Wednesday, May 18, 2016

What does eIDAS compliance mean for a PKI?

The new eIDAS regulation that has been adopted in the EU (by 1 July 2016) comes with a new set of standard documents from ETSI, specifying particular requirements on PKI. The two new eIDAS standards relevant for PKI are:
  • EN 319 411 - Policy and security requirements for Trust Service Providers issuing certificates
  • EN 319 412 - Certificate Profiles
The standards are maintained by the standardization body ETSI and can be downloaded from the ETSI download area.

What new requirements do these standards come with? Looking closely there are only two new things needed to be able to claim "eIDAS compliance":
  • A new DN attribute organizationIdentifier
  • New fields in the QCStatement certificate extension
Let's dig a little deeper into these two requirements.


OrganizationIdentifier is a DN attribute with OID specified in X.520. This is an attribute that has, to my knowledge, never been in common use in certificates before. Its usage in the eIDAS context is described in the following sections of EN 319 412:
  • EN 319 412-1 section 5.1.1 and 5.1.4
  • EN 319 412-2 section and 4.2.4
  • EN 319 412-3 section 4.2.1
OrganizationIdentifier is supported in EJBCA Enterprise PKI from version 6.5.2.


There is already a QCStatement extension in use since long. With the new standards comes a few additions.

The new items in the QCStatement extension are:
  • QcType, claiming that the certificate is a EU qualified certificate of a particular type
  • PdsLocation, location of PKI Disclosure Statements (PDS)
The QCStatement is described in:
  • EN 319 411-2 section 6.6.1
  • EN 319 412-1 section 5.1.1 and 5.1.2
  • EN 319 412-2 section 5.1 and 5.2
  • EN 319 412-4 section 4.2
  • EN 319 412-5, full technical description
With the convenient ability to define custom extensions in the EJBCA GUI (since EJBCA 6.4.0) the new QCStatement extension can be easily added to any certificate profile.

EJBCA Enterprise

We strive to support all relevant open PKI standards and it is important to keep EJBCA Enterprise up to date with new and emerging standards. Since EJBCA 6.5.2 eIDAS compliance should be easily achieved on the level of PKI.

More information  

Basic information on EJBCA Enterprise PKI and PKI Appliance developed by PrimeKey.
EJBCA is a registered trademark of PrimeKey Solutions AB in the EU, the United States, Japan and certain other countries.

Wednesday, April 13, 2016

USB 3.1 Certificate Authentication with EJBCA

A USB standard for authentication of devices has been released a little while ago [1] as part of USB 3.1.

In short, the standard specifies the use of:
  • X509v3, DER encoding certificates 
  • ECDSA using the NIST P256 (a.k.a. secp256r1) curve, uncompressed point format 
  • SHA256 
SubjectDN fields should be:
  • CN: USB:<vendor ID>:<product ID>
  • O: organization name attribute shall contain the human-readable name of the organization that owns the private key 
  • DN Serial Number: lowercase hex-encoded value of the binary data (e.g. wafer number, lot number, production lot, etc.) necessary for uniqueness. 
In addition, there is one new certificate extension:

Custom certificate extension USB-IF ACD (OID Seems to contain static data in an OCTET STRING, which can be added via EJBCA Admin GUI.

Conclusion: EJBCA should be able to issue such certificates.

[1] "USB Authentication Specification Rev. 1.0, March 25, 2016"