ejbca-develop Mailing List for EJBCA, JEE PKI Certificate Authority (Page 66)

Brought to you by: anatom, hsunmark, karolinhem, mikekushner, and 2 others

ejbca-develop — Development discussions

You can subscribe to this list here.

2001	Jan	Feb	Mar	Apr	May	Jun	Jul	Aug	Sep	Oct	Nov (1)	Dec (3)
2002	Jan (3)	Feb (2)	Mar (8)	Apr (3)	May (6)	Jun (1)	Jul (15)	Aug (6)	Sep	Oct (10)	Nov (2)	Dec (4)
2003	Jan (1)	Feb (7)	Mar (3)	Apr (6)	May (7)	Jun (5)	Jul (5)	Aug (25)	Sep (14)	Oct (2)	Nov	Dec (2)
2004	Jan (7)	Feb (4)	Mar (12)	Apr (16)	May (43)	Jun (56)	Jul (43)	Aug (40)	Sep (66)	Oct (12)	Nov (26)	Dec (10)
2005	Jan (13)	Feb (33)	Mar (16)	Apr (7)	May (10)	Jun (34)	Jul (41)	Aug (8)	Sep (4)	Oct (32)	Nov (20)	Dec (25)
2006	Jan (30)	Feb (101)	Mar (5)	Apr (75)	May (74)	Jun (22)	Jul (6)	Aug (70)	Sep (19)	Oct (21)	Nov (31)	Dec (50)
2007	Jan (15)	Feb (20)	Mar (24)	Apr (33)	May (13)	Jun (18)	Jul (13)	Aug (7)	Sep (63)	Oct (68)	Nov (29)	Dec (68)
2008	Jan (30)	Feb (33)	Mar (30)	Apr (103)	May (78)	Jun (48)	Jul (72)	Aug (24)	Sep (62)	Oct (63)	Nov (70)	Dec (37)
2009	Jan (34)	Feb (35)	Mar (64)	Apr (34)	May (34)	Jun (58)	Jul (30)	Aug (30)	Sep (46)	Oct (52)	Nov (12)	Dec (23)
2010	Jan (121)	Feb (18)	Mar (53)	Apr (62)	May (62)	Jun (20)	Jul (33)	Aug (20)	Sep (36)	Oct (35)	Nov (44)	Dec (63)
2011	Jan (19)	Feb (32)	Mar (94)	Apr (41)	May (47)	Jun (25)	Jul (34)	Aug (20)	Sep (9)	Oct (41)	Nov (33)	Dec (24)
2012	Jan (12)	Feb (36)	Mar (48)	Apr (32)	May (20)	Jun (15)	Jul (32)	Aug (13)	Sep (33)	Oct (54)	Nov (25)	Dec (16)
2013	Jan (45)	Feb (39)	Mar (38)	Apr (50)	May (29)	Jun (30)	Jul (33)	Aug (12)	Sep (9)	Oct (25)	Nov (29)	Dec (20)
2014	Jan (25)	Feb (19)	Mar (16)	Apr (33)	May (27)	Jun (37)	Jul (29)	Aug (27)	Sep (37)	Oct (58)	Nov (109)	Dec (26)
2015	Jan (4)	Feb (35)	Mar (22)	Apr (35)	May (28)	Jun (20)	Jul (4)	Aug (16)	Sep (37)	Oct (13)	Nov (13)	Dec (14)
2016	Jan (22)	Feb (7)	Mar (23)	Apr (30)	May (10)	Jun (10)	Jul (15)	Aug (12)	Sep (22)	Oct (31)	Nov (5)	Dec (5)
2017	Jan (30)	Feb (25)	Mar (28)	Apr (4)	May (19)	Jun (13)	Jul (7)	Aug (1)	Sep (2)	Oct (5)	Nov (12)	Dec (2)
2018	Jan (7)	Feb	Mar (7)	Apr (2)	May (8)	Jun (18)	Jul (6)	Aug (3)	Sep (15)	Oct (33)	Nov (13)	Dec (7)
2019	Jan (5)	Feb (7)	Mar (30)	Apr (5)	May (4)	Jun (69)	Jul (86)	Aug (22)	Sep (6)	Oct (7)	Nov (5)	Dec (3)
2020	Jan (10)	Feb (12)	Mar (22)	Apr (5)	May (1)	Jun (4)	Jul (6)	Aug	Sep (9)	Oct	Nov	Dec (1)
2021	Jan (4)	Feb (11)	Mar (7)	Apr (7)	May	Jun (3)	Jul (10)	Aug (6)	Sep	Oct	Nov (18)	Dec (2)
2022	Jan (1)	Feb (1)	Mar	Apr	May	Jun (2)	Jul	Aug (4)	Sep	Oct	Nov	Dec
2023	Jan	Feb	Mar	Apr (1)	May (1)	Jun	Jul	Aug (5)	Sep	Oct	Nov	Dec

Flat | Threaded

<< < 1 .. 64 65 66 67 68 .. 233 > >> (Page 66 of 233)

Re: [Ejbca-develop] What's coming up in EJBCA version 6, part 1

From: Christian F. <hos...@ip...> - 2013-08-21 14:02:48

Hi Tomas,

one question which may arise, is upgrade from Ejbca 4.0.x to 6.x possible w/o data loss?

Cheers
Christian

Am 19.08.13 10:01, schrieb Tomas Gustavsson:
> EJBCA v6 is brewing, for release later this autumn. I have started a

[Ejbca-develop] What's coming up in EJBCA version 6, part 1

From: Tomas G. <to...@pr...> - 2013-08-19 08:01:46

Hi,

EJBCA v6 is brewing, for release later this autumn. I have started a 
short blog series about what is coming up in v6. There are many exiting 
features and improvements, I can promise that.

Part 1: Crypto Token management, in GUI
http://blog.ejbca.org/2013/08/whats-new-in-ejbca-6-part-1-crypto.html

Cheers,
Tomas

[Ejbca-develop] Call for digital signature support in free PDF readers

From: Markus K. <ma...@pr...> - 2013-08-15 12:44:59

Hi,

Today there are good and free PDF readers available as an alternative to
the large proprietary reader [1]. One missing feature though, is support
for digital signatures.


I am reaching out on this mailing list as I know many people with
knowledge of PKI and an interest in digital signatures are available here.


There is a ticket available in Poppler [2] for implementing support for
verifying digital signatures and during the last five years some initial
patches as been developed [3]. Poppler is the PDF rendering library used
by many PDF applications such as Evince and Okular.

Recently some people has started to donate money at FreedomSponsors to
get the implementation going:
http://www.freedomsponsors.org/core/issue/319/support-for-digital-signatures


So if you want to step up and do the implementation or to support those
that will by placing a bounty at FreedomSponsors, now is a good time :)


[1] http://PDFReaders.org/
[2] http://freedesktop.org/wiki/Software/poppler/
[3] https://bugs.freedesktop.org/show_bug.cgi?id=16770
[4]
http://www.freedomsponsors.org/core/issue/319/support-for-digital-signatures


Best regards,
Markus

Re: [Ejbca-develop] Slot management with nCipher

From: Manuel D. <ma...@de...> - 2013-08-12 07:55:21

On Mon, Aug 12, 2013 at 9:45 AM, Daniel JAMET <Dan...@e-...> wrote:
> I sent this mail a month ago but my problem isn't resolve.
>
>
>
> I don't understand why i can't create key with clientToolBox for the
> following reason: slotListIndex is 1 but token only has 1 slots

I would guess that the first/only slot has index 0.

Hope that helps,
Manuel

[Ejbca-develop] Slot management with nCipher

From: Daniel J. <Dan...@e-...> - 2013-08-12 07:45:15

I sent this mail a month ago but my problem isn't resolve.



I don't understand why i can't create key with clientToolBox for the 
following reason: slotListIndex is 1 but token only has 1 slots 

ckinfo display: 

PKCS#11 library CK_INFO 
       interface version 2.01 
                   flags 0 
          manufacturerID "nCipher Corp. Ltd               " 
      libraryDescription "nCipher PKCS#11 1.71.21         " 
  implementation version 1.71 

slots[0] CK_SLOT_INFO 
         slotDescription "Racine                " 
          manufacturerID "nCipher Corp. Ltd               " 
                   flags 6 
                   flags & CKF_REMOVABLE_DEVICE 
                   flags & CKF_HW_SLOT 
        hardware version 0.00 
        firmware version 0.00 


slots[0] Token not present 
slots[1] CK_SLOT_INFO 
         slotDescription "SRV                " 
          manufacturerID "nCipher Corp. Ltd               " 
                   flags 6 
                   flags & CKF_REMOVABLE_DEVICE 
                   flags & CKF_HW_SLOT 
        hardware version 0.00 
        firmware version 0.00 


slots[1] Token not present 


I have created the file /opt/nfast/cknfastrc : 

CKNFAST_LOADSHARING=1 
CKNFAST_NO_ACCELERATOR_SLOTS=1 
CKNFAST_NO_UNWRAP=1 
CKNFAST_OVERRIDE_SECURITY_ASSURANCES=import 
# CKNFAST_DEBUG=10 
# CKNFAST_DEBUGFILE=/tmp/nfast.debug 

the trace log is: 

2013-07-10 09:36:01,053 DEBUG [org.ejbca.util.keystore.KeyTools] name = 
libcknfast.so-slot1 
library = /opt/nfast/toolkits/pkcs11/libcknfast.so 
slotListIndex = 1 
attributes(*, *, *) = { 
  CKA_TOKEN = true 
} 
attributes(*, CKO_PUBLIC_KEY, *) = { 
  CKA_ENCRYPT = true 
  CKA_VERIFY = true 
  CKA_WRAP = true 
} 
attributes(*, CKO_PRIVATE_KEY, *) = { 
  CKA_PRIVATE = true 
  CKA_SENSITIVE = true 
  CKA_EXTRACTABLE = false 
  CKA_DECRYPT = true 
  CKA_SIGN = true 
  CKA_UNWRAP = true 
} 

2013-07-10 09:36:01,054 DEBUG [org.ejbca.util.keystore.KeyTools] 
{SLOT_ID=[1], 
PKCS11_NATIVE_MODULE=/opt/nfast/toolkits/pkcs11/libcknfast.so} 
2013-07-10 09:36:01,058 INFO  [org.ejbca.util.keystore.KeyTools] Using SUN 
PKCS11 provider: sun.security.pkcs11.SunPKCS11 
2013-07-10 09:36:01,156 ERROR [org.ejbca.util.keystore.KeyTools] Error 
constructing pkcs11 provider: null 
2013-07-10 09:36:01,158 ERROR [org.ejbca.ui.cli.HSMKeyTool] Command 
'PKCS11HSMKeyTool generate /opt/nfast/toolkits/pkcs11/libcknfast.so null 
pkcs11 4096 defaultSRV i1' could not be executed. 
java.io.IOException: Error constructing pkcs11 provider: null 
        at 
org.ejbca.util.keystore.KeyTools.getP11Provider(KeyTools.java:908) 
        at 
org.ejbca.util.keystore.KeyTools.getP11Provider(KeyTools.java:864) 
        at 
org.ejbca.util.keystore.KeyStoreContainerP11.getInstance(KeyStoreContainerP11.java:51) 

        at 
org.ejbca.util.keystore.KeyStoreContainerFactory.getInstance(KeyStoreContainerFactory.java:55) 

        at org.ejbca.ui.cli.HSMKeyTool.doIt(HSMKeyTool.java:137) 
        at org.ejbca.ui.cli.HSMKeyTool.execute(HSMKeyTool.java:290) 
        at 
org.ejbca.ui.cli.PKCS11HSMKeyTool.execute(PKCS11HSMKeyTool.java:47) 
        at 
org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40) 
        at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:70) 
Caused by: java.lang.reflect.InvocationTargetException 
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native 
Method) 
        at 
sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:57) 

        at 
sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45) 

        at java.lang.reflect.Constructor.newInstance(Constructor.java:532) 

        at 
org.ejbca.util.keystore.KeyTools.getP11Provider(KeyTools.java:905) 
        ... 8 more 
Caused by: java.security.ProviderException: Initialization failed 
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:358) 
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:107) 
        ... 13 more 
Caused by: java.security.ProviderException: slotListIndex is 1 but token 
only has 1 slots 
        at sun.security.pkcs11.SunPKCS11.<init>(SunPKCS11.java:340) 
        ... 14 more 


ckinfo give the index 1 for SRV.   How do yo explain this ? 

EJBCA 4.0.13
JBOSS 6.10

Kind regards 
Daniel JAMET
Direction DPM
Tél : +33 1 55 23 31 70 
dan...@e-...
____________________________
Société d'Exploitation de Réseaux et de Services Sécurisés
Immeuble "Le Linéa" 
1, rue du Général Leclerc
92800 PUTEAUX

Re: [Ejbca-develop] Opening the project in an IDE

From: Tomas G. <to...@pr...> - 2013-08-02 14:37:03

Check in wiki.EJBCA.org, there is a chapter för developers there.

Cheers,
Tomas


Marcio Pereira <mar...@gm...> skrev:
>I'm starting with JEE and encryption. And I need to open the source
>code of
>EJBCA in some IDE (netbeans, eclipse). Whenever I try to open the
>project, the
>"imports" into the ".java" files are unresolved and can not find each
>other.
>
>Please, how can I do (or fix) this? I need to open the source code to
>make some
>changes, "linking" the project files to each ohter in an IDE...
>
>Thanks for help.
>
>
>------------------------------------------------------------------------
>
>------------------------------------------------------------------------------
>Get your SQL database under version control now!
>Version control is standard for application code, but databases havent 
>caught up. So what steps can you take to put your SQL databases under 
>version control? Why should you start doing it? Read more to find out.
>http://pubads.g.doubleclick.net/gampad/clk?id=49501711&iu=/4140/ostg.clktrk
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Ejbca-develop mailing list
>Ejb...@li...
>https://lists.sourceforge.net/lists/listinfo/ejbca-develop

[Ejbca-develop] Opening the project in an IDE

From: Marcio P. <mar...@gm...> - 2013-08-02 13:52:23

I'm starting with JEE and encryption. And I need to open the source code of
EJBCA in some IDE (netbeans, eclipse). Whenever I try to open the project, the
"imports" into the ".java" files are unresolved and can not find each other.

Please, how can I do (or fix) this? I need to open the source code to make some
changes, "linking" the project files to each ohter in an IDE...

Thanks for help.

Re: [Ejbca-develop] Issue with key escrow and Luna HSM

From: Tomas G. <to...@pr...> - 2013-07-29 15:55:33

On 07/29/2013 03:13 PM, Bruno Bonfils wrote:
> On Mon 29 July, Tomas Gustavsson wrote:
>>
>> Hi Bruno,
>>
>
> Hi Tomas,
>
> thanks for you feedback.
>
>>
>> It is so that it tries to use PKCS#11 for the symmetric encryption as
>> well, not only for asymmetric. So flags on your keys do not matter.
>> Unfortunately symmetric ciphers on HSMs is a nightmare, where you have
>> to code specifically for each HSM. So this might work with another HSM,
>> but not the Luna. The solution was to use BC (soft) for the symmetric
>> session keys and asymmetric (HSM) for session key wrapping.
>>
>> This requires a later version of BC than present in EJBCA 4, something
>> that is a big task. So backporting the fix to EJBCA 4 is unfortunately
>> not an option at this point.
>>
>> You best options currently might currently be:
>> - Move to Enterprise Edition (CC certified EJBCA 5)
>> - Use soft CA keys
>> - Wait for EJBCA 6 (sometimes during autumn)
>
> It is possible to use a soft key only for key ciphering?

Unfortunately you can not mix HSM keys with Soft keys in a CA :-(

Cheers,
Tomas

Re: [Ejbca-develop] Issue with key escrow and Luna HSM

From: Bruno B. <as...@as...> - 2013-07-29 13:13:11

On Mon 29 July, Tomas Gustavsson wrote:
> 
> Hi Bruno,
> 

Hi Tomas,

thanks for you feedback.

> 
> It is so that it tries to use PKCS#11 for the symmetric encryption as 
> well, not only for asymmetric. So flags on your keys do not matter. 
> Unfortunately symmetric ciphers on HSMs is a nightmare, where you have 
> to code specifically for each HSM. So this might work with another HSM, 
> but not the Luna. The solution was to use BC (soft) for the symmetric 
> session keys and asymmetric (HSM) for session key wrapping.
> 
> This requires a later version of BC than present in EJBCA 4, something 
> that is a big task. So backporting the fix to EJBCA 4 is unfortunately 
> not an option at this point.
> 
> You best options currently might currently be:
> - Move to Enterprise Edition (CC certified EJBCA 5)
> - Use soft CA keys
> - Wait for EJBCA 6 (sometimes during autumn)

It is possible to use a soft key only for key ciphering?

Anyway, thanks you again.

-- 
http://asyd.net/home/    - Home Page
http://netvibes.com/asyd - Portal

Re: [Ejbca-develop] Issue with key escrow and Luna HSM

From: Tomas G. <to...@pr...> - 2013-07-29 13:07:10

Hi Bruno,

Since it is key recovery I think you have been bit by 
https://jira.primekey.se/browse/ECA-2739.

It is so that it tries to use PKCS#11 for the symmetric encryption as 
well, not only for asymmetric. So flags on your keys do not matter. 
Unfortunately symmetric ciphers on HSMs is a nightmare, where you have 
to code specifically for each HSM. So this might work with another HSM, 
but not the Luna. The solution was to use BC (soft) for the symmetric 
session keys and asymmetric (HSM) for session key wrapping.

This requires a later version of BC than present in EJBCA 4, something 
that is a big task. So backporting the fix to EJBCA 4 is unfortunately 
not an option at this point.

You best options currently might currently be:
- Move to Enterprise Edition (CC certified EJBCA 5)
- Use soft CA keys
- Wait for EJBCA 6 (sometimes during autumn)

Cheers,
Tomas
**********
PrimeKey Solutions AB
Anderstorpsvägen 16, 171 54 Solna, Sweden
Mob: +46 (0)707421096
Internet: www.primekey.se
Twitter: twitter.com/primekeyPKI
**********

On 07/29/2013 02:01 PM, Bruno Bonfils wrote:
> Hello,
>
> I have an exception: "No key recovery data exists for user" when I try
> to reissue a P12 keystore issued by a CA stored in a Luna HSM. The
> entity is marked as 'Key recoverable' and status is set to 'Key
> Recovery'.
>
> I also have the following error:
> "sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TEMPLATE_INCONSISTENT"
>
> Here the CA PKCS11 properties:
>
> sharedLib=/usr/lunasa/lib/libCryptoki2_64.so
> slot=1
> certSignKey=key
> crlSignKey=key
> defaultKey=key
> pin=<pin code>
>
> Any help will be appreciated!
>
> Best regards
>

[Ejbca-develop] Issue with key escrow and Luna HSM

From: Bruno B. <as...@as...> - 2013-07-29 12:19:17

Hello,

I have an exception: "No key recovery data exists for user" when I try
to reissue a P12 keystore issued by a CA stored in a Luna HSM. The
entity is marked as 'Key recoverable' and status is set to 'Key
Recovery'.

I also have the following error:
"sun.security.pkcs11.wrapper.PKCS11Exception: CKR_TEMPLATE_INCONSISTENT"

Here the CA PKCS11 properties:

sharedLib=/usr/lunasa/lib/libCryptoki2_64.so
slot=1
certSignKey=key
crlSignKey=key
defaultKey=key
pin=<pin code>

Any help will be appreciated!

Best regards

-- 
http://asyd.net/home/    - Home Page
http://netvibes.com/asyd - Portal

Re: [Ejbca-develop] Issue with key escrow and Luna HSM

From: Bruno B. <as...@as...> - 2013-07-29 12:19:16

On Wed 10 July, Bruno Bonfils wrote:
> Hello,

Hi,

any idea? I thought the issue was about CKA flags like DECRYPT and
UNWRAP, but these flags are set on the private key (output of cmu):

class=privateKey
token=true
private=true
label=
keytype=RSA
subject=
id=636963612d6361
sensitive=true
decrypt=true
unwrap=true
sign=true
derive=false
startdate=
enddate=

Any help will be appreciated!

Thanks
-- 
http://asyd.net/home/    - Home Page
http://netvibes.com/asyd - Portal

Re: [Ejbca-develop] Require approval for certificate creation when sending a CSR

From: Tomas G. <to...@pr...> - 2013-07-16 12:11:32

Hi,

The username/password on the public web is not a login that can be shared. It is a one time enrollment code (password).

Perhaps the self registration is something for you? http://ejbca.org/adminguide.html#Self%20Registration

EJBCA can encompass almost any workflows. Most of them are not implemented directly in the gui, its too complicated for the users. If not available out of the box, you can easily implement it using the plug in mechanism.
http://ejbca.org/adminguide.html#EJBCA%20Plugins

Cheers,
Tomas


Henrik <Hen...@Go...> skrev:
>Hi Anders,
>
>Thanks for the fast response!
>
>> AFAIK there is no such function since it is only applicable to
>low-volume
>certification systems.
>
>I got a use case where it would be very convenient, even for a
>high-volume
>PKI.
>
>Actually, I'm not sure that I understand the way EJBCA is supposed to
>be
>used for server certificates.
>So every End Entity is a server, hence needs an EJBCA user with login
>credentials. But if servers are administered by more than one
>administrator
>and if these administrators change continuously (someone leaves,
>someone
>joins), it would require to share and manage login credentials for the
>EJBCA users that belong to these machines.
>
>I'm currently "solving" this by building an external RA that uses the
>SOAP
>API of EJBCA.
>However, I find myself giving the RA more and more privileges, making
>it
>too complex and powerful.
>
>What I'm currently having is an interface that allows a user to log in
>and
>see a list of all EJBCA End Entities administered by that user.
>The user can then upload a new public key (as part of a CSR) to request
>a
>cert, which sends a request to EJBCA and also opens a ticket in our
>JIRA.
>*IF* EJBCA would require approval for that new public key, an EJBCA
>admin
>could now look at the JIRA ticket, review and approve the action in
>EJBCA
>and leave the ticket number as a comment in the approval (for
>reference).
>That way, it would be clear who requested which certificate and who
>approved the action.
>Though it seems I have to rework that workflow, in case I don't want to
>build the approval step into the external application as well.
>
>How would the official/intended way of requesting and signing server
>certificates look like, for machines that can be administrated by
>multiple
>changing administrators?
>
>Kind regards,
>henrik
>
>
>
>On Mon, Jul 15, 2013 at 8:34 PM, ejbca-support
><ejb...@pr...>wrote:
>
>> On 2013-07-15 18:30, Henrik wrote:
>> > Hello,
>> >
>> > is it possible to configure EJBCA so it requires an admin to
>approve
>> certificate creation when receiving a CSR?
>> > So when an approved user requests a certificate, I want to have an
>> approval step for the public key in the CSR.
>> > (I'm not referring to the approval of the End Entity, which can be
>> configured via the certificate profile.)
>>
>> Hi,
>> AFAIK there is no such function since it is only applicable to
>low-volume
>> certification systems.
>> However, you can inspect CSRs before using them with EJBCA.
>>
>> EJBCA can though automatically test public keys with respect to
>length if
>> that is what you aim to do.
>>
>> Cheers
>> Anders
>> tech support
>>
>> >
>> > Kind regards,
>> > Henrik
>> >
>> >
>> >
>>
>------------------------------------------------------------------------------
>> > See everything from the browser to the database with AppDynamics
>> > Get end-to-end visibility with application monitoring from
>AppDynamics
>> > Isolate bottlenecks and diagnose root cause in seconds.
>> > Start your free trial of AppDynamics Pro today!
>> >
>>
>http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>> >
>> >
>> >
>> > _______________________________________________
>> > Ejbca-develop mailing list
>> > Ejb...@li...
>> > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>> >
>>
>>
>
>
>------------------------------------------------------------------------
>
>------------------------------------------------------------------------------
>See everything from the browser to the database with AppDynamics
>Get end-to-end visibility with application monitoring from AppDynamics
>Isolate bottlenecks and diagnose root cause in seconds.
>Start your free trial of AppDynamics Pro today!
>http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>
>------------------------------------------------------------------------
>
>_______________________________________________
>Ejbca-develop mailing list
>Ejb...@li...
>https://lists.sourceforge.net/lists/listinfo/ejbca-develop

Re: [Ejbca-develop] Require approval for certificate creation when sending a CSR

From: ejbca-support <ejb...@pr...> - 2013-07-16 09:42:44

On 2013-07-16 11:05, Henrik wrote:
> Hi Anders,
> 
> Thanks for the fast response!
> 
>> AFAIK there is no such function since it is only applicable to low-volume certification systems.
> 
> I got a use case where it would be very convenient, even for a high-volume PKI.

Hi Henrik,

I can only speak for myself but adding tons of RA functionality to EJBCA is maybe
not the right way because RA schemes tend to be driven by local demands and associated
"business logic".  PrimeKey has developed several special-purpose RA systems and they
appear all quite different.  To configure

If you have an Android phone you may even try one of them: https://mobilepki.org/scc


> Actually, I'm not sure that I understand the way EJBCA is supposed to be used for server certificates.
> So every End Entity is a server, hence needs an EJBCA user with login credentials. But if servers are administered by more than one administrator and if these administrators change continuously (someone leaves, someone joins), it would require to share and manage login credentials for the EJBCA users that belong to these machines.

Yes, but doesn't that problem belong to any scheme requiring administrators?

> 
> I'm currently "solving" this by building an external RA that uses the SOAP API of EJBCA.
> However, I find myself giving the RA more and more privileges, making it too complex and powerful.

In most scenarios an RA needs to be able to create and optionally revoke certificates.

However, an RA does typically not have to adjust CA parameters or creating new profiles (=policies).

In most real-world usages, EJBCA administrators are more like system administrators who creates
CAs, profiles and integrates various RA stuff (and limiting access from these).


> What I'm currently having is an interface that allows a user to log in and see a list of all EJBCA End Entities administered by that user.
> The user can then upload a new public key (as part of a CSR) to request a cert, which sends a request to EJBCA and also opens a ticket in our JIRA.
> *IF* EJBCA would require approval for that new public key, an EJBCA admin could now look at the JIRA ticket, review and approve the action in EJBCA and leave the ticket number as a comment in the approval (for reference). That way, it would be clear who requested which certificate and who approved the action.
> Though it seems I have to rework that workflow, in case I don't want to build the approval step into the external application as well.
> 
> How would the official/intended way of requesting and signing server certificates look like, 
> for machines that can be administrated by multiple changing administrators?

There's no official solution but it is common having a group of trusted people who are allowed to issue
server certificates.  This is similar to having a group of administrators managing enterprise users in AD.

Cheers
Anders
tech support

> 
> Kind regards,
> henrik
> 
> 
> 
> On Mon, Jul 15, 2013 at 8:34 PM, ejbca-support <ejb...@pr... <mailto:ejb...@pr...>> wrote:
> 
>     On 2013-07-15 18:30, Henrik wrote:
>     > Hello,
>     >
>     > is it possible to configure EJBCA so it requires an admin to approve certificate creation when receiving a CSR?
>     > So when an approved user requests a certificate, I want to have an approval step for the public key in the CSR.
>     > (I'm not referring to the approval of the End Entity, which can be configured via the certificate profile.)
> 
>     Hi,
>     AFAIK there is no such function since it is only applicable to low-volume certification systems.
>     However, you can inspect CSRs before using them with EJBCA.
> 
>     EJBCA can though automatically test public keys with respect to length if that is what you aim to do.
> 
>     Cheers
>     Anders
>     tech support
> 
>     >
>     > Kind regards,
>     > Henrik
>     >
>     >
>     > ------------------------------------------------------------------------------
>     > See everything from the browser to the database with AppDynamics
>     > Get end-to-end visibility with application monitoring from AppDynamics
>     > Isolate bottlenecks and diagnose root cause in seconds.
>     > Start your free trial of AppDynamics Pro today!
>     > http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
>     >
>     >
>     >
>     > _______________________________________________
>     > Ejbca-develop mailing list
>     > Ejb...@li... <mailto:Ejb...@li...>
>     > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>     >
> 
> 
> 
> 
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> 
> 
> 
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>

Re: [Ejbca-develop] Require approval for certificate creation when sending a CSR

From: Henrik <Hen...@Go...> - 2013-07-16 09:05:40

Hi Anders,

Thanks for the fast response!

> AFAIK there is no such function since it is only applicable to low-volume
certification systems.

I got a use case where it would be very convenient, even for a high-volume
PKI.

Actually, I'm not sure that I understand the way EJBCA is supposed to be
used for server certificates.
So every End Entity is a server, hence needs an EJBCA user with login
credentials. But if servers are administered by more than one administrator
and if these administrators change continuously (someone leaves, someone
joins), it would require to share and manage login credentials for the
EJBCA users that belong to these machines.

I'm currently "solving" this by building an external RA that uses the SOAP
API of EJBCA.
However, I find myself giving the RA more and more privileges, making it
too complex and powerful.

What I'm currently having is an interface that allows a user to log in and
see a list of all EJBCA End Entities administered by that user.
The user can then upload a new public key (as part of a CSR) to request a
cert, which sends a request to EJBCA and also opens a ticket in our JIRA.
*IF* EJBCA would require approval for that new public key, an EJBCA admin
could now look at the JIRA ticket, review and approve the action in EJBCA
and leave the ticket number as a comment in the approval (for reference).
That way, it would be clear who requested which certificate and who
approved the action.
Though it seems I have to rework that workflow, in case I don't want to
build the approval step into the external application as well.

How would the official/intended way of requesting and signing server
certificates look like, for machines that can be administrated by multiple
changing administrators?

Kind regards,
henrik

On Mon, Jul 15, 2013 at 8:34 PM, ejbca-support <ejb...@pr...>wrote:

> On 2013-07-15 18:30, Henrik wrote:
> > Hello,
> >
> > is it possible to configure EJBCA so it requires an admin to approve
> certificate creation when receiving a CSR?
> > So when an approved user requests a certificate, I want to have an
> approval step for the public key in the CSR.
> > (I'm not referring to the approval of the End Entity, which can be
> configured via the certificate profile.)
>
> Hi,
> AFAIK there is no such function since it is only applicable to low-volume
> certification systems.
> However, you can inspect CSRs before using them with EJBCA.
>
> EJBCA can though automatically test public keys with respect to length if
> that is what you aim to do.
>
> Cheers
> Anders
> tech support
>
> >
> > Kind regards,
> > Henrik
> >
> >
> >
> ------------------------------------------------------------------------------
> > See everything from the browser to the database with AppDynamics
> > Get end-to-end visibility with application monitoring from AppDynamics
> > Isolate bottlenecks and diagnose root cause in seconds.
> > Start your free trial of AppDynamics Pro today!
> >
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> >
> >
> >
> > _______________________________________________
> > Ejbca-develop mailing list
> > Ejb...@li...
> > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
> >
>
>

Re: [Ejbca-develop] Require approval for certificate creation when sending a CSR

From: ejbca-support <ejb...@pr...> - 2013-07-15 18:34:46

On 2013-07-15 18:30, Henrik wrote:
> Hello,
> 
> is it possible to configure EJBCA so it requires an admin to approve certificate creation when receiving a CSR?
> So when an approved user requests a certificate, I want to have an approval step for the public key in the CSR.
> (I'm not referring to the approval of the End Entity, which can be configured via the certificate profile.)

Hi,
AFAIK there is no such function since it is only applicable to low-volume certification systems.
However, you can inspect CSRs before using them with EJBCA.

EJBCA can though automatically test public keys with respect to length if that is what you aim to do.

Cheers
Anders
tech support

> 
> Kind regards,
> Henrik
> 
> 
> ------------------------------------------------------------------------------
> See everything from the browser to the database with AppDynamics
> Get end-to-end visibility with application monitoring from AppDynamics
> Isolate bottlenecks and diagnose root cause in seconds.
> Start your free trial of AppDynamics Pro today!
> http://pubads.g.doubleclick.net/gampad/clk?id=48808831&iu=/4140/ostg.clktrk
> 
> 
> 
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>

[Ejbca-develop] Require approval for certificate creation when sending a CSR

From: Henrik <Hen...@Go...> - 2013-07-15 16:31:25

Hello,

is it possible to configure EJBCA so it requires an admin to approve
certificate creation when receiving a CSR?
So when an approved user requests a certificate, I want to have an approval
step for the public key in the CSR.
(I'm not referring to the approval of the End Entity, which can be
configured via the certificate profile.)

Kind regards,
Henrik