EJBCA Enterprise Cloud Edition RA Configuration and Administration Guide

Print date: 2018-04-13


Table of Contents

Introduction
    Related Documentation
EJBCA RA Introduction
    EJBCA Registration Authority (RA)
    RA Concepts
    Security Features
    External Polling Mode
AWS Operating Environment
    EC2
    VPC Configuration
    Security Groups
CA and RA Configuration
    Apache Certificate Generation for the RA
        Step 1: On the CA
        Step 2: On the RA Server
    Configure TLS Connections Between the CA and RA
        Step 1: Import Profiles on the CA
        Step 2: Create Crypto Token to store Peer Systems authentication key on CA
        Step 3: Set up Authentication Key Binding for Mutual Authentication on CA
        Step 4: Generate Certificate for TLS Connection
        Step 5: Import Peer Systems certificate into Authentication Key Binding on CA
    Setup Peer Systems
        Step 1: On the CA
        Step 2: On the RA
        Step 3: On the CA
RA Administration
    User Authorization
        CA Administrators
        RA Administrators
        Supervisors
        Auditors
        Access Rules
    Sample Configuration
        Create Roles
        Create an Approval Profile
        Configure Certificate Profile to use Approval Profile
        Email Notifications
        Request Certificates
        Approving Requests
        Enabling Key Recovery
RA User Management
    Front page
    Enroll
        Make New Request
        Use Request ID
        Use Username
    Search
        Certificates
        End Entities
    Manage Requests
        To Approve
        Pending Approval
        Processed
        Custom Search
    CA Certificates and CRLs
    Role Management
        Edit / Create Role
        Role Members
        Namespaces


Introduction

This guide will assist an EJBCA Enterprise Cloud Edition administrator with EJBCA CA to RA configuration and administration tasks related to RA management.

This configuration assumes that the user has procured at least two nodes in the AWS Marketplace following the EJBCA ECE Quick Start Guide.

Related Documentation

EJBCA ECE Quick Start Guide
EJBCA ECE Backup Guide


EJBCA RA Introduction

EJBCA Registration Authority (RA)

Note that this documentation describes the new Peer Connector based External RA, available as of EJBCA 6.6.0.

The new EJBCA RA includes a graphical user interface for administrators and users. It is a generic RA, with the added capability to operate in an external polling mode.

For information on the previous version of the External RA, see External RA using Database Polling.

RA Concepts

Approving Actions

The mechanism for requiring Administrators to approve actions before they are executed.

Certificate Authority (CA)

A CA issues certificates to entities and vouches for their authenticity. The level of trust you can place in a CA is individual, per CA, and depends on the CA's Certificate Policy (CP) and Certification Practice Statement (CPS).

EJBCA

Enterprise Java Beans Certificate Authority; includes CA, VA and RA components.

Peer Systems

A mechanism for connections initiated from the CA to the RA (or VA), over which control and operational messages are passed.

Registration Authority (RA)

Registration Authority; can be run as part of the CA or as a separate service.

RA User

A user that makes a certificate request on the RA. The user may have to wait for an RA Admin to approve the request.

RA Admin

An administrator that approves requests made by RA Users.

Validation Authority (VA)

A VA is responsible for providing information on whether certificates are valid or not. There can be one or more VAs connected to each CA in the PKI.

Security Features

Note the following security features of the Peer Connector based External RA:

In polling mode:
- The TLS connection is established from the CA to the RA, so the CA needs only firewall-friendly outgoing connections.
- The CA never fetches and processes more requests than a configured upper limit, so a DDoS against the RA nodes cannot take down the CA nodes.

- Mutually authenticated TLS connection.


- JSF 2.0 based Web UI, including Content Security Policy and protection against XSS, CSRF and other attacks.
- Filtered error messages from the CA: only non-sensitive information is shown in the RA UI.
- Secure object transfer between RA and CA.
- Location aware authorization: authorization towards the CA is the combination of the user's authorization and the RA server's, so you can limit what RAs in different groups can be used for.

External Polling Mode

For security reasons, it is often preferred to deny all inbound traffic to the CA installation and instead let the CA fetch and process information from an external RA. The EJBCA RA does this using Peer Connectors. For more information, see Peer Systems.

Also note that the EJBCA RA works equally well locally, directly on the CA.


AWS Operating Environment

EC2

Begin by starting two EJBCA Enterprise Cloud Edition instances. In this example we will have the following two nodes:

Node 1 using IP 172.16.0.144 – US East 1 – 172.16.0.0/16 address space
Node 2 using IP 172.31.0.115 – US East 2 – 172.31.0.0/16 address space

One of the nodes is in US-East-1 and the other in US-East-2. For the purposes of this guide we are going to be using the instance ID from Node 1 as the password. You can obtain this from the EC2 console in the instance details, or run the following command on the instance:

# curl -s http://169.254.169.254/latest/meta-data/instance-id

VPC Configuration

To get the nodes to communicate, it is assumed a VPC Peering Connection is set up and in place. For assistance with configuring a VPC Peering Connection, refer to Amazon's VPC Peering Guide.

Optionally, for testing purposes, all nodes can be set up within the same VPC. This is not ideal and does not provide any availability guarantees if one of the AWS sites has an outage.

A Route Table needs to be created that allows these nodes to communicate over the Peering Connection. For more information on configuring Route Tables between VPCs, refer to Amazon's documentation on Updating Your Route Tables for a VPC Peering Connection.

A security group is also needed in each VPC. That configuration is outlined below since it pertains directly to the CA-to-RA Peer Systems communication.


Security Groups

Peer Systems communication between the CA and the RA uses the following port:

443 - For TLS connections between the CA and the RA/VA.

To create a security group that allows for TLS traffic within the VPCs, follow the steps below.

In this example, the VPC internal address space is 172.16.0.0/16 in US-East-1 and the address space in US-East-2 is 172.31.0.0/16.

Create a Security Group called "TLS 443 Traffic to US-East" with the following rules:

This will allow any connection outbound to any address, and inbound connections on port 443 only from addresses in the 172.16.0.0/16 and 172.31.0.0/16 subnets. The security group in the other VPC needs the same rules configured. These rules may be tightened as required by the organization; inbound 443 from the peer VPC range is the only inbound traffic the CA-to-RA connection needs.

To apply these Security Groups to the EJBCA Enterprise Cloud Edition nodes in each of the VPCs, right-click the node, select Networking and then Change Security Groups.


Apply the security group to each instance so that it can communicate with the other node over port 443.
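As an added check (not part of this guide or of EJBCA ECE), the following Python audits a security group's inbound rules against the policy described above: TCP/443 only, and only from the two peered VPC ranges. The rule dictionaries follow the IpPermissions shape that `aws ec2 describe-security-groups` returns, but the three sample groups are constructed by hand for the example, and the function and constant names are ours.

```python
"""Audit EJBCA ECE security-group ingress rules for the CA-to-RA TLS path.

Added example, not part of the guide or EJBCA ECE. Policy from the guide:
inbound TCP/443 only, and only from the peered VPC ranges 172.16.0.0/16
(US-East-1) and 172.31.0.0/16 (US-East-2); outbound is left unrestricted.
The rule dictionaries mimic the IpPermissions shape returned by
`aws ec2 describe-security-groups`; the samples below are constructed.
"""
import ipaddress

ALLOWED_SOURCES = [ipaddress.ip_network("172.16.0.0/16"),
                   ipaddress.ip_network("172.31.0.0/16")]
ALLOWED_PORT = 443


def _within_allowed(cidr):
    """True if cidr lies entirely inside one of the peered VPC ranges."""
    return any(cidr.version == allowed.version and cidr.subnet_of(allowed)
               for allowed in ALLOWED_SOURCES)


def audit_ingress(ip_permissions):
    """Return a list of findings for the inbound rules; [] means compliant.

    Checks: every rule is tcp/443, every IPv4 source sits inside a peered
    VPC range (so 0.0.0.0/0 is flagged), no IPv6 sources, and each peered
    VPC range is reachable by some rule (otherwise the CA in that VPC cannot
    reach the RA and the peer connector Ping fails).
    """
    findings = []
    sources = []
    for perm in ip_permissions:
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        if proto == "-1":
            findings.append("rule allows all protocols and ports")
        elif proto != "tcp" or (lo, hi) != (ALLOWED_PORT, ALLOWED_PORT):
            findings.append(f"rule allows {proto}/{lo}-{hi}; only tcp/443 is needed")
        for rng in perm.get("IpRanges", []):
            cidr = ipaddress.ip_network(rng["CidrIp"])
            sources.append(cidr)
            if not _within_allowed(cidr):
                findings.append(f"source {cidr} is outside the peered VPC ranges")
        for rng in perm.get("Ipv6Ranges", []):
            findings.append(f"IPv6 source {rng['CidrIpv6']} is not expected on this path")
    for allowed in ALLOWED_SOURCES:
        if not any(s.version == 4 and s.overlaps(allowed) for s in sources):
            findings.append(f"no rule admits {allowed}; the CA in that VPC cannot reach 443")
    return findings


# Constructed sample: the "TLS 443 Traffic to US-East" group as the guide describes it.
GOOD_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "172.16.0.0/16"}, {"CidrIp": "172.31.0.0/16"}]},
]

# Constructed sample of a weak group: 443 open to the world and SSH admitted.
WEAK_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "172.16.0.0/16"}]},
]

# Constructed sample that forgot the US-East-2 range: Ping from that CA will fail.
ONE_VPC_INGRESS = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "172.16.0.0/16"}]},
]

if __name__ == "__main__":
    for name, rules in (("good", GOOD_INGRESS), ("weak", WEAK_INGRESS),
                        ("one-vpc", ONE_VPC_INGRESS)):
        print(name, audit_ingress(rules) or ["compliant"])
```

Feed it the IpPermissions list of the real group (for example the output of `aws ec2 describe-security-groups --group-names "TLS 443 Traffic to US-East"` parsed with the json module) and run it in each VPC, since both groups must admit the other side's range.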


CA and RA Configuration

The CA and RA configuration is described in the following sections:

Apache Certificate Generation for the RA
Configure TLS Connections Between the CA and RA
Setup Peer Systems

Apache Certificate Generation for the RA

Generate the Apache certificate for the RA by following the instructions for the CA and the RA server below.

Step 1: On the CA

SSH into the CA server and navigate to the /opt/PrimeKey/support directory.

Start by taking a backup of the system:

# /opt/PrimeKey/support/system_backup.sh

Generate TLS certificates for the RA server on the CA. Since an RA will most likely have two IP addresses and two DNS names, those are indicated with the -d (DNS name) and -i (IP address) flags, each of which may be repeated. Include every name and address the CA will later use to reach the RA, so that the certificate is valid for whichever one ends up in the Peer Connector URL. In this case the IP addresses and DNS names the host has are:

ec2-13-59-110-179.us-east-2.compute.amazonaws.com
ip-172-31-0-115.ec2.internal
35.153.160.120
172.31.0.115

# /opt/PrimeKey/support/create_ra_tls_certs.sh -d ec2-13-59-110-179.us-east-2.compute.amazonaws.com -d ip-172-31-0-115.ec2.internal -i 35.153.160.120 -i 172.31.0.115

The script will prompt whether to generate the certificates in the format that Apache expects on the RA. Choose Y and press Enter. It outputs the files into the /home/ec2-user/pem directory for easy copying.


The three files output will be:

managementca.ca-mgmt.pem
server-mgmt.key
server-mgmt.pem

Copy these files to the RA server and put them into place following the instructions in the next section.

Step 2: On the RA Server

SSH into the RA server and start by taking a backup of the system.

# /opt/PrimeKey/support/system_backup.sh

Copy the three files from /home/ec2-user/pem on the CA to the new RA. On the RA, copy the files (most likely now in /home/ec2-user/) to the /etc/httpd/ssl directory and restart Apache:

# cp /home/ec2-user/managementca.ca-mgmt.pem /home/ec2-user/server* /etc/httpd/ssl/
# service httpd restart

Convert the server to an RA using the install_ra.sh script. This script imports the ManagementCA certificate from the CA server so that the RA is managed by the same ManagementCA as the CA server.

# /opt/PrimeKey/support/install_ra.sh

The script will ask for the path to the ManagementCA PEM file from the CA server.

Use the managementca PEM that was copied to the /etc/httpd/ssl directory or copy a new one.


Access the RA Administration GUI with the same client certificate used to access the CA server. Test this by going to the EJBCA Admin Web on the RA. Note that no local Management CA is configured on the RA; the external ManagementCA from the CA server is used.


Configure TLS Connections Between the CA and RA

Step 1: Import Profiles on the CA

SSH into the CA server and import the profiles that are going to be used for generating the key binding and peer connection certificates.

# /opt/ejbca/bin/ejbca.sh ca importprofiles -d /opt/PrimeKey/ra_profiles/

Step 2: Create Crypto Token to store Peer Systems authentication key on CA

Create a Crypto Token for the key binding to use. Navigate to Crypto Tokens and select Create new.

1. Enter a name: Peer Systems Token.
2. Select Type: Soft.
3. Enter and repeat Authentication Code.
4. Enable Auto-activation.
5. Click Save.
6. Generate new key pair:
   a. Alias: peer_systems_auth_key.
   b. Key Spec: RSA 4096.


Step 3: Set up Authentication Key Binding for Mutual Authentication on CA

Create an internal key binding for authenticating the TLS connection to the RA. Start by selecting Internal Key Bindings on the CA.

1. Click on the AuthenticationKeyBinding tab and select Create new.
2. Enter a name: Peer System Key Binding to RA.
3. Select Crypto Token: "Peer Systems Token".
4. Key Pair Alias: peer_systems_auth_key.
5. Signature Algorithm: SHA256WithRSA.
6. Click Create.

Click Back to overview to go back to the AuthenticationKeyBinding tab and, in the Action column, select CSR and save the file (Peer System Key Binding to RA.pkcs10.pem).


Step 4: Generate Certificate for TLS Connection

Click RA Web in the left side navigation to open the CA's RA web. Select Make New Request.

1. Select Certificate Type: "Peer Systems User EE Profile".
2. CA: "ManagementCA".
3. Click Browse and select the "Peer System Key Binding to RA.pkcs10.pem" file.
4. Change CN, Common Name to "peersystems".
5. Change the Username to "peersystems".
6. Click Download PEM.
7. Save the file (peersystems.pem).


Step 5: Import Peer Systems certificate into Authentication Key Binding on CA

1. Choose System Functions > Internal Key Bindings.
2. Click the AuthenticationKeyBinding tab.
3. Under Import externally issued certificate:
   a. Target AuthenticationKeyBinding: Peer System Key Binding to RA.
   b. Click Browse.
   c. Select the file peersystems.pem.
   d. Click Import.
4. Under Action:
   a. Click Enable.
5. The Peer Systems Authentication Key Binding should now be Active.


Setup Peer Systems

Follow the steps below to set up Peer Systems:

Step 1: On the CA
Step 2: On the RA
Step 3: On the CA

Step 1: On the CA

1. Choose System Functions > Peer Systems.
2. Under Outgoing Peer Connectors, click Add.
3. For Create Peer Connector, specify the following:
   a. Name: Peer Connection to RA
   b. URL: This should be the internal FQDN of the RA, and it must be one of the names or addresses included in the RA's TLS certificate generated above. For this example: "https://ip-172-31-0-115.ec2.internal/ejbca/peer/v1"
      EJBCA ECE uses Apache, so no port designation is necessary.
   c. In the Authentication Key Binding list menu, select Peer System Key Binding to RA.
   d. Select Enabled.
   e. Select Process Incoming Requests.
4. Click Create.
5. Click Ping. You should see the error "Unable to connect to peer. Unauthorized". This is expected at this point: the TLS connection to the RA succeeds, but the RA has not yet authorized the CA's peer certificate (that is done in Step 2).

Note: If the error "Unable to connect to peer" displays without "Unauthorized", this is due to the security group configuration. Also, make sure that the IP address is used and not an FQDN unless you have internal name resolution across VPCs.
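The Peer Connector URL only works if its host is one of the -d or -i values given to create_ra_tls_certs.sh, since that is what the RA's Apache certificate is valid for. The following Python is an added pre-flight check (not part of the guide or of EJBCA ECE) that validates a candidate URL against those values: https scheme, Apache's port 443 (or no port), EJBCA's peer endpoint path, and a host that is either one of the listed DNS names or one of the listed IP addresses. The defaults are the names and addresses from the certificate step above; the function name is ours.

```python
"""Check a Peer Connector URL against the names in the RA's Apache certificate.

Added example, not part of the guide or EJBCA ECE. The CA connects to the URL
given in the Outgoing Peer Connector, so the host in that URL has to be one of
the DNS names (-d) or IP addresses (-i) passed to create_ra_tls_certs.sh, the
scheme has to be https, the port is Apache's 443 (so omitted or 443), and the
path is EJBCA's peer endpoint.
"""
import ipaddress
from urllib.parse import urlsplit

# The -d and -i values used in the guide's create_ra_tls_certs.sh call.
RA_DNS_NAMES = ("ec2-13-59-110-179.us-east-2.compute.amazonaws.com",
                "ip-172-31-0-115.ec2.internal")
RA_IPS = ("35.153.160.120", "172.31.0.115")
PEER_PATH = "/ejbca/peer/v1"


def check_peer_url(url, dns_names=RA_DNS_NAMES, ips=RA_IPS):
    """Return (ok, reason); ok is True only if every check passes."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        return False, f"scheme {parts.scheme!r}: peer connections are mutually authenticated TLS, use https"
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        port = parts.port
    except ValueError:
        return False, f"malformed port in {parts.netloc!r}"
    if port not in (None, 443):
        return False, f"port {port}: EJBCA ECE fronts the RA with Apache on 443, omit the port"
    if parts.path.rstrip("/") != PEER_PATH:
        return False, f"path {parts.path!r}: the peer endpoint is {PEER_PATH}"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, not an IP literal
    if ip is not None:
        if any(ip == ipaddress.ip_address(i) for i in ips):
            return True, f"{ip} is covered by a -i entry"
        return False, f"{ip} was not passed with -i; the RA certificate is not valid for it"
    if host.lower() in {d.lower() for d in dns_names}:
        return True, f"{host} is covered by a -d entry"
    return False, f"{host!r} was not passed with -d; the RA certificate is not valid for it"


if __name__ == "__main__":
    for candidate in ("https://ip-172-31-0-115.ec2.internal/ejbca/peer/v1",
                      "https://172.31.0.115/ejbca/peer/v1",
                      "https://ip-172.31.0.115.us-east-2.compute.internal/ejbca/peer/v1",
                      "http://172.31.0.115/ejbca/peer/v1"):
        print(candidate, "->", check_peer_url(candidate))
```

When there is no name resolution across the peered VPCs, use the IP form of the URL, as the note above advises; the check then requires that address to have been passed with -i when the certificate was generated.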


Step 2: On the RA

1. Choose System Functions > Peer Systems.
2. You should see a connection attempt from the CA under Incoming Connections.
3. Click Create Role.
4. Ensure that – Create new role – is selected, and click Select.
5. Additional properties will show. Change the Role name to "External RA Role".
6. Select Accept Long Hanging Connections.
7. Ensure that Accept RA requests is selected.
8. Select Access ManagementCA and any other CAs the RA needs to access.
9. Select Publish Certificate.
10. Select Compare certificate synchronization status.
11. Click Create new role.

Step 3: On the CA

1. Select System Functions > Peer Systems.
2. Click Authorize Requests.
   If you do not see the Authorize Requests option, ensure Process incoming requests is selected in the peer connector.
3. Ensure that – Create new role – is selected and then click Select.
4. Change the Role Name to something like "RA Administrators".
5. Select the RA rules that apply to your environment, based on the permissions the RA and its administrators need. For a detailed explanation of RA roles, see the section RA Administration.
6. Select which CAs the RA should handle requests for.
7. Select the Profiles that the RA can use.


8. Select the protocols that the RA can process requests from.
9. Click Create new role.
10. Click Peer Systems.
11. Click Manage on the peer connection Peer Connection to RA.
12. Click Start.
13. It will say "Running".
14. Click Refresh.
15. You should see certificates synchronized.


RA Administration

This guide describes EJBCA RA administration tasks in the following sections: User Authorization and Sample Configuration.

User AuthorizationTo be authorized to use the RA, both the peer connection role (in case the RA runs as an external service) and the User/Admin role must be configured to allow access to the desired functionality. The following describes how the authorization works for the built-in role templates.

CA Administrators

CA Administrators are granted access to all functionality in the RA, but only to the CAs that are selected in the administrator role. CAs and related end entities and certificates, will be hidden if the administrator does not have access.

RA Administrators

RA Administrators have access to the Enrollment, Search and Manage Requests pages, depending on the selected End Entity Rules. Access is restricted according to the selected CAs and end entity profiles as well. In order to make a certificate request, the administrator needs Create End Entities, View End Entities and Delete End Entities access. Permission to approve or reject a request is controlled by the approval profile, but certificate requests and requests to edit end entities additionally require the Approve End Entity access. The end entity search requires View End Entity access. The certificate search requires View Certificate access.

Supervisors

Supervisors have access to the Manage Requests and Search pages only, in read-only mode.

Auditors

Auditors have access to everything in read-only mode, except for the Enrollment page which is not accessible.

Access Rules

Note that, in addition to the role configuration, the Enforce settings in the CA also control when certificates may be issued. Since the RA always creates a new end entity for each request, in order for renewal of certificates to work the Enforce unique public keys and Enforce unique DN options must be disabled on the CA.

If you configure the access rules in Advanced Mode (that is, not using the role templates), you need the following access rules (listed per menu item). You also need access to any related CAs and End Entity Profiles, including all CAs referenced by the End Entity Profiles.


Enrollment

/ca_functionality/create_certificate/

/ra_functionality/view_end_entity/

/ra_functionality/create_end_entity/

/ra_functionality/delete_end_entity/

/ca/.../

/endentityprofilesrules/.../view_end_entity/

/endentityprofilesrules/.../create_end_entity/

/endentityprofilesrules/.../delete_end_entity/

If using a version prior to EJBCA 6.8.0, you also need the following rules to create certificates through the RA. These are not needed in EJBCA 6.8.0 and later.

/ra_functionality/edit_end_entity/

/endentityprofilesrules/.../edit_end_entity/

Certificate and End Entity Search

/ra_functionality/view_end_entity/

/ca_functionality/view_certificate/

/ca/.../

/endentityprofilesrules/.../view_end_entity/

Additionally, if the role should be allowed to revoke certificates, the following rule is needed:

/ra_functionality/revoke_end_entity/

Manage Requests

/endentityprofilesrules/.../approve_end_entity/

And at least one of the following rules:

/ra_functionality/approve_end_entity/ - to approve certificate requests and end entity operations
/ca_functionality/approve_caaction/ - to approve other operations
/secureaudit/auditor/select/ - to see requests without being able to approve them

CAs & CRLs

/ca_functionality/view_ca/

/ca/.../

Role Management

/system_functionality/edit_administrator_privileges/

/system_functionality/view_administrator_privileges/


Key Recovery

/ra_functionality/keyrecovery/

/ca/.../

/endentityprofilesrules/.../keyrecovery/

Note that RA does not support Decline rules. If a role that has a Decline rule is used on the RA, it will be denied access to everything as a security precaution.
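The rule lists above are easy to get subtly wrong in Advanced Mode (a missing End Entity Profile rule, a CA rule for the wrong CA, a leftover decline). The following Python is an added example, not EJBCA code, that models the rule semantics described here and reports which RA menu items a role can actually use for a given CA and End Entity Profile. It assumes EJBCA's hierarchical rule model (a rule on a parent path such as /ra_functionality/ covers everything beneath it, and the root rule / covers everything) and applies the guide's statement that any decline rule causes the RA to deny the role everything. The sample role is the "RA User" role from the Sample Configuration below, with the "..." placeholders filled in with its CA and profile names.

```python
"""Evaluate a role's access rules against the RA menu requirements listed above.

Added example, not EJBCA code. Simplified model of EJBCA's hierarchical rules: a
role maps resource paths to "accept" or "decline"; a resource is authorized when
the most specific configured ancestor (or the resource itself) is "accept", so
"/ra_functionality/" grants every rule beneath it and "/" grants everything. As
the guide states, the RA treats any decline rule as grounds to deny the role
everything. The "..." placeholders are filled with the CA and End Entity Profile
names in use.
"""
ACCEPT, DECLINE = "accept", "decline"
MENUS = ("Enroll", "Search", "Manage Requests", "CAs & CRLs",
         "Role Management", "Key Recovery")


def _parts(path):
    return [p for p in path.split("/") if p]


def is_authorized(role, resource):
    """Longest-prefix match over the role's rules; a decline anywhere denies all."""
    if DECLINE in role.values():
        return False
    target, best = _parts(resource), None   # best = (depth, state)
    for rule, state in role.items():
        prefix = _parts(rule)
        if target[:len(prefix)] == prefix and (best is None or len(prefix) > best[0]):
            best = (len(prefix), state)
    return best is not None and best[1] == ACCEPT


def required_rules(menu, ca, eep, pre_6_8_0=False):
    """(all_of, any_of) rule lists for one RA menu item, as listed in the guide."""
    eepr = f"/endentityprofilesrules/{eep}"
    if menu == "Enroll":
        rules = ["/ca_functionality/create_certificate/",
                 "/ra_functionality/view_end_entity/",
                 "/ra_functionality/create_end_entity/",
                 "/ra_functionality/delete_end_entity/", f"/ca/{ca}/",
                 f"{eepr}/view_end_entity/", f"{eepr}/create_end_entity/",
                 f"{eepr}/delete_end_entity/"]
        if pre_6_8_0:  # the edit rules were only needed before EJBCA 6.8.0
            rules += ["/ra_functionality/edit_end_entity/", f"{eepr}/edit_end_entity/"]
        return rules, []
    if menu == "Search":
        return ["/ra_functionality/view_end_entity/", "/ca_functionality/view_certificate/",
                f"/ca/{ca}/", f"{eepr}/view_end_entity/"], []
    if menu == "Manage Requests":
        return [f"{eepr}/approve_end_entity/"], ["/ra_functionality/approve_end_entity/",
                                                 "/ca_functionality/approve_caaction/",
                                                 "/secureaudit/auditor/select/"]
    if menu == "CAs & CRLs":
        return ["/ca_functionality/view_ca/", f"/ca/{ca}/"], []
    if menu == "Role Management":
        return ["/system_functionality/edit_administrator_privileges/",
                "/system_functionality/view_administrator_privileges/"], []
    if menu == "Key Recovery":
        return ["/ra_functionality/keyrecovery/", f"/ca/{ca}/", f"{eepr}/keyrecovery/"], []
    raise ValueError(f"unknown menu {menu!r}")


def ra_menus(role, ca, eep, pre_6_8_0=False):
    """Set of RA menu items the role can use for the given CA and profile."""
    granted = set()
    for menu in MENUS:
        all_of, any_of = required_rules(menu, ca, eep, pre_6_8_0)
        if all(is_authorized(role, r) for r in all_of) and \
                (not any_of or any(is_authorized(role, r) for r in any_of)):
            granted.add(menu)
    return granted


# The "RA User" role from the Sample Configuration, as written in Advanced Mode.
RA_USER = {rule: ACCEPT for rule in (
    "/ca_functionality/create_certificate/",
    "/ra_functionality/view_end_entity/",
    "/ra_functionality/create_end_entity/",
    "/ra_functionality/delete_end_entity/",
    "/ca/High Assurance CA/",
    "/endentityprofilesrules/EV TLS/view_end_entity/",
    "/endentityprofilesrules/EV TLS/create_end_entity/",
    "/endentityprofilesrules/EV TLS/delete_end_entity/")}

if __name__ == "__main__":
    print(ra_menus(RA_USER, "High Assurance CA", "EV TLS"))
    print(ra_menus(RA_USER, "High Assurance CA", "EV TLS", pre_6_8_0=True))
    print(ra_menus({**RA_USER, "/ra_functionality/revoke_end_entity/": DECLINE},
                   "High Assurance CA", "EV TLS"))
```

The same role evaluated for a CA or profile it was not granted yields no menus at all, which is the behaviour the "CA Administrators" paragraph above describes: CAs the role cannot access, and their end entities and certificates, are simply hidden.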

Sample Configuration

Follow this example configuration to create one role that can request certificates (needing approval), RA User, and one that can approve the requests, RA Admin.

It is assumed that you already have a CA (named High Assurance CA), a Certificate Profile (named EV TLS), and an End Entity Profile (also named EV TLS), where the profiles are set to issue from that CA.

Create Roles

To set up approvals, you need two roles that will be part of the approval process.

1. In the Admin GUI on the CA, go to Administrator Roles.
2. Add a role called RA User.
3. Add a role called RA Admin.
4. Edit Access Rules for RA User in Custom > Advanced Mode:
   /ca_functionality/create_certificate/
   /ra_functionality/view_end_entity/
   /ra_functionality/create_end_entity/
   /ra_functionality/delete_end_entity/
   /ca/High Assurance CA/
   /endentityprofilesrules/EV TLS/view_end_entity/
   /endentityprofilesrules/EV TLS/create_end_entity/
   /endentityprofilesrules/EV TLS/delete_end_entity/
5. Click Save.
6. Edit Access Rules for RA Admin:
   Template: RA Administrator
   Authorized CAs: High Assurance CA
   End Entity Rules: all
   End Entity Profiles: EV TLS
   Other rules: none


7. Click Save.
8. Now add some users to the RA User and RA Admin roles.

RA Web Role Management

Optionally, the RA User role can be set up from the RA Web, which is convenient if the logged in administrator does not have access to the CA (for example from an external RA). Using Role Management in the RA requires Role Management privileges (see Role Management).

1. Go to the RA Web (https://[yourdomain]:8443/ejbca/ra).
2. Navigate to Role Management > Roles.
3. Click Create New Role.
4. In the Available panel, select High Assurance CA and click Add.
5. Select the End Entity Permissions options Create and delete end entities and View end entities.
6. Under End entity profiles, select EV TLS and click Add.
7. Click Add at the bottom of the page.

The RA User role is added with the corresponding access rules available in the Admin GUI.

Create an Approval Profile

To configure the system to require approvals for issuing certain certificates, you need to create an Approval Profile.

Note that the approval system stores the role privileges per request. As a result, if you change roles in an Approval Profile, you need to make a new request for the new role attributes to be applied. Existing requests continue to follow the rules that were in place when they were made.

Create an Approval Profile with two parts. To create the first part, for verifying the evidence:

1. In the Admin GUI on the CA, go to Approval Profiles.
2. Enter EV TLS Approval and click Add.
3. Click Edit for EV TLS Approval.
4. Change Approval Profile Type to Partitioned Approval.
5. In the first partition: Select RA Admin as Roles which may approve this partition.
6. In the first partition: Select Anybody as Roles which may view this partition.
7. In the first partition: Add a checkbox called Verified Evidence.
8. In the first partition: Add a textfield called Path to evidence.
9. Enter Evidence in the name field of the first partition.
10. Click Save.

To create the second part, for verifying the payment:

1. In the Admin GUI on the CA, go to Approval Profiles.
2. Click Edit for EV TLS Approval.
3. Click Add Partition.


4. Change Approval Profile Type to Partitioned Approval.
5. In the second partition: Select RA Admin as Roles which may approve this partition.
6. In the second partition: Select Anybody as Roles which may view this partition.
7. In the second partition: Add a checkbox called Verified payment.
8. In the second partition: Add a radiobutton called Payment method and add the rows Credit card and Invoice.
9. In the second partition: Add a textfield called Path to receipt.
10. Enter Payment in the name field of the second partition.
11. Click Save.

Configure Certificate Profile to use Approval Profile

You also need to configure the Certificate Profile to use the Approval Profile.

1. In the Admin GUI on the CA, go to Certificate Profiles.
2. Click Edit for EV TLS.
3. Under Approval Settings, select Add/Edit End Entity, Revocation and Key Recovery.
4. For Approval Profiles, select the newly created EV TLS Approval.
5. Click Save.

Email Notifications

You can configure email notifications for both RA Admins and RA Users with information on when a request has been created or changed, including links to approve the request or check its status. Notification configurations can for example be specified in End Entity Profiles and in Approval Profiles. For more information on available parameters, see the E-mail Notifications section.

Request Certificates

Start a new browser session and access the RA at https://localhost:8443/ejbca/ra/. You should now be able to request certificates using the function in Enroll > Make New Request. The information displayed depends on the RA User's access, for example on whether one or more profiles or CAs are available to the user. When there is only one choice available and thus no selection to be made, the option is not displayed on the page, so a limited configuration results in an easy-to-use request page.

When you have created a request, you will be presented with a message that your request has been submitted for approval, and given a Request ID so you can follow the status of your request.

Approving Requests

Start a new browser session and access the RA again as RA Admin. You should now have the option to Manage Requests. Here you can view, approve or reject requests. Requests can also be edited, and once a request has been updated it has to be approved by another administrator, as you are not allowed to approve your own edits.


Enabling Key Recovery

To perform key recovery for a user, key recovery has to be enabled in EJBCA System Configuration. To activate key recovery:

1. In the Admin GUI on the CA, go to System Configuration.
2. On the Basic Configuration tab, for Enable Key Recovery, select Activate [x].

Additionally, the end entity profile used to create the end entity requires key recovery to be enabled.

Using Local Key Generation

Local key generation is used when the key recovery data (encrypted key pair) is to be stored on an external RA rather than the CA. For more information, see the Key Recovery section.

To activate local key generation, do the following.

1. In the Admin GUI on the external RA, go to System Configuration.
2. On the Basic Configuration tab, for Enable Key Recovery, select Activate [x] and Force Local Key Generation [x].
3. Select a crypto token for encryption of the key pairs (the crypto token must be created and activated before this step).
4. Select a crypto token key.


RA User Management

This section covers EJBCA RA Management tasks and describes the EJBCA menu sections and the functions a user can perform in the EJBCA RA GUI:

- Front page
- Enroll
- Search
- Manage Requests
- CA Certificates and CRLs
- Role Management

User Access

Different menu items will be visible depending on the User's access role.

Front page

The RA front page contains quick links to the most common operations performed by a user:

- Making a new certificate request
- Checking status of a request, and retrieving the certificate
- Requesting revocation of a certificate

Enroll

The Enroll menu includes options for making certificate requests and retrieving (enrolling) certificates issued to the User.

Make New Request

The Make New Request page allows requesting a new certificate. Note that the options available depend on your role, and when there is only one choice available and thus no selection to be made, the option is not displayed on the page. To view these predefined options, click Show details in the bottom-right of each section.

Select Request Template

Select Certificate Type to choose which type of certificate to request. If you have access to request multiple certificates, the options are available for selection in a list. Note that you will not have to make a selection if you only have access to one certificate type.

Second, you select Certificate subtype. The subtype choice exists if there are multiple variants, for example SMIME Signing or Encryption, or different validity periods for TLS certificates. If you only have access to one Certificate subtype, you will not be able to choose anything.


Third, you can choose which CA to request the certificate from, if you have access to more than one CA. If only one CA choice is available, you will not be able to choose anything.

Last in the Request Template section, you choose whether you will provide a CSR or whether the CA will generate a keystore, including the private key, for you. If only one choice is available, you will not be able to choose anything.

Upload CSR

If the last choice in the Request Template section was Provided by User, you now get the ability to upload a CSR. Once uploaded, some basic information about the CSR, such as the type and length of the public key, is displayed.

Select key algorithm

If the last choice in the Request Template section was On Server, you now get the ability to choose key type and key length, within the restrictions set by the policy.

Provide request info

This is the section where you enter your personal data for the request. This includes Distinguished Name fields and Subject Alternative Name fields. Only available fields are displayed, and an asterisk (*) marks required fields.

Provide User Credentials

The last section to fill in contains your User credentials. This can include a username and enrollment code, or only an enrollment code if the username is automatically generated. The enrollment code will be used when you, at a later stage, retrieve your certificate.

Confirm request

Last there is a summary section of your choices so you can verify the data you entered before confirming the request. As the last step you are asked to either confirm the request to be sent for approval, or immediately issue the certificate if the certificate can be issued immediately for your role.

- Confirm Request: Creates a request for approval and provides you with a Request ID for tracking the request.
- Download buttons: Immediately issue a certificate.

Use Request ID

This menu selection will let you check the status of a request sent for approval, using the Request ID you were given. If the request is ready for issuance, you will then be able to provide the enrollment code that you either provided yourself or were sent. After giving the Request ID and an enrollment code, your certificate or keystore will be downloaded to you.

Use Username

As an alternative to using a Request ID, you may be provided with a username and an enrollment code by your administrator. These can be used on this screen in order to issue your certificate.


Search

The Search menu allows administrators with appropriate access rights to search for certificates or end entities (users, devices, and so on).

Certificates

Use the search field to search for certificates and show search results as you type. Search is performed over the certificate:

- Distinguished Name
- Subject Alternative Name
- Serial Number
- End Entity username that the certificate is issued for

Use the corresponding list menus to narrow the search to a specific End Entity Profile, Certificate Profile, CA, and Certificate Status.

Click Show more options to access time fields to limit the search to certificates issued, expired, or revoked before or after the time specified.

You can also select the maximum number of results that will be shown.

Search results are presented in a list with some certificate fields as columns. Click View on a row to display details of the certificate. While viewing the details, click the link at the bottom to download the certificate, or click Show more details to display an ASN.1 dump of the certificate contents.

Requesting revocation

While viewing a specific certificate you can request revocation, or revoke the certificate immediately if you have the proper rights, by selecting a revocation reason in the list menu in the Certificate Status section and clicking Revoke.

Requesting key recovery

While viewing a certificate, you can also request key recovery for the selected certificate. This is done by clicking Recover Key, providing a new enrollment code and then clicking Confirm request. If the operation requires approval, a link will be provided at the bottom of the page along with a request ID which is used to check the status of your request. Once the request is approved by another administrator, a new certificate can be enrolled through Enroll > Use Request ID / Username. If the operation does not require approval, a new certificate may be enrolled instantly from Enroll > Use Username.

The Recover Key button is only visible if the logged in Administrator is authorized to perform key recovery and key recovery data exists for the user.

End Entities

Searching for end entities is done as you type in the search field. Search is done over the end entity's:

- Distinguished Name
- Subject Alternative Name
- Username

By choosing in the fields below the search field you can narrow the search to a specific:

- End Entity Profile
- Certificate Profile
- CA
- End Entity Status

By clicking Show more options you also get access to time fields to limit the search in time:

End entity modified before or after a specific time

You can also select the maximum number of results that will be shown.

Search results are presented in a list with some end entity fields as columns. You can also click View on the right in a row to display details of the end entity.

Manage Requests

The Manage Requests menu functions are used by RA Administrators to approve requests that have been made by less privileged users, i.e. requests that require approval by an administrator before the certificate can be issued, a revocation performed, etc.

The Manage Requests page contains the following tabs:

- To Approve: Lists requests that you as an administrator may approve or deny.
- Pending Approval: Lists currently pending requests you have access to view, including those that you may approve yourself.
- Processed: Lists past requests you have access to view.
- Custom Search: A search screen allowing you to filter and search all requests you have access to view.

To Approve

The To Approve tab shows which approval requests you as an RA Administrator have the possibility to attend to. As an RA Administrator, this is your view to pick up requests to review.

Note that approval requests have an expiry period and will disappear from the To Approve list when expired.

Requests to review are listed in a table displaying:

Column          Description

ID              The request ID.
Request Date    Date and time of the request.
CA              The CA the request was made for.
Type            Type of request:
                - Add End Entity
                - Change Status of End Entity
                - Edit End Entity
                - Key Recovery
                - Revoke Certificate
                - Revoke End Entity
Name            Username of the request end entity.
Requested by    Your login.
Request Status  Valid values:
                - Waiting for Approval
                - Approved
                - Executed
                - Rejected
                - Execution Failed
                - Expired
Review          Clicking Review displays View Request details about the request and allows you to edit the request.

Note that if you edit a request, you will not be able to approve the same request since the request will have to be approved by another administrator.


Below the request details there may be information to specify in order to approve or reject the request. The details to specify for approval depend on the configuration of Approval Profiles in the CA and can be text fields, options, or numbers that you have to specify before clicking Approve or Reject.

If only one approval is required, the request will be Executed after you approve it. In a multi-step approval process, the request will move to the next administrator to approve the next step. The approval workflow is configured by the CA Administrators.
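The following is an added example (not EJBCA code) that models the approval rules this guide describes: the two-partition EV TLS Approval profile configured above, the role check on each partition, the required partition fields, the request expiry period, and the rule that an administrator who edited a request may not approve it. Partition names, field names and the ISO timestamps are constructed to mirror the configuration steps; the data model itself is a simplification and is assumed, not EJBCA's internal representation.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Request Status values from the Manage Requests table (subset used here)
WAITING, EXECUTED, EXPIRED = "Waiting for Approval", "Executed", "Expired"

@dataclass
class Partition:
    name: str                  # partition name, e.g. "Evidence" or "Payment"
    approve_roles: set         # "Roles which may approve this partition"
    required_fields: set       # fields an approver must fill in before clicking Approve
    approved_by: Optional[str] = None

@dataclass
class ApprovalRequest:
    request_id: int
    requested_by: str
    expires: datetime          # approval requests have an expiry period
    partitions: list
    status: str = WAITING
    editors: set = field(default_factory=set)   # admins who edited this request

    def edit(self, admin: str) -> None:
        """Editing resets approvals; the editor may no longer approve the request."""
        if self.status != WAITING:
            raise ValueError("only pending requests can be edited")
        for p in self.partitions:
            p.approved_by = None
        self.editors.add(admin)

    def approve(self, admin: str, roles: set, partition: str, data: dict, now: str) -> str:
        """Approve one partition; `now` is an ISO 8601 timestamp (constructed input)."""
        if self.status == WAITING and datetime.fromisoformat(now) > self.expires:
            self.status = EXPIRED              # expired requests leave the To Approve list
        if self.status != WAITING:
            raise ValueError(f"request {self.request_id} is {self.status}")
        if admin in self.editors:
            raise PermissionError("you are not allowed to approve your own edits")
        part = next(p for p in self.partitions if p.name == partition)
        if not part.approve_roles & roles:
            raise PermissionError(f"{admin} may not approve partition {partition}")
        missing = part.required_fields - {k for k, v in data.items() if v}
        if missing:
            raise ValueError(f"partition {partition} is missing {sorted(missing)}")
        part.approved_by = admin
        if all(p.approved_by for p in self.partitions):
            self.status = EXECUTED             # every partition approved: request executes
        return self.status

def ev_tls_request(request_id: int, requested_by: str, expires: str) -> ApprovalRequest:
    """Request governed by the two-partition EV TLS Approval profile configured above."""
    partitions = [
        Partition("Evidence", {"RA Admin"}, {"Verified Evidence", "Path to evidence"}),
        Partition("Payment", {"RA Admin"}, {"Verified payment", "Payment method", "Path to receipt"}),
    ]
    return ApprovalRequest(request_id, requested_by, datetime.fromisoformat(expires), partitions)
```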

Pending Approval

If you have made requests yourself, and have privileges to view the Manage Requests page, this tab displays the requests that you have made and that are waiting for approval by another administrator. If you have requests that are pending approval, a table is shown displaying information about your request, with the same information as for To Approve.

Click Review to the right in the table to view details about your request. To edit your request before it has been approved, click Edit while viewing request details.

Processed

The Processed tab shows requests that you have approved or rejected and allows you to review what has been done.

Custom Search

The Custom Search tab (available as of EJBCA 6.8.0) allows searching for approval requests based on:

- Request Status
- Created on or after
- Created on or before
- Only requests that expire in a number of days

CA Certificates and CRLs

The CA Certificates and CRLs screen lets you download CA certificates and CRLs for CAs that you have access to.

The CAs you have access to are listed in a table displaying:

Column                 Description

Certificate Authority  Name of Certificate Authority.
CRL                    Full: Download a full CRL.
                       Delta: Download a delta CRL if one is available.
Certificate            PEM: Download certificate in PEM format.
                       DER: Download certificate in binary format.
Certificate chain      Downloads a certificate chain for a sub CA, the sub CA certificate(s) and root CA certificate:
                       PEM: Download certificate chain in PEM format.
                       JKS: Download certificate chain in a Java Keystore format.
                       PKCS#7: Download certificate chain as a certificate-only binary PKCS#7 (CMS) file.
Browser import         Downloads the CA certificate with headers to trigger a browser import.

Role Management

Role management is available in the RA Web as of EJBCA 6.8.0, allowing RA administrators to manage their users and roles without access to the CA. The Role Management tab is visible among the menu items in the RA Web if the logged in administrator has sufficient access rights to manage roles.

RA role management consists of functionality similar to Administrator Roles in the Administrator Web, including:

- Viewing existing roles and role members
- Creating new roles and namespaces
- Adding members to roles
- Editing end entity permissions

Edit / Create Role

From the RA Web menu, roles can be added or edited through Role Management > Roles. In the edit page, the CAs and End Entity Profiles authorized for the logged in administrator are displayed in the Available box. Moving items to the Allowed box will grant corresponding access to the members of the role. Access may also be granted to other RA related operations using the End Entity permissions options.

Role Members

Members can be added to an existing role or edited through Role Management > Role Members. Similar to the administrator web, options are available to select the role, match with an attribute and select the CA to associate the member with.

Namespaces

A new concept introduced to role management is Namespaces. A role may be associated with a namespace which controls visibility of other roles. Members of a role belonging to a specific namespace may only view other roles belonging to that namespace. In practice this introduces an option to keep multiple roles on the same CA, with separated visibility for different RA administrators. E.g. it might be desired to keep the roles of organization A hidden from the administrators of organization B, even though they belong to the same CA.

Managing Namespaces

Through the edit page displayed when editing or creating a new role, the desired namespace to be associated with the role may be selected from the drop down menu at the top of the page. A new namespace can also be created by selecting Create new namespace from the list menu (if the logged in administrator is authorized to do so).