- EJBCA Introduction
- EJBCA Installation
-
EJBCA Operations
-
EJBCA CA Concept Guide
- Certificate Authority Overview
- Crypto Tokens Overview
- End Entities Overview
- Publishers Overview
- Validators Overview
- Certificate Profiles Overview
- Approval Profiles
- Services
- Peer Systems
- Internal Key Bindings Overview
- Roles and Access Rules
- Protocols
- Logging
- Character Limitations
- User Data Sources
- EJBCA RA Concept Guide
-
EJBCA Operations Guide
-
CA Operations Guide
- Approving Actions
- CA UI Overview
- Configure EJBCA for Public Access
- CRL Generation
- EJBCA Configuration Checker
- EJBCA Maintenance
- End Entities
- End Entity Profile Operations
- Exporting and Importing Profiles
- Importing Certificates
- Key Recovery
- Managing CAs
- Managing Certificate Profiles
- Managing Crypto Tokens
- Managing Internal Keybindings
- Modular Protocol Configuration
- OCSP Management
- Peer Systems Operations
- Roles and Access Rules Operations
- RA Operations Guide
- Command Line Interfaces
- EJBCA Batch Enrollment GUI
- ConfigDump Export and Audit Tool
-
CA Operations Guide
-
EJBCA CA Concept Guide
-
EJBCA Integration
-
Integrating with Third-Party Applications
- Access EJBCA using USB Tokens and Smart Cards
- Native Certificate Autoenrollment for Windows
- Script based Autoenrollment for Windows clients with EJBCA
- Integrating EJBCA with GreyLog
- Versasec Card Management System Integration
- Ciphermail Email Gateway and EJBCA Integration
- Microsoft Smart Card Logon
- EJBCA and Cisco IOS
- OpenSSH and X509 Authentication
- Configure EJBCA with OpenSSO
- Setting up an Apache Web Server as a Proxy
- Setting up an Apache Web Server with mod_jk
- Setting up a HA Proxy in front of EJBCA
- EJBCA with GemSAFE Toolbox
- SensorNet PKI
- Issuing Certificates to Kubernetes Services using cert-manager
- Hardware Security Modules (HSM)
-
Integrating with Third-Party Applications
- Troubleshooting Guide
-
Tutorials and Guides
- Quick Install Guide
- Migrating from other CAs to EJBCA
- Modifying EJBCA
- Enabling Debug Logging
- Creating a custom RA application using EJBCA Web Services and Java
- Using EJBCA as a Certificate Management System (CMS)
- Batch Creating Certificates
- Making an ASN.1 Dump of a Certificate
- Using the Demo Servlet
-
EJBCA Release Information
-
EJBCA Release Notes
- EJBCA 7.2.1 Release Notes
- EJBCA 7.2 Release Notes
- EJBCA 7.1 Release Notes
- EJBCA 7.0.1 Release Notes
- EJBCA 7.0.0 Release Notes
- EJBCA 6.15.2 Release Notes
- EJBCA 6.15.1 Release Notes
- EJBCA 6.15 Release Notes
- EJBCA 6.14.1 Release Notes
- EJBCA 6.14 Release Notes
- EJBCA 6.13 Release Notes
- EJBCA 6.12 Release Notes
- EJBCA 6.11 Release Notes
- EJBCA 6.10 Release Notes
- EJBCA 6.9 Release Notes
- EJBCA 6.8 Release Notes
- EJBCA 6.7 Release Notes
- EJBCA 6.6 Release Notes
- EJBCA 6.5 Release Notes
- EJBCA 6.4 Release Notes
- EJBCA 6.3 Release Notes
- EJBCA 6.2 Release Notes
- EJBCA 6.1 Release Notes
- EJBCA 6.0 Release Notes
- EJBCA Release Notes Summary
- EJBCA Change Log Summary
-
EJBCA Upgrade Notes
- EJBCA 7.2.1 Upgrade Notes
- EJBCA 7.2 Upgrade Notes
- EJBCA 7.1 Upgrade Notes
- EJBCA 7.0.1 Upgrade Notes
- EJBCA 7.0 Upgrade Notes
- EJBCA 6.15 Upgrade Notes
- EJBCA 6.14 Upgrade Notes
- EJBCA 6.13 Upgrade Notes
- EJBCA 6.12 Upgrade Notes
- EJBCA 6.11 Upgrade Notes
- EJBCA 6.10 Upgrade Notes
- EJBCA 6.9 Upgrade Notes
- EJBCA 6.8 Upgrade Notes
- EJBCA 6.7 Upgrade Notes
- EJBCA 6.6 Upgrade Notes
- EJBCA 6.5 Upgrade Notes
- EJBCA 6.4 Upgrade Notes
- EJBCA 6.3 Upgrade Notes
- EJBCA 6.2 Upgrade Notes
- EJBCA 6.1 Upgrade Notes
- EJBCA 6.0 Upgrade Notes
- EJBCA Upgrade Notes Summary
-
EJBCA Release Notes
Key Validators
Key Validators validate the quality of keys, foremost as a result of incoming CSRs. There are currently three types of Key Validators.
Key Validator Types
RSA Key Validator
The RSA Key Validator inspects RSA key parameters and validates key quality beyond key length and size. This key validator can enforce the CA/B-Forum requirements on public keys, and also performs the following tests on the RSA exponent and modulus:
- That the value of the public exponent is an odd number equal to 3 or more.
- That the public exponent is in the range between 2^16+1 and 2^256-1.
- That the modulus is an odd number, not the power of a prime, and have no factors smaller than 752.
ECC Key Validator
The ECC Key validator inspects the full public key validation (NIST SP 56A) routine on ECC keys.
Blacklist Key Validator
This validator compares public keys against a blacklist of known bad public keys, such as the Debian bad keys.
The blacklist is empty by default and must be filled manually. PrimeKey can provide a blacklist of Debian weak keys as created by the Metasploit project.
The public key blacklisted entries can be added using the CLI:
bin/ejbca.sh ca updatepublickeyblacklist --command add --dir <directory of blacklisted public keys> where the directory contains public key files in PEM format. If you have a list of PEM formatted private keys, you can create the public key entries, and CSRs to test with using these commands:
openssl req -key blacklisted-privatekey.pem -out blacklisted.csr -new
openssl rsa -in blacklisted-privatekey.pem -pubout > tmp/blacklisted-publickey.pemYou can import a blacklist fingerprint file (a file with one blacklist fingerprint per line) with:
bin/ejbca.sh ca updatepublickeyblacklist --command add --mode fingerprint --keyspecs RSA2048 --dir <directory where blacklist fingerprint file resides> You can also remove fingerprints using the fingerprint file:
bin/ejbca.sh ca updatepublickeyblacklist --command remove --mode fingerprint --dir <directory where blacklist fingerprint file resides>Common Key Validator Settings
| Setting | Description |
|---|---|
Certificate Validity Not Before | Only perform validation if certificate validity NotBefore matches the condition, i.e. is less than or greater than the given date. If no date is set, this condition is not used. Date in the format 2017-02-28 will for example only validate certificates valid from the 28th of February 2017. |
Certificate Validity Not After | Only perform validation if certificate validity NotAfter matches the condition. The format of the date entered is 'yyyy-MM-dd [HH:mm:ss]', for example 2022-08-25 for the 25th of August 2022, or if you want to specify a time '2022-08-25 14:50:55'. The displayed date is converted to the server's timezone, and you can specify timezone as well '2022-08-25 14:50:55-0000' for UTC. |