#11): SafeNet, Utimaco, nCipher, AEP, …


Integrated PKI


2007-01-31 Copyright © 2007 PrimeKey Solutions AB

EJBCA Enrollment/RA interfaces

[Diagram: clients and interfaces around EJBCA. Labels: Web clients, Routers/VPN, HTTP/SSL certificates, SCEP/VPN certificates, Other clients, CMP, XKMS, External RA, ExtRA API, WebService, Smart card personalization, Logon certificates, SignServer MRTD, DS Certificate, Inspection system, IS Certificate (CVC)]


EJBCA architecture

[Diagram. Labels: PKI core, PKI Services, RA-admin, CA-admin, Public, Public web, Admin web, Publishers, Certificate store, Protocols (SCEP, CMP, XKMS, OCSP), Bouncycastle]


Simple architecture

Everything in a single server EJBCA installation
• Simple
• Cost-effective
• Medium availability (~99%)
• Medium performance (~1 million certificates)


Cold standby high availability

Database replication in order to make sure information is not lost.
• Relatively simple
• Cost-effective
• Medium availability (~99.99%)
• Medium performance (~1 million certificates)


Fully clustered, separate Root CA

Separate root CA to isolate trust-point for security reasons.
• Complex
• Expensive
• High availability (99.999%)
• High performance (>10 million certificates)


Euro PKI projects

PKI is everywhere...

Electronic/biometric passports: BAC, EAC

Health cards

Tachographs

National ID cards

Government login

Banks

Insurance companies

Electronic invoicing

...


Use cases

Swedish Police
• EJBCA and SignServer for BAC and EAC ePassport.
• EJBCA and smart cards for authentication of 25.000 internal users.
• EJBCA for qualified electronic signatures.
• VPN, Server certificates, …
• SignServer for signing of temporary passports (MRTD).


Organizational cluster - Swedish police use case

Cold standby clusters
• Medium volume, 24/7 operations, many CAs
• Different security zones
• Database replication
• CA availability, sufficient with cold standby
• Additional OCSP validation servers


Enterprise PDF signing

• File drop for documents
• 24/7 operations, several signers
• Signer certificates from internal and/or external CA
• Authentication of users
• Archival of signed documents


Use cases

BGC (Swedish banks clearing house)
• Certificate issuance of national, and bank IDs.
• OCSP validation with high performance demands.

Liechtensteinische Landesbank AG
• EJBCA for issuing certificates to users and systems.

Cartes Bancaires, France
• EJBCA for issuing certificates to users and systems.


Bank electronic IDs

• Active-active cluster
• High volume, 24/7 operations, many CAs
• Distributed registration authorities
• Cluster database
• CA availability, high
• OCSP availability, very high


Use cases

MULTICERT, Portugal
• EJBCA EAC PKI ePassport
• Certificate issuance on national IDs

Commfides - TrustCenter, Norway
• EJBCA for issuing qualified certificates to citizens.

Slovenian health card
• Certificate issuance on national health cards


National ID / ePassport / health cards

One PKI server
• Huge volume eID, 30.000 certs/day, multiple CAs
• Very large CRLs
• High availability database avoids data loss
• CA availability, sufficient with cold standby


Thank you!

PrimeKey Solutions AB

www.ejbca.org
www.signserver.org

Tomas Gustavsson
http://www.primekey.se