Menu
▾
▴
ejbca-develop — Development discussions
You can subscribe to this list here.
| 2001 |
Jan
|
Feb
|
Mar
|
Apr
|
May
|
Jun
|
Jul
|
Aug
|
Sep
|
Oct
|
Nov
(1) |
Dec
(3) |
|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 2002 |
Jan
(3) |
Feb
(2) |
Mar
(8) |
Apr
(3) |
May
(6) |
Jun
(1) |
Jul
(15) |
Aug
(6) |
Sep
|
Oct
(10) |
Nov
(2) |
Dec
(4) |
| 2003 |
Jan
(1) |
Feb
(7) |
Mar
(3) |
Apr
(6) |
May
(7) |
Jun
(5) |
Jul
(5) |
Aug
(25) |
Sep
(14) |
Oct
(2) |
Nov
|
Dec
(2) |
| 2004 |
Jan
(7) |
Feb
(4) |
Mar
(12) |
Apr
(16) |
May
(43) |
Jun
(56) |
Jul
(43) |
Aug
(40) |
Sep
(66) |
Oct
(12) |
Nov
(26) |
Dec
(10) |
| 2005 |
Jan
(13) |
Feb
(33) |
Mar
(16) |
Apr
(7) |
May
(10) |
Jun
(34) |
Jul
(41) |
Aug
(8) |
Sep
(4) |
Oct
(32) |
Nov
(20) |
Dec
(25) |
| 2006 |
Jan
(30) |
Feb
(101) |
Mar
(5) |
Apr
(75) |
May
(74) |
Jun
(22) |
Jul
(6) |
Aug
(70) |
Sep
(19) |
Oct
(21) |
Nov
(31) |
Dec
(50) |
| 2007 |
Jan
(15) |
Feb
(20) |
Mar
(24) |
Apr
(33) |
May
(13) |
Jun
(18) |
Jul
(13) |
Aug
(7) |
Sep
(63) |
Oct
(68) |
Nov
(29) |
Dec
(68) |
| 2008 |
Jan
(30) |
Feb
(33) |
Mar
(30) |
Apr
(103) |
May
(78) |
Jun
(48) |
Jul
(72) |
Aug
(24) |
Sep
(62) |
Oct
(63) |
Nov
(70) |
Dec
(37) |
| 2009 |
Jan
(34) |
Feb
(35) |
Mar
(64) |
Apr
(34) |
May
(34) |
Jun
(58) |
Jul
(30) |
Aug
(30) |
Sep
(46) |
Oct
(52) |
Nov
(12) |
Dec
(23) |
| 2010 |
Jan
(121) |
Feb
(18) |
Mar
(53) |
Apr
(62) |
May
(62) |
Jun
(20) |
Jul
(33) |
Aug
(20) |
Sep
(36) |
Oct
(35) |
Nov
(44) |
Dec
(63) |
| 2011 |
Jan
(19) |
Feb
(32) |
Mar
(94) |
Apr
(41) |
May
(47) |
Jun
(25) |
Jul
(34) |
Aug
(20) |
Sep
(9) |
Oct
(41) |
Nov
(33) |
Dec
(24) |
| 2012 |
Jan
(12) |
Feb
(36) |
Mar
(48) |
Apr
(32) |
May
(20) |
Jun
(15) |
Jul
(32) |
Aug
(13) |
Sep
(33) |
Oct
(54) |
Nov
(25) |
Dec
(16) |
| 2013 |
Jan
(45) |
Feb
(39) |
Mar
(38) |
Apr
(50) |
May
(29) |
Jun
(30) |
Jul
(33) |
Aug
(12) |
Sep
(9) |
Oct
(25) |
Nov
(29) |
Dec
(20) |
| 2014 |
Jan
(25) |
Feb
(19) |
Mar
(16) |
Apr
(33) |
May
(27) |
Jun
(37) |
Jul
(29) |
Aug
(27) |
Sep
(37) |
Oct
(58) |
Nov
(109) |
Dec
(26) |
| 2015 |
Jan
(4) |
Feb
(35) |
Mar
(22) |
Apr
(35) |
May
(28) |
Jun
(20) |
Jul
(4) |
Aug
(16) |
Sep
(37) |
Oct
(13) |
Nov
(13) |
Dec
(14) |
| 2016 |
Jan
(22) |
Feb
(7) |
Mar
(23) |
Apr
(30) |
May
(10) |
Jun
(10) |
Jul
(15) |
Aug
(12) |
Sep
(22) |
Oct
(31) |
Nov
(5) |
Dec
(5) |
| 2017 |
Jan
(30) |
Feb
(25) |
Mar
(28) |
Apr
(4) |
May
(19) |
Jun
(13) |
Jul
(7) |
Aug
(1) |
Sep
(2) |
Oct
(5) |
Nov
(12) |
Dec
(2) |
| 2018 |
Jan
(7) |
Feb
|
Mar
(7) |
Apr
(2) |
May
(8) |
Jun
(18) |
Jul
(6) |
Aug
(3) |
Sep
(15) |
Oct
(33) |
Nov
(13) |
Dec
(7) |
| 2019 |
Jan
(5) |
Feb
(7) |
Mar
(30) |
Apr
(5) |
May
(4) |
Jun
(69) |
Jul
(86) |
Aug
(22) |
Sep
(6) |
Oct
(7) |
Nov
(5) |
Dec
(3) |
| 2020 |
Jan
(10) |
Feb
(12) |
Mar
(22) |
Apr
(5) |
May
(1) |
Jun
(4) |
Jul
(6) |
Aug
|
Sep
(9) |
Oct
|
Nov
|
Dec
(1) |
| 2021 |
Jan
(4) |
Feb
(11) |
Mar
(7) |
Apr
(7) |
May
|
Jun
(3) |
Jul
(10) |
Aug
(6) |
Sep
|
Oct
|
Nov
(18) |
Dec
(2) |
| 2022 |
Jan
(1) |
Feb
(1) |
Mar
|
Apr
|
May
|
Jun
(2) |
Jul
|
Aug
(4) |
Sep
|
Oct
|
Nov
|
Dec
|
| 2023 |
Jan
|
Feb
|
Mar
|
Apr
(1) |
May
(1) |
Jun
|
Jul
|
Aug
(5) |
Sep
|
Oct
|
Nov
|
Dec
|
|
From: Tomas G. <to...@pr...> - 2012-07-14 07:22:46
|
Hi Bruno, You are correct in most of your analysis. EJBCA uses "InetAddress.getLocalHost" to get the local hostname. What this returns depends on what is in the host file of course. > - is this behavior may considered as a bug? (using nodename rather > binding IP name). No, it is deliberate. Hostname is much more flexible, and often more correct than ip address. EJBCA does not know which IP JBoss binds to, and it can change at any time. Most hosts have multiple IPs, and EJBCA can not know which are used for what. With a hostname the cluster nodes can have each others hostnames in the local hosts file if needed. This can point to anywhere so it is configurable by the admins. You can simply add the correct ip addresses in the cluster nodes's local hosts files. One improvement that I could think of would be if you could override the detected hostname by a configuration option. Than you could use other hostnames than the real ones, pointing to other ip-adresses? By the way, if JBoss is behind an apache proxy, it does not matter what IP JBoss binds to, since it will be apache that accepts the connection. So it is actually the IPs/hostnames that apache binds to that are relevant. > - can you confirm if I remove by hand the node in the nodelist, each > time I'll start EJBCA on a node, it will add the new member? (since > EJBCA will check if the hostname exists) Yes this is correct. > - more or less the same question when JBoss are not directly reachable > but only through an Apache (on a different nodename.. :) If "nodename" is not reachable from one cluster node to the other, even if you add the correct ip address in the local hosts file, you can not use the global "clear cache" button. Very simple :-) If you need to clear caches when the cluster nodes can not talk to each other, you need to clear the cache individually on all nodes. An error when clicking the button simply means that the cache was not cleared on that host, and you have to clear it manually. There is a CLI for clearing caches as well, so you can easily script it. Cheers, Tomas On 07/13/2012 04:19 PM, Bruno Bonfils wrote: > Hi folks, > > I'm wondering how EJBCA determines the "nodename" in a cluster > environnement. As far as I understand/remember the code, EJBCA use the > hostname of the server, which may we wrong. > > My environnement is the following: > 2 JBoss, each one use a dedicated IP address (given as -b when > starting jboss) > Each JBoss is protected by an Apache acting as reverse proxy > > When I start EJBCA, if I displays the list of nodes I can see the list > of hostnames of servere where EJBCA is running. And when I click on > "Clear all caches" button, I had a "Connexion refused" exception. > Indeed, the code is: > > "String nodeip = InetAddress.getByName(nodename).getHostAddress();" > > But, since I use a dedicated IP for JBoss, EJBCA is not reachable on the > nodename's primary address. > > So my questions are: > > - is this behavior may considered as a bug? (using nodename rather > binding IP name). > - can you confirm if I remove by hand the node in the nodelist, each > time I'll start EJBCA on a node, it will add the new member? (since > EJBCA will check if the hostname exists) > - more or less the same question when JBoss are not directly reachable > but only through an Apache (on a different nodename.. :) > > Best regards > |
|
From: Bruno B. <as...@as...> - 2012-07-13 14:36:11
|
Hi folks, I'm wondering how EJBCA determines the "nodename" in a cluster environnement. As far as I understand/remember the code, EJBCA use the hostname of the server, which may we wrong. My environnement is the following: 2 JBoss, each one use a dedicated IP address (given as -b when starting jboss) Each JBoss is protected by an Apache acting as reverse proxy When I start EJBCA, if I displays the list of nodes I can see the list of hostnames of servere where EJBCA is running. And when I click on "Clear all caches" button, I had a "Connexion refused" exception. Indeed, the code is: "String nodeip = InetAddress.getByName(nodename).getHostAddress();" But, since I use a dedicated IP for JBoss, EJBCA is not reachable on the nodename's primary address. So my questions are: - is this behavior may considered as a bug? (using nodename rather binding IP name). - can you confirm if I remove by hand the node in the nodelist, each time I'll start EJBCA on a node, it will add the new member? (since EJBCA will check if the hostname exists) - more or less the same question when JBoss are not directly reachable but only through an Apache (on a different nodename.. :) Best regards -- http://asyd.net/home/ - Home Page http://netvibes.com/asyd - Portal |
|
From: Martin P. <ma...@ma...> - 2012-07-13 09:45:52
|
Hello, On Thu, Jul 12, 2012 at 7:18 PM, Hans Witvliet <hw...@a-...> wrote: > So, to summarize, if a small org or medium company needs to start > enrolling certificates & smartcards, can anything been said about > - amount of time for implementing > - cost estimation It all depends on the actual requirements for "the PKI" - the platforms and applications in use, necessary integration, existing systems (IAM or similar), future administration capabilities etc etc For a company with few hundred (~200..500) people, with "standard requirements" of wokrstation login, online ssl auth and e-mail signatures with s/mime, I might guesstimate it to take (with open source software such as EJBCA) somewhere around 3..6 months and comparable cost for a small team (3..5) + hardware and software licenses, if any (in a Windows world, this might be relevant) This would also work if you got your organization CA certificate signed by some "trusted third party", be it a commercial CA or some actually^H^H^H^H^H^Hmore trusted third party. Maybe this helps. Martin |
|
From: Arshad N. <ars...@st...> - 2012-07-12 20:37:14
|
Hello, The "Maximizing Performance" section of the Admin Guide has this line: "Disable logging to database in log.properties, only use Log4jLogDevice. This removes a database insert and gives a big boost." Additionally, the log.properties file in the $EJBCA_HOME/conf indicates: # Internal EJBCA logging device that writes to the database. See logdevices/oldlog.properties.sample for more information. OldLogDevice=org.ejbca.core.model.log.OldLogDeviceFactory;logdevices/oldlog.properties This seems to imply that by commenting the OldLogDevice line in this file and redeploying the EAR, one can turn off DB-logging. However, this does not seem to work. Can someone shed some light on how to turn off DB logging completely? I am assuming that the server.log file is capturing all events that might normally have been logged in the DB. If this is not true, it will be helpful to know what does NOT get logged if DB-logging is turned off. Thank you. Arshad Noor StrongAuth, Inc. |
|
From: Hans W. <hw...@a-...> - 2012-07-12 16:18:43
|
On Thu, 2012-07-12 at 10:27 +0200, Andreas Bürki wrote: > Hi Hans > > How do you define: > > 1) fully implemented official PKI > > more specific, how do you define > > official? > Hi Andreas, perhaps i was a bit too brief there... I know that there are companies/organisation that have taken the lengthy trouble and have certificates signed by commercial CA's. When employees are hired/fired, certificates are created or revoked, etc etc etc So what we see is at one hand, there are companies that start looking for the possibilities that PKI offer, but have nothing implemented _yet_). And on the other hand, small organisations that do not want/need a trusted third party (only two parties involved) but want to use the possibilities that asymetric keys and certificates offer. Obviously, the needs of an airplane manufacturer are somewhat different from that of a table-tennis-organisation ;-) But even there, there must be a connection between the management of new/leaving members and revocation of their certificate. So, to summarize, if a small org or medium company needs to start enrolling certificates & smartcards, can anything been said about - amount of time for implementing - cost estimation I have no intention of being part of it, but if i say to a potential customer: "all your members/workers need a smartcard holding certificates" and "your organisation must take care of issuing and revoking", I can expect the questions that if they don't have that, what it will cost them and how long it will take.... Hence my question Hans |
|
From: Andreas B. <ab...@an...> - 2012-07-12 09:06:23
|
Hi Hans How do you define: > 1) fully implemented official PKI more specific, how do you define official? Cheers, Andreas Am 12.07.2012 09:53, schrieb Hans Witvliet: > Hi all, > > Perhaps this messages may seem O.T. from a technical point of view, but > i'll guess there are some people around here that have experience with > the organisational aspects of deploying PKI. > > Short intro: > For my employer our team made a product that heaviliy relies on a good > working PKI environment. It looks like a success: even during the pilot > phase, over 9500 co-workers volunteered (we have about 60,000 people) > > Last couple of months we got questions from other departments and > companies about our product. So we are widen our horizon. > As said, it is heavily based upon a working PKI, but not every company > has that up-and-running. > >>From my POV, there are two options: > 1) fully implemented official PKI > 2) very small (self signed) environment for cards & certificates > > We were wondering what can be expected regarding > - timescale > - costs > for doing such implementation. > >>From what i learned so far, the technical part is minuscule compared > with the organisational overhead. (i presume it's more like EAL4+ > effort) > Obviously our team is way to small to implement full PKI, but is it > possible to give an indications? > For instance companies/organisation with 100-1000 people or 5,000-50,000 > people? > > Hans > > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > Ejbca-develop mailing list > Ejb...@li... > https://lists.sourceforge.net/lists/listinfo/ejbca-develop -- Andreas Bürki E-Mail: ab...@an... Zertifikat - SHA1-Fingerprint: 54:99:02:5F:60:CE:7A:27:0E:73:79:24:CA:C7:A0:CC:60:39:05:9F |
|
From: Hans W. <hw...@a-...> - 2012-07-12 08:18:41
|
Hi all, Perhaps this messages may seem O.T. from a technical point of view, but i'll guess there are some people around here that have experience with the organisational aspects of deploying PKI. Short intro: For my employer our team made a product that heaviliy relies on a good working PKI environment. It looks like a success: even during the pilot phase, over 9500 co-workers volunteered (we have about 60,000 people) Last couple of months we got questions from other departments and companies about our product. So we are widen our horizon. As said, it is heavily based upon a working PKI, but not every company has that up-and-running. >From my POV, there are two options: 1) fully implemented official PKI 2) very small (self signed) environment for cards & certificates We were wondering what can be expected regarding - timescale - costs for doing such implementation. >From what i learned so far, the technical part is minuscule compared with the organisational overhead. (i presume it's more like EAL4+ effort) Obviously our team is way to small to implement full PKI, but is it possible to give an indications? For instance companies/organisation with 100-1000 people or 5,000-50,000 people? Hans |
|
From: Tomas G. <to...@pr...> - 2012-06-20 08:24:31
|
Dear community, We have just released a new version of EJBCA, 4.0.11. This is a maintenance release containing a few new features, GUI improvements and support for Japanese. * Noteworthy changes: - Support for Japanese in the admin GUI. - Possibility to use custom revocation dates. - Possibility to use aliases in RFC4387 CRL download links. - Fixed support for special characters in filenames in export profiles cli command. - Admin GUI improvements for looks and consistency. You can read the full changelog at https://jira.primekey.se/browse/ECA Regards, The PrimeKey EJBCA Team |
|
From: tungdt.bk <tun...@gm...> - 2012-06-15 02:00:22
|
Duonguno <duongmn@...> writes: > > > Hi. > Thankyou very much. I fixed my error. > Hi Duong, I have a same error. How did you fix it? |
|
From: Muhammed W. K. <mw...@ma...> - 2012-06-08 14:04:12
|
Hi Guys, I have been requested to assess the possibility of using another CA (not EJBCA) to issue certs for devices which would communicate with the RA (yet to develop) using SCEP. Itts not because EJBCA is no good, its because the CA I am looking to integrate also provide other services like digital signature creation, verification etc hence it makes one stop for clients to generate end user certificates, signing, device certificates etc. I know EJBCA has implemented this but can I plug the properietary CA and using the RA API to poll the EJBCA RA and get the certificates issued. I have read this: http://www.ejbca.org/externalra.html but its not crystal clear whether this is possible. If it is what clear interfaces I have to implement? If not then this means that the properietary CA needs to implement its own RA which supports SCEP which I want to avoid. Regards, wahaj |
|
From: Amir M. m. <dar...@gm...> - 2012-06-05 15:23:55
|
Voila ….problem solved. I install EJBCA_4_0_3 connected to a ProtectServer Gold HSM (with recommended and reasonable attributes as mentioned in most new version of Admin Guide) on my CentOS-5.5 machine. Just in older versions, ejbca explicitly recommended to set CKA_EXTRACTABLE = true http://ejbca.org/older_releases/ejbca_3_9/htdocs/manual.html#SafeNet%20ProtectServer At the other side, as Tomas said ,ProtectServer Gold HSM has a bug in generating exportable keys.I tested it and unfortunately it's true. So now it seems that it’s time to migrate to a newer version of ejbca ;) Thank you all for your attention Regards Dariush 2012/6/5 Tomas Gustavsson <to...@pr...> > > Yes, fortunately Amirs analysis in not completely correct :-) > > This is what happens: > > 1. Amir, you are probably using an old version of EJBCA to generate > keys, that does not explicitly set all flags. And you do not use a > pkcs11 configuration file (described in older documentation, but not > needed anymore). > > 2. ProtectServer Gold has a bug so that it generates exportable keys by > default. Other HSMs do not do this. > > 3. Due to this bug in ProtectServer later versions of EJBCA even refuses > to use exportable keys, in order to protect the user of EJBCA. > > So, Amir, you can either set the PKCS11 parameters you want (there are > good exact samples in the documentation) or you can upgrade your EJBCA > clientToolBox to a later version that does it for you. > > The feature to refuse to use exportable keys was actually introduced > already in EJBCA 3.10.5. > > https://jira.primekey.se/browse/ECA-1823?page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel > > So my best guess is that you generated your keys with a version of > clientToolBox that is older than that? > > Regards, > Tomas > > On 06/05/2012 02:21 PM, Tham Wickenberg wrote: > > Hello, > > > > The following are the default attributes when creating keys with > > EJBCA/ClientToolBox: > > > > attributes(*, *, *) = { > > CKA_TOKEN = true > > } > > attributes(*, CKO_PUBLIC_KEY, *) = { > > CKA_ENCRYPT = true > > CKA_VERIFY = true > > CKA_WRAP = true > > } > > attributes(*, CKO_PRIVATE_KEY, *) = { > > CKA_PRIVATE = true > > CKA_SENSITIVE = true > > CKA_EXTRACTABLE = false > > CKA_DECRYPT = true > > CKA_SIGN = true > > CKA_UNWRAP = true > > }"); > > > > > > This is what you will get if you do not provide the properties yourself. > > > > It does sound strange that you would get anything else, what is the > > exact command that you have run and what version of EJBCA where you > using? > > > > Kind regards, > > Tham Wickenberg > > PrimeKey Tech Support > > > > On 6/5/12 2:15 PM, ejbca-support wrote: > >> On 2012-06-05 13:45, Amir Masoud mojallal wrote: > >>> Hi > >>> > >>> According to me, in EJBCA source code there is a getPrivateKey(int > >>> purpose) method (located in > >>> org\ejbca\core\model\ca\catoken\ICAToken.java Interface) that is > >>> implemented in other concrete classed (BaseCAToken.java and > >>> PKCS11CAToken.java) and lets EJBCA to fetch private key from HSM then > >>> EJBCA itself does signing/verifying (Am I right?).These all are > >>> because in default installation, private keys in HSM are generated > >>> with both “exportable” and “modifiable” flags set to “ON”!!! . (if the > >>> key pair be generated by issuing “ejbcaClientToolBox.sh” command as > >>> mentioned in Admin Guide doc , Hardware Security Module have section) > >>> But from security point of view a private key must not leave the HSM > >>> ,otherwise it has some security risks .I can't understand the > >>> intention of doing so,instead of sending things to HSM and letting HSM > >>> itself signs/verifies the things .any idea please? > >>> My experience is on Safe Net Protect Server HSM. > >> Hi Amir, > >> > >> That is not how it works. The signatures are indeed performed in the > >> HSM. That keys would be exportable in the default installation sounds > >> very strange; where did you get this information? > >> > >> Regards > >> Anders > >> tech support > >> > >>> Regards > >>> Dariush > >>> > >>> > ------------------------------------------------------------------------------ > >>> Live Security Virtual Conference > >>> Exclusive live event will cover all the ways today's security and > >>> threat landscape has changed and how IT managers can respond. > Discussions > >>> will include endpoint security, mobile security and the latest in > malware > >>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > >>> _______________________________________________ > >>> Ejbca-develop mailing list > >>> Ejb...@li... > >>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop > >> > >> > ------------------------------------------------------------------------------ > >> Live Security Virtual Conference > >> Exclusive live event will cover all the ways today's security and > >> threat landscape has changed and how IT managers can respond. > Discussions > >> will include endpoint security, mobile security and the latest in > malware > >> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > >> _______________________________________________ > >> Ejbca-develop mailing list > >> Ejb...@li... > >> https://lists.sourceforge.net/lists/listinfo/ejbca-develop > > > > > > > ------------------------------------------------------------------------------ > > Live Security Virtual Conference > > Exclusive live event will cover all the ways today's security and > > threat landscape has changed and how IT managers can respond. Discussions > > will include endpoint security, mobile security and the latest in malware > > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > > _______________________________________________ > > Ejbca-develop mailing list > > Ejb...@li... > > https://lists.sourceforge.net/lists/listinfo/ejbca-develop > > > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > Ejbca-develop mailing list > Ejb...@li... > https://lists.sourceforge.net/lists/listinfo/ejbca-develop > |
|
From: Tomas G. <to...@pr...> - 2012-06-05 12:39:53
|
Yes, fortunately Amirs analysis in not completely correct :-) This is what happens: 1. Amir, you are probably using an old version of EJBCA to generate keys, that does not explicitly set all flags. And you do not use a pkcs11 configuration file (described in older documentation, but not needed anymore). 2. ProtectServer Gold has a bug so that it generates exportable keys by default. Other HSMs do not do this. 3. Due to this bug in ProtectServer later versions of EJBCA even refuses to use exportable keys, in order to protect the user of EJBCA. So, Amir, you can either set the PKCS11 parameters you want (there are good exact samples in the documentation) or you can upgrade your EJBCA clientToolBox to a later version that does it for you. The feature to refuse to use exportable keys was actually introduced already in EJBCA 3.10.5. https://jira.primekey.se/browse/ECA-1823?page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel So my best guess is that you generated your keys with a version of clientToolBox that is older than that? Regards, Tomas On 06/05/2012 02:21 PM, Tham Wickenberg wrote: > Hello, > > The following are the default attributes when creating keys with > EJBCA/ClientToolBox: > > attributes(*, *, *) = { > CKA_TOKEN = true > } > attributes(*, CKO_PUBLIC_KEY, *) = { > CKA_ENCRYPT = true > CKA_VERIFY = true > CKA_WRAP = true > } > attributes(*, CKO_PRIVATE_KEY, *) = { > CKA_PRIVATE = true > CKA_SENSITIVE = true > CKA_EXTRACTABLE = false > CKA_DECRYPT = true > CKA_SIGN = true > CKA_UNWRAP = true > }"); > > > This is what you will get if you do not provide the properties yourself. > > It does sound strange that you would get anything else, what is the > exact command that you have run and what version of EJBCA where you using? > > Kind regards, > Tham Wickenberg > PrimeKey Tech Support > > On 6/5/12 2:15 PM, ejbca-support wrote: >> On 2012-06-05 13:45, Amir Masoud mojallal wrote: >>> Hi >>> >>> According to me, in EJBCA source code there is a getPrivateKey(int >>> purpose) method (located in >>> org\ejbca\core\model\ca\catoken\ICAToken.java Interface) that is >>> implemented in other concrete classed (BaseCAToken.java and >>> PKCS11CAToken.java) and lets EJBCA to fetch private key from HSM then >>> EJBCA itself does signing/verifying (Am I right?).These all are >>> because in default installation, private keys in HSM are generated >>> with both “exportable” and “modifiable” flags set to “ON”!!! . (if the >>> key pair be generated by issuing “ejbcaClientToolBox.sh” command as >>> mentioned in Admin Guide doc , Hardware Security Module have section) >>> But from security point of view a private key must not leave the HSM >>> ,otherwise it has some security risks .I can't understand the >>> intention of doing so,instead of sending things to HSM and letting HSM >>> itself signs/verifies the things .any idea please? >>> My experience is on Safe Net Protect Server HSM. >> Hi Amir, >> >> That is not how it works. The signatures are indeed performed in the >> HSM. That keys would be exportable in the default installation sounds >> very strange; where did you get this information? >> >> Regards >> Anders >> tech support >> >>> Regards >>> Dariush >>> >>> ------------------------------------------------------------------------------ >>> Live Security Virtual Conference >>> Exclusive live event will cover all the ways today's security and >>> threat landscape has changed and how IT managers can respond. Discussions >>> will include endpoint security, mobile security and the latest in malware >>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >>> _______________________________________________ >>> Ejbca-develop mailing list >>> Ejb...@li... >>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop >> >> ------------------------------------------------------------------------------ >> Live Security Virtual Conference >> Exclusive live event will cover all the ways today's security and >> threat landscape has changed and how IT managers can respond. Discussions >> will include endpoint security, mobile security and the latest in malware >> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ >> _______________________________________________ >> Ejbca-develop mailing list >> Ejb...@li... >> https://lists.sourceforge.net/lists/listinfo/ejbca-develop > > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > Ejbca-develop mailing list > Ejb...@li... > https://lists.sourceforge.net/lists/listinfo/ejbca-develop |
|
From: Tham W. <ejb...@pr...> - 2012-06-05 12:21:51
|
Hello,
The following are the default attributes when creating keys with
EJBCA/ClientToolBox:
attributes(*, *, *) = {
CKA_TOKEN = true
}
attributes(*, CKO_PUBLIC_KEY, *) = {
CKA_ENCRYPT = true
CKA_VERIFY = true
CKA_WRAP = true
}
attributes(*, CKO_PRIVATE_KEY, *) = {
CKA_PRIVATE = true
CKA_SENSITIVE = true
CKA_EXTRACTABLE = false
CKA_DECRYPT = true
CKA_SIGN = true
CKA_UNWRAP = true
}");
This is what you will get if you do not provide the properties yourself.
It does sound strange that you would get anything else, what is the
exact command that you have run and what version of EJBCA where you using?
Kind regards,
Tham Wickenberg
PrimeKey Tech Support
On 6/5/12 2:15 PM, ejbca-support wrote:
> On 2012-06-05 13:45, Amir Masoud mojallal wrote:
>> Hi
>>
>> According to me, in EJBCA source code there is a getPrivateKey(int
>> purpose) method (located in
>> org\ejbca\core\model\ca\catoken\ICAToken.java Interface) that is
>> implemented in other concrete classed (BaseCAToken.java and
>> PKCS11CAToken.java) and lets EJBCA to fetch private key from HSM then
>> EJBCA itself does signing/verifying (Am I right?).These all are
>> because in default installation, private keys in HSM are generated
>> with both “exportable” and “modifiable” flags set to “ON”!!! . (if the
>> key pair be generated by issuing “ejbcaClientToolBox.sh” command as
>> mentioned in Admin Guide doc , Hardware Security Module have section)
>> But from security point of view a private key must not leave the HSM
>> ,otherwise it has some security risks .I can't understand the
>> intention of doing so,instead of sending things to HSM and letting HSM
>> itself signs/verifies the things .any idea please?
>> My experience is on Safe Net Protect Server HSM.
> Hi Amir,
>
> That is not how it works. The signatures are indeed performed in the
> HSM. That keys would be exportable in the default installation sounds
> very strange; where did you get this information?
>
> Regards
> Anders
> tech support
>
>> Regards
>> Dariush
>>
>> ------------------------------------------------------------------------------
>> Live Security Virtual Conference
>> Exclusive live event will cover all the ways today's security and
>> threat landscape has changed and how IT managers can respond. Discussions
>> will include endpoint security, mobile security and the latest in malware
>> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
>> _______________________________________________
>> Ejbca-develop mailing list
>> Ejb...@li...
>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>
> ------------------------------------------------------------------------------
> Live Security Virtual Conference
> Exclusive live event will cover all the ways today's security and
> threat landscape has changed and how IT managers can respond. Discussions
> will include endpoint security, mobile security and the latest in malware
> threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
|
|
From: ejbca-support <ejb...@pr...> - 2012-06-05 12:15:45
|
On 2012-06-05 13:45, Amir Masoud mojallal wrote: > Hi > > According to me, in EJBCA source code there is a getPrivateKey(int > purpose) method (located in > org\ejbca\core\model\ca\catoken\ICAToken.java Interface) that is > implemented in other concrete classed (BaseCAToken.java and > PKCS11CAToken.java) and lets EJBCA to fetch private key from HSM then > EJBCA itself does signing/verifying (Am I right?).These all are > because in default installation, private keys in HSM are generated > with both “exportable” and “modifiable” flags set to “ON”!!! . (if the > key pair be generated by issuing “ejbcaClientToolBox.sh” command as > mentioned in Admin Guide doc , Hardware Security Module have section) > But from security point of view a private key must not leave the HSM > ,otherwise it has some security risks .I can't understand the > intention of doing so,instead of sending things to HSM and letting HSM > itself signs/verifies the things .any idea please? > My experience is on Safe Net Protect Server HSM. Hi Amir, That is not how it works. The signatures are indeed performed in the HSM. That keys would be exportable in the default installation sounds very strange; where did you get this information? Regards Anders tech support > > Regards > Dariush > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > Ejbca-develop mailing list > Ejb...@li... > https://lists.sourceforge.net/lists/listinfo/ejbca-develop |
|
From: Amir M. m. <dar...@gm...> - 2012-06-05 11:46:35
|
Hi According to me, in EJBCA source code there is a getPrivateKey(int purpose) method (located in org\ejbca\core\model\ca\catoken\ICAToken.java Interface) that is implemented in other concrete classed (BaseCAToken.java and PKCS11CAToken.java) and lets EJBCA to fetch private key from HSM then EJBCA itself does signing/verifying (Am I right?).These all are because in default installation, private keys in HSM are generated with both “exportable” and “modifiable” flags set to “ON”!!! . (if the key pair be generated by issuing “ejbcaClientToolBox.sh” command as mentioned in Admin Guide doc , Hardware Security Module have section) But from security point of view a private key must not leave the HSM ,otherwise it has some security risks .I can't understand the intention of doing so,instead of sending things to HSM and letting HSM itself signs/verifies the things .any idea please? My experience is on Safe Net Protect Server HSM. Regards Dariush |
|
From: ejbca-support <ejb...@pr...> - 2012-06-04 21:09:48
|
On 2012-06-04 21:19, Amir Masoud mojallal wrote: > Hi > > As I know about EJBCA it should be created an end entity in CA before > issuing its associated certificate in ExtRA side. > But how can I enrol for a new certificate in ExtrRa side without any > need to predefine an end entity in CA?Are the solutions limit to use > one of SCEP or CMP?I think about an auto enrolment ExtRA page ;) does > it exist? CMP ca do exactly what you want, creating users and certificates in one operation. CMP is though mainly used for card management systems. If you rather want a web application you will need to do some programming or scripting since there should be some way of authenticating the user before generating a certificate. Cheers, Anders tech support > > Regard > Dariush > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > Ejbca-develop mailing list > Ejb...@li... > https://lists.sourceforge.net/lists/listinfo/ejbca-develop |
|
From: Amir M. m. <dar...@gm...> - 2012-06-04 19:19:11
|
Hi As I know about EJBCA it should be created an end entity in CA before issuing its associated certificate in ExtRA side. But how can I enrol for a new certificate in ExtrRa side without any need to predefine an end entity in CA?Are the solutions limit to use one of SCEP or CMP?I think about an auto enrolment ExtRA page ;) does it exist? Regard Dariush |
|
From: Tomas G. <to...@pr...> - 2012-06-04 14:39:17
|
Hi, I would like to give you information that we are holding an EJBCA training course in San Mateo, California, USA on the 9-12 July. If interested you can find more information, and other training dates/places, at http://www.primekey.se/Services/Training/Open+schedule/. Regards, Tomas Gustavsson PrimeKey Solutions AB |
|
From: ejbca-support <ejb...@pr...> - 2012-06-01 19:18:56
|
On 2012-06-01 19:55, Amir Masoud mojallal wrote: > I've installed ejbca_4_0_3 and configured it to connect to some HSM > indeed SafeNet ProtectServer.But the CA uses the pair keys created on > the HSM just to sign its own certificate at install time-I think > so-but not other's certificates that the CA issues after > installation!!! Interesting is that I can issue a client certificate > after disabling the NIC on CA's machine!!! > I want to issue the certificates be signed by HSM directly.help me please. Hi, Could you provide a part of the log so we can see what kind of error messages you get? Regards, Anders tech support > > thank you in advance > Dariush > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > Ejbca-develop mailing list > Ejb...@li... > https://lists.sourceforge.net/lists/listinfo/ejbca-develop |
|
From: Amir M. m. <dar...@gm...> - 2012-06-01 17:55:34
|
I've installed ejbca_4_0_3 and configured it to connect to some HSM indeed SafeNet ProtectServer.But the CA uses the pair keys created on the HSM just to sign its own certificate at install time-I think so-but not other's certificates that the CA issues after installation!!! Interesting is that I can issue a client certificate after disabling the NIC on CA's machine!!! I want to issue the certificates be signed by HSM directly.help me please. thank you in advance Dariush |
|
From: Tomas G. <to...@pr...> - 2012-06-01 10:47:03
|
MobileID is a open source new Android app for signatures and encryption. It is still a beta version, but I though it might be interesting to know. It has been integrated with EJBCA so you can get a certificate easily. Development and further integration will continue... http://www.mobile-id.org/ http://www.primekey.se/News/All+Releases/Release+detail//Mobile_ID_client_from_Nerd_integrated_with_EJBCA_PKI_from_PrimeKey.cid3167 Cheers, Tomas |
|
From: Tomas G. <to...@pr...> - 2012-06-01 09:41:18
|
Hi, I have just finished QA for EJBCA 4.0.11, to be released next week. If anyone wants to beta test before the release, you can get it from svn, https://svn.cesecore.eu/svn/ejbca/branches/Branch_4_0/ejbca/ Notable changes are translation of admin GUI to Japaneese (courtesy of OGIS-RI, Japan) and firther admin GUI improvements (courtesy of Linagora). Regards, Tomas |
|
From: Tomas G. <to...@pr...> - 2012-05-26 07:57:32
|
Hi Community, For those that might be interested. PrimeKey is setting up open EJBCA training courses in Sweden and USA. For the schedule from June to November, visit: http://www.primekey.se/Services/Training/Open+schedule/ Cheers, Tomas |
|
From: Tomas G. <to...@pr...> - 2012-05-25 17:35:15
|
Arshad, this time I believe in my interpretation :-). Since the usage of name constraints have been actualized with the latest SSL hacks. The future usage of name constraints is layed out in a spec by Mozilla. This is the spec public CAs will have to adhere to. The spec specifies how clients should interpret this. You can never have an extension like this for the sole purpose of issuing CA software. Since the purpose is to prevent rogue CAs, who can do whatever they want, the final verdict is in the path validation algorithm in the client. If you read the path validation algorithm part in rfc5280, I think you will find the name constraints there, during path validation. (I am mobile so I cant give references to the Mozilla spec or rfc right now). The matching of altnames etc Is a completely other, unrelated thing. The purpose of name constraints is that clients should not accept a www.google.com certificate issued by the (hacked) strongauth ca, although that ca is certified by VeriSign, and issues a correct certificate with the correct distinguished name and altnames. The path validation tells the client that the strongauth ca is only permitted to issue certificates with altnames and DNs from the strongauth domain. Cheers, Tomas Arshad Noor <ars...@st...> skrev: Hi Tomas, Thanks for your response; I will look into the Custom Extensions section of the EJBCA documentation and see how easy/difficult it is to include the constraint in CA certificates. However, I believe you and I may have a misunderstanding about how the nameConstraints extension is used - although this is not the first time RFC 5280 has been misunderstood :-). Here is how I understand it: Section 4.2.1.10 of RFC 5280 says: The name constraints extension, which MUST be used only in a CA certificate, indicates a name space within which all subject names in subsequent certificates in a certification path MUST be located. My understanding is that the constraint exists primarily for the use of the CA software (like EJBCA) to constrain the certificates is issues to only the permitted sub-trees. I do not believe application software (such as browsers, e-mail, VPN software, etc.) need care about the nameConstraints extension even though they see it in the CA certificates of the chain. The reason is, they have other ways of verifying the permitted subtree. For example, a browser checks the subjectAltName extension for the FQDN and matches it up with the FQDN of the web-site it is connected to. If they do not match, you get the proverbial warnings. Since the use of SAN is universal for server SSL certificates, what would it matter if the nameConstraint had a completely different FQDN in the permitted sub-tree (as long as the site and the SAN FQDN matched? Similarly, Maul User Agents are able to verify the use of a digital certificate for S/MIME against the e-mail header - which has the sender and recipients' e-mail addresses. What would the RFC822 name in the nameConstraint tell the MUA that it doesn't already know? I believe the nameConstraints extension exists primarily for the use of CA software vendors so that issuers of certificates can constrain the issuance of digital certificates to permit or exclude sub-trees. Am I misunderstanding this? Arshad Noor StrongAuth, Inc. On 05/24/2012 11:58 PM, Tomas Gustavsson wrote: > > Hi Arshad, > > Currently you can use custom extensions to implement name constraints. > We have done that for customers. > > The main responsibility is for the client, when verifying the > certificate chain, to reject certificate violating the constraints. > The client implementations for this is currently not perfect, with > different flaws on various platforms, as our testing shows. > > I'd expect this to work better and be more widely deployed in the future > though. > > Cheers, > Tomas > > On 05/24/2012 10:14 PM, Arshad Noor wrote: >> Hi, >> >> Not sure if I'm reading this correctly, but does EJBCA have support >> for issuing/understanding certificates with the nameConstraints (OID >> 2.5.29.30) extension in them, so it can only issue certificates that >> conform to the constraint? I don't see any reference to this >> constraint in its documentation. >> >> I did find an old e-mail that seems to indicate that PrimeKey does >> NOT recommend this extension: >> >> http://osdir.com/ml/java.ejbca.devel/2006-02/msg00092.html >> >> Unfortunately, because of all the problems recently with CAs being >> compromised, TTP CAs are now planning to enforce the use of this >> extension to limit their liability. However, the CA software must >> be able to support the use of the constraint and check all CSRs to >> see if the constraint is satisfied before issuing the certificate. >> I'm unable to find anything in EJBCA docs that indicate this is >> supported; can someone please provide some clarification? Thanks. >> >> Arshad Noor >> StrongAuth, Inc. _____________________________________________ Live Security Virtual Conference Exclusive live event will cover all the ways today's security and threat landscape has changed and how IT managers can respond. Discussions will include endpoint security, mobile security and the latest in malware threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ _____________________________________________ Ejbca-develop mailing list Ejb...@li... https://lists.sourceforge.net/lists/listinfo/ejbca-develop |
|
From: ejbca-support <ejb...@pr...> - 2012-05-25 17:31:30
|
On 2012-05-25 18:33, Arshad Noor wrote: > Hi Tomas, > > Thanks for your response; I will look into the Custom Extensions > section of the EJBCA documentation and see how easy/difficult it is > to include the constraint in CA certificates. > > However, I believe you and I may have a misunderstanding about how > the nameConstraints extension is used - although this is not the first > time RFC 5280 has been misunderstood :-). Here is how I understand it: > > > Section 4.2.1.10 of RFC 5280 says: > > The name constraints extension, which MUST be used only in a CA > certificate, indicates a name space within which all subject names > in subsequent certificates in a certification path MUST be located. > > My understanding is that the constraint exists primarily for the use > of the CA software (like EJBCA) to constrain the certificates is issues > to only the permitted sub-trees. As I understand it, name constraints is a part of path validation which means that clients indeed MUST check them as well. There was a giant discussion on PKIX recently where there was a proposal to make this a SHOULD since some leading clients do not implement this check. The prime target for name constraints are Sub-CA certificates; a root may do whatever it wants. EJBCA does currently not check name constraints but that will be added at a future date. Regards Anders > > I do not believe application software (such as browsers, e-mail, VPN > software, etc.) need care about the nameConstraints extension even > though they see it in the CA certificates of the chain. The reason is, > they have other ways of verifying the permitted subtree. > > For example, a browser checks the subjectAltName extension for the > FQDN and matches it up with the FQDN of the web-site it is connected > to. If they do not match, you get the proverbial warnings. Since the > use of SAN is universal for server SSL certificates, what would it > matter if the nameConstraint had a completely different FQDN in the > permitted sub-tree (as long as the site and the SAN FQDN matched? > > Similarly, Maul User Agents are able to verify the use of a digital > certificate for S/MIME against the e-mail header - which has the > sender and recipients' e-mail addresses. What would the RFC822 name > in the nameConstraint tell the MUA that it doesn't already know? > > I believe the nameConstraints extension exists primarily for the use > of CA software vendors so that issuers of certificates can constrain > the issuance of digital certificates to permit or exclude sub-trees. > > Am I misunderstanding this? > > Arshad Noor > StrongAuth, Inc. > > > On 05/24/2012 11:58 PM, Tomas Gustavsson wrote: >> >> Hi Arshad, >> >> Currently you can use custom extensions to implement name constraints. >> We have done that for customers. >> >> The main responsibility is for the client, when verifying the >> certificate chain, to reject certificate violating the constraints. >> The client implementations for this is currently not perfect, with >> different flaws on various platforms, as our testing shows. >> >> I'd expect this to work better and be more widely deployed in the future >> though. >> >> Cheers, >> Tomas >> >> On 05/24/2012 10:14 PM, Arshad Noor wrote: >>> Hi, >>> >>> Not sure if I'm reading this correctly, but does EJBCA have support >>> for issuing/understanding certificates with the nameConstraints (OID >>> 2.5.29.30) extension in them, so it can only issue certificates that >>> conform to the constraint? I don't see any reference to this >>> constraint in its documentation. >>> >>> I did find an old e-mail that seems to indicate that PrimeKey does >>> NOT recommend this extension: >>> >>> http://osdir.com/ml/java.ejbca.devel/2006-02/msg00092.html >>> >>> Unfortunately, because of all the problems recently with CAs being >>> compromised, TTP CAs are now planning to enforce the use of this >>> extension to limit their liability. However, the CA software must >>> be able to support the use of the constraint and check all CSRs to >>> see if the constraint is satisfied before issuing the certificate. >>> I'm unable to find anything in EJBCA docs that indicate this is >>> supported; can someone please provide some clarification? Thanks. >>> >>> Arshad Noor >>> StrongAuth, Inc. > > ------------------------------------------------------------------------------ > Live Security Virtual Conference > Exclusive live event will cover all the ways today's security and > threat landscape has changed and how IT managers can respond. Discussions > will include endpoint security, mobile security and the latest in malware > threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/ > _______________________________________________ > Ejbca-develop mailing list > Ejb...@li... > https://lists.sourceforge.net/lists/listinfo/ejbca-develop |
106 messages has been excluded from this view by a project administrator.
