EJBCA 3.0 Released: Open Source Certificate Authority


  1. EJBCA 3.0 final has been released. EJBCA is a fully functional open source Certificate Authority built on J2EE. EJBCA aims to be a robust, high-performance, platform-independent, flexible, and component-based CA that can be used standalone or integrated in J2EE applications.

    The most important improvement in version 3.0 is that it is now possible to run several PKI infrastructures within one single instance of EJBCA. Other major improvements include complete support for OCSP, an enhanced hard token interface and flexible LDAP configuration through the web GUI.

    Major features:
    - Open Source (LGPL) license.
    - Built on the J2EE 1.3 (EJB 2.0) specification.
    - Flexible, component based architecture.
    - Multiple CAs and levels of CAs, build a complete infrastructure (or several) within one instance of EJBCA.
    - Standalone or integrated in any J2EE application.
    - Simple installation and configuration.
    - Powerful Web based administration GUI using strong authentication.
    - Command line administration for scripts etc.
    - Individual enrollment or batch production of certificates.
    - Server and client certificates can be exported as PKCS12, JKS or PEM.
    - Browser enrollment with Netscape, Mozilla, IE, etc.
    - Enrollment for other applications through open APIs and tools.
    - E-mail notification to new users added by RA.
    - Random or manual password for initial user authentication.
    - Hard token module for integrating with hard token issuing system (smart cards).
    - Supports the Simple Certificate Enrollment Protocol (SCEP).
    - Multiple levels of administrators with specified privileges and user groups.
    - Configurable certificate profiles for different types and contents of certificates.
    - Configurable entity profiles for different types of users.
    - Follows X509 and PKIX (RFC3280) standards where applicable.
    - Revocation and Certificate Revocation Lists (CRLs).
    - Fully supports the Online Certificate Status Protocol (OCSP), including AIA-extension.
    - CRL creation and URL-based CRL Distribution Points according to RFC3280.
    - Stores Certificates and CRLs in any SQL database (handled by application server).
    - Optional multiple publishers for publishing certificates and CRLs in LDAP and other stores.
    - Key recovery module to store private keys for recovery for selected users and certificates.
    - Component based architecture for publishing certificates and CRLs to different sources.
    - Component based architecture for various authorization methods of entities when issuing certificates.
    - Easy to integrate into large applications for optimal integration into business processes.

    Check out EJBCA at: http://ejbca.sourceforge.net/
  2. Kewl Stuff!!

    A few queries:
    What are the alternatives supported for the CA's own private key storage?
    Can one use smart card(s) for private key storage and ingintion?
    Can one use a key-splitting mechanism, where a key is split and maintained on more than 3 smart cards/hard tokens?
    Besides RSA, can we use other algorithms like ECC?
  3. 1. CA private keys are stored in the database. There is an interface for hard token support (HSM, smart cards). No HSM device has been implemented yet as part of the project. We have heard it's being used by someone though...
    Support for different HSMs/smart cards can be added using a plug-in mechanism, so independent developers can implement a plug-in for their smart card etc. (at least in theory :)
    2. See 1.
    3. No, there is no support for that now.
    4. Same as three. DSS support is on the todo-list, no timeframe is specified for this though. If there is large interest things will move up on the todo-list naturally.