Managing CAs

This section describes how to manage Certificate Authorities (CAs): how to create, renew and revoke CAs and how to export and import them. The subsections are listed below.

For more conceptual information on CAs, see Certificate Authority Overview.

Export and Import CAs

Under certain circumstances it can be wise to back up the CA's signature and encryption keys. An exported keystore contains the CA's private keys, so protect the backup at least as strictly as the CA itself.

  • Soft token CAs can be exported and backed up. CAs whose keys are on an HSM cannot be exported through EJBCA; use the HSM's own backup mechanisms for such keys.
  • Soft token CAs can be imported using both the CLI and the Admin GUI, while HSM CAs can only be imported using the CLI.

The aliases of the keys in an exported keystore matter when you import it again, since they tell EJBCA which key is the signature key and which is the encryption key. To list the aliases (friendlyName in OpenSSL terminology) in a PKCS#12 file, use the following OpenSSL command; -nokeys prints only the certificate bags and their Bag Attributes, so the private keys are not written to the terminal:

openssl pkcs12 -in /home/user/tmp/keystore.p12 -nokeys

Using Command Line Interface

To export a CA named TestCA to the PKCS#12 file /path/TestCA.p12, enter the following from the $EJBCA_HOME directory and type the keystore password (foo123 in this example) when prompted:

$ bin/ejbca.sh ca exportca TestCA /path/TestCA.p12
Using JBoss JNDI provider...
Enter keystore password: foo123
$

To import the backup keys for TestCA later, giving the alias of the signature key followed by the alias of the encryption key, enter the following from the $EJBCA_HOME directory:

$ bin/ejbca.sh ca importca TestCA /path/TestCA.p12 SignatureKeyAlias EncryptionKeyAlias
Using JBoss JNDI provider...
Enter keystore password: foo123
$

To view usage instructions on how to import HSM CAs, run the following command:

$ bin/ejbca.sh ca importca --help

If you import multiple CAs that use the same HSM and the same slot on that HSM, duplicate crypto tokens are created in EJBCA: one crypto token per imported CA, although there should be only one crypto token per slot. To merge these crypto tokens after the import is complete, use the CLI command mergecatokens:

bin/ejbca.sh ca mergecatokens --help
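The following shell script is added here as an example and is not part of EJBCA. It wraps the exportca and importca commands above (the same checks apply to the restorekeystore flow in Remove and Restore a CA Soft Key Store) with a verification step: before an exported PKCS#12 file is trusted as a restore source, the script lists its friendlyName aliases with OpenSSL and confirms that the signature and encryption key aliases you expect are present, then locks the file down and records its digest. It assumes EJBCA_HOME points at the EJBCA installation, openssl is on PATH, and the keystore password is available to the OpenSSL check in the environment variable EJBCA_KEYSTORE_PASS; the ejbca.sh commands themselves prompt for the password interactively as shown above. The OpenSSL output embedded in SAMPLE_OPENSSL_OUTPUT is constructed so that the alias parsing can be exercised without a real keystore.

```shell
#!/bin/sh
# Added example (not EJBCA code): back up a soft-token CA and verify that the
# exported PKCS#12 file carries the expected key aliases before relying on it.
# Assumptions: EJBCA_HOME is the EJBCA installation, openssl is on PATH, and
# EJBCA_KEYSTORE_PASS holds the keystore password for the OpenSSL check.
set -eu

EJBCA_HOME="${EJBCA_HOME:-/opt/ejbca}"

# Extract alias names from the "friendlyName: <alias>" lines of openssl output.
parse_aliases() {
    awk '/^[[:space:]]*friendlyName:/ { sub(/^[[:space:]]*friendlyName:[[:space:]]*/, ""); print }'
}

# Print the friendlyName (alias) of every bag in a PKCS#12 file, one per line.
# -nokeys prints only certificate bags, so private keys never reach the terminal;
# the certificate bags carry the same aliases as the key bags EJBCA wrote.
p12_aliases() {
    openssl pkcs12 -in "$1" -nokeys -passin env:EJBCA_KEYSTORE_PASS 2>/dev/null | parse_aliases
}

# Return 0 when every alias in "$2" (space separated) occurs in the list "$1".
aliases_present() {
    found="$1"
    for want in $2; do
        printf '%s\n' "$found" | grep -qx "$want" || { echo "missing alias: $want" >&2; return 1; }
    done
}

# Check a PKCS#12 file on disk for the aliases "$2".
p12_has_aliases() {
    aliases_present "$(p12_aliases "$1")" "$2"
}

# Export CA "$1" to "$2" (ejbca.sh prompts for the keystore password), lock the
# file down, verify the aliases "$3" and record a digest for later comparison.
backup_ca() {
    ca="$1"; out="$2"; aliases="$3"
    umask 077
    "$EJBCA_HOME/bin/ejbca.sh" ca exportca "$ca" "$out"
    chmod 600 "$out"
    p12_has_aliases "$out" "$aliases"
    sha256sum "$out" > "$out.sha256"
}

# Import the keys again: signature alias "$3", encryption alias "$4", in the
# order importca expects. The digest check catches a swapped or damaged file.
restore_ca() {
    ca="$1"; p12="$2"; sig="$3"; enc="$4"
    sha256sum -c "$p12.sha256"
    p12_has_aliases "$p12" "$sig $enc"
    "$EJBCA_HOME/bin/ejbca.sh" ca importca "$ca" "$p12" "$sig" "$enc"
}

# Constructed sample of what "openssl pkcs12 -nokeys" prints for an exported
# keystore; used so the parsing can be tried without a real keystore.
SAMPLE_OPENSSL_OUTPUT='Bag Attributes
    friendlyName: SignatureKeyAlias
    localKeyID: 01
subject=CN=TestCA
issuer=CN=TestCA
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----
Bag Attributes
    friendlyName: EncryptionKeyAlias
    localKeyID: 02
subject=CN=TestCA
issuer=CN=TestCA
-----BEGIN CERTIFICATE-----
MIIB...constructed...
-----END CERTIFICATE-----'

sample_aliases() {
    printf '%s\n' "$SAMPLE_OPENSSL_OUTPUT" | parse_aliases
}
```

Usage: backup_ca TestCA /path/TestCA.p12 "SignatureKeyAlias EncryptionKeyAlias" exports the CA and fails loudly if either alias is missing; restore_ca TestCA /path/TestCA.p12 SignatureKeyAlias EncryptionKeyAlias verifies the digest and aliases before calling importca. Passing the aliases in the wrong order to importca is not caught by this check, since both aliases are present either way; confirm which alias is the signature key from the CA's crypto token configuration before restoring.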

Using the CA UI 

To export and import the CA's keys using the Admin GUI, you need superadministrator access. Before you export, check where your browser saves downloads so that the .p12 file is not written to an unsuitable location, and remove it from the download location once it has been moved to secure storage.

To export the CA's keys, do the following:

  1. Select the Certificate Authorities menu option.
  2. Select the CA to export and click Edit.
  3. Next to CA export requires the keystore password, enter the keystore password.
  4. Click Export CA keystore.
  5. The PKCS#12-file will be downloaded by your browser to the location you specify.

To import the CA's keys, do the following:

  1. Select the Certificate Authorities menu option.
  2. Click Import CA keystore.
  3. Specify the CA's name, full pathname to the PKCS#12-file, and keystore password.
  4. If you exported the CA's keys using EJBCA, do not edit the two Alias field default values.
  5. Click Import CA keystore.

Remove and Restore a CA Soft Key Store 

Soft token CAs can have their keystore removed from the database. When the keystore is removed, the CA cannot issue certificates and its CA token status is set to offline.

Before removing the keystore, export it so that it can be restored later; see Export and Import CAs above.

To remove the catoken keys for TestCA, enter the following from the $EJBCA_HOME directory:

$ bin/ejbca.sh ca removekeystore TestCA
Using JBoss JNDI provider...
$ 

To restore the catoken keys again for TestCA with the keystore exported as TestCA-exported.p12, enter the following from the $EJBCA_HOME directory:

$ bin/ejbca.sh ca restorekeystore TestCA /path/TestCA-exported.p12 -s SignatureKeyAlias -e EncryptionKeyAlias
Using JBoss JNDI provider...
Enter keystore password: foo123
$

Renewing CAs 

You can renew CAs in different ways:

  • Renew only CA certificate, using the same keys.
  • Renew CA keys and certificate.

To renew only the CA certificate using the same keys, click Renew CA. Note that your CA must be online to be able to sign the new certificate (if a self-signed CA) or the certificate request (if a sub CA). Additionally, if a sub CA's root CA resides in the same EJBCA instance, the root CA is also required to be online.

To renew the CA keys, set Next CA key to Generate new key using KeySequence and click Renew CA. Note that not all HSMs support renewal of CA keys.

When using an HSM, you can also renew the keys manually by generating new keys on the HSM (for example with the EJBCA CLI tools), selecting the generated keys in the Next CA key field and clicking Renew CA.

Revoking CAs

When revoking a sub CA, you can choose to revoke only the sub CA certificate or to revoke the sub CA certificate and all certificates issued by the sub CA. A relying party that checks the revocation status of every certificate in the chain (which a TLS client would normally do) rejects any certificate issued under a revoked sub CA, so for such clients revoking only the sub CA certificate is sufficient. Clients that check only the end-entity certificate will keep accepting certificates issued by the sub CA until those are revoked individually.

Revoke the CA Certificate

You revoke a sub CA certificate the same way as you revoke any other certificate in EJBCA. To revoke a sub CA certificate, do the following on the EJBCA instance where the issuer of the sub CA (normally a root CA) resides:

  1. Go to the RA Web and select Search > Certificates.
  2. Search for the certificate by entering the common name of the sub CA, and click View to view the sub CA certificate.
  3. Choose a revocation reason in the certificate status list menu and click Revoke to revoke the sub CA certificate.
  4. Go to the CA UI and click CA Structure and CRLs.
  5. Click Create CRL on the appropriate issuer (root CA) to create a new CRL.
  6. Optionally, download and distribute the new CRL to VA instances manually if this is not done automatically with a publisher.

Revoke All Certificates Issued by the CA

You can also revoke all certificates issued by the sub CA. Note that this operation may create a very large CRL if the sub CA has issued a great number of certificates.

To revoke all certificates issued by the sub CA, do the following on the EJBCA instance where the sub CA resides:

  1. Go to the CA UI and click Certification Authorities.
  2. Select the sub CA whose certificates you want to revoke, and click Edit CA to edit the sub CA.
  3. In the CA Life Cycle section, choose a revocation reason and click Revoke to revoke all certificates issued by the sub CA that are not yet revoked. This will also create a new CRL.

If the CA is connected to a VA using peers, the VA will not automatically get the new status of the revoked certificates and you therefore need to synchronize manually as follows:

  1. Click Peer Systems in the menu.
  2. Click Manage on the appropriate peer connector.
  3. In the Certificate Data Synchronization tab, choose Only sync revoked and then click Start to push the status of the revoked certificates to the VA.