Part 3b: EJBCA Policy Server Configuration

The following sections cover setting up EJBCA as a Policy Server for auto-enrollment.

Step 1 - Configure Kerberos Authentication

The following sections cover how to enable Kerberos authentication for the EJBCA CEP and CES Services, allowing users and computers to authenticate to EJBCA using their Active Directory credentials.

1. In EJBCA Admin Web, click Autoenrollment Configuration in the side menu.
   
2. Add a new alias with the name msae, select the alias and click on Edit Autoenrollment Alias.
3. Specify the AD server details:
   • Forest Root Domain: Domain name of the AD Forest Root. For example, yourcompany.com (lower case)
     
   • AD Domain Controller: Host and domain name of the Active Directory Domain Controller. For example, dsserver.yourcompany.com.
     
   • Policy Name: Display name of the Certificate Enrollment Policy retrieved by clients (free text).
     
   • Server principal name: SPN as created in Part 2: Group Policies and Certificate Templates. For example, HTTP/ejbcaserver.yourcompany.com@YOURCOMPANY.COM .'YOURCOMPANY.COM' is the name of the REALM and must be upper case.
     
   • Kerberos Keytab: Upload the Key Tab file for the SPN account created in Part 2: Group Policies and Certificate Templates.
     

   • Krb5 Conf file: Upload a pre-configured krb5.conf (Kerberos configuration file) file. This file need to be manually created to match your domain configuration. Below is an example Krb5.conf file that can be tailored to match your domain.

      The enctypes parameters may be changed to only allow specific cipher suites. However, the Key Tab file created in Part 2: Group Policies and Certificate Templates must support the same ciphers. AES256 with SHA1 (aes256-cts-hmac-sha1-96) should be supported on all recent systems. To enforce this cipher the Keytab file must contain only AES256 keys. In this case, the service account encryption settings should enable AES256 only.

     [libdefaults]
       default_realm = YOURCOMPANY.COM
       default_tkt_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
       default_tgs_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
       permitted_enctypes = aes256-cts aes256-cts-hmac-sha1-96 aes128-cts rc4-hmac des3-cbc-sha1 des-cbc-md5 des-cbc-crc
      
     [realms]
       YOURCOMPANY.COM = {
       kdc = yourcompany.com
       default_domain = yourcompany.com
     }
      
     [domain_realm]
     .yourcompany.com = YOURCOMPANY.COM

     CODE

   • Use SSL: Set to true to enable SSL connection to Active Directory (LDAPS). This is optional and requires additional configuration as described in Enabling TLS for Active Directory Connection.

   • Authentication Key Binding: If SSL is enabled, select the authentication key binding which establishes trust for the LDAPS Certificate.
   • Active Directory Port: LDAP port to Active directory. Default are 389 and 636 for SSL.
     

   • AD User Login: Active directory bind account (created in Part 1: Configure Active Directory Domain Services) in any of the following formats:
     

     • "autoenrollmentbind@yourcompany.com" (sAMAccountName followed by @, followed by either DNS name of a domain in the same forest or a value in the  uPNSuffixes of the Partitions container in the config NC replica)
     • "CN=autoenrollment bind,CN=Users,DC=yourcompany,DC=com" (Full DN)
     • "autoenrollment bind" (Display Name)

     YML

   • AD User Password: Password for the bind account.

   • Issuing Certificate Authority: Default CA, signing enrolled certificates.
     
4. Click Test Connection. The message "Active Directory connection test was successful" should be displayed at the top of the page.
5. Click Save to store the configuration.
   

Step 2 - Mapping Certificate Templates to EJBCA Profiles

Each enrollment request coming from Microsoft clients contains a Certificate Template OID reference. In order to enroll certificates with proper attributes, each template intended for use must be mapped to EJBCA profiles. Given a successful AD connection in previous steps, the section MS Auto Enrollment Templates will contain a list of all certificate templates loaded from Active Directory.

To map Certificate Templates to EJBCA profiles:

1. Click Select a Template and select Computer_Auto_Enrollment.
2. Click Select End Entity Profile and select Computer_End_Entity_Profile.
3. Click Select Certificate Profile and select Computer_Certificate_Profile.
4. Click Add.
5. Repeat the steps for User_Auto_Enrollment and its corresponding profiles, as well as for any other template you wish to create mappings for.
6. Click Save.

Only templates which have been mapped to EJBCA profiles will be visible for the enrolling clients, assuming they have sufficient enrollment permissions on the mapped template.

If changes are made to the Certificate Templates in Active Directory after the mapping above has been done, the changes will not take effect until EJBCA has reloaded the profiles. To reload profiles in EJBCA,  Edit the affected alias and click Save.
Note that changes to Template group security permissions take effect imminently as they are looked up for every request rather than being cached. The reload of templates only affects template attributes, such as "Subject name format", "Display name" and "Publish Certificates in Active Directory".

Step 3 - Enable the Service Endpoint

By default, EJBCA do not allow any incoming traffic to its CES and CEP Services.

To enable the services:

1. In EJBCA, click System Configuration and select the Protocol Configuration tab.
2. Click Enable on MSAE.