Learn how to create roles in EJBCA, needed when integrating with Kubernetes and Istio in later tutorials.

The following covers how to create three new roles with various levels of authority. You will create roles, assign permissions to the roles, and also create a certificate for the RA role to be used when integrating with Kubernetes and Istio.

In this tutorial, you will learn how to:

  • Create Auditor and RA Administrator roles
  • Create certificate profile
  • Create end entity profile
  • Create RA role for Kubernetes
  • Issue client certificate
  • Enable EJBCA REST API Certificate Management

Prerequisites

Before you begin, you need a running EJBCA instance with an active Certificate Authority (CA).

To learn how to configure a certificate profile template and CA-defined default values, see the tutorials Create a PKI Hierarchy in EJBCA and Issue TLS client certificates with EJBCA.

Step 1 - Create Auditor and RA Administrator roles

Access rules are used to authorize specific actions in EJBCA, ranging from activating crypto token keys to creating end entities to managing the access rules themselves. Access rules can be managed either by setting them using EJBCA default role templates or by editing them manually from the Access Rules list in the advanced mode. Often a combination of the two is used: a predefined template to start with and then fine-tuning by giving or denying access to individual rules. 

EJBCA provides the following default role templates:

  • Super Administrator
  • CA Administrator
  • RA Administrator
  • Supervisor
  • Auditor

To create an auditor and RA administrator role in EJBCA and define what the accounts can access, perform the following steps.

Create Auditor role

The following covers how to create an auditor role and edit the role template for the auditor role so that the auditor has access to view information but not make any configuration changes.

To create an auditor role and authorize actions in EJBCA:

  1. In the EJBCA menu, under System Functions, click Roles and Access Rules.
  2. Next to the list of available roles, click Add.
  3. For Role name, specify Auditor and click Add.
    The Roles Management page now lists the Auditor role.
  4. Next to the Auditor role, click Members.
  5. Members are defined by an attribute from the certificate DN and the serial number:
    • Match with: Select X509:CN, Common name.
    • CA: Ensure that the Management CA is selected for the CA to match on.
    • Match Value: Specify the CN value from the certificate, in this example: "Auditor". Note that the match is case-sensitive.
  6. Click Add to add the user to the Auditor role.
  7. To configure the auditor role and update the role template, click Edit Access Rules.
  8. To update the access rules for the auditor role:
    • For Role Template, select Auditor.
    • For Authorized CAs, select All.
    • For End Entity Profiles, select All.
    • For Validators, select All.
  9. Click Save to store the updated access rules for the auditor role.

Create RA Administrator role

To create an RA administrator role and authorize actions in EJBCA:

  1. Click Back to Roles Management.
  2. Next to the list of available roles, click Add.
  3. For Role name, specify RA and click Add.
    The Roles Management page now lists the RA role.
  4. Next to the RA role, click Access Rules.
  5. To update the access rules for the RA role:
    • For Role Template, select RA Administrators.
    • For Authorized CAs, select ManagementCA and MyPKISubCA-G1.
    • For End Entity Profiles, select TLS Client Profile and TLS Server Profile.
    • For Other Rules, ensure that View Audit Log is selected.
  6. Click Save to store the updated access rules for the RA role.
  7. Next, to further fine-tune the access rules and give access to individual rules, click Advanced Mode.
    • For /ca_functionality/view_ca/ select Allow to enable viewing and accessing CA activation, CA structure & CRL and Certificate Authorities.
    • For /services/view/ select Allow to enable viewing system services.
  8. Click Save to store the rules for the RA role.

Step 2 - Create certificate profile

The following steps describe how to create an RA administrator certificate profile by cloning and modifying the certificate profile TLS Client Profile created in the tutorial Issue TLS server certificates with EJBCA.

To create the certificate profile:

  1. In EJBCA, under CA Functions, click Certificate Profiles.
    The Manage Certificate Profiles page displays a list of available profiles.
  2. Click Clone next to the TLS Client Profile to use that as a basis for creating your new profile.
  3. Name the new certificate profile RA-Admins-Profile and click Create from template.
  4. To edit the profile values to fit your needs, find the newly created RA-Admins-Profile in the list and click Edit.
  5. On the Edit page, verify that the type is End Entity and update the following:
    • For Available Key Algorithms, select RSA.
    • For Available Bit Lengths, select 2048 bits, 3072 bits, and 4096 bits.
    • Clear Key encipherment.
    • Under Other Data, for Available CAs, select Management CA.
  6. Click Save to store the certificate profile.

The newly created RA-Admins-Profile is displayed in the list of certificate profiles.

Step 3 - Create end entity profile

Next, create an end entity profile that defines what information about certificate holders EJBCA keeps track of and adds as subject information. The following steps describe how to create an RA administrator end entity profile by cloning and modifying the end entity profile TLS Client Profile created in the tutorial Issue TLS server certificates with EJBCA.

To create an end entity profile:

  1. In EJBCA, under RA Functions, click End Entity Profiles.
  2. Select the TLS Client Profile in the list, specify the name RA-Administrator in the Add End Entity Profile field, and then click Clone selected.
  3. Select the newly created RA-Administrator profile, and click Edit End Entity Profile to update the profile.
  4. Edit the profile and update the following:
    • Under Main Certificate Data, map the certificate profile, CA, and type of key pair the profile can be used together with:
      • For Default Certificate Profile and Available Certificate Profiles select the RA-Admins-Profile you created in Step 2 - Create certificate profile.
      • For Default CAs and Available CAs, select Management CA.
    • Specify Default Token options to define how the key pair generation should be implemented for the certificates:
      • Select User Generated and the formats P12 file and PEM file.
        User Generated means that the requester generates their own key pair and therefore creates and provides a certificate signing request (CSR) to EJBCA with the certificate request. The other file options allow the CA to generate the private key and certificate and return those to the requester as a single file in the selected format.
  5. Click Save to store the end entity profile.

Step 4 - Create RA Administrator role for Kubernetes

To create an RA administrator role in EJBCA for the integration with Kubernetes in a later tutorial:

  1. In the EJBCA menu, under System Functions, click Roles and Access Rules.
  2. Next to the list of available roles, click Add.
  3. For Role name, specify RA-Kubernetes and click Add.
    The Roles Management page now lists the RA-Kubernetes role.
  4. Next to the RA-Kubernetes role, click Members.
  5. Members are defined by an attribute from the certificate DN and the serial number:
    • Match with: Select X509:CN, Common name.
    • CA: Ensure that the Management CA is selected for the CA to match on.
    • Match Value: Specify the CN value that will be added for the certificate, in this example: "k8-RA". Note that the match is case-sensitive.
  6. Click Add to add the user to the role.
  7. To configure the role, click Edit Access Rules.
  8. Click Save to store the updated access rules for the role.

Step 5 - Issue client certificate

To issue a TLS client certificate, use the EJBCA RA web interface to make a new request and enroll for a certificate using your new profiles.

  1. In EJBCA, click RA Web to access the EJBCA RA UI.
  2. Select Make New Request from the Enroll menu.
  3. For Certificate Type, select your RA-Administrator.
  4. For Key-pair generation, select By the CA.
  5. Specify the following information about the holder of the certificate, to be used in the certificate:
    • For Key algorithm, select RSA 2048 bits.
    • For CN, Common Name, specify a name, in this example k8-RA.
    • For Username, add k8-RA to register the user under the username identical to the common name. The Username is the name that will go into the database and is often the same as the Common Name. 
    • For Enrollment code: Enter a password twice. This password will be used to encrypt the certificate bundle (P12 file) once downloaded.
  6. Click Download PEM to download and save the certificate in an encrypted k8-RA.pem file.
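The role member rules defined for the Auditor role in Step 1 and the RA-Kubernetes role in Step 4 (Match with X509:CN, a CA to match on, and a case-sensitive Match Value) can be checked against the certificate you just issued. The following is an added example, not EJBCA code and not part of the original tutorial: it models the rule as described above and evaluates it on DN strings such as those printed by `openssl x509 -noout -subject -issuer -nameopt RFC2253`. The CA distinguished names and the non-matching samples are constructed for illustration; substitute the values from your own installation.

```python
# Model of the role-member rule in this tutorial (X509:CN + CA + case-sensitive
# Match Value). Not EJBCA code; all DN values below are constructed samples.

def parse_dn(dn):
    """Split an RFC 2253 style DN into (type, value) pairs, honouring backslash escapes."""
    pairs, buf, escaped = [], [], False
    for ch in dn + ",":
        if escaped:                      # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":                  # unescaped comma ends one RDN
            rdn = "".join(buf).strip()
            buf = []
            if rdn:
                key, _, value = rdn.partition("=")
                pairs.append((key.strip().upper(), value.strip()))
        else:
            buf.append(ch)
    return pairs                         # hex escapes and '+' multi-valued RDNs not handled

def common_names(dn):
    return [value for key, value in parse_dn(dn) if key == "CN"]

def is_role_member(subject_dn, issuer_dn, member):
    """member: dict with 'ca_dn' (the CA to match on) and 'value' (the Match Value)."""
    # CA binding: the right CN issued by a different CA must not match.
    if parse_dn(issuer_dn) != parse_dn(member["ca_dn"]):
        return False
    # Exact, case-sensitive comparison of the CN value; never a substring test.
    return member["value"] in common_names(subject_dn)

MANAGEMENT_CA_DN = "CN=ManagementCA,O=Example PKI,C=SE"   # constructed DN
K8_RA_MEMBER = {"ca_dn": MANAGEMENT_CA_DN, "value": "k8-RA"}
SAMPLES = {  # name -> (subject DN, issuer DN), all constructed
    "issued in Step 5":   ("CN=k8-RA", MANAGEMENT_CA_DN),
    "wrong case":         ("CN=k8-ra", MANAGEMENT_CA_DN),
    "same CN, other CA":  ("CN=k8-RA", "CN=MyPKISubCA-G1,O=Example PKI,C=SE"),
    "escaped comma in O": ("CN=other,O=Acme\\,CN=k8-RA", MANAGEMENT_CA_DN),
    "longer CN":          ("CN=k8-RA-test", MANAGEMENT_CA_DN),
}

def evaluate(samples=SAMPLES, member=K8_RA_MEMBER):
    return {name: is_role_member(s, i, member) for name, (s, i) in samples.items()}

if __name__ == "__main__":
    for name, ok in evaluate().items():
        print(f"{name:20} -> {'member' if ok else 'no match'}")
```

Only the first sample is reported as a member; the others fail on case, issuing CA, or because the text `CN=k8-RA` appears somewhere other than a real CN attribute.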

Step 6 - Enable EJBCA REST API Certificate Management

To enable the EJBCA REST API Certificate Management service, which allows issuing certificates with an EJBCA container in a later tutorial:

  1. In EJBCA, click System Configuration.
  2. Select the Protocol Configuration tab.
  3. For REST API Certificate Management, select the action Enable.

The Certificate Management service is now enabled in EJBCA.

Next steps

In this tutorial, you learned how to create roles and profiles and issue a certificate needed when integrating with Kubernetes and Istio in later tutorials.

Next, to learn how to install and configure a Kubernetes runtime on Alma Linux to deploy the EJBCA container, follow the tutorial Install MicroK8s to run EJBCA.

Check out our other video tutorials on the Keyfactor Community YouTube channel.

To find out more about EJBCA use cases, see Solution Areas.