EJBCA - Open Source PKI Certificate Authority


IETF Request For Comments and Internet-Drafts

IETF is the Internet Engineering Task Force.

  • RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile, replaces RFC 3280
  • RFC 2253 - Lightweight Directory Access Protocol (v3): UTF-8 String Representation of Distinguished Names
  • RFC 2560 - X.509 Internet Public Key Infrastructure Online Certificate Status Protocol (OCSP)
  • RFC 5019 - The Lightweight Online Certificate Status Protocol (OCSP) Profile for High-Volume Environments
  • RFC 2256 - A Summary of the X.500(96) User Schema for use with LDAPv3
  • RFC 2616 - Hypertext Transfer Protocol -- HTTP/1.1
  • RFC 2818 - HTTP Over TLS
  • RFC 2396 - Uniform Resource Identifiers (URI): Generic Syntax
  • RFC 2595 - Using TLS with IMAP, POP3 and ACAP
  • RFC 4945 - The Internet IP Security PKI Profile of IKEv1/ISAKMP, IKEv2, and PKIX
  • RFC 5055 - Server-Based Certificate Validation Protocol (SCVP)
  • RFC 4210 - Internet X.509 Public Key Infrastructure Certificate Management Protocol (CMP)
  • RFC 4211 - Internet X.509 Public Key Infrastructure Certificate Request Message Format (CRMF)
  • RFC 4387 - Certificate Store Access via HTTP

  • draft-nourse-scep-20 - Cisco Systems' Simple Certificate Enrollment Protocol (SCEP) draft-nourse-scep-20

W3C Standards and Specifications

W3C is the World Wide Web Consortium.


MySQL: Create ALTER-scrips automatically to upgrade database from old version to latest development version: http://www.mysqldiff.org/

Swedish characters in Java/Jboss

Add the following options to the JVM by modifying JAVA_OPTIONS in run.sh/cmd.

-Duser.region=SE -Duser.language=sv -Dfile.encoding=ISO-8859-1


PKCS12 files generated from EJBCA works excellent as PGP-keys.

Firefox Key Generation

For Firefox to be able to verify client certificates the CA-certificates must have the extensions BasicConstraints and AuthorityKeyIdentifier. Client certificates also need AuthorityKeyIdentifier

Microsoft Internet Explorer Key Generation

For MSIE to verify client certs, the ordering in the DN must be strictly the same in both client and CA certs. Possibly that it must also be in a specific order.

There is some bug that required a "nocache" meta tag to eliminate duplicate sending of certificate request. This duplicate sending will result in wrong behaviour, since user status will be wrong.

<META HTTP-EQUIV="Pragma" CONTENT="no-cache" >

Microsoft Knowledge Base documents