Changing Client Certificate and Trusted CA for Management Interface

The following example shows how to change the client certificate and update the trusted CA for Management Interface using WebConf.

The new superuser certificate has to be issued by the same CA (MyCustomCA) whose chain will be installed as the trusted CA for TLS client authentication. First, provide the details of the certificate (MyUsername.pem) that will be used as the superuser certificate.

  1. Open the WebConf Access tab:

    (Screenshot: WebConf Access tab)
  2. Check the SubjectDN of the certificate using openssl.
    Run the following command as 'user':

    $ openssl x509 -in MyUsername.pem -subject
    subject= /C=MyCountry/O=MyCompany/SN=MyLastName/GN=MyFirstName \
    /serialNumber=G824734/CN=MyFirstName MyLastName/UID=R4501ZHE

    In the SubjectDN entered in WebConf, the slashes (/) that separate the attributes in the openssl output have to be replaced with commas (,).

  3. In the section PKI Appliance Management Accounts, select clientcert, provide the following SubjectDN and click Add:

    C=MyCountry, O=MyCompany, SURNAME=MyLastName, GN=MyFirstName, serialNumber=G824734, CN=MyFirstName MyLastName, UID=R4501ZHE

    Caution

    EJBCA uses org.bouncycastle.asn1.x500.style.BCStyle, which interprets SN as serialNumber, and inherits this behaviour in org.cesecore.util.CeSecoreNameStyle for legacy reasons. You therefore have to replace SN with SURNAME in the SubjectDN; otherwise the entered DN will not match the certificate and you risk being locked out of the Management Interface.

    (Screenshot: WebConf Access, adding a new client certificate for TLS authorization)
  4. In the section Trusted CAs for TLS client authentication, click Browse and select the MyCustomCA-chain.pem file.

    The whole chain from the issuer CA of the client certificate up to the trusted RootCA is required.

    (Screenshot: WebConf, uploading the new trusted CA chain)
  5. Click Activate new CA certificate to make the TLS layer switch to the newly uploaded trusted CA chain.

  6. Once the update has been applied, the new trust configuration is used for client certificate authentication on the Management Interface.

    (Screenshot: WebConf, new configuration for the Management Interface in use)
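As an added helper that is not part of the original instructions, the following POSIX shell script converts the subject line printed by openssl in step 2 into the comma-separated SubjectDN format entered in step 3 (including the SN to SURNAME replacement from the caution) and, when given the chain file and client certificate as arguments, verifies with openssl that the certificate actually chains to MyCustomCA-chain.pem before you activate the new trust in step 5. The function names webconf_dn and check_chain are my own; the SAMPLE subject is the one shown in step 2.

```shell
#!/bin/sh
# Added helper (not from the original page): derive the WebConf SubjectDN
# from an openssl subject line and check the client cert against the CA chain.

# Convert "openssl x509 -subject" output into the WebConf SubjectDN format:
#  - strip the "subject=" prefix and the leading slash,
#  - turn each "/attr=" separator into ", attr=" (older openssl output),
#  - turn "attr = value" into "attr=value" (openssl 1.1+ output),
#  - rename SN to SURNAME, because EJBCA's BCStyle reads SN as serialNumber.
webconf_dn() {
  printf '%s\n' "$1" \
    | sed -e 's/^subject= *//' \
          -e 's#^/##' \
          -e 's#/\([A-Za-z]*=\)#, \1#g' \
          -e 's/ = /=/g' \
          -e 's/^SN=/SURNAME=/' \
          -e 's/, SN=/, SURNAME=/g'
}

# Pre-flight check before "Activate new CA certificate": the superuser
# certificate must validate as a TLS client certificate against the chain
# file, otherwise the new trust configuration locks you out.
# $1: CA chain file (MyCustomCA-chain.pem), $2: client cert (MyUsername.pem)
check_chain() {
  openssl verify -purpose sslclient -CAfile "$1" "$2"
}

# Constructed sample: the subject printed in step 2 of the procedure.
SAMPLE='subject= /C=MyCountry/O=MyCompany/SN=MyLastName/GN=MyFirstName/serialNumber=G824734/CN=MyFirstName MyLastName/UID=R4501ZHE'

if [ "$#" -eq 2 ]; then
  # Real run: verify the chain first, then print the DN to paste into WebConf.
  check_chain "$1" "$2" || exit 1
  webconf_dn "$(openssl x509 -in "$2" -noout -subject)"
else
  webconf_dn "$SAMPLE"
fi
```

Run it as `./webconf_dn.sh MyCustomCA-chain.pem MyUsername.pem`; a failed verify means the DN you would add cannot be authenticated by the chain you are about to trust.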