Connecting an RA to a CA over Peers

The RA is installed as part of the EJBCA installation and after setting up a CA on localhost, for example, the RA UI will be available on https://localhost:8443/ejbca/ra/.

To install the RA as an external service, install EJBCA with an external Management CA (from your EJBCA CA) and then configure a Peer Connection from the CA to the RA. For more information, see Roles and Access Rules Operations and Peer Systems.

Setting Up a New RA

To set up a new RA polled by the CA, perform the following steps:

Note that this does not describe a complete installation procedure for any use case. 

Step 1: Set up the TLS Connection from CA to RA

On the Issuing CA

First, set up an Authentication Key Binding to identify the CA to the RA:

  1. Create a crypto token and in it a key of appropriate size for TL.
  2. Go to Internal Keybindings and click the Authentication Key Binding tab.
  3. Click Create new and pick the TLS crypto token and key, then click Create.
  4. Return to the overview page and click CSR to get a certificate signing request for the TLS key pair.

On the Management CA

The next step is to have the TLS keys signed by the Management CA:

  1. Go to the RA UI on the Management CA.
  2. Click Enroll and Make New Request.
  3. Under Key-pair Generation, click Provided by User.
  4. Upload/paste the CSR and follow the instructions until you're able to download a certificate in PEM format. This is your TLS certificate.

On the Issuing CA

  1. Go to Internal Keybindings and click the Authentication Key Binding tab.
  2. Under the menu Import externally issued certificate, upload the TLS certificate for your key binding.
  3. Click Enable on the internal key binding.
  4. Click Peer Systems.
  5. Click Edit next to the Peer Connector.
  6. Under the incoming requests section, select Process incoming requests and click Save.
  7. Click Authorized requests.
  8. In the role list, select Create New Role and click Select.
  9. Select all options for all RA rules.
  10. Select all options for Process requests for CA(s).
  11. Select all options for Process requests for End Entity Profile(s).
  12. Click Create new role.

Step 2: Set up the RA to Allow for Incoming Connections

On the RA

To set up the RA to allow for incoming connections, do the following:

  1. Click Peer Systems.
  2. Select Allow incoming connections to allow the CA to connect.

Step 3: Set up an Outgoing Peer Connection

On the Issuing CA

To set up an outgoing peer connection, do the following:

  1. Click Peer Systems.
  2. Under the Outgoing Peer Connection section, click Add.
  3. Pick your newly created authentication key binding and fill in the correct URL to the RA, then click Create.
  4. Click Ping for the new Outgoing Peer Connection to open the initial connection.

Step 4: Set up the Incoming Peer Connection

On the RA

To set up the incoming peer connection, do the following:

  1. The incoming connection from the CA should appear in the Incoming Connections section. The CA can connect, but the RA has been given no rights.
  2. Click on Create Role, and either select a predefined role for the peer connection or have EJBCA create on automatically (suggested). Then click Select.
  3. Select Accept long hanging connections.
  4. Ensure that Accept RA Requests is cleared.
  5. Select Access Management CA and select a CA for which you have imported a CA certificate to the RA.
  6. Click Create new Role.

The role has now been created on the CA for use by the RA.