Migrating to EJBCA from OpenSSL and TinyCA

Install and configure EJBCA

EJBCA 6.0.3 – http://www.ejbca.org/download.html

JBoss AS 7.1.1 Final – http://download.jboss.org/jbossas/7.1/jboss-as-7.1.1.Final/jboss-as-7.1.1.Final.zip

Prereqs:

Ref:

Detailed deployment guide: http://majic.rs/book/free-software-x509-cookbook/setting-up-ejbca-as-certification-authority

EJBCA doc: http://wiki.ejbca.org/

Architecture

Recommended architecture (source: http://ejbca.org/architecture.html)

Import existing OpenSSL CA

Step 1 – Export the OpenSSL private key and certificate to a PKCS#12 keystore (the export prompts for a password; EJBCA asks for the same password on import):

openssl pkcs12 -export -out existingCA1.p12 -inkey <ca-private-key.pem> \
        -in <ca-certificate.pem> -name existingCA1

Step 2 – Import the PKCS#12 keystore into EJBCA as a CA (the command prompts for the keystore password set in Step 1):

$EJBCA_HOME/bin/ejbca.sh ca importca <CA name> existingCA1.p12

Step 3 – Verify the import. Run the add-user command without arguments: its usage text lists the available CAs, and the imported CA must appear there (`ca listcas`, used under Revoking certificates below, gives the same list directly).

$EJBCA_HOME/bin/ejbca.sh ra adduser

### IMPORTANT ###

The distinguished name order used by OpenSSL may be the opposite of EJBCA's default configuration (http://www.csita.unige.it/software/free/ejbca/). If so, the ordering must be changed in the EJBCA configuration before deploying (it cannot be set per CA). Before relying on DN-based matching elsewhere (ACLs, LDAP lookups, pinned subject strings), compare the subject order of a test certificate issued by the imported CA with one issued by OpenSSL.

Have not been able to replicate this issue in testing.

Import existing TinyCA CA

Basic Admin and User operations

Create an end entity profile for server/client entities

Step 1 – Create a Certificate Profile (http://wiki.ejbca.org/certificateprofiles)

Step 2 – Create an End Entity Profile (http://wiki.ejbca.org/endentityprofiles)

* End entities can be deleted using:

$EJBCA_HOME/bin/ejbca.sh ra delendentity <username>

Issuing certificates from CSRs

End entities need to be created for clients/servers that require certificates signed by our CA.

Step 1 – Create an End Entity (http://ejbca.org/userguide.html#Issue a new server certificate from a CSR)

Step 2 – Sign CSR using the End Entity which is associated with a CA

Importing existing certificates

EJBCA can create end entities and import their existing certificates one by one or in bulk (http://www.ejbca.org/docs/adminguide.html#Importing Certificates). A bulk import puts all certificates under a single user, which is usually not what you want. The script below imports every certificate in a directory one by one, each under a new end entity named after the certificate's CN.

#!/bin/sh

# For each PEM certificate in the directory:
#       create an end entity whose username is the certificate CN plus the suffix in AP
#       set the end entity password (enrollment code) to the same value
#       import the certificate under that end entity with status ACTIVE
#
# Usage: import_existing_certs.sh <import dir> <CA name> <end entity profile> <certificate profile>

EJBCA_HOME="/usr/share/ejbca"
IMPORT_DIR=$1
CA=$2
ENDENTITYPROFILE=$3
SSLCERTPROFILE=$4
AP="_OTE"               # suffix appended to the CN to form the end entity username

if [ $# -lt 4 ]; then
        echo "usage: import_existing_certs.sh <import dir> <CA name> <end entity profile> <certificate profile>"
        exit 1
fi
for X in "$IMPORT_DIR"/*.pem
do
        echo "######################################################"
        echo "Importing: $X"
        # RFC 2253 output separates RDNs with commas, so the CN can be picked out wherever
        # it sits in the DN (a CN containing an escaped comma is not handled).
        CN=$(openssl x509 -in "$X" -noout -subject -nameopt RFC2253 | sed -n 's/.*CN=\([^,]*\).*/\1/p')
        if [ -z "$CN" ]; then
                echo "No CN in subject, skipping: $X"
                continue
        fi
        echo "CN: $CN"
        # ca importcert <username> <password> <CA name> <status> <email> <certificate file> <end entity profile> <certificate profile>
        # "null" means no e-mail address. The password is only an enrollment code and is not
        # used for an already issued certificate, but choose something other than the public
        # CN if the entity may ever be set back to NEW for re-enrollment.
        echo "Running import: $EJBCA_HOME/bin/ejbca.sh ca importcert '$CN$AP' '$CN$AP' '$CA' ACTIVE null '$X' '$ENDENTITYPROFILE' '$SSLCERTPROFILE'"
        "$EJBCA_HOME/bin/ejbca.sh" ca importcert "$CN$AP" "$CN$AP" "$CA" ACTIVE null "$X" "$ENDENTITYPROFILE" "$SSLCERTPROFILE"
        echo "######################################################"
done

Creating administrators

Create administrators that can sign CSR and revoke certificates: http://ejbca.org/userguide.html#Administrator%20roles

Revoking certificates

# Generate a CRL via the command line
# List CAs
/usr/share/ejbca/bin/ejbca.sh CA listcas
# Create a new CRL for the CA:
/usr/share/ejbca/bin/ejbca.sh CA createcrl "<CA name>" -pem
# Export the CRL to a file
/usr/share/ejbca/bin/ejbca.sh CA getcrl "<CA name>" -pem <CA name>.pem

Checking certificate validity/revocation status via OCSP

openssl ocsp -issuer gtld_CA_cert.pem -CAfile gtld_CA_cert.pem \
-cert gtld_registrar5.pem -req_text -url http://localhost:8080/ejbca/publicweb/status/ocsp

Monitoring expiring certs

$EJBCA_HOME/bin/ejbca.sh ca listexpired 100
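`ca listexpired` reports what EJBCA has issued; it says nothing about what is actually installed on the hosts. The function below, an added example that is not part of the original notes or of EJBCA, runs the same question over a directory of deployed PEM certificates using `openssl x509 -checkend`, so the two lists can be compared.

```shell
#!/bin/sh
# expiring_certs.sh - list the PEM certificates under a directory that have expired
# or will expire within N days. Added example, not part of the original notes.
set -eu

# Prints "<notAfter>\t<file>" for every certificate expiring within $1 days in $2.
expiring_within() {
    days=$1; dir=$2
    secs=$((days * 86400))
    for f in "$dir"/*.pem; do
        [ -f "$f" ] || continue
        # skip .pem files that are not certificates (keys, CSRs, CRLs)
        openssl x509 -in "$f" -noout >/dev/null 2>&1 || continue
        # -checkend exits non-zero when the certificate expires within the window
        # (or has already expired)
        if ! openssl x509 -in "$f" -noout -checkend "$secs" >/dev/null 2>&1; then
            printf '%s\t%s\n' "$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')" "$f"
        fi
    done
}

# usage: expiring_certs.sh <days> <dir>
if [ $# -ge 2 ]; then
    expiring_within "$1" "$2"
fi
```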

 
