Tuesday, December 29, 2009


Yes, EJBCA and SignServer will have a stand at the geek fest FOSDEM on 6-7 February 2010. Visit FOSDEM, it's great!

Using Brainpool ECC curves in Java (with HSM)

In EAC ePassports the Brainpool family of curves can be used, and some countries do use it. Java (or more specifically the Sun JCE and PKCS#11 provider) does not support these curves natively, since they are not among the named curves it knows about. The kind guys over at Ministerie van Binnenlandse Zaken en Koninkrijksrelaties in the Netherlands experimented and showed us how to use them with a SafeNet ProtectServer Gold.

I tested it out and wrote a howto for EJBCA. The downside is that you have to generate the keys with the HSM tools, so you cannot generate new keys from within the EJBCA admin GUI.

Of course, if you are not using an HSM, the Bouncy Castle provider supports them out of the box.
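The software-only case, as an added example that is not from the original post or the EJBCA code base: a Brainpool key pair is generated, used to sign and then verified entirely through the Bouncy Castle provider. It assumes the Bouncy Castle provider jar is on the classpath; the class name, the choice of brainpoolP256r1 and the sample message are assumptions made for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.SecureRandom;
import java.security.Security;
import java.security.Signature;

import org.bouncycastle.jce.ECNamedCurveTable;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.jce.spec.ECNamedCurveParameterSpec;

// Hypothetical class name; needs the Bouncy Castle provider jar on the classpath.
public class BrainpoolSoftKeyDemo {
    public static void main(String[] args) throws Exception {
        Security.addProvider(new BouncyCastleProvider());

        // Resolve the curve by name from Bouncy Castle's own curve table,
        // so nothing depends on the default provider knowing the curve.
        ECNamedCurveParameterSpec spec = ECNamedCurveTable.getParameterSpec("brainpoolP256r1");
        if (spec == null) {
            throw new IllegalStateException("curve not known to this Bouncy Castle version");
        }

        // Generate the key pair in software, pinned to the BC provider.
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("ECDSA", "BC");
        kpg.initialize(spec, new SecureRandom());
        KeyPair kp = kpg.generateKeyPair();

        // Constructed sample message, signed with the private key.
        byte[] msg = "constructed test message".getBytes(StandardCharsets.UTF_8);
        Signature signer = Signature.getInstance("SHA256withECDSA", "BC");
        signer.initSign(kp.getPrivate());
        signer.update(msg);
        byte[] sig = signer.sign();

        // Verify the untouched message, then a copy with one bit flipped.
        Signature verifier = Signature.getInstance("SHA256withECDSA", "BC");
        verifier.initVerify(kp.getPublic());
        verifier.update(msg);
        boolean good = verifier.verify(sig);
        msg[0] ^= 0x01;
        verifier.initVerify(kp.getPublic());
        verifier.update(msg);
        boolean tampered = verifier.verify(sig);

        System.out.println("curve: " + spec.getName()
                + ", field size: " + spec.getCurve().getFieldSize() + " bits");
        System.out.println("original verifies: " + good + ", tampered verifies: " + tampered);
    }
}
```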

Monday, December 21, 2009

EJBCA 3.9.3 released

Very convenient, so you have something to play with during the Christmas holidays... here is EJBCA 3.9.3.

This is a minor release, but it is packed with small new features, options, bug fixes and stabilizations; 42 issues have been resolved.

Noteworthy changes:
- Fixed a regression in 3.9.2 where you could not upload files in the admin GUI.
- Certificate profiles can now specify a different signature algorithm than the CA. Useful to start migrating SHA1 CAs to issue SHA256 certificates.
- Possibility to use part of user data in LDAP DN but not in certificate DN when publishing certificate to LDAP.
- Possibility to set fixed end date of certificates in certificate profile and CA configuration.
- Possibility to configure several notification services for expiring certificates, notifying at different times, e.g. 30 days, 7 days, etc.
- Browser enrollment tested with Windows 7.
- ECC improvements and fixes for CAs and HSMs, CA renew keys, CA import, Brainpool curves, explicit EC parameters, clientToolBox etc.
- GUI improvement to the admin GUI with nicer navigation menu and CSS. Contributed by Linagora, France.
- cert-cvc: fixed rare possibility to get bad encoding of EC points in certificates. Contributed by DGBK, Netherlands.
- CVC CA fixes and improvements for EAC PKI, approvals, import CAs, fix CLI info command, .cvcert instead of .crt when downloading certs, etc.
- Don't publish certificates for inactive CA services to LDAP.
- Fix so renewing CA keys in admin GUI does not reload all CA tokens.
- Fixed an OutOfMemory error when failing to publish large CRLs with connection closed error.
- Fix download issues with IE for exported CA keystores.
- Many small optimizations, fixes and improvements.

Read the full changelog for details.

Sunday, December 13, 2009

EJBCA PKI webcasts

There is a series of webcasts about PKI in general and EJBCA in particular. Watch these cool clips at http://www.primekey.se/Company/Webcasts/.