Setting up Peer Connectors and OCSP

This three-part video tutorial walks you through the steps of setting up peer connectors and OCSP using EJBCA Enterprise.

Prerequisites

The following tutorials use two virtual machines, one will have the Certificate Authority (CA) configured and the other one will be the Validation Authority (VA) or Registration Authority (RA).

It is assumed that you have:

  • Set up a CA and created certificate profiles for both client and server certificates.
  • Installed an EJBCA Enterprise instance for the CA, VA, or RA.

Tutorial Part 1 - Replacing the VA or RA Server Certificate

The first part of the tutorial walks you through creating both a truststore and a keystore to establish a chain of trust between the CA and VA nodes.

  • Create a truststore
  • Create a keystore
  • Installing the truststore and keystore on the VA or RA server

The truststore will contain the Management CA certificate and the keystore will contain the VA server certificate issued by the Management CA. This is the first step necessary to set up a TLS connection between the CA and the VA.

When you have completed this exercise, you will have created the foundations of trust between the CA and VA by signing the server certificate of the VA with the common management CA. The next step is to set up the peer connectors between the nodes for a secure TLS connection.

Tutorial Part 2 - Setting up Peer Connectors

The second tutorial walks you through configuring the peer connectors in EJBCA Enterprise in order to connect a Certificate Authority (CA) to a Validation Authority (VA) to issue OCSP certificates and CRLs.

  • Create the CA client TLS certificate
  • Create a Peer Connector
  • Establish a TLS tunnel between the CA and the VA

The Peer Connector is specifically used to ensure encrypted communication between the nodes using TLS.

When you have completed this exercise, you have created a secure TLS connection between the CA and VA. The next step is to configure the VA to respond to OCSP requests or creating an RA if you want the service to be an external Registration Authority. 

Tutorial Part 3 - Setting up an OCSP Signer

The OCSP service will respond to clients that want to check the validity of certificates to see if they are good, revoked, or unknown. This is usually the most critical component in any Enterprise PKI infrastructure because if the certificates issued cannot be trusted, the service will go down.

Now that you have created a peer connection between the CA and VA, you need to create an OCSP signing certificate. This must be a certificate signed by the CA to respond for, and it must also contain the extended key usage for OCSP signing.

This final part of the tutorial walks you through configuring the VA to respond to OCSP requests with EJBCA.

  • Create the OCSP keys
  • Create the OCSP Profile and Certificate
  • Sign the OCSP responder

When you have completed this exercise, your Validation Authority (VA) is authorized to answer OCSP requests on behalf of the SubCA. 

As a next step, you may continue with configuring a publisher and a service on the CA in order to provide revocation information on the VA database. For more information, refer to the EJBCA Documentation on Validation Authority Peer Publisher