I missed to write about this important event. On the 26th of march EJBCA 3.10.0 was released.
This was a major release with lots of internal reorganisations, new features and fixes. It's in much a preparation for EJBCA 4.0, with restructuring of the code to make transition easier and the whole code base better organized. But also a few noteworthy features entered this release.
Noteworthy changes:
- Restructuring and refactoring to improve maintainability, prepare for the EJBCA 4 release and Common Criteria certification.
- Web Service method for creation or update of a user and creation of a certificate in a single transaction.
- Enforcement of unique public keys and subject DNs.
- New External RA API GUI for browser enrollment without ingoing traffic to the CA.
- Support for Ingres 9.3.
Wednesday, April 21, 2010
Wednesday, March 24, 2010
Using pure OpenSC formatted smart cards with EJBCA and FireFox
OpenSC comes with a number of tools that can be used to generate keys and store certificates on a CardOS 4.3b smart card, this can then be used in FireFox.
This makes it possible to have a completely open source solution for smart cards, one that is available simply using apt-get install in Ubuntu. Note that opensc in Ubuntu 9.10 is buggy so you need Ubuntu 10.04 or manually installed opensc packages.
You can not use a completely blank CardOS 4.3b card because there is a factory key needed in order to set the state of the card so it can be formatted with cardos-tool.
If you have a card formatted as an "instant id" card, using PrimeCard for example, you cen reformat the card with cardos-tool.
On to the howto
---------------
Check that card is found and display info:
>>cardos-tool -i
Format:
>cardos-tool -f
Create pkcs15 (E=erase, C=create pkcs15):
>pkcs15-init -EC
Init pkcs15 (P=store pin, a=auth-id, l=label of key):
>pkcs15-init -P -a 01 -l test01
Now pkcs11-tool list a slot:
>pkcs11-tool -L
Generate keys
>pkcs15-init -G RSA1024 -a 01 -l test01
Generate cert request with openssl:
>sudo apt-get install libengine-pkcs11-openssl
>openssl
OpenSSL>engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
OpenSSL>req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -subj "/CN=Open SC"
CSR is stored as req.pem. Get certificate from EJBCA using "Create Certificate from CSR" in public web and store on card:
>pkcs15-init --store-certificate cert.pem -v -i 45
To use in FireFox you just need to add a "Security Device" with module path /usr/lib/opensc-pkcs11.so
This makes it possible to have a completely open source solution for smart cards, one that is available simply using apt-get install in Ubuntu. Note that opensc in Ubuntu 9.10 is buggy so you need Ubuntu 10.04 or manually installed opensc packages.
You can not use a completely blank CardOS 4.3b card because there is a factory key needed in order to set the state of the card so it can be formatted with cardos-tool.
If you have a card formatted as an "instant id" card, using PrimeCard for example, you cen reformat the card with cardos-tool.
On to the howto
---------------
Check that card is found and display info:
>>cardos-tool -i
Format:
>cardos-tool -f
Create pkcs15 (E=erase, C=create pkcs15):
>pkcs15-init -EC
Init pkcs15 (P=store pin, a=auth-id, l=label of key):
>pkcs15-init -P -a 01 -l test01
Now pkcs11-tool list a slot:
>pkcs11-tool -L
Generate keys
>pkcs15-init -G RSA1024 -a 01 -l test01
Generate cert request with openssl:
>sudo apt-get install libengine-pkcs11-openssl
>openssl
OpenSSL>engine -t dynamic -pre SO_PATH:/usr/lib/engines/engine_pkcs11.so -pre ID:pkcs11 -pre LIST_ADD:1 -pre LOAD -pre MODULE_PATH:/usr/lib/opensc-pkcs11.so
OpenSSL>req -engine pkcs11 -new -key id_45 -keyform engine -out req.pem -text -subj "/CN=Open SC"
CSR is stored as req.pem. Get certificate from EJBCA using "Create Certificate from CSR" in public web and store on card:
>pkcs15-init --store-certificate cert.pem -v -i 45
To use in FireFox you just need to add a "Security Device" with module path /usr/lib/opensc-pkcs11.so
Friday, February 26, 2010
Register for Öppna Ekosystem in Skövde 23 april
There will be an Open Space conference (in Swedish sorry) about open ecosystems putting together developers, users and commercial entities in Skövde on the 23rd of April 2010.
Register and join: Öppna Ekosystem.
EJBCA and SignServer will most probably be there displaying and discussing.
Register and join: Öppna Ekosystem.
EJBCA and SignServer will most probably be there displaying and discussing.
Saturday, February 20, 2010
Join EJBCA trainings in US and Europe
Sign up for EJBCA training classes. Schedule and sign-up forms is soon up at www.primekey.se/Services/Training/.
Two day classes for each of "EJBCA Essentials" and "EJBCA Advanced Administration" coming soon to a city near you :-)
Two day classes for each of "EJBCA Essentials" and "EJBCA Advanced Administration" coming soon to a city near you :-)
Thursday, January 14, 2010
EJBCA at Aicto, Tunisia
We will hold a presentation introducing EJBCA, and a tutorial about PKI architectures and EJBCA at the Arab Forum on «e-transactions Security & the Public Key Infrastructure (PKI)» in Tunisia. the event takes place on th 25-27 of January, 2010.
Thursday, January 7, 2010
EJBCA 3.9.4 released
We are proud to release yet a new version of EJBCA.
This is a minor release with only a few minor fixes. Nothing critical
that makes is necessary for you to jump directly on to this release,
just a few fixes.
Noteworthy changes:
- Fixed a bug where OCSP responder would not return correct status for
archived (expired) certificates.
- Fixed a regression for the (deprecated) SafeNet JCE CA token.
- Fixed a regression where you could not renew expired CAs
- It's not possible to renew soft ECC CA keys in the admin GUI
- All language files are now encoded in UTF-8
- Fixed corner cases where bogus CRLs and certs could be published to LDAP
Read the full changelog for details.
For upgrade instructions, please see UPGRADE in the release package.
Regards,
The PrimeKey EJBCA Team
This is a minor release with only a few minor fixes. Nothing critical
that makes is necessary for you to jump directly on to this release,
just a few fixes.
Noteworthy changes:
- Fixed a bug where OCSP responder would not return correct status for
archived (expired) certificates.
- Fixed a regression for the (deprecated) SafeNet JCE CA token.
- Fixed a regression where you could not renew expired CAs
- It's not possible to renew soft ECC CA keys in the admin GUI
- All language files are now encoded in UTF-8
- Fixed corner cases where bogus CRLs and certs could be published to LDAP
Read the full changelog for details.
For upgrade instructions, please see UPGRADE in the release package.
Regards,
The PrimeKey EJBCA Team
Monday, January 4, 2010
Build your national ID PKI with EJBCA
We are getting several questions about using EJBCA to build large scale PKIs for national ID and similar project. EJBCA is very suitable for this purpose, so at PrimeKey we have written a short article about this.
Subscribe to:
Comments (Atom)
Posts
