Managing CVC CAs

The following sections cover information on handling Card Verifiable Certificate (CVC) CAs and CVC specific operations.

For a feature overview and sections providing information on CVC CAs, see CVC CA.

Creating CVC CAs

For instructions on how to create a Card Verifiable Certificate (CVC) CA, see:

Creating a CVC CA

Importing CVC CAs

For test purposes, you may receive a private key and a CV certificate for the CVCA trust point used by the passport manufacturer when creating specimen passports.

If you have a PKCS#8 private key and a CV certificate containing the matching public key, you can import the CVCA (with a soft keystore) into EJBCA to test your process and inspection systems:

$ bin/ejbca.sh ca importcvca

Example import command using the given CV Certificate:

$ bin/ejbca.sh ca importcvca importcvca1 GO_CVCA_RSA2008.pkcs8 GO_CVCA_RSA2008.cvcert C=SE,CN=IMPCA1

Example import command using the same private/public keys, but generating a new certificate:

$ bin/ejbca.sh ca importcvca importcvca1 GO_CVCA_RSA2008.pkcs8 GO_CVCA_RSA2008.cvcert C=SE,CN=IMPCA1 SHA1WithRSA 365

Creating Document Verifiers (DVs)

For instructions on how to create a Document Verifier (DV) CA and issue Inspection System certificates, see:

Creating a DV CA and Issuing Inspection System Certificates

Importing DVs

You can also import DVs. To do so, you need a certificate chain with the DV certificate first and the CVCA certificate second.

# Import the CVCA
$ bin/ejbca.sh ca importcvcca --caname CVCARSA -f CVCARSA.pkcs8 -c SECVCARSA00000_SECVCARSA00000.cacert.pem
# Create the certificate chain PEM file
$ cat SECVCARSA00000_SEDVCARSA00000.cacert.pem SECVCARSA00000_SECVCARSA00000.cacert.pem > chain.pem
# Import the DV
$ bin/ejbca.sh ca importcvcca --caname DVCARSA -f DVCARSA.pkcs8 -c chain.pem

Creating Authenticated Requests

To sign CV certificate requests by your Country Verifying CA (CVCA), go to Edit Certificate Authorities, select your CVCA and then click Create Authenticated Certificate Signing Request. You can upload the CV certificate request to the CVCA, and get an Authenticated request back. This is required when sending certificate requests from your DVs to other member states.

By renewing a Document Verifier (DV) and sending a request to another member state, you can have the request automatically authenticated by signing it with the DV's old key. To do this, create a CSR for the new DV key and make an authenticated request signed with the old key. After generating new keys on the Crypto Token, go to Certification Authorities, select the desired DV, and click Edit. Ensure that the sequence is updated, then generate a new CSR for the new key in the Externally signed CA creation/renewal section. If it is a renewal, an authenticated request, authenticated with the DV's current key, is returned (the new key is not yet activated).

To view the authenticated DV request using the clientToolBox CLI tool, use the following:

$ ./ejbcaClientToolBox.sh CvcWsRaCli cvcprint SEDVCA00100001.pem

To verify the authenticated DV request, you need the whole chain in the case of ECDSA, since the EC curve parameters are only present in the CVCA certificate.

$ ./ejbcaClientToolBox.sh CvcWsRaCli cvcprint SEDVCA00100001.pem SECVCA00100000_SEDVCA00100000.cacert.pem SECVCA00100000_SECVCA00100000.cacert.pem
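To make the two points above concrete, here is an added Python example (not EJBCA or clientToolBox code) that encodes and walks the BER-TLV layout of a CV certificate request as defined in BSI TR-03110: it builds a constructed DV request, shows the authenticated-request wrapper (tag 0x67 carrying the old key's CAR and an outer signature), and checks whether the public key (tag 0x7F49) carries the ECDSA domain parameters, which is why a DV request cannot be verified without the CVCA certificate. All sample values (holder references, OID, public point, signatures) are constructed placeholders, not real key material.

```python
def tlv_encode(tag: int, value: bytes) -> bytes:
    """BER-TLV encode with 1- or 2-byte tags (0x5F../0x7F..) and short/long length."""
    t = tag.to_bytes(2 if tag > 0xFF else 1, "big")
    n = len(value)
    if n < 0x80:
        return t + bytes([n]) + value
    nb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return t + bytes([0x80 | len(nb)]) + nb + value

def tlv_decode(data: bytes) -> dict:
    """Decode one level of concatenated TLVs into {tag: value} (tags are unique per level here)."""
    out, i = {}, 0
    while i < len(data):
        tag = data[i]; i += 1
        if (tag & 0x1F) == 0x1F:                     # two-byte tag (0x5F.., 0x7F..)
            tag = (tag << 8) | data[i]; i += 1
        n = data[i]; i += 1
        if n & 0x80:                                 # long-form length
            k = n & 0x7F
            n = int.from_bytes(data[i:i + k], "big"); i += k
        out[tag] = data[i:i + n]; i += n
    return out

# Constructed sample (not a real request): placeholder OID, public point and signatures.
def build_dv_request(authenticated: bool) -> bytes:
    pub = tlv_encode(0x7F49, tlv_encode(0x06, bytes.fromhex("04007f000702020202" + "03"))
                     + tlv_encode(0x86, b"\x04" + b"\x11" * 64))   # only 0x86 (point), no 0x81..0x85
    body = tlv_encode(0x7F4E, tlv_encode(0x5F29, b"\x00") + tlv_encode(0x42, b"SEDVCA00100001")
                      + pub + tlv_encode(0x5F20, b"SEDVCA00100001"))
    req = tlv_encode(0x7F21, body + tlv_encode(0x5F37, b"\x22" * 64))   # inner self-signature
    if not authenticated:
        return req
    # Outer signature by the DV's current key: the CAR names the old key, as in the renewal flow.
    return tlv_encode(0x67, req + tlv_encode(0x42, b"SEDVCA00100000") + tlv_encode(0x5F37, b"\x33" * 64))

def inspect(data: bytes) -> dict:
    """Report wrapper type, holder reference, outer CAR and whether curve parameters are embedded."""
    top = tlv_decode(data)
    authenticated = 0x67 in top
    inner = tlv_decode(top[0x67]) if authenticated else top
    body = tlv_decode(tlv_decode(inner[0x7F21])[0x7F4E])
    key = tlv_decode(body[0x7F49])
    return {
        "authenticated": authenticated,
        "outer_car": inner[0x42].decode() if authenticated else None,
        "chr": body[0x5F20].decode(),
        # ECDSA domain parameters p, a, b, G, n are tags 0x81..0x85; only the CVCA certificate has them
        "has_domain_params": all(t in key for t in range(0x81, 0x86)),
    }
```

Running inspect() on a real CVCA certificate would report has_domain_params as True, which is the certificate cvcprint needs at the end of the chain to verify an ECDSA DV request.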

To automate renewal of DVCAs using the WS API, use the following:

$ ./ejbcaClientToolBox.sh EjbcaWsRaCli cacertrequest
$ ./ejbcaClientToolBox.sh EjbcaWsRaCli cacertresponse

For more information, see Web Service Interface.

Creating Link Certificates

A link certificate must be issued when a CVCA is renewed. It can be used to switch the CA completely: new keys, new algorithms, and a new Country/Mnemonic.

When renewing a Country Verifying CA (CVCA) in the EJBCA Admin UI, a link certificate is automatically created. Requirements on link certificates are specified in Common Certificate Policy for the Extended Access Control Infrastructure for Travel and Residence Documents (BSI TR-03139). When renewing a CVCA, the signature algorithm can be changed. Note that the algorithm identifier in the link certificate is the new algorithm, because the algorithm is tied to the public key rather than to the certificate signature; the link certificate itself is signed by the old CVCA, with the algorithm specified on the public key in the old CVCA certificate.

It is also possible to manually create link certificates using the clientToolBox CLI tool.

$ ./ejbcaClientToolBox.sh PKCS11HSMKeyTool linkcert

To create CVCA link certificates, the same approach is used. First renew the CVCA (generating new keys), which creates a new self-signed CVCA certificate internally. Download the new self-signed CVCA certificate (for example from Basic Functions). After this, you can create a link certificate by specifying the CVCA's name in the text field in Edit Certificate Authorities and clicking Sign Certificate Request. Upload the new CVCA certificate and select Use previous key and Create link certificate.