Configure EJBCA Server

The following sections cover how to configure the EJBCA server.

Launch an EJBCA Enterprise Cloud Server from AWS

For instructions on how to deploy EJBCA Cloud from Amazon Web Services (AWS) and log in to the EJBCA Admin Web for the first time, refer to the EJBCA Cloud AWS Launch Guide.

Certificate Authority Setup

If you do not already have Certificate Authorities (CAs) configured in EJBCA, follow the EJBCA Enterprise Quick Start Guide to set up a 2 Tier CA Hierarchy.

Modify the Workstation End Entity Profile

The Intune device certificates use an Organizational Unit in the Subject DN Attributes. Since this attribute was not added following the Create End Entity Profiles instructions in the Quick Start Guide, do the following to add the attribute in the Corporate Workspace End Entity Profile:

  1. Under RA Functions, select End Entity Profiles.
  2. Edit the Corporate Workspace EE Profile and under Subject DN Attributes, select the (OU) Organizational Unit field for subject DN and click Add.
  3. Click Save to save the Corporate Workspace End Entity Profile.

Gather Certificates

Follow the steps below to gather the CA certificates. Note that the certificates need to be gathered in both PEM and DER formats.

Download the Superadmin Certificate File

The Superadmin Certificate File (superadmin.p12) will be used by the Intune EJBCA Connector server to access the EJBCA Web Services.

Save the superadmin.p12 certificate (downloaded during the EJBCA Cloud Quick Start Guide setup) to the Intune EJBCA Connector server directory /home/ubuntu/.

If using the standalone software installation, the certificate to save to the Intune EJBCA Connector server directory will be located in /opt/ejbca/p12.

Download EJBCA Certificates

To download the EJBCA Certificates using the EJBCA RA Web, do the following:

  1. Access the RA Web in one of the following ways:
    • In the EJBCA Administration GUI, select RA Web in the bottom-left menu.
    • Access the RA Web directly at https://<EJBCA FQDN>/ejbca/ra/
  2. In the EJBCA RA Web, select Search > Certificates.
  3. In the Any CA Field, select - Corporate Root CA - G1
  4. Click on View for the certificate row with Subject of CN=Corporate Root CA - G1,O=Corporation,C=US.
    1. Right-click on the Download as PEM link and save the file as root.pem.
    2. Right-click on the Download as DER link and save the file as root.crt.
    3. Click Back to Overview.
  5. Click on View for the certificate row with Subject of CN=Corporate Issuing CA - G1,O=Corporation,C=US.
    1. Right-click on the Download as PEM link and save the file as issuing.pem.
    2. Right-click on the Download as DER link and save the file as issuing.crt.
    3. Click Back to Overview.
  6. In the Any CA Field, select - ManagementCA.
  7. Click on View for the certificate row with Subject that includes CN=ManagementCA.
    1. Right-click on the Download as DER link and save the file as managementca.crt.
  8. Save all certificate files to the Intune EJBCA Connector server directory /home/ubuntu/.
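
As a check after step 8, the following added example (not part of the EJBCA documentation) confirms that each PEM/DER pair holds the same certificate, that no file was saved in the wrong encoding, and that superadmin.p12 is readable only by its owner. The function names and the owner-only permission requirement are assumptions of this example; it does not validate the certificate chain or signatures.

```python
import hashlib
import os
import ssl
import stat

# File names come from the steps above; the directory is supplied by the caller.
FILES = ("root.pem", "root.crt", "issuing.pem", "issuing.crt", "managementca.crt")
P12 = "superadmin.p12"
HEADER, FOOTER = "-----BEGIN CERTIFICATE-----", "-----END CERTIFICATE-----"


def der_sha256(path, expect_pem):
    """SHA-256 of the certificate's DER bytes; ValueError on the wrong encoding."""
    with open(path, "rb") as f:
        data = f.read()
    text = data.decode("ascii", "replace")
    if (HEADER in text) != expect_pem:
        raise ValueError(f"{path}: expected {'PEM' if expect_pem else 'DER'} encoding")
    if expect_pem:
        if FOOTER not in text:
            raise ValueError(f"{path}: truncated PEM (no END line)")
        # Tolerate any text before the BEGIN line; decode only the armored body.
        body = text[text.index(HEADER):text.index(FOOTER) + len(FOOTER)]
        data = ssl.PEM_cert_to_DER_cert(body)
    if not data.startswith(b"\x30"):  # a DER certificate is an ASN.1 SEQUENCE
        raise ValueError(f"{path}: content is not a DER SEQUENCE")
    return hashlib.sha256(data).hexdigest()


def check_gathered(directory):
    """Return a list of problems; an empty list means every check passed."""
    problems, fps = [], {}
    for name in FILES:
        try:
            fps[name] = der_sha256(os.path.join(directory, name), name.endswith(".pem"))
        except (OSError, ValueError) as exc:
            problems.append(str(exc))
    for stem in ("root", "issuing"):
        pem, der = fps.get(stem + ".pem"), fps.get(stem + ".crt")
        if pem and der and pem != der:
            problems.append(f"{stem}.pem and {stem}.crt hold different certificates")
    try:
        mode = stat.S_IMODE(os.stat(os.path.join(directory, P12)).st_mode)
        if mode & 0o077:  # assumption: the admin key store should be owner-only
            problems.append(f"{P12}: mode {mode:o} lets group/other read the admin key")
    except OSError as exc:
        problems.append(str(exc))
    return problems
```

Call check_gathered("/home/ubuntu") on the Intune EJBCA Connector server and resolve every reported problem before continuing.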

Next Step: Configure Intune

Next, configure Intune for Device Certificate Enrollment.