The following describes the steps included in EJBCA CA to VA configuration and administration tasks related to VA management.

Apache Certificate Generation for the VA

Generate the Apache Certificate for the VA by following the instructions for the CA and the VA Server below.

Step 1: On the CA

SSH into the CA server and navigate to the /opt/PrimeKey/support directory.

Start by taking a backup of the system:

# /opt/PrimeKey/support/system_backup.sh

Generate TLS certificates for the VA server on the CA. Since a VA will most likely have two IP addresses and two DNS addresses, those are indicated with the -d and -i flags. In this case the IP and DNS names the host has are:

  • ec2-13-59-110-179.us-east-2.compute.amazonaws.com
  • ip-172-31-0-115.ec2.internal
  • 35.153.160.120
  • 172.31.0.115

# /opt/PrimeKey/support/create_ra_tls_certs.sh -d ec2-13-59-110-179.us-east-2.compute.amazonaws.com -d ip-172-31-0-115.ec2.internal -i 35.153.160.120 -i 172.31.0.115

The script will ask whether to generate the certificates in the format that Apache expects on the VA.

Choose Y and press Enter. It will output these files into the /home/ec2-user/pem directory for easy copying.

The three files output will be:

  • managementca.ca-mgmt.pem
  • server-mgmt.key
  • server-mgmt.pem

Copy these files to the VA server and put them into place with the instructions in the next section.

Step 2: On the VA Server

SSH into the VA server and start by taking a backup of the system.

# /opt/PrimeKey/support/system_backup.sh

Copy the three files from /home/ec2-user/pem on the CA to the new VA. Then copy the files (most likely placed in /home/ec2-user/) to the /etc/httpd/ssl directory and restart Apache:

# cp /home/ec2-user/managementca.ca-mgmt.pem /home/ec2-user/server* /etc/httpd/ssl/
# service httpd restart
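Before the copied files are relied on, it is worth confirming that the server certificate carries every DNS name and IP passed with -d and -i, and that the key file belongs to it; an omitted name gives TLS name-mismatch errors and a wrong key keeps httpd from starting. The script below is an added example, not part of the EJBCA Cloud documentation or its support scripts, and uses the page's example host names and file names:

```shell
#!/bin/sh
# Added example, not from the EJBCA Cloud documentation: check the files
# produced by create_ra_tls_certs.sh before they go into /etc/httpd/ssl.
# The DNS names and IPs below are the page's example values.

# cert_sans <cert.pem>: print the subjectAltName entries one per line,
# normalised to DNS:<name> or IP:<address>.
cert_sans() {
    openssl x509 -in "$1" -noout -text |
        awk '/Subject Alternative Name/ {
                 getline; sub(/^[ \t]+/, "")
                 n = split($0, a, /, */)
                 for (i = 1; i <= n; i++) print a[i]
                 exit }' |
        sed 's/^IP Address:/IP:/'
}

# cert_covers <cert.pem> <DNS:name|IP:addr>...: succeed only if every entry
# given is present in the certificate; report each missing one on stderr.
cert_covers() {
    cert=$1; shift
    sans=$(cert_sans "$cert")
    missing=0
    for want in "$@"; do
        if ! printf '%s\n' "$sans" | grep -qxF -- "$want"; then
            echo "missing from $cert: $want" >&2
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# key_matches_cert <cert.pem> <key.pem>: true when the public half of the
# private key equals the public key embedded in the certificate.
key_matches_cert() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# check_va_tls_files: the checks for the example VA from the page, run in
# the directory holding the copied files.
check_va_tls_files() {
    cert_covers server-mgmt.pem \
        DNS:ec2-13-59-110-179.us-east-2.compute.amazonaws.com \
        DNS:ip-172-31-0-115.ec2.internal \
        IP:35.153.160.120 IP:172.31.0.115 &&
    key_matches_cert server-mgmt.pem server-mgmt.key
}
```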

Convert the server to a VA using the install_ra.sh script. Note that this is the same script that is used to configure a server into an RA. There are many configuration commonalities between RAs and VAs from a system standpoint; the Peer Connections and permissions are where they differ. The install_ra.sh script will import the ManagementCA certificate from the CA server so that the VA is managed by the same ManagementCA as the CA server.

# /opt/PrimeKey/support/install_ra.sh

The script will ask for the path to the ManagementCA PEM file from the CA server.

Use the managementca PEM that was copied to the /etc/httpd/ssl directory or copy a new one.

Access the VA Administration GUI with the same certificate used to access the CA server. Test this by going to the EJBCA Admin Web on the VA. Note that no Management CA is configured locally on the VA; the external ManagementCA is used.

Import the CA's Public Certificate Chain into the VA

For the VA to be aware of the CA, we need to import the CA's certificates into the VA. If you need assistance with setting up a CA structure, see the EJBCA Cloud Quick Start Guide.

Step 1: On the CA

To download certificate:

  1. Click CA Structure & CRLs on the CA.
  2. Download the PEM file for the Root and Issuing CAs.

Step 2: On the VA

To import certificate:

  1. Click Certification Authorities.
  2. Click Import CA certificate.
    1. Enter the name for the Root CA.
    2. Click Browse and browse to the CA cert downloaded in the previous step.
    3. Click Import CA Certificate.
  3. Click Import CA Certificate.
    1. Enter the name for the Issuing CA.
    2. Click Browse and browse to the CA cert downloaded in the previous step.
    3. Click Import CA Certificate.

Configure TLS Connections Between the CA and VA

Step 1: Import Profiles on the CA

SSH into the CA server and import the profiles that are going to be used for generating the key binding and peer connection certificates. This imports OCSP and Peer systems profiles.

# /opt/ejbca/bin/ejbca.sh ca importprofiles -d /opt/PrimeKey/ra_profiles/

Step 2: Create Crypto Token to store Peer Systems authentication key on CA

To create a Crypto Token for the key binding to use:

  1. Navigate to Crypto Tokens and select Create new.
  2. Enter a name: Peer Systems Token.
  3. Select Type: Soft.
  4. Enter and repeat Authentication Code.
  5. Enable Auto-activation.
  6. Click Save.
  7. Generate new key pair:
    1. Alias: peer_systems_auth_key.
    2. Key Spec: RSA 4096.

Step 3: Set up Authentication Key Binding for Mutual Authentication on CA

To create an internal key binding for authenticating the TLS connection to the VA:

  1. Start by selecting Internal Key Bindings on the CA.
  2. Click Create new on the AuthenticationKeyBinding tab.
  3. Enter a name: Peer System Key Binding to VA.
  4. Select Crypto Token: "Peer Systems Token".
  5. Key Pair Alias: peer_systems_auth_key.
  6. Signature Algorithm: SHA256WithRSA.
  7. Click Create.

Click Back to overview to go back to the AuthenticationKeyBinding tab and select CSR under the Action column and save the file (Peer System Key Binding to VA.pkcs10.pem).

Step 4: Generate Certificate for TLS Connection

To generate Certificate for TLS Connection:

  1. In the Admin GUI, select RA Web, and select Make New Request.
  2. Select Certificate Type: "Peer Systems User EE Profile".
  3. CA: "ManagementCA".
  4. Click Browse and select the "Peer System Key Binding to VA.pkcs10.pem" file.
  5. Change CN, Common Name to "peersystems".
  6. Change the Username to "peersystems".
  7. Click Download PEM.
  8. Save the file (peersystems.pem).

Step 5: Import Peer Systems certificate into Authentication Key Binding on CA

  1. Choose System Functions > Internal Key Bindings.
  2. Click the AuthenticationKeyBinding tab.
  3. Under Import externally issued certificate:
    1. Target AuthenticationKeyBinding: Peer System Key Binding to VA.
    2. Click Browse.
    3. Select the peersystems.pem file.
    4. Click Import.
  4. Under Action:
    1. Click Enable.
  5. The Peer Systems Authentication Key Binding should now be Active.

Setup Peer Systems

Follow the steps below to setup Peer Systems:

Step 1: On the CA

  1. Choose System Functions > Peer Systems.
  2. Under Outgoing Peer Connectors, click Add.
  3. For Create Peer Connector, specify the following:
    1. Name: Peer Connection to VA
    2. URL: This should be the internal FQDN of the VA. For this example: "https://ip-172.31.0.115.us-east-2.compute.internal/ejbca/peer/v1"
      Warning: EJBCA Enterprise Cloud uses Apache, so no port designation is necessary.
    3. In the Authentication Key Binding list menu, select Peer System Key Binding to VA.
    4. Select Enabled.
    5. Clear Process Incoming Requests.
  4. Click Create.
  5. Click Ping. You should see the error "Unable to connect to peer. Unauthorized".
    Warning: If the error "Unable to connect to peer" displays, this is due to the security groups configuration. Also, make sure that the IP address is used and not an FQDN unless you have internal name resolution across VPCs.

Step 2: On the VA

  1. Choose System Functions > Peer Systems.
  2. You should see a connection attempt from the CA under Incoming Connections.
  3. Click Create Role.
  4. Ensure that – Create new role – is selected, and click Select.
  5. Additional properties will show. Change the Role name to "External VA Role".
  6. Select Accept Long Hanging Connections.
  7. Ensure that Accept RA requests is not selected.
  8. Select Access ManagementCA and any other CAs desired for the VA to access.
  9. Select Publish Certificate.
  10. Select Compare certificate synchronization status.
  11. Click Create new role.

Step 3: On the CA

  1. Click Peer Systems.
  2. Click Manage on the Peer Connection to VA peer connection.
  3. Click Start.
  4. It will say "Running".
  5. Click Refresh.
  6. You should see certificates added or synchronized.

Create a Peer Publisher on the CA

To create a Peer Publisher on the CA, do the following:

  1. Select Publishers in the Administration GUI.
  2. Enter a name such as VA Peer Publisher.
  3. Click Add.
  4. Select the publisher and click Edit.
  5. From the PublisherType list, select Validation Authority Peer Publisher.
  6. Ensure the correct Peer System is selected.
  7. Select Store CRL at the Validation Authority.
  8. Click Save and Test Connection.
  9. You should see Connection Tested Successfully at the top. Click Save.

Edit a Certificate Profile to use the Publisher

In order for generated certificates to be published to the VA, the profiles for the CA need to be configured to use the Peer Publisher.

  1. In the Admin GUI, select CA Functions > Certificate Profiles.
  2. Click Edit next to the profile from which you want to issue certificates (or create a new one).
  3. Under the section Other Data, select VA Peer Publisher next to Publishers.
  4. Click Save.

Edit a Certificate Authority to use the Publisher

In order for generated CRLs and CA Certificates to be published to the VA, the CA needs to be configured to use the Peer Publisher.

  1. In the Admin GUI, select CA Functions > Certification Authorities.
  2. Select the CA to be edited and click Edit CA.
  3. Under the section Other Data, select VA Peer Publisher next to Publishers.
  4. Click Save.

Create Crypto Token to Store Peer Systems Authentication Key on VA

On the VA, create a Crypto Token for the key binding to use.

  1. Navigate to Crypto Tokens and select Create new.
  2. Specify the following for the new crypto token:
    1. Enter a name: OcspKeyBindingToken.
    2. Type: SOFT.
    3. Enter and repeat Authentication Code.
    4. Enable Auto-activation.
  3. Click Save.
  4. Generate new key pair:
    1. Alias: OcspKeyBindingKey
    2. Key Spec: RSA 4096

Set up OCSP Key Binding for Mutual Authentication on the VA

To setup OCSP Key Binding for Mutual Authentication on the VA, do the following:

  1. Click on InternalKeyBindings on the VA and then select the OcspKeyBinding tab.
  2. Click Create new.
  3. Enter a name for the key binding, for example “OCSPKeyBinding_IssuingCA”.
  4. Select the OCSPKeyBindingToken.
  5. Ensure the correct key pair alias is chosen.
  6. Click Create.
  7. Click Back to Overview.
  8. Click CSR under the actions column.
  9. Save the OCSPKeyBinding_IssuingCA.pkcs10.pem file.

On the CA

  1. In the Admin GUI, select RA Web.
  2. Click Make New Request.
  3. Select the OCSP Signer EE Profile.
  4. Select the Issuing CA. This is the CA certificate that is going to stamp the OCSP responses.
  5. Browse to the OCSPKeyBinding_IssuingCA.pkcs10.pem file.
  6. Enter a username, for example “OCSPKeyBinding_IssuingCA”.
  7. Click download PEM.

On the VA

  1. On the Internal Key Bindings > OCSP Key Bindings tab, click Browse to browse to the certificate that was downloaded from the RA Web.
  2. Click Import.
  3. The following message displays “Operation completed without errors.”
  4. Click Update.
  5. Click Enable. An hourglass will show in the Active column and the text “OCSPKeyBinding_IssuingCA status is now ACTIVE” will appear at the top.
  6. Set the Default Responder to be the OCSP Key Binding created.

You need to repeat these steps for any other CAs you want the VA to be an OCSP responder for.

Upload the first CRL to the VA for each CA

On the CA

  1. Click CA Structure & CRLs.
  2. Click Get CRL for the CA being configured for OCSP.
  3. Save the CRL to the local computer.

On the VA

  1. Click CA Structure & CRLs.
  2. Click Browse and point to the CRL downloaded in the previous step.
  3. Select the CA in the list for the CA you are importing the CRL from.
  4. Click Import.

Add a Publisher Queue Process Service

On the CA

To add a Publisher Queue Process Service, perform the following on the CA:

  1. Select Services under System Functions.
  2. In the Add Service dialog, enter the name "Peer Publisher Queue Process Service", and click Add.
  3. Select the newly added service and click Edit Service.
  4. In the Select Worker list, select Publish Queue Process Service.
  5. Select the VA Peer Publisher in the Publishers to check.
  6. Select Active next to Active.
  7. Click Save.

Testing OCSP

Generate a certificate from the Issuing CA using the RA Web. The instructions will not be outlined here. It is easiest to have the key generated server-side and the certificate downloaded as PEM. Once completed, run the following OpenSSL command:

# openssl ocsp -issuer Corporate_Issuing_CAG1.cacert.pem -CAfile Corporate_Root_CAG1.cacert.pem -cert server1.pem -req_text -url https://ec2-54-161-138-211.compute-1.amazonaws.com/ejbca/publicweb/status/ocsp

Where the flags are:

  Option      Description
  -issuer     The Issuing CA public certificate.
  -CAfile     The Root certificate or chain of the CA.
  -url        The URL to the OCSP server.
  -req_text   Optional, but gives more output.

The output should appear as the following:

Where “Response Verify: OK” means that the signed OCSP response from the OCSP server could be validated with the certificates provided in the command. “server1.pem: good” means the certificate status is good.

Revoking the Certificate

  1. Select Search End Entities.
  2. Search by username (end entity name).
  3. Find the End Entity in the search results.
  4. Click View Certificates on the right side.
  5. Select Certificate Hold from the revocation reasons.
  6. Click Revoke.
  7. Run the openssl command again and the status should now be “revoked” with a reason of “Certificate Hold”.
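The OCSP test above and the re-check after revocation are the same query with two expected answers, so they lend themselves to a small script, for instance to confirm from the VA side that a revocation on the CA has been published. The following is an added example, not part of the EJBCA Cloud documentation; the CA file names are the page's example values and the VA host in OCSP_URL is a placeholder to replace with your own.

```shell
#!/bin/sh
# Added example, not from the EJBCA Cloud documentation: wrap the openssl
# ocsp check from the Testing OCSP section so its answer can be scripted.
# ISSUER and CHAIN are the page's example file names; OCSP_URL is a placeholder.

ISSUER="Corporate_Issuing_CAG1.cacert.pem"
CHAIN="Corporate_Root_CAG1.cacert.pem"
OCSP_URL="https://VA_HOSTNAME_PLACEHOLDER/ejbca/publicweb/status/ocsp"

# parse_ocsp_output: reads openssl ocsp output on stdin and prints one word:
#   unverified      the response signature did not verify against CHAIN/ISSUER
#   good | unknown  the certificate status reported by the responder
#   revoked:REASON  revoked, with the reason the responder included
#   error           verified response but no status line was found
# A status line is only trusted after "Response verify OK" has been seen:
# an unsigned or wrongly signed answer must never be treated as "good".
parse_ocsp_output() {
    out=$(cat)
    if ! printf '%s\n' "$out" | grep -qi '^Response verify:* *OK'; then
        echo unverified
        return 0
    fi
    # the status line looks like "server1.pem: good" (two fields, first ends in ":")
    status=$(printf '%s\n' "$out" |
        awk 'NF == 2 && $1 ~ /:$/ && ($2 == "good" || $2 == "revoked" || $2 == "unknown") { print $2; exit }')
    case "$status" in
        revoked)
            reason=$(printf '%s\n' "$out" | awk '$1 == "Reason:" { print $2; exit }')
            echo "revoked:${reason:-unspecified}" ;;
        good|unknown)
            echo "$status" ;;
        *)
            echo error ;;
    esac
}

# query_ocsp <cert.pem>: run the page's openssl command against the VA and
# classify its output; exit status is 0 only for a verified "good" answer.
query_ocsp() {
    result=$(openssl ocsp -issuer "$ISSUER" -CAfile "$CHAIN" -cert "$1" \
        -url "$OCSP_URL" 2>&1 | parse_ocsp_output)
    echo "$1: $result"
    [ "$result" = good ]
}
```

After the Certificate Hold revocation above, query_ocsp server1.pem prints revoked:certificateHold and returns non-zero, which is the expected state; a result of unverified means the responder's signature did not check out and the status must not be relied on.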