Step 3: Create OCSP Key Binding in VA and Publisher in CA Hardware Appliance

The following describes the actions to perform to create an OCSP key binding in the VA Hardware Appliance and then a publisher in the CA Hardware Appliance.

Creating a Key Binding in the VA Hardware Appliance

  1. In the VA Hardware Appliance, go to the EJBCA Admin Web and open System Functions > Internal Key Bindings.
  2. Click Create new to create a new key binding:

    Create new OCSP key binding
  3. Enter the following values for the new key binding and click Create:

    • Name: Enter VAOcspKeyBinding.
    • Crypto Token: Select OCSP key.
    • Key Pair Alias: Select signKey.
    • Signature Algorithm: Select SHA256WithRSA.
    • Certificate Authority: Select PeerMgmtCA and click Add.
    • Responder ID: Select KEYHASH.
    • Include signing certificate in response: Enable this option.
    • Include certificate chain in response: Enable this option.

    Configure OCSP Key Binding
  4. The key binding is created and the following message is displayed: VA OcspKeyBinding created with id 1255634201:

    Created OCSP key binding
  5. Click Back to OcspKeyBinding overview.
  6. Click CSR to download the CSR and save the file:

    Download the CSR for OCSP key binding

Creating a Publisher in the CA Hardware Appliance

  1. In the CA Hardware Appliance, go to the EJBCA Admin Web and open RA Functions > End Entity Profiles.
  2. In the field Add profile enter OCSPEndEntityProfile and click Add profile.
  3. Select OCSPEndEntityProfile and click Edit End Entity Profile:

    Edit OCSPEndEntityProfile
  4. Edit the profile as follows and click Save:

    • End Entity E-mail: Disable this option.

      Section Subject DN Attributes:
    • O, Organization: Select Required and enter PrimeKey Labs
    • C, Country: Select Required, and enter SE

      Section Main certificate data (not visible in screenshot):
    • Default Certificate Profile: Select OCSPSIGNER
    • Available Certificate Profile: Select OCSPSIGNER
    • Default CA: Select PeerMgmtCA
    • Available CAs: Select PeerMgmtCA
    • Default Token: Select User Generated
    • Available Tokens: Select User Generated

    Edit OCSPEndEntityProfile
  5. In the EJBCA Admin Web, open RA Functions > Add End Entity, specify the following, and click Add:

    • End Entity Profile: Select OCSPEndEntityProfile
    • Username: Select OCSP_end_entity
    • Password (or Enrollment Code): Enter foo123
    • Confirm Password: Enter foo123
    • CN, Common Name: Enter OCSP
    • Certificate Profile: Select OCSPSIGNER
    • CA: Select PeerMgmtCA
    • Token: Select User Generated

    Add OCSP End Entity in CA Hardware Appliance
  6. Go to the EJBCA Public Web, open Enroll > Create Certificate from CSR and specify the following:

    • Username: Enter OCSP_end_entity
    • Enrollment code: Enter foo123
    • Request file: Click Browse and select the CSR you downloaded in the previous step.
    • Result Type: Select PEM - full certificate chain

    Click OK to confirm your entries.

    Create Certificate from CSR
  7. Save the signed CSR:

    OCSP CSR is signed successfully
  8. In the VA Hardware Appliance, go to the EJBCA Admin Web and open RA Functions > Internal Key Bindings.
  9. In the section Import externally issued certificate, click Browse to upload the signed CSR, and click Import:

    Upload the signed OCSP CSR in VA


  10. In the same page, click Enable to enable the key binding:

    Enable OCSP key binding
  11. In the section Set Default Responder, select VA OcspKeyBinding, and click Set:

    Set default responder
  12. In the CA Hardware Appliance, go to the EJBCA Admin Web and open CA Functions > Publishers.
  13. In the Add Publisher field, enter VA1 Publisher and click Add.
  14. Select the entry VA1 Publisher in the List of Publishers and click Edit Publisher:

    Add publisher in CA Hardware Appliance


  15. Configure the publisher as follows:

    • Publisher Type: Select Validation Authority Peer Publisher
    • Remote System: Select VA1 (XXXXXXXX)
    • Enable the following options:
      • Store certificate at the Validation Authority
      • Store CRL at the Validation Authority
      • Use queue for CRLs
      • Use queue for certificates
  16. Click Save and Test Connection, and then click Save:

    Configure the publisher in CA-Appliance
  17. In the CA Hardware Appliance, go to the EJBCA Admin Web and open RA Functions > Search End Entities. There you can view a certificate that belongs to the end entity and download it as <certificate_to_be_controlled>.pem.
  18. Run the following command as a user to check the certificate's validity against the OCSP setup:

    openssl ocsp -issuer <issuer>.pem -CAfile <issuer>.pem -cert <certificate_to_be_controlled>.pem -req_text -url \
    http://<VA_application_interface>:80/ejbca/publicweb/status/ocsp -resp_text

  19. The output looks like the following:

    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: C45788773EDFD1434ED1D8A3C6E3CF176D78B82A
              Issuer Key Hash: EE5D0AE56A64E9001423A2F6FBFDBFF8BC4266E3
              Serial Number: 41DC620FBFCB39C6
        Request Extensions:
            OCSP Nonce:
                04104775FF9F9A74069EE07ED378AEA83E99
    OCSP Response Data:
    ...
    Xu40z8I796LuqZx99W7eYyAutEir+ZLo31szYuDI+Q==
    -----END CERTIFICATE-----
    Response verify OK
    ssl_app.pem: good
        This Update: Dec 4 14:22:17 2014 GMT
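
The check in steps 18 and 19 can be scripted so that a monitoring job fails unless the response is both signature-verified and reports good. This is an added example, not part of the original documentation: ocsp_verdict and check_cert are hypothetical helper names, and the sample output is constructed. openssl writes "Response verify OK" to stderr, so the wrapper merges stderr into stdout.

```shell
#!/bin/sh
# Added example: classify the text printed by `openssl ocsp ... -resp_text`.
# ocsp_verdict (hypothetical helper) reads that text on stdin.
# Exit codes: 0 = verified and good, 1 = revoked/unknown, 2 = not trustworthy.
ocsp_verdict() {
    awk '
        /^Response verify OK/ { verified = 1 }
        # Final status line is "<file>: good|revoked|unknown" at column 0.
        # The indented "Cert Status:" line inside -resp_text is ignored.
        /^[^ \t].*: (good|revoked|unknown)$/ { status = $NF }
        /This Update:/ {
            sub(/^[ \t]*This Update:[ \t]*/, "")
            this_update = $0
        }
        END {
            # A status without a verified signature must not be trusted.
            if (!verified)        { print "FAIL signature-not-verified"; exit 2 }
            if (status == "")     { print "FAIL no-status"; exit 2 }
            if (status != "good") { print "FAIL " status; exit 1 }
            print "OK good thisUpdate=" this_update
        }'
}

# Wrapper around the command from step 18 (same flags as on the page).
# usage: check_cert <issuer>.pem <cert>.pem <OCSP URL>
check_cert() {
    openssl ocsp -issuer "$1" -CAfile "$1" -cert "$2" -url "$3" \
        -resp_text 2>&1 | ocsp_verdict
}

# Constructed sample output, shortened, for running the parser offline.
sample_good() {
    cat <<'EOF'
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Cert Status: good
Response verify OK
ssl_app.pem: good
    This Update: Dec 4 14:22:17 2014 GMT
EOF
}

# Same sample with the status flipped to revoked.
sample_revoked() {
    sample_good | sed 's/: good$/: revoked/'
}

sample_good | ocsp_verdict
```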