I'm looking for the method used by EJBCA to generate the private keys in general (CA, Sub-Ca, certificates...).
Let say for instance you want RSA 2048 key size. Is the generation process all done in EJBCA application ? Do they rely on Java EE-based application server random generation (in my case Jboss) ? Is there a link somewhere with the locally implemented random number generation, so for instance on Linux /dev/(u)random ?
What is the level of entropy, and do they guaranty one ?
I got the answer from the EJBCA mailing list and I also grabbed info in the source code.
Maybe it could be of some help to someone else, so I'll paste here the answer.
The underlying method used by EJBCA to generate private key is via the Java class java.util.Random and the class java.security.SecureRandom.
In EJBCA code, the key are generated by the method createCryptoToken from the class CryptoTokenManagementSessionBean which uses SecureRandom() from the file modules/cesecore-ejb/src/org/cesecore/keys/token/CryptoTokenManagementSessionBean.java
At the end OpenJDK SecureRandom implementation uses /dev/random. So the overall entropy is the entropy of /dev/random. There is plenty of methods to improve it's entropy pool. A solution is with using hardware token.
NB: Here it only apply to system without HSM (in that case the key is generated in the HSM so it depends on the HSM) and running on Linux (and most probably on system having /dev/random, so BSD family).