Thursday, December 23, 2010

EJBCA 4.0 alpha1 released

Hi everybody!

Eagerly waiting for the next major version of the best PKI software in the world? Now is your chance to try it out.

EJBCA 4 uses Java Enterprise Edition 5 (JEE5) instead of J2EE. This is a major improvement of the core, modularization, portability and packaging, but you will not notice many functional differences.

What else?

  • The database schema is fully defined through the Java Persistence API and table create scripts are provided for all the supported databases.

  • Many bugs have been corrected. For example, EJBCA Services now run more stably in a clustered environment.

  • The Ingres database can now be used with EJBCA without patching the code.

  • A JEE5 compliant application server, Java 1.6 and Ant 1.7.1 or higher are required from this version on.

Since this is an alpha release, you can expect a few rough edges. Bear in mind that there will not necessarily be an upgrade path from this release to EJBCA 4.0.0.

Submit bug reports!

Happy holidays and testing,
The PrimeKey EJBCA Team

EJBCA 3.11.1 released

Today PrimeKey has released EJBCA 3.11.1.

This is a maintenance release – 16 issues have been resolved. Only fixes and layout improvements, no new features.
This release fixes an upgrade issue from 3.6.x to 3.11.x and also a MySQL/MyISAM related issue in the 3.11.0 release.
A few uncaught regressions from 3.10.x and 3.11.0 were fixed, and as usual David Carella of Linagora added some Admin GUI layout improvements.

Noteworthy changes:

  • It is now possible to easily upgrade from EJBCA 3.6.x to 3.11.x.

  • Fixed a MySQL mapping that did not work when using the MyISAM storage engine and UTF-8 encoding.

  • ETSI QC value limit can now have the value zero.

  • Admin GUI improvements from David Carella of Linagora.

  • Added a favicon to the EJBCA web interfaces.

  • Fixed an issue causing cached end entity profiles (not default) to be changed for some actions in the admin GUI.

  • Fixed an issue where session information spilled over to other edits when using the "Back to certificate profiles" link.

  • Fixed an issue where using the required flag on Cardnumber in an end entity profile gave an error about a missing unstructured address. This also resolved an issue where the DN field Unstructured Address did not work.

You can read the full changelog in the EJBCA Jira.

In addition to making EJBCA available as full open source software, PrimeKey also supplies support services and training for EJBCA.

Wednesday, December 1, 2010


Next year at FOSDEM in Brussels, 5-6 February 2011, we will do something different. In previous years we have had a stand, but this year we will participate in the OpenSC devroom.

Anyone interested in PKI and smart cards (and any of the other hundreds of open source technologies present at FOSDEM) should go there.

See you in Brussels!


Tuesday, November 30, 2010

EJBCA 3.11.0 released

Yesterday we released EJBCA 3.11.0.

This is a major release with several new features – 47 issues have been
One major goal with this release is to prepare for a seamless migration
to EJBCA 4.0. To make the migration path to EJBCA 4.0 a simple plug-in

Following our updated QA process (by Tham) we believe that EJBCA 3.11.0 is a high quality release, the fastest and best release of EJBCA to date.
We'll see if this release can match the previous release, EJBCA 3.10.5, which had virtually no serious issues reported after thousands of downloads.

Noteworthy changes:
- Possibility to configure a CA not to use the certificate and user store, meaning that the CA can issue certificates without having to access the database after service startup.
- External OCSP responder can now function as a validation authority serving OCSP, CRLs and CA certificates.
- Certificate store access via HTTP according to the RFC4387 standard.
- Possibility in the WebService interface to specify extended information when editing users.
- Possibility to specify a custom certificate serial number for end entities using the CMP protocol. The CMP RA secret can now also be specified per CA.
- Upgraded database schema to be consistent across databases.
- Added a few new columns to database tables, a preparation to be used in EJBCA 4.0.
- Improvements in the Glassfish support, now also usable with Oracle
- Several other new features and extended key usages, GUI improvements and performance enhancements – many of which are contributed by Linagora.

PrimeKey EJBCA Team

Friday, November 26, 2010

EJBCA 3.10.6 and cert-cvc 1.2.12 released

EJBCA is our Open Source Enterprise PKI certificate authority.
Cert-cvc is our open source java library for working with EAC CV certificates.

This release is a very small maintenance release intended mostly to mark the end of the 3.10 branch, anticipating 3.11.0 to be released within a few days.
If you are running 3.10.5 with no issues, there is no real reason to upgrade to 3.10.6. A few people have been waiting for the only new feature in this release, but for others there is nothing really exciting.

EJBCA 3.11.0 however will be a stepping stone towards EJBCA 4.0, which
is nearing. EJBCA 3.11.0 will contain many new features and enhancements.

New Feature
* [ECA-1264] - Add extended information to edit user WS-API.

* [ECA-1877] - SPOC interop requires "unusual" countries which the CVC library does not permit
* [ECA-1841] - Error adding end entity with several required and non required OUs
* [ECA-1845] - Wrong reference in online doc link for renew CA
* [ECA-1914] - Import of certificate profiles referring to CVC CAs failed in CLI

You can view the changelog in Jira:

As usual you can download the new release from

The PrimeKey EJBCA Team

PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see or contact for more information.

Wednesday, November 3, 2010

EJBCA 3.9.9 released

We have released EJBCA 3.9.9. This is an informal maintenance release with only one new feature and a few back-ported fixes from 3.10.
The release was done for a particular project. For normal usage we recommend the latest released version, 3.10.5, which is the preferred version and proven to be very stable. You should only upgrade to this version if you have a specific purpose and requirements.
For regular users, even of the 3.9 branch, there is no need to upgrade unless you need any of the specific fixes in this release.

- ExtendedInformation, such as issuance revocation reason, can now be added when editing users with the WebService API (new feature, also present in the upcoming 3.10.6 and 3.11.0 releases).
- Fixed an error adding an end entity with several required and non-required OUs (new fix for a rare issue, also present in the upcoming 3.10.6 and 3.11.0 releases).
- Added correct URIEncoding also for port 8080 in Tomcat's server.xml.
- Fixed Issuer CA DN HTML escaping when revoking through the Admin GUI.
- Fixed: using multiple instances of the same Custom OID field for OtherName in Subject Alternative Names resulted in double values (back-port).

Note: The WebService WSDL has changed for adding ExtendedInformation in the UserDataVOWS object.
Old WS clients without this should still work, and we have tested with older EJBCA clients.
However, if you depend on the WS-API you must test in your environment before bringing this new version into production.

PrimeKey EJBCA Team

Friday, October 29, 2010

EJBCA 4 basic roadmap

On request I will try to outline a better view of the roadmap for EJBCA 4 than is visible in Jira.

- EJBCA 4 is primarily a technology upgrade, move from J2EE (EJB2.1) to JEE5 (EJB3 and JPA).

What will this give us you ask?

- Leaner, meaner, faster and better code. Smaller code base and less bundled 3rd party libraries.
- Easier, thus faster, development of new features, while keeping the code cleaner.
- Better support for different application servers, JEE5 is much better standardized.
- Better support for different databases; using Hibernate makes configuration easy.
- Integration of CESeCore, the Common Criteria certified security core under development. This will pave the road for having EJBCA 4.x Common Criteria certified.

All this brings us better support for, for example, Glassfish. On the other hand we must drop support for OC4J, since it will never get JEE5 capabilities. EJBCA 4 will require Java 6, since even that is getting old and Oracle does not support Java 5 anymore.

So as you see this is mostly a technical/developer friendly release, ensuring that EJBCA will continue to be a front runner of PKI for the coming years.

This is a conscious decision: significant effort is being put into migrating EJBCA to the latest technologies. It should not affect users, who will be able to upgrade seamlessly from EJBCA 3.11 to EJBCA 4.

There will be a few new features not available in 3.x though, mostly minor gems.

For the full roadmap visit Jira, but be aware that, especially for minor features and fixes, many of the issues targeted for EJBCA 4 might shift priorities (and thus be postponed), and new ones will be brought in. You can still see what has already been fixed.

What is the status of EJBCA 4?
- Subversion trunk, up and running, stable and passing most tests.
- Further improvements, structural work and upgrade testing going on.

You can follow the quality progress at our Hudson server.

So you can check out EJBCA 4 from Subversion already today and give it a spin. For brave technical people only.

What is the time schedule?
- EJBCA 4.0 should go beta before the end of 2010. And be released sometime Q1 2011.

What happens after that?

Once EJBCA 4.0 is out we will start focusing more on the new admin web console, and getting EJBCA common criteria certified. Naturally new features will continue to be developed, currently new features arrive at a rather aggressive pace. 2011 is destined to be an exciting year.

PrimeKey EJBCA Team

Tuesday, October 5, 2010

EJBCA SPoC presented at National eID & ePassport Conference in Athens 21-22 October

I will shortly present the EJBCA SPoC at the upcoming National eID & ePassport Conference in Athens on 21-22 October 2010. Anders Rundgren has done an excellent job implementing SPoC for EJBCA and has performed some successful interoperability tests. You'll learn more if you join us in Athens :-)

Wednesday, September 22, 2010

EJBCA 3.10.5 released

After completing a new and improved QA cycle, we are proud to release EJBCA 3.10.5. We think that EJBCA 3.10.5 is the best EJBCA version to date and encourage everyone to upgrade.

This is a maintenance release with 37 issues resolved, both features and
bug fixes.

Noteworthy changes:
- Fixed admin GUI error running on JBoss 5.
- Fixed some issues with audit and approvals when using admin certificates issued by an external CA.
- Harmonized admin GUI and improved looks. Contributed by David Carella of Linagora.
- Added and improved caches of profiles and CAs, improves performance. CLI for clearing caches.
- Fixed installation issue on Windows when JBoss installed in root
- Fixed re-publishing of certificates when CertReqHistory is not used. CertReqHistory is enabled by default for new CAs.
- Updated German translation, contributed by Atos Origin.
- Support unrevocation using WS-API.

Read the full changelog for details.

Download and read documentation at

Also read the product release news at PrimeKey.

Tuesday, September 21, 2010

Performance lab

We have a new small performance lab at PrimeKey, a 2U machine with 4 physical servers, each with dual quad-core CPUs, 3 SSD disks (striped) and 24GB RAM. It's good for testing high loads and large volumes, and we've been doing just that for the 3.10.5 release.

I have been running postgresql on one machine, with two appservers and one test client for a while. I managed to get a single appserver with EJBCA issuing up to 300 certificates per second. It's pretty quick to issue some 20 million certs with that speed. No slowdowns so far...

Now I'm installing Oracle on one of the machines. Unfortunately you have to run an old RHEL4 to install oracle so it takes some time and frustration (compared to installing ubuntu and postgres).

Thursday, August 12, 2010

4.0 on the rise...

With the migration of beans to ejb3 done (by Johan and Mike), we can now deploy and start EJBCA 4.0. So far it looks the same as 3.10 of course, difference under the hood. Lots of JUnit tests still fail, but that will be dealt with now one by one.

EJBCA 3.10.4 released

Back from summer holidays we have a new good release to announce.

This is a maintenance release with 23 issues resolved, both features and bug fixes.

Noteworthy changes:
- Possibility to specify custom certificate serial number for end entities.
- Possibility to configure CA to not use CertReqHistory to increase performance.
- Harmonized admin GUI and improved looks. Contributed by David Carella of Linagora.
- Other performance optimizations. More than 100 certificates per second can now be issued under certain conditions.
- WS API did not work with external administrator certificates.
- Mitigate potential XSS vulnerabilities in admin GUI.
- Fixed bug when creating CRLs for CAs with single quote in the DN.
- Other admin GUI improvements with better error messages in some cases.

Read the full changelog for details.

One known issue from 3.10.4 is

There were many changes in the admin GUI for this release. Please let us know if you encounter any regressions using the admin GUI.

Monday, June 14, 2010

Howto extend a KVM virtual disk, using lvm, with larger disk space

Starting point: an installed KVM Ubuntu 10.04 guest with a regular raw disk image, using LVM inside the guest (LVM makes the resize operation a bit more tricky).
In this example the original disk was 20 GB and I want to extend it with 20 GB more.

  1. Stop guest

  2. Extend the image file with zeroes to the desired size
    - create add-on space with the size you want to extend the disk with
    sudo qemu-img create -f raw addon.raw 20G
    - make a backup of the original disk first (a copy, not a move: the next step appends to the original file)
    mv ubuntu-dev.img
    - concatenate the extra space onto the end of the old image
    cat addon.raw >> ubuntu-dev.img

  3. Start guest with gparted live iso
    Partitions might look like:
    Number  Start   End     Size    Type      File system  Flags
    1 1049kB 256MB 255MB primary ext2 boot
    2 257MB 20.5GB 20.3GB extended
    5 257MB 20.5GB 20.3GB logical lvm

    - extend the extended partition (2) with gparted (easiest) to fill up the entire (new) disk

  4. Reboot into guest
    - Remove the logical partition (lvm) and create a new logical partition with exactly the same start but a new end, using parted; the start must match the old partition's start exactly, otherwise the LVM physical volume (and your data) is lost
    rm 5; mkpart logical ext2 0 4000; set 5 lvm on

  5. Resize the lvm physical volume (use pvdisplay to find out the device /dev/vda5)
    - pvresize /dev/vda5

  6. Resize the lvm logical volume
    - lvresize -L+4309 /dev/www/root
    repeat the above until you fill up the entire free space, using pvdisplay and lvdisplay to see the free size (lvresize -l +100%FREE /dev/www/root takes all free space in one go)

  7. fsck the filesystem, the filesystem name is visible when you do lvdisplay
    - fsck -n /dev/www/root

  8. Resize the filesystem to fill up the space
    - resize2fs /dev/www/root
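Step 2 above (grow the raw image file by appending zeroes, after taking a backup) as a small shell function. This is an added example, not part of the original post: the image path and the sizes are assumed, and the function uses dd directly instead of qemu-img create + cat, which writes the same zero-filled tail. It takes a copy (not a move) as the backup, since the append goes to the original file, and refuses to run if the image is still open by a running guest.

```shell
#!/bin/sh
# Added example: grow a raw KVM disk image in place by appending zeroes.
# Equivalent to the post's "qemu-img create -f raw addon.raw 20G; cat addon.raw >> img",
# but with a real backup copy first. Image path and sizes are assumed.
# The guest must be stopped while this runs.
set -eu

# Print the size of a file in bytes (POSIX, no stat -c needed).
image_size_bytes() {
    wc -c < "$1" | tr -d ' '
}

# grow_raw_image IMAGE ADD_MB
#   1. refuse if the image is open (guest still running), when lsof is available
#   2. copy IMAGE to IMAGE.bak (cp, not mv: the append below targets IMAGE)
#   3. append ADD_MB megabytes of zeroes to IMAGE and verify the new size
grow_raw_image() {
    img=$1
    add_mb=$2
    [ -f "$img" ] || { echo "no such image: $img" >&2; return 1; }
    if command -v lsof >/dev/null 2>&1 && lsof "$img" >/dev/null 2>&1; then
        echo "$img is in use (guest still running?), refusing" >&2
        return 1
    fi
    before=$(image_size_bytes "$img")
    cp "$img" "$img.bak"
    # Append ADD_MB MiB of zeroes; stdout of dd goes onto the end of the image.
    dd if=/dev/zero bs=1048576 count="$add_mb" 2>/dev/null >> "$img"
    after=$(image_size_bytes "$img")
    expected=$((before + add_mb * 1048576))
    if [ "$after" -ne "$expected" ]; then
        echo "size mismatch after append: got $after, expected $expected" >&2
        return 1
    fi
    echo "$img grown from $before to $after bytes; backup at $img.bak"
}

# Usage (assumed path): stop the guest, then
#   grow_raw_image /var/lib/libvirt/images/ubuntu-dev.img 20480
# and continue with steps 3-8 of the post inside the guest.
```

For raw images, `qemu-img resize ubuntu-dev.img +20G` does the same file growth in one command; the partition, physical volume, logical volume and filesystem steps inside the guest are still needed afterwards.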

Friday, June 11, 2010

New Spanish speaking EJBCA forum

We have opened up a new EJBCA forum targeted for spanish speakers.
EJBCA-usuarios. You can visit the new forum on Sourceforge.


Wednesday, June 9, 2010

Prototyping a new admin web console for EJBCA

This is the first sneak preview of the new admin console that we are working on. The new admin console is currently scheduled for EJBCA 4.1, which is due in 2011. We'll see how the progress goes though, and whether we can include a beta earlier than that.
The new admin console uses a modern JSF web framework, giving it a modern look and feel. Of course there is AJAX :-)

Check the movie below to see what the prototype offers. In the first step we have focused on making CA administration as easy to use as possible. It should be easy to get an overview of your CAs and easy to do the simple tasks, operating on one or multiple CAs. Editing CAs (and profiles) will use a tabbed interface, removing the ridiculously long list of options there is today. Instead we can hide the advanced features behind tabs that you don't need to open unless you really want to.
Other usability features will surely be added.

Please feel free to provide feedback on the current prototype, especially the ideas on how to manage CAs.

Or watch the video on YouTube.
Or download mpeg.
Or download ogv (opens directly in newer FireFox).

PrimeKey EJBCA Team.

Monday, May 24, 2010

Celebrate 10 years of BouncyCastle

David Hook of BouncyCastle wrote this on the dev-crypto mailinglist.

Hi all,

While we're not in a habit of making a huge fuss about things, one thing
is about to come up which we thought we'd mention.

Monday 24th of May marks 10 years since the first release of the Bouncy
Castle Cryptography APIs.

To give you an idea of what this means, the first release was on the
order of 24,000 lines of java. Ten years on we are now looking at
200,000 lines of Java and 160,000 lines of C# with a substantial
increase in functionality. The passage of time has certainly been felt.

Anyway, a lot of people outside of the core developers have contributed
over the years, so once again, thanks! And for us, them, and everyone
else, if you're inclined to celebrate 10 years of open source crypto
from this project, Monday is a good time to do it!



An incredibly consistent track record of one of the best open source projects out there!

External RA enrollment Web GUI, sponsored by APNIC

I would like to take this opportunity to remind you that in EJBCA 3.10 there is a new, much awaited, feature. A web GUI for enrollment using the External RA.
The web GUI can be used to enroll for browser certificates using most browsers on all platforms. You can also enroll for server certificates and keystores.
The new GUI is developed with JSF and Facelets, using the IceFaces component library. This gives it a nice modern look and function.

The development of this new feature was sponsored by APNIC, who makes sure internet works in the Asia Pacific.

Monday, May 17, 2010

EJBCA at the Greek police

I held a presentation about EJBCA and SignServer at two conferences, held by Eellak, in Greece this weekend. As part of this I gave as an example an installation of EJBCA at the Greek police. A short summary below.
  • Project PoL, Police on-line.
  • EJBCA replaces RSA Keon CA.
  • Installation by BYTE and PrimeKey.
  • All certificates on smart cards (~25.000).
  • Cards are used to access the PoL network and sign documents.
  • Both old cards and new cards produced with EJBCA are used simultaneously to access, sign and encrypt using a new client, NetID.
  • Old RSA cards that expire are replaced with new cards.
  • Users and documents are not affected.
All in all a nice installation and a good example of PKI usage in an organization.

Tuesday, May 4, 2010

EJBCA 3.9.7 and 3.10.1 released

Monday saw a double release of EJBCA. 3.9.7 fixes a small number of issues in the old 3.9 branch, while 3.10.1 contains 34 fixes and feature enhancements for the 3.10 branch.

3.10.1 is the recommended release for all new installations.

Noteworthy changes in 3.10.1

  • New WS-API methods for renewing CAs. This enables the possibility for
    automated SPoCs in an EAC ePassport PKI.

  • New CMP proxy module letting you have a separate server terminating
    CMP connections and then forwarding them to the CA.

  • Possibility to renew CAs without activating new keys, enabling the CA
    to continue working until a new certificate is imported.

  • Support for SHA384WithECDSA signature algorithm.

  • Fixed deployment on JBoss EAP 5.0.0.

  • Fixed admin GUI bug with problems selecting privileges for RA

  • Fixed some issues with cli and renewal of expired CAs.

  • Fixed a bug with cli for getting delta CRLs.

  • Other minor bug fixes.

Changes in 3.9.7

  • Fixed an error when creating DVs signed by external CVCAs (EAC
    ePassport only).

  • Give better error message when the same public key is passed in
    initial CVC request (EAC ePassport only).

  • Log OCSP responder startup and shutdown.

  • Fix possible NullpointerException in

Wednesday, April 21, 2010

Better late than never... EJBCA 3.10.0 released

I forgot to write about this important event. On the 26th of March EJBCA 3.10.0 was released.

This was a major release with lots of internal reorganisation, new features and fixes. It is in large part a preparation for EJBCA 4.0, with restructuring of the code to make the transition easier and the whole code base better organized. But a few noteworthy features also entered this release.

Noteworthy changes:
- Restructuring and refactoring to improve maintainability, prepare for the EJBCA 4 release and Common Criteria certification.
- Web Service method for creation or update of a user and creation of a certificate in a single transaction.
- Enforcement of unique public keys and subject DNs.
- New External RA API GUI for browser enrollment without ingoing traffic to the CA.
- Support for Ingres 9.3.

Wednesday, March 24, 2010

Using pure OpenSC formatted smart cards with EJBCA and Firefox

OpenSC comes with a number of tools that can be used to generate keys and store certificates on a CardOS 4.3b smart card; the card can then be used in Firefox.

This makes it possible to have a completely open source solution for smart cards, one that is available simply using apt-get install in Ubuntu. Note that opensc in Ubuntu 9.10 is buggy, so you need Ubuntu 10.04 or manually installed opensc packages.

You cannot use a completely blank CardOS 4.3b card, because a factory key is needed in order to set the state of the card so it can be formatted with cardos-tool.
If you have a card formatted as an "instant id" card, using PrimeCard for example, you can reformat the card with cardos-tool.

On to the howto.
Check that the card is found and display its info:
>cardos-tool -i

Format the card:
>cardos-tool -f

Create the PKCS#15 structure (E=erase card, C=create pkcs15):
>pkcs15-init -EC
Store a PIN (P=store pin, a=auth-id, l=label):
>pkcs15-init -P -a 01 -l test01

pkcs11-tool should now list a slot:
>pkcs11-tool -L

Generate a key pair protected by that PIN (the first key gets id 45, which is referenced below). 1024-bit RSA is below current minimum key sizes; use RSA2048 if the card supports it:
>pkcs15-init -G RSA1024 -a 01 -l test01

Generate a certificate request with OpenSSL through the PKCS#11 engine, in the interactive openssl shell (the engine and module paths depend on your distribution):
>sudo apt-get install libengine-pkcs11-openssl
OpenSSL>engine -t dynamic -pre SO_PATH:/usr/lib/engines/ -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/
OpenSSL>req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -subj "/CN=Open SC"

The CSR is stored as req.pem. Get a certificate from EJBCA using "Create Certificate from CSR" in the public web, and store it on the card next to key 45:
>pkcs15-init --store-certificate cert.pem -v -i 45

To use the card in Firefox you just need to add a "Security Device" with module path /usr/lib/

Friday, February 26, 2010

Register for Öppna Ekosystem in Skövde 23 April

There will be an Open Space conference (in Swedish, sorry) about open ecosystems, bringing together developers, users and commercial entities, in Skövde on the 23rd of April 2010.
Register and join: Öppna Ekosystem.
EJBCA and SignServer will most probably be there, displaying and discussing.

Saturday, February 20, 2010

Join EJBCA trainings in US and Europe

Sign up for EJBCA training classes. Schedule and sign-up forms are soon up at

Two day classes for each of "EJBCA Essentials" and "EJBCA Advanced Administration" coming soon to a city near you :-)

Thursday, January 14, 2010

EJBCA at Aicto, Tunisia

We will hold a presentation introducing EJBCA, and a tutorial about PKI architectures and EJBCA, at the Arab Forum on «e-transactions Security & the Public Key Infrastructure (PKI)» in Tunisia. The event takes place on 25-27 January 2010.

Thursday, January 7, 2010

EJBCA 3.9.4 released

We are proud to release yet a new version of EJBCA.

This is a minor release with only a few minor fixes. Nothing critical that makes it necessary for you to jump directly to this release, just a few fixes.

Noteworthy changes:
- Fixed a bug where the OCSP responder would not return correct status for archived (expired) certificates.
- Fixed a regression for the (deprecated) SafeNet JCE CA token.
- Fixed a regression where you could not renew expired CAs.
- Fixed a bug where it was not possible to renew soft ECC CA keys in the admin GUI.
- All language files are now encoded in UTF-8.
- Fixed corner cases where bogus CRLs and certificates could be published to LDAP.

Read the full changelog for details.

For upgrade instructions, please see UPGRADE in the release package.

The PrimeKey EJBCA Team

Monday, January 4, 2010

Build your national ID PKI with EJBCA

We are getting several questions about using EJBCA to build large scale PKIs for national ID and similar project. EJBCA is very suitable for this purpose, so at PrimeKey we have written a short article about this.