EJBCA Enterprise Cloud Edition VA Configuration and Administration Guide Print date: 2018-10-19


© 2018 PRIMEKEY

Table of Contents

Introduction
  Documentation
    Related Guides
EJBCA VA Introduction
  EJBCA Validation Authority (VA)
    Concepts
    External OCSP Responders
      Features
AWS Operating Environment
  EC2
  VPC Configuration
  Security Groups
CA and VA Configuration
  Apache Certificate Generation for the VA
    Step 1: On the CA
    Step 2: On the VA Server
  Import the CAs Public Certificate Chain into the VA
    Step 1: On the CA
    Step 2: On the VA
  Configure TLS Connections Between the CA and VA
    Step 1: Import Profiles on the CA
    Step 2: Create Crypto Token to store Peer Systems authentication key on CA
    Step 3: Set up Authentication Key Binding for Mutual Authentication on CA
    Step 4: Generate Certificate for TLS Connection
    Step 5: Import Peer Systems certificate into Authentication Key Binding on CA
  Setup Peer Systems
    Step 1: On the CA
    Step 2: On the RA
    Step 3: On the CA
  Create a Peer Publisher on the CA
  Edit a Certificate Profile to use the Publisher
  Create Crypto Token to store Peer Systems authentication key on VA
  Set up OCSP Key Binding for Mutual Authentication on the VA
  Testing OCSP
    Revoking the certificate


Introduction

This guide is intended to assist an EJBCA Enterprise Cloud Edition administrator with EJBCA CA to VA configuration and administration tasks related to VA management.

This configuration assumes that the user has procured at least two nodes in the AWS Marketplace following the EJBCA ECE Launch Guide.

This guide also assumes that a CA (Certificate Authority) is configured that requires OCSP services. OCSP responses are signed with a key issued by a CA so that relying parties can validate them. That CA must exist to sign the OCSP responses for the purposes of this configuration guide.

Documentation

EJBCA Enterprise Cloud Edition documentation is available on:

https://download.primekey.com/docs/EJBCA-Enterprise-Cloud/latest/

EJBCA Enterprise Edition documentation is available on:

https://download.primekey.com/docs/EJBCA-Enterprise/latest/

Additional information on EJBCA Community Edition is available on: www.ejbca.org

Related Guides

EJBCA ECE Launch Guide

EJBCA ECE Backup Guide


EJBCA VA Introduction

EJBCA Validation Authority (VA)

For detailed information on VA Services, refer to the online EJBCA Documentation or to ejbca.org.

Concepts

EJBCA: Enterprise Java Beans Certificate Authority, includes both CA, VA and RA.

Certificate Authority (CA): A CA issues certificates to, and vouches for the authenticity of, entities. The level of trust you can assign to a CA is individual, per CA, and depends on the CA's Policy (CP) and CA Practices Statement (CPS).

Validation Authority (VA): A VA is responsible for providing information on whether certificates are valid or not. There can be one or more VAs connected to each CA in the PKI. A VA can be run as part of the CA or as a separate service.

Peer Systems: A mechanism for connections initiated from the CA to the VA (or RA), over which messages for control and operations are passed.

CA Certificate Store: The CA Certificate Store is used to get a certificate chain to the root CA in order to verify that the certificate is signed by a valid CA (it is valid if the root is trusted). RFC 4387 specifies how the certificates are retrieved. The configuration file conf/certstore.properties is used to configure the service.

CRL Store: The CRL Store is used to get a Certificate Revocation List (a signed list of revoked certificates) for a CA. RFC 4387 specifies how the CRLs are retrieved. The configuration file conf/crlstore.properties is used to configure the service.

OCSP Responder: The OCSP Responder is used to ask if a certificate is revoked or not. The OCSP protocol is specified in RFC 2560 and its successor RFC 6960.

External OCSP Responders

External OCSP responders serve multiple purposes:

- Separating the validation service from the CA service. This increases security because the CA service does not have to accept any incoming connections.
- Ensuring the highest availability of the validation service. Using external OCSP responders you can have several completely independent nodes. This means that you can do maintenance on the CA, or on some of the OCSP nodes, without disturbing the availability of the validation service.
- Ensuring the highest performance. The external OCSP responder is very fast and one single responder can answer hundreds of requests per second. In addition, the external OCSP responders can be scaled linearly by adding multiple independent OCSP nodes.

The following diagram is a rough schema of the architecture using external OCSP responders.


The EJBCA external OCSP responder does not rely on CRLs being issued by the CA. Instead, the OCSP responder uses its own database with certificate status information. This can be a replica of the CertificateData table in EJBCA. In normal operation the EJBCA CA pushes status changes to the external OCSP database when certificates are issued and revoked in EJBCA.

The external OCSP responder is not limited to use in combination with EJBCA, though. The external OCSP database can also be updated by other tools, for example by being fed with CRLs from other CAs.

Features

- Implements RFC 2560, RFC 6960 and RFC 5019.
- Independent of the CA software used (various degrees of integration are possible and may be required).
- One responder can respond for any number of CAs.
- Status information stored in an SQL database.
- Not dependent on CRLs. Status information can be updated in real time.
- Plug-in mechanism for custom OCSP extensions.
- Highly configurable audit and transaction logging. Suitable for invoicing.
- Supports PKCS#11 HSMs and soft keys.
- Built-in health check used by load balancers and for monitoring.
- Configurable for requiring signed requests, authorized signers, etc.
- Can answer good or unknown to non-existing certificates, with different configuration based on request URI.
- Linear scalability for performance and high availability by adding multiple nodes.
- High performance, >500 requests per second on a single server.
- On-line renewal of OCSP responder keys and certificates.
- OCSP client in Java (Client ToolBox).
- Support for the Norwegian Unid FNR extension.
- Support for the German CertificateHash extension.


AWS Operating Environment

EC2

Begin by starting two instances. In this example we will have the following two EJBCA Enterprise Cloud Edition nodes:

- Node 1 using IP 172.16.0.144 – US East 1 – 172.16.0.0/16 address space
- Node 2 using IP 172.31.0.115 – US East 2 – 172.31.0.0/16 address space

One of the nodes is in US-East-1 and the other in US-East-2. For the purposes of this guide we are going to be using the instance ID from Node 1 as the password. You can obtain this from the EC2 console in the instance details, or run the following command:

# curl -s http://169.254.169.254/latest/meta-data/instance-id

VPC Configuration

To get the nodes to communicate, it is assumed that a VPC Peering Connection is set up and in place. For assistance with configuring a VPC Peering Connection, refer to Amazon's VPC Peering Guide.

Optionally, for testing purposes, all nodes can be set up within the same VPC. This is not ideal and does not provide any availability guarantees if one of the AWS sites has an outage.

A Route Table needs to be created that allows these nodes to communicate over the Peering Connection. For more information on configuring Route Tables between VPCs, refer to Amazon's documentation on Updating Your Route Tables for a VPC Peering Connection.

A security group is also needed in each VPC. That configuration is outlined below since it pertains directly to the Galera communication.


Security Groups

Galera replication uses the following port for communication:

- 443 - For TLS connections between the CA and the RA/VA.

To create a security group that allows TLS traffic within the VPCs, follow the steps below.

In this example, the VPC internal address space is 172.16.0.0/16 in US-East-1 and the address space in US-East-2 is 172.31.0.0/16.

Create a Security Group called "TLS 443 Traffic to US-East" with the following rules:

This will allow any connection outbound to any address and any inbound connection on port 443 from any address on the 172.16.0.0/16 and 172.31.0.0/16 subnets. The other VPC will also need the same rule configured. These rules may be tightened as required by the organization.

To apply these Security Groups to the EJBCA Enterprise Cloud Edition Nodes in each of the VPCs, right-click the node, select Networking and then Change Security Groups.


Apply the security group to the instance so that it can communicate with the other nodes in the cluster:


CA and VA Configuration

The CA and VA configuration is described in the following sections:

- Apache Certificate Generation for the VA
- Import the CAs Public Certificate Chain into the VA
- Configure TLS Connections Between the CA and VA
- Setup Peer Systems
- Create a Peer Publisher on the CA
- Edit a Certificate Profile to use the Publisher
- Create Crypto Token to store Peer Systems authentication key on VA
- Testing OCSP

Apache Certificate Generation for the VA

Generate the Apache Certificate for the VA by following the instructions for the CA and the VA Server below.

Step 1: On the CA

SSH into the CA server and navigate to the /opt/PrimeKey/support directory.

Start by taking a backup of the system:

# /opt/PrimeKey/support/system_backup.sh

Generate TLS certificates for the VA server on the CA. Since a VA will most likely have two IP addresses and two DNS names, those are indicated with the -d and -i flags. In this case the IP addresses and DNS names the host has are:

- ec2-13-59-110-179.us-east-2.compute.amazonaws.com
- ip-172-31-0-115.ec2.internal
- 35.153.160.120
- 172.31.0.115

# /opt/PrimeKey/support/create_ra_tls_certs.sh -d ec2-13-59-110-179.us-east-2.compute.amazonaws.com -d ip-172-31-0-115.ec2.internal -i 35.153.160.120 -i 172.31.0.115

The script will prompt whether to generate the certificates in the format that Apache will expect them on the VA. Choose Y and press Enter. It will output these files into the /home/ec2-user/pem directory for easy copying.


The three files output will be:

- managementca.ca-mgmt.pem
- server-mgmt.key
- server-mgmt.pem

Copy these files to the VA server and put them into place with the instructions in the next section.

Step 2: On the VA Server

SSH into the VA server and start by taking a backup of the system.

# /opt/PrimeKey/support/system_backup.sh

Copy the three files that were output to /home/ec2-user/pem on the CA to the new RA. Copy the files (most likely in /home/ec2-user/) to the /etc/httpd/ssl directory and restart Apache:

# cp /home/ec2-user/managementca.ca-mgmt.pem /home/ec2-user/server* /etc/httpd/ssl/
# service httpd restart

Convert the server to a VA using the install_ra.sh script. Note that this is the same script that is used to configure the server into an RA. There are many configuration commonalities between RAs and VAs from a system standpoint. The Peer Connections and permissions are where they differ. The install_ra.sh script will import the ManagementCA certificate from the CA server so that the RA is managed by the same ManagementCA as the CA server.

# /opt/PrimeKey/support/install_ra.sh

The script will ask for the path to the ManagementCA PEM file from the CA server. Use the managementca PEM that was copied to the /etc/httpd/ssl directory or copy a new one.


Access the VA Administration GUI with the same certificate used to access the CA server. Test this by going to the EJBCA Admin Web on the VA. Note that there is no Management CA configured; an external ManagementCA is used.


Import the CAs Public Certificate Chain into the VA

For the VA to be aware of the CA we need to import the CA's certificates into the VA. If you need assistance with setting up a CA structure, see the EJBCA Evaluation Guide.

Step 1: On the CA

1. Click on CA Structure and CRLs.
2. Download the PEM file for the Root and Issuing CAs.

Step 2: On the VA

1. Click Certification Authorities.
2. Click Import CA certificate.
   a. Enter the name for the Root CA.
   b. Click Browse and browse to the CA cert downloaded in the last section.
   c. Click Import CA Certificate.
3. Click Import CA Certificate.
   a. Enter the name for the Issuing CA.
   b. Click Browse and browse to the CA cert downloaded in the last section.
   c. Click Import CA Certificate.

Configure TLS Connections Between the CA and VA

Step 1: Import Profiles on the CA

SSH into the CA server and import the profiles that are going to be used for generating the key binding and peer connection certificates. This imports the OCSP and Peer Systems profiles.

# /opt/ejbca/bin/ejbca.sh ca importprofiles -d /opt/PrimeKey/ra_profiles/


Step 2: Create Crypto Token to store Peer Systems authentication key on CA

Create a Crypto Token for the key binding to use.

1. Navigate to Crypto Tokens and select Create new.
2. Enter a name: Peer Systems Token.
3. Select Type: Soft.
4. Enter and repeat Authentication Code.
5. Enable Auto-activation.
6. Click Save.
7. Generate new key pair:
   a. Alias: peer_systems_auth_key.
   b. Key Spec: RSA 4096.


Step 3: Set up Authentication Key Binding for Mutual Authentication on CA

Create an internal key binding for authenticating the TLS connection to the VA.

1. Start by selecting Internal Key Bindings on the CA.
2. On the AuthenticationKeyBinding tab, click Create new.
3. Enter a name: Peer System Key Binding to VA.
4. Select Crypto Token: "Peer Systems Token".
5. Key Pair Alias: peer_systems_auth_key.
6. Signature Algorithm: SHA256WithRSA.
7. Click Create.

Click Back to overview to go back to the AuthenticationKeyBinding tab, select CSR under the Action column and save the file (Peer System Key Binding to RA.pkcs10.pem).


Step 4: Generate Certificate for TLS Connection

1. Click RA Web in the left side navigation to open the CA's RA web. Select Make New Request.
2. Select Certificate Type: "Peer Systems User EE Profile".
3. CA: "ManagementCA".
4. Click Browse and select the "Peer System Key Binding to RA.pkcs10.pem" file.
5. Change CN, Common Name to "peersystems".
6. Change the Username to "peersystems".
7. Click Download PEM. Save the file (peersystems.pem).

Step 5: Import Peer Systems certificate into Authentication Key Binding on CA

1. Choose System Functions > Internal Key Bindings.
2. Click the AuthenticationKeyBinding tab.


3. Under Import externally issued certificate:
   a. Target AuthenticationKeyBinding: Peer System Key Binding to CA.
   b. Click Browse.
   c. Select the file peersystems.pem.
   d. Click Import.
4. Under Action:
   a. Click Enable.
5. The Peer Systems Authentication Key Binding should now be Active.


Setup Peer Systems

Follow the steps below to set up Peer Systems:

- Step 1: On the CA
- Step 2: On the RA
- Step 3: On the CA

Step 1: On the CA

1. Choose System Functions > Peer Systems.
2. Under Outgoing Peer Connectors, click Add.
3. For Create Peer Connector, specify the following:
   a. Name: Peer Connection to RA
   b. URL: This should be the internal FQDN of the RA. For this example: "https://ip-172.31.0.115.us-east-2.compute.internal/ejbca/peer/v1". EJBCA ECE uses Apache and no port designation is necessary.
   c. In the Authentication Key Binding list menu, select Peer System Key Binding to VA.
   d. Select Enabled.
   e. Clear Process Incoming Requests.
4. Click Create.
5. Click Ping. You should see the error Unauthorized.

Note: If the error Unable to connect to peer displays, this is due to the security group configuration. Also, make sure that the IP address is used and not an FQDN unless you have internal name resolution across VPCs.


Step 2: On the RA

1. Choose System Functions > Peer Systems.
2. You should see a connection attempt from the CA under Incoming Connections.
3. Click Create Role.
4. Ensure that – Create new role – is selected, and click Select.
5. Additional properties will show. Change the Role name to "External VA Role".
6. Select Accept Long Hanging Connections.
7. Ensure that Accept RA requests is selected.
8. Select Access ManagementCA and any other CAs desired for the VA to access.
9. Select Publish Certificate.
10. Select Compare certificate synchronization status.
11. Click Create new role.

Step 3: On the CA

1. Click Peer Systems.
2. Click Manage on the Peer Connection to RA peer connection.
3. Click Start.
4. It will say "Running".
5. Click Refresh.
6. You should see certificates added or synchronized.


Create a Peer Publisher on the CA

To create a Peer Publisher on the CA, do the following:

1. Select Publishers in the Administration GUI.
2. Enter a name such as VA Peer Publisher.
3. Click Add.
4. Select the publisher and click Edit.
5. From the PublisherType drop-down, select Validation Authority Peer Publisher.
6. Ensure the correct Peer System is selected.
7. Select Store CRL at the Validation Authority.
8. Click Save and Test Connection.
9. You should see Connection Tested Successfully at the top. Click Save.

Edit a Certificate Profile to use the Publisher

In order for generated certificates to be published to the VA, the profiles for the CA need to be configured to use the Peer Publisher.

1. In the Admin GUI, select CA Functions > Certificate Profiles.
2. Click Edit next to the profile from which you want to issue certificates (or create a new one).
3. Under the section Other Data, select VA Peer Publisher next to Publishers.
4. Click Save.

Create Crypto Token to store Peer Systems authentication key on VA

On the VA, create a Crypto Token for the key binding to use.

1. Navigate to Crypto Tokens and select Create new.
2. Enter a name: OcspKeyBindingToken.
3. Type: SOFT.
4. Enter and repeat Authentication Code.
5. Enable Auto-activation.
6. Click Save.
7. Generate new key pair:
   a. Alias: OcspKeyBindingKey
   b. Key Spec: RSA 4096


Set up OCSP Key Binding for Mutual Authentication on the VA

To set up OCSP Key Binding for Mutual Authentication on the VA, do the following:

1. Click on InternalKeyBindings on the VA and then select the OcspKeyBinding tab.
2. Click Create new.
3. Enter a name for the key binding, for example "OCSPKeyBinding_IssuingCA".
4. Select the OCSPKeyBindingToken.
5. Ensure the correct key pair alias is chosen.
6. Click Create.
7. Click Back to Overview.
8. Click CSR under the actions column.
9. Save the file OCSPKeyBinding_IssuingCA.pkcs10.pem.

On the CA

1. In the Admin GUI, select RA Web.
2. Click Make New Request.
3. Select the OCSP Signer EE Profile.
4. Select the Issuing CA. This is the CA certificate that is going to stamp the OCSP responses.
5. Browse to the OCSPKeyBinding_IssuingCA.pkcs10.pem file.
6. Enter a username, for example "OCSPKeyBinding_IssuingCA".
7. Click Download PEM.

On the VA

1. On the Internal Key Bindings > OCSP Key Bindings tab, click Browse to browse to the certificate that was downloaded from the RA Web.
2. Click Import.
3. The following message displays: "Operation completed without errors."
4. Click Update.
5. Click Enable. An hourglass will show in the Active column and the text "OCSPKeyBinding_IssuingCA status is now ACTIVE" will appear at the top.


6. Set the Default Responder to be the OCSP Key Binding created.

You need to repeat these steps for any other CAs you want the VA to be an OCSP responder for.


Testing OCSP

Generate a certificate from the Issuing CA using the RA Web. The instructions will not be outlined here. It is easiest to have the key generated server side and the certificate downloaded as PEM. Once completed, run the following OpenSSL command:

# openssl ocsp -issuer Corporate_Issuing_CAG1.cacert.pem -CAfile Corporate_Root_CAG1.cacert.pem -cert server1.pem -req_text -url https://ec2-54-161-138-211.compute-1.amazonaws.com/ejbca/publicweb/status/ocsp

Where the flags are:

Option     Description
-issuer    The Issuing CA public certificate.
-CAfile    The Root certificate or chain of the CA.
-url       The URL to the OCSP server.
-req_text  Optional, but gives more output.

The output should appear as the following:

Where "Response Verify: OK" means that the signed OCSP reply from the OCSP server could be validated with the certs provided in the command. "server1.pem: good" means the certificate status is good.

Revoking the certificate

1. Select Search End Entities.
2. Search by username (end entity name).
3. Find the End Entity in the search results.
4. Click View Certificates on the right side.
5. Select CertificateHold from the revocation reasons.
6. Click Revoke.
7. Run the openssl command again and the status should now be "revoked" with a reason of "Certificate Hold".
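As an added check (example code, not from the guide), the following script reruns the guide's openssl ocsp query from the Testing OCSP and Revoking the certificate sections and only reports success when the response signature verified against the CA chain and the status is the one expected: good after issuance, revoked after the Certificate Hold step. The file names and URL are the guide's; the function names and the sample outputs are constructed for this example.

```shell
#!/bin/sh
# Added example, not part of the PrimeKey guide: wraps the guide's manual
# "openssl ocsp" test so it can be rerun as a VA health check. File names and
# the URL are the guide's; the function names and sample outputs are this
# example's own.

# parse_ocsp_output OUTPUT CERTFILE
# Reads the combined stdout and stderr of "openssl ocsp" and prints
# "<status> <reason>" for CERTFILE, e.g. "good none" or
# "revoked certificateHold". Returns 1 when the response signature did not
# verify against the -CAfile chain: an unverified "good" must not be trusted,
# since anyone on the network path could have produced it.
parse_ocsp_output() {
    out=$1
    cert=$2
    # openssl prints "Response verify OK" only when the responder's signature
    # chains to the trust anchor given with -CAfile (the guide shows it as
    # "Response Verify: OK"; both spellings are accepted here).
    printf '%s\n' "$out" | grep -qi '^Response verify:\{0,1\} OK' || return 1
    status=$(printf '%s\n' "$out" | awk -v c="$cert:" '$1 == c { print $2; exit }')
    reason=$(printf '%s\n' "$out" | awk '$1 == "Reason:" { print $2; exit }')
    [ -n "$status" ] || status=missing
    printf '%s %s\n' "$status" "${reason:-none}"
}

# expect_ocsp_status OUTPUT CERTFILE EXPECTED
# Succeeds only when the response verified and the status equals EXPECTED
# ("good" right after issuance, "revoked" after the Certificate Hold step).
expect_ocsp_status() {
    got=$(parse_ocsp_output "$1" "$2") || return 1
    [ "${got%% *}" = "$3" ]
}

# check_va EXPECTED
# Runs the same query as the guide against the VA. "openssl ocsp" writes the
# verify result to stderr, so both streams are captured; a non-zero exit is
# left to the parser to interpret.
check_va() {
    out=$(openssl ocsp -issuer Corporate_Issuing_CAG1.cacert.pem \
        -CAfile Corporate_Root_CAG1.cacert.pem -cert server1.pem \
        -url https://ec2-54-161-138-211.compute-1.amazonaws.com/ejbca/publicweb/status/ocsp 2>&1) || true
    expect_ocsp_status "$out" server1.pem "$1"
}

# Constructed sample outputs in the layout openssl prints, used to exercise
# the parser offline without a VA.
GOOD_OUT='Response verify OK
server1.pem: good
	This Update: Oct 19 10:00:00 2018 GMT'

REVOKED_OUT='Response verify OK
server1.pem: revoked
	This Update: Oct 19 10:05:00 2018 GMT
	Reason: certificateHold
	Revocation Time: Oct 19 10:04:30 2018 GMT'

# Signature does not chain to -CAfile: the "good" below must be ignored.
UNVERIFIED_OUT='Response Verify Failure
server1.pem: good'

# Usage against a live VA: check_va good   (or: check_va revoked)
```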
