Install and configure EJBCA
EJBCA 6.0.3 – http://www.ejbca.org/download.html
JBoss AS 7.1.1 Final – http://download.jboss.org/jbossas/7.1/jboss-as-7.1.1.Final/jboss-as-7.1.1.Final.zip
Prereqs:
- OpenJDK 1.6 or later
- Apache Ant – http://mirror.tcpdiag.net/apache/
Ref:
Detailed deployment guide: http://majic.rs/book/free-software-x509-cookbook/setting-up-ejbca-as-certification-authority
EJBCA doc: http://wiki.ejbca.org/
Architecture
Import existing OpenSSL CA
Step 1 – Export the OpenSSL priv key and cert to a PKCS#12 keystore:
openssl pkcs12 -export -out existingCA1.p12 -inkey <ca-key.pem> -in <ca-cert.pem> -name existingCA1
(<ca-key.pem> and <ca-cert.pem> are placeholders for the existing OpenSSL CA private key and certificate files.)
Step 2 – Import the PKCS#12 keystore to EJBCA CA
/bin/ejbca.sh ca importca existingCA1.p12
Step 3 – Verify import
/bin/ejbca.sh ra adduser
### IMPORTANT ###
The distinguished name order used by OpenSSL may be the opposite of the EJBCA default configuration – http://www.csita.unige.it/software/free/ejbca/ … If so, this ordering must be changed in the EJBCA configuration prior to deploying (it can’t be set on a per-CA basis).
Have not been able to replicate this issue in testing.
Import existing TinyCA CA
Basic Admin and User operations
Create an end entity profile for server/client entities
Step 1 – Create a Certificate Profile (http://wiki.ejbca.org/certificateprofiles)
Step 2 – Create an End Entity Profile (http://wiki.ejbca.org/endentityprofiles)
* EndEntities can be deleted using:
/bin/ejbca.sh ra delendentity
Issuing certificates from CSRs
End entities need to be created for clients/servers that require certificates signed by our CA.
Step 1 – Create an End Entity (http://ejbca.org/userguide.html#Issue a new server certificate from a CSR)
Step 2 – Sign CSR using the End Entity which is associated with a CA
Importing existing certificates
EJBCA can create end entities and import their existing certificates one-by-one or in bulk (http://www.ejbca.org/docs/adminguide.html#Importing Certificates). Bulk inserts import all certificates under a single user, which may not be desirable. Below is a script that imports all certs in a directory one by one, each under a new end entity named after the certificate CN.
#!/bin/sh
# For each certificate in the directory:
#   create an end entity
#   end entity username = certificate CN
#   end entity token/password = certificate CN
EJBCA_HOME="/usr/share/ejbca"
IMPORT_DIR=$1
CA=$2
ENDENTITYPROFILE=$3
SSLCERTPROFILE=$4
AP="_OTE"   # suffix appended to the end entity username

if [ $# -lt 4 ]; then
    echo "usage: import_existing_certs.sh IMPORT_DIR CA ENDENTITYPROFILE SSLCERTPROFILE"
    exit 1
fi

for X in "$IMPORT_DIR"/*.pem
do
    echo "######################################################"
    echo "Importing: $X"
    # Extract the CN from the subject; stop at the next ',' or '/' so that
    # any RDNs following the CN are not swallowed into the username.
    CN=$(openssl x509 -in "$X" -noout -subject | sed -n 's/^.*CN=\([^,/]*\).*/\1/p')
    echo "CN: $CN"
    printf "Running import: %s ca importcert '%s' '%s' '%s' ACTIVE null '%s' '%s' '%s'\n" \
        "$EJBCA_HOME/bin/ejbca.sh" "$CN$AP" "$CN$AP" "$CA" "$X" "$ENDENTITYPROFILE" "$SSLCERTPROFILE"
    "$EJBCA_HOME/bin/ejbca.sh" ca importcert "$CN$AP" "$CN$AP" "$CA" ACTIVE null "$X" "$ENDENTITYPROFILE" "$SSLCERTPROFILE"
    echo "######################################################"
done
Creating administrators
Create administrators that can sign CSR and revoke certificates: http://ejbca.org/userguide.html#Administrator%20roles
Revoking certificates
# Generate CRL via command line
# List CAs
/usr/share/ejbca/bin/ejbca.sh CA listcas
# Create new CRLs:
/usr/share/ejbca/bin/ejbca.sh CA createcrl "" -pem
# Export CRL to file
/usr/share/ejbca/bin/ejbca.sh CA getcrl " " -pem .pem
Checking certificate validity/revocation status via OCSP
openssl ocsp -issuer gtld_CA_cert.pem -CAfile gtld_CA_cert.pem \
    -cert gtld_registrar5.pem -req_text -url http://localhost:8080/ejbca/publicweb/status/ocsp
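The OCSP query above prints both a signature-verification line and a per-certificate status line; a script that only greps for "good" will happily accept a response whose signature did not verify against the CA certificate. The following wrapper is an added example, not part of the original notes: it classifies the `openssl ocsp` output so that only a verified, definite status is acted on. The responder URL and file names are the ones used above; the sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the original notes): interpret `openssl ocsp` output
# so that a script trusts a status only when the response signature verified.
# Assumed: the EJBCA responder URL and certificate file names used above.

# Classify `openssl ocsp` output (stdout+stderr) read from stdin.
# Prints: good | revoked | unknown | unverified | unparseable
# Returns: 0 good, 1 revoked, 2 unknown, 3 unverified or unparseable
ocsp_classify() {
    out=$(cat)
    # "Response verify OK" is printed only when the signature check against
    # -CAfile succeeded; without it the status line is unauthenticated.
    if ! printf '%s\n' "$out" | grep -q '^Response verify OK'; then
        echo unverified
        return 3
    fi
    # The per-certificate line is "<certfile>: good|revoked|unknown".
    status=$(printf '%s\n' "$out" |
        awk '/^[^:]+: (good|revoked|unknown)$/ { print $NF; exit }')
    case "$status" in
        good)    echo good;        return 0 ;;
        revoked) echo revoked;     return 1 ;;
        unknown) echo unknown;     return 2 ;;
        *)       echo unparseable; return 3 ;;
    esac
}

# Live query against the EJBCA responder (needs openssl and a reachable CA).
ocsp_check() {
    issuer=$1; cert=$2
    url=${3:-http://localhost:8080/ejbca/publicweb/status/ocsp}
    openssl ocsp -issuer "$issuer" -CAfile "$issuer" -cert "$cert" \
        -url "$url" 2>&1 | ocsp_classify
}

# Constructed sample outputs, shaped like real `openssl ocsp` output.
SAMPLE_GOOD='Response verify OK
gtld_registrar5.pem: good
    This Update: Jun  4 12:00:00 2014 GMT'
SAMPLE_REVOKED='Response verify OK
gtld_registrar5.pem: revoked
    This Update: Jun  4 12:00:00 2014 GMT
    Reason: keyCompromise
    Revocation Time: Jun  3 09:30:00 2014 GMT'
# Signature check failed (e.g. wrong -CAfile): the "good" line must be ignored.
SAMPLE_UNVERIFIED='Response Verify Failure
gtld_registrar5.pem: good'
```

Usage: `ocsp_check gtld_CA_cert.pem gtld_registrar5.pem; echo "rc=$?"`.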
Monitoring expiring certs
/bin/ejbca.sh listexpired 100