Ask your questions here before the Meetup Workshop

[KarolinHem]

At the Keyfactor Community Tech Meetup in Stockholm on September 7, you will get a chance to meet the EJBCA founder Tomas Gustavsson and product architect Mike Agrenius Kushner and ask any questions that matter to you and your team.

In this thread, you can suggest topics you want to learn more about or ask questions that you want the workshop leaders to discuss in the workshop.

Read more and sign up for the Meetup: https://www.keyfactor.com/keyfactor-community-tech-meetup-2022/

[pos42]

Quantum-Proof/Quantum-Resistant algoritms in EJBCA

I guess symmetric algoritms and hash function are still relatively safe against quantum attacks, but experts says this is not the case for public key algoritms.

What is happening in the post-quantum crypto area. Any quantum proof signing and crypto algoritms already implemented in EJBCA? Any on its way into EJBCA? Anything that is working today for test purposes? If so… in GUI, CLI or both?

[pos42]

Arbitrary elliptic curves

This is maybe not a question that interest all the tech meet-up visitors :)

I am a little bit curious if, and in that case how, you create a CA certificate based on arbitrary elliptic curves in EJBCA instead of with named curves. It is allowed by standard, but rarely used and therefor just implemented by very few. I have only seen this used in ICAO passport signing by some countries. Verification of such arbitrary curves certificates with all prime fields in it is one thing, but I have seen very few CA softwares that can create them. And Microsoft CA (at least just a few years ago) said such a certificate was corrupt when opening it, even though is was ok.

Is creation of such certificate possible by EJBCA? How do you create such a certificate in EJBCA?

[pos42]

SCP Publisher

I think the publisher is very unpolished. It is simply not possible to set it up by just looking at the configuration fields. As a UNIX/Linux guy that are used to CLI and SSH, you just fill in what you need, create the keys, create the needed users under the hood etc etc. As it is so straight forward with SSH and keys, I did not look at the documentation. But I got stuck… Until I searched the documentation and saw the publisher needs a fingerprint that has to be manually created as most SSH use other types of fingerprints now. That should be a pop-up in the gui or at least not invisible…

Yes, there are room for improvements on the SCP publisher. But when it is set up, it is working flawlessly.

If there is time, maybe a setup of the SCP publisher and publishing of CRLs could be demonstrated so others won’t get stuck as me. And as we all know, it is not uncommon to have UNIX/Linux based web servers holding CRL:s :) Therefor I guess this could be interesting to people.

[Realiserad]

Perhaps a relevant issue: #29

[primetomas]

We have put a slide on SCP Publisher

[pos42]

What is overwritten in an upgrade of a HW and SW EJBCA appliance

What type of config and files can be added or modified “under the hood” in the HW and SW appliance and be kept after an upgrade?

Will for example an extra user in the underlying OS be kept? For example if you by security want maximum separation and therefor adds a new user for the SCP publisher instead of using the application server ”wildlfly” user… Please clarify this a little bit.

[primetomas]

Great question. But it's an Enterprise question so we will not take it up in the community event.

[primetomas]

What type of config and files can be added or modified “under the hood” in the HW and SW appliance and be kept after an upgrade?

Everything in etc is automatically saved through reboots and backup&restore.
You can add software packages called Additives for software/stuff that you want to have installed across backup&restore and firmware updates.