TA2 Certificate Extensions

  • Anonymous - 2012-12-13


    Hello from Bosnia & Herzegovina. First of all, we are using EJBCA for issuing CVC certificates for our biometric passport.

    Now we are finishing a new eID project. It is based on German BSI documents, which add some certificate extensions for Terminal Authentication version 2.

    I am trying to add these extensions as Basic or Advanced Extensions. Maybe I am wrong, but these custom extensions are only added to end user certificates and not to Root and SubRoot certificates?

    Is it possible to add these extensions this way, or do I have to make some source code changes?

    Best regards,

    Đorđe Cvijanović

  • Tomas Gustavsson

    You can also select certificate profiles for issuing CA certificates, no problem. There is a certificate profile field in "Edit CAs".

    Will you provide your extensions to the community?


    PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact info@primekey.se for more information.

  • Anonymous - 2012-12-16

    Dear Tomas,

    Yes, I will provide the source code changes to the community. Of course, if the community wants it…

    I have two tasks to finish:
    1. Change of cert-cvc lib:
        a) add CertificateDescription extension (sequence) (used for giving info to the end user about use of data from the eID) - contains OID and info about issuer, subject, terms of usage and URL with more info.
        b) add TerminalSector extension (used for RestrictedIdentification - pseudonym) - contains OID and two hashes of public key data objects.
        c) change AuthorizationField class to support different types of terminals (Inspection, Authenticated and Sign Terminals)
        d) change createCertificate function in class CertificateGenerator and all others which call or are called from this method according to the new AuthorizationField class (and CertificateDescription and Terminal Sector).

    2. Change EJBCA source code:
        a) Admin GUI
        b) Web Service calls

    1.c) and 1.d) are already finished. I changed the source code and everything works nicely.
    I finished 2.a) too.

    I am not sure that I am doing it in the correct manner.

    That's why I sent the question to this forum, to see what is the best way of doing this. I am not too lazy to make source code changes, but if there is some better way of making EJBCA compatible with the German profile, it is much better to use it.

    So, do you have some suggestions on how to do these tasks?

    Best regards,

    Đorđe Cvijanović

  • Tomas Gustavsson


    Sounds very nice.

    Is this EAC v2.05 you are talking about?

    I think your list of steps is the right one. Some things to consider:
    - Cert-cvc must be backwards compatible with EAC 1.11 (since this is the one used in production for ePassports today). That means all new things must be optional and configurable.
    - Certificate profile in EJBCA/Admin GUI should probably be used to configure which EAC profile to use, and the values of the fields.

    In addition there should be:
    - JUnit tests in cert-cvc library
    - JUnit tests to verify backward compatibility and the new fields

    I think you are on the right track.


  • Anonymous - 2012-12-20

    Dear Tomas,

    As a reference document I use BSI "Technical Guideline TR-03110-2". The version of this document is 2.10 (March, 2012).

    Yes, I know that cert-cvc must remain backwards compatible. We must keep it that way because we use old certificates for Inspection Systems. I added a parameter AccessTerminalType (of type AccesTerminalTypeEnum) which then leads the code to generate one or five byte length AccessRights. I changed the parameter rights (CertificateGenerator.createCertificate) from "enum" to "set of".

    On the GUI I added five fields for Authenticated Terminals access rights. If you select a value in the old fields for access rights, then I use Inspection System as the value for AccessTerminalType. If you select some values in the new five fields, then I create an AuthenticatedTerminal certificate.

    You mean to add some preinstalled certificate profile? OK, my question is how to add some new extensions to this profile?

    Thanks for your info.

    Best regards


  • Tomas Gustavsson

    Great. No, I did not mean to add a preinstalled certificate profile. I meant what I think you have done, to add the fields to be able to select new values, and not use them if not selected.
    It should be user friendly and clear to the user when EAC 1.11 or 2.10 is used so there will be no mistakes.
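
The one-byte versus five-byte access rights discussed in the thread, as an added example that is not code from cert-cvc, EJBCA or either poster: a strict parser for the CVC authorization template that ties the rights length to the terminal type OID, so an EAC 1.11 Inspection System field and a TR-03110 v2 Authentication Terminal field cannot be confused. The function names are hypothetical, the sample bytes are constructed, and the tags (7F4C, 06, 53) and id-roles OIDs are assumed to be as in TR-03110.

```python
# Added example: strict parse of a Certificate Holder Authorization Template.
# Assumption: id-roles OID 0.4.0.127.0.7.3.1.2.x with x = 1 (IS), 2 (AT), 3 (ST).
ID_ROLES_PREFIX = bytes.fromhex("04007f0007030102")
TERMINAL_TYPES = {1: ("IS", 1), 2: ("AT", 5), 3: ("ST", 1)}  # arc -> (type, rights length)
# Role is carried in the top two bits of the first rights byte (names abbreviated).
ROLES = {0b11: "CVCA", 0b10: "DV (domestic)", 0b01: "DV (foreign)", 0b00: "Terminal"}

# Constructed sample inputs, not taken from any real certificate.
IS_CHAT = bytes.fromhex("7f4c0e060904007f0007030102015301c3")
AT_CHAT = bytes.fromhex("7f4c12060904007f00070301020253050000000004")
MISMATCHED_CHAT = bytes.fromhex("7f4c0e060904007f0007030102025301c3")  # AT OID, 1 byte

def read_tlv(buf, pos, tag):
    """Read one TLV with the expected tag and a short-form length."""
    if buf[pos:pos + len(tag)] != tag:
        raise ValueError(f"expected tag {tag.hex()} at offset {pos}")
    pos += len(tag)
    if pos >= len(buf) or buf[pos] > 0x7F:
        raise ValueError("missing or long-form length")
    end = pos + 1 + buf[pos]
    if end > len(buf):
        raise ValueError("truncated value")
    return buf[pos + 1:end], end

def parse_chat(der):
    """Return terminal type, role and rights; reject any length/OID mismatch."""
    body, end = read_tlv(der, 0, b"\x7f\x4c")
    if end != len(der):
        raise ValueError("trailing bytes after template")
    oid, pos = read_tlv(body, 0, b"\x06")
    rights, pos = read_tlv(body, pos, b"\x53")
    if pos != len(body):
        raise ValueError("unexpected data inside template")
    if len(oid) != 9 or oid[:8] != ID_ROLES_PREFIX or oid[8] not in TERMINAL_TYPES:
        raise ValueError("unknown terminal type OID")
    name, expected = TERMINAL_TYPES[oid[8]]
    if len(rights) != expected:
        raise ValueError(f"{name} rights must be {expected} byte(s), got {len(rights)}")
    return {"terminal_type": name, "role": ROLES[rights[0] >> 6], "rights": rights.hex()}

if __name__ == "__main__":
    for sample in (IS_CHAT, AT_CHAT):
        print(parse_chat(sample))
```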


