ePassport PKI — with EJBCA EAC

Among its many interesting aspects, EJBCA delivers a complete set of features covering all requirements of an EAC ePassport PKI - entirely compliant with the EU common certificate policy for EAC infrastructures.

Cost-effective & Flexible

PrimeKey ePassport PKI is used by governments worldwide, to successfully issue and read ePassports.

To provide a complete, latest-generation ePassport PKI that is cost-effective, flexible and works on all major platforms, PrimeKey combines EJBCA EAC with PrimeKey SPoC and SignServer.

EJBCA - lets you sign and read ePassport data

EJBCA is implemented as the certification authority (CA), to issue two kinds of certificates:

  • Country Signing Certificates - for signing of ePassport data.
  • EAC Verifying Certificates - for reading sensitive ePassport data.

Passport (BAC) Document Signer

SignServer is a product used to create on-line MRTD signatures, and is ideal for issuance of ePassports (BAC):

  • As step one, the Country Signing CA issues a document signer certificate to SignServer.
  • The certificate is then used by SignServer to sign MRTD data from the passport issuer.

Handle CVCAs and DVs

Using EJBCA you can set up the infrastructure CAs for EAC. This includes the root CVCA as well as your domestic DVs. You can sign other member states' DVs and get your DVs signed by other member states. Naturally, you can also create CVCA link certificates.

Issue IS certificates

You can issue IS certificates to your inspection systems and easily integrate your IS systems with the PKI. Using the web service interface you can manage the whole life-cycle of IS certificates.

SPoC - Single Point of Contact

In order to exchange and read EAC passport certificates between countries, the EU has specified a standard protocol named SPoC - Single Point of Contact.

EJBCA SPoC is a product that integrates with EJBCA EAC to automate the whole process of issuing and requesting certificates internationally.

Flexible integration APIs

To issue certificates in an efficient and easy process, integration with legacy systems and organizational workflows is needed. EJBCA offers several integration interfaces, making it the most flexible product on the market:

  • industry standard, cross-platform web services
  • Java interfaces
  • HTTP interfaces
  • and even the possibility to create your own API.

Production ready and tested for interoperability

EJBCA was present - and passed the tests - at the “ePassports EAC Conformity & Interoperability Tests” in Prague, September 7th - 12th 2008, where the following tests were performed:

  • Member states passport issuance test.
  • Reading of biometric data from other member states' passports on the inspection system test.

The EJBCA EAC PKI is in use within the EU for issuing EAC ePassports.

Open and fully supported infrastructure

Both EJBCA and SignServer are fully supported open source products, giving you the best of both worlds:

  • Using open source you can easily integrate with, and extend, the infrastructure to meet your specific needs.
  • Being fully supported you can rest assured that help is available when you need it.

Features related to ePassports

The EAC features are modeled to support the EAC specification and the EU common certificate policy for EAC control infrastructure.

  • Supports CVC certificates according to the EAC 1.11 specification.
  • Setting up CVCAs.
  • Setting up Document Verifiers (DVs).
  • Issuing certificates for Inspection Systems (ISs).
  • Supports RSA algorithms specified in the EAC specification.
  • Supports ECC algorithms specified in the EAC specification.
  • Automatic handling of Sequences for identifying the public key of CVC CAs and DVs.
  • Automatic handling of EAC roles (CVCA, DV-D, DV-F, IS) when issuing certificates with different certificate profiles and with different country codes.
  • DVs signed by own CVCA, or by creating requests to be signed by foreign CVCAs.
  • Sign requests from your DVs with your CVCA to send to other member states.
  • Sign foreign DVs with your own CVCA.
  • Automatic renewal of domestic DVs in EJBCA, generating new keys when DVs are renewed.
  • Add ISs as users and issue IS certificates.
  • Create CVCA link certificates to change CVCA or roll over keys.
  • Web service API for integration and automatic processing of IS and foreign DV certificate requests.
  • Command line client to test, display, and verify CVC certificates and requests.
  • Import and export functionality of CVCAs and DVs when using soft keystores for easy testing and integration with passport manufacturers.
  • Support for various HSMs via PKCS#11.
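
The CVCA -> DV -> IS hierarchy, the EAC roles and the CVCA link certificates described under "Handle CVCAs and DVs" and in the feature list above, as an added example that is not EJBCA's code or PrimeKey's: a small Go model of card-verifiable certificates with a chain verifier that accepts a link certificate during a CVCA key rollover and rejects role escalation, expired certificates and tampered fields. Everything in it is an assumption made for illustration: the `CVC` struct hashes its fields as a flat byte string instead of the real TR-03110 TLV encoding, the holder references (`SECVCA00001`, `SEDVTEST00001`, ...) are constructed in the country-code + mnemonic + sequence layout with an invented country "SE", and P-256 ECDSA stands in for whichever EAC algorithm a deployment actually uses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Role is the EAC holder role; the numeric order is the hierarchy CVCA > DV > IS.
type Role int

const (
	RoleIS   Role = iota // inspection system
	RoleDV               // document verifier (domestic DV-D or foreign DV-F)
	RoleCVCA             // country verifying CA; also the role of a link certificate
)

// CVC is a constructed, simplified card-verifiable certificate: references follow the
// TR-03110 layout (country code + mnemonic + 5-character sequence), but the signed
// fields are hashed as a flat byte string instead of the real TLV encoding.
type CVC struct {
	Holder, Authority   string // holder reference; certification authority (signer) reference
	Role                Role
	NotBefore, NotAfter time.Time
	PubKey              *ecdsa.PublicKey
	Sig                 []byte // ECDSA ASN.1 signature over tbsDigest()
}

// tbsDigest hashes every field the signature must protect.
func (c *CVC) tbsDigest() []byte {
	h := sha256.New()
	h.Write([]byte(c.Holder + "\x00" + c.Authority + "\x00")) // NUL-separated references
	h.Write([]byte{byte(c.Role)})
	binary.Write(h, binary.BigEndian, []int64{c.NotBefore.Unix(), c.NotAfter.Unix()})
	h.Write(append(c.PubKey.X.Bytes(), c.PubKey.Y.Bytes()...))
	return h.Sum(nil)
}

// Issue creates a certificate for pub signed by issuer (a self-signed CVCA signs with its own key).
func Issue(holder, authority string, role Role, from, to time.Time, pub *ecdsa.PublicKey, issuer *ecdsa.PrivateKey) (*CVC, error) {
	c := &CVC{Holder: holder, Authority: authority, Role: role, NotBefore: from, NotAfter: to, PubKey: pub}
	var err error
	if c.Sig, err = ecdsa.SignASN1(rand.Reader, issuer, c.tbsDigest()); err != nil {
		return nil, err
	}
	return c, nil
}

// VerifyChain checks chain[0] against the trust anchor and each later certificate against the
// one before it. A link certificate is just a CVCA-role certificate signed by the previous CVCA
// key, so a rollover chain (old CVCA -> link -> DV -> IS) runs through the same loop. Each step
// checks the authority reference, the signature, validity at now, and that the role never
// climbs the hierarchy (a CVCA issues CVCA or DV certificates, a DV issues only IS certificates).
func VerifyChain(anchorRef string, anchorKey *ecdsa.PublicKey, chain []*CVC, now time.Time) error {
	signerRef, signerKey, signerRole := anchorRef, anchorKey, RoleCVCA
	for i, c := range chain {
		switch {
		case c.Authority != signerRef:
			return fmt.Errorf("cert %d: authority %q is not the signer %q", i, c.Authority, signerRef)
		case !ecdsa.VerifyASN1(signerKey, c.tbsDigest(), c.Sig):
			return fmt.Errorf("cert %d (%s): signature does not verify", i, c.Holder)
		case now.Before(c.NotBefore) || now.After(c.NotAfter):
			return fmt.Errorf("cert %d (%s): not valid on %s", i, c.Holder, now.Format("2006-01-02"))
		case signerRole == RoleIS, signerRole == RoleDV && c.Role != RoleIS, c.Role > signerRole:
			return fmt.Errorf("cert %d (%s): role %d may not be issued by role %d", i, c.Holder, c.Role, signerRole)
		}
		signerRef, signerKey, signerRole = c.Holder, c.PubKey, c.Role
	}
	return nil
}

// must turns an error into a panic; used only to build the demo fixture.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// DemoChain builds a constructed rollover scenario: the old CVCA key signs a link certificate
// for the new key, the new key signs a domestic DV, and the DV signs an IS. It returns the
// old CVCA reference and public key, which act as the verifier's trust anchor.
func DemoChain(now time.Time) (anchorRef string, anchorKey *ecdsa.PublicKey, chain []*CVC) {
	gen := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	oldCVCA, newCVCA, dv, is := gen(), gen(), gen(), gen()
	chain = []*CVC{
		must(Issue("SECVCA00002", "SECVCA00001", RoleCVCA, now, now.AddDate(3, 0, 0), &newCVCA.PublicKey, oldCVCA)), // link certificate
		must(Issue("SEDVTEST00001", "SECVCA00002", RoleDV, now, now.AddDate(1, 0, 0), &dv.PublicKey, newCVCA)),
		must(Issue("SEISTEST00001", "SEDVTEST00001", RoleIS, now, now.AddDate(0, 1, 0), &is.PublicKey, dv)),
	}
	return "SECVCA00001", &oldCVCA.PublicKey, chain
}

func main() {
	now := time.Now()
	ref, key, chain := DemoChain(now)
	fmt.Println("full chain:", VerifyChain(ref, key, chain, now), "| link dropped:", VerifyChain(ref, key, chain[1:], now))
}
```

The point of the rollover scenario is that an inspection system holding only the old CVCA key still validates the DV and IS once the link certificate is in the chain; drop the link certificate and the DV's authority reference no longer matches any key the verifier trusts. The role check is what keeps a compromised DV key from minting its own DV or CVCA certificates, which is the part a production verifier most often gets wrong.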
