An introduction to EJBCA and SignServer
PrimeKey Solutions AB
Tomas Gustavsson
http://www.primekey.se
tomas@primekey.se

EJBCA and SignServer
Euro PKI projects and use cases

EJBCA - Open Source Enterprise PKI
- EJBCA PKI
  - Central Certificate Authority
- EJBCA OCSP
  - Online certificate status validation
- SignServer
  - Modular server side signature and validation
  - PDF, XML, ODF, OOXML signing
  - MRTD Document Signer
  - Time Stamp Authority
Enterprise class PKI built on JEE technology.

EJBCA - Open Source Enterprise PKI
- Open Source
  - LGPL v2.1 or later
- Freely available
  - ejbca.org, signserver.org
  - Hosted on sourceforge, public svn
  - Download all versions with full source from sourceforge.net
- Open community
  - Forum, mail lists, irc
  - Patches, translations, documentation
- Professional open source PKI by PrimeKey
  - Full time development staff
  - Commercial support with different SLAs, standard, advanced, 24/7
  - Professional services

EJBCA - Open Source Enterprise PKI
- Secure communication with SSL servers and SSL clients.
- Strong authentication for users (web, email, custom apps, etc).
- Network authentication (802.1x).
- Smart card logon to Windows, Linux, etc.
- VPN connections and client VPN access with certificates in users' VPN clients.
- Single sign on by using a single certificate to secure logon to web applications.
- Document signing (personal or enterprise signatures).
- Signing and encrypting email.
- Issue certificates to electronic IDs.
- BAC and EAC epassports.
- ... and many many more...

Certificate Lifecycle Mgmt
Certificate Lifecycle Management, what does it mean?
- Managing certificates through all the stages of their lifetime.
Renew Issue Certificate Revoke/expire Suspend/re-activate
Certificate states:
- Not yet valid
- Valid/active
- Expired
- Revoked
- Suspended

Certificate Lifecycle Mgmt
- Manual lifecycle management
  - Small scale
  - High maintenance
  - Labor intensive
- Automatic lifecycle management
  - Several protocols suited for automation of issuance, renewal and revocation:
    - CMP
    - SCEP
    - Web service
    - XKMS

Validation
- Validation of certificates: check if a certificate is revoked.
- Currently two standard ways of validation:
  - OCSP (Online Certificate Status Protocol)
  - CRL (Certificate Revocation Lists)

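The five certificate states from the lifecycle slide, combined with the revocation check from the validation slide, as an added example (not code from EJBCA or from the presentation). It assumes a merged history of base and delta CRL entries for the issuing CA; Cert, CrlEntry, lifecycle_state and demo are hypothetical names, and the two reason codes are the RFC 5280 CRLReason values certificateHold and removeFromCRL.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum

class State(Enum):
    NOT_YET_VALID = "not yet valid"
    ACTIVE = "valid/active"
    EXPIRED = "expired"
    REVOKED = "revoked"
    SUSPENDED = "suspended"

CERTIFICATE_HOLD, REMOVE_FROM_CRL = 6, 8   # RFC 5280 CRLReason: suspend, re-activate

@dataclass
class Cert:            # hypothetical stand-in for a parsed X.509 certificate
    serial: int
    not_before: datetime
    not_after: datetime
@dataclass
class CrlEntry:        # hypothetical stand-in for one revoked-certificate entry
    serial: int
    revocation_date: datetime
    reason: "int | None" = None   # None: reasonCode extension absent

def lifecycle_state(cert, crl_entries, now):
    """Classify cert into one of the five lifecycle states at time `now`."""
    status = State.ACTIVE
    # Replay entries oldest first so a later removeFromCRL lifts an earlier hold.
    for e in sorted(crl_entries, key=lambda e: e.revocation_date):
        if e.serial != cert.serial or e.revocation_date > now:
            continue
        if e.reason == CERTIFICATE_HOLD and status is not State.REVOKED:
            status = State.SUSPENDED
        elif e.reason == REMOVE_FROM_CRL and status is State.SUSPENDED:
            status = State.ACTIVE            # only a hold can be lifted
        elif e.reason not in (CERTIFICATE_HOLD, REMOVE_FROM_CRL):
            status = State.REVOKED           # any other reason is permanent
    # Choice made in this example: revocation is reported ahead of the validity window.
    if status is not State.ACTIVE:
        return status
    if now < cert.not_before:
        return State.NOT_YET_VALID
    return State.EXPIRED if now > cert.not_after else State.ACTIVE

def demo():   # constructed sample: hold on day 12, released on day 14
    day = lambda d: datetime(2007, 1, d, tzinfo=timezone.utc)
    cert = Cert(0x10, day(10), day(20))
    history = [CrlEntry(0x10, day(12), CERTIFICATE_HOLD), CrlEntry(0x10, day(14), REMOVE_FROM_CRL)]
    return [lifecycle_state(cert, history, day(d)).value for d in (5, 13, 15, 25)]
```
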
Enterprise signatures
- Digital signing of documents with an Enterprise signature.
- Enterprise signature is in contrast to personal signatures where every user must have a personal signature certificate and associated software.
- Suitable for receipts, official documents, passports, message passing systems, etc.

EJBCA - Open Source Enterprise PKI
- Multiple CAs and PKIs in a single installation, Root CAs, SubCAs, cross certification,...
- RSA, DSA, ECDSA, many hash algorithms
- X.509 v3 and CVC EAC 1.11
- Web based admin GUI in many languages
- Soft tokens or PKCS#11 based HSMs, SafeNet, Utimaco, ncipher, AEP
- Flexible architecture, all in one, external RAs, external OCSP
- Many protocols, web, SCEP, CMP, WebService, XKMS
- CRLs and OCSP
- Standard and custom certificate extensions
- Publishers for LDAP (and AD), files, or custom publishers
- Email notifications
- Profiles for end entities and certificates
- Cluster support, high availability
- Health check for load balancers and monitoring
- Support for many application servers and databases
- Standards compliant (RFC5280), open source, open APIs, etc etc

Platform independent
- Operating systems
  - Linux, Solaris, Windows, OS X, BSD, (Java 5 or higher)
- Application servers
  - JBoss, Glassfish, Weblogic, (OC4J, Websphere)
  - EJB 2.1
- Databases
  - MySQL, Oracle, DB2, PostgreSQL, MS SQL, Ingres,...
- Hardware Security Modules
  - SafeNet, Utimaco, ncipher, AEP, (PKCS#11)

Integrated PKI

EJBCA Enrollment/RA interfaces
[Diagram labels: Routers/vpn, Web clients, HTTP/SSL certificates, SCEP/VPN certificates, Other clients, CMP, Logon certificates, XKMS, SignServer, MRTD, Inspection system, DS Certificate, IS Certificate (CVC), EJBCA, ExtRA API, WebService, External RA, Smart card personalization]
2007-01-31, Copyright 2007 PrimeKey Solutions AB

EJBCA architecture
[Diagram labels: SCEP, CMP, XKMS, OCSP, Public web, Admin web, Protocols, Public, CA-admin, RA-admin, PKI Services, PKI core, Publishers, Bouncycastle, Certificate store]

Simple architecture
- Everything in a single server EJBCA installation
- Simple
- Cost effective
- Medium availability (~99%)
- Medium performance (~1 million certificates)

Cold standby high availability
- Database replication in order to make sure information is not lost.
- Relatively simple
- Cost effective
- Medium availability (~99.99%)
- Medium performance (~1 million certificates)

Fully clustered, separate Root CA
- Separate root CA to isolate trust point for security reasons.
- Complex
- Expensive
- High availability (99.999%)
- High performance (>10 million certificates)

Euro PKI projects
PKI is everywhere...
- Electronic/biometric passports
  - BAC
  - EAC
- Health cards
- Tachographs
- National ID cards
- Government login
- Banks
- Insurance companies
- Electronic invoicing
- ...

Use cases
- Swedish Police
  - EJBCA and SignServer for BAC and EAC epassport.
  - EJBCA and smart cards for authentication of 25.000 internal users.
  - EJBCA for qualified electronic signatures.
  - VPN, Server certificates, SignServer for signing of temporary passports (mrtd).

Organizational cluster - Swedish police use case
- Cold standby clusters
- Medium volume, 24/7 operations, many CAs
- Different security zones
- Database replication
- CA availability, sufficient with cold standby
- Additional OCSP validation servers

Enterprise PDF signing
- File drop for documents
- 24/7 operations, several signers
- Signer certificates from internal and/or external CA
- Authentication of users
- Archival of signed documents

Use cases
- BGC (Swedish banks clearing house)
  - Certificate issuance of national, and bank IDs.
  - OCSP validation with high performance demands.
- Liechtensteinische Landesbank AG
  - EJBCA for issuing certificates to users and systems.
- Cartes Bancaires, France
  - EJBCA for issuing certificates to users and systems.

Bank electronic IDs
- Active active cluster
- High volume, 24/7 operations, many CAs
- Distributed registration authorities
- Cluster database
- CA availability, high
- OCSP availability, very high

Use cases
- MULTICERT, Portugal
  - EJBCA EAC PKI epassport
  - Certificate issuance on national IDs
- Commfides - TrustCenter, Norway
  - EJBCA for issuing qualified certificates to citizens.
- Slovenian health card
  - Certificate issuance on national health cards

National ID / epassport / health cards
- One PKI server
- Huge volume eid, 30.000 certs/day, multiple CAs
- Very large CRLs
- High availability database avoids data loss
- CA availability, sufficient with cold standby

Thank you!
PrimeKey Solutions AB
Tomas Gustavsson
http://www.primekey.se
www.ejbca.org
www.signserver.org