The recommended way of authenticating with EJBCA is by using a hard token. You can use a YubiKey as a hard token instead of storing the certificate directly in the browser. This is more secure since the private key never leaves the token: key generation and signing are done on the token itself.
This guide describes how to get started with your YubiKey on Ubuntu using Mozilla Firefox as web browser.
1. Add a new administrator to EJBCA with the following details:
   Match with: X509:CN, Common name
   CA: <Your Management CA>
   Match value: YubiKey Demo
2. Begin by installing YubiKey PIV Manager:
   sudo add-apt-repository ppa:yubico/stable
   sudo apt-get update
   sudo apt-get install yubikey-piv-manager
3. Insert your token into your computer and start YubiKey PIV Manager. If you are still using the default PIN, YubiKey PIV Manager asks you to change it.
4. Click Generate new key... and make the following changes:
   Choose Certificate Signing Request (CSR) as Output
   Enter YubiKey Demo as Subject
   Click OK and save the CSR
5. Create a certificate from the CSR using EJBCA. For more information, see the EJBCA User Guide. Download the certificate as a DER file (binary).
6. Import the certificate to the token by clicking Import from file...
7. Eject and insert the token again to reload it.
8. Install the OpenSC PKCS#11 driver:
   sudo apt-get install opensc
9. Open Firefox and type about:preferences in the address bar.
10. Click Privacy and Security > Security Devices and click Load to load a new PKCS#11 driver.
11. Enter the following information:
    Module name: OpenSC
    Module filename: /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
12. Click OK and restart Firefox.
13. Go to https://<domain name>:8443/ejbca/adminweb. Unlock the token if required, using the PIN set in step 3.
14. Choose the certificate YubiKey Demo and click OK to access EJBCA.
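Before importing the downloaded certificate into the token, it is worth confirming two things the guide depends on: that the file really is DER (PIV Manager wants the binary form) and that its subject CN equals the administrator's Match value, since EJBCA grants admin access only when X509:CN matches exactly. The following Python is an added example, not part of this guide or of EJBCA; it uses only the standard library, and sample_cert builds a constructed, unsigned certificate-shaped blob solely so the check can be exercised offline.

```python
import base64, re
MATCH_VALUE = "YubiKey Demo"       # the EJBCA administrator "Match value"
OID_CN = bytes.fromhex("550403")   # 2.5.4.3 commonName, the X509:CN match key

def to_der(data: bytes) -> bytes:
    """Accept PEM or DER and return DER, the binary form PIV Manager imports."""
    m = re.search(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", data, re.S)
    return base64.b64decode(m.group(1)) if m else data

def tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at pos -> (tag, value, next_pos), long lengths included."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:                                   # long form: low 7 bits = length bytes
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def children(value: bytes):                        # (tag, value) of each TLV inside a SEQUENCE/SET
    pos = 0
    while pos < len(value):
        tag, inner, pos = tlv(value, pos)
        yield tag, inner

def subject_cn(cert_der: bytes) -> str:
    """Walk Certificate -> tbsCertificate -> subject and return its commonName."""
    fields = list(children(tlv(tlv(cert_der)[1])[1]))
    if fields[0][0] == 0xA0:                       # skip the optional [0] version
        fields = fields[1:]
    subject = fields[4][1]   # serial, signature, issuer, validity, subject, ...
    for _, rdn in children(subject):               # RDN = SET OF AttributeTypeAndValue
        for _, atv in children(rdn):
            (_, oid), (_, val) = list(children(atv))[:2]
            if oid == OID_CN:
                return val.decode()
    raise ValueError("subject has no commonName")

def admin_matches(data: bytes) -> bool:
    """True when the certificate would satisfy the admin rule X509:CN == MATCH_VALUE."""
    return subject_cn(to_der(data)) == MATCH_VALUE

def enc(tag: int, body: bytes) -> bytes:           # tiny DER encoder (lengths < 256)
    n = len(body)
    return bytes([tag, n] if n < 128 else [tag, 0x81, n]) + body
def sample_cert(cn: str) -> bytes:
    """Constructed, unsigned certificate-shaped DER for offline testing; not a real cert."""
    name = enc(0x30, enc(0x31, enc(0x30, enc(0x06, OID_CN) + enc(0x0C, cn.encode()))))
    alg = enc(0x30, enc(0x06, bytes.fromhex("2A864886F70D01010B")))   # sha256WithRSA
    validity = enc(0x30, enc(0x17, b"240101000000Z") * 2)
    tbs = enc(0x30, enc(0xA0, enc(0x02, b"\x02")) + enc(0x02, b"\x01") + alg
              + name + validity + name + enc(0x30, alg + enc(0x03, b"\x00")))
    return enc(0x30, tbs + alg + enc(0x03, b"\x00"))
```

Run admin_matches on the file EJBCA handed you; a False result means the CSR subject and the administrator's Match value disagree and the token certificate will not open the admin web.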
YubiKey PIV Manager: https://developers.yubico.com/yubikey-piv-manager/