Learn how to issue a client authentication certificate using the EJBCA Community Docker container.

In this tutorial:

  • Create basic profiles
  • Issue client authentication certificate
  • Download CA certificate
  • Import client certificate into browser


This guide covers how to issue a client authentication certificate using the EJBCA Community Docker container. For instructions on how to start an EJBCA Community container and access EJBCA, see Quick Start Guide - Start EJBCA Container with Unauthenticated Network Access.

Prerequisites

Before you begin, you need a started EJBCA container and access to the EJBCA CA UI. For instructions, see Start EJBCA Container with Unauthenticated Network Access.

Step 1 - Create profiles

Once you have access to EJBCA, follow the steps below to create a certificate profile with information about the certificate and an end entity profile, providing your personal details.

Create Certificate Profile

Certificate profiles define the constraints of the certificate, for example, what keys it can use, and what the extensions will be.

To create a certificate profile:

  1. In EJBCA, under CA Functions, click Certificate Profiles.
  2. Click Clone next to the ENDUSER template profile.
  3. Specify a name for the new certificate profile, in this example ClientAuth, and click Create from template.
    The newly created  profile is displayed in the list of certificate profiles.
  4. Click Edit for the ClientAuth profile and specify the following:
    1. For Validity or end date of the certificate, specify 1y.
    2. For Key Usage, clear Non-repudiation.
    3. For Extended Key Usage, select Client Authentication.
  5. To store the certificate profile, click Save.

Create End Entity Profile

To create an end entity profile, follow these steps:

  1. In EJBCA, under RA Functions, click End Entity Profiles.
  2. In the Add Profile field, add a name for the new profile, in this example ClientAuth, and click Add profile.
    The newly created ClientAuth profile is displayed in the list of end entity profiles.
  3. Select the profile, and click Edit End Entity Profile.
  4. Edit the profile and update the following:
    1. To add an email address to your certificate, click Add next to Subject Alternative Name list option RFC 822 Name (e-mail address).
    2. For Default Certificate Profile, select only the new profile you created in Create Certificate Profile, in this example ClientAuth.
    3. For Default Token, select P12 file.
  5. To store the updated end entity profile, click Save.

Add End Entity

To preregister yourself as a user, create an end entity:

  1. In EJBCA, under RA Functions, click Add End Entity and specify the following:
    1. Specify a Username and a Password (one time enrollment code) that you will use to pick up your certificate.
    2. Enter your E-mail address.
    3. For CN, Common name, enter your name.
    4. For RFC 822 Name (e-mail address), select Use data from E-mail address field.
  2. To add the end entity, click Add.

Step 2 - Issue client authentication certificate

To pick up your client authentication certificate using the credentials specified for your end entity user, use the EJBCA RA UI to enroll:

  1. To pick up your certificate, click RA Web to access the EJBCA RA UI.
  2. To enroll, select Enroll > Use Username.
  3. In the Username and Enrollment code fields, specify the credentials entered in the previous step Add End Entity, and then click Check.
  4. For Key algorithm, select RSA 2048 bits for the certificate.
  5. To download the PKCS#12 keystore, click Download the PKCS#12.

Your client authentication certificate is downloaded as a P12 file.

Step 3 - Download CA certificate

To download the Management CA certificate using the EJBCA RA UI, follow these steps:

  1. Select the EJBCA RA UI menu option CA Certificates and CRLs.
  2. For the listed ManagementCA, click PEM in the Certificate column.

The CA certificate is downloaded as a ManagementCA PEM file.

You have now downloaded both the CA certificate (as a PEM file) and your personal private key and certificate (as a P12 keystore file). Next, import the client certificate into your web browser.

Step 4 - Import client certificate into browser

To access the EJBCA CA UI, import the downloaded client certificate into your web browser.

The procedure for importing a certificate may vary. This example describes how to import a certificate to Mozilla Firefox.

To import the certificate in Mozilla Firefox:

  1. On the Firefox menu, select Preferences.
  2. Click Privacy & Security.
  3. In the Security section, click View Certificates.
  4. On the Your Certificates tab, select Import.
  5. Browse to the downloaded P12 keystore to import and select the file.
  6. For the password enter the one time enrollment code that you specified in the previous step Add End Entity, and click Sign in.
  7. On the Mozilla Firefox tab Your Certificates, verify that the certificate was imported, and then click OK.

Next, point your browser to https://localhost/ejbca/adminweb to access EJBCA.

Next steps

In this tutorial, you learned how to create basic profiles to issue and download the client authentication certificate, and then import the certificate into your browser to access EJBCA.

To find out more about EJBCA use cases, see Solution Areas.

To learn how to get started with SignServer Community as a Docker Container, you can follow the Quick Start Guide - Start SignServer Container with Client Certificate Authenticated Access

Related Quick Start Guides