Affects Version/s: None
Fix Version/s: None
We are getting support questions around ePassport and eID PKI. Currently we have some documentation, but it is a bit spread out, and there are important parts that are not documented.
Topics that should be documented, separated between X.509 (ICAO) and CVC (EAC):
- Creating a new CSCA (ICAO)
- Renewing CSCA with name change, in EJBCA
- Renewing CSCA without name change, in EJBCA
- Creating link certificates when renewing in EJBCA
- Creating link certificate when there is an old CSCA in another product, and new CSCA in EJBCA
- Creating link certificate when there is an old CSCA in EJBCA, and new CSCA in another product
- Importing CRL from an old CSCA into a new CSCA in EJBCA
- Having the CRL entries imported appear in the new CSCA CRL (when the old CSCA has a different CA subjectDN)
- Creating DS certificates (ICAO)
- Creating DVs and IS certificates (CVC/EAC)
- Using algorithms that are non-standard in Java PKCS#11 (i.e. patching Java)
- Using EC keys which must be encoded with explicit parameters in CSCAs (ICAO)
In general, these can be divided into five groups:
- Creating and renewing CAs
- Creating link certificates
- Handling CRLs, according to ICAO special requirements
- Using CAs, creating end entity certificates
- Algorithm management (patching Java, explicit EC parameters, etc.)
For link certificates we have two tools: the Admin GUI of EJBCA, and clientToolBox, which has been the most commonly used tool recently.
Having this in easy-to-understand documentation will help users manage their ePassport and eID PKIs, while minimizing support.