SignServer Enterprise
Cloud Edition Peering
to EJBCA ECE
Configuration Guide
Print date: 2018-11-01
© 2018 PRIMEKEY
Table of Contents
Introduction
  Documentation
  Related Guides
AWS Operating Environment
  EC2
  VPC Configuration
EJBCA/SignServer Peering Security Groups
Generate new TLS Certificates for SignServer
Allow Peer Connections in SignServer
Peer Connection Configuration
  Step 1: Create Crypto Token for Peering Key
  Step 2: Create a Certificate Profile for the Peer
  Step 3: Setup the Key Bindings
  Step 4: Generate a CSR for the KeyBinding
Creating the Peer Connection
Allow Peer Connection in SignServer
Configuring Automatic Generation and Key Renewal over Peers
  SignServer Configuration
  EJBCA Configuration
  Create the End Entity on EJBCA
Automatically Renewing the Key Binding Key
Introduction
This guide assists a SignServer Enterprise Cloud Edition administrator with configuring peering to EJBCA Enterprise Cloud Edition.
This configuration assumes that the user has procured three nodes in the AWS Marketplace (https://aws.amazon.com/marketplace/seller-profile?id=7edf9048-58e6-4086-9d98-b8e0c1d78fce&ref=dtl_B078PLGJWL) following the SignServer and EJBCA Launch Guides referenced below.
Documentation
SignServer Enterprise Cloud Edition documentation is available on:
https://download.primekey.com/docs/SignServer-Enterprise-Cloud/latest
SignServer Enterprise Edition documentation is available on:
https://download.primekey.com/docs/SignServer-Enterprise/current
Additional information on SignServer Community Edition is available on: www.signserver.org
Related Guides
SignServer ECE Launch Guide: https://download.primekey.com/docs/SignServer-Enterprise-Cloud/latest/signserver-cloud-launch-guide.pdf
EJBCA ECE Launch Guide: https://download.primekey.com/docs/EJBCA-Enterprise-Cloud/latest/ejbca-ece-launch-guide.pdf
AWS Operating Environment
EC2
Begin by starting an EJBCA Enterprise Cloud Edition and a SignServer Enterprise Cloud Edition instance. In this example we will have the following 2 nodes:
- EJBCA Node using IP 172.16.2.21 – US East 1 – 172.16.0.0/16 address space
- SignServer Node using IP 172.16.2.98 – US East 1 – 172.16.0.0/16 address space
For simplicity of this guide these nodes are in US-East-1 region.
VPC Configuration
If it is desired to have these two nodes communicate from different VPCs, it is assumed a VPC Peering Connection is set up and in place. For assistance with configuring a VPC Peering Connection, refer to Amazon's VPC Peering Guide (https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/Welcome.html).
Optionally, all nodes can be set up within different VPCs. A Route Table will need to be created that allows these nodes to communicate over the Peering Connection. For more information on configuring Route Tables between VPCs, refer to Amazon's VPC Peering Guide (https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-peering-routing.html).
A security group is also needed in each VPC. That configuration is outlined in the section EJBCA/SignServer Peering Security Groups below, since it pertains directly to the Galera communication.
Consult the AWS documentation for further information.
EJBCA/SignServer Peering Security Groups
EJBCA to SignServer Peering uses port 443 (SSL/TLS) for communication. This connection is initiated from the EJBCA server to the SignServer node and needs to only go one way, but must allow return communication.
1. Create a security group that allows for TLS traffic within the VPCs. In this example, the VPC internal address space is 172.16.0.0/16 in US-East-1. Create a Security Group called Allow All TLS Traffic with the following rules:
   This will allow any connections outbound to any address and any inbound connection on port 443 from any address on the 172.16.0.0/16 subnet. The other VPC will also need the same rule configured. These rules may be tightened as required for the organization.
2. Apply these Security Groups to the EJBCA Enterprise Cloud Edition and SignServer Cloud Edition Nodes in each of the VPCs. Right-click the node, select Networking and then Change Security Groups:
3. Apply the security group to the instances so that they can communicate with each other:
4. In the node details there is a link to View Inbound Rules. The associated IPs should be set up according to the following example (modified for your IP ranges and subnets):
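As an added check that is not part of the PrimeKey guide, the following Python validates a security group's inbound rules against the policy described above (TCP 443 from 172.16.0.0/16 only, outbound anything) and builds the matching ingress permission in the IpPermissions shape used by the AWS EC2 API. The sample rule is constructed to mirror the example above.

```python
"""Added example (not from the PrimeKey guide): check the peering security group.

Rules use the IpPermissions shape of the AWS EC2 API. The sample rule below is
constructed to mirror the guide's 'Allow All TLS Traffic' group; outbound is
left as 'all', as in the guide, and is not checked here.
"""
import ipaddress

PEERING_CIDR = "172.16.0.0/16"   # VPC internal address space from the guide
PEERING_PORT = 443               # EJBCA -> SignServer peering uses TLS on 443

# Constructed sample: inbound TCP 443 from the VPC address space.
SAMPLE_INBOUND = [
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "172.16.0.0/16"}]},
]


def peering_ingress_permission(cidr=PEERING_CIDR, port=PEERING_PORT):
    """Build the one ingress permission the guide calls for (TCP 443 from the VPC).

    Because the connection is initiated by EJBCA, only the SignServer node's
    group strictly needs this ingress; the guide applies it to both nodes.
    """
    net = ipaddress.ip_network(cidr)  # rejects a malformed CIDR early
    return {"IpProtocol": "tcp", "FromPort": port, "ToPort": port,
            "IpRanges": [{"CidrIp": str(net)}]}


def check_ingress(inbound, allowed_cidr=PEERING_CIDR, port=PEERING_PORT):
    """Return findings for inbound rules wider than 'TCP <port> from <allowed_cidr>'.

    An empty list means the group is at least as tight as the guide's example.
    """
    allowed = ipaddress.ip_network(allowed_cidr)
    findings = []
    for rule in inbound:
        proto = rule.get("IpProtocol")
        lo, hi = rule.get("FromPort"), rule.get("ToPort")
        if proto != "tcp" or lo != port or hi != port:
            findings.append(f"unexpected inbound rule: {proto} {lo}-{hi}")
        for rng in rule.get("IpRanges", []):
            src = ipaddress.ip_network(rng["CidrIp"])
            if src.prefixlen == 0:
                findings.append(f"inbound {proto} {lo}-{hi} open to the Internet ({src})")
            elif src.version != allowed.version or not src.subnet_of(allowed):
                findings.append(f"inbound {proto} {lo}-{hi} from outside the peering VPC ({src})")
    return findings


if __name__ == "__main__":
    print(peering_ingress_permission())
    print("findings:", check_ingress(SAMPLE_INBOUND) or "none")
```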
Generate new TLS Certificates for SignServer
The default certificates for SignServer are generated upon installation and are self-signed. It is recommended to configure new certificates from a CA which EJBCA trusts. Running a script on the command line of EJBCA Enterprise Cloud Edition can make this a simple process.
To generate new TLS certificates for SignServer, do the following:
1. Start a shell session to the EJBCA instance:
   # ssh -i ec2-user@
   # cd /opt/PrimeKey/support
2. Run the script titled create_ra_tls_certs.sh. Running this script with the -d and -i flags will generate certificates that Apache on the SignServer instance will use. In this demo environment example, the DNS names and IP addresses for our SignServer instance are:
   ec2-54-165-63-62.compute-1.amazonaws.com
   ip-172-16-2-98.ec2.internal
   54.165.63.62
   172.16.2.98
3. Running the script and passing these addresses on the command line will look like the following:
   # sudo ./create_ra_tls_certs.sh -d ec2-54-165-63-62.compute-1.amazonaws.com -d ip-172-16-2-98.ec2.internal -i 54.165.63.62 -i 172.16.2.98
4. Answer y to the prompt about copying the certificates with proper names for Apache. This will output them to /home/ec2-user/pem.
5. Copy this pem folder to the SignServer instance. This should be done over a secure channel between the nodes, via SSH or whatever method meets the organization's security needs.
6. Copy these files to /home/ec2-user/pem on the SignServer node, then move them into the appropriate position in /etc/httpd/ssl and restart Apache with the following commands:
   # cd /home/ec2-user/pem
   # sudo cp * /etc/httpd/ssl/.
   # sudo service httpd restart
7. Run the following command to allow the EJBCA Superadmin access to SignServer:
   # cd /opt/signserver
   # bin/signserver wsadmins -allowany
8. Go to the SignServer Administrators tab and click Add.
9. Click Load Current and add the Roles: Admin, Auditor, Archive Auditor for the EJBCA SuperAdmin, and then click Add.
10. On the SignServer Administrators tab, change the Current Setting: Allow any to Only Listed by clicking Switch to "Only Listed".
Allow Peer Connections in SignServer
To allow Peer Connections in SignServer, do the following:
1. Log in to the SignServer Administration Web.
2. Select Administrators at the top.
3. Under Peer Systems, select Allow incoming connections and click Save.
   The following text displays: "No peer has successfully connected to this node."
Peer Connection Configuration
The Peer Connection is configured in the following steps:
- Step 1: Create Crypto Token for Peering Key
- Step 2: Create a Certificate Profile for the Peer
- Step 3: Setup the Key Bindings
- Step 4: Generate a CSR for the KeyBinding
Step 1: Create Crypto Token for Peering Key
To create a Crypto Token for the Peering Key, do the following:
1. Create a Crypto Token on the EJBCA instance by selecting Crypto Tokens under CA Functions.
2. Click Create New.
3. Enter a Name for the Crypto Token, an Authentication Code, and enable Auto-activation to ensure that the Crypto Token comes online and is available after a reboot. Click Save.
4. Enter the key name signserver_peer_systems_key, select RSA 2048, and click Generate new key pair.
Step 2: Create a Certificate Profile for the Peer
To create a Certificate Profile for the Peer, do the following:
1. Select Certificate Profiles under CA Functions.
2. In the List of Certificate Profiles enter a name such as SignServer Peer Profile and click Add.
3. Click Edit on the newly created SignServer Peer Profile. Select the following options in the profile and click Save:
   Available Key Algorithms: RSA
   Available Bit Lengths: 2048
   Validity or end date of the certificate: 10y
   Extended Key Usage: Client Authentication
4. Under RA Functions, select End Entity Profiles.
5. Enter a name for a new profile in the Add Profile field, such as SignServer Peer EE Profile, and click Add.
6. Select the SignServer Peer EE Profile and click Edit End Entity Profile.
7. Within the profile select the following values and then click Save:
   Default Certificate Profile: SignServer Peer EE Profile
   Available Certificate Profiles: SignServer Peer EE Profile
   Default CA: ManagementCA
   Available CAs: ManagementCA
   Default Token: User Generated
   Available Tokens: User Generated
Step 3: Setup the Key Bindings
Set up the key bindings in the following steps:
1. Click Internal Key Bindings under System Functions.
2. On the AuthenticationKeyBinding tab, click Create new and specify the following:
   Name: Peer System Key Binding to SignServer
   Crypto Token: PeerSystemsToken
   Key Pair Alias: signserver_peer_systems_key
   Signature Algorithm: SHA256WithRSA
   Protocol and Cipher Suite: TLSv1.2;TLS_RSA_WITH_AES_256_CBC_SHA256
3. Click Create and then click Back to overview.
Step 4: Generate a CSR for the KeyBinding
Do the following to generate a CSR for the Key Binding:
1. In the Internal Key Bindings overview, select the CSR action for the Peer System Key Binding to SignServer to download a CSR.
2. Save this file to a location on your computer.
3. Select RA Web in the EJBCA Admin Web menu to access the RA Web.
4. In the EJBCA RA, click Make New Request.
5. In Certificate Type, select the SignServer Peer EE Profile. Then upload the CSR by clicking Browse to select the CSR downloaded in the previous step and click Upload CSR.
6. Change the CN, Common Name if desired, and then enter the Username "signserver_peer".
7. Click Download PEM to download the signed certificate and save this file to a location on your computer.
8. Go back to the EJBCA Admin Web and select Internal Key Bindings under System Functions.
9. Under the Import externally issued certificate header, click Browse, select the PEM file downloaded in the previous step and click Import.
   A notification appears at the top that the Operation completed without errors.
10. Click Enable on the Key Binding. A notice appears at the top that the Peer System Key Binding to SignServer status is now ACTIVE, and a check-mark indicates its active status.
Creating the Peer Connection
To create the Peer Connection, do the following:
1. Select Peer Systems under System Functions and make sure that the Allow outgoing connections option is selected.
2. Click Add and specify the following in the Create Peer Connector screen:
   Name: Peer Connection to SignServer
   URL: https://ip-172-16-2-98.ec2.internal/signserver/peer/v1
   NOTE: This will be the internal DNS name for your SignServer instance.
   Authentication Key Binding: Peer System Key Binding to SignServer
   Enabled: Selected
3. Click Create.
4. Click Ping. You should get an error that says: "Unable to connect to peer. Unauthorized". This "error" is expected because we have not yet allowed the connection on the SignServer side.
Allow Peer Connection in SignServer
To allow the Peer Connection in SignServer, do the following:
1. Access the SignServer Administration GUI.
2. Select Administrators at the top.
3. Under the Incoming Connections section you will see a new connection attempt:
4. Click Add Authorization.
5. Select Peer System and click Add.
   There will now be a second Authorization with a Peer System role.
Configuring Automatic Generation and Key Renewal over Peers
Configuration of Automatic Generation and Key Renewal over Peers is done in the following steps:
- SignServer Configuration
- EJBCA Configuration
- Create the End Entity on EJBCA
SignServer Configuration
For this section we are going to create a PDF Signer that will allow key and certificate renewal over the peer connection. This saves having to pass CSRs around from SignServer to EJBCA when doing certificate renewals.
To create the PDF Signer, do the following:
1. Access the SignServer Administration Web.
2. Click on Workers, click Add and then select From Template.
3. In Load from Template, select pdfsigner.properties and click Next.
4. In the Configuration, comment out the line WORKERGENID1.DEFAULTKEY=signer00003 since we want to use our own key, and click Apply.
5. The worker is added with an "Inactive" state. Click the PDFSigner Worker to select it and then select the Configuration tab.
6. Click Add and specify the following under Add Property:
   Name: "PEERS_VISIBLE"
   Value: "true"
7. Click Submit to add the property to the configuration.
8. Click back onto the worker to select it and then click Renew key.
9. Under Renew Keys, enter the following details:
   Key Algorithm: "RSA"
   Key Specification: "2048"
   New Key Alias: "PDFSignKey0001"
10. Click Generate.
EJBCA Configuration
Configure EJBCA according to the following:
1. Access the Administration GUI for EJBCA.
2. Select Certificate Profiles under CA Functions and add a profile called "PDF Signer Certificate Profile":
3. Click Edit on the Certificate Profile once added, specify the following attributes and click Save:
   Available Key Algorithms: RSA
   Available Bit Lengths: 2048
   Validity or end date of the certificate: 5y
   Extended Key Usage: PDF Signing
4. Under RA Functions, click End Entity Profiles.
5. Enter a name for a new profile in the Add Profile field, such as PDF Signer EE Profile, and click Add.
6. Select the SignServer Peer EE Profile and click Edit End Entity Profile.
7. Within the profile select the following values:
   Default Certificate Profile: PDF Signer EE Profile
   Available Certificate Profiles: PDF Signer EE Profile
   Default CA: ManagementCA
   Available CAs: ManagementCA
   Default Token: User Generated
   Available Tokens: All
Create the End Entity on EJBCA
To create the End Entity on EJBCA:
1. In the EJBCA Admin Web, select Add End Entity under the RA Functions section.
2. Specify the following for the End Entity and then click Add.
   End Entity Profile: PDF Signer EE Profile
   Username: PDFSigner
   Password:
   CN, Common name: "PDFSigner" (must match the worker name in SignServer)
   Certificate Profile: PDF Signer Certificate Profile
3. Select Peer Systems under System Functions.
4. Click Manage on the Peer Connection to SignServer and select the Remote Key Bindings tab.
5. The Remote name of PDFSigner and the Remote key pair value of PDFSignKey0001 should be populated already if the configuration was done correctly. In Local end entity enter PDFSigner:
6. Click Issue signing certificate. The certificate details will now show with a certificate serial number bound to the binding:
   Go to the SignServer Admin Web, select the Workers tab and check that the PDFSigner worker is now active.
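As an added example that is not part of the PrimeKey guide or of SignServer itself, the following Python applies the worker changes from the SignServer Configuration section (commenting out WORKERGENID1.DEFAULTKEY and adding PEERS_VISIBLE=true) to a worker properties text and checks that the worker NAME matches the end entity CN required in the Create the End Entity on EJBCA steps above. The WORKERGENID1. prefix is assumed from SignServer's worker-properties convention, and the template text is a constructed stand-in for pdfsigner.properties.

```python
"""Added example (not from the PrimeKey guide or SignServer): prepare the
PDFSigner worker for key renewal over the peer connection.

Assumption: worker properties use SignServer's WORKERGENID1.<PROPERTY> form,
as in the guide's WORKERGENID1.DEFAULTKEY line. The template below is a
constructed stand-in for pdfsigner.properties, not the real file.
"""
PREFIX = "WORKERGENID1."

SAMPLE_TEMPLATE = """\
WORKERGENID1.TYPE=PROCESSABLE
WORKERGENID1.NAME=PDFSigner
WORKERGENID1.DEFAULTKEY=signer00003
"""


def parse_properties(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are skipped."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props


def prepare_for_peer_renewal(text):
    """Comment out DEFAULTKEY (the key is generated with Renew key instead)
    and add PEERS_VISIBLE=true, as the guide does in the Admin Web."""
    out = []
    for line in text.splitlines():
        if line.partition("=")[0].strip() == PREFIX + "DEFAULTKEY":
            out.append("#" + line)  # keep the line visible but inactive
        else:
            out.append(line)
    out.append(PREFIX + "PEERS_VISIBLE=true")
    return "\n".join(out) + "\n"


def check_peer_renewal_config(text, end_entity_cn):
    """Return problems against the guide's requirements: NAME must equal the
    EJBCA end entity CN, DEFAULTKEY must be gone, PEERS_VISIBLE must be true."""
    props = parse_properties(text)
    problems = []
    name = props.get(PREFIX + "NAME")
    if name != end_entity_cn:
        problems.append(f"worker NAME {name!r} does not match end entity CN {end_entity_cn!r}")
    if PREFIX + "DEFAULTKEY" in props:
        problems.append("DEFAULTKEY is still set; the template key would be used")
    if props.get(PREFIX + "PEERS_VISIBLE", "").lower() != "true":
        problems.append("PEERS_VISIBLE is not true (the guide requires it)")
    return problems


if __name__ == "__main__":
    prepared = prepare_for_peer_renewal(SAMPLE_TEMPLATE)
    print(prepared)
    print("problems:", check_peer_renewal_config(prepared, "PDFSigner") or "none")
```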
Automatically Renewing the Key Binding Key
A service can be created to automatically update the key used for the authentication key binding. This is done via an EJBCA service.
To create a service to automatically renew the key binding key, do the following:
1. Select Services under System Functions.
2. Under Add Service, enter the name Peer Connection to SignServer Updater and click Add.
3. Select the newly added service, click Edit Service and set the following attributes:
   Select Worker: Remote Internal Key Binding Updater
   Peer System: Peer Connection to SignServer
   Renew key pair: Selected
   Active: Selected
4. Click Save.