Wednesday, November 19, 2008

Simple Certificate Archival solution

Introduction


Starting with syscheck 1.2, there is a script-based archival solution.

New and revoked certificates are stored on local disk in a file tree and, optionally, on a remote SSH server.

syscheck svn: https://ejbca.svn.sourceforge.net/svnroot/ejbca/trunk/syscheck/

Setup of publisher


Go to: EJBCA Adminweb → "Edit Publishers" → Add new name: "Archival publisher"


Select or enter the following:


Publisher Type: "Custom Publisher"

Class Path: "org.ejbca.core.model.ca.publisher.GeneralPurposeCustomPublisher"

Properties of Custom Publisher:

crl.application /path/to/syscheck/related-enabled/902_export_crl.sh

crl.failOnStandardError true

crl.failOnErrorCode true

cert.application /path/to/syscheck/related-enabled/900_export_cert.sh

cert.failOnStandardError true

cert.failOnErrorCode true

revoke.application /path/to/syscheck/related-enabled/901_export_revocation.sh

revoke.failOnStandardError true

revoke.failOnErrorCode true

Use the publisher on CAs

Go to: EJBCA Adminweb → "Edit Certificate Authorities"

Select the CA you want CRL archival on, then click on edit CA

At "CRL Publishers":

Select "Archival publisher"

Do this for all CAs you want CRL archival for.

Use the publisher on Certificate profiles

Go to: EJBCA Adminweb → "Edit Certificate Profiles"

At: "Publishers"

Select "Archival publisher"

Do this for all Certificate profiles you want certificate archival for.
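
How a script behind the cert.application property could honor the failOnErrorCode and failOnStandardError settings configured above; this is an added example, not the syscheck 900_export_cert.sh script. It assumes the publisher passes the path of a temporary file holding the DER-encoded certificate as the first argument and that sha256sum is installed; archive_cert, ARCHIVE_ROOT and the directory layout are hypothetical.

```shell
#!/bin/sh
# Added example: NOT the syscheck script. Assumption: $1 is the path of a
# temp file with the DER-encoded certificate, supplied by the publisher.
# With failOnErrorCode and failOnStandardError set to true, a non-zero exit
# or any stderr output makes the publish fail, so stderr is used only on error.

# archive_cert <der-file> <archive-root>
# Prints the archived path on stdout; non-zero status on any failure.
archive_cert() (
    src=$1
    root=$2
    # Reject missing or empty input so a broken publish is reported.
    [ -s "$src" ] || { echo "empty or missing input: $src" >&2; exit 2; }
    # Name the entry by the SHA-256 of the DER bytes (the cert fingerprint).
    fp=$(sha256sum < "$src" | cut -d' ' -f1)
    [ "${#fp}" -eq 64 ] || { echo "hashing failed for $src" >&2; exit 3; }
    # Shard the tree by the first two hex digits to keep directories small.
    dir=$root/$(printf %s "$fp" | cut -c1-2)
    dest=$dir/$fp.der
    umask 077
    mkdir -p "$dir" 2>/dev/null || { echo "cannot create $dir" >&2; exit 4; }
    if [ -e "$dest" ]; then
        # Never overwrite: a differing entry means the archive was altered.
        cmp -s "$src" "$dest" || { echo "conflict at $dest" >&2; exit 5; }
    else
        # Copy to a temp name, then rename, so no partial file is left behind.
        tmp=$dest.tmp.$$
        cp "$src" "$tmp" 2>/dev/null && mv "$tmp" "$dest" || {
            rm -f "$tmp"; echo "write failed: $dest" >&2; exit 6; }
    fi
    printf '%s\n' "$dest"
)

# Entry point when configured as cert.application.
# ARCHIVE_ROOT and its default are hypothetical.
if [ "$#" -gt 0 ]; then
    archive_cert "$1" "${ARCHIVE_ROOT:-/var/archive/certs}" >/dev/null || exit 1
fi
```

Re-publishing the same certificate is a no-op, while an existing archive entry whose bytes differ from the published certificate fails the publish instead of being silently replaced.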


Friday, October 31, 2008

Presentation from FSCONS

Johan and Tham went to FSCONS 2008 and presented "Secure communication with open source PKI". It's a basic introduction to PKI and a demonstration of email-signing, Apache client cert authentication and using certs in OpenVPN.



Direct link to the video (use VLC to play it if it doesn't work).

The presentation slides.

Monday, October 27, 2008

EJBCA and BouncyCastle on OSOR.eu eID/PKI/eSignature Community Workshop

I will present a "Lightning talk" at the OSOR.eu eID/PKI/eSignature Community Workshop in Brussels on the 13th of November 2008. The talk will be a short one describing experience from both the BouncyCastle and the EJBCA projects regarding open source usage in the EU. The hope is to give some input on what the EU can do to help, or not to discriminate against, open source projects/products.
The BouncyCastle part is made by David Hook of Lockboxlabs.

Monday, October 13, 2008

Presentation from Open Standards Forum

You can read and view my presentation from Oasis Open Standards Forum that took place in London in the beginning of October. The event was very interesting, a lot is happening in the standardization and technology arena.

Presentation slides.

Presentation movie (73MB).

Wednesday, October 8, 2008

EJBCA @ FSCONS 2008

Two core EJBCA developers from PrimeKey Solutions AB will be present at this year's FSCONS (2008-10-24 to 26th). Since PrimeKey sponsors the conference, we will have a booth somewhere in "the lounge area". So drop by and ask questions about the latest and greatest, suggest new features or tell us how you want to use EJBCA.

It currently looks like we get a chance to talk the last day at 16:00 on the subject "Secure communications with Open Source PKI". The preliminary plan is to give a simple hands-on presentation on how easily PKI can be used for secure email, client SSL authentication, OpenVPN and more.

We hope to see you all there!

Sunday, September 14, 2008

Successful EAC ePassport PKI interoperability tests

EJBCA was present at the Prague event for PKI interoperability tests, since both Sweden and Portugal use EJBCA for their EAC CVC PKI. The tests were a huge success and no problems were encountered in EJBCA. Interoperability was tested with many different countries using different implementations and algorithms.

Look out for EJBCA 3.7.1, which will bring ECC support (as tested at the event) and a lot of CVC usability enhancements.

Saturday, September 6, 2008

Bouncycastle supported by Lock Box Labs

My favorite open source project, the Java crypto provider Bouncycastle (http://www.bouncycastle.org/), has gotten its own legal entity offering support contracts. Go get one!