Cryptography and Security

Where are software based CA keys stored in the database?

These keys are stored in a PKCS#12 file, encrypted with a password. The PKCS#12 is stored in the database in the CAData table.

When a new end entity is created, where and how is the password stored?

A one-time password is stored hashed with BCrypt in the UserData table in the database. If the checkbox 'clear text password' is checked when adding the user the password is stored in clear text, to be used for server side generation.

If I enable key recovery, where are the end entities private keys stored in the database?

The private keys for key recovery is stored in the KeyRecoveryData table in the database. The data is encrypted with the CAs encryption key. The private keys are only stored if key recovery is enabled.

What is EJBCA's export classification (ECCN code)?

In theory EJBCA would be classified under ECCN code 5D002.c.1, and the PrimeKey PKI Appliance under 5A002.a.1 and approved for export under License Exception TSU. See The Bureau of Industry and Security website for further details. However, in EJBCA, SignServer and the PrimeKey PKI Appliance encryption is only used for authentication and digital signatures. The products are therefore not controlled according to 5D002.c.1 or 5A002.a.1.

I get the error "Signature was not correctly verified" when running an HSM in FIPS mode

You've probably set the same key to be used for signatures and encryption, which is not allowed according to FIPS.