Main Concepts
This is a brief explanation of all the the concepts in EJBCA like end entity profile, certificate profile and so on and how they relate to one and another.
EJBCA implements the CA part of a PKI according to standards such as X.509 and IETF-PKIX. As such it follows the general PKI concepts closely. The administration of the PKI has some EJBCA-specific concepts in order to implement unique flexibility.
Terminology
| EJBCA | Enterprise Java Beans Certificate Authority |
| CA | Certificate Authority |
| RA | Registration Authority |
| DN | Distinguished Name |
| HSM | Hardware Security Module |
| CRL | Certificate Revocation List |
| OCSP | Online Certificate Status Protocol |
| SCEP | Simple Certificate Enrollment Protocol |
| JBoss | Open source J2EE application server |
| AD | Active Directory |
General concepts
Certification Authority (CA)
A CA issues certificates to, and vouches for the authenticity of entities. The level of trust you can assign to a CA is individual, per CA, and depends on the CAs policy and practices statement.
RootCA
A RootCA has a self-signed certificate and is also called Trusted Root. Verification of other certificates in the PKI ends with the RootCAs self-signed certificate. Since the RootCAs certificate is self-signed it must somehow be configured as a trusted root with all clients in the PKI.
SubCA
A subordinate CA, or SubCA for short, is a CA whose certificate is signed by another CA, that can be another SubCA or a RootCA. Since the SubCAs certificate is signed by another CA, it does not have to be configured as a trusted root. It is part of a certificate chain that ends in the RootCA.
Registration Authority (RA)
An RA is an administrative function that registers entities in the PKI. The RA is trusted to identify and authenticate entities according to the CAs policy. There can be one or more RAs connected to each CA in the PKI.
End-entity
An end-entity is a user, such as an e-mail client, a web server, a web browser or a VPN-gateway. End-entities are not allowed to issue certificates to other entities, they make up the leaf nodes in the PKI.
EJBCA specific concepts
Certificate Profile
A certificate profile determines non uses specific content and behaviour of certificates. The largest part is extensions and here you decide if a specific extension is present and wether it is critical or not. Some extensions are populated with a value, where it is the same value for all certificates such as CRLDistributionPoint. For other extensions only the presence is determined, where the value is user- or cert-specific such as SubjectAlternativeName. Here is also determined if these certificates will be published and with which publisher.
End Entity Profile
End Entity Profiles determine what data can or must be present for users connected with this profile. Some values can also be pre-determined such as the organization, o in the dn.
When adding a user in the pki, the user must be conneted with an end entity profile. The end entity profile specifies one or more certificate profiles used when generating certificates.
Publishers
A publisher stores issued certificates to a central location. EJBCA have implemented support for LDAP and Active Directory but it's also possible to create customized plug-ins.
Hard Token Profiles
A hard token profile contains information like keylength used on cards, certificate profiles that should be used, and templates for the visual graphics printed on the smartcard or on a PIN/PUK letter.
Hard Token Issuers
A hard token issuer represents a physical location running PrimeCard were hard tokens can be issued.
External RA
In some cases, for security reasons, is it preferable to deny all inbound traffic to the CA and instead let the CA periodically fetch and process information from external trusted data sources. For this reason there is an add-on pack to EJBCA called extra, which is short for External RA API.
