EJBCA Certificate Lifecycle
Contents
● Different ways to call EJBCA
● The dialogue with EJBCA
● Web pages
● Command line interface
● Java API
● SCEP
● CMP & CRMF
● XKMS
● Questions / answers

Different ways to call EJBCA

The dialogue with EJBCA
The methods of calling EJBCA are the following:
● Web front end
● Command Line Interface (CLI)
● Java API, to integrate EJBCA into components through Web Services
● The SCEP protocol, for routers
● The CMP protocol (Certificate Management Protocol)
● XKMS (XML Key Management Specification) calls

Web Pages
● EJBCA provides a public front end for generating certificates and for downloading public information, such as the CRL or the CA certificates.
● EJBCA also provides HTML or JSP pages to integrate into your intranet; code examples for key generation and certificate requests are supplied with EJBCA.
● The web page works like a cgi-bin with the POST method.
● The page allows you to:
  – Request a certificate (PKCS#10 request)
  – Generate a certificate with your browser
  – Get your certificate (PKCS#12)
  – Request revocation
  – Get the CRL
  – Get the CA certificates

Command Line Interface (1/2)
Overview
● EJBCA provides a CLI that supplies certain features of the RA and CA.
● EJBCA offers two types of CLI:
  – Batch CLI for Unix and Windows
  – Web Service CLI
Batch CLI for Unix and Windows
● CA commands (get CRL, create CRL, list CAs, import CA, activate or deactivate CA, info about a CA, etc.)
● RA commands (add, delete, list, find, revoke user, key recovery, etc.)
● OCSP client
● batch: executes the prepared commands
Example usage: bin/ejbca.sh ra revokeuser $username $reason

Command Line Interface (2/2)
Web Service CLI
● Web Service interface used to access the basic functions.
● This CLI uses Web Service specifications such as SOAP, WSDL, etc.
● Calls to EJBCA are made over HTTPS.
● The functions currently available through the Web Service interface are:
  – editUser: edits/adds user data
  – findUser: retrieves the user data for a given user
  – findCerts: retrieves the certificates generated for a user
  – pkcs10Req: generates a certificate using the given user data and the public key from the PKCS#10 request
  – pkcs12Req: generates a PKCS#12 keystore (with the private key) using the given user data
  – revokeCert: revokes the given certificate
  – revokeUser: revokes all certificates of a given user
  – revokeToken: revokes all certificates placed on a given hard token
  – checkRevokationStatus: checks the revocation status of a certificate
Example usage: ejbcawsracli.cmd pkcs12req testuser2 foo NONE tmp

Java API
● You can use the Web Service interface to integrate EJBCA with other applications.
● The Web Service is based on JAX-WS 2.0.
● This project develops and evolves the code base for the reference implementation of the Java API for XML Web Services (JAX-WS) specification.
● Extensions:
  – OASIS WS-Security support
  – WSIT (JAX-WS M1 and later): WS-ReliableMessaging, WS-Policy, WS-MEX (Metadata Exchange), WS-Security
  – SOAP/TCP
  – Pluggable transports (SOAP over TCP, JMS, Servlet transport, etc.)
  – FastInfoset (standardized binary encoding for the XML Information Set)

SCEP
Overview
● Simple Certificate Enrollment Protocol (SCEP) is a simple protocol for enrolling certificates into routers. It was developed by Cisco Systems.
● The protocol uses PKCS#7 and PKCS#10.
Characteristics
● EJBCA implements features from (at least) draft 11 of the SCEP specification. This means that the following SCEP messages are implemented:
  – PKCSReq (certificate request)
  – GetCRL (get Certificate Revocation List)
  – GetCACert (get CA certificate)
  – GetCACertChain (get CA certificate chain)
  – GetCACaps (list of CA capabilities)
● EJBCA successfully receives SCEP 'PKCSReq' requests and sends back the certificate/CRL immediately in a proper SCEP reply message.
● EJBCA does not support the 'polling' model; EJBCA uses the direct method, where a request is granted or denied immediately.
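The GetCACaps and GetCACert messages listed above use SCEP's plain HTTP GET binding, and what the CA announces in GetCACaps decides how the client sends its later PKCSReq. The following is an added example written for this page, not EJBCA's own code: it builds the GET URLs, parses a constructed GetCACaps body, and picks the strongest digest and the request method from it. The endpoint path under SCEP_BASE is an assumption about a typical EJBCA deployment and should be checked against your installation.

```python
# Added example (not EJBCA's own code): client-side handling of the SCEP
# GetCACaps / GetCACert operations over the HTTP GET binding, and how the
# advertised capabilities steer the later PKCSReq exchange.
from urllib.parse import urlencode

# Assumed EJBCA SCEP endpoint; the path follows a typical EJBCA deployment
# and should be checked against your installation.
SCEP_BASE = "https://ca.example.test/ejbca/publicweb/apply/scep/pkiclient.exe"

# Digests a SCEP client may see in GetCACaps, strongest first.
HASH_PREFERENCE = ("SHA-512", "SHA-256", "SHA-1")


def scep_get_url(operation, message=None, base=SCEP_BASE):
    """Build the URL for a SCEP GET operation such as GetCACaps, GetCACert or GetCACertChain."""
    params = {"operation": operation}
    if message is not None:
        params["message"] = message
    return base + "?" + urlencode(params)


def parse_ca_caps(body):
    """Parse the text/plain body of a GetCACaps reply into a set of capability keywords."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def choose_hash(caps):
    """Pick the strongest digest the CA advertises. With no SHA-* capability the
    SCEP drafts fall back to MD5, which a client should treat as a warning sign."""
    for algo in HASH_PREFERENCE:
        if algo in caps:
            return algo
    return "MD5"


def pki_operation_method(caps):
    """PKIOperation may be POSTed only if the CA announced POSTPKIOperation."""
    return "POST" if "POSTPKIOperation" in caps else "GET"


def describe_cacert_reply(content_type):
    """Tell the client what a GetCACert reply body holds, from its Content-Type."""
    if content_type == "application/x-x509-ca-cert":
        return "single CA certificate, DER encoded"
    if content_type == "application/x-x509-ca-ra-cert":
        return "CA plus RA certificates, degenerate PKCS#7 SignedData"
    raise ValueError("unexpected GetCACert content type: " + content_type)


# Constructed sample GetCACaps body (not captured from a real CA).
SAMPLE_CAPS_BODY = "POSTPKIOperation\nSHA-256\nSHA-1\nRenewal\n"

if __name__ == "__main__":
    caps = parse_ca_caps(SAMPLE_CAPS_BODY)
    print(scep_get_url("GetCACaps", "EjbcaCA"))
    print(scep_get_url("GetCACert", "EjbcaCA"))
    print("digest:", choose_hash(caps), "method:", pki_operation_method(caps))
    print(describe_cacert_reply("application/x-x509-ca-ra-cert"))
```

Because EJBCA answers a PKCSReq immediately, a client written against it never has to implement the GetCertInitial polling loop; the capability check still matters, since a CA that advertises no SHA-* digest would push the client back to the MD5 default.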

CMP and CRMF
Overview
● Certificate Management Protocol (RFC 4210) provides on-line interactions between PKI components, including an exchange between a Certification Authority (CA) and a client system.
● Certificate Request Message Format (RFC 4211): this syntax is used to convey a request for a certificate to a Certification Authority (CA), possibly via a Registration Authority (RA), for the purpose of X.509 certificate production.
● EJBCA implements some parts of CMP. The following CMP messages are supported:
  – Initialization request (ir)
  – Certification request (cr)
  – Certificate confirm (certConf)
● CMP in EJBCA can work in two modes:
  – Normal: when a request comes in, EJBCA verifies the request and issues a certificate to a user that has been previously registered in EJBCA.
  – RA: when the RA sends a certificate request to EJBCA, no user is pre-registered in EJBCA. When EJBCA receives the request, the message is authenticated using PasswordBasedMAC.
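In RA mode the only thing binding the request to an authorised RA is the PasswordBasedMAC of RFC 4210 section 5.1.3.1: the shared secret with the salt appended is hashed iterationCount times to derive a base key, and the protectedPart (the DER of the message header and body) is MACed with it. The following is an added example written for this page, not EJBCA's own code. It uses SHA-256 for the one-way function and HMAC-SHA256 for the MAC (the RFC's own example uses SHA-1 and HMAC-SHA1; the choice here is an assumption), and the protectedPart is a constructed byte string standing in for real DER.

```python
# Added example (not EJBCA's own code): the PasswordBasedMAC of RFC 4210
# section 5.1.3.1, as used to authenticate CMP messages in EJBCA's RA mode.
# SHA-256 / HMAC-SHA256 are assumptions; the RFC's example uses SHA-1 / HMAC-SHA1.
import hashlib
import hmac
import os


def pbm_basekey(shared_secret, salt, iteration_count, owf="sha256"):
    """BASEKEY = OWF applied iterationCount times, starting from shared_secret || salt."""
    if iteration_count < 1:
        raise ValueError("iterationCount must be at least 1")
    data = shared_secret + salt
    for _ in range(iteration_count):
        data = hashlib.new(owf, data).digest()
    return data


def pbm_protect(shared_secret, protected_part, salt, iteration_count=1000,
                owf="sha256", mac="sha256"):
    """Sender side: compute the PKIProtection tag over protectedPart (DER of header+body)."""
    key = pbm_basekey(shared_secret, salt, iteration_count, owf)
    return hmac.new(key, protected_part, mac).digest()


def pbm_verify(shared_secret, protected_part, salt, iteration_count, tag,
               owf="sha256", mac="sha256"):
    """Recipient side: recompute with its own copy of the secret and compare in constant time.
    The salt and iterationCount come from the PBMParameter in the message header."""
    expected = pbm_protect(shared_secret, protected_part, salt, iteration_count, owf, mac)
    return hmac.compare_digest(expected, tag)


def ra_mode_exchange(ra_secret, ca_secret, protected_part, iteration_count=1000):
    """Simulate RA -> CA: the RA protects a request, the CA verifies it with the secret it holds.
    Returns (salt, tag, accepted)."""
    salt = os.urandom(16)  # fresh per message; carried to the CA inside PBMParameter
    tag = pbm_protect(ra_secret, protected_part, salt, iteration_count)
    accepted = pbm_verify(ca_secret, protected_part, salt, iteration_count, tag)
    return salt, tag, accepted


# Constructed stand-in for the DER-encoded header+body of a CMP 'ir' message.
SAMPLE_PROTECTED_PART = b"\x30\x82\x01\x00-constructed-ir-header-and-body"

if __name__ == "__main__":
    secret = b"ra-shared-secret"
    _, _, ok = ra_mode_exchange(secret, secret, SAMPLE_PROTECTED_PART)
    _, _, bad = ra_mode_exchange(secret, b"other-secret", SAMPLE_PROTECTED_PART)
    print("same secret accepted:", ok, "| wrong secret accepted:", bad)
```

The verification must cover the whole protectedPart, so a request whose body was altered in transit fails exactly like one from a party without the secret; since in RA mode no user is pre-registered, the strength of this shared secret and its iteration count are what stand between an attacker and an issued certificate.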

XKMS (1/2)
Overview
● XML Key Management Specification (XKMS) is a set of protocols for distributing and registering public keys. The protocols employ the Simple Object Access Protocol (SOAP), with the relationships among messages defined by the Web Services Definition Language (WSDL).
● XKMS comprises two parts:
  – XML Key Information Service Specification (X-KISS)
  – XML Key Registration Service Specification (X-KRSS)
● The X-KISS specification defines a protocol for a Trust service that resolves public key information, with two services:
  – Validate service
  – Locate service
● The X-KRSS specification defines a protocol for a web service that accepts registration of public key information. Once registered, the public key may be used in conjunction with other web services, including X-KISS. Its operations are:
  – Registration
  – Revocation
  – Key recovery
  – Reissue

XKMS (2/2)
EJBCA and XKMS
● EJBCA supports X-KISS: the Validate and Locate services
● EJBCA supports X-KRSS: Register, Reissue, Revoke and Key recovery
● XKMS provides 4 types of request-response:
  – Synchronous
  – Asynchronous
  – Two-phase
  – Compound
● EJBCA supports only the synchronous request-response pair
● EJBCA provides an XKMS server and an XKMS client
● EJBCA provides a client in batch mode for Windows & Unix
● EJBCA provides an XKMS server integrated into the EJBCA PKI, not standalone yet
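As an added example for the two XKMS slides above (written for this page, not EJBCA's code), the following builds an X-KISS LocateRequest inside a SOAP 1.1 envelope and then checks a LocateResult the way a client of EJBCA's synchronous-only service should: the result's RequestId must match the request's Id, a Pending ResultMajor (the asynchronous and two-phase flows) is rejected, and only a Success result yields certificates. The service URL, the request Ids and the certificate value in the sample result are constructed placeholders.

```python
# Added example (not EJBCA's own code): X-KISS LocateRequest in a SOAP envelope and
# client-side checks on the LocateResult under synchronous request/response pairing.
import xml.etree.ElementTree as ET

XKMS = "http://www.w3.org/2002/03/xkms#"
DS = "http://www.w3.org/2000/09/xmldsig#"
SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
for prefix, uri in (("xkms", XKMS), ("ds", DS), ("soap", SOAP)):
    ET.register_namespace(prefix, uri)

RESULT_SUCCESS = XKMS + "Success"
RESULT_PENDING = XKMS + "Pending"

# Assumed service URL for an EJBCA-integrated XKMS server (placeholder host).
SERVICE_URL = "https://ca.example.test/ejbca/xkms/xkms"


def build_locate_request(request_id, service_url, key_name, respond_with=("X509Cert",)):
    """LocateRequest asking the trust service for the key binding registered under key_name."""
    req = ET.Element(f"{{{XKMS}}}LocateRequest", {"Id": request_id, "Service": service_url})
    for item in respond_with:
        ET.SubElement(req, f"{{{XKMS}}}RespondWith").text = XKMS + item
    qkb = ET.SubElement(req, f"{{{XKMS}}}QueryKeyBinding")
    key_info = ET.SubElement(qkb, f"{{{DS}}}KeyInfo")
    ET.SubElement(key_info, f"{{{DS}}}KeyName").text = key_name
    return req


def soap_envelope(body_element):
    """Wrap an XKMS message in a SOAP 1.1 envelope and serialise it."""
    env = ET.Element(f"{{{SOAP}}}Envelope")
    ET.SubElement(env, f"{{{SOAP}}}Body").append(body_element)
    return ET.tostring(env, encoding="unicode")


def check_locate_result(request_id, result_xml):
    """Validate a LocateResult. Returns (True, [X509Certificate values]) on success,
    otherwise (False, reason). Pending is refused because only the synchronous
    request-response pair is in scope."""
    root = ET.fromstring(result_xml)
    if root.tag != f"{{{XKMS}}}LocateResult":
        return False, "not a LocateResult: " + root.tag
    if root.get("RequestId") != request_id:
        return False, "RequestId does not match the Id of our request"
    major = root.get("ResultMajor")
    if major == RESULT_PENDING:
        return False, "Pending result; only synchronous request-response is supported"
    if major != RESULT_SUCCESS:
        return False, f"request failed: {major} / {root.get('ResultMinor')}"
    certs = [e.text.strip() for e in root.iter(f"{{{DS}}}X509Certificate") if e.text]
    return True, certs


# Constructed sample LocateResult (not a real EJBCA response; the certificate is a placeholder).
SAMPLE_RESULT = f"""<xkms:LocateResult xmlns:xkms="{XKMS}" xmlns:ds="{DS}"
    Id="resp-1" Service="{SERVICE_URL}" RequestId="req-1" ResultMajor="{XKMS}Success">
  <xkms:UnverifiedKeyBinding Id="kb-1">
    <ds:KeyInfo><ds:X509Data>
      <ds:X509Certificate>MIIB...PLACEHOLDER...</ds:X509Certificate>
    </ds:X509Data></ds:KeyInfo>
  </xkms:UnverifiedKeyBinding>
</xkms:LocateResult>"""

if __name__ == "__main__":
    print(soap_envelope(build_locate_request("req-1", SERVICE_URL, "CN=alice")))
    print(check_locate_result("req-1", SAMPLE_RESULT))
```

Note that Locate returns an UnverifiedKeyBinding: the client still has to validate the certificate itself (or use the Validate service), so a Success here means only that the service found a binding, not that it is trustworthy.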

Questions / answers

More information:  France : & ww.linagora.com  EJBCA Project: