The P12 files you get from EJBCA are created using Bouncy Castle like this:
Bouncy Castle uses 3-DES for key protection and 40-bit RC2 to protect the certificates by default. These ciphers are not great by today's standards, and it would be nice if we could use AES instead. Currently, there is no option in EJBCA to configure how P12 files are created, or what kind of encryption is used.
If my understanding is correct, even though the PKCS#12 format itself allows other types of encryption, some clients (e.g. Windows) do not support AES for P12 keystores. However, using 3-DES for both certificates and the private key should be widely supported and would work on FIPS as well:
Bouncy Castle also has their own "FIPS compliant" P12 keystore, and that could be offered as an alternative to the 3-DES P12 keystore. I need to investigate (i.e. ask David) how this is achieved in Bouncy Castle. Example code is available in BC-FJA 1.0.2 (Bouncy Castle FIPS Java API) - User Guide, section 7.1.1 - BCFKS key store.
I have two customers who have offered their help to test if the new keystore is compatible with their systems.
Create a new branch fb-
Add a method KeyTools.createFipsCompliantP12 which creates a FIPS compliant PKCS#12 keystore using Bouncy Castle.
Create a new token type called BCFKS.
Invoke this method in RaMasterApiProxyBean.generateKeystore, KeyStoreCreateSessionBean.generateKeyStore and BatchMakeP12Command.createKeysForUser.
Harden existing P12 keystores using PKCS12-3DES-3DES.
Add REST API support
Configure BCFKS token type in an end entity profile. Test issuance using the RA web
Open the P12 keystore in Portecle.
Command that can be used to test a keystore in OpenSSL and print some information about it.
Send sample P12 files to Sven,
Update the "End Entity Profiles Fields" page in the documentation. "Token type" is currently not documented at all, so we would have to add some documentation for existing token types as well.
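One way to check, with the OpenSSL command line, that a P12 file uses 3-DES for both the certificate bag and the key bag. This is an added example, not part of the original ticket and not EJBCA code. It assumes `openssl` is on the PATH; the function names, file names, subject and password are constructed for the test.

```shell
#!/usr/bin/env bash
# Added example: build a throwaway PKCS#12 file and audit the PBE algorithm
# protecting each bag. All names and the password are constructed values.

TDES=pbeWithSHA1And3-KeyTripleDES-CBC
P12_PASS=example-pass

# make_p12 DIR KEYPBE CERTPBE: write DIR/test.p12 using the given PBE algorithms.
make_p12() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=p12-test" \
    -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null || return 1
  openssl pkcs12 -export -inkey "$1/key.pem" -in "$1/cert.pem" -name test \
    -keypbe "$2" -certpbe "$3" \
    -passout "pass:$P12_PASS" -out "$1/test.p12" 2>/dev/null
}

# p12_algs FILE PASS: print one line per bag, "cert <alg>" or "key <alg>".
# `openssl pkcs12 -info` writes the structure summary to stderr, hence 2>&1.
p12_algs() {
  openssl pkcs12 -info -noout -in "$1" -passin "pass:$2" 2>&1 |
    sed -n -e 's/^PKCS7 Encrypted data: \(.*\), Iteration.*/cert \1/p' \
           -e 's/^Shrouded Keybag: \(.*\), Iteration.*/key \1/p'
}

# p12_is_3des_3des FILE PASS: succeed only if the file holds exactly one
# certificate bag and one key bag, both protected with 3-DES.
p12_is_3des_3des() {
  algs=$(p12_algs "$1" "$2" | sort)
  [ "$algs" = "$(printf 'cert %s\nkey %s\n' "$TDES" "$TDES")" ]
}

# Demo: create a 3DES/3DES keystore and show what the audit sees.
tmp=$(mktemp -d) && make_p12 "$tmp" PBE-SHA1-3DES PBE-SHA1-3DES &&
  p12_algs "$tmp/test.p12" "$P12_PASS"
rm -rf "$tmp"
```

A file that still uses the 40-bit RC2 default for the certificate bag would show `pbeWithSHA1And40BitRC2-CBC` on the `cert` line and fail `p12_is_3des_3des`.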