PKI Administration Using EJBCA and OpenCA

PKI Administration Using EJBCA and OpenCA Presented By: Ayesha Ghori and Asra Parveen


Transcript of PKI Administration Using EJBCA and OpenCA

Page 1: PKI Administration Using EJBCA and OpenCA

PKI Administration Using EJBCA and OpenCA

Presented By:

Ayesha Ghori and Asra Parveen

Page 2: PKI Administration Using EJBCA and OpenCA

PKI: Public Key Infrastructure

A trusted third party.

Secured communication.

Provides digital certificates that can identify an individual or an organization.

Stores and revokes Certificates.

Provides services like Encryption, digital Signatures, data integrity, key establishment, zero knowledge/minimum knowledge protocols.

Page 3: PKI Administration Using EJBCA and OpenCA

PKI Components

Certificate Authority: A CA issues certificates to, and vouches for the authenticity of, entities.

Registration Authority: An RA is an administrative function that registers entities in the PKI.

End entity: An end-entity is a user, such as an e-mail client, a web server, a web browser or a VPN-gateway.

Page 4: PKI Administration Using EJBCA and OpenCA

PKI HIERARCHY

GMU CA (TOP CA)

GMU FAIRFAX CA (SUB CA)

GMU MANASSAS CA (SUB CA)

GMU PW CAMPUS CA (SUB CA)

RA INSTANCE: GMU FAIRFAX

RA INSTANCE: GMU MANASSAS

RA INSTANCE: GMU PW CAMPUS

GMU Fairfax CA Administrator

GMU Manassas CA Administrator

Super Administrator

GMU Fairfax RA Administrator

GMU Manassas RA Administrator

GMU PW RA Administrator

GMU PW CA Administrator

Page 5: PKI Administration Using EJBCA and OpenCA

EJBCA and OpenCA Software Requirements

Software Requirements of EJBCA

Java JDK 1.5 – Java 2 Platform Standard Development Kit.

Apache Ant – Java Build Utility, used to compile and build Java programs.

JBoss 4.0.5 – J2EE Application Server

EJBCA download

Software Requirements of OpenCA

OpenLDAP.

OpenSSL.

Apache Project.

Apache mod_ssl.

Page 6: PKI Administration Using EJBCA and OpenCA

EJBCA

EJBCA is a fully functional Certificate Authority built in Java.

Based on J2EE technology.

Robust

High performance, component based CA. Flexible and platform independent.

EJBCA can be used as standalone or integrated in any J2EE application.

Page 7: PKI Administration Using EJBCA and OpenCA

EJBCA: Architecture

Page 8: PKI Administration Using EJBCA and OpenCA

EJBCA Administration

Create and Initialize the Super Administrator

Creating and Configuring data sources

Creating Publishers

Creating Certificate Authorities

Creating Registration Authorities

Creating End Entities

Creating CRLs

Generating Certificates

Page 9: PKI Administration Using EJBCA and OpenCA

The EJBCA Super Admin Certificate

Page 10: PKI Administration Using EJBCA and OpenCA

OpenCA

Linux based.

Provides a choice of algorithms: des, des3, idea.

Extensions provided: SKI and AKI.

In addition to the PKI components of EJBCA, OpenCA also has a Registration Authority Operator.

Page 11: PKI Administration Using EJBCA and OpenCA

OpenCA: Architecture

Page 12: PKI Administration Using EJBCA and OpenCA

OpenCA Administration

Initializing the Certification Authority

Create the initial administrator

Create the initial RA Certificate

Submit a Certificate Request

Approve the Certificate

Issue the Certificate

Importing the Root Certificate
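
The request, issue and revoke steps above, applied to the top CA / sub CA hierarchy from Page 4, as an added example that is not part of the original slides and is not EJBCA or OpenCA code. It assumes only the plain OpenSSL command line (listed above as an OpenCA requirement); every subject, file name and function name is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the slides. Subjects and file names are constructed.

# new_key_csr NAME SUBJECT: generate a key pair and a certificate request.
new_key_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "$2" -out "$1.csr" >/dev/null 2>&1
}

# pki_demo: top CA -> sub CA -> end entity, then revoke the end entity.
# Prints the end entity's status before and after revocation.
pki_demo() (
    d=$(mktemp -d) && cd "$d" || exit 1
    exec 3>&1 >/dev/null 2>&1          # keep openssl chatter out of the result
    echo 'basicConstraints=critical,CA:TRUE' > ca.ext

    # Top CA: self-signed certificate marked as a CA.
    new_key_csr top '/O=GMU/CN=GMU Top CA'
    openssl x509 -req -in top.csr -signkey top.key -extfile ca.ext \
        -days 30 -out top.pem

    # Sub CA: its request is issued by the top CA.
    new_key_csr sub '/O=GMU/CN=GMU Fairfax Sub CA'
    openssl x509 -req -in sub.csr -CA top.pem -CAkey top.key \
        -CAcreateserial -extfile ca.ext -days 30 -out sub.pem

    # End entity (a web server): issued by the sub CA, no CA extension.
    new_key_csr ee '/O=GMU/CN=www.example.test'
    openssl x509 -req -in ee.csr -CA sub.pem -CAkey sub.key \
        -CAcreateserial -days 30 -out ee.pem

    # check [EXTRA VERIFY OPTIONS]: validate ee.pem up to the top CA.
    check() {
        openssl verify -CAfile top.pem -untrusted sub.pem "$@" ee.pem \
            >/dev/null 2>&1 && echo valid || echo rejected
    }
    before=$(check)

    # Revoke at the sub CA, publish a CRL, then verify with CRL checking on.
    : > index.txt
    printf '[ca]\ndefault_ca=sub\n[sub]\ndatabase=index.txt\ndefault_md=sha256\n' \
        > ca.cnf
    openssl ca -config ca.cnf -keyfile sub.key -cert sub.pem -revoke ee.pem
    openssl ca -config ca.cnf -keyfile sub.key -cert sub.pem \
        -gencrl -crldays 7 -out sub.crl
    after=$(check -crl_check -CRLfile sub.crl)

    cd / && rm -rf "$d"
    echo "$before $after" >&3
)
```

A relying party that skips `-crl_check` keeps accepting the revoked certificate, which is why the CRL update row in the comparison (automatic in EJBCA, manual in OpenCA) matters operationally.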

Page 13: PKI Administration Using EJBCA and OpenCA

User Certificate

Page 14: PKI Administration Using EJBCA and OpenCA

Comparison

| Parameters | EJBCA | OpenCA |
|---|---|---|
| Ease of Configuration | Very Complex | Complex |
| Confidentiality | Offers Confidentiality using encryption | Offers Confidentiality using encryption |
| Integrity | Offers Integrity by encryption | Offers Integrity by encryption |
| Authentication | Offers Authentication by Digital Signature | Offers Authentication by Digital Signature |
| Non-Repudiation | Yes | Yes |

Page 15: PKI Administration Using EJBCA and OpenCA

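| Parameters | EJBCA | OpenCA |
|---|---|---|
| Ability to choose the algorithm to use | Yes | Yes |
| OCSP | Yes | Yes |
| Ability to choose CSP | Yes | No |
| CRL updates | Automatic | Manual |
| Cost | Free | Free |
| Extensions | Yes | Yes |
| LDAP Support | Yes | Yes |
| Support for smart cards | Yes | No |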

Page 16: PKI Administration Using EJBCA and OpenCA

| Parameters | EJBCA | OpenCA |
|---|---|---|
| Platform | Java J2EE | Perl CGI on Unix |
| Certificate Repositories | HSQL | MySQL |
| Modules | EJB | Perl Modules |
| Components based | Yes | Yes |
| Standalone Component | Present | Not Present |
| Supported Browsers | Multiple | Multiple |
| Scalability | Good | Bad |

Page 17: PKI Administration Using EJBCA and OpenCA

Conclusion

EJBCA is the simplest to use

Complexity during installation

Provides for automatic CRL updates

OpenCA is the best for Linux users

Manual revocations

Both can be used by various clients