EJBCA: Difference between revisions

EJBCA

Developer(s)	PrimeKey Solutions AB
Initial release	December 5, 2001 (2001-12-05)
Stable release	4.0.3 / June 1, 2011 (2011-06-01)
Repository	github.com/Keyfactor/ejbca-ce
Written in	Java on Java EE
Operating system	Cross-platform
Available in	Chinese, English, French, German, Italian, Portuguese, Spanish, Swedish
Type	PKI Software
License	LGPL
Website	www.ejbca.org

Enterprise Java Bean Certificate Authority, or EJBCA, is a free software public key infrastructure certificate authority software package maintained and sponsored by the Swedish for-profit company PrimeKey Solutions AB, which holds the copyright to most of the codebase. The project's source code is available under terms of the Lesser GNU General Public License.

Design

The system is implemented in Java EE and designed to be platform independent and fully clusterable,^[1] to permit a greater degree of scalability than is typical of similar software packages. Multiple instances of EJBCA are run simultaneously, sharing a database containing the current certificate authorities (CAs). This permits each instance of the software to access any CA. The software also supports the use of a Hardware Security Module (HSM), which provides additional security. Larger-scale installations would use multiple instances of EJBCA running on a cluster, a fully distributed database on a separate cluster and a third cluster with HSMs keeping the different CA keys.

Features

EJBCA follows the major standards in the PKI area, such as X509, OCSP, CMP, XKMS, SCEP, and Elliptic curves,^[2] including the new Card Verifying Certificate (CVC) EU standard for machine readable passports containing fingerprints, which will be mandatory as of June 26, 2009.

EJBCA supports all common asymmetric encryption algorithms, RSA, DSA and ECC, as well as the modern hash algorithms, SHA1, SHA256, SHA384, SHA512.

Apart from the features wou expect from a Certificate Authority. EJBCA includes a few interesting features from a PKI point-of-view. In normal operation everything is stored and audit logged, including user entries in the built in RA. In the normal mode all properties that you would expect from a Certificate Authority applies, transactional behaviour, audit, revocation and CRL issuance. You can however also configure EJBCA in a "throw away CA" mode, where nothing is stored in the database, but instead certificates are simply issued, to an RA, very fast. This is convenient if you don't need to store revocation information on the CA, and you need to issue huge volumes of certificates fast. In "throw away CA" mode EJBCA can issue hundreds of certificates per second from a single server.

Development

EJBCA is licensed under the standard GNU Lesser General Public License (LGPL). The source code is hosted at SourceForge.net. It was first posted there in November 2001. At that time the amount of source code was around 6,000 lines of code including test code. As of December 2008, it contains about 166,000 lines of code.

Known major installations

There are many known^[3] installations all over the world, among them:

• USA, California: Concealed customer, (up to 150.000.000 users)
• Sweden: Bankgirocentralen BGC AB/BankID (National eID), 2,500.000 Users (up to 4,000.000 Users)´
• Sweden: The Swedish Police, 25,000 Users
• Sweden: Ministry of Justice, The Swedish Police, ePassports for Citizens, up to 9,000.000
• Norway: Ministry of Interior - Norwegian Police (PDMT), ePassports for Norwegian Citizens and Dimplomats (up to 4,500.000 Users)
• Iceland: Registry of Persons, ePassports for Citizens, up to 300,000.
• Lithuania: Ministry of Foreign Affairs, ePassport for Diplomats, up to 10,000.
• Germany: LVM AG, 15,000 Users
• France: Societe Generale S.A, up to 400,000 Users
• Turkey: Ministry of Foreign Affairs, ePassports for Turkish Citizens and Dimplomats, 10,000 Passports per day, up to 80,000.000.
• Bahrain: Manama, CIO-Office, NeID for Citizens, up to 600,000.
• France: Ministry of Defence, 1,500 Users
• Greece: The Greek Police, 30,000 Users
• France: Ministry of Finance, 80,000 Users
• China: ZhuHai Local Taxation Bureau, 50,000 Users
• Spain: Grupo Safa, Spain, 20,000 Users
• Brazil: Serasa.com, 20,000 Users
• Spain: Autoritat de Certificació de la Comunitat Valenciana, +75,000 Users

Note for the reader: EJBCA is besides above samples of deployments - now (2010) also tested - in over 25 countries (Europe and ouside Europe) for different national projects: as Healthcare Cards, NeID, ePassports, Tachographs and Driving Licenses. Over 250 commercial projects/deployments have been done by PrimeKey 2002–2011. EJBCA is downloaded over 100,000 times on Global level at www.ejbca.org

References

1. Typical large scale setup
2. List of features
3. Reference installations

External links

• EJBCA at SourceForge
• EJBCA evaluation report from University of Queensland, AU
• Finding and Preventing Run-Time Error Handling Mistakes; Westley Weimer, George C. Necula; University of California, Berkeley
• Migration guide from OpenSSL CAs
• Migration guide from MS CAs
• EJBCA at java-source.net
• EJBCA is used as a component in Chillout
• Information about EJBCA in French
• EJBCA proposed as a solution for How to Overcome the Challenges to Large Scale Adoption of Open Source Software and Systems in Pakistan Business and Industrial Environment ; Athar Mahboob and Nassar Ikram; National University of Sciences & Technology, Karachi

EJBCA in literature

• Research and application of EJBCA based on J2EE; Liyi Zhang, Qihua Liu and Min Xu; IFIP International Federation for Information Processing Volume 251/2008; ISBN 978-0-387-75465-9
• Chapter "Securing Connections and Remote Administration" in Hardening Linux; James Turnbull; ISBN 978-1-59059-444-5
• Exception-Handling Bugs in Java and a Language Extension to Avoid Them; Westley Weimer; Advanced Topics in Exception Handling Techniques Volume 4119/2006; ISBN 978-3-540-37443-5
• A workflow based architecture for Public Key Infrastructure; Johan Eklund; TRITA-CSC-E 2010:047