15/05/10 1
An introduction to EJBCA and SignServer
PrimeKey Solutions AB
Tomas Gustavsson
http://[email protected]
EJBCA and SignServer
Euro PKI projects and use cases
EJBCA - Open Source Enterprise PKI
• EJBCA PKI: central Certificate Authority
• EJBCA OCSP: online certificate status validation
• SignServer: modular server-side signature and validation (PDF, XML, ODF, OOXML signing; MRTD Document Signer; Time Stamp Authority; ...)
Enterprise class PKI built on JEE technology.
EJBCA - Open Source Enterprise PKI
Open source: LGPL v2.1 or later
Freely available: ejbca.org, signserver.org; hosted on SourceForge, public svn; download all versions with full source from sourceforge.net
Open community: forum, mail lists, irc; patches, translations, documentation
Professional open source PKI by PrimeKey: full-time development staff; commercial support with different SLAs (standard, advanced, 24/7); professional services
EJBCA - Open Source Enterprise PKI
Secure communication with SSL servers and SSL clients.
Strong authentication for users (web, email, custom apps, etc).
Network authentication (802.1x).
Smart card logon to Windows, Linux, etc
VPN connections and client VPN access with certificates in users VPN clients.
Single signon by using a single certificate to secure logon to web applications.
Document signing (personal or enterprise signatures).
Signing and encrypting email.
Issue certificates to electronic IDs.
BAC and EAC ePassports.
... and many many more ...
Certificate Lifecycle Mgmt
Certificate Lifecycle Management, what does it mean?
Managing certificates through all the stages during their lifetime.
Certificate operations:
• Issue
• Renew
• Revoke/expire
• Suspend/re-activate
Certificate states:
• Not yet valid
• Valid/active
• Expired
• Revoked
• Suspended
Certificate Lifecycle Mgmt
Manual lifecycle management
• Small scale
• High maintenance
• Labor intensive
Automatic lifecycle management
• Several protocols suited for automation of issuance, renewal and revocation:
• CMP
• SCEP
• Web service
• XKMS
Validation
Validation of certificates – check if a certificate is revoked.
Currently two standard ways of validation:
• OCSP – Online Certificate Status Protocol
• CRL – Certificate Revocation Lists
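Added worked example (not EJBCA or SignServer code) tying the lifecycle slide above to this validation slide: a small Python register that issues, renews, suspends, re-activates and revokes certificate records, derives the five lifecycle states from the stored facts rather than storing a state flag, and answers both a CRL entry list and an OCSP-style status for a serial number. The class and function names (LifecycleCA, CertRecord, Reason) are this example's own; the reason codes follow RFC 5280 and the remark on what an OCSP "good" answer asserts follows RFC 6960.

```python
"""Certificate lifecycle register with CRL and OCSP-style status derivation.

Illustration written for this page; it is not EJBCA or SignServer code.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class Reason(Enum):
    """CRLReason codes from RFC 5280, section 5.3.1 (subset)."""
    UNSPECIFIED = 0
    KEY_COMPROMISE = 1
    CESSATION_OF_OPERATION = 5
    CERTIFICATE_HOLD = 6      # suspension: the only reversible revocation
    REMOVE_FROM_CRL = 8       # delta-CRL marker emitted when a hold is lifted


@dataclass
class CertRecord:
    serial: int
    subject: str
    not_before: datetime
    not_after: datetime
    revoked_at: Optional[datetime] = None
    reason: Optional[Reason] = None
    history: list = field(default_factory=list)   # audit trail of transitions

    def state(self, now: datetime) -> str:
        """Derive the lifecycle state; revocation facts take precedence over the validity window."""
        if self.revoked_at is not None:
            return "suspended" if self.reason is Reason.CERTIFICATE_HOLD else "revoked"
        if now < self.not_before:
            return "not yet valid"
        if now > self.not_after:
            return "expired"
        return "valid"

    def revoke(self, now: datetime, reason: Reason) -> None:
        """Revoke or suspend. Permanent revocation is final; a hold may be escalated."""
        if reason is Reason.REMOVE_FROM_CRL:
            raise ValueError("removeFromCRL is a delta-CRL marker, not a revocation reason")
        if self.state(now) == "revoked":
            raise ValueError(f"serial {self.serial} is already permanently revoked")
        self.revoked_at, self.reason = now, reason
        action = "suspend" if reason is Reason.CERTIFICATE_HOLD else "revoke"
        self.history.append((now, action, reason.name))

    def reactivate(self, now: datetime) -> None:
        """Lift a hold. Only a suspended certificate may return to service."""
        if self.state(now) != "suspended":
            raise ValueError(f"serial {self.serial} is not suspended")
        self.revoked_at, self.reason = None, None
        self.history.append((now, "reactivate", Reason.REMOVE_FROM_CRL.name))


class LifecycleCA:
    """Minimal CA-side register: issue, renew, revoke/suspend, then answer CRL and OCSP queries."""

    def __init__(self) -> None:
        self._next_serial = 1
        self.certs: dict[int, CertRecord] = {}

    def issue(self, subject: str, now: datetime, lifetime: timedelta) -> CertRecord:
        rec = CertRecord(self._next_serial, subject, now, now + lifetime)
        rec.history.append((now, "issue", None))
        self.certs[rec.serial] = rec
        self._next_serial += 1
        return rec

    def renew(self, serial: int, now: datetime, lifetime: timedelta) -> CertRecord:
        """Renewal issues a fresh certificate; the old record keeps its own lifecycle."""
        old = self.certs[serial]
        if old.state(now) == "revoked":
            raise ValueError("a permanently revoked certificate is not renewed")
        return self.issue(old.subject, now, lifetime)

    def crl_entries(self, now: datetime) -> list[tuple[int, datetime, str]]:
        """Entries a full CRL would carry; entries for expired certificates may be dropped (RFC 5280, 5.1)."""
        return [
            (c.serial, c.revoked_at, c.reason.name)
            for c in self.certs.values()
            if c.revoked_at is not None and now <= c.not_after
        ]

    def ocsp_status(self, serial: int, now: datetime) -> tuple[str, Optional[str]]:
        """OCSP-style answer: good / revoked (with reason) / unknown.
        'good' only asserts 'not revoked'; it does not say the certificate is inside
        its validity period, so relying parties must still check notBefore/notAfter."""
        rec = self.certs.get(serial)
        if rec is None:
            return ("unknown", None)
        if rec.revoked_at is not None:
            return ("revoked", rec.reason.name)
        return ("good", None)


if __name__ == "__main__":
    t0 = datetime(2010, 5, 15, tzinfo=timezone.utc)   # constructed timestamp
    ca = LifecycleCA()
    cert = ca.issue("CN=example user", t0, timedelta(days=365))
    cert.revoke(t0 + timedelta(days=10), Reason.CERTIFICATE_HOLD)
    print(cert.state(t0 + timedelta(days=11)), ca.crl_entries(t0 + timedelta(days=11)))
    cert.reactivate(t0 + timedelta(days=12))
    print(cert.state(t0 + timedelta(days=12)), ca.ocsp_status(cert.serial, t0 + timedelta(days=12)))
```

The design point is that the state is never stored: it is computed from the validity window and the revocation facts, so a suspended certificate that is re-activated simply returns to whatever its validity window says, and a permanent revocation can never be undone by a later transition.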
Enterprise signatures
• Digital signing of documents with an Enterprise signature.
• Enterprise signature is in contrast to personal signatures, where every user must have a personal signature certificate and associated software.
• Suitable for receipts, official documents, passports, message passing systems, etc.
EJBCA - Open Source Enterprise PKI
Multiple CAs and PKIs in a single installation, Root CAs, SubCAs, cross certification, ...
RSA, DSA, ECDSA, many hash algorithms
X.509 v3 and CVC EAC 1.11
Web based admin GUI in many languages
Soft tokens or PKCS#11 based HSMs, SafeNet, Utimaco, nCipher, AEP, …
Flexible architecture, all in one, external RAs, external OCSP, …
Many protocols, web, SCEP, CMP, WebService, XKMS
CRLs and OCSP
Standard and custom certificate extensions
Publishers for LDAP (and AD), files, or custom publishers
Email notifications
Profiles for end entities and certificates
Cluster support, high availability
Health check for load balancers and monitoring
Support for many application servers and databases
Standards compliant (RFC5280), open source, open APIs, etc etc
EJBCA - Open Source Enterprise PKI
EJBCA - Open Source Enterprise PKI
Platform independent
• Operating systems: Linux, Solaris, Windows, OS X, BSD, … (Java 5 or higher)
• Application servers: JBoss, Glassfish, Weblogic, (OC4J, Websphere) (EJB 2.1)
• Databases: MySQL, Oracle, DB2, PostgreSQL, MSSQL, Ingres, ...
• Hardware Security Modules: SafeNet, Utimaco, nCipher, AEP, … (PKCS#11)
Integrated PKI
2007-01-31 Copyright © 2007 PrimeKey Solutions AB
EJBCA Enrollment/RA interfaces (diagram; only the labels survive)
• Web clients: HTTP/SSL certificates
• Routers/VPN: SCEP, VPN certificates
• Other clients: CMP, XKMS
• External RA: ExtRA API, WebService, CMP
• Smart card personalization: logon certificates
• SignServer MRTD: DS certificate
• Inspection system: IS certificate (CVC)
EJBCA architecture (diagram; only the labels survive)
• PKI core, PKI services
• Interfaces: RA-admin, CA-admin, Public; Public web, Admin web
• Publishers, Certificate store
• Protocols: SCEP, CMP, XKMS, OCSP
• Bouncycastle
Simple architecture
Everything in a single server EJBCA installation
• Simple
• Cost effective
• Medium availability (~99%)
• Medium performance (~1 million certificates)
Cold standby high availability
Database replication in order to make sure information is not lost.
• Relatively simple
• Cost effective
• Medium availability (~99.99%)
• Medium performance (~1 million certificates)
Fully clustered, separate Root CA
Separate root CA to isolate the trust point for security reasons.
• Complex
• Expensive
• High availability (99.999%)
• High performance (>10 million certificates)
Euro PKI projects
PKI is everywhere...
Electronic/biometric passports BAC EAC
Health cards
Tachographs
National ID cards
Government login
Banks
Insurance companies
Electronic invoicing
...
Use cases
Swedish Police: EJBCA and SignServer for BAC and EAC ePassport. EJBCA and smart cards for authentication of 25.000 internal users. EJBCA for qualified electronic signatures. VPN, server certificates, … SignServer for signing of temporary passports (MRTD).
Organizational cluster - Swedish police use case
Cold standby clusters
• Medium volume, 24/7 operations, many CAs
• Different security zones
• Database replication
• CA availability: sufficient with cold standby
• Additional OCSP validation servers
Enterprise PDF signing
• File drop for documents
• 24/7 operations, several signers
• Signer certificates from internal and/or external CA
• Authentication of users
• Archival of signed documents
Use cases
BGC (Swedish banks' clearing house): certificate issuance for national and bank IDs; OCSP validation with high performance demands.
Liechtensteinische Landesbank AG: EJBCA for issuing certificates to users and systems.
Cartes Bancaires, France: EJBCA for issuing certificates to users and systems.
Bank electronic IDs
• Active-active cluster
• High volume, 24/7 operations, many CAs
• Distributed registration authorities
• Cluster database
• CA availability: high
• OCSP availability: very high
Use cases
MULTICERT, Portugal: EJBCA EAC PKI ePassport; certificate issuance on national IDs.
Commfides TrustCenter, Norway: EJBCA for issuing qualified certificates to citizens.
Slovenian health card: certificate issuance on national health cards.
National ID / ePassport / health cards
One PKI server
• Huge volume eID, 30.000 certs/day, multiple CAs
• Very large CRLs
• High availability database avoids data loss
• CA availability: sufficient with cold standby
Thank you!
PrimeKey Solutions AB
www.ejbca.org
www.signserver.org
Tomas Gustavsson
http://www.primekey.se