- EJBCA Introduction
- EJBCA Installation
-
EJBCA Operations
-
EJBCA CA Concept Guide
- Certificate Authority Overview
- Crypto Tokens Overview
- End Entities Overview
- Publishers Overview
- Validators Overview
- Certificate Profiles Overview
- Approval Profiles
- Services
- Peer Systems
- Internal Key Bindings Overview
- Roles and Access Rules
- Protocols
- Logging
- Character Limitations
- User Data Sources
- EJBCA RA Concept Guide
-
EJBCA Operations Guide
-
CA Operations Guide
- Approving Actions
- CA Web Overview
- Configure EJBCA for Public Access
- CRL Generation
- EJBCA Configuration Checker
- EJBCA Maintenance
- End Entities
- End Entity Profile Operations
- Exporting and Importing Profiles
- Importing Certificates
- Key Recovery
- Managing CAs
- Managing Certificate Profiles
- Managing Crypto Tokens
- Managing Internal Keybindings
- Modular Protocol Configuration
- OCSP Management
- Peer Systems Operations
- Roles and Access Rules Operations
- RA Operations Guide
- Command Line Interfaces
- EJBCA Batch Enrollment GUI
- ConfigDump Tool
-
CA Operations Guide
-
EJBCA CA Concept Guide
-
EJBCA Integration
-
Integrating with Third-Party Applications
- Access EJBCA using USB Tokens and Smart Cards
- Native Certificate Autoenrollment for Windows
- Microsoft Intune Device Certificate Enrollment
- Script based Autoenrollment for Windows clients with EJBCA
- Integrating EJBCA with GreyLog
- Versasec Card Management System Integration
- Ciphermail Email Gateway and EJBCA Integration
- Microsoft Smart Card Logon
- EJBCA and Cisco IOS
- OpenSSH and X509 Authentication
- Configure EJBCA with OpenSSO
- Setting up an Apache Web Server as a Proxy
- Setting up an Apache Web Server with mod_jk
- Setting up a HA Proxy in front of EJBCA
- EJBCA with GemSAFE Toolbox
- SensorNet PKI
- Issuing Certificates to Kubernetes Services using cert-manager
- Hardware Security Modules (HSM)
-
Integrating with Third-Party Applications
- Troubleshooting Guide
-
Tutorials and Guides
- Quick Install Guide
- Migrating from other CAs to EJBCA
- Modifying EJBCA
- Enabling Debug Logging
- Creating a custom RA application using EJBCA Web Services and Java
- Using EJBCA as a Certificate Management System (CMS)
- Batch Creating Certificates
- Making an ASN.1 Dump of a Certificate
- Using the Demo Servlet
-
EJBCA Release Information
-
EJBCA Release Notes
- EJBCA 7.3.1.1 Release Notes
- EJBCA 7.3.1 Release Notes
- EJBCA 7.3 Release Notes
- EJBCA 7.2.1.1 Release Notes
- EJBCA 7.2.1 Release Notes
- EJBCA 7.2 Release Notes
- EJBCA 7.1 Release Notes
- EJBCA 7.0.1 Release Notes
- EJBCA 7.0.0 Release Notes
- EJBCA 6.15.2.5 Release Notes
- EJBCA 6.15.2 Release Notes
- EJBCA 6.15.1 Release Notes
- EJBCA 6.15 Release Notes
- EJBCA 6.14.1 Release Notes
- EJBCA 6.14 Release Notes
- EJBCA 6.13 Release Notes
- EJBCA 6.12 Release Notes
- EJBCA 6.11 Release Notes
- EJBCA 6.10 Release Notes
- EJBCA 6.9 Release Notes
- EJBCA 6.8 Release Notes
- EJBCA 6.7 Release Notes
- EJBCA 6.6 Release Notes
- EJBCA 6.5 Release Notes
- EJBCA 6.4 Release Notes
- EJBCA 6.3 Release Notes
- EJBCA 6.2 Release Notes
- EJBCA 6.1 Release Notes
- EJBCA 6.0 Release Notes
- EJBCA Release Notes Summary
- EJBCA Change Log Summary
-
EJBCA Upgrade Notes
- EJBCA 7.3.1.1 Upgrade Notes
- EJBCA 7.3.1 Upgrade Notes
- EJBCA 7.3 Upgrade Notes
- EJBCA 7.2.1 Upgrade Notes
- EJBCA 7.2 Upgrade Notes
- EJBCA 7.1 Upgrade Notes
- EJBCA 7.0.1 Upgrade Notes
- EJBCA 7.0 Upgrade Notes
- EJBCA 6.15.2.5 Upgrade Notes
- EJBCA 6.15 Upgrade Notes
- EJBCA 6.14 Upgrade Notes
- EJBCA 6.13 Upgrade Notes
- EJBCA 6.12 Upgrade Notes
- EJBCA 6.11 Upgrade Notes
- EJBCA 6.10 Upgrade Notes
- EJBCA 6.9 Upgrade Notes
- EJBCA 6.8 Upgrade Notes
- EJBCA 6.7 Upgrade Notes
- EJBCA 6.6 Upgrade Notes
- EJBCA 6.5 Upgrade Notes
- EJBCA 6.4 Upgrade Notes
- EJBCA 6.3 Upgrade Notes
- EJBCA 6.2 Upgrade Notes
- EJBCA 6.1 Upgrade Notes
- EJBCA 6.0 Upgrade Notes
- EJBCA Upgrade Notes Summary
-
EJBCA Release Notes
SafeNet Luna
Installation
For information on installing SafeNet Luna, refer to SafeNet documentation.
Using Luna 6.x/7.x in FIPS Mode
Under FIPS 186-3/4, the RSA methods permitted for generating keys are 186-3 with primes and 186-3 with aux primes. Therefore, RSA PKCS and X9.31 key generation are no longer approved for operation in a FIPS compliant Luna HSM. If you are using the SafeNet Luna HSM in FIPS mode, set the following setting in the configuration file to redirect the older calling mechanism to a new approved mechanism when in FIPS mode:
Misc = { RSAKeyGenMechRemap = 1; }
Configuration
For configuration instructions, refer to the Luna SA Online Help – Document # 800274-xxx document provided on your installation CD.
Perform all of the steps in section A - Configuration (Setup Appliance after Installing) and note the following regarding the setup:
- Step 3: Note that changing many of the policies will reset the HSM and you will not be able to change any of these policies later on.
- Step 4: A new partition could be added at any time. Each partition will be represented as a PKCS#11 slot. Make sure to write the Record Partition Client Password (TP) in a text file. In the example, the password is btqx-EFGH-3456-7/K9 for the first created partition (slot 1). The TP will later be used as PIN for the slot.
- Step 5: We recommend allowing partitions (p11 slots) to be "activated". If a partition is not activated, you will have to insert the black key in the PED and enter the PIN each time a resource in the HSM is used by the client. The following displays an example command to allow activating a partition:
lunash:>partition changePolicy -partition partition1 -policy 22 -value 1
- Step 6: We recommend running from a directory owned by yourself (not having to use sudo) instead of running from the
/usr/LunaSA/bin
directory.
The following shows and example of running from your own directory:$ /usr/lunasa/bin/ctp admin@lunasa.int.primekey.com:server.pem .
$ sudo /usr/lunasa/bin/vtl addServer -n lunasa.int.primekey.com -c server.pem $ sudo /usr/lunasa/bin/vtl createCert -n milton
- Step 7: Each partition assigned to a client will be represented by a PKCS#11 slot for this client. Each newly added partition will be put last in the slot list, and the number of a slot will be slot list index plus 1 (list index starting with 0 and slot number starting with 1). To view the partition slot mapping on the client, run the following. The client may then use these slots with EJBCA and its tools.
$ /usr/lunasa/bin/vtl verify The following Luna SA Slots/Partitions were found: Slot Serial # Label ==== ======== ===== 1 950784001 partition1 2 950784002 partition2
Activating Slots
A partition (slot) must be activated before it can be used by a client as described in B - Administration & Maintenance > Activating and AutoActivating Partitions of the Luna SA Online Help – Document # 800274-xxx document provided on your installation CD. The partition policy required to do the activation must have been set (see step 5 above). The following displays an example for activating a partition using the password from the configuration in step 4 above:
lunash:>hsm login
lunash:>partition activate -partition partition1 -password btqx-EFGH-3456-7/K9
Generate Keys on a Slot
The following displays an exeample for generating keys on a slot using the password btqx-EFGH-3456-7/K9 from the step 4 above:
$ ./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lunasa/lib/libCryptoki2_64.so 2048 rsa2048_1 1
0 [main] INFO org.ejbca.util.keystore.KeyTools - Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
PKCS11 Token [SunPKCS11-Luna] Password:
Created certificate with entry rsa2048_1.
$ ./ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /usr/lunasa/lib/libCryptoki2_64.so secp160r1 secp160r1_1 1
0 [main] INFO org.ejbca.util.keystore.KeyTools - Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
PKCS11 Token [SunPKCS11-Luna] Password:
Created certificate with entry secp160r1_1.
List and Test Keys Used by EJBCA
The following displays an example of listing and testing all keys that could be used by EJBCA:
$ ./ejbcaClientToolBox.sh PKCS11HSMKeyTool test /usr/lunasa/lib/libCryptoki2_64.so 1
Test of keystore with ID 1.
0 [main] INFO org.ejbca.util.keystore.KeyTools - Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
PKCS11 Token [SunPKCS11-libCryptoki2_64.so-slot2] Password:
Testing of key: rsa2048_1
SunJCE version 1.7SunPKCS11-libCryptoki2_64.so-slot2 version 1.7; modulus length: 2048; byte length 245. The docoded byte string is equal to the original!
Signature test of key rsa2048_1: signature length 256; first byte 28; verifying true
Key statistics.
Signings per second: 369; Decryptions per second: 135
Testing of key: secp160r1_1
Signature test of key secp160r1_1: signature length 48; first byte 30; verifying true
Key statistics.
Signings per second: 68 No crypto available for this key.
Sample Hard Token Properties
The following displays a sample configuration of the Hard Token Properties for PKCS#11 token when creating a new CA:
sharedLibrary=/usr/lunasa/lib/libCryptoki2_64.so
slotLabelType=SLOT_NUMBER
slotLabelValue=1
certSignKey=myECCKey
crlSignKey=myECCKey
defaultKey=default
Useful Luna Commands
The following lists useful native Luna cmu commands.
To list objects and their handles:
./cmu list -display=index,handle,class,keyType,label
If you have created keys with native commands, or imported keys, there is probably no certificate object as required by Java PKCS#11 provider. To create a self-signed certificate referencing the private handle, run:
./cmu selfSign -privatehandle=87 -CN="caSign00001" -startDate=20020101
-endDate=20451231 -serialNum=0133337f
Note that 87 needs to be replaced with the handle of the private key found when running the list command.