Creating Authenticated Requests and Link Certificates

The following covers creating Authenticated Requests and Link Certificates.

Authenticated Requests

To sign CV certificate requests with your Country Verifying CA (CVCA), go to Edit Certificate Authorities, select your CVCA and then click Create Authenticated Certificate Signing Request. You can upload the CV certificate request to the CVCA and get an authenticated request back. This is required when sending certificate requests from your DVs to other member states.

When renewing a Document Verifier (DV) and sending a request to another member state, you can get the request automatically authenticated by signing it with the DV's old key. You do this by creating a CSR for the new DV key and making an authenticated request signed with the old key. After generating new keys on the Crypto Token, go to Certification Authorities, select the desired DV, and click Edit. Ensure that the sequence is updated, then choose to generate a new CSR for the new key in the Externally signed CA creation/renewal section. If it is a renewal, an authenticated request, authenticated with the DV's current key, will be returned (the new key is not yet activated).

To view the authenticated DV request using the clientToolBox CLI tool, use the following command:

ejbcaClientToolBox.sh CvcWsRaCli cvcprint SEDVCA00100001.pem

To verify the authenticated DV request, you need the whole chain in the case of ECDSA, since the EC curve parameters are only present in the CVCA certificate:

./ejbcaClientToolBox.sh CvcWsRaCli cvcprint SEDVCA00100001.pem SECVCA00100000_SEDVCA00100000.cacert.pem SECVCA00100000_SECVCA00100000.cacert.pem
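As an added example (not EJBCA's own code), the following parses the outer structure of a CVC authenticated request and checks the renewal properties described above: the outer signature is made with the DV's current key, so the outer CAR must name the same holder as the new CHR with an earlier sequence number. The TLV tags follow BSI TR-03110 Part 3; the request bytes are constructed here with placeholder public-key and signature contents, and the reference values reuse the holder names from the commands above.

```python
def tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV (1- or 2-byte tag, length up to 0xFFFF)."""
    t = tag.to_bytes(2 if tag > 0xFF else 1, "big")
    n = len(value)
    if n < 0x80:
        ln = bytes([n])
    elif n < 0x100:
        ln = b"\x81" + bytes([n])
    else:
        ln = b"\x82" + n.to_bytes(2, "big")
    return t + ln + value

def parse(data: bytes) -> list:
    """Decode the TLVs at one nesting level into a list of (tag, value)."""
    out, i = [], 0
    while i < len(data):
        tag = data[i]; i += 1
        if tag & 0x1F == 0x1F:            # two-byte tag such as 0x7F21 or 0x5F20
            tag = (tag << 8) | data[i]; i += 1
        n = data[i]; i += 1
        if n & 0x80:                      # long-form length
            k = n & 0x7F; n = int.from_bytes(data[i:i + k], "big"); i += k
        out.append((tag, data[i:i + n])); i += n
    return out

def split_ref(ref: str) -> tuple:
    """CAR/CHR = country code + holder mnemonic, followed by a 5-character sequence."""
    return ref[:-5], ref[-5:]

def check_authenticated_request(req: bytes) -> dict:
    """Extract the references and evaluate the checks a DV renewal request must pass."""
    (outer_tag, outer), = parse(req)
    assert outer_tag == 0x67, "not an authenticated request (tag 0x67)"
    fields = dict(parse(outer))                        # 7F21 cert request, 42 outer CAR, 5F37 outer sig
    body = dict(parse(dict(parse(fields[0x7F21]))[0x7F4E]))
    inner_car = body[0x42].decode("ascii")             # CVCA expected to sign the new certificate
    new_chr = body[0x5F20].decode("ascii")             # holder reference of the new DV key
    outer_car = fields[0x42].decode("ascii")           # key that authenticated the request (old DV key)
    old_holder, old_seq = split_ref(outer_car)
    new_holder, new_seq = split_ref(new_chr)
    return {"inner_car": inner_car, "chr": new_chr, "outer_car": outer_car,
            "same_holder": old_holder == new_holder,   # authenticated by the same DV
            "sequence_updated": new_seq > old_seq,     # sequence was incremented for the new key
            "verify_outer_with_chr": outer_car}        # certificate whose public key checks the outer signature

# Constructed sample: new DV key SEDVCA00100001, authenticated by the current key SEDVCA00100000.
BODY = tlv(0x7F4E, tlv(0x5F29, b"\x00") + tlv(0x42, b"SECVCA00100000")
           + tlv(0x7F49, b"<placeholder public key>") + tlv(0x5F20, b"SEDVCA00100001"))
REQUEST = tlv(0x67, tlv(0x7F21, BODY + tlv(0x5F37, b"<inner sig>"))
              + tlv(0x42, b"SEDVCA00100000") + tlv(0x5F37, b"<outer sig>"))

if __name__ == "__main__":
    print(check_authenticated_request(REQUEST))
```

Signature verification itself is left to the cvcprint chain check above; this block only confirms that the request is structured as a renewal by the right holder.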

To automate renewing of DVCAs using the WS API, use the following:

ejbcaClientToolBox.sh EjbcaWsRaCli cacertrequest
ejbcaClientToolBox.sh EjbcaWsRaCli cacertresponse

For more information, see Web Service Interface.

Link Certificates

A link certificate must be issued when a CVCA is renewed. It can be used to switch the CA completely: new keys, new algorithms, and a new Country/Mnemonic.

When renewing a Country Verifying CA (CVCA) in the EJBCA Admin UI, a link certificate is automatically created. Requirements on link certificates are specified in Common Certificate Policy for the Extended Access Control Infrastructure for Travel and Residence Documents (BSI TR-03139). When renewing a CVCA, the signature algorithm can be changed. Note that the algorithm identifier in the link certificate itself is the new algorithm, since the algorithm is tied to the public key rather than to the certificate signature; the link certificate is signed by the old CVCA key, using the algorithm specified in the public key of the old CVCA certificate.

It is also possible to manually create link certificates using the clientToolBox CLI tool.

ejbcaClientToolBox.sh PKCS11HSMKeyTool linkcert

To create CVCA link certificates, the same approach is used. First renew the CVCA (generating new keys), which creates a new self-signed CVCA certificate internally. Download the new self-signed CVCA certificate (for example from Basic Functions). After this you can create a link certificate by specifying the CVCA's name in the text field in Edit Certificate Authorities and clicking Sign Certificate Request. Upload the new CVCA certificate and select Use previous key and Create link certificate.