EJBCA Enterprise Cloud Edition VA Configuration and Administration Guide
Print date: 2018-10-19
© 2018 PRIMEKEY
Table of Contents
Introduction  3
  Documentation  3
    Related Guides  3
EJBCA VA Introduction  4
  EJBCA Validation Authority (VA)  4
    Concepts  4
  External OCSP Responders  4
    Features  5
AWS Operating Environment  6
  EC2  6
  VPC Configuration  6
  Security Groups  7
CA and VA Configuration  9
  Apache Certificate Generation for the VA  9
    Step 1: On the CA  9
    Step 2: On the VA Server  10
  Import the CAs Public Certificate Chain into the VA  12
    Step 1: On the CA  12
    Step 2: On the VA  12
  Configure TLS Connections Between the CA and VA  12
    Step 1: Import Profiles on the CA  12
    Step 2: Create Crypto Token to store Peer Systems authentication key on CA  13
    Step 3: Set up Authentication Key Binding for Mutual Authentication on CA  14
    Step 4: Generate Certificate for TLS Connection  15
    Step 5: Import Peer Systems certificate into Authentication Key Binding on CA  15
  Setup Peer Systems  17
    Step 1: On the CA  17
    Step 2: On the RA  18
    Step 3: On the CA  18
  Create a Peer Publisher on the CA  19
  Edit a Certificate Profile to use the Publisher  19
  Create Crypto Token to store Peer Systems authentication key on VA  19
  Set up OCSP Key Binding for Mutual Authentication on the VA  20
  Testing OCSP  22
    Revoking the certificate  22
Introduction
This guide is intended to assist an EJBCA Enterprise Cloud Edition administrator with EJBCA CA-to-VA configuration and administration tasks related to VA management.
This configuration assumes that the user has procured at least two nodes in the AWS Marketplace following the EJBCA ECE Launch Guide.
This guide also assumes that a CA (Certificate Authority) is configured that requires OCSP services. OCSP replies are stamped by a key from a CA for validation. That CA must exist to stamp the OCSP responses for the purposes of this configuration guide.
Documentation
EJBCA Enterprise Cloud Edition documentation is available on:
https://download.primekey.com/docs/EJBCA-Enterprise-Cloud/latest/
EJBCA Enterprise Edition documentation is available on:
https://download.primekey.com/docs/EJBCA-Enterprise/latest/
Additional information on EJBCA Community Edition is available on: www.ejbca.org
Related Guides
EJBCA ECE Launch Guide
EJBCA ECE Backup Guide
EJBCA VA Introduction
EJBCA Validation Authority (VA)
For detailed information on VA Services, refer to the online EJBCA Documentation or refer to ejbca.org.
Concepts
EJBCA: Enterprise Java Beans Certificate Authority; includes the CA, VA and RA.
Certificate Authority (CA): A CA issues certificates to, and vouches for the authenticity of, entities. The level of trust you can assign to a CA is individual, per CA, and depends on the CA's Certificate Policy (CP) and Certification Practice Statement (CPS).
Validation Authority (VA): A VA is responsible for providing information on whether certificates are valid or not. There can be one or more VAs connected to each CA in the PKI. A VA can be run as part of the CA or as a separate service.
Peer Systems: A mechanism for connections initiated from the CA to the VA (or RA), over which messages for control and operations are passed.
CA Certificate Store: The CA Certificate Store is used to get a certificate chain to the root CA in order to verify that the certificate is signed by a valid CA (it is valid if the root is trusted). RFC 4387 specifies how the certificates are retrieved. The configuration file conf/certstore.properties is used to configure the service.
CRL Store: The CRL Store is used to get a Certificate Revocation List (a signed list of revoked certificates) for a CA. RFC 4387 specifies how the CRLs are retrieved. The configuration file conf/crlstore.properties is used to configure the service.
OCSP Responder: The OCSP Responder is used to ask whether a certificate is revoked or not. The OCSP protocol is specified in RFC 2560 and its successor RFC 6960.
External OCSP Responders
External OCSP responders serve multiple purposes:
- Separating the validation service from the CA service. This increases security because the CA service does not have to accept any incoming connections.
- Ensuring the highest availability of the validation service. Using external OCSP responders you can have several completely independent nodes. This means that you can do maintenance on the CA, or on some of the OCSP nodes, without disturbing the availability of the validation service.
- Ensuring the highest performance. The external OCSP responder is very fast and a single responder can answer hundreds of requests per second. In addition, the external OCSP responders can be scaled linearly by adding multiple independent OCSP nodes.
The following diagram is a rough schema of the architecture using external OCSP responders.
The EJBCA external OCSP responder does not rely on CRLs being issued by the CA. Instead, the OCSP responder uses its own database with certificate status information. This can be a replica of the CertificateData table in EJBCA. In normal operation the EJBCA CA pushes status changes to the external OCSP database when certificates are issued and revoked in EJBCA.
The external OCSP responder is not limited to use in combination with EJBCA, though. The external OCSP database can simply be updated by other tools, for example being fed with CRLs from other CAs.
Features
- Implements RFC 2560, RFC 6960 and RFC 5019.
- Independent of the CA software used (various degrees of integration are possible and may be required).
- One responder can respond for any number of CAs.
- Status information stored in an SQL database.
- Not dependent on CRLs. Status information can be updated in real time.
- Plug-in mechanism for custom OCSP extensions.
- Highly configurable audit and transaction logging. Suitable for invoicing.
- Supports PKCS#11 HSMs and soft keys.
- Built-in health check used by load balancers and for monitoring.
- Configurable for requiring signed requests, authorized signers, etc.
- Can answer good or unknown for non-existing certificates, with different configuration based on request URI.
- Linear scalability for performance and high availability by adding multiple nodes.
- High performance, >500 requests per second on a single server.
- On-line renewal of OCSP responder keys and certificates.
- OCSP client in Java (Client ToolBox).
- Support for the Norwegian Unid FNR extension.
- Support for the German CertificateHash extension.
AWS Operating Environment
EC2
Begin by starting two instances. In this example we will have the following two EJBCA Enterprise Cloud Edition nodes:
Node 1 using IP 172.16.0.144 – US East 1 – 172.16.0.0/16 address space
Node 2 using IP 172.31.0.115 – US East 2 – 172.31.0.0/16 address space
One of the nodes is in US-East-1 and the other in US-East-2. For the purposes of this guide we are going to be using the instance ID from Node 1 as the password. You can obtain this from the EC2 console in the instance details, or run the following command on the instance:
# curl -s http://169.254.169.254/latest/meta-data/instance-id
VPC Configuration
To get the nodes to communicate, it is assumed that a VPC Peering Connection is set up and in place. For assistance with configuring a VPC Peering Connection, refer to Amazon's VPC Peering Guide.
Optionally, for testing purposes, all nodes can be set up within the same VPC. This is not ideal and does not provide any availability guarantees if one of the AWS sites has an outage.
A Route Table needs to be created that allows these nodes to communicate over the Peering Connection. For more information on configuring Route Tables between VPCs, refer to Amazon's documentation on Updating Your Route Tables for a VPC Peering Connection.
A security group is also needed in each VPC. That configuration is outlined below since it pertains directly to the Galera communication.
Security Groups
Galera replication uses the following port for communication:
443 - For TLS connections between the CA and the RA/VA.
To create a security group that allows TLS traffic within the VPCs, follow the steps below.
In this example, the VPC internal address space is 172.16.0.0/16 in US-East-1 and the address space in US-East-2 is 172.31.0.0/16.
Create a Security Group called "TLS 443 Traffic to US-East" with the following rules:
Direction  Protocol  Port  Source/Destination
Inbound    TCP       443   172.16.0.0/16
Inbound    TCP       443   172.31.0.0/16
Outbound   All       All   0.0.0.0/0
This allows any connection outbound to any address, and any inbound connection on port 443 from any address in the 172.16.0.0/16 and 172.31.0.0/16 subnets. The security group in the other VPC needs the same rules configured. These rules may be tightened as required for the organization.
To apply these Security Groups to the EJBCA Enterprise Cloud Edition nodes in each of the VPCs, right-click the node, select Networking and then Change Security Groups.
Apply the security group to the instance so that it can communicate with the other nodes in the
cluster:
CA and VA Configuration
The CA and VA configuration is described in the following sections:
Apache Certificate Generation for the VA
Import the CAs Public Certificate Chain into the VA
Configure TLS Connections Between the CA and VA
Setup Peer Systems
Create a Peer Publisher on the CA
Edit a Certificate Profile to use the Publisher
Create Crypto Token to store Peer Systems authentication key on VA
Testing OCSP
Apache Certificate Generation for the VA
Generate the Apache certificate for the VA by following the instructions for the CA and the VA server below.
Step 1: On the CA
SSH into the CA server and navigate to the /opt/PrimeKey/support directory.
Start by taking a backup of the system:
# /opt/PrimeKey/support/system_backup.sh
Generate TLS certificates for the VA server on the CA. Since a VA will most likely have two IP addresses and two DNS names, those are indicated with the -d and -i flags. In this case the IP addresses and DNS names the host has are:
ec2-13-59-110-179.us-east-2.compute.amazonaws.com
ip-172-31-0-115.ec2.internal
35.153.160.120
172.31.0.115
# /opt/PrimeKey/support/create_ra_tls_certs.sh -d ec2-13-59-110-179.us-east-2.compute.amazonaws.com -d ip-172-31-0-115.ec2.internal -i 35.153.160.120 -i 172.31.0.115
The script will prompt whether to generate the certificates in the format that Apache expects on the VA. Choose Y and press Enter. It will output these files into the /home/ec2-user/pem directory for easy copying.
The three files output will be:
managementca.ca-mgmt.pem
server-mgmt.key
server-mgmt.pem
Copy these files to the VA server and put them into place with the instructions in the next section.
Step 2: On the VA Server
SSH into the VA server and start by taking a backup of the system:
# /opt/PrimeKey/support/system_backup.sh
Copy the three files from /home/ec2-user/pem on the CA to the new VA server. Then copy the files (most likely in /home/ec2-user/) to the /etc/httpd/ssl directory and restart Apache:
# cp /home/ec2-user/managementca.ca-mgmt.pem /home/ec2-user/server* /etc/httpd/ssl/
# service httpd restart
Convert the server to a VA using the install_ra.sh script. Note that this is the same script that is used to configure a server into an RA; there are many configuration commonalities between RAs and VAs from a system standpoint. The Peer Connections and permissions are where they differ. The install_ra.sh script will import the ManagementCA certificate from the CA server so that the new server is managed by the same ManagementCA as the CA server.
# /opt/PrimeKey/support/install_ra.sh
The script will ask for the path to the ManagementCA PEM file from the CA server. Use the managementca PEM that was copied to the /etc/httpd/ssl directory, or copy a new one.
Access the VA Administration GUI with the same certificate used to access the CA server. Test this by going to the EJBCA Admin Web on the VA. Note that no local ManagementCA is configured; an external ManagementCA is used.
Import the CAs Public Certificate Chain into the VA
For the VA to be aware of the CA, we need to import the CA's certificates into the VA. If you need assistance with setting up a CA structure, see the EJBCA Evaluation Guide.
Step 1: On the CA
1. Click on CA Structure and CRLs.
2. Download the PEM file for the Root and Issuing CAs.
Step 2: On the VA
1. Click Certification Authorities.
2. Click Import CA certificate.
   a. Enter the name for the Root CA.
   b. Click Browse and browse to the Root CA certificate downloaded in the last section.
   c. Click Import CA Certificate.
3. Click Import CA Certificate.
   a. Enter the name for the Issuing CA.
   b. Click Browse and browse to the Issuing CA certificate downloaded in the last section.
   c. Click Import CA Certificate.
Configure TLS Connections Between the CA and VA
Step 1: Import Profiles on the CA
SSH into the CA server and import the profiles that are going to be used for generating the key binding and peer connection certificates. This imports the OCSP and Peer Systems profiles.
# /opt/ejbca/bin/ejbca.sh ca importprofiles -d /opt/PrimeKey/ra_profiles/
Step 2: Create Crypto Token to store Peer Systems authentication key on CA
Create a Crypto Token for the key binding to use. Navigate to Crypto Tokens and select Create new.
1. Enter a name: Peer Systems Token.
2. Select Type: Soft.
3. Enter and repeat Authentication Code.
4. Enable Auto-activation.
5. Click Save.
6. Generate new key pair:
   a. Alias: peer_systems_auth_key.
   b. Key Spec: RSA 4096.
Step 3: Set up Authentication Key Binding for Mutual Authentication on CA
Create an internal key binding for authenticating the TLS connection to the VA. Start by selecting Internal Key Bindings on the CA.
1. On the AuthenticationKeyBinding tab, click Create new.
2. Enter a name: Peer System Key Binding to VA.
3. Select Crypto Token: "Peer Systems Token".
4. Key Pair Alias: peer_systems_auth_key.
5. Signature Algorithm: SHA256WithRSA.
6. Click Create.
7. Click Back to overview to go back to the AuthenticationKeyBinding tab, select CSR under the Action column and save the file (Peer System Key Binding to RA.pkcs10.pem).
Step 4: Generate Certificate for TLS Connection
Click RA Web in the left side navigation to open the CA's RA Web. Select Make New Request.
1. Select Certificate Type: "Peer Systems User EE Profile".
2. CA: "ManagementCA".
3. Click Browse and select the "Peer System Key Binding to RA.pkcs10.pem" file.
4. Change CN, Common Name to "peersystems".
5. Change the Username to "peersystems".
6. Click Download PEM.
7. Save the file (peersystems.pem).
Step 5: Import Peer Systems certificate into Authentication Key Binding on CA
1. Choose System Functions > Internal Key Bindings.
2. Click the AuthenticationKeyBinding tab.
3. Under Import externally issued certificate:
   a. Target AuthenticationKeyBinding: Peer System Key Binding to CA.
   b. Click Browse.
   c. Select the peersystems.pem file.
   d. Click Import.
4. Under Action:
   a. Click Enable.
5. The Peer Systems Authentication Key Binding should now be Active.
Setup Peer Systems
Follow the steps below to set up Peer Systems:
Step 1: On the CA
Step 2: On the RA
Step 3: On the CA
Step 1: On the CA
1. Choose System Functions > Peer Systems.
2. Under Outgoing Peer Connectors, click Add.
3. For Create Peer Connector, specify the following:
   a. Name: Peer Connection to RA
   b. URL: This should be the internal FQDN of the RA. For this example: "https://ip-172.31.0.115.us-east-2.compute.internal/ejbca/peer/v1". EJBCA ECE uses Apache, so no port designation is necessary.
   c. In the Authentication Key Binding list menu, select Peer System Key Binding to VA.
   d. Select Enabled.
   e. Clear Process Incoming Requests.
4. Click Create.
5. Click Ping. You should see the error "Unable to connect to peer. Unauthorized".
Note: If the error "Unable to connect to peer" displays, this is due to the security groups configuration. Also, make sure that the IP address is used and not an FQDN unless you have internal name resolution across VPCs.
Step 2: On the RA
1. Choose System Functions > Peer Systems.
2. You should see a connection attempt from the CA under Incoming Connections.
3. Click Create Role.
4. Ensure that – Create new role – is selected, and click Select.
5. Additional properties will show. Change the Role name to "External VA Role".
6. Select Accept Long Hanging Connections.
7. Ensure that Accept RA requests is selected.
8. Select Access ManagementCA and any other CAs desired for the VA to access.
9. Select Publish Certificate.
10. Select Compare certificate synchronization status.
11. Click Create new role.
Step 3: On the CA
1. Click Peer Systems.
2. Click Manage on the Peer Connection to RA peer connection.
3. Click Start.
4. It will say "Running".
5. Click Refresh.
6. You should see certificates added or synchronized.
Create a Peer Publisher on the CA
To create a Peer Publisher on the CA, do the following:
1. Select Publishers in the Administration GUI.
2. Enter a name such as VA Peer Publisher.
3. Click Add.
4. Select the publisher and click Edit.
5. From the PublisherType drop-down, select Validation Authority Peer Publisher.
6. Ensure the correct Peer System is selected.
7. Select Store CRL at the Validation Authority.
8. Click Save and Test Connection.
9. You should see Connection Tested Successfully at the top. Click Save.
Edit a Certificate Profile to use the Publisher
In order for generated certificates to be published to the VA, the certificate profiles on the CA need to be configured to use the Peer Publisher.
1. In the Admin GUI, select CA Functions > Certificate Profiles.
2. Click Edit next to the profile from which you want to issue certificates (or create a new one).
3. Under the Other Data section, select VA Peer Publisher next to Publishers.
4. Click Save.
Create Crypto Token to store Peer Systems authentication key on VA
On the VA, create a Crypto Token for the key binding to use. Navigate to Crypto Tokens and select Create new.
1. Enter a name: OcspKeyBindingToken.
2. Type: SOFT.
3. Enter and repeat Authentication Code.
4. Enable Auto-activation.
5. Click Save.
6. Generate new key pair:
   a. Alias: OcspKeyBindingKey
   b. Key Spec: RSA 4096
Set up OCSP Key Binding for Mutual Authentication on the VA
To set up OCSP Key Binding for Mutual Authentication on the VA, do the following:
1. Click Internal Key Bindings on the VA and then select the OcspKeyBinding tab.
2. Click Create new.
3. Enter a name for the key binding, for example "OCSPKeyBinding_IssuingCA".
4. Select the OCSPKeyBindingToken.
5. Ensure the correct key pair alias is chosen.
6. Click Create.
7. Click Back to Overview.
8. Click CSR under the Action column.
9. Save the file OCSPKeyBinding_IssuingCA.pkcs10.pem.
On the CA
1. In the Admin GUI, select RA Web.
2. Click Make New Request.
3. Select the OCSP Signer EE Profile.
4. Select the Issuing CA. This is the CA certificate that is going to stamp the OCSP responses.
5. Browse to the OCSPKeyBinding_IssuingCA.pkcs10.pem file.
6. Enter a username, for example "OCSPKeyBinding_IssuingCA".
7. Click Download PEM.
On the VA
1. On the Internal Key Bindings > OCSP Key Bindings tab, click Browse to browse to the certificate that was downloaded from the RA Web.
2. Click Import.
3. The following message displays: "Operation completed without errors."
4. Click Update.
5. Click Enable. An hourglass will show in the Active column and the text "OCSPKeyBinding_IssuingCA status is now ACTIVE" will appear at the top.
6. Set the Default Responder to be the OCSP Key Binding created.
You need to repeat these steps for any other CAs you want the VA to be an OCSP responder for.
Testing OCSP
Generate a certificate from the Issuing CA using the RA Web. The instructions are not outlined here. It is easiest to have the key generated server side and the certificate downloaded as PEM. Once completed, run the following OpenSSL command:
# openssl ocsp -issuer Corporate_Issuing_CAG1.cacert.pem -CAfile Corporate_Root_CAG1.cacert.pem -cert server1.pem -req_text -url https://ec2-54-161-138-211.compute-1.amazonaws.com/ejbca/publicweb/status/ocsp
Where the flags are:
Option      Description
-issuer     The Issuing CA public certificate.
-CAfile     The Root certificate or chain of the CA.
-cert       The certificate whose status is being queried (here server1.pem).
-url        The URL to the OCSP server.
-req_text   Optional, but gives more output.
The output should appear as the following:
Where "Response Verify: OK" means that the stamped OCSP reply from the OCSP server could be validated with the certificates provided in the command, and "server1.pem: good" means the certificate status is good.
Revoking the certificate
1. Select Search End Entities.
2. Search by username (end entity name).
3. Find the End Entity in the search results.
4. Click View Certificates on the right side.
5. Select CertificateHold from the revocation reasons.
6. Click Revoke.
7. Run the openssl command again and the status should now be "revoked" with a reason of "Certificate Hold".
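As an added example (not part of the PrimeKey guide), the following POSIX shell function interprets the output of the openssl ocsp check above so that both the "Testing OCSP" check and the re-check after "Revoking the certificate" can be run unattended, for example from a monitoring job. The three outputs it is run against are constructed samples in the format openssl prints (current OpenSSL prints "Response verify OK", without a colon); server1.pem is the certificate name from the guide's command.

```shell
#!/bin/sh
# Added example, not from the PrimeKey guide: classify the output of the
# "openssl ocsp" check so the VA test can be scripted. The samples below are
# constructed in the format openssl prints; server1.pem is the certificate
# name used in the guide's command.

# Constructed sample: verified response, certificate is valid.
GOOD_OUTPUT='Response verify OK
server1.pem: good
    This Update: Oct 19 10:00:00 2018 GMT
    Next Update: Oct 19 11:00:00 2018 GMT'

# Constructed sample: the same certificate after revocation with CertificateHold.
REVOKED_OUTPUT='Response verify OK
server1.pem: revoked
    This Update: Oct 19 10:05:00 2018 GMT
    Next Update: Oct 19 11:05:00 2018 GMT
    Reason: certificateHold
    Revocation Time: Oct 19 10:04:30 2018 GMT'

# Constructed sample: the responder answered "good" but the response signature
# did not chain to the -CAfile/-issuer certificates, so the status is worthless.
BAD_OUTPUT='Response Verify Failure
server1.pem: good'

# ocsp_status OUTPUT CERTFILE
# Prints good, revoked:<reason>, unknown, or unverified.
# Exit code is 0 only for a verified "good" answer, 1 for revoked/unknown,
# 2 when the response did not verify (never trust the status line then).
ocsp_status() {
    out=$1
    cert=$2
    if ! printf '%s\n' "$out" | grep -q '^Response verify OK$'; then
        echo unverified
        return 2
    fi
    # Escape regex metacharacters in the file name (the "." in server1.pem).
    esc=$(printf '%s' "$cert" | sed 's/[.[\*^$]/\\&/g')
    status=$(printf '%s\n' "$out" | sed -n "s/^$esc: \(.*\)$/\1/p" | head -n 1)
    case $status in
        good)
            echo good
            return 0 ;;
        revoked)
            reason=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Reason: \(.*\)$/\1/p' | head -n 1)
            echo "revoked:${reason:-unspecified}"
            return 1 ;;
        *)
            # "unknown" from the responder, or no status line for this file at all.
            echo unknown
            return 1 ;;
    esac
}

# Run through the constructed samples ("|| true" keeps going under set -e).
ocsp_status "$GOOD_OUTPUT" server1.pem || true
ocsp_status "$REVOKED_OUTPUT" server1.pem || true
ocsp_status "$BAD_OUTPUT" server1.pem || true
```

To use it against the live VA, pipe the guide's openssl ocsp command into a variable and pass that as the first argument; the exit code distinguishes a revoked certificate from a response that could not be verified at all.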