EJBCA Cloud & AWS Certificate Manager Integration Guide
Copyright ©2019 PrimeKey Solutions
Solna Access, Sundbybergsvägen 1
SE-171 73 Solna, Sweden
Notice of Rights
All rights reserved. No part of this guide may be reproduced or
transmitted in any form by any means, electronic, mechanical,
photocopying, recording, or otherwise, without the prior written
permission of the publisher. For more information on getting
permission for reprints and excerpts, contact
support@primekey.com.
Notice of Liability
The information in this guide is distributed on an “As Is” basis
without warranty. While every precaution has been taken in the
preparation of the guide, neither the authors nor PrimeKey shall
have any liability to any person or entity with respect to any
loss or damage caused or alleged to be caused directly
or indirectly by the instructions contained in the guide or by
computer software and hardware products described in it.
Trademarks
Many of the designations used by manufacturers and sellers to
distinguish their products are claimed as trademarks. Where those
designations appear in this guide, and PrimeKey was aware of a
trademark claim, the designations appear as requested by the owner
of the trademark. All other product names and services identified
throughout this guide are used in editorial fashion only and for
the benefit of such companies with no intention of infringement of
the trademark. No such use, or the use of any trade name, is
intended to convey endorsement or other affiliation with this
guide.
Documentation ........ 5
Create Root CA Keys ........ 7
Create the Root and Issuing CA Certificate Profiles ........ 10
Introduction ........ 10
Create Root CA Profile ........ 11
Create End Entity Sub CA Profile ........ 15
Create Root CA that uses the CloudHSM Crypto Token ........ 16
Create AWS ACM Certificate Authority CSR ........ 17
Add ACM PCA End Entity ........ 19
Fulfill the Pending ACM PCA Certificate Request ........ 21
Introduction
This Integration Guide is intended to help customers
integrate EJBCA Cloud with AWS Certificate Manager (ACM).
ACM requires that you have a Root Certificate Authority (CA)
already defined within your organization. By leveraging EJBCA
Enterprise Cloud Edition (ECE), you can have a CloudHSM-backed Root
CA server with secure key storage from a legitimate PKI product. There is no
more need to protect your keys with hacked-together CA servers, or
even with soft keys in OpenSSL.
AWS Certificate Manager is a service that lets you easily
provision, manage, and deploy public and private Secure Sockets
Layer/Transport Layer Security (SSL/TLS) certificates for use with
AWS services. With AWS Certificate Manager, you can quickly request
a certificate, deploy it on ACM-integrated AWS resources, such as
Elastic Load Balancers, Amazon CloudFront distributions, and APIs
on API Gateway, and let AWS Certificate Manager handle certificate
renewals.
Leveraging EJBCA ECE in your organization can also support
various additional use cases, all from the AWS environment. By
creating additional issuing CAs that issue certificates
to users, computers, personal devices, and even IoT devices,
EJBCA ECE lets you define granular policies for certificate
use: Client Certificates, Server Certificates, Code Signing
Certificates, Disk Encryption Certificates, PIV Card
Certificates and more.
Documentation
EJBCA Enterprise Cloud Edition documentation is available on:
https://download.primekey.com/docs/EJBCA-Enterprise-Cloud/latest/
EJBCA Enterprise Edition documentation is available on:
https://download.primekey.com/docs/EJBCA-Enterprise/latest/
Additional information on EJBCA Community Edition
is available on: www.ejbca.org
Provisioning EJBCA Instance and setting up CloudHSM
EJBCA Enterprise Cloud Edition is available in the AWS Marketplace.
Follow the existing guides to get EJBCA Enterprise Cloud Edition
running if not already done.
1. Launch EJBCA Cloud using the Launch Guide: EJBCA Cloud Launch
Guide.
2. Set up and provision CloudHSM using the CloudHSM Integration
Guide: EJBCA Cloud CloudHSM Integration Guide.
Once the EJBCA instance is running in AWS and integrated with
CloudHSM (with the CloudHSM client configured) using the guides above,
continue with the following steps to create a Root CA and sign
the AWS Certificate Manager Private CA (ACM PCA) Certificate
Signing Request (CSR).
Create Root CA Keys
The following describes how to create the three keys the Root CA
will use, using clientToolBox.
To create a keystore in the HSM using clientToolBox, do the
following:
1. Create a test key with clientToolBox. EJBCA uses this key for
the health check and keepalive to the HSM.
It is important to run these commands as the wildfly user.
This is due to file system access permissions and to maintain
the permissions wildfly needs to be able to use these keys.
# su - wildfly
# /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/PrimeKey/cloudhsm/p11.conf 2048 testKey0001
2. You will be prompted for a password in the format
<HSM_CryptoUser>:<password>. For example, the
following is the PKCS #11 PIN for an HSM crypto user
(CU) with user name CryptoUser and password
CUPassword123!:
CryptoUser:CUPassword123!
3. Create a total of three keys for EJBCA:
• testKey (created in step 1)
• signKey
• defaultKey
4. Create the two remaining keys, signKey and defaultKey, with the
following commands:
# /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/PrimeKey/cloudhsm/p11.conf 4096 signKey0001
# /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/PrimeKey/cloudhsm/p11.conf 4096 defaultKey0001
If ECC keys are desired, you can use a named curve. For
example, to generate a key on the prime256v1 curve you could use the
following command:
# /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/PrimeKey/cloudhsm/p11.conf prime256v1 testKeyecdsa0001
For more information, consult the EJBCA User Guide on ECC named
curves.
Create CloudHSM Crypto Token for Root CA
The following describes how to create a CloudHSM Crypto Token for the Root CA:
1. Under CA Functions, select Crypto Tokens, and
then click Create new.
2. On the New Crypto Token page, specify the values as follows:
• Name: <anything> (Name for the Root CA CloudHSM Crypto
Token, for example, "Corporate Root CA CloudHSM Crypto Token".
Note that this is not the CA name but the name of
the token.)
• Type: PKCS#11
• Authentication Code: <HSM_CryptoUser>:<password>
(ex. CryptoUser:CUPassword123!)
• Auto-activation: Clear.
• Use Explicit ECC parameters: Clear.
• PKCS#11: Library: AWS CloudHSM
• PKCS#11: Reference Type: Slot ID
• PKCS#11: Reference: 1
• PKCS#11: Attribute Type: Default
3. Click Save.
4. On the Crypto Token: <Name> page, you should then see the
three key pairs within the Crypto Token and the message
"CryptoToken created successfully" displayed at the top:
• defaultKey: Used for everything that is not signing or testing.
• signKey: Used for certificate signing.
• testKey: Used for the CA health check.
Create the Root and Issuing CA Certificate Profiles
The following sections describe how to create a Root CA Profile and the AWS
Issuing CA Profile.
Introduction
Certificate Profiles define what the certificates issued by our CAs look like
with regard to the different certificate types, DN contents,
extensions and so on.
To manage Certificate Profiles, open the Manage Certificate
Profiles page (CA Functions > Certificate Profiles).
The following section describes how to create a Root CA
Profile.
Create Root CA Profile
Follow these steps to create a Root CA Profile:
1. Clone the ROOTCA profile to create your own profile for the Root CA you
are going to create:
a. Click Clone next to the ROOTCA profile.
b. In Name of new certificate profile, specify Corporate Root CA
Certificate Profile and click Create from template.
2. Click Edit on the Corporate Root CA Certificate Profile and
specify the following:
a. Available key algorithms: Select the desired key algorithm, for
example, RSA.
b. Available bit lengths: Select the desired bit lengths, for example,
2048-4096.
c. Validity or end date of the certificate: Keep the validity at
the default 25y7d.
d. CRL Distribution Points: Select if desired.
CRLs hold the revocation status of certificates.
To place your CRL Distribution Point on a server internal to
your network, use an internal DNS name. It is recommended to put
the CRL URL behind a CNAME or load-balanced VIP. This way the URL
stamped in the certificate is something that should never
change, while the system serving the CRL behind the VIP can. To make
your CRL Distribution Point public, use a public DNS name that
points to an IP. If using Amazon AWS and the EJBCA Enterprise Cloud
Edition, using an Elastic IP is not recommended, since this IP/URL
will change if the node is shut down, invalidating the CRL location.
To allow clients to fetch the CRL from the CA directly with
Apache in front of EJBCA, remove port 8080 from the URL and change
the DNS name as required. EJBCA does not know whether Apache exists and
in most cases responds on 8080 internally. Example URLs:
From the EJBCA server directly:
http://ip-172-16-0-148.ec2.internal/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN=Corporate_Root_CA,O=Corporation,C=US
Served from a web server:
http://crl.corporate-dns-url.com/corporate_root_ca.crl (you must
set up a script to fetch the CRL from EJBCA and copy the file to the URL you
choose).
e. Clear LDAP DN order (to get X.509 DN ordering) for greater
compatibility with systems that use certificates.
f. Click Save to save the Root CA Profile.
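The "script to fetch and copy the file" that the CRL Distribution Point step leaves to the reader, as an added example that is not part of the PrimeKey guide. It builds the EJBCA webdist URL in the form shown above, parses thisUpdate and nextUpdate out of the DER CRL, refuses to publish a CRL that is already expired (a stale CRL on the public URL is the usual failure of cron-copied CRLs), and writes the file atomically so a client never reads a half-written CRL. The EJBCA base URL, the web root, the placeholder issuer DN and the unsigned sample CRL built for the test are assumptions, not values taken from the guide.

```python
"""Fetch a CRL from EJBCA's webdist servlet and publish it under a stable URL.

Added example; not part of the PrimeKey guide. EJBCA_BASE and WEB_ROOT are
placeholders to be replaced with your own values.
"""
import os
import tempfile
import urllib.parse
import urllib.request
from datetime import datetime, timezone

EJBCA_BASE = "http://ip-172-16-0-148.ec2.internal:8080"  # placeholder: internal EJBCA node
ISSUER_DN = "CN=Corporate_Root_CA,O=Corporation,C=US"    # issuer DN as written in the guide's URL
WEB_ROOT = "/var/www/crl"                                # placeholder: docroot behind the CRL DNS name


def webdist_crl_url(ejbca_base: str, issuer_dn: str) -> str:
    """Build the EJBCA webdist CRL URL in the form the guide shows (DER CRL by default)."""
    issuer = urllib.parse.quote(issuer_dn, safe="=,")
    return f"{ejbca_base.rstrip('/')}/ejbca/publicweb/webdist/certdist?cmd=crl&issuer={issuer}"


def fetch_crl(url: str, timeout: float = 10.0) -> bytes:
    """Download the DER CRL from EJBCA (touches the network; not used by the test)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def _tlv(buf: bytes, pos: int):
    """Read one DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _parse_time(tag: int, raw: bytes) -> datetime:
    """UTCTime (tag 0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def crl_validity(der: bytes):
    """Return (thisUpdate, nextUpdate) of a DER CertificateList (RFC 5280 section 5.1).

    Walk: CertificateList -> tbsCertList -> [version] signature issuer thisUpdate nextUpdate
    """
    tag, pos, _ = _tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE (is this PEM instead of DER?)")
    tag, pos, tbs_end = _tlv(der, pos)      # tbsCertList
    if tag != 0x30:
        raise ValueError("missing tbsCertList")
    tag, _, end = _tlv(der, pos)
    if tag == 0x02:                         # optional version INTEGER
        pos = end
    for _ in range(2):                      # skip signature AlgorithmIdentifier and issuer Name
        _, _, pos = _tlv(der, pos)
    times = []
    while len(times) < 2 and pos < tbs_end:
        tag, start, end = _tlv(der, pos)
        if tag not in (0x17, 0x18):
            break
        times.append(_parse_time(tag, der[start:end]))
        pos = end
    if len(times) != 2:
        raise ValueError("CRL carries no nextUpdate; refusing to judge freshness")
    return times[0], times[1]


def crl_is_current(der: bytes, now=None) -> bool:
    """True when thisUpdate <= now < nextUpdate (now defaults to the current UTC time)."""
    this_update, next_update = crl_validity(der)
    now = now or datetime.now(tz=timezone.utc)
    return this_update <= now < next_update


def publish_crl(der: bytes, dest_path: str) -> str:
    """Write the CRL atomically (temp file + rename) so clients never see a partial file."""
    if not crl_is_current(der):
        raise ValueError("refusing to publish a stale or not-yet-valid CRL")
    directory = os.path.dirname(os.path.abspath(dest_path))
    fd, tmp = tempfile.mkstemp(dir=directory, prefix=".crl-")
    with os.fdopen(fd, "wb") as f:
        f.write(der)
    os.chmod(tmp, 0o644)
    os.replace(tmp, dest_path)
    return dest_path


def _der(tag: int, body: bytes) -> bytes:
    """Tiny DER encoder (short-form lengths only) used to build the constructed sample."""
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body


def build_sample_crl(this_update: str, next_update: str) -> bytes:
    """Constructed, unsigned CertificateList with an empty issuer; for exercising the parser only."""
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")))
    tbs = _der(0x30, _der(0x02, b"\x01") + sha256_rsa + _der(0x30, b"")
               + _der(0x17, this_update.encode()) + _der(0x17, next_update.encode()))
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00\x00"))


if __name__ == "__main__":
    url = webdist_crl_url(EJBCA_BASE, ISSUER_DN)
    publish_crl(fetch_crl(url), os.path.join(WEB_ROOT, "corporate_root_ca.crl"))
```

Run it from cron on the web server at an interval shorter than the CA's CRL issue interval; because the destination file is only replaced after the freshness check passes, a failed fetch or a stale CRL leaves the last good file in place rather than breaking the URL stamped in every issued certificate.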
Create AWS ACM Issuing CA Certificate Profile
Follow these steps to create the AWS Issuing CA Profile:
1. Click Clone next to the SUBCA profile.
2. In Name of new certificate profile, specify AWS ACM CA
Certificate Profile and click Create from template.
3. Click Edit on the AWS ACM CA Certificate
Profile and specify the following:
a. Available key algorithms: Select the desired key algorithm, for
example, RSA.
b. Available bit lengths: Select the desired bit lengths, for example,
2048-4096.
c. Validity or end date of the certificate: Specify the validity 18m
(this value will be overridden by the AWS ACM CSR).
4. Check the box titled "Allow Subject DN Override by CSR" under
the Permissions section.
5. Clear LDAP DN order (to get X.509 DN ordering) for
greater compatibility with systems that use certificates.
Create End Entity Sub CA Profile
To create the End Entity Sub CA Profile, do the following:
1. Go to EJBCA Admin Web.
2. Select End Entity Profiles under RA Functions.
3. Enter a name for the EE profile in the Add Profile section, for
example "ACM PCA Sub CA EE Profile", and then click Add.
4. Select the ACM PCA Sub CA EE Profile and click Edit
End Entity Profile.
5. Select the AWS ACM CA Certificate Profile for Default
Certificate Profile and Available Certificate Profile.
6. Select Corporate Root CA - G1 for Default CA and Available
CAs.
7. Click Save.
Create Root CA that uses the CloudHSM Crypto Token
To create a Root CA that uses the CloudHSM Crypto Token, do the following:
1. Go to the EJBCA Admin Web and select Certification
Authorities.
2. Under the Add CA field, enter a name for the Root CA,
for example "Corporate Root CA - G1", and then click Create.
3. Under Crypto Token, select the Corporate Root CA CloudHSM
Crypto Token. If you named the keys correctly, they
should all populate automatically for the proper usages.
4. Under Certificate Profile select Corporate Root
CA Certificate Profile.
5. Set the Validity to 25y (or the life you would like this CA to
have).
6. Clear LDAP DN order.
7. Click Create.
Create AWS ACM Certificate Authority CSR
To create the AWS ACM Certificate Authority CSR, do the following:
1. Navigate to console.aws.amazon.com and login with your
credentials.
2. From within the AWS Console, select Services and then under
Security, Identity, & Compliance, select Certificate
Manager.
3. Click Get started.
4. Ensure that Subordinate CA is selected and then click
Next.
5. Enter values for Organization (O), Organization Unit (OU),
Country Name (C), State or province name, Locality name and Common
Name (CN), and then click Next.
6. Ensure RSA 2048 is selected. If any other algorithm is selected
(such as ECC), ensure the keys and certificate authority created
earlier match.
7. If the CRL should be published to an S3 bucket, select Enable
CRL distribution and configure the S3 bucket name.
8. Accept the license agreement for the CA charges and then
click Confirm and create.
9. Click Get Started on the success confirmation
screen.
10. Export the CSR to a file using the blue link at the bottom of
the page. This is the file that we bring over to EJBCA to be
signed. Click Next.
Add ACM PCA End Entity
To add the ACM PCA End Entity, do the following:
1. In the EJBCA Admin Web, navigate to RA Functions and select Add
End Entity.
2. Under End Entity Profile, select ACM PCA Sub CA EE
Profile.
3. Enter the following values:
• Username: acm_pca
• Password: <your chosen password to be used only once>
• CN, Common Name: Corporation AWS CA
• Certificate Profile: AWS ACM CA Certificate Profile
• CA: Corporate Root CA - G1
• Token: User Generated
4. Click Add.
Generate the ACM PCA Certificate for AWS
1. Navigate back to the EJBCA Admin Web and click RA Web.
2. Click Enroll > Use Username.
3. Enter the username and Enrollment Code previously entered into
the End Entity. The values used in this guide are:
• Username: acm_pca
• Password: <your chosen password to be used only once>
4. Click Check.
6. Click Download PEM and save the file.
7. Scroll to the top of the RA Web, select CA Certificates and
CRLs.
8. Download the public certificate for the Corporate Root
CA - G1 by clicking PEM in the Certificate column,
and then click Save this file.
Fulfill the Pending ACM PCA Certificate Request
To fulfill the pending ACM PCA Certificate Request, do the following:
1. Return to the AWS ACM configuration wizard.
2. If your console is still open to the Import a signed
certificate authority (CA) certificate page, skip to step 8.
Otherwise, continue.
3. Sign in to your AWS account and open the ACM PCA console
at console.aws.amazon.com/acm-pca/home.
4. Choose Private CAs.
6. Select Actions > Import CA certificate and then click
Next.
7. Under Certificate body, click File and browse to the signed CA
file, here previously called "AWS Corporation CA.pem".
8. Review the imported text. Remove everything
before -----BEGIN CERTIFICATE----- so that the marker is on
the first line.
9. Click File again and browse to the Root CA public certificate
file, here previously called "CorporateRootCAG1.pem".
10. Review the imported text and remove everything
before -----BEGIN CERTIFICATE----- so that the marker is on
the first line.
11. Click Next.
12. Confirm that the certificates look correct and click Confirm
and import.
13. The ACM PCA wizard returns a success screen.
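The two "remove everything before -----BEGIN CERTIFICATE-----" steps done programmatically, as an added example that is not part of the PrimeKey guide: it extracts the certificate block(s) from whatever the RA Web download contains ahead of the marker, checks that each body decodes to a DER SEQUENCE, and rewrites the file so the marker is on line 1. The same cleanup is applied to both the signed ACM CA certificate and the Root CA certificate before they are uploaded. The sample export, the certificate authority ARN and the boto3 ImportCertificateAuthorityCertificate call (the API equivalent of the console wizard used in the guide) are assumptions.

```python
"""Clean up certificate files exported from EJBCA before handing them to ACM PCA.

Added example; not part of the PrimeKey guide. The boto3 call at the end is
the API equivalent of the console's "Import CA certificate" wizard.
"""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def extract_certificates(text: str) -> list:
    """Return the DER bytes of each PEM certificate in text, dropping anything
    around the blocks (Subject/Issuer lines, Bag Attributes, stray whitespace)."""
    ders = []
    for body in PEM_BLOCK.findall(text):
        der = base64.b64decode("".join(body.split()), validate=True)
        if not der or der[0] != 0x30:
            raise ValueError("PEM body does not decode to a DER SEQUENCE")
        ders.append(der)
    return ders


def to_pem(der: bytes) -> str:
    """Re-encode DER as PEM with 64-column lines and nothing before the BEGIN marker."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


def normalize_pem(text: str, expected_count: int = 1) -> str:
    """Steps 8 and 10 of the guide done in code: returns PEM text whose first
    line is -----BEGIN CERTIFICATE-----, and fails if the file does not hold
    exactly the number of certificates the wizard expects."""
    ders = extract_certificates(text)
    if len(ders) != expected_count:
        raise ValueError(f"expected {expected_count} certificate(s), found {len(ders)}")
    return "".join(to_pem(d) for d in ders)


def import_ca_certificate(ca_arn: str, signed_ca_text: str, root_text: str) -> dict:
    """Upload the signed ACM CA certificate with the Root CA certificate as its chain.
    boto3 is imported lazily so the cleanup functions work without AWS access.
    Assumption: boto3 is installed and AWS credentials are configured."""
    import boto3
    client = boto3.client("acm-pca")
    return client.import_certificate_authority_certificate(
        CertificateAuthorityArn=ca_arn,   # placeholder ARN supplied by the caller
        Certificate=normalize_pem(signed_ca_text).encode("ascii"),
        CertificateChain=normalize_pem(root_text).encode("ascii"),
    )


# Constructed sample of what a downloaded PEM can look like, with text ahead of
# the BEGIN marker. The base64 body is a 5-byte DER SEQUENCE, not a real certificate.
SAMPLE_EXPORT = (
    "Subject: CN=Corporation AWS CA,O=Corporation,C=US\n"
    "Issuer: CN=Corporate_Root_CA,O=Corporation,C=US\n"
    "-----BEGIN CERTIFICATE-----\n"
    + base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x01])).decode("ascii")
    + "\n-----END CERTIFICATE-----\n"
)

if __name__ == "__main__":
    print(normalize_pem(SAMPLE_EXPORT), end="")
```

Because extract_certificates decodes with validate=True and checks the leading SEQUENCE tag, a file that was truncated in a copy-paste, or that still carries a stray character inside the base64 body, is rejected before the upload instead of failing inside the wizard.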