AuthenticationKeyBinding

The identity of outgoing TLS connections is configured as an Authentication Key Binding.

  • The certificate must have Key Usage: Digital Signature. The certificate should also have Key Usage: Key Encipherment if the key is an RSA key.
  • The certificate must have Extended Key Usage: Client Authentication.
  • The list of trusted certificates will be used to validate the remote server side SSL certificate.

Validation of the Server Certificate

Validation of the remote TLS certificate is subject to basic TLS certificate path validation and for example OCSP checks are currently not supported. You can configure the list of trusted remote server side TLS certificats in the following ways:

  • By default, any remote server side TLS certificate issued by a CA that exists in the local EJBCA instance will be trusted.
  • By specifying a CA, you can choose to trust only TLS certificates issued by this CA.
  • By specifying both a CA and a certificate serial number, only the specific TLS certificate will be trusted.

If an external CA is used and you need to trust a specific TLS certificate, the certificate must be known to the local instance as well. To ensure that this is known, you can, for example, run the following:

bin/ejbca.sh ca importcert

Protocol And Cipher Suite

The Authentication Key Binding defines a protocol and a cipher suite to use for the outgoing TLS connection. The protocols and cipher suites accessible in EJBCA are configured in cesecore.properties.

To add additional protocols and cipher suites, do the following:

  1. Copy cesecore.properties.sample from EJBCA's conf directory and use it as a template. If allow.external-dynamic.configuration is enabled, you can override the default configuration by putting the cesecore.properties configuration file in /etc/cesecore/conf.
  2. Edit cesecore.properties and look for the Authentication Key Binding settings. Specify the supported protocols and cipher suites using the authkeybind.ciphersuite property. For example:
    authkeybind.ciphersuite.0=TLSv1.2;TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    authkeybind.ciphersuite.1=TLSv1.2;TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    A complete list of all available protocols and cipher suites to choose from is available in the Java Cryptography Architecture Oracle Providers Documentation for JDK 8 or the corresponding document for your JDK distribution.
  3. If allow.external-dynamic.configuration is enabled it should be sufficient to restart the application server for the changes to take effect. Otherwise, you need to recompile and redeploy EJBCA.

Use Authentication Key Bindings with Peer Connectors

For more information, see Setting up Peer Connectors for Outgoing Connections in Peer Systems Operations.