Part 1: EJBCA Administration

This section will cover:

  • Creation of a 3-tier CA using soft keystores

  • Creating the custom extension for Microsoft template information

  • Creating user and computer profiles for auto enrollment

  • Creating the Web Services API keystore

  • Creating the server certificate for Apache Tomcat web server

  • Administrator roles for the Web Services Client

In the examples below, the Certificate Services hostname is csserver.primekey.com. The example values (this hostname, the example URLs, and the placeholders shown in angle brackets such as <RootCASubjectDN> and <PASSWORD>) should be replaced with names from your environment.

1. Create the 3-tier CA hierarchy

1.1 Create the Root CA

Create Root CA Crypto Token

  1. Click Crypto Tokens under CA Functions

  2. Select Create New

    1. Enter a name for the Crypto Token: Root CA Token

    2. Select Type as Soft

    3. Enter an authentication code for the token.

    4. Auto-activation: Not selected

    5. Click Save

    6. Generate a signKey of size 4096

    7. Generate a defaultKey of size 4096

    8. Generate a testKey of size 1024

Create Root CA Certificate Profile

  1. Clone the ROOTCA profile for the Root CA and label it as "Root CA Certificate Profile." Select the following values:

    1. Available key algorithms: RSA

    2. Available bit lengths: 4096

    3. Validity: 25y

    4. LDAP DN order: Unchecked

    5. Available CA: Any CA

Create the Root CA certificate

  1. Click Certificate Authorities. In the Add CA field, enter the name "Root CA" and click "Create…"

  2. In the Create CA screen populate the following fields:

    1. Signing Algorithm: SHA256WithRSA

    2. Crypto Token: Root CA Token

    3. Subject DN: <RootCASubjectDN>

    4. Signed By: Self Signed

    5. Certificate Profile: Root CA Certificate Profile

    6. Validity: 25y

    7. CRL Distribution Point: http://crl.company.com/Root_CA.crl

    8. OCSP Service Locator URI: http://ocsp.company.com

1.2 Create Intermediate CA

Create Intermediate CA Crypto Token

  1. Click Crypto Tokens under CA Functions

  2. Select Create New

    1. Enter a name for the Crypto Token: Intermediate CA Token

    2. Select Type as Soft

    3. Enter an authentication code for the token.

    4. Auto-activation: Not selected

    5. Click Save

    6. Generate a signKey of size 4096

    7. Generate a defaultKey of size 4096

    8. Generate a testKey of size 1024

Create Intermediate CA Certificate Profile

  1. Clone the SUBCA profile for the Intermediate CA and label it as "Intermediate CA Certificate Profile." Select the following values:

    1. Available key algorithms: RSA

    2. Available bit lengths: 4096

    3. Validity: 25y

    4. LDAP DN order: Unchecked

    5. Available CA: Any CA

Create Intermediate CA certificate

  1. Click Certificate Authorities. In the Add CA field, enter the name "Intermediate CA" and click "Create…"

  2. In the Create CA screen populate the following fields:

    1. Signing Algorithm: SHA256WithRSA

    2. Crypto Token: Intermediate CA Token

    3. Subject DN: <IntermediateCASubjectDN>

    4. Signed By: Root CA

    5. Certificate Profile: Intermediate CA Certificate Profile

    6. Validity: 20y

    7. CRL Distribution Point: http://crl.company.com/Intermediate_CA.crl

    8. OCSP Service Locator URI: http://ocsp.company.com

1.3 Create Issuing CA

Create Issuing CA Crypto Token

  1. Click Crypto Tokens under CA Functions

  2. Select Create New

    1. Enter a name for the Crypto Token: Issuing CA Token

    2. Select Type as Soft

    3. Enter an authentication code for the token.

    4. Auto-activation: Not selected

    5. Click Save

    6. Generate a signKey of size 4096

    7. Generate a defaultKey of size 4096

    8. Generate a testKey of size 1024

Create Issuing CA Certificate Profile

  1. Clone the SUBCA profile for the Issuing CA and label it as "Issuing CA Certificate Profile." Select the following values:

    1. Available key algorithms: RSA

    2. Available bit lengths: 4096

    3. Validity: 25y

    4. LDAP DN order: Unchecked

    5. Available CA: Any CA

Create Issuing CA certificate

  1. Click Certificate Authorities. In the Add CA field, enter the name "Issuing CA" and click "Create…"

  2. In the Create CA screen populate the following fields:

    1. Signing Algorithm: SHA256WithRSA

    2. Crypto Token: Issuing CA Token

    3. Subject DN: <IssuingCASubjectDN>

    4. Signed By: Intermediate CA

    5. Certificate Profile: Issuing CA Certificate Profile

    6. Validity: 15y

    7. CRL Distribution Point: http://crl.company.com/Issuing_CA.crl

    8. OCSP Service Locator URI: http://ocsp.company.com

2. Create Custom Certificate Extensions

  1. On the EJBCA Administration Interface, click System Configuration

  2. Select the Custom Certificate Extensions tab

  3. Enter the Object Identifier (OID) as "1.3.6.1.4.1.311.21.7".

  4. Enter "Certificate Template Information" as the Label.

  5. Click Add.

  6. Click Edit on the object previously added.

  7. Select the Encoding to DEROBJECT

  8. Set Dynamic to true.

  9. Click Save.
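What the Dynamic DEROBJECT value of this extension actually carries, as an added example that is not from the page or from EJBCA: a small pure-Python encoder and decoder for the MS-WCCE CertificateTemplate structure (template OID, major version, optional minor version). encode_template_info builds the value a request supplies for one template, and decode_template_info parses the extension value of an issued certificate so you can check which template it claims; any template OID you pass in is your own environment's value, not one from this page.

```python
# Added example (not from the page or from EJBCA). MS-WCCE defines the value as SEQUENCE {
#   templateID OID, templateMajorVersion INTEGER, templateMinorVersion INTEGER OPTIONAL }
TEMPLATE_INFO_OID = "1.3.6.1.4.1.311.21.7"  # extension OID from section 2

def _tlv(tag, body):
    assert len(body) < 0x80, "short-form length only (always true for this structure)"
    return bytes([tag, len(body)]) + body

def der_oid(dotted):
    """First two arcs fold into 40*a+b; later arcs are base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))

def der_int(value):
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    return _tlv(0x02, (b"\x00" if body[0] & 0x80 else b"") + body)  # 0x00 pad keeps it positive

def encode_template_info(template_oid, major, minor=None):
    body = der_oid(template_oid) + der_int(major)  # value a request supplies for one template
    return _tlv(0x30, body + (der_int(minor) if minor is not None else b""))

def _read_tlv(buf, pos):
    tag, length = buf[pos], buf[pos + 1]
    assert length < 0x80, "short-form length only"
    return tag, buf[pos + 2:pos + 2 + length], pos + 2 + length

def decode_template_info(der):
    """Parse the value back, e.g. from an issued certificate, to check the template."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("not a single DER SEQUENCE")
    fields, pos = [], 0
    while pos < len(seq):
        t, v, pos = _read_tlv(seq, pos)
        fields.append((t, v))
    if [t for t, _ in fields] not in ([0x06, 0x02], [0x06, 0x02, 0x02]):
        raise ValueError("unexpected CertificateTemplate layout")
    raw, ints = fields[0][1], [int.from_bytes(v, "big") for _, v in fields[1:]]
    arcs, cur = ([raw[0] // 40, raw[0] % 40] if raw[0] < 80 else [2, raw[0] - 80]), 0
    for b in raw[1:]:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:  # last octet of this arc
            arcs, cur = arcs + [cur], 0
    return ".".join(map(str, arcs)), ints[0], (ints[1] if len(ints) == 2 else None)
```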

3. Create User and Computer Auto Enrollment Certificate Profiles

3.1 Create a certificate profile for User Auto Enrollment

  1. Click Certificate Profiles under CA Functions

  2. Clone from ENDUSER named User_Certificate_Profile

  3. Edit the User_Certificate_Profile

  4. Key Usage: Digital Signature, Non-repudiation, and Key encipherment

  5. Extended Key Usage: Client Authentication, Email Protection, and MS Encrypted File System (EFS)

  6. Used Custom Certificate Extensions: Certificate Template Information

  7. Available CAs: Issuing CA

3.2 Create a certificate profile for Computer Auto Enrollment

  1. Click Certificate Profiles under CA Functions

  2. Clone from ENDUSER named Computer_Certificate_Profile

  3. Edit the Computer_Certificate_Profile

  4. Key Usage: Digital Signature and Key encipherment

  5. Extended Key Usage: Client Authentication and Server Authentication

  6. Used Custom Certificate Extensions: Certificate Template Information

  7. Available CAs: Issuing CA

4. Create Tomcat Server and Web Services API Certificate Profiles

4.1 Create a certificate profile for Tomcat server

  1. Click Certificate Profiles under CA Functions

  2. Clone from SERVER named Tomcat_Server_Certificate_Profile

  3. Edit the Tomcat_Server_Certificate_Profile

  4. Available key algorithms: RSA

  5. Change Validity to 5y

  6. Available bit lengths: 2048

  7. CRL Distribution Point: Use

  8. Use CA defined CRL Dist. Point: Use

  9. Authority Information Access: Use

  10. Use CA defined OCSP locator: Use

  11. Available CAs: Issuing CA

4.2 Create a certificate profile for Web Services API client

  1. Click Certificate Profiles under CA Functions

  2. Clone from ENDUSER named WebService_Client_Certificate_Profile

  3. Edit WebService_Client_Certificate_Profile

  4. Available key algorithms: RSA

  5. Change Validity to 5y

  6. Available bit lengths: 2048

  7. Available CAs: ManagementCA

5. Create User and Computer Auto Enrollment End Entity Profiles

All attributes that may occur in a request should be added and marked as modifiable.

5.1 Create End Entity Profile for User Auto Enrollment

  1. Add End Entity profile named "User_End_Entity_Profile"

  2. Click User_End_Entity_Profile and click Edit End Entity Profile

  3. Subject DN Attributes: CN

  4. Other subject attributes: MS UPN

  5. Default Certificate Profile: User_Certificate_Profile

  6. Available Certificate Profiles: User_Certificate_Profile

  7. Default CA: Issuing CA

  8. Available CAs: Issuing CA

  9. Default Token: User Generated

  10. Available Tokens: User Generated

5.2 Create End Entity Profile for Computer Auto Enrollment

  1. Add End Entity profile named "Computer_End_Entity_Profile"

  2. Click Computer_End_Entity_Profile and click Edit End Entity Profile

  3. Subject DN Attributes: CN

  4. Other subject attributes: DNS Name

  5. Default Certificate Profile: Computer_Certificate_Profile

  6. Available Certificate Profiles: Computer_Certificate_Profile

  7. Default CA: Issuing CA

  8. Available CAs: Issuing CA

  9. Default Token: User Generated

  10. Available Tokens: User Generated

6. Create Tomcat Server and Web Services API End Entity Profiles

6.1 Create End Entity Profile for the SSL server certificate

  1. Click End Entity Profiles under RA Functions

  2. Add End Entity profile named "TomcatServerEEProfile"

  3. Click TomcatServerEEProfile and click Edit End Entity Profile

  4. Uncheck End Entity E-mail

  5. Subject DN Attributes: CN

  6. Default Certificate Profile: Tomcat_Server_Certificate_Profile

  7. Available Certificate Profiles: Tomcat_Server_Certificate_Profile

  8. Default CA: Issuing CA

  9. Available CAs: Issuing CA

  10. Default Token: JKS

  11. Available Tokens: JKS

6.2 Create End Entity Profile for the Web Services Client

  1. Click End Entity Profiles under RA Functions

  2. Add End Entity profile named "WebServiceClientEEProfile"

  3. Click WebServiceClientEEProfile and click Edit End Entity Profile

  4. Uncheck End Entity E-mail

  5. Subject DN Attributes: CN

  6. Default Certificate Profile: WebService_Client_Certificate_Profile

  7. Available Certificate Profiles: WebService_Client_Certificate_Profile

  8. Default CA: ManagementCA

  9. Available CAs: ManagementCA

  10. Default Token: JKS

  11. Available Tokens: JKS

7. Create Tomcat and Web Services End Entities

7.1 Creating and downloading the Tomcat JKS keystore

  1. Add the Tomcat server End Entity

    1. Click Add End Entity

    2. End Entity Profile: TomcatServerEEProfile

    3. Username: tomcat_server

    4. Password: <PASSWORD>

    5. Confirm Password: <PASSWORD>

    6. CN: csserver.primekey.com

    7. Click Add

  2. Download the Tomcat server certificate as a JKS keystore with Firefox

    1. Click Public Web

    2. Click Create Keystore

    3. Username: tomcat_server

    4. Password: <PASSWORD>

  3. Save this keystore as tomcat_server.jks

7.2 Creating and downloading the Web Services JKS keystore

  1. Add the Web Services Client End Entity

    1. Click Add End Entity

    2. End Entity Profile: WebServiceClientEEProfile

    3. Username: aewsclient

    4. Password: <PASSWORD>

    5. Confirm Password: <PASSWORD>

    6. CN: aewsclient

    7. Click Add

  2. Download the Web Services Client certificate as a JKS keystore with Firefox

    1. Click Public Web

    2. Click Create Keystore

    3. Username: aewsclient

    4. Password: <PASSWORD>

  3. Save this keystore as aewsclient.jks

8. Create Administrator Roles for Web Services Client

  1. Create Administrator Role for Web Services Client

    1. Click Administrator Roles

    2. Click Add

    3. Enter name for role: AutoEnrollment Web Services

    4. Click on Administrators for AutoEnrollment Web Services

    5. Select the following:

      1. CA: ManagementCA

      2. Match with: X509: CN, Common Name

      3. Match type: Equal, case sens.

      4. Match value: aewsclient

    6. Click Add

  2. Click Edit Access Rules for AutoEnrollment Web Services

    1. Role Template: RA Administrators

    2. Authorized CA: Issuing CA

    3. End Entity Rules: View End Entity, Create End Entity, and Edit End Entity

    4. End Entity Profiles: User_End_Entity_Profile and Computer_End_Entity_Profile (select all End Entity Profiles that will be used with Auto Enrollment)

    5. Other Rules: View Audit Log

    6. Click Save

When using Web Services through an RA, roles have to be set up both for the Web Service client and the RA. Ensure that the web services work well through the RA before configuring the auto enrollment above. For more information, see Web Service API.