
EJBCA PKI as the UpstreamAuthority in SPIRE  

Set up SPIFFE/SPIRE Workload Identity Management with EJBCA PKI.


SPIFFE, SPIRE, and Streamlined Workload Identities with EJBCA PKI

The Secure Production Identity Framework for Everyone (SPIFFE) is an open-source standard for securely identifying software systems in dynamic, diverse environments. It enables seamless, reliable mutual authentication across any runtime. 

SPIRE is a production-ready SPIFFE implementation that performs node and workload attestation and, based on predefined conditions, securely issues and verifies SPIFFE Verifiable Identity Documents (SVIDs).

The Keyfactor SPIRE Upstream Authority plugin integrates SPIRE with EJBCA PKI, enabling organizations to standardize their PKI on a single, unified platform. 

How to get started

In this tutorial, you will learn how to configure SPIRE to use the EJBCA UpstreamAuthority Plugin. This integration allows SPIRE to issue workload identity certificates as part of a trusted PKI managed by EJBCA. 

Follow this tutorial if you want to leverage SPIRE as an implementation of the SPIFFE framework for secure workload identity and EJBCA for workload identity issuance. 

Here are the steps:

  1. Prepare EJBCA
  2. Compile SPIRE Server and SPIRE Agent
  3. Configure SPIRE Server using the EJBCA UpstreamAuthority plugin
  4. Start SPIRE Server
  5. Attest a SPIRE Agent to the Server using a join token
  6. Fetch an x509-SVID from SPIRE Agent over the SPIFFE Workload API 

Prerequisites

Before you begin, you need a running EJBCA container with:

  • A client certificate and corresponding private key with permissions to use the EJBCA REST API.
  • Access to the EJBCA Admin Web UI.
  • At least one configured Certificate Authority.

You can follow the EJBCA - Getting started with Kubernetes guide to deploy EJBCA in Kubernetes on your computer.

Additionally, you need:

  • A 64-bit Linux or macOS environment
  • The openssl command line tool 
  • Go 1.13 or higher to build SPIRE. See https://golang.org/dl/ or run brew install golang. 
  • The Make command line tool 

Note: By default, SPIRE uses a fixed internal CA as its issuing CA. With the UpstreamAuthority plugin, EJBCA serves as an external trust chain instead: it accepts a CSR from SPIRE and returns a signed sub-CA certificate. This gives you control over the PKI trust chain used inside SPIRE and allows that chain to be trusted across multiple clouds or providers.
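The sub-CA flow described in the note, as an added example that is not from this page or from the Keyfactor plugin: a local openssl root CA stands in for EJBCA, it signs a CSR for SPIRE's internal CA, and an x509-SVID issued by that sub-CA is verified back to the root. All names, paths and the SPIFFE ID are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the page). Models the trust chain the note describes:
# "EJBCA" is a local openssl root CA; SPIRE's internal CA is a sub-CA whose CSR
# that root signs; a workload x509-SVID is then issued from the sub-CA.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# 1. Stand-in for the EJBCA CA that the UpstreamAuthority plugin talks to
openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout ejbca-root.key -out ejbca-root.crt -days 3650 \
  -subj "/CN=Example EJBCA Root CA" 2>/dev/null

# 2. SPIRE Server's intermediate key and CSR (what the plugin submits to EJBCA)
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout spire-ca.key -out spire-ca.csr -subj "/CN=SPIRE Server CA" 2>/dev/null

# 3. "EJBCA" signs the CSR as a sub-CA restricted to issuing end-entity certs
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > subca.ext
openssl x509 -req -in spire-ca.csr -CA ejbca-root.crt -CAkey ejbca-root.key \
  -CAcreateserial -days 365 -extfile subca.ext -out spire-ca.crt 2>/dev/null

# 4. SPIRE issues an x509-SVID from its sub-CA; the SPIFFE ID lives in a URI SAN
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
  -keyout svid.key -out svid.csr -subj "/CN=workload" 2>/dev/null
printf 'subjectAltName=URI:spiffe://example.org/workload\nbasicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=serverAuth,clientAuth\n' > svid.ext
openssl x509 -req -in svid.csr -CA spire-ca.crt -CAkey spire-ca.key \
  -CAcreateserial -days 1 -extfile svid.ext -out svid.crt 2>/dev/null

# Verify the SVID chains through the SPIRE sub-CA to the EJBCA root: echoes OK or FAIL
verify_svid() {
  openssl verify -CAfile ejbca-root.crt -untrusted spire-ca.crt svid.crt >/dev/null 2>&1 \
    && echo OK || echo FAIL
}

# Extract the SPIFFE ID (the URI SAN) from the issued SVID
svid_spiffe_id() {
  openssl x509 -in svid.crt -noout -ext subjectAltName | sed -n 's/.*URI:\([^,]*\).*/\1/p'
}

echo "chain check: $(verify_svid)"
echo "spiffe id:   $(svid_spiffe_id)"
```

In a real deployment the root here is an EJBCA-managed CA, so any relying party that already trusts that EJBCA root validates SVIDs without a separate SPIRE trust bundle.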


Documentation

Check out our How-To guide for using the EJBCA UpstreamAuthority plugin to enable SPIRE to issue workload identities as part of a trusted PKI using EJBCA.

Keyfactor GitHub

Get your hands on the EJBCA UpstreamAuthority plugin for SPIRE Server on the Keyfactor GitHub  

SPIFFE GitHub

Get your hands on the EJBCA UpstreamAuthority plugin for SPIRE Server on the SPIFFE GitHub  

Discussion

You can ask your questions and learn from PKI specialists in the EJBCA forum on GitHub Discussions.
