EJBCA - Open Source PKI Certificate Authority

References

Code of conduct

The EJBCA community should try to follow the excellent Ubuntu Code of Conduct.

IETF Request For Comments and Internet-Drafts

IETF is the Internet Engineering Task Force.

  • RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, replaces RFC 3280
  • RFC 2253 - Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names
  • RFC 2560 - X.509 Internet Public Key Infrastructure Online Certificate Status Protocol (OCSP)
  • RFC 5019 - The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments
  • RFC 2256 - A Summary of the X.500(96) User Schema for use with LDAPv3
  • RFC 2616 - Hypertext Transfer Protocol -- HTTP/1.1
  • RFC 2818 - HTTP Over TLS
  • RFC 2396 - Uniform Resource Identifiers (URI): Generic Syntax
  • RFC 2595 - Using TLS with IMAP, POP3 and ACAP
  • RFC 4945 - The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX
  • RFC 5055 - Server-Based Certificate Validation Protocol (SCVP)
  • RFC 4210 - Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)
  • RFC 4211 - Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF)
  • RFC 4387 - Certificate Store Access via HTTP

  • draft-nourse-scep-20 - Cisco Systems' Simple Certificate Enrollment Protocol (SCEP)

W3C Standards and Specifications

W3C is the World Wide Web Consortium.

  • xkms2 - XML Key Management Specification (XKMS 2.0)

MySQL

To create ALTER scripts automatically for upgrading a database from an old version to the latest development version, see http://www.mysqldiff.org/

Swedish characters in Java/JBoss

Add the following options to the JVM by modifying JAVA_OPTIONS in run.sh/cmd.

-Duser.region=SE -Duser.language=sv -Dfile.encoding=ISO-8859-1

PGP

PKCS12 files generated by EJBCA work excellently as PGP keys.

Firefox Key Generation

For Firefox to be able to verify client certificates, the CA certificates must have the BasicConstraints and AuthorityKeyIdentifier extensions. Client certificates also need AuthorityKeyIdentifier.

There is a newer key generation method using JavaScript that generates a CRMF request: JavaScript crypto.

Microsoft Internet Explorer Key Generation

For MSIE to verify client certs, the ordering in the DN must be strictly the same in both client and CA certs. It is possible that the DN must also be in a specific order.
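
One way to check the DN-ordering requirement above before handing out client certificates, as an added example that is not part of the original page or of EJBCA: it compares the issuer DN of a client certificate with the subject DN of the CA certificate, both given as RFC 2253 strings. It assumes the note means these two DNs must carry the same RDNs in the same order, with exact value matching; the function names and DN values are constructed for illustration.

```python
# Added example; the DN strings are constructed sample values.
# Feed both DNs from the same tool: RFC 2253 lists RDNs in reverse of the
# certificate's encoded order, while some tools print the encoded order.

def split_unescaped(text, seps):
    """Split on separators that are neither backslash-escaped nor quoted."""
    parts, buf, in_quotes, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair intact
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        if ch in seps and not in_quotes:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))
    return parts


def parse_dn(dn):
    """Return the DN as a list of RDNs, each a frozenset of (TYPE, value)."""
    rdns = []
    for rdn in split_unescaped(dn, ",;"):
        pairs = []
        for atv in split_unescaped(rdn, "+"):
            attr_type, _, value = atv.lstrip().partition("=")
            pairs.append((attr_type.strip().upper(), value))
        rdns.append(frozenset(pairs))
    return rdns


def compare_dn_order(client_issuer_dn, ca_subject_dn):
    """Return 'match', 'reordered' (same RDNs, other order) or 'different'."""
    issuer, subject = parse_dn(client_issuer_dn), parse_dn(ca_subject_dn)
    if issuer == subject:
        return "match"
    if sorted(issuer, key=sorted) == sorted(subject, key=sorted):
        return "reordered"
    return "different"


CA_SUBJECT = "CN=Test CA,O=Example\\, Inc.,C=SE"       # constructed
REORDERED = "C=SE,O=Example\\, Inc.,CN=Test CA"        # constructed
```

A "reordered" result is the case the note warns about: the same DN components are present, but a strict comparison of the two certificates would fail.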

A bug required a "nocache" meta tag to eliminate duplicate sending of the certificate request. Duplicate sending results in wrong behaviour, since the user status will be wrong.

<HEAD>
<META HTTP-EQUIV="Pragma" CONTENT="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="-1">
</HEAD>

Microsoft Knowledge Base documents

Cisco

  • Lab 5.3.2 - Configure a PIX Security Appliance Site-to-Site IPSec VPN Tunnel with CA support