EJBCA EAC

ePassport ready PKI solution

Among its many features, EJBCA delivers a complete set covering all requirements of an EAC ePassport PKI. It is entirely compliant with the EU common certificate policy for EAC infrastructures.

Since EJBCA EAC is a sub-function of EJBCA PKI, it allows integration of all your PKI needs in one product.

Saves time and resources

EJBCA and SignServer are cost-effective, flexible and work on all major platforms. Both products are installed in various production environments with different directories, databases and HSMs, including ePassport installations in EU countries. By choosing EJBCA and SignServer for your ePassport solution you can save time and resources.

EJBCA - signs and reads passport data

EJBCA is used as a certification authority, issuing two different kinds of certificates:

  • Country Signing Certificates - for signing of ePassport data.
  • EAC Verifying Certificates - for reading sensitive ePassport data.

Sign express passports

SignServer is a product used to create on-line MRTD signatures. It is ideal for issuance of express passports:

  • As step one, the Country Signing CA issues a document signer certificate to SignServer.
  • The certificate is then used to sign MRTD data from the passport issuer.

Handle CVCAs and DVs

Using EJBCA you can set up the infrastructure CAs for EAC. This includes the root CVCA as well as your domestic DVs. You can sign other member states' DVs and get your DVs signed by other member states. Naturally, you can also create CVCA link certificates.

Issue IS certificates

You can issue IS certificates to your inspection systems and easily integrate your IS systems with the PKI. Using the web service interface you can manage the whole life-cycle of IS certificates.

Flexible integration APIs

To issue certificates in an efficient and easy process, integration with legacy systems and organizational workflows is needed. EJBCA offers several integration interfaces, making it the most flexible product on the market:

  • industry standard, cross-platform web services
  • Java interfaces
  • HTTP interfaces
  • and even the possibility to create your own API.

Production ready and tested for interoperability

EJBCA was present - and passed the tests - at the “ePassports EAC Conformity & Interoperability Tests” in Prague, September 7th - 12th 2008, where the following tests were performed:

  • Member states passport issuance test.
  • Reading of biometric data from other member states' passports on the inspection system test.

The EJBCA EAC PKI is in use within the EU for issuing EAC ePassports.

Open and fully supported infrastructure

Both EJBCA and SignServer are fully supported open source products, giving you the best of two worlds:

  • Using open source you can easily integrate with, and extend, the infrastructure to meet your specific needs.
  • Being fully supported you can rest assured that help is available when you need it.

Features related to ePassports

The EAC features are modeled to support the EAC specification and the EU common certificate policy for EAC control infrastructure.

  • Supports CVC certificates according to the EAC 1.11 specification.
  • Setting up CVCAs.
  • Setting up Document Verifiers (DVs).
  • Issuing certificates for Inspection Systems (ISs).
  • Supports RSA algorithms specified in the EAC specification.
  • Supports ECC algorithms specified in the EAC specification.
  • Automatic handling of Sequences for identifying the public key of CVC CAs and DVs.
  • Automatic handling of EAC roles (CVCA, DV-D, DV-F, IS) when issuing certificates with different certificate profiles and with different country codes.
  • DVs signed by your own CVCA, or by creating requests to be signed by foreign CVCAs.
  • Sign requests from your DVs with your CVCA to send to other member states.
  • Sign foreign DVs with your own CVCA.
  • Automatic renewal of domestic DVs in EJBCA, generating new keys when DVs are renewed.
  • Add ISs as users and issue IS certificates.
  • Create CVCA link certificates to change CVCA or roll over keys.
  • Web service API for integration and automatic processing of IS and foreign DV certificate requests.
  • Command line client to test, display, and verify CVC certificates and requests.
  • Import and export functionality of CVCAs and DVs when using soft keystores for easy testing and integration with passport manufacturers.
  • Support for various HSMs via PKCS#11.

 

Downloads

Wish to run EJBCA PKI, OCSP or EAC? Simply download the EJBCA package and configure the software to your liking! The SourceForge.net download page offers links to installation guidelines.