15/05/10 1
An introduction to EJBCA and SignServer
PrimeKey Solutions AB
Tomas Gustavsson
EJBCA and SignServer
Euro PKI projects and use cases
EJBCA - Open Source Enterprise PKI
EJBCA PKI: central Certificate Authority
EJBCA OCSP: online certificate status validation
SignServer: modular server-side signature and validation
• PDF, XML, ODF, OOXML signing
• MRTD Document Signer
• Time Stamp Authority
• …
Enterprise class PKI built on JEE technology.
EJBCA - Open Source Enterprise PKI
Open Source
• LGPL v2.1 or later
Freely available
• ejbca.org, signserver.org
• Hosted on sourceforge, public svn
• Download all versions with full source from sourceforge.net
Open community
• Forum, mail lists, irc
• Patches, translations, documentation
Professional open source PKI by PrimeKey
• Full time development staff
• Commercial support with different SLAs: standard, advanced, 24/7
• Professional services
EJBCA - Open Source Enterprise PKI
Secure communication with SSL servers and SSL clients.
Strong authentication for users (web, email, custom apps, etc).
Network authentication (802.1x).
Smart card logon to Windows, Linux, etc
VPN connections and client VPN access with certificates in users' VPN clients.
Single sign-on by using a single certificate to secure logon to web applications.
Document signing (personal or enterprise signatures).
Signing and encrypting email.
Issue certificates to electronic IDs.
BAC and EAC ePassports.
... and many many more ...
Certificate Lifecycle Mgmt
Certificate Lifecycle Management, what does it mean?
Managing a certificate through all the stages of its lifetime.
Certificate:
• Issue
• Renew
• Revoke/expire
• Suspend/re-activate
Certificate states:
• Not yet valid
• Valid/active
• Expired
• Revoked
• Suspended
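The five states listed above can be derived from a certificate's validity window and its revocation history. The sketch below is an added example, not code from the slides or from EJBCA. It assumes the RFC 5280 CRLReason codes certificateHold (6) for suspension and removeFromCRL (8) for re-activation, and it assumes that revocation status takes priority over the validity dates. The function name, event list and dates are constructed for illustration.

```python
from datetime import datetime, timezone
from enum import Enum

class State(Enum):
    NOT_YET_VALID = "not yet valid"
    VALID = "valid/active"
    EXPIRED = "expired"
    REVOKED = "revoked"
    SUSPENDED = "suspended"

# RFC 5280 CRLReason codes that drive suspend/re-activate
CERTIFICATE_HOLD = 6  # temporary revocation, i.e. suspension
REMOVE_FROM_CRL = 8   # lifts an earlier certificateHold

def certificate_state(not_before, not_after, events, at):
    """Lifecycle state at time `at`.

    events: (timestamp, reason_code) tuples, a constructed stand-in for the
    revocation history a CA database would hold.
    """
    status = None  # None means "not revoked or suspended"
    for when, reason in sorted(events):
        if when > at or status is State.REVOKED:
            break  # future event, or permanent revocation already reached
        if reason == CERTIFICATE_HOLD:
            status = State.SUSPENDED
        elif reason == REMOVE_FROM_CRL:
            status = None  # re-activated
        else:
            status = State.REVOKED
    if status is not None:
        return status  # assumption: revocation status wins over the dates
    if at < not_before:
        return State.NOT_YET_VALID
    if at > not_after:
        return State.EXPIRED
    return State.VALID

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample: suspended, re-activated, then revoked (keyCompromise = 1)
NOT_BEFORE, NOT_AFTER = utc(2010, 1, 1), utc(2012, 1, 1)
EVENTS = [(utc(2010, 6, 1), CERTIFICATE_HOLD),
          (utc(2010, 7, 1), REMOVE_FROM_CRL),
          (utc(2011, 3, 1), 1)]

if __name__ == "__main__":
    for day in (utc(2009, 12, 1), utc(2010, 6, 15), utc(2010, 8, 1), utc(2013, 1, 1)):
        print(day.date(), certificate_state(NOT_BEFORE, NOT_AFTER, EVENTS, day).value)
```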
Certificate Lifecycle Mgmt
Manual lifecycle management
• Small scale
• High maintenance
• Labor intensive
Automatic lifecycle management
• Several protocols suited for automation of issuance, renewal and revocation:
• CMP
• SCEP
• Web service
• XKMS
Validation
Validation of certificates – check if a certificate is revoked.
Currently two standard ways of validation:
• OCSP – Online Certificate Status Protocol
• CRL – Certificate Revocation Lists
Enterprise signatures
• Digital signing of documents with an Enterprise signature.
• Enterprise signature is in contrast to personal signatures, where every user must have a personal signature certificate and associated software.
• Suitable for receipts, official documents, passports, message passing systems, etc.
EJBCA - Open Source Enterprise PKI
Multiple CAs and PKIs in a single installation, Root CAs, SubCAs, cross certification, ...
RSA, DSA, ECDSA, many hash algorithms
X.509 v3 and CVC EAC 1.11
Web based admin GUI in many languages
Soft tokens or PKCS#11 based HSMs, SafeNet, Utimaco, nCipher, AEP, …
Flexible architecture, all in one, external RAs, external OCSP, …
Many protocols, web, SCEP, CMP, WebService, XKMS
CRLs and OCSP
Standard and custom certificate extensions
Publishers for LDAP (and AD), files, or custom publishers
Email notifications
Profiles for end entities and certificates
Cluster support, high availability
Health check for load balancers and monitoring
Support for many application servers and databases
Standards compliant (RFC5280), open source, open APIs, etc etc
Platform independent
Operating systems: Linux, Solaris, Windows, OS X, BSD, … (Java 5 or higher)
Application servers: JBoss, Glassfish, Weblogic, (OC4J, Websphere) (EJB 2.1)
Databases: MySQL, Oracle, DB2, PostgreSQL, MSSQL, Ingres, ...
Hardware Security Modules: SafeNet, Utimaco, nCipher, AEP, … (PKCS#11)
Integrated PKI
2007-01-31 Copyright © 2007 PrimeKey Solutions AB
[Figure: EJBCA Enrollment/RA interfaces. Labels shown: EJBCA; web clients (HTTP/SSL certificates); routers/VPN (SCEP/VPN certificates); other clients; CMP; XKMS; External RA; ExtRA API; WebService; smart card personalization; logon certificates; SignServer MRTD; DS certificate; inspection system; IS certificate (CVC).]
[Figure: EJBCA architecture. Labels shown: PKI core; PKI Services; RA-admin; CA-admin; Public; Public web; Admin web; Publishers; Certificate store; Protocols (SCEP, CMP, XKMS, OCSP); Bouncycastle.]
Simple architecture
Everything in a single server EJBCA installation
• Simple
• Cost-effective
• Medium availability (~99%)
• Medium performance (~1 million certificates)
Cold standby high availability
Database replication in order to make sure information is not lost.
• Relatively simple
• Cost-effective
• Medium availability (~99.99%)
• Medium performance (~1 million certificates)
Fully clustered, separate Root CA
Separate root CA to isolate the trust point for security reasons.
• Complex
• Expensive
• High availability (99.999%)
• High performance (>10 million certificates)
Euro PKI projects
PKI is everywhere...
Electronic/biometric passports (BAC, EAC)
Health cards
Tachographs
National ID cards
Government login
Banks
Insurance companies
Electronic invoicing
...
Use cases
Swedish Police
• EJBCA and SignServer for BAC and EAC ePassport.
• EJBCA and smart cards for authentication of 25.000 internal users.
• EJBCA for qualified electronic signatures.
• VPN, Server certificates, …
• SignServer for signing of temporary passports (MRTD).
Organizational cluster - Swedish police use case
Cold standby clusters
• Medium volume, 24/7 operations, many CAs
• Different security zones
• Database replication
• CA availability, sufficient with cold standby
• Additional OCSP validation servers
Enterprise PDF signing
• File drop for documents
• 24/7 operations, several signers
• Signer certificates from internal and/or external CA
• Authentication of users
• Archival of signed documents
Use cases
BGC (Swedish banks clearing house)
• Certificate issuance of national and bank IDs.
• OCSP validation with high performance demands.
Liechtensteinische Landesbank AG
• EJBCA for issuing certificates to users and systems.
Cartes Bancaires, France
• EJBCA for issuing certificates to users and systems.
Bank electronic IDs
• Active-active cluster
• High volume, 24/7 operations, many CAs
• Distributed registration authorities
• Cluster database
• CA availability, high
• OCSP availability, very high
Use cases
MULTICERT, Portugal
• EJBCA EAC PKI ePassport
• Certificate issuance on national IDs
Commfides - TrustCenter, Norway
• EJBCA for issuing qualified certificates to citizens.
Slovenian health card
• Certificate issuance on national health cards
National ID / ePassport / health cards
One PKI server
• Huge volume eID, 30.000 certs/day, multiple CAs
• Very large CRLs
• High availability database avoids data loss
• CA availability, sufficient with cold standby
Thank you!
PrimeKey Solutions AB
www.ejbca.org
www.signserver.org
Tomas Gustavsson
http://www.primekey.se