EJBCA eIDAS Introduction

This is an EJBCA eIDAS feature.

The following provides an introduction to the EJBCA eIDAS edition.

Background

eIDAS (electronic IDentification, Authentication and trust Services) is the European Union regulation on electronic identification and trust services for electronic transactions in the internal market. It provides the regulatory framework for secure, seamless cross-border electronic transactions and is intended to drive digital growth within the European Union. For more information, refer to Regulation (EU) No 910/2014.

The eIDAS regulation has created an internal market for trust services within Europe. Trust service providers (TSPs) are companies or organizations that provide third-party trust services such as certificate issuance, electronic signatures and authentication. The regulation specifies requirements for any TSP offering such services to the public within the EU, so that certificate trustworthiness is held to the same set of standards across the entire EU.

The European Telecommunications Standards Institute (ETSI) and the European Committee for Standardization (CEN) have developed the standards and guidelines that an organization must meet in order to qualify as a TSP under eIDAS (for example, the ETSI EN 319 411 policy requirements for TSPs issuing certificates).

PrimeKey’s Public Key Infrastructure and electronic signing solutions help reduce the complexity of becoming an eIDAS-compliant TSP. The EJBCA eIDAS edition provides issuance, registration and validation services within the eIDAS context.

EJBCA eIDAS

The EJBCA eIDAS edition is released to facilitate compliance with new and updated eIDAS regulations and requirements, and to support certified HSMs as they become available.

To support EJBCA Enterprise customers who want to become eIDAS qualified Trust Service Providers and issue qualified certificates, for example for qualified electronic signatures, the EJBCA eIDAS edition currently supports the Utimaco CryptoServer CP5 HSM, which is Common Criteria certified against the Protection Profile EN 419 221-5 (Cryptographic Module for Trust Services).

We expect to add support for Common Criteria certified HSMs from other vendors as they become available.

Utimaco CryptoServer CP5

The EJBCA eIDAS edition supports the Utimaco CryptoServer CP5 HSM.

The Utimaco CryptoServer CP5 is eIDAS-compliant and Common Criteria certified according to the Protection Profile EN 419 221-5 “Cryptographic Module for Trust Services”.

The Utimaco CryptoServer CP5 supports Trust Service Providers (TSPs) in fulfilling the policy and security requirements defined in the relevant ETSI technical standards. Application areas include eIDAS-compliant qualified signature creation and remote signing, as well as certificate issuance, OCSP responses and time-stamping.

For more information, see Utimaco CryptoServer CP5.

Key Authorization

One of the key features of the EJBCA eIDAS edition is support for the eIDAS-specific key management process of the eIDAS-compliant Utimaco CryptoServer CP5 HSM.

In the EJBCA eIDAS edition, each HSM key is uniquely bound to a second key, the Key Authorization Key (KAK). The KAK is used to initialize and authorize the Common Criteria certified HSM keys: a key is not usable until it has been authorized with its KAK, which adds a layer of authorization, beyond the HSM login itself, to the management of HSM keys. The KAK private key is held outside the HSM by the key custodian, so that neither an HSM operator alone nor a KAK holder alone can bring a signing key into use.

For more information on the Key Authorization Key and how to set up a Crypto Token, see CP5 Crypto Token. For information on the EJBCA P11NG-CLI tool, providing commands to manage keys on CP5-specific HSMs, see P11NG-CLI.
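The following is an added example, not code from EJBCA, P11NG or Utimaco, that models the two-key control described above: an HSM key that is created unusable, is bound once to a Key Authorization Key, and can only be released for a bounded number of private-key operations by presenting a KAK signature. The toy RSA KAK (Mersenne-prime modulus), the `authorize:<alias>:<count>` message format, the operation counter and the class and function names are assumptions made for the model; the real CP5 mechanism is reached through PKCS#11 vendor extensions via EJBCA's P11NG and is not reproduced here.

```python
"""Simplified model of CP5-style key authorization with a Key Authorization Key (KAK).

Constructed for illustration only: the toy RSA KAK, the message format and the
operation counter are assumptions of this model, not the Utimaco CP5 protocol
or EJBCA's P11NG implementation.
"""
import hashlib

# Toy KAK: RSA over two Mersenne primes. Far too small to be secure; it only
# stands in for the KAK private key that the custodian keeps OUTSIDE the HSM.
_P = (1 << 127) - 1
_Q = (1 << 107) - 1
KAK_N = _P * _Q
KAK_E = 65537
_KAK_D = pow(KAK_E, -1, (_P - 1) * (_Q - 1))  # custodian-held; never loaded into the HSM
KAK_PUBLIC = (KAK_N, KAK_E)                   # what the HSM stores at initialization


def hash_to_int(data: bytes, n: int) -> int:
    """SHA-256 of data reduced into Z_n (toy hash-and-sign, no padding scheme)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def kak_sign(message: bytes) -> int:
    """KAK private operation, performed by the custodian outside the HSM."""
    return pow(hash_to_int(message, KAK_N), _KAK_D, KAK_N)


def authorization_message(alias: str, max_operations: int) -> bytes:
    """What the custodian signs: which key, and for how many private-key operations."""
    return f"authorize:{alias}:{max_operations}".encode()


class SimulatedHsmKey:
    """A private key that exists inside the HSM but is unusable until authorized."""

    def __init__(self, alias: str):
        self.alias = alias
        self.kak_public = None   # bound once at initialization, fixed afterwards
        self.remaining = 0       # authorized private-key operations left

    def init_authorization(self, kak_public: tuple) -> None:
        # One-time binding: re-binding to another KAK would defeat the control.
        if self.kak_public is not None:
            raise PermissionError("key already bound to a KAK")
        self.kak_public = kak_public

    def authorize(self, max_operations: int, signature: int) -> None:
        if self.kak_public is None:
            raise PermissionError("key not initialized with a KAK")
        n, e = self.kak_public
        expected = hash_to_int(authorization_message(self.alias, max_operations), n)
        # Only a valid KAK signature over (alias, count) releases the key;
        # HSM login alone is not sufficient.
        if pow(signature, e, n) != expected:
            raise PermissionError("KAK signature invalid")
        self.remaining = max_operations

    def sign(self, data: bytes) -> str:
        """Stand-in for the private-key operation (e.g. signing a certificate)."""
        if self.remaining <= 0:
            raise PermissionError(f"key {self.alias} is not authorized")
        self.remaining -= 1
        return hashlib.sha256(self.alias.encode() + b"|" + data).hexdigest()


def demo() -> dict:
    """Walk the key through its lifecycle and record what the model enforces."""
    out = {}
    key = SimulatedHsmKey("signKey0001")
    try:
        key.sign(b"tbsCertificate")            # freshly created: blocked
    except PermissionError:
        out["unauthorized_rejected"] = True

    key.init_authorization(KAK_PUBLIC)
    try:
        key.authorize(5, 123456789)            # forged token without the KAK: blocked
    except PermissionError:
        out["forged_rejected"] = True

    sig = kak_sign(authorization_message(key.alias, 2))
    key.authorize(2, sig)                      # genuine KAK authorization for 2 operations
    out["sig1"] = key.sign(b"tbsCertificate")
    out["sig2"] = key.sign(b"tbsCertificate")
    try:
        key.sign(b"tbsCertificate")            # counter exhausted: needs a new KAK authorization
    except PermissionError:
        out["counter_enforced"] = True

    other = SimulatedHsmKey("signKey0002")
    other.init_authorization(KAK_PUBLIC)
    try:
        other.authorize(2, sig)                # token is bound to signKey0001: cannot be replayed
    except PermissionError:
        out["replay_rejected"] = True
    return out


if __name__ == "__main__":
    print(demo())
```

The point the model makes is the separation of duties: the HSM operator can create and initialize keys but cannot release them, and the KAK custodian can release them but only through the HSM, which verifies the KAK signature and enforces the operation budget. Binding the alias and count into the signed message is what stops one authorization from being reused against another key.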