EJBCA

Last updated
EJBCA
Developer(s) PrimeKey Solutions AB
Initial releaseDecember 5, 2001 (2001-12-05)
Stable release
8.3.2 / June 27, 2024 (2024-06-27)
Repository
Written in Java on Java EE
Operating system Cross-platform
Available inBosnian, Chinese, Czech, English, French, German, Japanese, Portuguese, Swedish, Ukrainian, Vietnamese
Type PKI Software
License LGPL-2.1-or-later
Website www.ejbca.org   OOjs UI icon edit-ltr-progressive.svg

EJBCA (formerly: Enterprise JavaBeans Certificate Authority) is a free software public key infrastructure (PKI) certificate authority software package maintained and sponsored by the Swedish for-profit company PrimeKey Solutions AB, which holds the copyright to most of the codebase, being a subsidiary for Keyfactor Inc. based in United States. The project's source code is available under the terms of the GNU Lesser General Public License (LGPL). The EJBCA software package is used to install a privately operated certificate authority, validation authority and registration authority. This is in contrast to commercial certificate, validation and/or authorities that are operated by a trusted third party. Since its inception EJBCA has been used as certificate authority software for different use cases, including eGovernment, [1] endpoint management, [2] research, [3] [4] [5] energy, [6] eIDAS, [7] telecom, [8] networking, [9] and for usage in SMEs. [10]

Contents

See also

Related Research Articles

<span class="mw-page-title-main">Public-key cryptography</span> Cryptographic system with public and private keys

Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic algorithms based on mathematical problems termed one-way functions. Security of public-key cryptography depends on keeping the private key secret; the public key can be openly distributed without compromising security.

<span class="mw-page-title-main">Public key infrastructure</span> System that can issue, distribute and verify digital certificates

A public key infrastructure (PKI) is a set of roles, policies, hardware, software and procedures needed to create, manage, distribute, use, store and revoke digital certificates and manage public-key encryption.

In cryptography, a public key certificate, also known as a digital certificate or identity certificate, is an electronic document used to prove the validity of a public key. The certificate includes the public key and information about it, information about the identity of its owner, and the digital signature of an entity that has verified the certificate's contents. If the device examining the certificate trusts the issuer and finds the signature to be a valid signature of that issuer, then it can use the included public key to communicate securely with the certificate's subject. In email encryption, code signing, and e-signature systems, a certificate's subject is typically a person or organization. However, in Transport Layer Security (TLS) a certificate's subject is typically a computer or other device, though TLS certificates may identify organizations or individuals in addition to their core role in identifying devices. TLS, sometimes called by its older name Secure Sockets Layer (SSL), is notable for being a part of HTTPS, a protocol for securely browsing the web.

In cryptography, X.509 is an International Telecommunication Union (ITU) standard defining the format of public key certificates. X.509 certificates are used in many Internet protocols, including TLS/SSL, which is the basis for HTTPS, the secure protocol for browsing the web. They are also used in offline applications, like electronic signatures.

<span class="mw-page-title-main">Certificate revocation list</span> A list of revoked digital certificates

In cryptography, a certificate revocation list (CRL) is "a list of digital certificates that have been revoked by the issuing certificate authority (CA) before their scheduled expiration date and should no longer be trusted". CRLs are no longer required by the CA/Browser forum, as alternate certificate revocation technologies are increasingly used instead. Nevertheless, CRLs are still widely used by the CAs.

In cryptography, a certificate authority or certification authority (CA) is an entity that stores, signs, and issues digital certificates. A digital certificate certifies the ownership of a public key by the named subject of the certificate. This allows others to rely upon signatures or on assertions made about the private key that corresponds to the certified public key. A CA acts as a trusted third party—trusted both by the subject (owner) of the certificate and by the party relying upon the certificate. The format of these certificates is specified by the X.509 or EMV standard.

<span class="mw-page-title-main">VMware</span> Multi-cloud service provider for all apps

VMware LLC is an American cloud computing and virtualization technology company headquartered in Palo Alto, California. VMware was the first commercially successful company to virtualize the x86 architecture.

In cryptography and computer security, self-signed certificates are public key certificates that are not issued by a certificate authority (CA). These self-signed certificates are easy to make and do not cost money. However, they do not provide any trust value.

The Online Certificate Status Protocol (OCSP) is an Internet protocol used for obtaining the revocation status of an X.509 digital certificate. It is described in RFC 6960 and is on the Internet standards track. It was created as an alternative to certificate revocation lists (CRL), specifically addressing certain problems associated with using CRLs in a public key infrastructure (PKI). Messages communicated via OCSP are encoded in ASN.1 and are usually communicated over HTTP. The "request/response" nature of these messages leads to OCSP servers being termed OCSP responders.

Loren Kohnfelder is a computer scientist working in public key cryptography.

<span class="mw-page-title-main">Hardware security module</span> Physical computing device

A hardware security module (HSM) is a physical computing device that safeguards and manages secrets, performs encryption and decryption functions for digital signatures, strong authentication and other cryptographic functions. These modules traditionally come in the form of a plug-in card or an external device that attaches directly to a computer or network server. A hardware security module contains one or more secure cryptoprocessor chips.

Code signing is the process of digitally signing executables and scripts to confirm the software author and guarantee that the code has not been altered or corrupted since it was signed. The process employs the use of a cryptographic hash to validate authenticity and integrity. Code signing was invented in 1995 by Michael Doyle, as part of the Eolas WebWish browser plug-in, which enabled the use of public-key cryptography to sign downloadable Web app program code using a secret key, so the plug-in code interpreter could then use the corresponding public key to authenticate the code before allowing it access to the code interpreter's APIs.

Simple Certificate Enrollment Protocol (SCEP) is described by the informational RFC 8894. Older versions of this protocol became a de facto industrial standard for pragmatic provisioning of digital certificates mostly for network equipment.

PERMIS is a sophisticated policy-based authorization system that implements an enhanced version of the U.S. National Institute of Standards and Technology (NIST) standard Role-Based Access Control (RBAC) model. PERMIS supports the distributed assignment of both roles and attributes to users by multiple distributed attribute authorities, unlike the NIST model which assumes the centralised assignment of roles to users. PERMIS provides a cryptographically secure privilege management infrastructure (PMI) using public key encryption technologies and X.509 Attribute certificates to maintain users' attributes. PERMIS does not provide any authentication mechanism, but leaves it up to the application to determine what to use. PERMIS's strength comes from its ability to be integrated into virtually any application and any authentication scheme like Shibboleth (Internet2), Kerberos, username/passwords, Grid proxy certificates and Public Key Infrastructure (PKI).

GlobalSign is a certificate authority and a provider of internet identity and security products. As of January 2015, Globalsign was the 4th largest certificate authority in the world, according to Netcraft.

In cryptography Privilege Management is the process of managing user authorisations based on the ITU-T Recommendation X.509. The 2001 edition of X.509 specifies most of the components of a Privilege Management Infrastructure (PMI), based on X.509 attribute certificates (ACs). Later editions of X.509 have added further components to the PMI, including a delegation service and interdomain authorisation.

<span class="mw-page-title-main">DigiCert</span> Internet security company

DigiCert, Inc. is a digital security company headquartered in Lehi, Utah. DigiCert provides public key infrastructure (PKI) and validation required for issuing digital certificates or TLS/SSL certificates, acting as a certificate authority (CA) and trusted third party.

Resource Public Key Infrastructure (RPKI), also known as Resource Certification, is a specialized public key infrastructure (PKI) framework to support improved security for the Internet's BGP routing infrastructure.

The Enrollment over Secure Transport, or EST is a cryptographic protocol that describes an X.509 certificate management protocol targeting public key infrastructure (PKI) clients that need to acquire client certificates and associated certificate authority (CA) certificates. EST is described in RFC 7030. EST has been put forward as a replacement for SCEP, being easier to implement on devices already having an HTTPS stack. EST uses HTTPS as transport and leverages TLS for many of its security attributes. EST has described standardized URLs and uses the well-known Uniform Resource Identifiers (URIs) definition codified in RFC 5785.

In public key cryptography, a certificate may be revoked before it expires, which signals that it is no longer valid. Without revocation, an attacker could exploit such a compromised or misissued certificate until expiry. Hence, revocation is an important part of a public key infrastructure. Revocation is performed by the issuing certificate authority, which produces a cryptographically authenticated statement of revocation.

References

  1. "A PKI ARCHITECTURE USING OPEN SOURCE SOFTWARE FOR E-GOVERNMENT SERVICES IN ROMANIA". Indian Journal of Computer Science and Engineering. 2. 2011. Retrieved May 5, 2021.
  2. "VMware Workspace ONE UEM Product Documentation". VMWare. March 3, 2020. Retrieved May 5, 2021.
  3. "A web service based architecture for authorization of unknown entities in a Grid environment". University of Windsor. January 1, 2007. Retrieved May 5, 2021.
  4. Zhang, Liyi; Liu, Qihua; Xu, Min (2007). "Research and application of EJBCA based on J2EE" (PDF). Integration and Innovation Orient to E-Society Volume 1. IFIP — the International Federation for Information Processing. Vol. 251. Springer. pp. 337–345. doi:10.1007/978-0-387-75466-6_38. ISBN   978-0-387-75465-9 . Retrieved May 5, 2021.
  5. "Secret Sharing Framework Based on Digital Certificates". Proceedings of the 13th European Conference on Cyber Warfare and Security. 10.13140/RG.2.1.4331.5281. January 1, 2014. Retrieved May 5, 2021.
  6. "Cybersecurity: An Enabler for Critical Infrastructure". Siemens. 2021. Retrieved May 5, 2021.
  7. "Zetes launches eSig division ZetesConfidens". Security Document World. October 2, 2018. Retrieved May 5, 2021.
  8. "Key Management for 4G and 5G inter-PLMN Security" (PDF). GSMA. March 6, 2020. Retrieved June 8, 2021.
  9. "Field Notice: FN - 72013 - Cisco APIC-EM Root Certificate Expiration Causes All IWAN DMVPN Connections to Fail - Software Upgrade Recommended". Cisco. December 18, 2020. Retrieved May 5, 2021.
  10. "Building and Managing a PKISolution for Small and MediumSize Business". SANS Institute. December 16, 2013. Retrieved May 5, 2021.

Further reading