27/09/2016 © 2009 PrimeKey Solutions AB

Slide 1: EJBCA PKI
PrimeKey Solutions AB
Tomas Gustavsson
http://www.primekey.se
tomas@primekey.se
www.ejbca.org
www.primekey.se
Slide 2: What is EJBCA?
- CMS = Certificate Management System
- EJBCA PKI: central Certificate Authority
- EJBCA OCSP: online certificate status; validation
- Java EE
Slide 3: What is EJBCA?
CMS: manage the life cycle of digital certificates
- Issue: multiple clients, multiple protocols, different content
- Revoke: multiple clients and protocols; issue revocation lists
- Hardware Security Modules...
Slide 4: Features
- RSA, DSA and ECDSA
- Support for PKCS#11 HSMs
- Unlimited number of CAs in one installation
- X.509 and CVC (ePassport) certificates
- Any type of certificate: SSL, smart card logon, VPN, ePassport, email, document signing, QC, ...
- Supports multiple architectures: all in one, clustered, external RA, external OCSP etc.
- Individual enrolment or batch creation, through web pages, protocols or APIs
- Configurable certificate and end entity profiles
- Administrator privileges
- CMP, SCEP, OCSP, XKMS
- Web service API
- CLI for scripting, local and web service
- Cluster support
- Supports different application servers and databases
- Embeddable SQL storage with optional publishing to LDAP, or anything else through scripts or plug-ins
- Plug-in APIs...
Slide 5: A brief history of EJBCA (timeline 2002 to 2007)
- v1.0: basic issuing functionality, CRLs, single CA, RSA, Java 1.3 and 1.4, JBoss 2.x
- v1.1: LDAP
- v1.3: Weblogic 7
- v2.0: EJB 2.0, profiles, admin web GUI, hard tokens, Java 1.4, JBoss 3.x
- v2.0.1: MS smart card logon
- v2.1: Active Directory, SCEP, OCSP
- v3.0: virtual CAs, Java 1.4 and 1.5
- v3.0.5: MS domain controller certificates, JBoss 4.x, Weblogic 8
- v3.1: nCipher HSM, SHA-256, EN, FR, IT, ES languages
- v3.1.3: RSASSA-PSS
- v3.2: qualified certificates, Eracom HSM, external OCSP, Chinese language
- v3.3: cluster enhancements, External RA API, approvals (dual auth), user data sources, SafeNet Luna HSM
- v3.4: ECDSA, CMP, XKMS, Weblogic 9, custom OIDs, custom extensions
Slide 6: History - EJBCA
- EJBCA 1.0: ~2 MB, 2001/2002, EJB1 technology
- EJBCA 2.0: ~3 MB, 2003, EJB2 technology
- EJBCA 3.0: ~6 MB, 2004, EJB2 technology
- EJBCA 3.8: ~44 MB, 2008/2009
- EJBCA 4.0: ~30 MB, 2009, EJB3 / JDK6 technology
Slide 7: Open source
- Hosted on Sourceforge.net
- Public svn
- All releases
- Forums and mailing lists
- ejbca.org
- #ejbca on freenode
- 87000 downloads, 1500-2500 per month
- LGPL v2.1 or later
Slide 8: Issue tracker
- Supports the development process
- Public access at http://jira.primekey.se/
Slide 9: Quality assurance
- Improving quality assurance
- New continuous integration server
- Constantly testing on supported platforms
- Public access at http://hudson.primekey.se/
Slide 10: PKI usages
Diagram: EJBCA PKI, SignServer, MRTD, DS Certificate (X.509), IS Certificate (CVC), Inspection system
Usages:
- VPN certificates
- SSL server certificates
- Logon certificates
- Email certificates
- Document signing
- SSL client certificates
Slide 11: Build complex PKI
Slide 12: Complicated, yes
- Admin interfaces for generic PKI will be complicated.
- Suitable only for PKI administrators.
- Even PKI administrators don't understand half of the options.
- Challenge: build a more user friendly interface next year...
Slide 13: (no text on this slide)
Slide 14: Complicated, yes. How to use it then?
- Hide the complexity from other administrators (IAM) by integrating.
- PKI is a function suited to background work.
- Users and normal administrators do not see EJBCA.
- Example: getting a browser certificate is only a simple web page.
Slide 15: End user interface
Slide 16: Demo (if possible...)
Slides 17 to 20: Demo
Slide 21: EJBCA high volume architecture
Diagram: CA node behind a load balancer, with an HA database and HSM; OCSP node behind a load balancer, with its own database and HSM; database master/slave replication between the two.
Slide 22: Full-blown architecture
Slide 23: External OCSP responder
- Out of the box, EJBCA has a pre-configured internal OCSP responder.
- EJBCA can be configured to use external OCSP responders: EJBCA writes out to an external certificate status database, which is used by the OCSP responder.
- This means no incoming traffic from a DMZ to the CA is necessary.
- The responders can be clustered using a load balancer.
- The OCSP responder can be configured to use HSMs for signing the OCSP responses.
- High performance: > 500 req/s on a low-end server with a good HSM.
Diagram: OCSP responders, CA, load balancer.
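A model of the publish-and-read pattern on this slide, added here as an example and not EJBCA's own code: the CA writes status records to an external database, and the responder answers only from that copy, so nothing from the DMZ has to reach the CA. It also handles two cases the slide does not spell out: a serial the CA never published is answered "unknown" rather than "good", and a copy the CA has not refreshed within a maximum age gets "tryLater". The record fields, the max_age parameter and all values are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Response values modelled on OCSP's certificate status (good/revoked/unknown)
# and its tryLater response status.
GOOD, REVOKED, UNKNOWN, TRY_LATER = "good", "revoked", "unknown", "tryLater"


@dataclass
class StatusRecord:
    """One row the CA publishes per issued certificate (fields are assumed)."""
    serial: int
    revoked: bool
    revocation_time: Optional[datetime] = None
    reason: Optional[str] = None


class StatusDatabase:
    """The external certificate status database: written by the CA, read by
    the responders. Only the CA side ever calls publish()."""

    def __init__(self) -> None:
        self.records: dict[int, StatusRecord] = {}
        self.last_publish: Optional[datetime] = None

    def publish(self, records: list[StatusRecord], now: datetime) -> None:
        for rec in records:
            self.records[rec.serial] = rec
        self.last_publish = now


class OcspResponder:
    """Answers status queries from the database copy only; never contacts the CA."""

    def __init__(self, db: StatusDatabase, max_age: timedelta) -> None:
        self.db = db
        self.max_age = max_age  # oldest copy we are still willing to vouch for

    def status(self, serial: int, now: datetime) -> str:
        # A stalled publish feed must not turn into "good" answers that hide
        # revocations the CA has already recorded; signal tryLater instead.
        if self.db.last_publish is None or now - self.db.last_publish > self.max_age:
            return TRY_LATER
        rec = self.db.records.get(serial)
        if rec is None:
            return UNKNOWN  # a serial the CA never published is not "good"
        return REVOKED if rec.revoked else GOOD
```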
Slide 24: External RA API
- EJBCA provides a secure Java API for communication with EJBCA from external locations.
- It is built around an external 'Message' database where external users put their requests and from which the CA periodically fetches and processes them. This denies all inbound traffic to the CA.
- The ExtRA API contains the most basic functions, like:
  - Generate certificate from PKCS10
  - Generate PKCS12 for the end user
  - Key recovery of the user's key (if requested using PKCS12)
  - Edit user, revoke certificate, ...
Diagram: External RA servers, CA, load balancer.
Slide 25: Web service API
- Remote web service API for administration commands.
- Command line client suitable for scripting or calling from other systems.

Terminal session from the slide:
    tomas@kubuntu:~/ejbca/dist/ejbcawscli$ ./ejbcawsracli.sh
    Usage: edituser | finduser | findcerts | pkcs10req | pkcs12req | revokecert | revoketoken | revokeuser | checkrevokationstatus
    tomas@tomas-kubuntu:~/ejbca/dist/ejbcawscli$ ./ejbcawsracli.sh edituser ws1 \
        foo123 true "CN=ws1,C=SE" NULL NULL AdminCA1 1 \
        PEM NEW EMPTY ENDUSER
    Trying to add user:
    Username: ws1
    Subject DN: CN=ws1,C=SE...
    User 'ws1' has been added/edited.
Slide 26: Who is using it?
- Swedish national police board
- Swedish labor market administration
- German insurance company LVM
- Societe Generale
- Cartes Bancaires
- Tax authority of Guangzhou
- Stock market in Brazil
- Asia Pacific NIC
- Many small companies for VPN, browser etc...
Slide 27: ePassport
First (and only) open source ePassport project.
Diagram: EJBCA PKI, HSM, SignServer, MRTD, passport production, sign document, DS Certificate (X.509), DV Certificate (CVC), inspection system.
Slide 28: IAM integration
Integrating EJBCA with IAM products
Tomas Gustavsson
http://www.primekey.se
tomas@primekey.se
www.ejbca.org
www.signserver.org
Slide 29: Integration interfaces
Many different standard, and non-standard, interfaces exist:
- CMP (IETF RFC 4210, 4211)
- SCEP (IETF)
- XKMS (OASIS XML standard)
- Web service
- HTTP
- Custom...
Slide 30: PKI and IAM
- Certificates are good for strong(er) authentication and single sign-on.
- Issue a certificate to the user for web access.
- In the first session the browser asks for a password.
- The same certificate can be used to authenticate to all services.
- Multiple certificates can also be used, still single sign-on.
Slide 31: PKI and IAM
Allows for different levels of assurance:
- Public parts: no authentication
- Internal non-sensitive/read-only parts: username + password
- Internal sensitive/write parts: browser certificate
- Sensitive/confidential parts: smart cards
Demo with EJBCA and OpenSSO with three levels of authentication for the Norwegian government.
Slide 32: Integrated administration
- We don't want user administration in both IAM and EJBCA.
- Admin adds the user in IAM; the rest is handled automatically.
Diagram: Admin -> IAM/OpenSSO (add user) -> web service client -> EJBCA (add user); User -> EJBCA (retrieve your certificate / get certificate) -> Target system.
Slide 33: Integrated infrastructure
Diagram labels: idP, Web Server, OpenSSO Access Mgmt, EJBCA PKI, LDAP server, SmartCard 2.0 Token Mgmt, external user, internal user, SignServer, PDF.
Slide 34: Thank you
PrimeKey Solutions AB
Tomas Gustavsson
http://www.primekey.se
tomas@primekey.se
www.ejbca.org
www.signserver.org