Wednesday, June 15, 2011

New EJBCA + SignServer LiveCD available

I have just created a new EJBCA LiveCD with EJBCA 4.0.3 and SignServer 3.2-svn.

On this LiveCD there is the latest release of OpenSC (0.12.1). Smart card enrollment and authentication have been tested with both Feitian and Aventra smart cards.

The LiveCD is available to download from the EJBCA web site.


Sunday, June 12, 2011

CMP for OpenSSL, new tool in the PKI professionals toolbox

A user of EJBCA pointed me at CMP for OpenSSL. It's a nice new open source toolkit, with both a development API and client tools.

The cmpclient works perfectly with EJBCA CMP in RA mode. I have documented how it works, with a sample command, in the EJBCA Admin Guide.

All in all, good signs for CMP I think.

Tuesday, June 7, 2011

CMP interoperability

I have been making more tests, and some improvements, on CMP interoperability for EJBCA.

You can see some of the results here.

In short, purely technically, CMP mostly seems to work. What is cumbersome with the CMP protocol is that there are so many options. For a CA to say that it supports CMP does not mean much by itself; it must state explicitly which specific CMP work-flows it supports, with the technical details. For example, how are enrolling clients authenticated? Common options include:
  • Shared secret used for password-based MAC, where the keyId is the username (as specified in the profile in the RFC). The shared secret must be stored in clear text in the CA database, which is a downside. Pre-registration of end entities is needed.
  • Shared secret with a one-time password in the regToken control. Pre-registration of end entities is needed.
  • Digital-signature-protected request message, where the signature is made with an out-of-band issued certificate, possibly from another CA. Pre-registration of end entities is needed.
  • RA-type application with password-based HMAC, where the RA specifies the certificate contents in the request and is authenticated using a shared secret. No pre-registration of end entities is needed.
  • RA-type application with digital signature authentication. No pre-registration of end entities is needed.
  • Etc...
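
To make the first option concrete, here is an added example (not EJBCA's or cmpclient's own code) of the PasswordBasedMac protection from RFC 4210 section 5.1.3.1, seen from both sides: the client derives the MAC key from the shared secret and a salt, and the CA looks up the secret by keyId (the username) and recomputes the MAC. The end entity table, the secret, the iteration count and the "protected part" bytes are constructed placeholders; in a real message the salt, OWF, iterationCount and MAC algorithm come from the PBMParameter in the PKIHeader, and the protected part is the DER encoding of header and body. The CA-side lookup also makes the downside from the list visible: the CA must hold the secret in clear text to verify the request.

```python
import hashlib
import hmac
import os

# Constructed defaults; real values come from the PBMParameter in the CMP message header.
OWF = "sha1"              # one-way function from PBMParameter.owf
MAC = "sha1"              # HMAC hash from PBMParameter.mac
ITERATION_COUNT = 1000    # PBMParameter.iterationCount


def derive_base_key(secret: bytes, salt: bytes, iteration_count: int, owf: str = OWF) -> bytes:
    """BASEKEY per RFC 4210 5.1.3.1: apply the OWF iterationCount times,
    starting from secret || salt, feeding each output into the next round."""
    if iteration_count < 1:
        raise ValueError("iterationCount must be at least 1")
    key = secret + salt
    for _ in range(iteration_count):
        key = hashlib.new(owf, key).digest()
    return key


def compute_pbm(secret: bytes, salt: bytes, iteration_count: int,
                protected_part: bytes, owf: str = OWF, mac: str = MAC) -> bytes:
    """PasswordBasedMac value: HMAC(BASEKEY, protectedPart)."""
    base_key = derive_base_key(secret, salt, iteration_count, owf)
    return hmac.new(base_key, protected_part, mac).digest()


# Constructed stand-in for the CA's end entity table: keyId (username) -> clear-text secret.
# This is the pre-registration the post mentions, and the reason the secret sits in clear
# text in the CA database.
END_ENTITY_SECRETS = {
    b"alice": b"correct horse battery staple",
}


def client_protect(secret: bytes, protected_part: bytes, salt: bytes = None,
                   iteration_count: int = ITERATION_COUNT):
    """Client side: pick a fresh salt (unless given) and compute the MAC over the request."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, compute_pbm(secret, salt, iteration_count, protected_part)


def ca_verify_request(key_id: bytes, salt: bytes, iteration_count: int,
                      protected_part: bytes, received_mac: bytes) -> bool:
    """CA side: look up the shared secret by keyId, recompute and compare in constant time."""
    secret = END_ENTITY_SECRETS.get(key_id)
    if secret is None:
        return False  # unknown keyId: end entity was never pre-registered
    expected = compute_pbm(secret, salt, iteration_count, protected_part)
    return hmac.compare_digest(expected, received_mac)


if __name__ == "__main__":
    body = b"DER(PKIHeader || PKIBody) - constructed placeholder bytes"
    salt, mac_value = client_protect(END_ENTITY_SECRETS[b"alice"], body)
    print("valid request:   ", ca_verify_request(b"alice", salt, ITERATION_COUNT, body, mac_value))
    print("tampered body:   ", ca_verify_request(b"alice", salt, ITERATION_COUNT, body + b"x", mac_value))
    print("unregistered id: ", ca_verify_request(b"bob", salt, ITERATION_COUNT, body, mac_value))
```

The verification fails for a modified body, a wrong secret, a different salt or iteration count, or a keyId that was never registered, which is why this option only works when end entities are pre-registered with their secret before they enroll.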

There is virtually no limit to the options.

As you can see, implementing all options is a very large amount of work. The rule we use is that we implement the options we actually see in use, which of course means that we need to improve continuously. I think it is the only way to work efficiently however, not implementing functions that will never be used. The downside is of course that someone can come along and find that our implementation does not support their use-case. Usually new things can be implemented with a rather small investment.

Thursday, June 2, 2011

EJBCA 4.0.3 released

On the 1st of June we released EJBCA 4.0.3. This is a minor release with only a few fixes. In all, 5 issues have been resolved.

Noteworthy changes:
  • Improved CMP interoperability, with minor improvements and bugfixes.
  • Fixed a bug that made it impossible to delete an end entity profile on certain databases, in particular hsql (test database).

In particular, the release is aimed at resolving a minor issue when using the HSQL database used for testing. We wanted to make this release so that any testing of EJBCA runs smoothly. At the same time we took the chance to make some CMP improvements, including one that makes CMP client mode work with the BouncyCastle 1.46 API.

Read the full Changelog for details.

The PrimeKey EJBCA Team