Saturday, May 12, 2018

EST for Certificate Enrollment

There are multiple protocols available to enroll for certificates from a CA. Some are standardized and some are proprietary.
The most popular standardized ones are SCEP, CMP and EST. SCEP has been around since 2000 and show severa ageing issues, most notably the lack of ability to work with EC keys in a usable matter.
CMP has been around since 2005, is multi functional and handles both RSA and EC keys well. It's a true Swiss knife of PKI enrollment protocols. Being so functional is also it largest criticism, being advanced also becomes complex. CMP works well for a large number of uses cases and we have discussed some of them here and here.
The new kid on the block is EST, which in 2013. EST re-uses other standards such as TLS to try to make it easier to use while at the same time providing much functionality. EJBCA Enterprise has implemented EST since EJBCA 6.11 and it can be used for efficient certificate enrollment from a management system (mobile device management, token management system, IoT platform, etc), using both RSA and EC keys. The management system acts as a Registration Authority (RA) in PKI terminology and this is the notation we'll use throughout.

A typical use case for certificate enrollment is to have an RA that handles initial enrollment for users, mobiles or devices. After initial enrollment (provisioning) the device can automatically re-enroll for updated certificates as long as it still have a valid certificate.

We'll walk through this use case, using EJBCA as the CA server supporting EST, and the open source Cisco EST Client. In order to use EST an EST Alias must be configured in EJBCA, as described in the EST documentation.

Adding an EST Alias

Configuring an EST alias is easily done in the EJBCA Admin UI in the EST Configuration section.

Using EST Client

Before doing any enrollment the RA can fetch the latest CA certificate from EJBCA.
estclient -g -s 127.0.0.1 -p 8442 -o certs --pem-output

After a device has been approved by the RA, the RA can get a certificate for the device from the CA.
estclient -e -s 127.0.0.1 -p 8442 -o certs -u estadmin -h foo123 --pem-output --common-name myclient

In this case the RA i authenticates to the CA using a username (estadmin) and a password (foo123). The RA can also use client certificate authentication instead of username/password.
The issued client certificate will contain the distinguished name (subjectDN) "CN=myclient". This command will automatically generate an RA key for the client.

The device can automatically re-enroll for a new certificate, authenticating itself using the private key and certificate it received from the RA.
estclient -r -s 127.0.0.1 -p 8443 -o certs -c certs/cert-0-0.pem -k certs/key-x-x.pem --pem-output


If an EC key is desired instead of RSA, this key must first be generated before enrolling for the certificate.
openssl ecparam -name prime256v1 -genkey -noout -out prime256v1-key.pem
estclient -e -s 127.0.0.1 -p 8442 -o certs -u estadmin -h foo123 --pem-output --common-name myclient -x prime256v1-key.pem

The corresponding re-enrollment command is.
estclient -r -s 127.0.0.1 -p 8443 -o certs -c certs/cert-0-0.pem -k prime256v1-key.pem --pem-output -x prime256v1-key.pem

This command re-enrolls using the same key as used in the initial certificate, but a new key can equally well be generated, which is in general the prefferred option.

Re-using keys for subsequent re-enrollment can be prohibited in EJBCA by a configuration in the EST Alias.

Monday, May 7, 2018

Roadmap: Rethinking our UI

A common point of pain for anybody who has ever tried to interface with EJBCA is the UI.  It stinks like something died, got eaten by something else which then in turn also died but did so after eating a pair of old sneakers and then not being found for two weeks. We know. 

It's a problem which we've been trying to fix for something like the last decade, but in my entire career legacy UIs seem to be the most common technical debt issue that software companies have. I've seen it happen before, and PrimeKey has also tried rewriting our UI from scratch at least once; it always fails for many of the common reasons. Joel Spolsky wrote an article nearly 20 years ago (which I first read something like 10 years ago) describing why redoing your UI from scratch is a bad idea, and what he says mostly rings true.

The Problem(s)

Why change something that works? Well, when designing an interface the concept of quality comes to mind. EJBCA obviously does most of what is required of it - its extensive use out in the wild wouldn't be possible otherwise. The support questions and the frustrations of both our customers and our own staff witness to the fact that much remains to be done though. Looking fairly objectively at the CA UI (still titled the Admin UI), it reflects several issues:

It Was Designed a Long Time Ago

EJBCA has been alive and kicking since 2001, which of course means eons in internet time. Not that frames were a modern concept even then (and hey, we kicked ours last year!), but it's from a day that preceded widespread adoption of proper MVC design, and the existence of fancy javascript libraries. As a consequence...

It Doesn't follow Consistent MVC Design 

Through the years we've put a lot of effort into moving functionality to where it belongs  - moving down logic into the business beans and caching into the session beans from the UI layer (in some cases even inlined in the UI code) while moving up formatting instructions into the MBeans of the view layer - much still remains though. An added difficulty is the fact that...

Large Parts are Still in Ancient JSP

I know, JSF is hardly bleeding edge technology, but that's what we're aiming for at this point. The fact that we have a UI written in two different coding schemes with three different styles make all and any usability changes hell to try to implement. Trying to rewrite the UI to something more modern is difficult because...

It Does a Lot

From Hyperbole and a Half
This is where previous efforts have always failed, as such efforts have in so many software projects. We've made attempts in the past (though only one properly in earnest) of rewriting the UI, and they've simply failed due to the lead times being so great that there has never been a way of updating the spec at the same rate as development, and this is just what we're adding as the tiny development team we are. The huge amount of functionality in EJBCA is one of its greatest strengths, but it adds a huge amount of inertia to any major changes - not only can't we lose features, our huge feature set also adds a risk of causing regressions; these may be anything from annoying to fatal for our users. The other problem about our huge feature set is that a lot of it is quite obscure because...

Our UI is Designed By Developers

Our UI really does cover everything - the problem is that we're a bunch of developers who have designed it. If you want to have a deep understanding for how EJBCA's data model looks like the UI is really a great guide, because it mirrors it exactly. Honestly, do you as a user care what an Internal Key Binding is? Why does setting up a Peer require background knowledge of TLS to be comprehensible? Why are both of these required when setting up a remote VA Responder, and why is that option nowhere in the menu? 

We have a long way to go in usability. 

Where We Want to Go

Does that mean that we've given up? Nope, not in the least. Divide and conquer is a heuristic that never goes out of style, and the RA Web we introduced back in 2016 takes care of some of those concerns. In addition to all the other advantages provided by having a separate RA, it also allowed us to move some functionality from the CA Web into the RA Web. As stated in the last roadmap update, most functionality which is today duplicated between the two interfaces will soon be officially deprecated, then unlinked, then finally deleted. 

Technology Update 

Our goal is to move the entirety of the CA Web to JSF in XHTML. While well aware of the fact that there are tons of neat noun.js javascript libraries out there, due to the business we're in we want as much as possible to avoid dependencies linked to specific corporations, and shy very much away from non-FOSS libraries. JSF does what we need, and there is little risk of it being abandoned. Once there we're at a far better place - changes no longer need to be made in two languages, we can have far more code in common, we're working in an environment which is far less painful. 



This is the first part of our UI project, is currently ongoing, and is slated to be complete by the beginning of Q4 of this year (in parallel with other development). We will be avoiding usability changes as much as possible in order to make keep the usability delta minimal, thus making life easier for our QA staff. 

Layout Update

The next step will be moving the entire layout of the UI to the CSS files, much like the RA Web. 





This not only allows us to be entirely flexible with the layout (you do know you can customize the RA Web as much as you like, right?) but also work with several designs at once, being able to provide both a "legacy" layout and to work on something brand new. 
Customizable stylesheets for the RA web. 

Usability Normalization

EJBCA currently badly lacks consistency - similar functions have been developed by different developers at different periods in different technologies. There are very few unified ways of perform an action, and the learning curve for using our UI is very low as a result. Having normalized technology and layout, our next avenue is to give our design a single voice, a feel. 

Workflow Based Design

Ah, the holy grail - we're I've dreamt about ending up for years. 


Gone will be all connections between data models and frontend, remaining will be an interface based on what you as users actually wish to accomplish within PKI. We have some exciting times ahead.

Cheers,
Mike Agrenius Kushner
Product Owner, EJBCA

Thursday, May 3, 2018

EJBCA 6.13.0 - Our VA is GDPR Ready!

What now, another feature release so soon? Fear not, all is well  - instead we felt that some of the work we've put in to the trunk should be made available as soon as possible. We hope that as many of you as possible have had a chance to check out the ConfigDump tool we released with EJBCA 6.12, please give us any available feedback that we can plug in to future versions.


Adapting the VA to GDPR

We've added an option to the VA Peer Publisher to restrict publishing identifying certificate metadata from the CA to VA, such as subject DN, SAN or usernames. 

 Key Ceremony Utilities added to the RA Web


During key ceremonies, auditors typically require a copy of all CA Certificate fingerprints. To spare you the process of downloading CA certificates and computing the fingerprints manually using a third-party tool, we've added the following functionality to the RA Web:
  • Download Fingerprints: Downloads a YAML text document with the CA Certificate fingerprints of all CAs you have access to.
  • Download Certificate Bundle: Downloads a compressed zip file containing the CA certificates of all CAs you have access to.
For more information, see RA Web CA Certificates and CRLs.


Roadmap Update


As always we tend to be very restrictive with discussing our roadmap, but one very long awaited project we're very pleased to finally have time to redo the CA UI, a point of contention which I'm sure all of you are painfully aware of. As refactoring interfaces is always a minefield we'll be taking it in minor steps, beginning with the conversion of the antiquated JSP pages into more modern-ish JSF before beginning to make more concrete improvements in usability. Expect to see some pages in the UI slightly change appearance in the autumn, and keep tuned to this blog for more updates on this subject. 

Cheers!
Mike Agrenius Kushner
Product Owner EJBCA

Monday, April 9, 2018

EJBCA 6.12 - Brand New Documentation and Auditing Capabilities Galore!

The PrimeKey EJBCA team is pleased to announce the feature release EJBCA 6.12, and a small step but important step forward in the development of EJBCA. The first changes I'd like to divulge are organisational, we added some very important personell to our team. PrimeKey has hired a dedicated tech writer, Annica, who will be helping both the EJBCA and SignServer teams to get our much maligned documentation in order. Secondly, we've started taking in some outside help for development work, integrating them into our core team in order to increase throughput. So, what is new with this release?

Revamped Documentation


Having listened to all your calls of woe and distress over the state of the documentation (and I may add, much of our own), our tech writer Annica has performed a Herculean effort in shifting the entire thing over to Confluence instead of the ancient xdoc format.
Naturally, this is just a first step towards a far more organized, updated and user friendly documentation. You may notice a sense of chaos and disarray in the current structure, and while we agree with you fully, that is merely a consequence of the already existent structure coming to light. Major changes to take notice to that the release notes (this document), change log and upgrade instructions have all been moved in here as well. They're still available offline from within the doc folder in the release zip, but are now also published both online and deployed with EJBCA to the application server.

Configurable OCSP Extensions


We've put quite a bit of work into OCSP Extensions. Those of you familiar with OCSP Extensions will probably remember configuring them through ocsp.properties configuration file.

In order to make extension configuration simpler and more precise we've moved it to the UI, and set it up to act per keybinding instead. Any existing extensions defined in the configuration files will automatically be added to existing OCSP keybinding configurations, but please read more about that and more in the upgrade notes.

Additional Proxying Capabilities in the RA

As response to external demand, we've added two new features to the RA:
  1. The ability to proxy SCEP requests, much as is done with CMP and EST already
  2. We added forwarding of revocation and revocation status requests over SOAP. The full list of methods in the EJBCA WS that can be proxied via the RA are:
  • certificateRequest
  • checkRevokationStatus
  • getLastCertChain
  • keyRecover
  • keyRecoverEnroll
  • revokeCert

The ConfigDump Export and Audit Tool

Some of you may be previously familiar with our StateDump tool, an application for exporting and importing installations. While this has solved many problems for us and some of our customers in our past, a very common deficiency in the tool has always been that the XML based dumps are difficult to read, edit and manage, and that the data therein has never been human readable. We have thus decided to venture on remaking this tool from the ground up, and making the first iteration (which is only export capable) publicly available. It is built and run from the command line:
This results in a neat structure of export files sorted by type:
Which are serialized and normalized as yaml objects. Any UID references are replaced with their human-readable names.
We very much hope that you'll find this tool useful in the future for change handling and auditing.
Cheers!
Mike Agrenius Kushner
Product Owner EJBCA

Tuesday, February 13, 2018

Roadmap Update: EJBCA 7 and What Lies in Store

Getting roadmap information out of me is usually about as rewarding as mining obscure crypto currencies, but for once I feel that this is a very good opportunity to talk a bit about the roadmap in the next half year, about EJBCA 7 and what is to come.

Technology Leap

Now, the easy announcement is that EJBCA 7 will be released before the end of Q2 of 2018, and the most marked technology leap will be dropping support för JDK7 and JEE6, so those of you who haven't migrated to JDK8 or greater yet should start planning to do so very soon. Things to have in mind:

  • JDK7 had its final support release over a year ago, which is one reason we've chosen to move on.
  • This means that your application server will have to be JBoss EAP 6.3.3 or later.
  • From EJBCA 7 and beyond we'll being using JDK8 features in the source, meaning that you will have to upgrade your JDK/AS before then. In any case we very much recommend upgrading to the latest version of EJBCA as well if you haven't done so yet.

User Interface Changes 

The primary changes you'll be seeing is that we're going to start optimizing and improving workflow in the existing UI. For that reason we'll be removing a lot of pages which have turned redundant or which are too antiquated to maintain.

Public Web


This is going to be the biggest change for many of you, and one of the most dramatic ones: the Public Web is going to be considered deprecated. The reasons for doing so are many, but foremost the fact that the new RA Web does (or nearly, but will do) everything the Public Web does, but better. While I hope that most of you have had a chance to explore and hopefully even start using the RA Web, this is a very good time to start migrating your workflows. If this leaves you with any sense of dread, fret not: we have documented how workflows translate between the Public Web and the RA Web here and here

Note that we won't be removing the Public Web initially but simply not link to, refer to or update it anymore, so there will be an overlap period. 

Admin Web/CA Web

The first major change is a simple one: a question of branding. We have traditionally, both in code and in UI misused the terms Administrator and Administration. In the line of defining an administrator as somebody who performs administrative tasks (which doesn't cover all users of the UI) we'll be renaming the current Admin Web as the CA Web to reflect the fact that its purpose mainly covers setting up CAs and profiles, while the RA Web covers all aspects of of end entity creation and lifecycle management. 

The introduction of the RA Web may have raised some questions about the overlap between the two interfaces, such as the ability to create end entities in both. Naturally, our end goal is to eliminate these overlaps in order to make workflow feel natural an intuitive. For that reason, we'll be deprecating some pages in the CA Web by removing links and references, though as with the Public Web we'll let the pages exist for some time to allow for some overlap. The pages in the CA Web that are going to disappear are (sorted by category):

  • RA Functions
    • Add End Entity
    • Search End Entities
  • Supervision Functions
    • Approve Actions
All of these pages have superior analogues on the RA Web, and it's our goal that our workflows become so intuitive that there will be no need to switch between the two. 

What Comes Next? 

In addition to this, I'd like to let you know a bit about workflows in the UI. Currently the workflows are what could generously be called unintuitive, which is something we're looking to remedy come 2018 and beyond. The design currently largely mirrors the architecture, which while straight forward from a developer's perspective requires way too much domain knowledge from a user's point of view. Our ambition is to start refining and redefining workflows during the coming year to make more sense from what one is trying to accomplish, but we'll be doing so gently and properly documenting and motivating all changes.

We hope you're looking forward to these changes as much as we are!

Cheers!
Mike Agrenius Kushner
Product Owner EJBCA

Friday, January 12, 2018

Feature Highlight: Approval Profiles

So the concept of approvals is a rather well known concept in EJBCA. The basic concept is that your organization may not trust lower level or individual administrators to perform certain actions (such as enrolling end entities or renewing certificates), and thus require either higher level administrators (with specific approval rights) or a multitude of administrators (requiring a conspiracy) to perform certain actions, or a mixture of both.

In EJBCA 6.6 we introduced the concept of Approval Profiles due to the fact that we got a customer request to implement a more dynamic and complex approvals process, while we were at the same time unwilling to drop the old one.

Accumulative Approvals

Accumulative Approvals represents the type of approval process which existed prior to EJBCA 6.6, now given a name to differentiate it from later implementations. The concept is rather simple: say that we have a PKI organization containing a relatively flat structure, simple three administrators:
For the sake of argument, let's presume that these three are all equal, but their policies require that none of them be able to perform any enrollment actions without the cooperation of at least one of the other. Traditionally we would simply set the number of approvals in the CA or Certificate Profile to two, but now that we use Approval Profiles we set up an Accumulative Approval Profile instead:

Partitioned Approvals

In EJBCA 6.6 we added a more complex form of approvals, which we've decided to call Partitioned Approvals. Partitioned approvals consist of two basic temporal concepts: steps and partitions. The diagram below tries to explain this in simple terms: 

The basic concept is that steps are solve sequentially, while partitions are solved in parallel within their step. What this means is that (for example) Step2:Partition1 can't be approved until all three partitions in Step 1 have been approved. Now, how might this be used? Well, let's presume the following organization:
This structure resembles an actual PKI organization far more. The players here are:
  • Alita  -  An RA Administrator whose role is to meet certificate applicants after they've enrolled using the RA UI and to verify their identities. 
  • Björn - Works for Financial Services. Does not have any rights to enroll customers, but has been tasked in verifying that customers have payed their fees. 
  • Beatrix - Works for the company's security division. Lacks like Björn the ability to enroll customers, but is tasked in performing background checks on prospective clients. 
  • Cilla  -  A supervisor who has to approve the work of the previous three. If she's happy, then the customer can next retrieve their certificate. 
Now, looking at the graph above you may infer that Alita's, Björn's and Beatrix' tasks are all part of Step 1. The reason for this is that Cilla  isn't interested (or allowed) to give her approval until she's verified the results of Alita, Björn and Beatrix. 

On the other hand, there is nothing stopping Alita, Björn and Beatrix from solving their tasks in parallel. Once all of them approved their respective partitions, the process will automatically transition to Step 2. Combining these two diagrams we get the following, with blue representing view access and green representing approval rights:



So, what does this look like in EJBCA? Well, an initial Partitioned Profile will look like this:
As you can see above, we initially have a single step containing a single partition, which is the minimum possible. You'll also notice in the center of the partition the two multi-selects that display all available Roles with approval rights. Let's add another step by clicking on the Add Step button on the bottom right:
Next lets create the partitions in Step 1. First we'll click the Add Partition button on the bottom right of that step twice, name the partitions and assign the roles: 

Notice above that the roles do not have view rights of each others' partitions (except the RA Administrator partition, who anybody can review), and that the Supervisor role can review all. Next, let's edit Alita's partition so that she can add a bit more information for the records:
By clicking on the Add Field button (which is hidden in the above screenshot behind the drop-down) we can add meta data fields to the partition. In this case we've added a check box, a radio button list to identify the type of identification provided and a free form text field for any other information (such as passport number). 

We'll set up Beatrix' and Björn's partition in the same way, then lastly make sure that only the Supervisor group has approval and review access to the final step:
This way the supervisor can review and verify that all previous actions have been performed correctly and without fault before allowing the enrollment process to continue.

Practical Example

Now, let's see what this looks like in real life! For this example we're going to follow closely the RA Administrator Alita and her supervisor Cilla, while letting Beatrix and Björn do their work in the background for brevity. First of all, we make sure that the familiar WidgetCorp CA is set up to use the above approval profile for enrollment:
Then along rolls our old friend Alan Widget, who's about to request that the CA generate a keypair for him:
As we've activated approval for the CA, naturally Alan will have to wait a bit to receive his keypair:
Logging in as our RA Administrator we can see that she now has an approval request pending:
And viewing that request, we can fill in the relevant data about the request:
Logging in as the Supervisor on the other hand, you'll notice that the To Approve tab is empty as the Supervisor doesn't have anything to approve in the current step, while the request is instead under the Pending Approval tab as the Supervisor can still review the other's work.
Once Security and Finances have approved (or denied) their respective partitions of the request, the step is automatically completed and moves on to the final step that we've defined, which is the approval of the Supervisor. She now has the request under the To Approve tab, where she can also review all of the previous steps that she has view access to:

Approving the final step will leave the entire request executed, and our end user is now free to retrieve their certificate:
So, that is in a nutshell how to use Partitioned Approvals in EJBCA. If you have any feedback, feature requests or questions, please let us know! And if there are other EJBCA features you'd like me to dive into, please comment here on the blog!

Cheers!
Mike Agrenius Kushner
Product Owner EJBCA

Tuesday, January 2, 2018

EJBCA 6.11: Adding EST, Modular Configuration and External Validators to the Mix

Hey folks, and welcome to 2018. We have an exciting year to look forward to, but I'll go a bit deeper into the currently projected roadmap in a bit, because this blog post is as usual devoted to a deeper dive into the release notes for the latest release.

EST

First and foremost, EJBCA 6.11 introduces a long awaited feature: support for the EST protocol, as defined in RFC 7030. For those of you now in the know, EST is an enrollment protocol similar to SCEP. Much like CMP and SCEP, EST can be configured through multiple aliases, and can like CMP also have calls proxied from an RA up a CA using the Peers Protocol.

External Command Certificate Validators

The second main feature of this release is the concept of External Validators, a feature which has been widely requested by quite a few of our enterprise users. An External Validator functions much like the existing validators (RSA, CAA, etc), but it runs on either a certificate or pre-certificate object and calls on local script on the local system.


As a security feature we've added a configuration value under System Configuration that disables both the External Validator and the General Purpose Custom Publisher. This configuration value is set to be disabled by default unless you're currently running a General Purpose Custom Publisher in your installation. To avoid a malicious user using the External Validator to run system commands, we've also added a command whitelist.

Modular Protocol Configuration

We've also added a few of features to make VA/RA installations more secure in the DMZ. In order to guard against possible 0-days or protocol vulnerabilities we've added the Protocol Configuration-tab to System Configuration. Through this tab all incoming protocols or servlets can be disabled.

Additionally, we've added access rules to allow prohibiting CMP and WS calls being sent from the RA/VA to the CA via Peers in case the RA/VA runs the risk of being compromised.

Upgrade Concerns

Lastly, we've updated the VA so that SHA1WithRSA and SHA1WithECDSA are no longer acceptable signature algorithms for an OCSP responder, see the upgrade document for more information.

Cheers!
Mike Agrenius Kushner
Product Owner EJBCA