Thursday, October 25, 2012

EJBCA 5 receives Common Criteria, EAL4+, certificate



We are pleased to announce that PrimeKey Solutions AB has successfully completed Common Criteria EAL4+ Certification of EJBCA version 5. The much-awaited Common Criteria certificate, issued by ANSSI (Agence nationale de la sécurité des systèmes d’information), is an important milestone in EJBCA's 10+ year history of achievements.
With this formal evidence that EJBCA conforms to the rigorous security standards for Certificate Issuance and Management Systems, this Common Criteria certification benefits PrimeKey’s customers and partners, as well as the community, and strengthens EJBCA’s position as the top pick of secure Certificate Authority software around the world.

EJBCA is certified based on the CIMC Protection Profile (v1.0) at security level 3. The assurance level is EAL4+ (EAL4 augmented with ALC_FLR.2).

Beyond a Shadow of a Doubt

Due to regulations and legislation, Common Criteria EAL4+ Certification is often mandatory to reach the highest level of security requirements in computer software. Proof of achieved CC certification is a necessity for EJBCA users who need to run mission-critical PKI, and who will have their own software, solution or service certified and audited for compliance with standards such as CWA and WebTrust. PrimeKey, of course, welcomes the certification as additional proof that our EJBCA development adheres to the strictest security practices, and it enables us to reach out to customers that require formal certification.

“Our clients' projects often have to undergo their own strict security certification and audit processes. This official proof of EJBCA's Common Criteria Certification will help them reach a positive outcome, which sometimes is crucial for us in order to sign a new contract”, says CEO Konstantin Papaxanthis.

From now on, no organisation has to refrain from using EJBCA because of any particular security requirements. PrimeKey's customers can go straight ahead with having their EJBCA-based projects security evaluated and formally certified as audit compliant with the most demanding standards.
For more info on “EJBCA v.5” please visit www.primekey.se/.

The EJBCA community can also be assured that the development of EJBCA Community Edition follows the same certified development process.

About Common Criteria

The Common Criteria for Information Technology Security Evaluation (abbreviated as Common Criteria or CC) is an international standard for computer security certification. Common Criteria provides assurance that the process of specification, implementation and evaluation of a computer security product has been conducted in a rigorous and standard manner.
For more info on “Common Criteria” please visit www.commoncriteriaportal.org/.

About EJBCA PKI

A serious enterprise-class PKI, EJBCA is used as a Certification Authority to build complete PKI infrastructures within organizations that issue certificates for different purposes, such as:
  • Strong authentication for users accessing your intranet/extranet/internet resources.
  • Secure communication with SSL servers and SSL clients.
  • Smart card logon.
  • Signing and encrypting email.
  • VPN connections by issuing certificates to your VPN routers.
  • Client VPN access with certificates in users' VPN clients.
  • Secure logon to web applications (Single sign-on).
  • Creating signed documents.
  • Mobile PKI, like enrolling iOS.
  • Secure mobile networks, i.e. 3GPP/LTE/4G using the CMP protocol.
  • Counterfeit prevention.
  • Issue national eIDs.
  • Issue and inspect electronic passports, including EU EAC ePassports.
  • ... and many many more ...
For more info on “EJBCA” please visit www.ejbca.org/.

Saturday, September 29, 2012

SignServer 3.2.3 Released

The PrimeKey SignServer team is happy to announce that SignServer 3.2.3 has been released!

This is a maintenance release - in total 34 features, options, bugs and stabilizations have been fixed or added.

Development continues beyond this version and all requests from the community are scheduled for SignServer 3.2.4 or later releases.

More information is available at the project web site and the complete changelog can be viewed in the issue tracker.

The most noteworthy changes can be seen below.

Major new features and improvements:
  • Support for running SignServer without database
  • Configurable to disable the key usage counter 
  • Signer certificate check in Health check for all Signers
  • Check that the timestamp signer certificate is included in the certificate chain
  • Health check response of TimeStampSigner now considers status of time source
  • Down-for-maintenance support in Health check
  • Support for supplying filename as request metadata 

Bug fixes:
  • Client CLI only supported 10 arguments on Windows
  • Null value was inserted when removing last wsadmin on Oracle
  • PDF Signature could not be larger than 15000 bytes
  • Sample configuration for renewal worker not functional
  • Various documentation updates 

Notice:
Some internal API changes have been made as part of DSS-528. If you have custom code, some changes might be required.

Regards,
The PrimeKey SignServer team

Tuesday, June 19, 2012

CESeCore gains Common Criteria certification


After 2 years of work and a 6-month administrative waiting period, CESeCore has finally received the final, signed, Common Criteria certification.

Providing a certified component library

By June 2012 the CESeCore project had fulfilled its primary purposes: to make the CESeCore Security Core 1) Common Criteria EAL 4+ certified and 2) publicly available for integration with enterprise applications.
Vendors aiming to attain their own Common Criteria certification will continue to draw significant benefits from using the fully approved CESeCore library, which greatly shortens and simplifies implementation of many important security functions.
The certified CESeCore has also taken PrimeKey's EJBCA Enterprise edition a steady leap forward towards its own final Common Criteria certification.

"When we created CESeCore, we added the most important security functions from certificate management, certificate validation and timestamping into a re-usable Java Enterprise component library. And we worked patiently to have it Common Criteria certified! Anyone who needs these security functions no longer has to re-invent the wheel."
— Tomas Gustavsson, PrimeKey CTO

Certification details

CESeCore is certified based on the CIMC Protection Profile (v1.0) at security level 3. The assurance level is EAL4+ (EAL4 augmented with ALC_FLR.2).
For those interested, all details are available in the CESeCore Security Target.

EJBCA to be completed

Building on CESeCore, EJBCA 5.0 has already completed the Common Criteria evaluation at the same level. We are only awaiting the administrative process to receive the final certificate for EJBCA as well.

Tuesday, June 5, 2012

EJBCA 5.0.5 released

4 Jun 2012 — Stockholm, Sweden

PrimeKey proudly presents the 5.0.5 maintenance release of EJBCA.
Quite some effort was put into stabilizing the 5.0.x release for production use, including bug fixes and improvements of usability for issues discovered during production deployments.

To find out how to access EJBCA 5 visit PrimeKey's PKI Shop.

EJBCA PKI *5.0.5* release notes
A maintenance release containing a couple of small features and many bug fixes. The following are a selection of the most noteworthy:

New features
  • Index recommendations have changed.
  • CVC CAs can now be created from the Command Line Interface.
  • EJBCA now supports Japanese localization.
  • Overall performance increases.
  • Removed redundant and excessive logging to audit logs.

Bug fixes
  • Fixed bug where recursive deny rules caused deny for system user.

Development continues beyond this version and all requests from the community are scheduled for EJBCA 5.0.6 or later releases.
More information is available at the project web site and the complete changelog can be viewed in the issue tracker.

Friday, June 1, 2012

Mobile ID client from Nerd integrated with EJBCA PKI from PrimeKey

Mobile ID is a new open source Android app for signatures and encryption developed by Nerd in Greece. It is still a beta version, but I thought it might be interesting to know. It has been integrated with EJBCA so you can get a certificate easily. Development and further integration will also continue beyond this point. Also see press release.

Friday, May 11, 2012

Enterprise EJBCA features vs Community


EJBCA version 6, with EJBCA Enterprise and EJBCA Community, has now been released. Instead of reading this blog post, which is getting old, you should head over to the newer pages.

This is a continuation of the blog post EJBCA will always be Open Source.

Here we will describe the feature difference between EJBCA 5 (Enterprise) and EJBCA 4 (Community). For a high level overview you should first read EJBCA will always be Open Source.
For a list of all the features in EJBCA, visit EJBCA.org.

The freshest, most up to date, description of EJBCA Enterprise features will be available at PrimeKey.

EJBCA Enterprise Edition vs Community

EJBCA 5 has features required for high trust environments:
  • Common Criteria EAL4+ and CWA 14167 certified.
  • Certified access control and authorization module, for assurance and high trust role separation.
  • Integrity protected security audit log, with digital signature or HMAC protection.
  • Improved security audit log messages, complete information that is auditable.
  • Full database integrity protection of all tables, to detect database manipulation.
  • Authentication of local CLI users enabling role separation also for local CLI.
  • Penetration tested with improved security.
Users requiring certified operations (Common Criteria, CWA, ETSI or WebTrust) will benefit greatly from EJBCA 5.
In addition, there are other minor changes that are unique to EJBCA 5. These changes are the result of the majority of development resources now focusing on future versions of EJBCA, and they will eventually trickle down to Community EJBCA.
  • Smaller release ZIP file.
  • Minor CLI improvements with new methods and parameters.
  • New database CLI for database export, import and verification.
  • Support for Permanent Identifiers (RFC 4043) and authorityInformationAccess in CRLs.
  • Support for SIP and Kerberos extended key usages.
  • Improved memory efficiency in certain use cases.
  • Optimized database usage.
  • Other minor improvements and bugfixes.

Normal users will be satisfied with the feature set, and the record breaking performance, of EJBCA 4.

Feature comparison table

The freshest, most up to date, description of EJBCA Enterprise features will be available at PrimeKey.
This is a snapshot at the time this blog post was written.

| Feature | Enterprise | Community |
|---|---|---|
| License | Open Source LGPL v2.1 or later | Open Source LGPL v2.1 or later |
| PKI features | Full, including all protocols | Full, including all protocols |
| Recommended for | EJBCA Enterprise is recommended for Corporations, Governments and other organizations looking for an enterprise scale, production-ready, certified, open source PKI solution without any upfront license fees. | EJBCA Community is recommended for developers and technical PKI users in non-mission critical environments. As this version is unsupported it is intended to be used by those prepared to spend time and resource solving issues independently. |
| Suitable for | EJBCA is suitable for small to huge scale PKI deployments ranging from 1000 to over 100 million issued certificates. | EJBCA is suitable for small to huge scale PKI deployments ranging from 1000 to over 100 million issued certificates. |
| Security Certifications | EJBCA Enterprise has been certified under Common Criteria EAL 4+ (CIMC Protection Profile) and CWA 14167-1 (at customer locations). | None |
| Commercial support | PrimeKey provides commercial support with Service Level Agreements (SLA) for issue tracking, problem resolution, patches and fixes. | None provided, community support through forums and mailing lists. |
| Integrity protected security audit | EJBCA Enterprise features a Common Criteria certified security audit mechanism using HMAC or digital signatures for integrity protection. | No |
| Database integrity protection | EJBCA Enterprise features a Common Criteria certified database protection protecting the database from malicious DBAs. | No |
| Penetration tested | EJBCA Enterprise has been penetration tested as part of Common Criteria evaluation, and by independent security testers. | No |
| Role separation | Full role separation including local command line interface. | Role separation for remote access users. |
| Security flaw remediation process | PrimeKey have a Common Criteria evaluated tracking process for security, and other, bug reports. | EJBCA Community follows an open development and issue tracking process, without guaranteed response times. |
| License Price / Subscription | No software license fee – Provided as part of an annual subscription for commercial level support. | No software license fee – free to download, free to use. |
| Additional features | Emergency hot fixes, security alerts, best practice advice, private issue tracking portal, additional guides and tools. | Most feature complete and most flexible PKI, with highest performance, compared to most open source and commercial PKIs. |
| Training | Customers and Partners get training on latest certified PKI from PrimeKey (additional cost depending on your contract). | Contact PrimeKey. |

Thursday, May 3, 2012

Cert-cvc 1.3.0 released

We have released version 1.3.0 of the ePassport EAC library cert-cvc. This version is a minor release that only adds support for BouncyCastle v 1.47.
Cert-cvc now works with BC 1.46 and BC 1.47.

Visit EJBCA.org for downloads.

Regards,
PrimeKey EJBCA Team