Part 1: EJBCA Administration

The following sections cover administering EJBCA and include instructions on how to create a 3-tier CA hierarchy, add custom certificate extensions, and create certificate profiles, end entities, and administrator roles.

In the examples below, the Certificate Services hostname is csserver.yourcompany.com. The text enclosed in angle brackets should be replaced with names in your environment.

Create the 3-tier CA Hierarchy

The following sections cover how to create a 3-tier CA using soft keystores.

Create Root CA

Create Root CA Crypto Token

  1. Click Crypto Tokens under CA Functions
  2. Select Create New
    1. Enter a name for the Crypto Token: Root CA Token
    2. Select Type as Soft
    3. Enter an authentication code for the token.
    4. Auto-activation: Not selected
    5. Click Save
    6. Generate a signKey of size 4096
    7. Generate a defaultKey of size 4096
    8. Generate a testKey of size 1024

Create Root CA Certificate Profile

  1. Clone the ROOTCA profile for the Root CA and label it as "Root CA Certificate Profile." Select the following values:
    1. Available key algorithms: RSA
    2. Available bit lengths: 4096
    3. Validity: 25y
    4. LDAP DN order: Unchecked
    5. Available CA: Any CA

Create the Root CA certificate

  1. Click Certificate Authorities. In the Add CA field enter the name "Root CA" and click "Create…"
  2. In the Create CA screen populate the following fields:
    1. Signing Algorithm: SHA256WithRSA
    2. Crypto Token: Root CA Token
    3. Subject DN: <RootCASubjectDN>
    4. Signed By: Self Signed
    5. Certificate Profile: Root CA Certificate Profile
    6. Validity: 25y
    7. CRL Distribution Point: http://crl.company.com/Root_CA.crl
    8. OCSP Service Locator URI: http://ocsp.company.com

Create Intermediate CA

Create Intermediate CA Crypto Token

  1. Click Crypto Tokens under CA Functions
  2. Select Create New
    1. Enter a name for the Crypto Token: Intermediate CA Token
    2. Select Type as Soft
    3. Enter an authentication code for the token.
    4. Auto-activation: Not selected
    5. Click Save
    6. Generate a signKey of size 4096
    7. Generate a defaultKey of size 4096
    8. Generate a testKey of size 1024

Create Intermediate CA Certificate Profile

  1. Clone the SUBCA profile for the Intermediate CA and label it as "Intermediate CA Certificate Profile." Select the following values:
    1. Available key algorithms: RSA
    2. Available bit lengths: 4096
    3. Validity: 25y
    4. LDAP DN order: Unchecked
    5. Available CA: Any CA

Create Intermediate CA certificate

  1. Click Certificate Authorities. In the Add CA field enter the name "Intermediate CA" and click "Create…"
  2. In the Create CA screen populate the following fields:
    1. Signing Algorithm: SHA256WithRSA
    2. Crypto Token: Intermediate CA Token
    3. Subject DN: <IntermediateCASubjectDN>
    4. Signed By: Root CA
    5. Certificate Profile: Intermediate CA Certificate Profile
    6. Validity: 20y
    7. CRL Distribution Point: http://crl.company.com/Intermediate_CA.crl
    8. OCSP Service Locator URI: http://ocsp.company.com

Create Issuing CA

Create Issuing CA Crypto Token

  1. Click Crypto Tokens under CA Functions
  2. Select Create New
    1. Enter a name for the Crypto Token: Issuing CA Token
    2. Select Type as Soft
    3. Enter an authentication code for the token.
    4. Auto-activation: Not selected
    5. Click Save
    6. Generate a signKey of size 4096
    7. Generate a defaultKey of size 4096
    8. Generate a testKey of size 1024

Create Issuing CA Certificate Profile

  1. Clone the SUBCA profile for the Issuing CA and label it as "Issuing CA Certificate Profile." Select the following values:
    1. Available key algorithms: RSA
    2. Available bit lengths: 4096
    3. Validity: 25y
    4. LDAP DN order: Unchecked
    5. Available CA: Any CA

Create Issuing CA certificate

  1. Click Certificate Authorities. In the Add CA field enter the name "Issuing CA" and click "Create…"
  2. In the Create CA screen populate the following fields:
    1. Signing Algorithm: SHA256WithRSA
    2. Crypto Token: Issuing CA Token
    3. Subject DN: <IssuingCASubjectDN>
    4. Signed By: Intermediate CA
    5. Certificate Profile: Issuing CA Certificate Profile
    6. Validity: 15y
    7. CRL Distribution Point: http://crl.company.com/Issuing_CA.crl
    8. OCSP Service Locator URI: http://ocsp.company.com

Create Custom Certificate Extensions

To create the custom extension for the Microsoft template information, do the following:

  1. On the EJBCA Administration Interface, click System Configuration
  2. Select the Custom Certificate Extensions tab
  3. Enter the Object Identifier (OID) as "1.3.6.1.4.1.311.21.7".
  4. Enter "Certificate Template Information" as the Label.
  5. Click Add.
  6. Click Edit on the object previously added.
  7. Select the Encoding to DEROBJECT
  8. Set Dynamic to true.
  9. Click Save.
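Because the extension above is configured as DEROBJECT and Dynamic, EJBCA does not compose its value itself: each enrollment request has to carry a ready-made DER value, and a malformed value ends up in the issued certificate and is then misread by Windows clients. The following added example (not part of this guide or of EJBCA) encodes and decodes that value, a DER SEQUENCE of the template OID, major version and optional minor version, so an auto-enrollment client or an audit script can build and check it without an ASN.1 library. The template OID, the version numbers and the hex form in which the value is handed to the WS client are assumptions.

```python
"""Encode/decode the Microsoft Certificate Template Information extension
(OID 1.3.6.1.4.1.311.21.7):
  SEQUENCE { templateID OBJECT IDENTIFIER, majorVersion INTEGER,
             minorVersion INTEGER OPTIONAL }
Added example; pure-Python DER, no external libraries."""
from typing import Optional, Tuple

TEMPLATE_INFO_OID = "1.3.6.1.4.1.311.21.7"  # the extension's own OID (from the guide)

def _der_len(n: int) -> bytes:
    if n < 0x80:                      # short form
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body   # long form

def _der_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])  # first two arcs share one byte
    for arc in arcs[2:]:                       # base-128, high bit = "more follows"
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return b"\x06" + _der_len(len(out)) + bytes(out)

def _der_int(v: int) -> bytes:
    assert v >= 0
    body = v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True)  # keeps leading 0x00 when needed
    return b"\x02" + _der_len(len(body)) + body

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length

def _decode_oid(body: bytes) -> str:
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def encode_template_info(template_oid: str, major: int, minor: Optional[int] = None) -> bytes:
    """DER value to supply for the dynamic extension; .hex() gives the hex form assumed here."""
    body = _der_oid(template_oid) + _der_int(major)
    if minor is not None:
        body += _der_int(minor)
    return b"\x30" + _der_len(len(body)) + body

def decode_template_info(der: bytes) -> Tuple[str, int, Optional[int]]:
    """Strict parse: rejects wrong tags, trailing bytes and truncated input."""
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("value is not a single DER SEQUENCE")
    tag, oid_body, pos = _read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("templateID must be an OBJECT IDENTIFIER")
    tag, maj_body, pos = _read_tlv(seq, pos)
    if tag != 0x02:
        raise ValueError("majorVersion must be an INTEGER")
    minor = None
    if pos < len(seq):
        tag, min_body, pos = _read_tlv(seq, pos)
        if tag != 0x02:
            raise ValueError("minorVersion must be an INTEGER")
        minor = int.from_bytes(min_body, "big", signed=True)
    if pos != len(seq):
        raise ValueError("trailing data inside SEQUENCE")
    return _decode_oid(oid_body), int.from_bytes(maj_body, "big", signed=True), minor
```

The decoder is deliberately strict so that a value that Windows would reject is caught before it is embedded in a certificate rather than after.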

Create User and Computer Auto Enrollment Certificate Profiles

The following describes how to create the user and computer profiles for auto enrollment.

Create a certificate profile for User Auto Enrollment

  1. Click Certificate Profiles under CA Functions
  2. Clone from ENDUSER named User_Certificate_Profile
  3. Edit the User_Certificate_Profile
  4. Key Usage: Digital Signature, Non-repudiation, and Key encipherment
  5. Extended Key Usage: Client Authentication, Email Protection, and MS Encrypted File System (EFS)
  6. Used Custom Certificate Extensions: Certificate Template Information
  7. Available CAs: Issuing CA

Create a certificate profile for Computer Auto Enrollment

  1. Click Certificate Profiles under CA Functions
  2. Clone from ENDUSER named Computer_Certificate_Profile
  3. Edit the Computer_Certificate_Profile
  4. Key Usage: Digital Signature and Key encipherment
  5. Extended Key Usage: Client Authentication and Server Authentication
  6. Used Custom Certificate Extensions: Certificate Template Information
  7. Available CAs: Issuing CA

Create Tomcat Server and Web Services API Certificate Profiles

The following sections cover how to create certificate profiles for the Tomcat server and the Web Services API client.

Create a certificate profile for Tomcat server

  1. Click Certificate Profiles under CA Functions
  2. Clone from SERVER named Tomcat_Server_Certificate_Profile
  3. Edit the Tomcat_Server_Certificate_Profile
  4. Available key algorithms: RSA
  5. Change Validity to 5y
  6. Available bit lengths: 2048
  7. CRL Distribution Point: Use
  8. Use CA defined CRL Dist. Point: Use
  9. Authority Information Access: Use
  10. Use CA defined OCSP locator: Use
  11. Available CAs: Issuing CA

Create a certificate profile for Web Services API client

  1. Click Certificate Profiles under CA Functions
  2. Clone from ENDUSER named WebService_Client_Certificate_Profile
  3. Edit WebService_Client_Certificate_Profile
  4. Available key algorithms: RSA
  5. Change Validity to 5y
  6. Available bit lengths: 2048
  7. Available CAs: ManagementCA

Create User and Computer Auto Enrollment End Entity Profiles

The following describes how to create user and computer auto enrollment end entity profiles.

All attributes that may occur in a request should be added and marked as modifiable.

Create End Entity Profile for User Auto Enrollment

  1. Add End Entity profile named "User_End_Entity_Profile"
  2. Click User_End_Entity_Profile and click Edit End Entity Profile
  3. Subject DN Attributes: CN
  4. Other subject attributes: MS UPN
  5. Default Certificate Profile: User_Certificate_Profile
  6. Available Certificate Profiles: User_Certificate_Profile
  7. Default CA: Issuing CA
  8. Available CAs: Issuing CA
  9. Default Token: User Generated
  10. Available Tokens: User Generated

Create End Entity Profile for Computer Auto Enrollment

  1. Add End Entity profile named "Computer_End_Entity_Profile"
  2. Click Computer_End_Entity_Profile and click Edit End Entity Profile
  3. Subject DN Attributes: CN
  4. Other subject attributes: DNS Name
  5. Default Certificate Profile: Computer_Certificate_Profile
  6. Available Certificate Profiles: Computer_Certificate_Profile
  7. Default CA: Issuing CA
  8. Available CAs: Issuing CA
  9. Default Token: User Generated
  10. Available Tokens: User Generated

Create Tomcat Server and Web Services API End Entity Profiles

Create End Entity Profile for the SSL server certificate

  1. Click End Entity Profiles under RA Functions
  2. Add End Entity profile named "TomcatServerEEProfile"
  3. Click TomcatServerEEProfile and click Edit End Entity Profile
  4. Uncheck End Entity E-mail
  5. Subject DN Attributes: CN
  6. Default Certificate Profile: Tomcat_Server_Certificate_Profile
  7. Available Certificate Profiles: Tomcat_Server_Certificate_Profile
  8. Default CA: Issuing CA
  9. Available CAs: Issuing CA
  10. Default Token: JKS
  11. Available Tokens: JKS

Create End Entity Profile for the Web Services Client

  1. Click End Entity Profiles under RA Functions
  2. Add End Entity profile named "WebServiceClientEEProfile"
  3. Click WebServiceClientEEProfile and click Edit End Entity Profile
  4. Uncheck End Entity E-mail
  5. Subject DN Attributes: CN
  6. Default Certificate Profile: WebService_Client_Certificate_Profile
  7. Available Certificate Profiles: WebService_Client_Certificate_Profile
  8. Default CA: ManagementCA
  9. Available CAs: ManagementCA
  10. Default Token: JKS
  11. Available Tokens: JKS

Create Tomcat and Web Services End Entities

Creating and downloading the Tomcat JKS keystore

  1. Add the Tomcat server End Entity
    1. Click Add End Entity
    2. End Entity Profile: TomcatServerEEProfile
    3. Username: tomcat_server
    4. Password: <PASSWORD>
    5. Confirm Password: <PASSWORD>
    6. CN: <csserver.primekey.com>
    7. Click Add
  2. Download the Tomcat server certificate as a JKS keystore with Firefox
    1. Click Public Web
    2. Click Create Keystore
    3. Username: tomcat_server
    4. Password: <PASSWORD>
  3. Save this keystore as tomcat_server.jks

Creating and downloading the Web Services JKS keystore

  1. Add the Web Services Client End Entity
    1. Click Add End Entity
    2. End Entity Profile: WebServiceClientEEProfile
    3. Username: aewsclient
    4. Password: <PASSWORD>
    5. Confirm Password: <PASSWORD>
    6. CN: aewsclient
    7. Click Add
  2. Download the Web Services Client certificate as a JKS keystore with Firefox
    1. Click Public Web
    2. Click Create Keystore
    3. Username: aewsclient
    4. Password: <PASSWORD>
  3. Save this keystore as aewsclient.jks

Create Administrator Roles for Web Services Client

To create administrator roles for the Web Services client, do the following:

  1. Click System Functions > Administrator Roles.
  2. Click Add
  3. Enter a name for the role, in this example AutoEnrollment Web Services
  4. Click on Members for AutoEnrollment Web Services
  5. Specify the following:
    1. Match with: X509: CN, Common Name
    2. CA: ManagementCA
    3. Match value: aewsclient
  6. Click Add
  7. Click Edit Access Rules for AutoEnrollment Web Services
    1. Role Template: RA Administrators
    2. Authorized CA: Issuing CA
    3. End Entity Rules: Create End Entities, Edit End Entities, and View End Entities
    4. End Entity Profiles: Computer_End_Entity_Profile and User_End_Entity_Profile (select other End Entity Profiles that will be used with Auto Enrollment, if any)
    5. Other Rules: Uncheck View Audit Log
  8. Click Save.

When using Web Services through an RA, roles have to be set up both for the Web Service client and the RA. Ensure that the web services work well through the RA before configuring the auto enrollment above. For more information, see Web Service API.