Tuesday, January 2, 2018

EJBCA 6.11: Adding EST, Modular Configuration and External Validators to the Mix

Hey folks, and welcome to 2018. We have an exciting year to look forward to, but I'll go a bit deeper into the currently projected roadmap in a bit, because this blog post is as usual devoted to a deeper dive into the release notes for the latest release.


First and foremost, EJBCA 6.11 introduces a long awaited feature: support for the EST protocol, as defined in RFC 7030. For those of you now in the know, EST is an enrollment protocol similar to SCEP. Much like CMP and SCEP, EST can be configured through multiple aliases, and can like CMP also have calls proxied from an RA up a CA using the Peers Protocol.

External Command Certificate Validators

The second main feature of this release is the concept of External Validators, a feature which has been widely requested by quite a few of our enterprise users. An External Validator functions much like the existing validators (RSA, CAA, etc), but it runs on either a certificate or pre-certificate object and calls on local script on the local system.

As a security feature we've added a configuration value under System Configuration that disables both the External Validator and the General Purpose Custom Publisher. This configuration value is set to be disabled by default unless you're currently running a General Purpose Custom Publisher in your installation. To avoid a malicious user using the External Validator to run system commands, we've also added a command whitelist.

Modular Protocol Configuration

We've also added a few of features to make VA/RA installations more secure in the DMZ. In order to guard against possible 0-days or protocol vulnerabilities we've added the Protocol Configuration-tab to System Configuration. Through this tab all incoming protocols or servlets can be disabled.

Additionally, we've added access rules to allow prohibiting CMP and WS calls being sent from the RA/VA to the CA via Peers in case the RA/VA runs the risk of being compromised.

Upgrade Concerns

Lastly, we've updated the VA so that SHA1WithRSA and SHA1WithECDSA are no longer acceptable signature algorithms for an OCSP responder, see the upgrade document for more information.

Mike Agrenius Kushner
Product Owner EJBCA

No comments: