Friday, May 11, 2012

Enterprise EJBCA features vs Community

EJBCA version 6, with EJBCA Enterprise and EJBCA Community, has now been released. Instead of this blog post, which is getting dated, you should head over to the newer pages.

This is a continuation of the blog post EJBCA will always be Open Source.

Here we will describe the feature difference between EJBCA 5 (Enterprise) and EJBCA 4 (Community). For a high level overview you should first read EJBCA will always be Open Source.
For a list of all the features in EJBCA, visit

The freshest, most up to date, description of EJBCA Enterprise features will be available at PrimeKey.

EJBCA Enterprise Edition vs Community

EJBCA 5 has features required for high trust environments:
  • Common Criteria EAL4+ and CWA 14167 certified.
  • Certified access control and authorization module, for assurance and high trust role separation.
  • Integrity protected security audit log, with digital signature or HMAC protection.
  • Improved security audit log messages, complete information that is auditable.
  • Full database integrity protection of all tables, to detect database manipulation.
  • Authentication of local CLI users enabling role separation also for local CLI.
  • Penetration tested with improved security.
Users requiring certified operations, Common Criteria, CWA, ETSI or WebTrust will benefit greatly from EJBCA 5.
In addition to that there are other minor changes that are unique to EJBCA 5. These changes are the result of the majority of development resources now focusing on future versions of EJBCA, and will eventually trickle down to Community EJBCA.
  • Smaller release ZIP file.
  • Minor CLI improvements with new methods and parameters.
  • New database CLI for database export, import and verification.
  • Support for Permanent Identifiers (RFC 4043) and authorityInformationAccess in CRLs.
  • Support for SIP and Kerberos extended key usages.
  • Improved memory efficiency in certain use cases.
  • Optimized database usage.
  • Other minor improvements and bugfixes.

Normal users will be satisfied with the feature set, and the record breaking performance, of EJBCA 4.

Feature comparison table

The freshest, most up to date, description of EJBCA Enterprise features will be available at PrimeKey.
This is a snapshot at the time this blog post was written.

License
  Enterprise: Open Source LGPL v2.1 or later
  Community:  Open Source LGPL v2.1 or later

PKI features
  Enterprise: Full, including all protocols
  Community:  Full, including all protocols

Recommended for
  Enterprise: EJBCA Enterprise is recommended for Corporations, Governments and other organizations looking for an enterprise scale, production-ready, certified, open source PKI solution without any upfront license fees.
  Community:  EJBCA Community is recommended for developers and technical PKI users in non-mission critical environments. As this version is unsupported it is intended to be used by those prepared to spend time and resource solving issues independently.

Suitable for
  Enterprise: EJBCA is suitable for small to huge scale PKI deployments ranging from 1000 to over 100 million issued certificates.
  Community:  EJBCA is suitable for small to huge scale PKI deployments ranging from 1000 to over 100 million issued certificates.

Security Certifications
  Enterprise: EJBCA Enterprise has been certified under Common Criteria EAL 4+ (CIMC Protection Profile) and CWA 14167-1 (at customer locations).
  Community:  None

Commercial support
  Enterprise: PrimeKey provides commercial support with Service Level Agreements (SLA) for issue tracking, problem resolution, patches and fixes.
  Community:  None provided, community support through forums and mailing lists.

Integrity protected security audit
  Enterprise: EJBCA Enterprise features a Common Criteria certified security audit mechanism using HMAC or digital signatures for integrity protection.
  Community:  No

Database integrity protection
  Enterprise: EJBCA Enterprise features a Common Criteria certified database protection protecting the database from malicious DBAs.
  Community:  No

Penetration tested
  Enterprise: EJBCA Enterprise has been penetration tested as part of Common Criteria evaluation, and by independent security testers.
  Community:  No

Role separation
  Enterprise: Full role separation including local command line interface.
  Community:  Role separation for remote access users.

Security flaw remediation process
  Enterprise: PrimeKey has a Common Criteria evaluated tracking process for security, and other, bug reports.
  Community:  EJBCA Community follows an open development and issue tracking process, without guaranteed response times.

License Price / Subscription
  Enterprise: No software license fee – provided as part of an annual subscription for commercial level support.
  Community:  No software license fee – free to download, free to use.

Additional features
  Enterprise: Emergency hot fixes, security alerts, best practice advice, private issue tracking portal, additional guides and tools.
  Community:  Most feature complete and most flexible PKI, with highest performance, compared to most open source and commercial PKIs.

Training
  Enterprise: Customers and Partners get training on latest certified PKI from PrimeKey (additional cost depending on your contract).
  Community:  Contact PrimeKey.
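The feature list above and the "Integrity protected security audit" and "Database integrity protection" rows of the table both refer to HMAC protection of audit records and database rows. The following is an added illustration of what such protection buys a defender; it is not EJBCA's code and does not claim to match EJBCA's record formats, column names or key handling. The key, the row fields and the audit events are constructed for the example. It shows two things: a per-row MAC that fails verification after a direct database edit, and a chained audit log (each record's MAC covers the previous record's MAC) that pinpoints a modified or deleted record. It also shows the chain's known limit: deleting only the newest record is invisible to the chain itself, which is why the last tag must be anchored somewhere the database administrator cannot reach (signed, exported, or stored in an HSM).

```python
import hashlib
import hmac
import json

# Constructed demo key. In a deployment the key lives in an HSM or a protected
# key store, never in source code or in the database it protects.
DEMO_KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # stands in for the "previous tag" of the very first record


def canonical(record: dict) -> bytes:
    """Deterministic encoding so the MAC does not depend on field order."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def mac(data: bytes, key: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def protect_row(row: dict, key: bytes = DEMO_KEY) -> dict:
    """Row-level protection: attach an HMAC computed over all columns of the row."""
    return {**row, "rowProtection": mac(canonical(row), key)}


def verify_row(row: dict, key: bytes = DEMO_KEY) -> bool:
    """Recompute the row MAC; a changed column or a missing MAC fails."""
    tag = row.get("rowProtection")
    if tag is None:
        return False
    body = {k: v for k, v in row.items() if k != "rowProtection"}
    return hmac.compare_digest(mac(canonical(body), key), tag)


def append_audit(log: list, event: dict, key: bytes = DEMO_KEY) -> None:
    """Append an audit record whose MAC also covers the previous record's MAC."""
    record = {"seq": len(log), "prev": log[-1]["tag"] if log else GENESIS, **event}
    record["tag"] = mac(canonical(record), key)
    log.append(record)


def verify_audit(log: list, key: bytes = DEMO_KEY) -> int:
    """Return -1 if the whole chain verifies, else the index of the first bad record.

    Checks each record's MAC, that sequence numbers are contiguous, and that each
    record's prev field equals the previous record's tag, so a record that was
    modified, inserted or deleted in the middle of the log is detected.
    """
    prev = GENESIS
    for i, rec in enumerate(log):
        if rec.get("seq") != i or rec.get("prev") != prev or "tag" not in rec:
            return i
        body = {k: v for k, v in rec.items() if k != "tag"}
        if not hmac.compare_digest(mac(canonical(body), key), rec["tag"]):
            return i
        prev = rec["tag"]
    return -1


def demo() -> dict:
    """Run both mechanisms on constructed data and report what each one detects."""
    results = {}
    # Row protection, e.g. one row of a CA's certificate table (constructed values).
    row = protect_row({"fingerprint": "ab12", "status": "ACTIVE", "subject": "CN=demo"})
    results["row_intact"] = verify_row(row)
    edited = {**row, "status": "REVOKED"}  # a direct DB edit that bypassed the application
    results["row_edited"] = verify_row(edited)

    # Chained audit log (constructed events).
    log = []
    append_audit(log, {"event": "CERT_CREATION", "admin": "ca-admin", "subject": "CN=demo"})
    append_audit(log, {"event": "CERT_REVOKED", "admin": "ca-admin", "subject": "CN=demo"})
    append_audit(log, {"event": "ADMIN_LOGIN", "admin": "ra-operator"})
    results["log_intact"] = verify_audit(log)           # -1: everything verifies
    modified = [dict(r) for r in log]
    modified[1]["admin"] = "someone-else"
    results["log_modified"] = verify_audit(modified)    # 1: the edited record
    gap = log[:1] + log[2:]                             # middle record deleted
    results["log_gap"] = verify_audit(gap)              # 1: sequence/prev mismatch
    truncated = log[:-1]                                # newest record deleted
    results["log_truncated"] = verify_audit(truncated)  # -1: the chain alone cannot see this
    # An externally anchored copy of the last tag is what exposes truncation.
    results["last_tag_matches_anchor"] = truncated[-1]["tag"] == log[-1]["tag"]
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The row MAC only tells you that a row changed, not who changed it; that is the audit log's job, and the two mechanisms complement each other. Periodic verification (for example a scheduled job that runs the equivalent of verify_audit and verify_row over the tables) is what turns the MACs into an actual detection control.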

Thursday, May 3, 2012

Cert-cvc 1.3.0 released

We have released version 1.3.0 of the ePassport EAC library cert-cvc. This version is a minor release that only adds support for BouncyCastle v 1.47.
Cert-cvc now works with BC 1.46 and BC 1.47.

Visit for downloads.

PrimeKey EJBCA Team

EJBCA will always be Open Source

Since EJBCA 5 there is now one version of EJBCA that is free to download and one that is not.
This blog post will try to clarify why, and what this means.

Why we are doing this

EJBCA 5.0 is Common Criteria and CWA (14167) certified software. Software certification costs many hundreds of thousands of euros, a substantial investment by PrimeKey Solutions to fulfil customer needs for certified software.

PrimeKey is a commercial company employing most of the EJBCA developers and makes a living out of selling support, services and training for EJBCA and SignServer.
PrimeKey cannot afford to give away certification for free to large organizations with much larger funds than PrimeKey itself. Without employed EJBCA developers, EJBCA cannot continue to be among the top PKI software in the world.

To fulfil the needs of these customers, and also the community, two versions of EJBCA are needed:
  • Certified versions of EJBCA, not available for free download.
  • Non-certified versions of EJBCA, available for free download.

EJBCA Enterprise Edition

Many organizations require that PKI software is certified according to Common Criteria and/or CWA.
Certified software can require additional features, such as secure audit logging and database integrity protection.
Software certification is a business requirement and generally has little to do with the code itself. EJBCA 5 is aimed at the enterprises that have these higher trust requirements.

Enterprise EJBCA is:
  • available to all support customers
  • equipped with all the newest features required for higher trust and maximum performance
  • security certified according to Common Criteria and CWA
  • supported with SLA
  • Open Source LGPL v2.1 or later
The current Enterprise EJBCA version is EJBCA 5.0.

EJBCA Community Edition

EJBCA is an open source project. It is one of the most widely used PKIs in the world, with deployments on all inhabited continents.
Organizations that do not require certified software or SLA support can use the Community EJBCA.

PrimeKey will still maintain the Community version of EJBCA. We will continue to provide new features and bug fixes to ensure that both versions of EJBCA will remain the leading PKI software.

PrimeKey always contributes the features from the certified version back to the Community, and PrimeKey's customers pay for development of many features that go directly into the open source project.

Community EJBCA is:
  • available for anyone to download and use
  • still maintained with new features and bug fixes
  • supported by the community
  • Open Source LGPL v2.1 or later
  • given advanced features only after they have been introduced in Enterprise EJBCA; they may eventually end up in later versions of Community EJBCA
The current Community EJBCA version is EJBCA 4.0.

Wednesday, May 2, 2012

Open Source at Security Document World 2012

I will hold a presentation called "Leveraging Open Source technologies for secure electronic documents" at Security Document World 2012.

Summary of the presentation:

Today's security documents require the deployment of extensive security software infrastructures, primarily PKI based. Current, and future, security documents such as passports, IDs, driver licenses and tachographs all require one or several public key infrastructures to produce and use.
This presentation will show open source solutions available to support these documents, including CSCA, Document Signer, CVCA, DV and Inspection Systems. We will explain how security document producers can use these solutions in the best and most efficient way, and what pitfalls to avoid. In order to reap the full benefits of open source and open standards there are a few more things to consider apart from simply viewing it as cost free software.
Finally we will display real world use cases where open source software is part of the production of millions of security documents.

I will mention several open source projects:
- SignServer
- BouncyCastle
- etc

Looking forward to seeing you at the conference :-)