EJBCA
Encyclopedia
Enterprise Java Bean Certificate Authority, or EJBCA, is a free software
public key infrastructure
(PKI) certificate authority
software package maintained and sponsored by the Swedish
for-profit company PrimeKey Solutions AB, which holds the copyright
to most of the codebase. The project's source code
is available under terms of the Lesser GNU General Public License.
and designed to be platform independent and fully clusterable, to permit a greater degree of scalability than is typical of similar software packages. Multiple instances of EJBCA are run simultaneously, sharing a database containing the current certificate authorities (CAs). This permits each instance of the software to access any CA. The software also supports the use of a Hardware Security Module
(HSM), which provides additional security. Larger-scale installations would use multiple instances of EJBCA running on a cluster, a fully distributed database on a separate cluster and a third cluster with HSMs keeping the different CA keys.
, OCSP, CMP
, XKMS
, SCEP
, and Elliptic curves, including the new Card Verifiable Certificate
(CVC) EU standard for machine readable passports containing fingerprints, which will be mandatory as of June 26, 2009.
EJBCA supports all common asymmetric encryption algorithms, RSA, DSA and ECC, as well as the modern hash algorithms, SHA1, SHA256, SHA384, SHA512.
Apart from the features would expect from a Certificate Authority. EJBCA includes a few interesting features from a PKI point-of-view. In normal operation everything is stored and audit logged, including user entries in the built in RA. In the normal mode all properties that you would expect from a Certificate Authority applies, transactional behaviour, audit, revocation and CRL issuance.
You can however also configure EJBCA in a "throw away CA" mode, where nothing is stored in the database, but instead certificates are simply issued, to an RA, very fast. This is convenient if you don't need to store revocation information on the CA, and you need to issue huge volumes of certificates fast. In "throw away CA" mode EJBCA can issue hundreds of certificates per second from a single server.
(LGPL). The source code is hosted at SourceForge.net
. It was first posted there in November 2001. At that time the amount of source code was around 6,000 lines of code including test code. As of December 2008, it contains about 166,000 lines of code.
Note for the reader:
EJBCA is besides above samples of deployments - now (2010) also tested - in over 25 countries (Europe and ouside Europe) for different national projects: as health care cards, NeID, ePassports, Tachographs and driving licenses.
Over 250 commercial projects/deployments have been done by PrimeKey 2002–2011.
EJBCA is downloaded over 100,000 times on Global level at www.ejbca.org
Free software
Free software, software libre or libre software is software that can be used, studied, and modified without restriction, and which can be copied and redistributed in modified or unmodified form either without restriction, or with restrictions that only ensure that further recipients can also do...
public key infrastructure
Public key infrastructure
Public Key Infrastructure is a set of hardware, software, people, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates. In cryptography, a PKI is an arrangement that binds public keys with respective user identities by means of a certificate...
(PKI) certificate authority
Certificate authority
In cryptography, a certificate authority, or certification authority, is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key by the named subject of the certificate...
software package maintained and sponsored by the Swedish
Sweden
Sweden , officially the Kingdom of Sweden , is a Nordic country on the Scandinavian Peninsula in Northern Europe. Sweden borders with Norway and Finland and is connected to Denmark by a bridge-tunnel across the Öresund....
for-profit company PrimeKey Solutions AB, which holds the copyright
Copyright
Copyright is a legal concept, enacted by most governments, giving the creator of an original work exclusive rights to it, usually for a limited time...
to most of the codebase. The project's source code
Source code
In computer science, source code is text written using the format and syntax of the programming language that it is being written in. Such a language is specially designed to facilitate the work of computer programmers, who specify the actions to be performed by a computer mostly by writing source...
is available under terms of the Lesser GNU General Public License.
Design
The system is implemented in Java EEJava Platform, Enterprise Edition
Java Platform, Enterprise Edition or Java EE is widely used platform for server programming in the Java programming language. The Java platform differs from the Java Standard Edition Platform in that it adds libraries which provide functionality to deploy fault-tolerant, distributed, multi-tier...
and designed to be platform independent and fully clusterable, to permit a greater degree of scalability than is typical of similar software packages. Multiple instances of EJBCA are run simultaneously, sharing a database containing the current certificate authorities (CAs). This permits each instance of the software to access any CA. The software also supports the use of a Hardware Security Module
Hardware Security Module
A hardware security module is a type of secure cryptoprocessor targeted at managing digital keys, accelerating cryptoprocesses in terms of digital signings/second and for providing strong authentication to access critical keys for server applications...
(HSM), which provides additional security. Larger-scale installations would use multiple instances of EJBCA running on a cluster, a fully distributed database on a separate cluster and a third cluster with HSMs keeping the different CA keys.
Features
EJBCA follows the major standards in the PKI area, such as X.509X.509
In cryptography, X.509 is an ITU-T standard for a public key infrastructure and Privilege Management Infrastructure . X.509 specifies, amongst other things, standard formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation...
, OCSP, CMP
Certificate Management Protocol
The Certificate Management Protocol is an Internet protocol used for obtaining X.509 digital certificates in a public key infrastructure . It is described in RFC 4210 and is one of two protocols so far to use the Certificate Request Message Format , described in RFC 4211, with the other protocol...
, XKMS
XKMS
XML Key Management Specification uses the web services framework to make it easier for developers to secure inter-application communication using public key infrastructure . XML Key Management Specification is a protocol developed by W3C which describes the distribution and registration of public...
, SCEP
Simple Certificate Enrollment Protocol
Simple Certificate Enrollment Protocol is an Internet Draft in the Internet Engineering Task Force . This protocol is being referenced by several manufacturers of network equipment and software who are developing simplified means of handling certificates for large-scale implementation to everyday...
, and Elliptic curves, including the new Card Verifiable Certificate
Card Verifiable Certificate
Card Verifiable Certificates are digital certificates that are designed to be processed by devices with limited computing power such as smart cards....
(CVC) EU standard for machine readable passports containing fingerprints, which will be mandatory as of June 26, 2009.
EJBCA supports all common asymmetric encryption algorithms, RSA, DSA and ECC, as well as the modern hash algorithms, SHA1, SHA256, SHA384, SHA512.
Apart from the features would expect from a Certificate Authority. EJBCA includes a few interesting features from a PKI point-of-view. In normal operation everything is stored and audit logged, including user entries in the built in RA. In the normal mode all properties that you would expect from a Certificate Authority applies, transactional behaviour, audit, revocation and CRL issuance.
You can however also configure EJBCA in a "throw away CA" mode, where nothing is stored in the database, but instead certificates are simply issued, to an RA, very fast. This is convenient if you don't need to store revocation information on the CA, and you need to issue huge volumes of certificates fast. In "throw away CA" mode EJBCA can issue hundreds of certificates per second from a single server.
Development
EJBCA is licensed under the standard GNU Lesser General Public LicenseGNU Lesser General Public License
The GNU Lesser General Public License or LGPL is a free software license published by the Free Software Foundation . It was designed as a compromise between the strong-copyleft GNU General Public License or GPL and permissive licenses such as the BSD licenses and the MIT License...
(LGPL). The source code is hosted at SourceForge.net
SourceForge.net
SourceForge is a web-based source code repository. It acts as a centralized location for software developers to control and manage open source software development. The website runs a version of SourceForge Enterprise Edition, forked from the last open-source version available...
. It was first posted there in November 2001. At that time the amount of source code was around 6,000 lines of code including test code. As of December 2008, it contains about 166,000 lines of code.
Known major installations
There are many known installations all over the world, among them:- USA, California: Concealed customer (up to 150.000.000 users)
- Sweden: Bankgirocentralen BGC AB/BankID (National eID), 2,500.000 users (up to 4,000.000 users)´
- Sweden: The Swedish Police, 25,000 users
- Sweden: Ministry of Justice, The Swedish Police, ePassports for Citizens, up to 9,000.000
- Norway: Ministry of Interior - Norwegian Police (PDMT), ePassports for Norwegian Citizens and diplomats (up to 4,500.000 users)
- Iceland: Registry of Persons, ePassports for Citizens, up to 300,000.
- Lithuania: Ministry of Foreign Affairs, ePassport for Diplomats, up to 10,000.
- Germany: LVM AG, 15,000 Users
- France: Societe Generale S.A, up to 400,000 Users
- Turkey: Ministry of Foreign Affairs, ePassports for Turkish citizens and diplomats, 10,000 Passports per day, up to 80,000.000.
- Bahrain: Manama, CIO-Office, NeID for Citizens, up to 600,000.
- France: Ministry of Defence, 1,500 Users
- Greece: The Greek Police, 30,000 Users
- France: Ministry of Finance, 80,000 Users
- China: ZhuHai Local Taxation Bureau, 50,000 Users
- Spain: Grupo Safa, Spain, 20,000 users
- Brazil: Serasa.com, 20,000 users
- Spain: Autoritat de Certificació de la Comunitat Valenciana, over 75,000 users
Note for the reader:
EJBCA is besides above samples of deployments - now (2010) also tested - in over 25 countries (Europe and ouside Europe) for different national projects: as health care cards, NeID, ePassports, Tachographs and driving licenses.
Over 250 commercial projects/deployments have been done by PrimeKey 2002–2011.
EJBCA is downloaded over 100,000 times on Global level at www.ejbca.org
External links
- EJBCA at SourceForge
- EJBCA evaluation report from University of Queensland, AU
- Finding and Preventing Run-Time Error Handling Mistakes; Westley Weimer, George C. Necula; University of California, Berkeley
- Migration guide from OpenSSL CAs
- Migration guide from MS CAs
- EJBCA at java-source.net
- EJBCA is used as a component in Chillout
- Information about EJBCA in French
- EJBCA proposed as a solution for How to Overcome the Challenges to Large Scale Adoption of Open Source Software and Systems in Pakistan Business and Industrial Environment ; Athar Mahboob and Nassar Ikram; National University of Sciences & Technology, Karachi
EJBCA in literature
- Research and application of EJBCA based on J2EE; Liyi Zhang, Qihua Liu and Min Xu; IFIP International Federation for Information Processing Volume 251/2008; ISBN 978-0-387-75465-9
- Chapter "Securing Connections and Remote Administration" in Hardening Linux; James Turnbull; ISBN 978-1-59059-444-5
- Exception-Handling Bugs in Java and a Language Extension to Avoid Them; Westley Weimer; Advanced Topics in Exception Handling Techniques Volume 4119/2006; ISBN 978-3-540-37443-5
- A workflow based architecture for Public Key Infrastructure; Johan Eklund; TRITA-CSC-E 2010:047