1 EJBCA Certificate Lifecycle

2 Contents
● Different ways to call EJBCA
● The dialogue with EJBCA
● Web pages
● Command line interface
● Java API
● SCEP
● CMP & CRMF
● XKMS
● Questions / answers

3 Different ways to call EJBCA

4 The dialogue with EJBCA
EJBCA can be called in the following ways:
● Web front end
● Command line interface (CLI)
● Java API (Web Service) for integrating EJBCA into other components
● The SCEP protocol, for routers
● The CMP protocol (Certificate Management Protocol)
● XKMS (XML Key Management Specification) calls

5 Web pages
EJBCA provides a public web front end for certificate enrollment and for downloading public information such as the CRL and the CA certificates. The HTML and JSP pages can be integrated into your intranet, and EJBCA ships code examples for key generation and certificate requests. The pages work like a cgi-bin script: the browser submits a form with the POST method.
The pages allow you to:
● Request a certificate (PKCS#10 request)
● Generate a certificate with your browser
● Retrieve your certificate (PKCS#12)
● Request a revocation
● Get the CRL
● Get the CA certificates

6 Command line interface (1/2)
Overview
EJBCA provides a CLI that exposes some of the RA and CA functions. Two kinds of CLI are offered:
● a batch CLI for Unix and Windows
● a Web Service CLI
Batch CLI for Unix and Windows:
● CA commands (get CRL, create CRL, list CAs, import a CA, activate or deactivate a CA, CA info, etc.)
● RA commands (add, delete, list, find and revoke users, key recovery, etc.)
● OCSP client
Batch mode runs the chosen commands from a script. Example usage:
bin/ejbca.sh ra revokeuser $username $reason

7 Command line interface (2/2)
Web Service CLI
The Web Service interface gives access to the basic functions. This CLI uses the Web Service specifications (SOAP, WSDL, etc.), and all calls to EJBCA are made over HTTPS. The functions currently available through the Web Service interface are:
● editUser: edits/adds user data
● findUser: retrieves the user data of a given user
● findCerts: retrieves the certificates issued to a user
● pkcs10Req: issues a certificate from the given user data and the public key in the PKCS#10 request
● pkcs12Req: generates a PKCS#12 keystore (including the private key) from the given user data
● revokeCert: revokes the given certificate
● revokeUser: revokes all certificates of a given user
● revokeToken: revokes all certificates stored on a given hard token
● checkRevokationStatus: checks the revocation status of a certificate
Example usage:
ejbcawsracli.cmd pkcs12req testuser2 foo123 2048 NONE tmp

8 Java API
The Web Service interface can be used to integrate EJBCA into other applications. The Web Service is built on JAX-WS 2.0, the reference implementation of the Java API for XML Web Services (JAX-WS) specification. Extensions available in that stack:
● OASIS WS-Security support
● WSIT (JAX-WS 2.0.1 M1 and later): WS-ReliableMessaging, WS-Policy, WS-MEX (Metadata Exchange), WS-Security, SOAP/TCP
● Pluggable transports (SOAP over TCP, JMS, servlet transport, etc.)
● FastInfoset (standardized binary encoding for the XML Information Set)

9 SCEP
Overview
The Simple Certificate Enrollment Protocol (SCEP) is a simple protocol for enrolling certificates on routers. It was developed by Cisco Systems and uses PKCS#7 and PKCS#10.
Characteristics
EJBCA implements the features of (at least) draft 11 of the SCEP specification, which means the following SCEP messages are implemented:
● PKCSReq (certificate request)
● GetCRL (get the certificate revocation list)
● GetCACert (get the CA certificate)
● GetCACertChain (get the CA certificate chain)
● GetCACaps (list the CA capabilities)
EJBCA successfully receives SCEP PKCSReq requests and sends back the certificate/CRL immediately in a proper SCEP reply message. EJBCA does not support the polling model: it uses the direct method, where a request is granted or denied immediately.
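The following client-side helpers are an added example (not EJBCA's code and not taken from the slides) showing the three decisions a SCEP client makes against a CA like the one described above: building the GET URL for each operation, negotiating hash and cipher from the GetCACaps reply, and acting on the pkiStatus of the CertRep. It assumes the pkiclient.exe URL layout, the capability tokens and the pkiStatus/failInfo numbering of the SCEP drafts and RFC 8894, and the EJBCA endpoint path shown is an assumption; the GetCACaps body is constructed, not captured.

```python
"""SCEP client-side helpers: operation URLs, GetCACaps negotiation and
CertRep pkiStatus handling. Added example, not EJBCA's own code.

Assumptions (not stated on the slide): the URL layout, the capability
tokens and the pkiStatus/failInfo numbering follow the SCEP drafts /
RFC 8894; the sample GetCACaps body below is constructed, not captured.
"""
from urllib.parse import urlencode

# Operations the slide lists, plus PKIOperation, which carries PKCSReq /
# CertRep inside the PKCS#7 envelope (sent by POST when the CA allows it).
GET_OPERATIONS = {"GetCACert", "GetCACertChain", "GetCRL", "GetCACaps"}

# Client preference, strongest first. Without GetCACaps the protocol's
# defaults are the legacy MD5 and single DES, which a client should refuse.
HASH_PREFERENCE = ["SHA-512", "SHA-256", "SHA-1"]
CIPHER_PREFERENCE = ["AES", "DES3"]

# pkiStatus / failInfo attribute values carried in a CertRep (as strings).
PKI_STATUS = {"0": "SUCCESS", "2": "FAILURE", "3": "PENDING"}
FAIL_INFO = {"0": "badAlg", "1": "badMessageCheck", "2": "badRequest",
             "3": "badTime", "4": "badCertId"}


def scep_url(base, operation, message=None):
    """Build the GET URL for one SCEP operation. `base` is the CA's
    pkiclient.exe endpoint, e.g. (assumed EJBCA layout)
    http://ca.example/ejbca/publicweb/apply/scep/pkiclient.exe"""
    if operation not in GET_OPERATIONS | {"PKIOperation"}:
        raise ValueError(f"unknown SCEP operation {operation!r}")
    params = {"operation": operation}
    if message is not None:          # e.g. the CA name for GetCACert
        params["message"] = message
    return f"{base}?{urlencode(params)}"


def parse_ca_caps(body):
    """GetCACaps reply: text/plain, one capability token per line."""
    return {line.strip() for line in body.splitlines() if line.strip()}


def negotiate(caps, allow_legacy=False):
    """Choose digest, cipher and transport from the advertised capabilities.
    Raises unless allow_legacy is set when only MD5/DES remain."""
    if "SCEPStandard" in caps:       # implies AES, SHA-256 and POSTPKIOperation
        caps = caps | {"AES", "SHA-256", "POSTPKIOperation"}
    digest = next((h for h in HASH_PREFERENCE if h in caps), "MD5")
    cipher = next((c for c in CIPHER_PREFERENCE if c in caps), "DES")
    if (digest == "MD5" or cipher == "DES") and not allow_legacy:
        raise RuntimeError("CA offers only MD5/DES; refusing to enroll")
    return {"digest": digest, "cipher": cipher,
            "method": "POST" if "POSTPKIOperation" in caps else "GET",
            "renewal": "Renewal" in caps}


def interpret_certrep(pki_status, fail_info=None, ca_supports_polling=False):
    """Decide what the client does with a CertRep's pkiStatus attribute.
    A CA that grants or denies immediately (as EJBCA does) never answers
    PENDING, so the client must not silently enter a polling loop."""
    status = PKI_STATUS.get(pki_status)
    if status == "SUCCESS":
        return ("install", "certificate is in the degenerate PKCS#7 payload")
    if status == "FAILURE":
        return ("abort", FAIL_INFO.get(fail_info, f"unknown failInfo {fail_info!r}"))
    if status == "PENDING":
        if not ca_supports_polling:
            raise RuntimeError("PENDING from a CA that does not support polling")
        return ("poll", "resend GetCertInitial with the same transactionID")
    raise ValueError(f"unknown pkiStatus {pki_status!r}")


# Constructed sample GetCACaps body (not a real capture).
SAMPLE_CAPS = "POSTPKIOperation\nSHA-256\nAES\nRenewal\nGetNextCACert\n"

if __name__ == "__main__":
    base = "http://ca.example/ejbca/publicweb/apply/scep/pkiclient.exe"  # assumed
    print(scep_url(base, "GetCACert", "ManagementCA"))
    print(negotiate(parse_ca_caps(SAMPLE_CAPS)))
    print(interpret_certrep("2", "1"))
```

The point of `negotiate` is the fallback: a CA that answers GetCACaps with nothing leaves the client at the protocol's MD5/DES defaults, so the client should fail closed rather than enroll with them.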

10 CMP and CRMF
Overview
The Certificate Management Protocol (RFC 4210) provides on-line interactions between PKI components, including the exchange between a Certification Authority (CA) and a client system. The Certificate Request Message Format (RFC 4211) is the syntax used to convey a certificate request to a CA, possibly via a Registration Authority (RA), for the purpose of X.509 certificate production.
EJBCA implements part of CMP. The following CMP messages are supported:
● Initialization request (ir)
● Certification request (cr)
● Certificate confirm (certConf)
CMP in EJBCA can work in two modes:
● Normal: when a request comes in, EJBCA verifies it and issues a certificate to a user that has previously been registered in EJBCA.
● RA: when the RA sends a certificate request to EJBCA, no user is pre-registered. When EJBCA receives the request, the message is authenticated using PasswordBasedMac (a MAC keyed from a secret shared between the RA and EJBCA).
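The PasswordBasedMac that protects an RA-mode request is specified in RFC 4210 section 5.1.3.1: the one-way function is applied iterationCount times, first to secret||salt and then to its own output, and the result keys the MAC over the DER-encoded PKIHeader and PKIBody. The following is an added example of that computation (not EJBCA's code, standard library only); the DER ProtectedPart is replaced by a constructed byte string, SHA-1/HMAC-SHA1 are the historical defaults and the iteration count of 1000 is an arbitrary choice, not EJBCA's setting.

```python
"""RFC 4210 section 5.1.3.1 PasswordBasedMac (PBM), the protection CMP uses
when the requester shares a secret with the CA/RA, as in EJBCA's RA mode.
Added example, not EJBCA's own code; standard library only.

Assumptions: the DER ProtectedPart (PKIHeader + PKIBody) that PBM covers
is replaced by a constructed byte string; SHA-1 / HMAC-SHA1 are the
historical defaults and iterationCount = 1000 is an arbitrary choice.

PBMParameter ::= SEQUENCE {
    salt            OCTET STRING,
    owf             AlgorithmIdentifier,   -- one-way function, e.g. SHA-1
    iterationCount  INTEGER,
    mac             AlgorithmIdentifier }  -- e.g. HMAC-SHA1
"""
import hashlib
import hmac
import os


def pbm_basekey(shared_secret, salt, owf="sha1", iteration_count=1000):
    """BASEKEY = OWF applied iterationCount times: first to secret||salt,
    then to the previous output (RFC 4210 5.1.3.1)."""
    if iteration_count < 1:
        raise ValueError("iterationCount must be >= 1")
    key = hashlib.new(owf, shared_secret + salt).digest()
    for _ in range(iteration_count - 1):
        key = hashlib.new(owf, key).digest()
    return key


def pbm_protect(protected_part, shared_secret, salt, owf="sha1",
                iteration_count=1000, mac="sha1"):
    """protection = MAC(BASEKEY, DER(ProtectedPart))."""
    key = pbm_basekey(shared_secret, salt, owf, iteration_count)
    return hmac.new(key, protected_part, mac).digest()


def pbm_verify(protected_part, tag, shared_secret, salt, owf="sha1",
               iteration_count=1000, mac="sha1"):
    """Constant-time check of the protection field with the shared secret."""
    expected = pbm_protect(protected_part, shared_secret, salt,
                           owf, iteration_count, mac)
    return hmac.compare_digest(expected, tag)


def ra_mode_exchange(protected_part, ra_secret, ca_secret, iteration_count=1000):
    """RA protects an ir with PBM; the CA, which has no pre-registered user
    for it, verifies it with the secret it holds. Returns (tag, accepted)."""
    salt = os.urandom(16)     # fresh per message, carried in PBMParameter
    tag = pbm_protect(protected_part, ra_secret, salt,
                      iteration_count=iteration_count)
    accepted = pbm_verify(protected_part, tag, ca_secret, salt,
                          iteration_count=iteration_count)
    return tag, accepted


# Constructed stand-in for DER(ProtectedPart) of an ir message (not real DER
# of a CMP message; any byte string works for the MAC computation).
SAMPLE_PROTECTED_PART = b"\x30\x0c\x30\x04\x02\x02\x00\x02\x30\x04\xa0\x02\x05\x00"

if __name__ == "__main__":
    tag, ok = ra_mode_exchange(SAMPLE_PROTECTED_PART, b"ra-shared-secret", b"ra-shared-secret")
    print(tag.hex(), ok)
    _, ok = ra_mode_exchange(SAMPLE_PROTECTED_PART, b"ra-shared-secret", b"wrong-secret")
    print(ok)
```

Because the salt, owf, iterationCount and mac all travel in the clear in PBMParameter, the only thing keeping a forged ir out in RA mode is the entropy of the shared secret; the iteration count slows an offline guess, it does not replace a strong secret.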

11 XKMS (1/2)
Overview
The XML Key Management Specification (XKMS) defines protocols for distributing and registering public keys. The protocols use the Simple Object Access Protocol (SOAP), and the relationships among messages are defined with the Web Services Definition Language (WSDL). XKMS comprises two parts:
● XML Key Information Service Specification (X-KISS)
● XML Key Registration Service Specification (X-KRSS)
X-KISS defines a protocol for a trust service that resolves public key information, with two services:
● Validate service
● Locate service
X-KRSS defines a protocol for a web service that accepts registration of public key information. Once registered, the public key may be used in conjunction with other web services, including X-KISS. Its operations are:
● Registration
● Revocation
● Key recovery
● Reissue

12 XKMS (2/2)
EJBCA and XKMS
● EJBCA supports X-KISS: the Validate and Locate services
● EJBCA supports X-KRSS: register, reissue, revoke and key recovery
XKMS defines four request-response patterns: synchronous, asynchronous, two-phase and compound. EJBCA supports only the synchronous request-response pair.
EJBCA provides both an XKMS server and an XKMS client:
● the client runs in batch mode on Windows and Unix
● the server is integrated into the EJBCA PKI; it is not available standalone yet

13 Questions / answers

14 More information:
France: www.ejbca-fr.org & www.linagora.com
EJBCA project: www.ejbca.org & www.primekey.com

