Follow the steps below to create a new Administrator certificate, add this Administrator to a role, and test the access.
Creating a Certificate Profile for the Administrator
Follow the steps below to create a new Certificate Profile for administrators. The administrators' certificates will be issued by a CA called ManagementCA.
Under CA Functions > Certificate Profiles.
Click Clone for the profile named ENDUSER.
Enter AdministratorEndEntityCertificateProfile as the new name and click Create from Template.
Click Edit for the new profile.
Under Validity, enter 365d (1 year validity).
Under Key usage, choose Digital Signature and Key encipherment (Ctrl+Click to select multiple).
Clear Allow Key Usage Override.
Select Use Extended Key Usage.
Under Extended Key Usage, choose Client Authentication.
Under Available bit lengths, choose "1024 bit", "2048 bit" and "4096 bit".
Under Available CAs, choose ManagementCA (the CA you use to issue Administrator certificates).
Creating an End Entity Profile for the Administrator
Follow the steps below to create a new End Entity Profile for Administrators. The profile will be connected to the Certificate Profile created above.
Under RA Functions > Edit End Entity Profiles.
Enter a name for your end entity profile, AdministratorEndEntityProfile.
Select AdministratorEndEntityProfile and click Edit End Entity Profile.
Under the Subject DN Fields, add DN fields for the Admin DN, for example O, UID and C.
Under Default Certificate Profile, choose AdministratorEndEntityCertificateProfile.
Under Available Certificate Profiles, choose AdministratorEndEntityCertificateProfile.
Under Default CA, choose ManagementCA.
Under Available CAs, choose ManagementCA.
Create and issue a new end entity based on the new end entity profile, with CN: SoftCard RA Admin1.
Creating a new RA Role
Follow the steps below to create an RA Administrator role with access to add, list and edit end entities:
Choose Administrator Roles in the left frame.
Choose a name for your new administrator group, RAAdministratorRole.
When the group is created, click Access Rules.
Choose the RA Administrator role template.
Under Authorized CAs, choose which CAs the role should have access to. Choose ManagementCA.
Under Edit End Entity Profiles, select AdministratorEndEntityProfile.
Adding new Administrators to the RA Role
Choose Search/Edit End Entities, select your newly created end entity, and choose View Certificates.
Copy the value of Certificate Serial Number, e.g. 5F003A0113F507F9.
Go to Administrator Roles and click Administrators under RAAdministratorRole.
Choose the CA that the administrator belongs to, ManagementCA.
Paste the copied Certificate Serial Number into the Match value.
In EJBCA Enterprise Edition, it is also possible to add a new administrator to an existing role by using the WS API call addSubjectToRole in your application or with the Web Services CLI.
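The following script is an added example and is not part of the EJBCA documentation or the product itself. It uses only the openssl CLI to build a throw-away self-signed certificate shaped like one issued from AdministratorEndEntityCertificateProfile (RSA key of an allowed length, 365 days, a DN with C, O, UID and CN, Key Usage digitalSignature and keyEncipherment, Extended Key Usage clientAuth), checks it against those profile settings, and prints the serial number in the upper-case hex form that is pasted into the role's Match value. The DN values, the working directory and the function names are assumptions made for the example; no CA is contacted.

```shell
#!/bin/sh
# Added example, not from the EJBCA documentation. Builds a constructed
# stand-in for an administrator certificate, verifies it carries what the
# certificate profile above mandates, and derives the role Match value.
# Assumes only that the openssl CLI is installed.
set -eu

WORKDIR="${TMPDIR:-/tmp}/admin-cert-check.$$"
mkdir -p "$WORKDIR"

# Constructed stand-in for the EJBCA-issued certificate: 2048-bit RSA,
# 365 days, DN with C/O/UID/CN, KU digitalSignature+keyEncipherment,
# EKU clientAuth. Subject values are invented for the example.
make_admin_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORKDIR/admin.key" -out "$WORKDIR/admin.pem" \
        -subj "/C=SE/O=Example Org/UID=raadmin1/CN=SoftCard RA Admin1" \
        -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
        -addext "extendedKeyUsage=clientAuth" >/dev/null 2>&1
    echo "$WORKDIR/admin.pem"
}

# Constructed counter-example: same shape but without the Extended Key
# Usage, so it lacks the clientAuth purpose the profile requires.
make_cert_without_eku() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORKDIR/noeku.key" -out "$WORKDIR/noeku.pem" \
        -subj "/C=SE/O=Example Org/UID=raadmin2/CN=SoftCard RA Admin2" \
        -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
        >/dev/null 2>&1
    echo "$WORKDIR/noeku.pem"
}

# Exit 0 when the certificate carries what the profile mandates: an allowed
# RSA key length (1024, 2048 or 4096 bits), both key usage bits, and the
# TLS client authentication EKU. Exit 1 on the first missing item.
matches_admin_profile() {
    text=$(openssl x509 -in "$1" -noout -text)
    echo "$text" | grep -Eq 'Public-Key: \((1024|2048|4096) bit\)' || return 1
    echo "$text" | grep -q 'Digital Signature, Key Encipherment' || return 1
    echo "$text" | grep -q 'TLS Web Client Authentication' || return 1
    return 0
}

# Print the serial number as upper-case hex, the same form shown under
# View Certificates and pasted into the role member's Match value.
serial_match_value() {
    openssl x509 -in "$1" -noout -serial | sed 's/^serial=//'
}

ADMIN_CERT=$(make_admin_cert)
NOEKU_CERT=$(make_cert_without_eku)
if matches_admin_profile "$ADMIN_CERT"; then
    echo "admin certificate matches the profile; Match value: $(serial_match_value "$ADMIN_CERT")"
fi
if ! matches_admin_profile "$NOEKU_CERT"; then
    echo "certificate without clientAuth EKU does not match the profile"
fi
```

Because the role member is matched on one certificate's serial number, a renewed administrator certificate has a new serial and the member entry in RAAdministratorRole has to be updated before the renewed certificate grants access; the CA selected for the member (ManagementCA) also has to be the issuer, so a certificate with the same subject from another CA does not match.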
Test the new Administrator
Log in as the new administrator to view the differences between that account and the superadmin. Additionally, try the different roles and privileges to see the differences between them.
The authorization privileges are cached, so there will be a delay before a rule change takes effect.