Tuesday, February 8, 2011

Smart cards working with OpenSC/Linux/Firefox

I just tested the Aventra MyEID smart card with the latest opensc (trunk). Works like a charm.

You need the OpenSSL development libraries to build the pkcs15-init tool in opensc; on Ubuntu this means installing the libssl-dev package.
sudo apt-get install libssl-dev autoconf libtool
sudo apt-get install pkg-config libpcsclite-dev
svn co http://www.opensc-project.org/svn/opensc/trunk opensc
cd opensc
./bootstrap
./configure --prefix=/usr
make
sudo make install
pkcs15-init -E
pkcs15-init -C --pin foo123 --puk foo123
(or just 'pkcs15-init -C', but then you have to enter the PIN code about 20 times)
pkcs15-init -P -a 01 -l test01
pkcs15-init -F


After this is done, you need to add /usr/lib/opensc-pkcs11.so as a Security Device in Firefox. To enroll, simply add a new user in EJBCA, go to Public Web and do a browser enrollment. I used Medium Security in order to get 1024-bit RSA keys, which I know work with my card reader, which does not have Extended APDU support using CCID.
Browser enrollment will generate a new key on the smart card, get a certificate from EJBCA and store the certificate on the smart card.
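The Firefox step above, registering /usr/lib/opensc-pkcs11.so as a Security Device, can also be scripted with NSS's modutil instead of the Preferences dialog. The following is an added example, not code from the original post or from the OpenSC or EJBCA projects. It assumes modutil is installed (the libnss3-tools package on Ubuntu), that Firefox is closed while its NSS database is edited, and that the profile uses the cert9.db format addressed with the "sql:" prefix (drop the prefix for old cert8.db profiles). The alternative module locations besides /usr/lib/opensc-pkcs11.so are assumed, not taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post): register the OpenSC PKCS#11
# module in a Firefox profile from the shell with NSS's modutil, the
# scriptable equivalent of adding a "Security Device" in the Firefox GUI.
# Assumptions: modutil is installed (Ubuntu package libnss3-tools), Firefox
# is closed while its NSS database is edited, and the profile uses the
# cert9.db format (the "sql:" prefix); drop the prefix for cert8.db profiles.

MODULE_NAME="OpenSC"

# Print the first path in the argument list that exists as a regular file.
# Used to locate opensc-pkcs11.so, whose directory varies between distros.
find_pkcs11_module() {
    for candidate in "$@"; do
        if [ -f "$candidate" ]; then
            printf '%s\n' "$candidate"
            return 0
        fi
    done
    return 1
}

# Succeed if a module with the given name is already listed in the NSS
# database of the profile directory (keeps the registration idempotent).
module_registered() {
    profile_dir=$1
    name=$2
    modutil -dbdir "sql:$profile_dir" -list 2>/dev/null | grep -q "$name"
}

# Add the module to the profile's NSS database unless it is already there.
register_opensc_module() {
    profile_dir=$1
    module_path=$2
    if module_registered "$profile_dir" "$MODULE_NAME"; then
        echo "$MODULE_NAME already registered in $profile_dir"
        return 0
    fi
    # -force skips modutil's interactive confirmation prompt.
    modutil -dbdir "sql:$profile_dir" -add "$MODULE_NAME" \
        -libfile "$module_path" -force
}

# Usage: register-opensc.sh ~/.mozilla/firefox/<profile>.default
main() {
    profile_dir=$1
    if [ ! -d "$profile_dir" ]; then
        echo "no such profile directory: $profile_dir" >&2
        return 1
    fi
    # /usr/lib/opensc-pkcs11.so is the path from the post (--prefix=/usr);
    # the other two are common packaged locations (assumed, not from the post).
    module_path=$(find_pkcs11_module \
        /usr/lib/opensc-pkcs11.so \
        /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so \
        /usr/local/lib/opensc-pkcs11.so) || {
        echo "opensc-pkcs11.so not found; run 'make install' first" >&2
        return 1
    }
    register_opensc_module "$profile_dir" "$module_path"
    # Show the registered modules so the result can be checked by eye.
    modutil -dbdir "sql:$profile_dir" -list
}

if [ $# -ge 1 ]; then
    main "$@"
fi
```

Run it with the Firefox profile directory as its only argument. The final modutil -list shows the new module and the slot for the inserted card; if the slot appears but no token, check that pcscd is running and that pkcs15-tool -D on the command line shows the PIN, key and certificate objects created by the pkcs15-init steps above.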

With this test we now know of three cards that work well for browser enrollment with Firefox.


Also see the old blog post about using the openssl engine to make certificate requests and import certificates to the smart card.

Friday, February 4, 2011

New WebServiceRA Application

PrimeKey is pleased to announce the availability of WebServiceRA, an RA (Registration Authority) Administration application.
WebServiceRA is a functioning Java application that communicates with EJBCA certificate authorities using EJBCA web services.

In addition to providing many Java code examples of using the EjbcaWS web service interface, this program provides a simple UI for creating and querying end entities, as well as generating certificates (as either P12 or JKS files).

The source code and instructions for building and running this application may be downloaded from Sourceforge.

Thursday, December 23, 2010

EJBCA 4.0 alpha1 released

Hi everybody!

Eagerly waiting for the next major version of the best PKI software in the world? Now is your chance to try it out.

EJBCA 4 uses Java Enterprise Edition 5 (JEE5) instead of J2EE. This is a major improvement of the core, modularization, portability and packaging, but you will not notice many functional differences.

What else?

  • The database schema is fully defined through the Java Persistence API and table create scripts are provided for all the supported databases.

  • Many bugs have been corrected. For example, EJBCA Services will run more stably in a clustered environment.

  • The Ingres database can now be used with EJBCA without patching the code.

  • A JEE5 compliant application server, Java 1.6 and Ant 1.7.1 or higher are required from this version on.


Since this is an alpha release, you can expect a few rough edges. Bear in mind that there will not necessarily be an upgrade path from this release to EJBCA 4.0.0.

Download!
Submit bug reports!

Happy holidays and testing,
The PrimeKey EJBCA Team

EJBCA 3.11.1 released

Today PrimeKey has released EJBCA 3.11.1.

This is a maintenance release – 16 issues have been resolved. Only fixes
and layout improvements, no new features.
This release fixes an upgrade issue from 3.6.x to 3.11.x and also a
MySQL/MyISAM related issue in the 3.11.0 release.
A few uncaught regressions from 3.10.x and 3.11.0 were fixed, and as
usual David Carella of Linagora added some Admin GUI layout improvements.

Noteworthy changes:

  • It is now possible to easily upgrade from EJBCA 3.6.x to 3.11.x.

  • Fixed a MySQL mapping that did not work when using the MyISAM storage engine and UTF-8 encoding.

  • ETSI QC value limit can now have the value zero.

  • Admin GUI improvements from David Carella of Linagora.

  • Added a favicon to the EJBCA web interfaces.

  • Fixed an issue causing cached end entity profiles (not default) to be changed for some actions in the admin GUI.

  • Fixed an issue where session information spilled over to other edits when using the "Back to certificate profiles" link.

  • Fixed an issue where using the required flag on Cardnumber in an end entity profile gave an error about a missing unstructured address. This also resolved an issue where the DN field Unstructured Address did not work.



You can read the full changelog in the EJBCA Jira.

In addition to making EJBCA available as full open source software, PrimeKey also supplies support services and training for EJBCA.

Wednesday, December 1, 2010

EJBCA at FOSDEM 2011

Next year at FOSDEM in Brussels, 5-6 February 2011, we will do something different. In previous years we have had a stand, but this year we will participate in the OpenSC devroom.


Anyone interested in PKI and smart cards (and any of the other hundreds of open source technologies present at FOSDEM) should go there.

See you in Brussels!

Cheers,
Tomas

Tuesday, November 30, 2010

EJBCA 3.11.0 released

Yesterday we released EJBCA 3.11.0.

This is a major release with several new features – 47 issues have been
resolved.
One major goal with this release is to prepare for a seamless migration
to EJBCA 4.0, making the migration path to EJBCA 4.0 a simple plug-in
upgrade.

Following our updated QA process (by Tham) we believe that EJBCA 3.11.0
is a high quality release, the fastest and best release of EJBCA to date.
We'll see if this release can match the previous release EJBCA 3.10.5,
with virtually no serious issues reported after thousands of downloads.

Noteworthy changes:
- Possibility to configure CA not to use certificate and user store,
meaning that CA can issue certificates without having to access database
after service startup.
- External OCSP responder can now function as a validation authority
serving OCSP, CRLs and CA certificates.
- Certificate store access via HTTP according to RFC4387 standard.
- Possibility in WebService Interface to specify extended information
when editing users.
- Possibility to specify custom certificate serial number for end
entities using CMP protocol. CMP RA secret can now also be specified per CA.
- Upgrade database schema to be consistent across databases.
- Add a few new columns to database tables, a preparation to be used in
EJBCA 4.0.
- Improvements in the Glassfish support, now also usable with Oracle
database.
- Several other new features and extended key usages, GUI improvements
and performance enhancements – many of which are contributed by Linagora.

Regards,
PrimeKey EJBCA Team

Friday, November 26, 2010

EJBCA 3.10.6 and cert-cvc 1.2.12 released

EJBCA is our Open Source Enterprise PKI certificate authority.
Cert-cvc is our open source Java library for working with EAC CV certificates.

This release is a very small maintenance release intended mostly to mark
the end of the 3.10 branch, anticipating 3.11.0 to be released within a
few days.
If you are running 3.10.5 with no issues, there is no real reason to
upgrade to 3.10.6. A few people have been waiting for the only new
feature in this release, but for others there is nothing really exciting.

EJBCA 3.11.0 however will be a stepping stone towards EJBCA 4.0, which
is nearing. EJBCA 3.11.0 will contain many new features and enhancements.

Changes:
New Feature
* [ECA-1264] - Add extended information to edit user WS-API.

Improvement
* [ECA-1877] - SPOC interop requires "unusual" countries which the CVC
library does not permit

Bug
* [ECA-1841] - Error adding end entity with several required and non
required OUs
* [ECA-1845] - Wrong reference in on line doc link for renew ca
* [ECA-1914] - Import of certificate profiles referring to CVC CAs
failed in CLI

You can view the changelog in Jira:


As usual you can download the new release from EJBCA.org:


Regards,
The PrimeKey EJBCA Team

PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact info@primekey.se for more information.