
PKI Administration Using EJBCA and OpenCA

Presented By: Ayesha Ghori and Asra Parveen

PKI: Public Key Infrastructure

A trusted third party that enables secured communication.
Provides digital certificates that identify an individual or an organization.
Stores and revokes certificates.
Provides services such as encryption, digital signatures, data integrity, key establishment, and zero-knowledge/minimum-knowledge protocols.

PKI Components
Certificate Authority: a CA issues certificates to entities and vouches for their authenticity.
Registration Authority: an RA is an administrative function that registers entities in the PKI.
End entity: an end entity is a user of the PKI, such as an e-mail client, a web server, a web browser or a VPN gateway.

PKI HIERARCHY
Top CA: GMU CA, run by the Super Administrator.
Sub CAs under the Top CA, each with its own CA Administrator: GMU Fairfax CA, GMU Manassas CA, GMU PW Campus CA.
RA instances, one per Sub CA, each with its own RA Administrator: RA instance GMU Fairfax, RA instance GMU Manassas, RA instance GMU PW Campus.

EJBCA and OpenCA Software Requirements

Software Requirements of EJBCA
Java JDK 1.5 (Java 2 Platform, Standard Edition Development Kit)
Apache Ant (Java build utility, used to compile and build Java programs)
JBoss 4.0.5 (J2EE application server)
EJBCA download

Software Requirements of OpenCA
OpenLDAP
OpenSSL
Apache HTTP Server (Apache Project)
Apache mod_ssl

EJBCA
EJBCA is a fully functional Certificate Authority built in Java and based on J2EE technology. It is a robust, high-performance, component-based CA that is flexible and platform independent. EJBCA can be used standalone or integrated in any J2EE application.

EJBCA: Architecture

EJBCA Administration
Create and initialize the Super Administrator
Create and configure data sources
Create publishers
Create Certificate Authorities
Create Registration Authorities
Create end entities
Create CRLs
Generate certificates

The EJBCA Super Admin Certificate

OpenCA
Linux based. Provides a choice of algorithms: DES, 3DES (des3), IDEA. Extensions provided: Subject Key Identifier (SKI) and Authority Key Identifier (AKI). In addition to the PKI components of EJBCA, OpenCA also has a Registration Authority Operator.

OpenCA: Architecture

OpenCA Administration
Initialize the Certification Authority
Create the initial administrator
Create the initial RA certificate
Submit a certificate request
Approve the certificate
Issue the certificate
Import the root certificate
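The EJBCA and OpenCA administration procedures above come down to the same steps: create a Top CA, sign a Sub CA under it, issue an end-entity certificate, and publish CRLs. The script below is an added example, not code from the presentation, from EJBCA or from OpenCA. It carries the PKI HIERARCHY slide's Top CA -> Sub CA -> end entity chain through with the OpenSSL command-line tool (the toolkit OpenCA itself is built on), then revokes the end-entity certificate, publishes a CRL, and shows that verification only catches the revocation when the CRL is consulted. The directory layout, the DNs, the WORK variable and the openssl.cnf contents are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the presentation, EJBCA or OpenCA): the slide's
# two-tier hierarchy built with the OpenSSL CLI. Names and paths are made up.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch directory; assumed writable

# Minimal openssl.cnf for "openssl ca": index.txt/serial/crlnumber are the CA's
# database. v3_ca and v3_end_entity carry the SKI/AKI extensions the OpenCA
# slide mentions, plus basicConstraints and keyUsage.
write_ca_config() {
  dir="$1"
  mkdir -p "$dir/newcerts"
  : > "$dir/index.txt"
  echo 1000 > "$dir/serial"
  echo 1000 > "$dir/crlnumber"
  cat > "$dir/openssl.cnf" <<EOF
[ ca ]
default_ca = this_ca
[ this_ca ]
dir = $dir
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
crlnumber = \$dir/crlnumber
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any_policy
[ any_policy ]
organizationName = optional
commonName = supplied
[ req ]
distinguished_name = req_dn
[ req_dn ]
commonName = Common Name
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
[ v3_end_entity ]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF
}

# Top CA (self-signed) -> Sub CA -> end entity, mirroring GMU CA -> GMU Fairfax CA -> user.
build_pki() {
  root="$1/root"; sub="$1/sub"; ee="$1/ee"
  mkdir -p "$root" "$sub" "$ee"
  write_ca_config "$root"
  write_ca_config "$sub"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -config "$root/openssl.cnf" -extensions v3_ca \
    -subj "/O=GMU/CN=GMU CA" -keyout "$root/ca.key" -out "$root/ca.crt"
  openssl req -new -newkey rsa:2048 -nodes -config "$root/openssl.cnf" \
    -subj "/O=GMU/CN=GMU Fairfax CA" -keyout "$sub/ca.key" -out "$sub/ca.csr"
  openssl ca -batch -notext -config "$root/openssl.cnf" -extensions v3_ca \
    -days 1825 -in "$sub/ca.csr" -out "$sub/ca.crt"
  openssl req -new -newkey rsa:2048 -nodes -config "$sub/openssl.cnf" \
    -subj "/O=GMU/CN=Fairfax User 1" -keyout "$ee/user.key" -out "$ee/user.csr"
  openssl ca -batch -notext -config "$sub/openssl.cnf" -extensions v3_end_entity \
    -in "$ee/user.csr" -out "$ee/user.crt"
}

# Manual revocation as in the OpenCA column: mark the cert revoked in the Sub CA
# database, then publish a fresh CRL. Relying parties see nothing until they fetch it.
revoke_and_publish_crl() {
  openssl ca -batch -config "$1/sub/openssl.cnf" -revoke "$1/ee/user.crt" -crl_reason keyCompromise
  openssl ca -batch -config "$1/sub/openssl.cnf" -gencrl -out "$1/sub/crl.pem"
}

# Returns 0 if the chain Top CA -> Sub CA -> end entity is valid (no revocation check).
verify_chain() {
  openssl verify -CAfile "$1/root/ca.crt" -untrusted "$1/sub/ca.crt" "$1/ee/user.crt" >/dev/null 2>&1
}

# Returns 0 only if the end-entity cert is also absent from the Sub CA's CRL.
verify_chain_with_crl() {
  openssl verify -crl_check -CAfile "$1/root/ca.crt" -untrusted "$1/sub/ca.crt" \
    -CRLfile "$1/sub/crl.pem" "$1/ee/user.crt" >/dev/null 2>&1
}

# Returns 0 if a certificate carries both the SKI and AKI extensions.
has_ski_aki() {
  text=$(openssl x509 -in "$1" -noout -text)
  printf '%s\n' "$text" | grep -q 'Subject Key Identifier' &&
    printf '%s\n' "$text" | grep -q 'Authority Key Identifier'
}

build_pki "$WORK"
verify_chain "$WORK" && echo "before revocation: chain OK"
revoke_and_publish_crl "$WORK"
verify_chain "$WORK" && echo "after revocation, CRL not consulted: chain still OK"
verify_chain_with_crl "$WORK" || echo "after revocation, CRL consulted: rejected"
```

Run it with sh; it needs only openssl and mktemp. The two verification lines after the revocation illustrate the comparison table's point about CRL updates: revoking a certificate in the Sub CA's own database (manual revocation, as OpenCA does it) changes nothing for relying parties until a new CRL is generated and distributed, which is the step EJBCA's automatic CRL updates take care of.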

User Certificate

Comparison

Parameter                                    | EJBCA                    | OpenCA
Ease of configuration                        | Very complex             | Complex
Confidentiality                              | Via encryption           | Via encryption
Integrity                                    | Via digital signatures   | Via digital signatures
Authentication                               | Via digital signatures   | Via digital signatures
Ability to choose the algorithm to use       | Yes                      | Yes
OCSP                                         | Yes                      | Yes
Ability to choose the CSP                    | Yes                      | No
(cryptographic service provider)             |                          |
CRL updates                                  | Automatic                | Manual
Cost                                         | Free                     | Free
Extensions                                   | Yes                      | Yes
LDAP support                                 | Yes                      | Yes
Support for smart cards                      | Yes                      | No
Platform                                     | Java (J2EE)              | Perl CGI on Unix
Certificate repository                       | HSQL                     | MySQL
Modules                                      | EJB                      | Perl modules
Component based                              | Yes                      | Yes
Standalone component                         | Present                  | Not present
Supported browsers                           | Multiple                 | Multiple
Scalability                                  | Good                     | Bad

Conclusion
EJBCA is the simplest to use, although its installation is complex, and it provides automatic CRL updates. OpenCA is the best choice for Linux users, but revocations are manual. Both can be used by various clients.
