2021-04-26

The QA Adventure of Common Criteria Certification

This is the first time that I have been involved in a Common Criteria certification and I am proud to have been entrusted with the responsibility for the project. My name is Maggie and for the past year, my QA team and I have been on the adventure of certifying the EJBCA product for Common Criteria – the adventure has been a wild one! Let me share with you how we did it from a QA standpoint and what we learned.

Even though it’s the first time for me, PrimeKey has gone through the Common Criteria certification process before. The previous Common Criteria certification of EJBCA Enterprise was performed in 2012. The certification was conducted using the CIMC protection profiles. Since then, Common Criteria has evolved and the PrimeKey EJBCA certification was based on the new type of Collaborative Protection Profiles (cPP) and more specifically the Protection Profile for Certification Authorities, Version 2.1, 2017-12-01, National Information Assurance Partnership. If you are interested in different certification profiles, you can read more about this on the Common Criteria Portal.

On the journey towards Common Criteria certification, my QA team and I had the support of a Common Criteria testing laboratory that specializes in providing security testing. They assisted in assuring the systems under test adhered to the Common Criteria requirements. Their primary role was to assist us in the test efforts and the preparation of required documents, including the test plan. As a bonus, the collaboration with the Common Criteria test lab technicians helped my QA team and me increase our overall security testing knowledge about the use of security testing tools, techniques and scenarios that we can include to improve our overall security and performance test efforts. The testing laboratory proved to be a great asset during this endeavor.
However, the collaboration was not one-sided as a lot of time was also invested from the PrimeKey side to actively support the testing laboratory in understanding our products, the underlying technologies used and developing complicated test scenarios to verify some of the trickier IT Security requirements. During this adventure, working with the testing laboratory allowed me to really rip the cover off our own products and pursue a unique discovery of our own system. The discovery contributed to aiding me to further expand the scope of our own test types which are now a part of our ongoing QA test efforts.

The greatest reward for me has been learning how in depth our testing efforts should be not only for EJBCA, but for the entire PrimeKey product offering. The process of getting the Common Criteria certification was a monumental journey for me. My journey also rewarded me with knowledge on how to go beyond testing the functionality of our products’ solutions. The journey also included a deeper discovery of verifying software communication, including actual traffic between EJBCA components, peers, protocols and dependent integrations. I now better understand the anatomy of the architecture as well as the obvious and inconspicuous workflows.

We found a treasure trove of test requirements that should be expanded for verifying curves, bit strengths, deterministic random bit generation, management, auditing, authorization and a host of other configurations to ensure that they are adhering to the requirements of IT Security at all times.

As I have come to the end of our journey with our rewards and treasures in tow, my QA team and I can feel confident that we are not only providing PKI solutions that adhere to IT Security, but we are delivering quality solutions designed to support our customers in a secured manner.
As a QA professional, this is an endeavor I would recommend for anyone delivering solutions that require high security, even if you don’t require IT Security certification. Have fun on your own Common Criteria adventures!

Learn more about EJBCA Enterprise: EJBCA Enterprise

Find out what it’s like to work at PrimeKey: Jobs at PrimeKey

Author: Margaret Thomas, Senior QA Manager at PrimeKey

Margaret “Maggie” Thomas, CSPO, has worked with Quality Assurance and Testing for over 20 years and has vast international experience in the field. Originally from Chicago, she is now an expat in Sweden. She joined PrimeKey in 2019 and is heading up the QA department of PrimeKey software.