
EJBCA: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
Add cleanup tag
Some of the content in this edit is from an edit request on the talk page, see there for attribution, see there for attribution | Removed some cruft, attribution
Line 20: Line 20:
}}
}}


'''EJBCA''' is a [[free software]] [[public key infrastructure]] (PKI) [[certificate authority]] software package maintained and sponsored by the [[Sweden|Swedish]] [[Business|for-profit]] company PrimeKey Solutions AB, which holds the [[copyright]] to most of the codebase. The project's [[source code]] is available under the terms of the [[Lesser GNU General Public License]] (LGPL). The EJBCA software package is used to install a privately operated [[certificate authority]]. This is in contrast to commercial certificate authorities that are operated by a [[Trusted_third_party|trusted third party]]. Since its inception EJBCA has been used as certificate authority software for different use cases, including eGovernment<ref>{{cite web|url=https://www.researchgate.net/publication/267694127_A_PKI_ARCHITECTURE_USING_OPEN_SOURCE_SOFTWARE_FOR_E-_GOVERNMENT_SERVICES_IN_ROMANIA= |title=A PKI ARCHITECTURE USING OPEN SOURCE SOFTWARE FOR E-GOVERNMENT SERVICES IN ROMANIA |publisher=Indian Journal of Computer Science and Engineering. 2 |date=2011 |access-date=May 5, 2021}}</ref>, endpoint management<ref>{{cite web|url=https://docs.vmware.com/en/VMware-Workspace-ONE-UEM/services/Certificate_Authority_Integrations/GUID-C2CC3CB7-7C41-4036-961B-4DF8FC18B743.html |title=VMware Workspace ONE UEM Product Documentation |publisher=VMWare |date=March 3, 2020 |access-date=May 5, 2021}}</ref>, research<ref>{{cite web|url=https://scholar.uwindsor.ca/cgi/viewcontent.cgi?article=7998&context=etd |title=A web service based architecture for authorization of unknown entities in a Grid environment. 
|publisher=University of Windsor |date=January 1, 2007 |access-date=May 5, 2021}}</ref><ref>{{cite web|url=https://link.springer.com/content/pdf/10.1007%2F978-0-387-75466-6_38.pdf |title=Research and application of EJBCA based on J2EE |publisher=Springer |date=2007 |access-date=May 5, 2021}}</ref><ref>{{cite web|url=https://www.researchgate.net/profile/Andrew-Liaropoulos/publication/264337838_Proceedings_of_the_13th_European_Conference_on_Cyber_Warfare_and_Security/links/53d904af0cf2e38c6331db58/Proceedings-of-the-13th-European-Conference-on-Cyber-Warfare-and-Security.pdf#page=63 |title=Secret Sharing Framework Based on Digital Certificates |publisher=Proceedings of the 13th European Conference on Cyber Warfare and Security. 10.13140/RG.2.1.4331.5281. |date=January 1, 2014 |access-date=May 5, 2021}}</ref>, energy<ref>{{cite web|url=https://profiles.siemens.com/pub/asset/get?formSubmitGuid=b196a078-cca4-4273-bfa1-0652120e223c |title=Cybersecurity: An Enabler for Critical Infrastructure |publisher=Siemens |date=2021 |access-date=May 5, 2021}}</ref>, eIDAS<ref>{{cite web|url=http://www.securitydocumentworld.com/article-details/i/13809/ |title=Zetes launches eSig division ZetesConfidens |publisher=Security Document World |date=October 2, 2018 |access-date=May 5, 2021}}</ref>, telecom<ref>{{cite web|url=https://www.gsma.com/security/wp-content/uploads/2020/12/FS.34-v1.0-1.pdf |title=Key Management for 4G and 5G inter-PLMN Security |publisher=GSMA |date=March 6, 2020 |access-date=June 8, 2021}}</ref>, networking<ref>{{cite web|url=https://www.cisco.com/c/en/us/support/docs/field-notices/720/fn72013.html |title=Field Notice: FN - 72013 - Cisco APIC-EM Root Certificate Expiration Causes All IWAN DMVPN Connections to Fail - Software Upgrade Recommended |publisher=Cisco |date=December 18, 2020 |access-date=May 5, 2021}}</ref> and for usage in SMEs<ref>{{cite 
web|url=https://www.sans.org/reading-room/whitepapers/certificates/building-managing-pki-solution-small-medium-size-business-34445 |title=Building and Managing a PKISolution for Small and MediumSize Business |publisher=SANS Institute |date=December 16, 2013 |access-date=May 5, 2021}}</ref>.
'''EJBCA''' is a [[free software]] [[public key infrastructure]] (PKI) [[certificate authority]] software package maintained and sponsored by the [[Sweden|Swedish]] [[Business|for-profit]] company PrimeKey Solutions AB, which holds the [[copyright]] to most of the codebase. The project's [[source code]] is available under the terms of the [[Lesser GNU General Public License]] (LGPL).

==Design==
The system is implemented in [[Java Platform, Enterprise Edition|Java EE]] and designed to be [[platform independent]] and fully [[computer cluster|clusterable]], to permit a greater degree of scalability than is typical of similar software packages. Multiple instances of EJBCA are run simultaneously, sharing a database containing the current certificate authorities (CAs). This permits each instance of the software to access any CA. The software also supports the use of a [[hardware security module]] (HSM), which provides additional security. Larger-scale installations would use multiple instances of EJBCA running on a [[Computer cluster|cluster]], a fully distributed database on a separate cluster and a third cluster with HSMs keeping the different CA keys.

EJBCA supports many common PKI architectures such as all in a single server, distributed RAs and external [[validation authority]]. An example architecture is illustrated below.

<div style="text-align: center;">
[[File:Validation-authority-arch.png|Example PKI architecture with external validation authority]]
</div>

EJBCA can be used by small and large organizations alike and EJBCA Community can be deployed as pure software installation ([[Do it yourself]]) or as an easy to test [[Docker (software)|Docker]] container.

===Components===
A certificate authority system typically consists of the logical components:
* Certification Authority (CA): issues certificates, signing them using the CA's private signing key.
* Registration Authority (RA): registers entities in the system and approves issuance from the CA. Validation and policy controls are usually divided between the CA and the RA and can vary depending on use case and installation, from a model where the RA does everything and the CA simply issues on order from the RA, to a model where the CA performs all validation and controls and the RA acts as a simply proxy front-end.
* Validation Authority (VA): servers relying parties with data needed to validate certificates as they are used by the relying parties. The VA typically offers an [[OCSP]] services and download of [[Revocation list|CRLs]].

These logical components can be deployed either as discrete components, physically separated, or bundled into a single physical deployment.

==Notable features==

*Multiple CA instances: EJBCA supports running unlimited number of CAs and levels of CAs in a single installation. Build a complete infrastructure, or several, within one instance of EJBCA.
*Online Certificate Status Protocol: certificate validation options include X.509 [[Revocation list|CRLs]] and [[Online Certificate Status Protocol|OCSP]] ({{IETF RFC|6970}}).
*Registration authority: The EJBCA software includes a separate [[registration authority]] (RA) front end that can run on the same instance as the CA or distributed as external RAs. Communication between the CA and the RA is only using outgoing network connections to insulate the CA from less trusted networks, where the RA is typically placed.
*Multiple algorithms: Common algorithms for usage in PKI includes: [[RSA (cryptosystem)|RSA]], [[Elliptic Curve Digital Signature Algorithm|ECDSA]], [[EdDSA]], and [[Digital Signature Algorithm|DSA]], [[SHA-1]], [[SHA-2]], and [[SHA-3]]. Compliant with [[NSA Suite B Cryptography]].
*Different certificate formats: EJBCA support both [[X.509]]v3 certificates and Card Verifiable certificates (CVC BSI TR-03110). Certificates are compliant with all standards such as {{IETF RFC|5280}}, [[CA/Browser Forum]], [[eIDAS]], [[International Civil Aviation Organization|ICAO]] 9303, EAC 2.10 and ISO 18013 Amendment 2 eDL.
*PKCS#11 HSMs: Standard [[PKCS 11]] compliant hardware security modules are used to protect the CAs’ and OCSP responders’ private keys.
*Many integration protocols and APIs: EJBCA was designed with integration in mind. Most standard protocols are supported, [[Certificate Management Protocol|CMP]], [[Simple Certificate Enrollment Protocol|SCEP]], [[Enrollment over Secure Transport|EST]], and [[Automated Certificate Management Environment|ACME]] as well as web services. Using integration APIs it is possible to integrate EJBCA as a certificate factory, not exposing its native user interfaces.
*High capacity: Using a standard [[Relational_database#RDBMS|RDBMS]] the system have a capacity to store large amounts of issued certificates.


== See also ==
== See also ==
* [[Public_key_infrastructure#Open_source_implementations|Public Key Infrastructure Open Source Implementations]]
* [[Public_key_infrastructure#Open_source_implementations|Public Key Infrastructure]]


== Further reading ==
== Further reading ==
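Review bot: the shortened lead at Line 20 drops the sentence contrasting a privately operated CA with commercial CAs run by a trusted third party, and with it the sourced list of use cases that carries all ten of the lead's inline references; if those sentences are the cruft being removed, the references should be kept or moved to wherever the claims are restated rather than deleted with them. The See also change also replaces the label "Public Key Infrastructure Open Source Implementations" with the less specific "Public Key Infrastructure" while the link target still points at the Open_source_implementations section, so the label no longer describes what the link leads to.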
Line 62: Line 32:
* [https://www.sans.org/reading-room/whitepapers/certificates/building-managing-pki-solution-small-medium-size-business-34445 ''Building and Managing a PKI Solution for Small and Medium Size Business'']; Wylie Shanks; SANS Institute InfoSec Reading Room; December 2013
* [https://www.sans.org/reading-room/whitepapers/certificates/building-managing-pki-solution-small-medium-size-business-34445 ''Building and Managing a PKI Solution for Small and Medium Size Business'']; Wylie Shanks; SANS Institute InfoSec Reading Room; December 2013
* [https://www.primekey.com/wp-content/uploads/2017/08/post-quantum-algorithms-for-pki.pdf ''Post-quantum algorithms for digital signing in Public Key Infrastructures'']; Mikael Sjöberb; Degree Project in Computer Science and Engineering at KTH, Stockholm, Sweden 2017
* [https://www.primekey.com/wp-content/uploads/2017/08/post-quantum-algorithms-for-pki.pdf ''Post-quantum algorithms for digital signing in Public Key Infrastructures'']; Mikael Sjöberb; Degree Project in Computer Science and Engineering at KTH, Stockholm, Sweden 2017
* [https://arstechnica.com/information-technology/2019/03/godaddy-apple-and-google-goof-results-in-1-million-misissued-certificates/ A world of hurt after GoDaddy, Apple, and Google misissue >1 million certificates]
* [https://www.theregister.com/2018/08/07/cisco_vpn_certificate_expiry/ Cisco let an SSL cert expire in its VPN kit – and broke network provisioning brokers]


== External links ==
== External links ==
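Review bot: the Ars Technica and The Register entries are formatted differently from the other Further reading items, which give title; author; publisher; date for each entry, and neither title mentions EJBCA; whichever revision keeps them should bring them into the same form and make the connection to EJBCA explicit, or leave them out.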

Revision as of 18:20, 22 June 2021

EJBCA
Developer(s): PrimeKey Solutions AB
Initial release: December 5, 2001
Stable release: 7.4.3.2 / March 29, 2021
Repository:
Written in: Java on Java EE
Operating system: Cross-platform
Available in: Bosnian, Chinese, Czech, English, French, German, Japanese, Portuguese, Swedish, Ukrainian, Vietnamese
Type: PKI software
License: LGPL-2.1-or-later
Website: www.ejbca.org

EJBCA is a free software public key infrastructure (PKI) certificate authority software package maintained and sponsored by the Swedish for-profit company PrimeKey Solutions AB, which holds the copyright to most of the codebase. The project's source code is available under the terms of the Lesser GNU General Public License (LGPL). The EJBCA software package is used to install a privately operated certificate authority. This is in contrast to commercial certificate authorities that are operated by a trusted third party. Since its inception EJBCA has been used as certificate authority software for different use cases, including eGovernment[1], endpoint management[2], research[3][4][5], energy[6], eIDAS[7], telecom[8], networking[9] and for usage in SMEs[10].

See also

Further reading

  • Research and application of EJBCA based on J2EE; Liyi Zhang, Qihua Liu and Min Xu; IFIP International Federation for Information Processing Volume 251/2008; ISBN 978-0-387-75465-9
  • Chapter "Securing Connections and Remote Administration" in Hardening Linux; James Turnbull; ISBN 978-1-59059-444-5
  • Exception-Handling Bugs in Java and a Language Extension to Avoid Them; Westley Weimer; Advanced Topics in Exception Handling Techniques Volume 4119/2006; ISBN 978-3-540-37443-5
  • Secret Sharing Framework Based on Digital Certificates; Paul Crocker and Adolfo Peixinho; Proceedings of the 13th European Conference on Cyber Warfare and Security ECCWS-2014; ISBN 1910309249
  • Building and Managing a PKI Solution for Small and Medium Size Business; Wylie Shanks; SANS Institute InfoSec Reading Room; December 2013
  • Post-quantum algorithms for digital signing in Public Key Infrastructures; Mikael Sjöberb; Degree Project in Computer Science and Engineering at KTH, Stockholm, Sweden 2017
  1. ^ "A PKI ARCHITECTURE USING OPEN SOURCE SOFTWARE FOR E-GOVERNMENT SERVICES IN ROMANIA". Indian Journal of Computer Science and Engineering. 2. 2011. Retrieved May 5, 2021.
  2. ^ "VMware Workspace ONE UEM Product Documentation". VMWare. March 3, 2020. Retrieved May 5, 2021.
  3. ^ "A web service based architecture for authorization of unknown entities in a Grid environment". University of Windsor. January 1, 2007. Retrieved May 5, 2021.
  4. ^ "Research and application of EJBCA based on J2EE" (PDF). Springer. 2007. Retrieved May 5, 2021.
  5. ^ "Secret Sharing Framework Based on Digital Certificates" (PDF). Proceedings of the 13th European Conference on Cyber Warfare and Security. 10.13140/RG.2.1.4331.5281. January 1, 2014. Retrieved May 5, 2021.
  6. ^ "Cybersecurity: An Enabler for Critical Infrastructure". Siemens. 2021. Retrieved May 5, 2021.
  7. ^ "Zetes launches eSig division ZetesConfidens". Security Document World. October 2, 2018. Retrieved May 5, 2021.
  8. ^ "Key Management for 4G and 5G inter-PLMN Security" (PDF). GSMA. March 6, 2020. Retrieved June 8, 2021.
  9. ^ "Field Notice: FN - 72013 - Cisco APIC-EM Root Certificate Expiration Causes All IWAN DMVPN Connections to Fail - Software Upgrade Recommended". Cisco. December 18, 2020. Retrieved May 5, 2021.
  10. ^ "Building and Managing a PKI Solution for Small and Medium Size Business". SANS Institute. December 16, 2013. Retrieved May 5, 2021.