PRINT DATE: 2019-05-22

EJBCA Cloud AWS RA Configuration and Administration Guide


Copyright ©2019 PrimeKey Solutions

Published by PrimeKey Solutions AB

Solna Access, Sundbybergsvägen 1

SE-171 73 Solna, Sweden

To report errors, please send a note to [email protected].

Notice of Rights

All rights reserved. No part of this guide may be reproduced or transmitted in any form by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. For more information on getting permission for reprints and excerpts, contact [email protected].

Notice of Liability

The information in this guide is distributed on an “As Is” basis without warranty. While every precaution has been taken in the preparation of the guide, neither the authors nor PrimeKey shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the instructions contained in the guide or by computer software and hardware products described in it.

Trademarks

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this guide, and PrimeKey was aware of a trademark claim, the designations appear as requested by the owner of the trademark. All other product names and services identified throughout this guide are used in editorial fashion only and for the benefit of such companies with no intention of infringement of the trademark. No such use, or the use of any trade name, is intended to convey endorsement or other affiliation with this guide.


Table of Contents

Introduction 5
  Documentation 5
EJBCA RA Introduction 6
  EJBCA Registration Authority (RA) 6
  RA Concepts 6
  Security Features 6
  External Polling Mode 7
AWS Operating Environment 8
  EC2 8
  VPC Configuration 8
Security Groups 9
CA and RA Configuration 11
  Apache Certificate Generation for the RA 11
  Configure TLS Connections Between the CA and RA 14
  Setup Peer Systems 19
RA Administration 23
  User Authorization 23
  Sample Configuration 25
RA User Management 29
  Overview 29
  Enrolling Certificates, Creating Key Stores and Retrieving Generated Certificates 29
  Certificate and End Entity Lifecycle Management 29
  Manage Requests 29
  CA Certificates and CRLs 29
  Role Management 30


EJBCA CLOUD AWS RA CONFIGURATION AND ADMINISTRATION GUIDE

© 2019 PRIMEKEY 5 (30)

Introduction

This guide is intended to assist an EJBCA Cloud administrator with EJBCA CA to RA configuration and administration tasks related to RA management.

This configuration assumes that the user has procured at least two nodes in the AWS Marketplace following the EJBCA Enterprise Cloud Launch Guide.

Documentation

EJBCA Cloud documentation is available on: https://download.primekey.com/docs/EJBCA-Enterprise-Cloud/latest/

EJBCA Enterprise documentation is available on: https://download.primekey.com/docs/EJBCA-Enterprise/latest/

Additional information on EJBCA Community is available on: www.ejbca.org

Related Guides

• EJBCA Cloud AWS Launch Guide

• EJBCA Cloud AWS Backup Guide


EJBCA RA Introduction

EJBCA Registration Authority (RA)

Note that this documentation describes the new Peer Connector based External RA.

The new EJBCA RA includes a graphical user interface for administrators and users and is actually a generic RA, but with capabilities to operate in an external polling mode.

RA Concepts

Approving Actions
The mechanism for requiring Administrators to approve actions before they are executed.

Certificate Authority (CA)
A CA issues certificates to, and vouches for the authenticity of, entities. The level of trust you can assign to a CA is individual, per CA, and depends on the CA's Policy (CP) and Practice Statement (CPS).

EJBCA
PKI software suite that includes CA, VA and RA.

Peer Systems
A mechanism for connections initiated from the CA to the RA (or VA), over which messages for control and operations are passed.

Registration Authority (RA)
A Registration Authority can be run as part of the CA or as a separate service.

RA User
A user that makes a certificate request on the RA; the user may have to wait for an RA Admin to approve the request.

RA Admin
An administrator that approves requests made by RA Users.

Validation Authority (VA)
A VA is responsible for providing information on whether certificates are valid or not. There can be one or more VAs connected to each CA in the PKI.

Security Features

Note the following security features of the Peer Connector based External RA:

• In polling mode:

  • The TLS connection is established from the CA to the RA, with only firewall-friendly outgoing connections from the CA.

  • The CA will never fetch and process more requests than a configured upper limit, preventing a DDoS of the RA nodes from taking down the CA nodes.

• Mutually authenticated TLS connection.


• JSF 2.0 based Web UI, including Content Security Policy, protection against XSS, CSRF and other attacks.

• Filtered error messages from the CA, only shows non-sensitive information in the RA UI.

• Secure object transfer between RA and CA.

• Location-aware authorization. The authorization towards the CA is a combination of the user's authorization and the RA server's, so you can limit what RAs in different groups can be used for.

External Polling Mode

For security reasons, it is often preferred to deny all inbound traffic to the CA installation and instead let the CA fetch and process information from an external RA. The EJBCA RA does this using Peer Connectors. For more information, see Peer Systems.

Also note that the EJBCA RA works equally well locally, directly on the CA.


AWS Operating Environment

EC2

Begin by starting two EJBCA Enterprise Cloud instances. In this example we will have the following 2 nodes:

• Node 1 using IP 172.16.0.144 – US East 1 – 172.16.0.0/16 address space

• Node 2 using IP 172.31.0.115 – US East 2 – 172.31.0.0/16 address space

One of the nodes is in US-East-1 and the other in US-East-2. For the purposes of this guide we are going to be using the instance ID from Node 1 as the password. You can obtain this from the EC2 console in the instance details, or run the following command:

# curl -s http://169.254.169.254/latest/meta-data/instance-id

VPC Configuration

To get the nodes to communicate, it is assumed a VPC Peering Connection is set up and in place. For assistance with configuring a VPC Peering Connection, refer to Amazon's VPC Peering Guide.

Optionally, for testing purposes, all nodes can be set up within the same VPC. This is not ideal and does not provide any availability guarantees if one of the AWS sites has an outage.

A Route Table needs to be created that allows these nodes to communicate over the Peering Connection. For more information on configuring Route Tables between VPCs, refer to Amazon's documentation on Updating Your Route Tables for a VPC Peering Connection.

A security group is also needed in each VPC. That configuration will be outlined below since it pertains directly to the Galera communication.


Security Groups

Galera replication uses the following port for communication:

• 443 - For TLS connections between the CA and the RA/VA.

To create a security group that allows for TLS traffic within the VPCs, follow the steps below.

In this example, the VPC internal address space is 172.16.0.0/16 in US-East-1 and the address space in US-East-2 is 172.31.0.0/16.

• Create a Security Group called "TLS 443 Traffic to US-East" with the following rules:

This will allow any connection outbound to any address, and any inbound connection on port 443 from any address on the 172.16.0.0/16 and 172.31.0.0/16 subnets. The security group in the other VPC will need the same rule configured. These rules may be tightened as required for the organization.

• To apply these Security Groups to the EJBCA Enterprise Cloud Nodes in each of the VPCs, right-click the node, select Networking and then Change Security Groups.


• Apply the security group to the instance so that it can communicate with the other nodes in the cluster:
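The following added example (not AWS output or PrimeKey code) models the "TLS 443 Traffic to US-East" group described above as a small allow-list evaluator, so the intended reachability can be checked before clicking through the console: the CA in 172.16.0.0/16 must reach the RA on 443, an address outside both VPC ranges must be refused, and any rule that opens 443 to 0.0.0.0/0 is flagged as a candidate for tightening. The rule dictionaries and their field names are constructed for this example and are not the console's exact layout.

```python
import ipaddress

# Constructed rule set mirroring the guide's security group: inbound TCP 443 from
# both VPC address spaces, all outbound traffic allowed. Example data only.
INGRESS_RULES = [
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "172.16.0.0/16"},
    {"protocol": "tcp", "from_port": 443, "to_port": 443, "cidr": "172.31.0.0/16"},
]
EGRESS_RULES = [
    {"protocol": "-1", "from_port": 0, "to_port": 65535, "cidr": "0.0.0.0/0"},
]


def rule_matches(rule, src_ip, port, protocol="tcp"):
    """True if a single rule admits traffic from src_ip to port.
    Protocol "-1" is the AWS convention for "all protocols"."""
    if rule["protocol"] not in (protocol, "-1"):
        return False
    if not rule["from_port"] <= port <= rule["to_port"]:
        return False
    return ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule["cidr"])


def ingress_allows(rules, src_ip, port, protocol="tcp"):
    """Security groups are pure allow-lists: traffic passes if any rule matches."""
    return any(rule_matches(r, src_ip, port, protocol) for r in rules)


def peer_path_open(ra_ingress_rules, ca_ip, port=443):
    """The CA initiates the Peer Systems TLS connection, so only the RA's group
    must admit the CA's address on 443; nothing is opened inbound on the CA."""
    return ingress_allows(ra_ingress_rules, ca_ip, port)


def overly_broad(rules, port=443):
    """Rules exposing the port to the whole internet (prefix length 0); the
    first thing to tighten once the peering connection works."""
    return [
        r for r in rules
        if r["from_port"] <= port <= r["to_port"]
        and ipaddress.ip_network(r["cidr"]).prefixlen == 0
    ]


if __name__ == "__main__":
    # Node 1 (CA, US-East-1) polling Node 2 (RA, US-East-2), as in the guide.
    print("CA -> RA 443:", peer_path_open(INGRESS_RULES, "172.16.0.144"))
    # The RA's public address lies outside both VPC ranges and is refused.
    print("public IP -> RA 443:", ingress_allows(INGRESS_RULES, "13.59.110.179", 443))
    print("over-broad 443 rules:", overly_broad(INGRESS_RULES))
```

Run it on the RA's group as exported from the console (or from `describe-security-groups`) after translating the fields; a `False` for the CA address means the Ping in the Peer Systems step will fail with the plain "Unable to connect to peer" error before TLS is ever attempted.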


CA and RA Configuration

The CA and RA configuration is described in the following sections:

• Apache Certificate Generation for the RA

• Configure TLS Connections Between the CA and RA

• Setup Peer Systems

Apache Certificate Generation for the RA

Generate the Apache certificate for the RA by following the instructions for the CA and the RA server below.

Step 1: On the CA

SSH into the CA server and navigate to the /opt/PrimeKey/support directory.

Start by taking a backup of the system:

# /opt/PrimeKey/support/system_backup.sh

Generate TLS certificates for the RA server on the CA. Since an RA will most likely have two IP addresses and two DNS addresses, those are indicated with the -d and -i flags. In this case the IP and DNS names the host has are:

• ec2-13-59-110-179.us-east-2.compute.amazonaws.com

• ip-172-31-0-115.ec2.internal

• 13.59.110.179

• 172.31.0.115

# /opt/PrimeKey/support/create_ra_tls_certs.sh -d ec2-13-59-110-179.us-east-2.compute.amazonaws.com -d ip-172-31-0-115.ec2.internal -i 13.59.110.179 -i 172.31.0.115

The script will prompt whether to generate the certificates in the format that Apache expects on the RA.

Choose Y and press enter. It will output these files into the /home/ec2-user/pem directory for easy copying.


The three files output will be:

• managementca.ca-mgmt.pem

• server-mgmt.key

• server-mgmt.pem

Copy these files to the RA server and put them into place with the instructions in the next section.

Step 2: On the RA Server

SSH into the RA server and start by taking a backup of the system.

# /opt/PrimeKey/support/system_backup.sh

Copy the three files that were written to /home/ec2-user/pem on the CA to the new RA. Then copy the files (most likely in /home/ec2-user/) to the /etc/httpd/ssl directory and restart Apache:

# cp /home/ec2-user/managementca.ca-mgmt.pem /home/ec2-user/server* /etc/httpd/ssl/
# service httpd restart

Convert the server to an RA using the install_ra.sh script. This script will import the ManagementCA certificate from the CA server so that the RA is managed by the same ManagementCA as the CA server.

# /opt/PrimeKey/support/install_ra.sh

The script will ask for the path to the ManagementCA PEM file from the CA server.

Use the managementca PEM that was copied to the /etc/httpd/ssl directory or copy a new one.


Access the RA Administration GUI with the same certificate used to access the CA server. Test this by going to the EJBCA Admin Web on the RA. Note that no Management CA is configured locally; an external ManagementCA is used.


Configure TLS Connections Between the CA and RA

Step 1: Import Profiles on the CA

SSH into the CA server and import the profiles that are going to be used for generating the key binding and peer connection certificates.

# /opt/ejbca/bin/ejbca.sh ca importprofiles -d /opt/PrimeKey/ra_profiles/

Step 2: Create Crypto Token to store Peer Systems authentication key on CA

Create a Crypto Token for the key binding to use. Navigate to Crypto Tokens and select Create new.

1. Enter a name: Peer Systems Token.

2. Select Type: Soft.

3. Enter and repeat Authentication Code.

4. Enable Auto-activation.

5. Click Save.

6. Generate new key pair:

   a. Alias: peer_systems_auth_key.

   b. Key Spec: RSA 4096.


Step 3: Set up Authentication Key Binding for Mutual Authentication on CA

Create an internal key binding for authenticating the TLS connection to the RA. Start by selecting Internal Key Bindings on the CA.

1. Click Create new on the AuthenticationKeyBinding tab.

2. Enter a name: Peer System Key Binding to RA.

3. Select Crypto Token: "Peer Systems Token".

4. Key Pair Alias: peer_systems_auth_key.

5. Signature Algorithm: SHA256WithRSA.

6. Click Create.


Click Back to overview to go back to the AuthenticationKeyBinding tab, select CSR under the Action column and save the file (Peer System Key Binding to RA.pkcs10.pem).

Step 4: Generate Certificate for TLS Connection

Click RA Web on the left side navigation and open the CA's RA Web. Select Make New Request.

1. Select Certificate Type: "Peer Systems User EE Profile"

2. CA: "ManagementCA".

3. Click Browse and select the "Peer System Key Binding to RA.pkcs10.pem" file.

4. Change CN, Common Name to "peersystems".

5. Change the Username to "peersystems".

6. Click Download PEM.

7. Save the file (peersystems.pem).


Step 5: Import Peer Systems certificate into Authentication Key Binding on CA

1. Choose System Functions > Internal Key Bindings.

2. Click the AuthenticationKeyBinding tab.

3. Under Import externally issued certificate:

   a. Target AuthenticationKeyBinding: Peer System Key Binding to RA.

   b. Click Browse.

   c. Select the peersystems.pem file.

   d. Click Import.

4. Under Action:

   a. Click Enable.

5. The Peer Systems Authentication Key Binding should now be Active.


Setup Peer Systems

Follow the steps below to set up Peer Systems:

• Step 1: On the CA

• Step 2: On the RA

• Step 3: On the CA

• Step 4: On the RA

Step 1: On the CA

1. Choose System Functions > Peer Systems.

2. Under Outgoing Peer Connectors, click Add.

3. For Create Peer Connector, specify the following:

   a. Name: Peer Connection to RA

   b. URL: This should be the internal FQDN of the RA. For this example: "https://ip-172.31.0.115.us-east-2.compute.internal/ejbca/peer/v1"

   EJBCA Enterprise Cloud uses Apache, so no port designation is necessary.

   c. In the Authentication Key Binding list menu, select Peer System Key Binding to RA.

   d. Select Enabled.

   e. Select Process Incoming Requests.

   f. Change Maximum parallel requests to 50.

4. Click Create.

5. Click Ping. You should see the error "Unable to connect to peer. Unauthorized".

Note: If the error "Unable to connect to peer" displays, this is due to the security group configuration.


Also, make sure that the IP address is used and not an FQDN unless you have internal name resolution across VPCs.


Step 2: On the RA

1. Choose System Functions > Peer Systems.

2. You should see a connection attempt from the CA under Incoming Connections.

3. Click Create Role.

4. Ensure that – Create new role – is selected, and click Select.

5. Additional properties will show. Change the Role name to "External RA Role".

6. Select Role is intended for peer connections.

7. Select Accept long hanging connections.

8. Select Access ManagementCA and any other CAs the RA needs to access.

9. Click Create new role.

Step 3: On the CA

1. Select System Functions > Peer Systems.

2. Click Authorize Requests. If you do not see the Authorize Requests option, ensure Process incoming requests is selected in the peer connector.

3. Ensure that – Create new role – is selected and then click Select.

4. Change the Role Name to something like "RA Administrators".

5. Select the RA rules that apply to your environment, based on the permissions the RA and its administrators need. For a detailed explanation of RA Roles, see the section Prerequisites.

6. Select which CAs the RA should handle requests for.

7. Select the Profiles that the RA can use.

8. Select the protocols that the RA can process requests from.

9. Click Create new role.

Step 4: On the RA

1. Click Manage on the Peer Connection to RA peer connection.

2. Select Accept long hanging connections (This instance is an External RA polled by CA.).

3. Select the CAs you wish to have on the RA.

4. Click Create new role.

5. Access the RA Web on the RA server and the profiles you selected that exist on the CA should appear in the RA Web.


RA Administration

This guide describes EJBCA RA Administration tasks in the following sections: User Authorization and Sample Configuration.

User Authorization

To be authorized to use the RA, both the peer connection role (in case the RA runs as an external service) and the User/Admin role must be configured to allow access to the desired functionality. The following describes how the authorization works for the built-in role templates.

CA Administrators

CA Administrators are granted access to all functionality in the RA, but only to the CAs that are selected in the administrator role. CAs, and related end entities and certificates, will be hidden if the administrator does not have access.

RA Administrators

RA Administrators have access to the Enrollment, Search and Manage Requests pages, depending on the selected End Entity Rules. Access is restricted according to the selected CAs and end entity profiles as well. In order to make a certificate request, the administrator needs Create End Entities, View End Entities and Delete End Entities access. Permission to approve or reject a request is controlled by the approval profile, but certificate requests and requests to edit end entities additionally require the Approve End Entity access. The end entity search requires View End Entity access. The certificate search requires View Certificate access.

Supervisors

Supervisors have access to the Manage Requests and Search pages only, in read-only mode.

Auditors

Auditors have access to everything in read-only mode, except for the Enrollment page, which is not accessible.

Access Rules

Note that, in addition to the role configuration, the Enforce settings in the CA also control when certificates may be issued. Since the RA always creates a new end entity for each request, renewal of certificates only works if the Enforce unique public keys and Enforce unique DN options are disabled.


If you configure the access rules in Advanced Mode (that is, not using the role templates), you need the following access rules (listed per menu item). You also need access to any related CAs and End Entity Profiles, including all CAs referenced by the End Entity Profiles.

Enrollment

/ca_functionality/create_certificate/
/ra_functionality/view_end_entity/
/ra_functionality/create_end_entity/
/ra_functionality/delete_end_entity/
/ca/.../
/endentityprofilesrules/.../view_end_entity/
/endentityprofilesrules/.../create_end_entity/
/endentityprofilesrules/.../delete_end_entity/

If using a version prior to EJBCA 6.8.0, you also need the following rules to create certificates through the RA. These are not needed in EJBCA 6.8.0 and later.

/ra_functionality/edit_end_entity/
/endentityprofilesrules/.../edit_end_entity/

Certificate and End Entity Search

/ra_functionality/view_end_entity/
/ca_functionality/view_certificate/
/ca/.../
/endentityprofilesrules/.../view_end_entity/

Additionally, if the role should be allowed to revoke certificates, the following rule is needed:

/ra_functionality/revoke_end_entity/

Manage Requests

/endentityprofilesrules/.../approve_end_entity/

And at least one of the following rules:

/ra_functionality/approve_end_entity/ - to approve certificate requests and end entity operations
/ca_functionality/approve_caaction/ - to approve other operations
/secureaudit/auditor/select/ - to see requests without being able to approve them

CAs & CRLs

/ca_functionality/view_ca/
/ca/.../

Role Management

/system_functionality/edit_administrator_privileges/
/system_functionality/view_administrator_privileges/

To perform actual role management in the RA UI, a role for role management also needs access to the rules that sub-roles have (in order to see those sub-roles within a namespace) and the following rules:


/ca_functionality/view_ca/

/ca_functionality/view_certificate/

/ca/<CA issuing admin certificates>/

Key Recovery

/ra_functionality/keyrecovery/
/ca/.../
/endentityprofilesrules/.../keyrecovery/

Sample Configuration

Follow this example configuration to create one RA User that can request certificates (needing Approval) and one RA Admin that can approve the requests.

It is assumed that you already have a CA (named High Assurance CA), a Certificate Profile (named EV TLS), and an End Entity Profile (also named EV TLS), where the profiles are set to issue from that CA.

Create Roles

To set up approvals, you need two roles that will be part of the approval process.

1. In the CA UI on the CA, go to Roles and Access Rules.

2. Add a role called RA User.

3. Add a role called RA Admin.

4. Edit Access Rules for RA User in Custom > Advanced Mode:

/ca_functionality/create_certificate/
/ra_functionality/view_end_entity/
/ra_functionality/create_end_entity/
/ra_functionality/delete_end_entity/
/ca/High Assurance CA/
/endentityprofilesrules/EV TLS/view_end_entity/
/endentityprofilesrules/EV TLS/create_end_entity/
/endentityprofilesrules/EV TLS/delete_end_entity/

5. Click Save.

6. Edit Access Rules for RA Admin:

Template: RA Administrator

Note that RA does not support Decline rules. If a role that has a Decline rule is used on the RA, it will be denied access to everything as a security precaution.


Authorized CAs: High Assurance CA

End Entity Rules:  all

End Entity Profiles: EV TLS

Other rules: none

7. Click Save.

8. Now add some users to the RA User and RA Admin roles.
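As an added example (not EJBCA code), the following Python models the checks described in the Access Rules section and applied to the RA User role just created: which Advanced Mode rules each RA page needs, the "at least one of" rule for Manage Requests, and the caveat that a role carrying any Decline rule is locked out of the RA entirely. The required-rule lists are copied from the guide with the "..." placeholders filled by the CA and End Entity Profile names; the longest-prefix matching, under which a rule on a parent path such as /ca/ also covers /ca/<name>/, is an assumption that follows EJBCA's hierarchical access-rule tree and is simplified here.

```python
# Added example modelling RA page authorization as described in the guide.
# Not EJBCA code; rule matching is a simplified longest-prefix model (assumption).

ALLOW, DENY = "ALLOW", "DENY"


def _norm(path):
    """Rules and resources are compared in the canonical form '/a/b/'."""
    stripped = path.strip("/")
    return "/" + stripped + "/" if stripped else "/"


def is_allowed(role_rules, resource):
    """Longest-prefix match: the most specific rule covering the resource decides,
    and a resource with no covering rule is denied (assumed hierarchical model)."""
    resource = _norm(resource)
    best = None
    for rule, state in role_rules.items():
        rule = _norm(rule)
        if resource.startswith(rule) and (best is None or len(rule) > len(best[0])):
            best = (rule, state)
    return best is not None and best[1] == ALLOW


def required_rules(page, ca, eep):
    """(all_of, any_of) rule lists per RA page from the Advanced Mode section,
    with the guide's '...' placeholders filled by the CA and End Entity Profile."""
    eepr = f"/endentityprofilesrules/{eep}"
    table = {
        "Enrollment": ([
            "/ca_functionality/create_certificate/",
            "/ra_functionality/view_end_entity/",
            "/ra_functionality/create_end_entity/",
            "/ra_functionality/delete_end_entity/",
            f"/ca/{ca}/",
            f"{eepr}/view_end_entity/",
            f"{eepr}/create_end_entity/",
            f"{eepr}/delete_end_entity/",
        ], []),
        "Search": ([
            "/ra_functionality/view_end_entity/",
            "/ca_functionality/view_certificate/",
            f"/ca/{ca}/",
            f"{eepr}/view_end_entity/",
        ], []),
        # Manage Requests needs the profile rule plus at least one of three others.
        "Manage Requests": ([f"{eepr}/approve_end_entity/"], [
            "/ra_functionality/approve_end_entity/",
            "/ca_functionality/approve_caaction/",
            "/secureaudit/auditor/select/",
        ]),
        "CAs & CRLs": (["/ca_functionality/view_ca/", f"/ca/{ca}/"], []),
        "Key Recovery": ([
            "/ra_functionality/keyrecovery/", f"/ca/{ca}/", f"{eepr}/keyrecovery/",
        ], []),
    }
    return table[page]


def ra_page_access(role_rules, page, ca, eep):
    """Decide whether a role may use an RA page for the given CA and profile.
    The RA does not support Decline rules: a role carrying one is denied everything."""
    if DENY in role_rules.values():
        return False
    all_of, any_of = required_rules(page, ca, eep)
    if not all(is_allowed(role_rules, r) for r in all_of):
        return False
    return not any_of or any(is_allowed(role_rules, r) for r in any_of)


# The "RA User" role from the Sample Configuration, rules exactly as listed there.
RA_USER = {
    "/ca_functionality/create_certificate/": ALLOW,
    "/ra_functionality/view_end_entity/": ALLOW,
    "/ra_functionality/create_end_entity/": ALLOW,
    "/ra_functionality/delete_end_entity/": ALLOW,
    "/ca/High Assurance CA/": ALLOW,
    "/endentityprofilesrules/EV TLS/view_end_entity/": ALLOW,
    "/endentityprofilesrules/EV TLS/create_end_entity/": ALLOW,
    "/endentityprofilesrules/EV TLS/delete_end_entity/": ALLOW,
}

if __name__ == "__main__":
    for page in ("Enrollment", "Search", "Manage Requests"):
        print(page, ra_page_access(RA_USER, page, "High Assurance CA", "EV TLS"))
```

Running the block shows the RA User role reaching Enrollment but not Search (it lacks /ca_functionality/view_certificate/) or Manage Requests (it lacks the approve rules), which is exactly the split the sample configuration intends between the requesting and approving roles.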

RA Web Role Management

Optionally, the RA User role can be set up from the RA Web, which is convenient if the logged-in administrator does not have access to the CA (for example from an external RA). Using Role Management in the RA requires Role Management privileges (see Role Management).

1. Go to the RA Web (https://[yourdomain]:8443/ejbca/ra).

2. Navigate to Role Management > Roles.

3. Click Create New Role.

4. In the Available panel, select High Assurance CA and click Add.

5. Select the End Entity Permissions options Create and delete end entities and View end entities.

6. Under End entity profiles, select EV TLS and click Add.

7. Click Add at the bottom of the page.

The role RA User is added with the corresponding access rules available in the CA UI.

Create an Approval Profile

To configure the system to require approvals for issuing certain certificates, you need to create an Approval Profile.

Note that the approval system stores the role privileges per request. As a result, if you change roles in an Approval Profile, you need to make a new request for the new role attributes to be applied. Old requests continue to follow the rules that were in place when those requests were made.

Create an Approval Profile with two parts

To create one part for verifying the evidence:

1. In the CA UI on the CA, go to Approval Profiles.

2. Enter EV TLS Approval and click Add.

3. Click Edit for EV TLS Approval.


4. Change Approval Profile Type to Partitioned Approval.

5. In the first partition: Select RA Admin as Roles which may approve this partition.

6. In the first partition: Select Anybody as Roles which may view this partition.

7. In the first partition: Add a checkbox called Verified Evidence.

8. In the first partition: Add a textfield called Path to evidence.

9. Enter Evidence in the name field of the first partition.

10. Click Save.

To create another part for verifying the payment:

1. In the CA UI on the CA, go to Approval Profiles.

2. Click Edit for EV TLS Approval.

3. Click Add Partition.

4. Change Approval Profile Type to Partitioned Approval.

5. In the second partition: Select RA Admin as Roles which may approve this partition.

6. In the second partition: Select Anybody as Roles which may view this partition.

7. In the second partition: Add a checkbox called Verified payment.

8. In the second partition: Add a radiobutton called Payment method and add the rows Credit card and Invoice.

9. In the second partition: Add a textfield called Path to receipt.

10. Enter Payment in the name field of the second partition.

11. Click Save.

Configure Certificate Profile to use Approval Profile

You also need to configure the Certificate Profile to use the Approval Profile.

1. In the CA UI on the CA, go to Certificate Profiles.

2. Click Edit for EV TLS.

3. Under Approval Settings, select Add/Edit End Entity, Revocation and Key Recovery.

4. For Approval Profiles, select the newly created EV TLS Approval.

5. Click Save.

Email Notifications

You can configure email notifications for both RA Admins and RA Users with information on when a request has been created or changed, including links to approve the request or check its status. Notification configurations can for example be specified in End Entity Profiles and in Approval Profiles. For more information on available parameters, see the E-mail Notifications section.

Request Certificates

Start a new browser session and access the RA at https://localhost:8443/ejbca/ra/. You should now be able to request certificates using the function in Enroll > Make New Request. The information displayed depends on the RA User's access, for example on whether one or more profiles or CAs are available to the user. When there is only one choice available, and thus no selection to be made, the option is not displayed on the page, so a limited configuration results in an easy-to-use request page.

When you have created a request, you will be presented with a message that your request has been submitted for approval, and given a Request ID so you can follow the status of your request.

Approving Requests

Start a new browser session and access the RA again as RA Admin. You should now have the option to Manage Requests. Here you can view, approve or reject requests. Requests can also be edited, and once a request has been updated it has to be approved by another administrator, as you are not allowed to approve your own edits.

Enabling Key Recovery

To perform key recovery for a user, key recovery has to be enabled in EJBCA System Configuration. To activate key recovery:

1. In the CA UI on the CA, go to System Configuration.

2. On the Basic Configuration tab, for Enable Key Recovery, select Activate [x].

Additionally, the end entity profile used to create the end entity must also have key recovery enabled.

Using Local Key Generation

Local key generation is used when the key recovery data (the encrypted key pair) is to be stored on an external RA rather than on the CA. For more information, see the Key Recovery section.

To activate local key generation, do the following.

1. In the CA UI on the RA, go to System Configuration.

2. On the tab Basic Configuration, for Enable Key Recovery, select Activate [x] and Force Local Key Generation [x].

3. Select a crypto token for encryption of the key pairs (the crypto token must be created and activated before this step).

4. Select a crypto token key.


RA User Management

The following introduces EJBCA RA Management tasks and functions you can perform in the EJBCA RA GUI. For more information, refer to the EJBCA documentation on RA Operations.

Overview

The EJBCA RA UI is the portal for all end entity related operations, from enrolling certificates to administrating access for other RA administrators. The RA can either exist locally on the same instance as the CA, or be proxied to the CA via peers.

Enrolling Certificates, Creating Key Stores and Retrieving Generated Certificates

The heart of any RA is the ability to enroll for certificates and key stores. The EJBCA RA allows either the server to generate key stores or simply to sign a supplied CSR, and it can also be used to pre-configure end entities for the end user to enroll against at a later date.

Certificate and End Entity Lifecycle Management

Managing certificates is an essential day-to-day task of RA administration. EJBCA provides a full interface for searching among certificates and end entities in order to find certificates needing renewal, or to respond to requests from users to suspend and revoke certificates.

Manage Requests

EJBCA's powerful approvals mechanism is naturally used in the RA as well, though it is limited to enrollment, renewal and revocation operations. The EJBCA RA provides an interface to manage approvals, view other pending approval requests and audit past operations.

CA Certificates and CRLs

The CA Certificates and CRLs screen allows downloading CA certificates and CRLs for the CAs that you have access to.

The RA can be configured either to use certificate authentication or to allow public access. In either case, the menu items described on this page and its sub-pages only appear in accordance with the rights set up for that user. Additionally, both the user and the peer connector itself (if one is used) have their access rights limited to only the permitted CAs and role namespaces.

The CAs you can access are listed in a table displaying the following:


Column / Description

Certificate Authority
Name of the Certificate Authority.

CRL
• Full: Download a full CRL.
• Delta: Download a delta CRL if one is available.

Certificate
• PEM: Download the certificate in PEM format.
• DER: Download the certificate in binary (DER) format.

Certificate chain
Downloads the certificate chain for a sub CA, that is the sub CA certificate(s) and the root CA certificate:
• PEM: Download the certificate chain in PEM format.
• JKS: Download the certificate chain in Java Keystore format.
• PKCS#7: Download the certificate chain as a certificate-only binary PKCS#7 (CMS) file.

Browser import
Downloads the CA certificate with headers that trigger a browser import.

Download CA Certificate Fingerprint Sheet

To download a YAML text document with the CA certificate fingerprints of all CAs you have access to, click Download Fingerprints. This is useful during a key ceremony and eliminates the need to download the CA certificates and compute the fingerprints manually using a third-party tool such as OpenSSL. The fingerprint is computed using SHA-256.

Download CA Certificate Bundle

To download a compressed zip file containing the CA certificates of all CAs you have access to, click Download Certificate Bundle. The certificates in the bundle are provided in binary format (DER).
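As an added example (not PrimeKey's code or EJBCA's own tooling) covering both the Fingerprint Sheet and the Certificate Bundle downloads above, the following Python script recomputes the SHA-256 fingerprint of every DER certificate in a downloaded bundle and compares it with the sheet, so that a key ceremony can cross-check the two artifacts independently. It assumes a simple `CA name: fingerprint` line layout for the sheet (EJBCA's actual YAML layout is not documented on this page), zip entries named `<CA name>.der`, and constructed stand-in bytes instead of real certificates.

```python
import base64
import hashlib
import io
import re
import zipfile

PEM_RE = re.compile(rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

# Constructed stand-in bytes (not real certificates) so the check runs offline.
FAKE_CERTS = {"High Assurance CA": b"\x30\x82constructed-root", "EV Sub CA": b"\x30\x82constructed-sub"}

def sha256_fingerprint(cert: bytes) -> str:
    # The fingerprint is SHA-256 over the DER encoding; PEM input is unwrapped first.
    match = PEM_RE.search(cert)
    der = base64.b64decode(b"".join(match.group(1).split())) if match else cert
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))

def parse_fingerprint_sheet(text: str) -> dict:
    # Assumed "CA name: fingerprint" lines; EJBCA's real YAML layout is not on this page, adapt as needed.
    sheet = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, fp = line.partition(":")
            sheet[name.strip()] = fp.strip().strip('"').upper()
    return sheet

def verify_bundle(bundle_zip: bytes, sheet: dict) -> dict:
    # Check every DER certificate in the bundle zip against the sheet; returns {CA name: status}.
    results = {}
    with zipfile.ZipFile(io.BytesIO(bundle_zip)) as zf:
        for entry in zf.namelist():
            name = entry.rsplit(".", 1)[0]
            expected = sheet.get(name)
            actual = sha256_fingerprint(zf.read(entry))
            results[name] = ("missing from sheet" if expected is None
                             else "ok" if expected == actual else "MISMATCH")
    return results

def build_bundle(certs: dict) -> bytes:
    # In-memory zip shaped like the downloaded Certificate Bundle (one <CA name>.der entry per CA).
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, der in certs.items():
            zf.writestr(name + ".der", der)
    return buf.getvalue()

def to_pem(der: bytes) -> bytes:
    return b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der) + b"-----END CERTIFICATE-----\n"
```

To run the check, build the sheet mapping with `parse_fingerprint_sheet(...)` from the downloaded YAML and pass it together with the zip bytes to `verify_bundle(...)`; any entry reported as MISMATCH or missing from sheet should stop the ceremony until explained.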

Role Management

In order to allow for Managed PKI setups using the EJBCA RA, the RA makes full use of access rights and role namespaces. This allows an RA administrator with sufficient access rights to create duplicate or further constrained RA administrators within the same namespace, in order to handle local user administration without needing to interact with the CA.