The Ministry of Justice and Security is responsible for maintaining the rule of law in the Netherlands so that people can live together in freedom, regardless of their lifestyle or views. The Ministry is working towards a safer, more just society by giving people legal protection and, where necessary, intervening in their lives — for example, by putting convicted criminals in prison or helping prisoners return to society and providing support for victims of crime.

All of the content on the e-passport chips must be protected. And, we needed to enable law enforcement, border control, and police officers to verify information including who the e-passport holder is and whether they have any outstanding issues with law enforcement. So, we identified PKI as a way to accomplish this,” explains Cor de Jonge, who leads a PKI team within the judicial information services department of the Ministry of Justice.

When this need came about, de Jonge’s team was starting from scratch with PKI, standing up certificates to enable the entire process. However, they knew this would only be the first of many PKI-related needs and began the search for a scalable solution.

The Ministry of Justice quickly identified Keyfactor EJBCA as an ideal solution for its PKI needs. EJBCA came as a recommendation from the Swedish police, and after attending a few Keyfactor workshops in Stockholm, de Jonge’s team knew they had found exactly what they needed.

“We started with the community edition of EJBCA and chose it in part because it’s open source, which is one of our main requirements. There are a lot of other vendors that say they offer the same type of services, but it’s always proprietary. And that doesn’t work for our team: We want to be in control security-wise over all the things we do, so we don’t want any black box solutions. We want to know exactly what’s happening behind the scenes so we can prepare accordingly,” de Jonge shares.

Beyond the fact that EJBCA is an open source-based PKI solution, the Ministry of Justice quickly found several other reasons to validate their choice as more and more use cases for PKI cropped up.

For example, new regulations from the EU led to the addition of 2D barcodes on visa stickers that required secure digital signatures. From there, de Jonge’s team also began to support PKI internally at the Ministry of Justice, working with government organizations in the Netherlands, like the national police and the public prosecutor, to secure IT services and workstations. And in 2020, even more needs arose with the introduction of digital health certificates related to the COVID-19 pandemic. Notably, EJBCA scaled seamlessly to support all of these growing use cases.

“Whenever we reach out to the Keyfactor team behind EJBCA and ask if it’s possible to support new use cases, it always is. We’re very transparent with our team about how we can help them, and Keyfactor supports us well in return,” de Jonge says.

To support all of these use cases, the Ministry of Justice maintains its own data center, where everything is mutually authenticated. The team has its own root CA as well as various domain CAs for different purposes.

As the number of use cases for EJBCA scaled rapidly, de Jonge began to talk to the Keyfactor team about moving from the community to the enterprise edition of EJBCA. De Jonge hails this as an important move given the number of critical government use cases his team uses EJBCA to support. Ultimately, he says moving to the enterprise edition ensured his team was using the right tools to achieve even more — all without sacrificing the agility and open source nature of where they started with EJBCA.

In the nearly 15 years since the Ministry of Justice got started with EJBCA, de Jonge’s team has established true expertise around PKI and normative documents.

“We’re responsible for everything — back-end infrastructure, front-end infrastructure, and delivering user interfaces — and our team is certified to support all of that. We’re a fairly small, multidisciplinary team, but we’re able to handle all kinds of needs from internal audits to verifications, all working within the Netherlands and between member states of the EU,” de Jonge says.

Recognizing this expertise and the value it’s brought to a variety of needs so far, de Jonge’s team recently put together a four-day training course about PKI and chip technology for border officers and policymakers across the EU. In addition to the live training (which is now recurring), the team also created a detailed reference guide with their approach to leading PKI and best practices. de Jonge notes that everything in the training and the guide is based on using EJBCA, as the team views it as the ideal open source solution for a variety of PKI-related use cases.

Notably, he credits their ability to establish this level of expertise and share their knowledge with others to the time they’ve spent working successfully on the EJBCA solution, with continued support from the Keyfactor team.

“EJBCA works so well for us because we can use it every way we want. We’ve had such a positive experience using the product because it’s truly transparent. Some vendors just give you a black box and say it’s working, but what if that’s not the way you want it to work? We always know exactly what’s going on with EJBCA,” de Jonge explains.

Overall, he says the fact that EJBCA has been able to support so many different use cases for his team — and for other government bodies to which they’ve recommended it — is a testament to its scalability and agility. This success over time has more than proven EJBCA as a highly reliable solution for even the most critical PKI use cases.

Importantly, de Jonge concludes, Keyfactor has a strong team to back up their technology: “We’ve developed a good relationship with the Keyfactor team. We can always turn to them and know we’ll have a good interaction, and that’s what counts.”