Monday, December 30, 2013

EJBCA Community 6.0 is here!

EJBCA, the open source PKI, has been around for quite some time now, since 2001 to be exact. The last major release of EJBCA Community was EJBCA 4, which saw many updates up to the final release 4.0.16 in June 2013. EJBCA 5 was Common Criteria certified, and therefore never released to the public. After a long wait, and much development, EJBCA Community version 6 is now here.

The latest release of EJBCA Enterprise 6.0.3, also marks the release of EJBCA Community 6.0.3. Enjoy! But if you have the means, please help support EJBCA by subscribing to an EJBCA Enterprise support subscription.

EJBCA 6 is the base for future releases of EJBCA Community. This is a good time to Contribute.

More information about EJBCA 6:

Upplagd av tomas kl. 8:44 AM 0 kommentarer

EJBCA Enterprise 6.0.3 released

PrimeKey is happy to announce that EJBCA Enterprise 6.0.3 has been released! This is a maintenance release – 21 issues have been resolved.
Running on the latest technology platforms, this PKI is faster, more resource efficient, more secure and more user friendly than ever. EJBCA Enterprise v.6 is so flexible it is suitable for any organization, cloud, social or mobile system.

EJBCA Enterprise 6.0.3 release notes

A maintenance release containing a few new features and improvements. The following are a selection of the most noteworthy changes.

  • New features

    • Support for OCSP extended revoked status compliant with RFC6960.

  • Improvements

    • EJBCA now ensures that OCSP RFC5019 responses with unknown response code are not cached.
    • OCSP now uses archive cutoff date for expired certificates, compliant with RFC6960.
    • Speedups when starting the Command Line Interface.
    • Bug fixes for Internal Key Bindings.

More information

Basic information on EJBCA Enterprise PKI is available here.
For entire technical details view the changelog in the issue tracker.
EJBCA is a registered trademark of PrimeKey Solutions AB in the EU, the United States, Japan and certain other countries.

Upplagd av tomas kl. 8:38 AM 0 kommentarer

Friday, December 20, 2013

Possibilities and restrictions with SPOC for EAC

SPOC stands for Single Point of Contact: the standard specified by the EU for exchanging certificates needed to perform EAC (Extended Access Control), between member states.

To analyze the possibilities and restrictions related to implementing SPOC for EAC, a bachelor thesis study has recently been performed at the University of Skövde and at PrimeKey Solutions AB.

Conducted in three steps, the study begins with an analysis of the SPOC standard. The results of that analysis were used as input to the next step in which several people involved in developing SPOC were interviewed. Finally a case study was made, with the attempt to see whether or not it was possible to use elliptic curve cryptography in an interoperable environment.

The study analyses potential shortcomings in the SPOC specification, which are believed to potentially cause lack of interoperability between different implementations of SPOC. Also studied are potential interoperability issues arising from the use of elliptic curve cryptography (ECC) for TLS communication between SPOCs.

An abstract of the thesis is available for download (English version), as well as the full thesis written in Swedish.

More information

For more information about the thesis, contact the author:
Joakim Kävrestad, joakim.kavrestad(at)his.se

For more information about PrimeKey SPOC and ePassport PKI contact:
Tomas Gustavsson, tomas(at)primekey.se

Upplagd av Unknown kl. 12:32 PM 2 kommentarer

Wednesday, December 18, 2013

EJBCA Enterprise 6.0 released

This is a copy of the product release from PrimeKey.

17 Dec 2013 — Stockholm, Sweden

PrimeKey proudly presents the next generation open source enterprise PKI, EJBCA Enterprise 6.0.
Running on the latest technology platforms, this PKI is faster, more resource efficient, more secure and more user friendly than ever.
EJBCA Enterprise v.6 is so flexible it is suitable for any organization, cloud, social or mobile system.

EJBCA Enterprise *6.0* release notes

Having already passed two maintenance releases, EJBCA Enterprise 6.0 is now ready for production! The following are a selection of the most noteworthy changes.

  • New features

    • New Crypto Token concept, giving complete GUI support for configuring signature and keys, either in software or on hardware security modules. Hardware security modules has never been easier.
    • CMP configuration can now be done in the GUI, and supports multiple different configurations through CMP Aliases. More flexible than ever you can easily set up CMP to talk to any type of device, all with a single instance of EJBCA.
    • The new Internal Key binding concept merges the Certificate Authority and Validation Authority functionality. Use the same instance, or multiple instances, using the same well known admin GUI as a Certificate Authority or Validation Authority or both.
    • Full support for the latest platforms. Java 7 and JBoss 7 are now the default recommended platforms, faster, more secure and more resource efficient.

  • Improvements

    • More than 300 issues have been resolved during the development of EJBCA Enterprise v.6.
More information on EJBCA Enterprise PKI is available here. For entire technical details view the changelog in the issue tracker.

EJBCA is a registered trademark of PrimeKey Solutions AB in the EU, the United States, Japan and certain other countries.

Upplagd av tomas kl. 9:37 AM 0 kommentarer

Wednesday, December 4, 2013

Bouncy Castle establishes not-for-profit association, accepts donations. FIPS or bust!

Finally there is an actual legal entity established for Bouncy Castle. Legion of the Bouncy Castle Inc., is a not-for-profit association based in Australia. Bouncy Castle is glad to announce that as of the 7th November this year (2013), Legion of the Bouncy Castle Inc. ABN 84 166 338 567 is now officially recognised by the Australian Government as a charity established for the benefit of education and the benefit of the public in general.

Support contracts are handled through Crypto Workshop Pty Ltd, however the recognition of the charity does mean two important things, you can stop worrying about something weird happening in corporate life affecting the availability of the APIs as everything is getting signed over to the charity, and also importantly, Bouncy Castle is actually authorised to start fund raising for things like FIPS.

So in honor of this, and the upcoming 50th Java release, we're launching our 2013 "FIPS or bust!" Fund Raiser.

Click this donations link!
https://www.bouncycastle.org/donate/index.cgi

It's using paypal so if anyone wants to chip in a large amount, direct transfer would be a better option, but you are still recommended to look at the page due to the graphics!

Bouncy Castle currently see over 10000 downloads a week, and gets lots of "When will you be FIPS certified?" emails. The Java API is now over 300,000 lines, the C# one well past 140,000. There are more standards being published every day, and most of the old ones are getting revised. Further on there is trying to constantly monitor for and identify vulnerabilities, as well as taking time out to review contributed code so that the project continues to be a community based effort as well as an Open Source one.

PrimeKey, and me Tomas, supports Bouncy Castle. You should to!




Upplagd av tomas kl. 6:15 PM 0 kommentarer

Wednesday, November 27, 2013

What's new in EJBCA 6 part 4: Enterprise and Community

Welcome to the fourth part of the series about what is new in the upcoming EJBCA 6.

For the first part in the series, read Part 1: Crypto Tokens in GUI.
For the second part in the series, read Part 2: CMP aliases and GUI configuration.
For the third part in the series, read Part 3: Internal Key Bindings.

In part 4 we will dig into the concepts of EJBCA Enterprise and Community. The separation was started with the Common Criteria certification of EJBCA 5, and is now completely harmonized with EJBCA 6. EJBCA Enterprise brings additional value to organizations that subscribe to support services, this blog post will tell you what, and why.

The freshest, most up to date, description of EJBCA Enterprise will be available at PrimeKey.

Open Source Enterprise Editions

Enterprise editions is a common way for open source projects and companies to offer additional value to organizations that subscribe to support services, and hence indirectly pay the bills for the developers of the software.
Not a completely unproblematic issue since part of the soul of Open Source is that you can freely download and use the software. So why choose the Enterprise edition? Here is the reasoning:
  • The requirements on professional enterprise software are very high nowadays and the users demand high quality, lots of features, software certifications etc. There is simply need for a lot of full time staff to develop and support an enterprise scale software today. Income is needed to pay salaries.
  • The Community is one of the founding pillars of Open Source software, the community has made us what we are. The community needs a comfortable way to use, interact and to contribute to the future of the project.
To keep up that pace of development, and support, there is of course a need for constant business. What we need, as a company, is to provide added value so that you find that you get great benefit from the money. This is where the Enterprise edition comes in.

There are many very appreciated organizations in the world, that subscribes to support. 
Thank you, you know who you are!

There are many appreciated community members, thank you as well! 

EJBCA Enterprise

PrimeKey, with EJBCA, started out with an Enterprise edition as of EJBCA 5, where PrimeKey, together with partners, made a huge investment to make the software Common Criteria certified.

We have written a little bit about this before in two previous (older) blog posts:
With EJBCA 6 we want to finalize and harmonize the concept and versions.

The idea behind EJBCA Enterprise is simply:
  • Provide organizations with the best, most hassle free, sleep good at night, PKI experience money can buy - with EJBCA Enterprise
  • Allow do it yourselfers (DIY), who are confident they can roll their own, to use the best PKI product they can find - with EJBCA Community
  • All this with Open Source!
 A little more in detail, the strategy is:
  • To focus the enterprise additions on the main target markets where we compete with proprietary software and can provide support services to organization that are prepared to pay for these services. Providing the best PKI services from the most experienced staff, with add-ons that makes their PKI the most efficient and cost-effective PKI on the market.
  • Enabling the Open Source Community with the best PKI product on the market with full features, allowing everyone to contribute directly to the latest version of the project in a simple way, with full access to the source code.

PrimeKey EJBCA Enterprise features and services

The freshest, most up to date, description of EJBCA Enterprise will be available at PrimeKey.
This is a snapshot at the time this blog post was written.

These are the main value adding features and services that will be available only with EJBCA Enterprise:
  • Professional support with different SLAs and private support portal access.
  • Additional development services.
  • Training courses.
  • Bug, security and hot fixes.
  • Additional integration guides and supported integration with 3rd part products (for example token management).
  • Common Criteria certification with specific features:
    • Database integrity protection.
    • Secure audit logging (log signing).
  • High Availability setups with redundant clusters and disaster recovery.
  • EAC ePassport PKI, with BAC, EAC, SPOC, PKD etc.
  • GOST and DSTU algorithms.
  • 3GPP/LTE CMP support.
  • Add-on tools:
    • Database CLI for migration between databases, verification of integrity protection etc.
    • Tools for speeding up deployments across environments.
    • Validation tool for conformance checking of certificates and OCSP responders.
  • Upgrade assistance, also from very old versions of EJBCA Community to the latest EJBCA Enterprise.
  • Last but not least, soon to be available in a plug and play PKI Appliance.

Find out more

If you are using EJBCA Community, and are interested in EJBCA Enterprise, or if you just want to know more. Don't hesitate to contact me at tomas@primekey.se. Migrations from Community to Enterprise is of course trouble free and we can help you every step of the way.

If you are interested in getting to know the different subscription options, contact sales@primekey.se, we are flexible.

 Check in with PrimeKey, or follow us on Twitter, for the latest news and events.

Another interesting blog post on Open Source and Enterprises is Feed the Fish, from the people behind TomEE.

The Team

The great team that, with pride, brings you EJBCA, Signserver, PKI Appliance, SPOC and everything around it is:

Joonas, Mike, Marcus, Markus, Johan, Aveen, Samuel, Lars, Konstantin, Admir, Anna, Björn, Anna, Tomas, Lars, Maikel, Marko, Raoul, Joakim, Branko, Dimitrios, Tham, Manuel, Roland, Martin.



Questions and answers

Here are some questions asked by people reading the above:

Q1. Do the improvements in EJBCA Enterprise ever find their way to Community.

Answer: As I tried to state above, EJBCA Enterprise does not contain improvements of Community features. It contains specific features used for specific Enterprise use cases. These features are planned to remain Enterprise features until the concept changes (if it changes).
Improvements to common functionality will be released in both Enterprise and Community. The times will only be constrained by release schedules. Enterprise is expected to have more releases than Community.

Q2. Is it possible to migrate from EJBCA Enterprise back to community? If so, what is the difficulty.

Answer: Yes that is possible. Naturally you will loose the Enterprise functionality such as audit log signing. The CA will continue to work, just without this feature.

Q3. When someone licenses EJBCA Enterprise, if they do not wish to maintain support contract do they have to downgrade when the support contract ends.

Answer: No. Naturally they will however no longer get upgrades from PrimeKey.

Q4. Do improvements in Community ever find their way back into Enterprise? If yes, how long does that take.

Answer: Yes, this will be included in following releases.

Q5. When will EJBCA Community version 6 be released?

Answer: We are currently working on the distinction between Enterprise and Community as described above. There is no fixed date, since this depends on developer resource availability. It will not be too long, don't despair.

Upplagd av tomas kl. 1:42 PM 1 kommentarer

Tuesday, November 19, 2013

OpenSSL commands every PKI expert should know

Let's face it, OpenSSL is the number one toolkit for any PKI expert when it comes to dissecting and manipulating files such as CSRs, certificates, PKCS#12 keystores, asymmetric keys etc. We use it all the time when developing EJBCA, Open Source PKI.

Using openssl is not always the easiest task in the world, but there are a number of commands that I find myself using over and over again. So much that I can almost type them in my sleep.

Parsing certificates

Reading X.509 certificates in PEM format:
openssl x509 -in cert.pem -text

Reading X.509 certificates in DER format:
openssl x509 -inform DER -in cert.der -text

Converting X.509 certificates from DER to PEM:
openssl x509 -inform DER -in cert.der -outform PEM -out cert.pem

You can also add parameters to only output specific fields, like certificate serial number, public key etc. I rarely use those though, I just dump the cert and look at the whole thing.



Parsing certificate signing requests (CSRs)

Reading a CSR in PEM format:


openssl req -in req.pem -text



Reading a CSR in DER format:




openssl req -inform DER -in req.pem -text









Converting a CSR from DER to PEM:


openssl req -inform DER -in req.der -outform PEM -out req.pem







Parsing pure ASN.1



Sometimes you really want to see the nitty gritty details of a certificate or CSR, to find out what encoding is used in the DN, how the extensions look, what order fields actually are in the file etc.








openssl asn1parse -in cert.pem









add the dump parameter to dump the (unknown) contents of sequences:






openssl asn1parse -in cert.pem -dump







Generating certificate signing requests (CSRs)





To generate a new key pair and a certificate request, for example for getting a certificate for an apache server:




openssl req -out csr.csr -new -newkey rsa:2048 -nodes -keyout private.key







Check the private key:



openssl rsa -in cesecore2013.key -check





When generating CSRs you can add a lot of options to put in the CSR, like Subject Alternative names, certificate purposes, OCSP URLs etc. When creating CSRs to be sent to a CA this is normally not needed. The CA will populate all the fields for you, and normally ignore any additional fields that you specify (a real CA have no reason to trust arbitrary input from you). If you are generating your own self-signed certificates however, this may be of interest. 



Kevin McArthur has written a nice blog post how to work with OpenSSL to create certificates and CSRs. It's a bit outdated, but Kevin may update it.











Parsing PKCS#12 keystores



Reading a PKCS#12 file, giving output with encrypted private key in PEM format:




openssl pkcs12 -in superadmin.p12









Reading a PKCS#12 file, output with unencrypted private key:




openssl pkcs12 -in superadmin.p12 -nodes









The following commands are useful for splitting a PKCS#12 file up into PEM components (for example for an apache server or for manual sign/verify operations):







Reading a PKCS#12 file, outputing only the certificate to a file:




openssl pkcs12 -in server.p12 -nodes -nokeys -clcerts -out server.pem





Reading a PKCS#12 file, outputing only the private key to a file:




openssl pkcs12 -in server.p12 -nodes -nocerts -out server.priv











Reading the cert, extracting the public key in RSA format:






openssl x509 -in server.pem -pubkey -noout > server.pub





Signing and verifying large files



Signing of large files are done by making a digest (hash) of the file and then signing the hash:




openssl dgst -sign superadmin.key -sha1 file.txt > file.txt.sign









Verification of a file is done by verifying the signed hash (extracting the original hash) and comparing that to a newly calculated hash of the file:




openssl dgst -verify superadmin.pubkey -signature file.txt.sign -sha1 file.txt





See also Code signing over in the EJBCA Admin Guide.





Cmpforopenssl

I have previously written about cmpforopenssl. This is a great tool for using the CMP protocol.

You can read more about cmpforopenssl and EJBCA in the EJBCA Admin Guide.



OCSP



A popular openssl command for me is the OCSP request command. I use this to test OCSP responders all the time:






openssl ocsp -issuer Test-CA.pem -CAfile Test-CA.pem -cert Test.pem -req_text -url http://localhost:8080/ejbca/publicweb/status/ocsp





The tricky thing here is if you have an external OCSP responder, i.e. not requesting directly from the CA, then you must have the right combination of -CAfile and chain commands in order for the verification to succeed without having openssl claim that issuer is not trusted.
The above command is perfect if you are requesting directly from the CA...







TLS client





You can test TLS/SSL servers using OpenSSL's s_client command. This is great for debugging TLS connections. It will show you the certificates used by the server and the accepted CA certificates sent by the server when asking for client certificate authentication. It can also be used to see the cipher suites negotiated.

openssl s_client -debug -msg -connect servername:443 > debug-log.txt < /dev/null





Converting between JKS and PKCS#12 (not using openssl)





Another old popular blog post I wrote was about converting between JKS and P12 using simple java commands, keytool.











Remove MS CSP information from a PKCS12/PFX





George L wrote an interesting comment on LinkedIn.

It's about MS adding CSP information when exporting a PKCS12 files, and this can cause errors when importing it into other versions of Windows. He provided a cool script that removes this information, using openssl.




----------------- removeCSP.bat --------------


@echo off


rem make sure you've got openssl and grep either in your path or in the same directory as the batch file


set /p pass=Please enter keystore password:


cd /d "%~dp0"


openssl pkcs12 -in "%~f1" -nodes -passin pass:"%pass%" | grep -v 
Microsoft | openssl pkcs12 -export -out "%~f1".new.pfx -passout 
pass:"%pass%"


echo Conversion complete.


pause


------------------ removeCSP.bat --------------
















Upplagd av
tomas


kl.
4:09 PM






3
kommentarer



























        

      









Subscribe to:
Comments (Atom)