Thursday, June 27, 2019

EJBCA 7.2.0 - CT improvements & Extended REST API

Summer is here and as promised, so is EJBCA 7.2.0! Highlighted news are performance improvements to Certificate Transparency and additional functionality added to the REST API.

Persistent Storage of Certificate Transparency SCT Responses

Persistent caching of Certificate Transparency SCTs (Signed Certificate Timestamps), in the form of a database-backed storage, has been added in addition to the existing in-memory caching. This reduces the number of requests to the CT log server and increases the performance in the following ways:

  •  The database-backed storage will be used after a restart when the in-memory cache is empty.
  • The in-memory storage has a limit of 100 000 certificates by default, and will only keep the SCTs for the most recently requested certificates. The database-backed storage has no such limit and will be used for SCTs for less frequently requested certificates.
  • The database-backed storage will store partial results for a certificate, allowing EJBCA to retry a submission efficiently at a later point.

Additionally, the default configuration was changed to rate-limit connections to logs that are down or return error codes. This reduces the load on both log servers and
EJBCA. For example, if a CT log rate-limits EJBCA, then EJBCA will back off for 1 second by default.

Crypto Token and CA Management REST API

The EJBCA REST API has so far been limited to Certificate Management operations. We've now extended the REST API, adding resources for CA administration as well. This allows simpler remote integration and management as an option to the GUI. New endpoints support Crypto Token and CA Management including:
  • CA activation and deactivation.
  • Crypto Token activation and deactivation.
  • Key generation and removal.
New REST end points in Swagger-UI

Expect more news from us this autumn!

the PrimeKey EJBCA Team

Tuesday, June 25, 2019

EJBCA ♥ YubiKey

With the keygen tag in its final death throes, time has come to move on to new and better ways of managing keys on tokens. We here at PrimeKey are big fans of our friends at Yubico, so here is a neat little guide of how to get up and running with using your YubiKey with EJBCA.

Disclaimer: This blog post is in no way sponsored nor endorsed by Yubico, though they were quite kind and provided us with a couple of tokens to play around with. We just honestly like them. 


To get going, you're going to need to have the following installed on your workstation:

Creating a key pair on your YubiKey

1. Start up the YubiKey Manager
2. Under Applications, pick PIV and then Configure Certificates

3. Under the Authentication tab, click Generate to create a new key pair on the token. This will take you through a guide of creating a key pair by picking an algorithm, key size and setting the Common Name for your token. 
4. Make sure that you specify that you was a Certificate Signing Request (CSR)
5. This will result in a CSR that you can use to enroll the key pair to EJBCA. 

Enrolling the YubiKey to EJBCA

Enrolling the newly created key pair is done just like with any other enrollment.

1. Go to the EJBCA RA UI
2. Click on Enroll, choose the appropriate certificate type and sub-type and choose Generated by User, which will prompt you to upload your CSR from the previous step.
3. Fill in any other pertinent information, then choose Download PEM

Importing the Certificate to the YubiKey 

1. Open the YubiKey Manager, and again choose Applications, pick PIV and then Configure Certificates
2. Click Import and pick the new newly generated certificate.
3. Congratulations - your YubiKey is now up and running, but we still need to configure the browser to play along. 

Configuring FireFox to use YubiKey

1. Open Firefox and enter about:preferences in the address bar
2. Under Privacy and Security click on Security Devices 
3. Click on Load to install OpenSC's PKCS#11 Driver
4. Name the module and then locate the (or similar) library
5. The YubiKey will now be shown as a security module

Configuring Access Rights in EJBCA 

This is done using Roles as with any user EJBCA administrator, but here are the exact steps:

1. In the EJBCA CA UI, pick Roles and either create a new Role or add the new administrator to an existing Role
2. To add the administrator, click on Members, pick the appropriate CA and enter the identifying the information for the certificate, preferably the serial number
3. An easy way to find the serial number is to view the certificate in OpenSSL using the command:
$ openssl x509 -in alanwidget.pem -text -noout
The serial number can be copied, converted from hex to decimal using a converter and then used in EJBCA.

4. Finally, click on Access Rules and set the required rules for your administrator
5. The next time you start a new session, your YubiKey will be offered as an option