Step 1: Install Hardware Appliance as Dedicated VA

Installing the Hardware Appliance as dedicated VA requires the following steps.

Renaming the Management CA

Proceed as follows in the CA Hardware Appliance to rename ManagementCA to PeerMgmtCA:

  1. In the WebConf Platform > Applications tab of the CA Hardware Appliance, click the Management access link. This opens EJBCA Administration.
  2. In the left-side menu, click CA Functions > Certification Authorities to open the Manage Certification Authorities page.
  3. In the List of Certification Authorities, select ManagementCA.

  4. In the field Add CA, enter PeerMgmtCA and click Rename selected.

    Rename ManagementCA to PeerMgmtCA
  5. In the left-side menu, click Public Web to open the public EJBCA pages.
  6. In the left-side menu, click Retrieve > Fetch CA Certificates to open the Fetch CA Certificates page.
  7. Find the entry CA Certificate for the PeerMgmtCA and click Download as PEM to download the certificate.
    You will need this certificate for the installation of the VA Hardware Appliance instance.

Installing the VA Hardware Appliance

To install the VA Hardware Appliance, follow the description in the Using External CA for Installation section.
Consider the following specific details for the WebConf wizard steps:

  • Network settings: Use a name that describes the function of the Hardware Appliance, as in the following example:

    VA installation: Network settings
  • Management CA Settings:
    a) Select Use existing Management CA.
    b) Click Browse to search for and select the .pem file that you downloaded for the PeerMgmtCA:

    VA installation: Management CA Settings


    c) Wait for the PEM upload to finish.
    In the field SuperAdmin full Subject DN, enter the Subject DN used in the CA Hardware Appliance.
    To find this value, go to the WebConf Access > Appliance accounts tab of the CA Hardware Appliance. The value is in the MatchValue field:

    VA installation: Subject DN

Changing the Application Interface TLS Certificate

Proceed as follows to change the Application Interface TLS certificate in the VA Hardware Appliance.

In this example, you will create a new certificate that will be signed by PeerMgmtCA.

  1. In the VA Hardware Appliance, open the tab Access > Server TLS certificates in WebConf and copy the value in the Issuer field:

    Copy issuer value from VA-WebConf
  2. In the CA Hardware Appliance, create an end entity which will be issued the new TLS certificate.
    In the CA Hardware Appliance, open the EJBCA AdminWeb, select RA Functions > Add End Entity and enter the following values:

    • EndEntityProfile: Select SslServerProfile
    • Username: Enter ssl_va_app
    • Password (or Enrollment Code): Enter foo123
    • Confirm Password: Enter foo123
    • CN, Common name: Enter <the_value_you_copied_in_the_previous_step>
    • IP Address: Enter <the_value_you_copied_in_the_previous_step>
    • Certificate Profile: Select SslServerProfile
    • CA: Select PeerMgmtCA
    • Token: Select User Generated

    Click Add to confirm your entries.


    Add End Entity in CA Hardware Appliance
  3. In the VA Hardware Appliance, create a CSR as follows:
    1. Open the tab Access > Server TLS certificates in WebConf.
    2. In the section Application Interface, click Generate new key pair.
    3. Click CreateCSR > DownloadCSR and save the file:

      Download CSR for Application Interface in VA
  4. In the CA Hardware Appliance, open the EJBCA PublicWeb and select Enroll > Create Certificate from CSR.
  5. Enter the Username and Enrollment code that you used when adding the end entity, and click Browse to select the previously downloaded .crs.pem file.
  6. For Result type select PEM – full certificate chain and click OK:

    Sign certificate for VA Application Interface from CSR
  7. Click Save File to save the certificate .pem file.
  8. In the VA Hardware Appliance, click Browse to select and upload the signed request .pem file. Confirm that the Next Issuer is displayed.
  9. Click Activate new cert and wait a few seconds for the configuration to be updated.

    Activate new certificate for VA Application Interface
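
A check that fits between steps 7 and 8 above, given as an added example (it is not part of the original documentation or of the appliance's tooling): before uploading the signed .pem file, confirm with OpenSSL that the certificate was issued for the key pair behind the downloaded CSR and that it chains to the PeerMgmtCA certificate fetched earlier. The function names and the script name are hypothetical, and the three file paths are whatever names you saved the files under.

```bash
#!/usr/bin/env bash
# Added example: pre-upload checks for the Application Interface certificate.
# Assumes OpenSSL is installed; all file names are whatever you saved them as.

# Print the public key (SubjectPublicKeyInfo, PEM) of a CSR or certificate.
# $1 = "req" for a CSR or "x509" for a certificate, $2 = PEM file.
pubkey_of() {
  openssl "$1" -in "$2" -noout -pubkey 2>/dev/null
}

# check_issued_cert <csr.pem> <chain.pem> <peermgmtca.pem>
#   return 1: a file could not be parsed
#   return 2: certificate was not issued for the key pair behind the CSR
#   return 3: certificate does not chain to the given CA certificate
check_issued_cert() {
  csr_key=$(pubkey_of req "$1")
  crt_key=$(pubkey_of x509 "$2")   # x509 reads the first certificate (the leaf)
  if [ -z "$csr_key" ] || [ -z "$crt_key" ]; then
    echo "cannot read CSR or certificate" >&2; return 1
  fi
  if [ "$csr_key" != "$crt_key" ]; then
    echo "certificate key does not match the CSR" >&2; return 2
  fi
  # The chain file doubles as the source of any intermediate certificates.
  if ! openssl verify -CAfile "$3" -untrusted "$2" "$2" >/dev/null 2>&1; then
    echo "certificate does not chain to $3" >&2; return 3
  fi
  # Show what is about to be activated so it can be compared with WebConf.
  openssl x509 -in "$2" -noout -subject -issuer -enddate
}

# Run directly: ./check_cert.sh va.csr.pem chain.pem PeerMgmtCA.pem
if [ "$#" -eq 3 ]; then
  check_issued_cert "$@"
fi
```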

Renaming the Management CA and configuring peer systems

In the beginning, you renamed the Management CA to PeerMgmtCA in the CA Hardware Appliance instance. In the next steps, you will do the same for the VA Hardware Appliance and configure the peer systems.

  1. Open VA Hardware Appliance AdminWeb > Certification Authorities and select ManagementCA.
  2. In the Add CA field enter PeerMgmtCA and click Rename.
  3. Open VA Hardware Appliance AdminWeb > System Functions > Peer Systems and make sure only Allow Incoming connections is selected.
  4. Open CA Hardware Appliance AdminWeb > System Functions > Peer Systems and make sure only Allow outgoing connections is selected.
  5. In the section Outgoing Peer Connectors, click Add, enter the following values and click Create:

    • Name: Enter VA1
    • URL: Enter https://<application_VA_IP>:443/ejbca/peer/v1
    • Authentication Key Binding: Identify created during installation
    • Enabled: Enable this option
  6. Click Ping to ping the connector.
    No privileges have been configured yet, so you will receive the following message: Unable to connect to peer. Unauthorized.

    Ping to test the connection
  7. In the VA Hardware Appliance, the page VA Hardware Appliance AdminWeb > Peer Systems indicates that the CA-peer tried to connect with it. Click Create authentication to create authentication for the CA-peer.
  8. For Role, select Create new role to create a new role for the connection, and click Select:

    Create a new role for incoming request
  9. For Authorize incoming connections, specify the following and click Create authorization:

    • Role: Specify CA_Peer to rename the role.
    • Generic rules: Enable Role is intended for peer connections.
    • CAs: Enable Access 'PeerMgmtCA'.
    • Publishing: Enable all Publishing options.
  10. In the page CA Hardware Appliance AdminWeb > Peer Systems, click Manage to manage the peer connector.
  11. In the form Management Operations for 'VA1', specify the following and click Start:

    • Push certificate: Enable this option.
    • Push integrity protection: Enable this option.
    • Only check for discrepancies (dry run): Enable this option.
    • Filter: Select Certificate Profile.
    • Certificate Profiles: Select SslServerProfile.
  12. The CA-peer is now authorized to connect to the VA-peer and perform the actions configured in the previous step. This is indicated in the Status field, which displays Status Added:3:

    Check status of data synchronization in CA