Workflow of cert req and cert and associated ejbca steps

by stupidtss

I am a bit confused about how ejbca handles certificate requests to and from other countries.

Assume two countries, CountryA (with CVCA-A) and CountryB (with CVCA-B) and both are using ejbca (using GUI).

(1) A DV in CountryA (DV-A) wants to send a certificate request to CountryB for their "signature" so that IS-A can read epassports of CountryB. Are the following ejbca procedures correct?
a. in Edit Certificate Authorities, select DV-A, click Edit
b. in Edit CA, click Make Certificate Request
c. in Make Certificate Request, Browse to select the CVCA-A's PEM file (obtained from Basic Functions), then click Make Certificate Request
d. in Certificate Request Generated, click Download PEM file and get the certificate request file
e. send the certificate request through the SPOC RequestCertificate message to CountryB

(2) If CountryB wants to process the certificate request from CountryA and return a "signed" CV certificate to CountryA, are the following ejbca procedures correct?
a. in Edit Certificate Authorities, enter the name "DV-A" in the text box and then click Process Certificate Request
b. in Process Certificate Request, Browse to locate the certificate request file and click Process Certificate Request
c. in Process Certificate Request, complete the details and click Process Certificate Request
d. in Certificate Generated, click Download PEM file and get the certificate file
e. send the certificate request through the SPOC SendCertificate message to CountryA

(3) If CountryA wants to use the received certificate from CountryA, what are the appropriate procedures?

Re: Workflow of cert req and cert and associated ejbca steps

by stupidtss

Typo in (3), which should be "If CountryA wants to use the received certificate from CountryB, what are the appropriate procedures?"


Re: Workflow of cert req and cert and associated ejbca steps

by stupidtss

Regarding (3), is there no need to import the received cert back to EJBCA, and should the received cert be fed to the IS system directly?


Re: Workflow of cert req and cert and associated ejbca steps

by Tomas Gustavsson

Hi, a few corrections inline:

stupidtss wrote:

> I am a bit confused about how ejbca handles certificate requests to and from
> other countries.
>
> Assume two countries, CountryA (with CVCA-A) and CountryB (with CVCA-B) and
> both are using ejbca (using GUI).
>
> (1) A DV in CountryA (DV-A) wants to send a certificate request to CountryB
> for their "signature" so that IS-A can read epassports of CountryB. Are the
> following ejbca procedures correct?
> a. in Edit Certificate Authorities, select DV-A, click Edit
> b. in Edit CA, click Make Certificate Request
> c. in Make Certificate Request, Browse to select the CVCA-A's PEM file
> (obtained from Basic Functions), then click Make Certificate Request

Since we want DV-A to be signed by CVCA-B you need to browse to CVCA-B's
certificate.

> d. in Certificate Request Generated, click Download PEM file and get the
> certificate request file
> e. send the certificate request through the SPOC RequestCertificate message
> to CountryB

You can also add the step of letting CVCA-A sign the request with an
outer signature to create an authenticated request. This is required at
least for the initial certification.

> (2) If CountryB wants to process the certificate request from CountryA and
> return a "signed" CV certificate to CountryA, are the following ejbca
> procedures correct?
> a. in Edit Certificate Authorities, enter the name "DV-A" in the text box
> and then click Process Certificate Request
> b. in Process Certificate Request, Browse to locate the certificate request
> file and click Process Certificate Request
> c. in Process Certificate Request, complete the details and click Process
> Certificate Request
> d. in Certificate Generated, click Download PEM file and get the certificate
> file
> e. send the certificate request through the SPOC SendCertificate message to
> CountryA

You can do this in two ways actually. Either you can create a new CA,
like you do, so DV-A will be visible in countryB's CA list.
Or you can add DV-A as an end entity in countryB's EJBCA and issue the
certificate to the end entity.

> (3) If CountryA wants to use the received certificate from CountryA, what
> are the appropriate procedures?

If DV-A is the same DV as is certified by CVCA-A, then there is nothing
to do in EJBCA. Just feed it to the IS as part of the certificate chain.

If DV-A is a new DV (because countryB uses another algorithm than
countryA) then DV-A will have status (waiting for certificate response),
and you need to import the certificate in EJBCA.

See attached document for some descriptions and screen shots of the
process. Note that it's not the only way to do things. There are always
several options in EJBCA so you can integrate it in different
environments :-)

Regards,
Tomas


Attachment: ejbca-epassport-issuing-steps_03.odt (462K)
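The naming linkage behind the correction to (1) and the answer to (3), as an added example that is not part of the thread and is not EJBCA code: each CV certificate's authority reference (CAR) must name the holder reference (CHR) of the certificate above it in the chain handed to the IS. The country codes XA/XB, the holder references and the dummy signature are constructed; only CAR/CHR linkage is checked here, not signatures.

```python
# Added example with constructed data; not EJBCA output or EJBCA code.
# Tags from BSI TR-03110: 0x7F21 CV certificate, 0x7F4E body, 0x5F29 profile,
# 0x42 CAR (issuer reference), 0x5F20 CHR (holder reference), 0x5F37 signature.

def tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER-TLV object (values shorter than 256 bytes)."""
    n = len(value)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n])
    return tag.to_bytes(2 if tag > 0xFF else 1, "big") + length + value

def parse(data: bytes) -> dict[int, bytes]:
    """Decode a flat run of TLVs into {tag: value}; nested values stay raw."""
    out, i = {}, 0
    while i < len(data):
        tag = data[i]
        i += 1
        if tag & 0x1F == 0x1F:      # two-byte tag (CVC tags never need more)
            tag = tag << 8 | data[i]
            i += 1
        n = data[i]
        i += 1
        if n & 0x80:                # long-form length
            k = n & 0x7F
            n = int.from_bytes(data[i:i + k], "big")
            i += k
        if i + n > len(data):
            raise ValueError("truncated TLV")
        out[tag] = data[i:i + n]
        i += n
    return out

def refs(cvc: bytes) -> tuple[str, str]:
    """Return (CAR, CHR) from a CV certificate."""
    body = parse(parse(parse(cvc)[0x7F21])[0x7F4E])
    return body[0x42].decode("latin-1"), body[0x5F20].decode("latin-1")

def broken_links(chain: list[bytes]) -> list[str]:
    """chain[0] is the trust anchor; each later CAR must equal the previous CHR."""
    errors = []
    for issuer, subject in zip(chain, chain[1:]):
        (car, chr_), issuer_chr = refs(subject), refs(issuer)[1]
        if car != issuer_chr:
            errors.append(f"{chr_}: CAR {car} does not name {issuer_chr}")
    return errors

def make_cvc(car: str, chr_: str) -> bytes:
    """Constructed certificate: key, CHAT and dates omitted, dummy signature."""
    body = tlv(0x5F29, b"\x00") + tlv(0x42, car.encode()) + tlv(0x5F20, chr_.encode())
    return tlv(0x7F21, tlv(0x7F4E, body) + tlv(0x5F37, bytes(128)))
```

A chain built as CVCA-B, DV-A (issued by CVCA-B), IS-A yields no errors, while substituting the DV-A certificate issued by CVCA-A breaks the first link. The IS-A certificate links to either DV-A certificate because both carry the same CHR, which is why nothing needs to change in EJBCA when the DV is the same.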