Tutorial - Issue TLS client certificates with EJBCA

Learn how to issue client TLS certificates with EJBCA.

In this tutorial, you will learn how to:

• Create a certificate profile for client TLS certificates
• Create an end entity profile
• Issue certificate with CA-side key pair generation

Prerequisites

Before you begin, you need a running EJBCA instance with an active Certificate Authority (CA).

To learn how to configure a certificate profile template and CA-defined default values, see the tutorials Create a PKI Hierarchy in EJBCA and Issue TLS server certificates with EJBCA.

Step 1 - Create certificate profile

The first step is to create a certificate profile for client TLS certificates. The certificate profile defines content and constraints of new certificates, such as key types to allow and what extensions to use in the certificates. For an introduction to certificate profiles, see the Certificate Profiles Overview.

The following steps describe how to create a client TLS certificate profile by cloning and modifying the certificate profile TLS Server Profile created in the tutorial Issue TLS server certificates with EJBCA.

To create a certificate profile for client TLS certificates:

1. In EJBCA, under CA Functions, click Certificate Profiles.
   The Manage Certificate Profiles page displays a list of available profiles.
   
2. Click Clone next to the TLS Server Profile to use that as a basis for creating your new profile.
   
3. Name the new certificate profile TLS Client Profile and click Create from template.
4. To edit the profile values to fit your needs, find the newly created TLS Client Profile in the list and click Edit.
5. On the Edit page, verify that the type is End Entity and update Extended Key Usage to Client Authentication to make the profile a client TLS certificate profile.
   Extended key usages define how the certificate and the key pair can be used. If you need a key usage that is not available by default, you can add additional extended key usages in the EJBCA System Configuration, see Extended Key Usages.

6. Click Save to store the certificate profile.
   

The newly created TLS Client Profile is displayed in the list of certificate profiles.

Step 2 - Create end entity profile

Next, create an end entity profile that allows you to define what information about holders of certificates EJBCA keeps track of and adds as subject information.

An End Entity is a user of the PKI, like a device, person, or server. It is called the end entity as, in a hierarchy of certificates in the PKI, it is the endpoint and not authorized to issue any certificates of its own.

The end entity profile is used to define what subject information (e.g. subject DN and subject alternative name) to add to certificates. It is always used together with a certificate profile for certificate issuance. You can for example make it so that certificate requests are only allowed to contain certain values, otherwise they are reject, while some fields are free for the requestor to choose. 

Attribute values specified in end entity profiles are used either for validating requests, as optional default values or can be combined with values provided in a certificate request. For instance, if you make the country attribute non-modifiable and required, and specify SE as the country code, that means that certificates should only be issued to end entities from Sweden. 

Additionally, end entity profiles controls if the issuing CA should generate key pairs together with certificates or allow issuance based on certificate signing requests (CSRs) created by the end entity.

To create an end entity profile, follow these steps:

1. In EJBCA, under RA Functions, click End Entity Profiles.
2. In the Add Profile field, add a name for the new profile, in this example TLS Client Profile, and click Add profile.
3. Select the newly created TLS Client Profile, and click Edit End Entity Profile to update the profile.
   
4. Edit the profile and update the following:
   • Verify that End Entity E-mail is selected, not Required and Modifiable. This allows you to optionally add an email address to this user account in EJBCA to later enable notifications about expiring certificates and renewals, for example. For more information, see End Entity E-Mail.
     
   • Under Subject DN Attributes, specify the following:
     • For Subject DN Attributes, add an Organization field and a Country field.
     • For CN, Common Name, verify that Required and Modifiable are selected to make the name required when a new certificate is issued. The Common Name is the easy-to-understand name of the entity.
       
     • For O, Organization, verify that Required is selected and clear Modifiable and enter "Keyfactor Community" to be used as a fixed value for the organization.
       
     • For C, Country, verify that Required is selected and clear Modifiable and enter "SE" to use Sweden as a fixed value for the country.
   • Under Other Subject Attributes, you can specify options for Subject Alternative Name (SAN). Some browsers require this field and it should be implemented for server certificates:
     
     • In the Subject Alternative Name list, select DNS Name and click Add. For the displayed DNS Name field, select Use entity CN field to add a DNS name that is the same as your common name field.
     • Add additional optional DNS names to allow more than one DNS name in the certificates. Select DNS Name and click Add. For the displayed DNS Name field, leave the default Modifiable option selected. Repeat to add additional optional DNS names.
       
   • Under Main Certificate Data, map the certificate profile, CA, and type of key pair the profile can be used together with:
     
     • For Default Certificate Profile, select the TLS Client Profile you created in Step 1 - Create certificate profile).
     • For Default CAs, select the MyPKISubCA-G1 (created in Create a PKI Hierarchy in EJBCA) to only allow that Sub CA to issue certificates with this profile.
   • Specify Default Token options to define how the key pair generation should be implemented for the certificates:
     1. Select User Generated and CA-side key pair generation in P12 file format to allow the CA to generate the key pair together with the certificate.
        User Generated means that the requester generates their own key pair and thus that the user creates and provides a certificate signing request (CSR) for the certificate request to EJBCA. The other file options allow the CA to generate the private key and certificate and return those to the requester as a single file in the selected format.
5. Click Save to store the end entity profile.
   

Step 3 - Issue client certificate

To issue a TLS client certificate, use the EJBCA RA web interface to make a new request and enroll for a certificate using your new profiles.

1. In EJBCA, click RA Web to access the EJBCA RA UI.
2. Select Make New Request from the Enroll menu.
3. For Certificate Type, select your TLS Client Profile (created in Step 1 - Create certificate profile).
4. For Key-pair generation, select By the CA.
   
5. Specify the following information about the holder of the certificate, to be used in the certificate:
   • For CN, Common Name, specify a name, in this example Test01.
     
   • For Username, add Test01 to register the user under the username identical to the common name. The Username is the name that will go into the database and is often the same as the Common Name. 
     
   • For Enrollment code: Enter a password twice. This password will be used to encrypt the certificate bundle (P12 file) once downloaded.
   • For Email, specify test01@my.pki. This will be used as a metadata field in the EJBCA database and will not be added to the certificate.
6. Click Download PKCS#12 to download and save the private key and its associated certificate chain in a single, encrypted PKCS #12 file.
   

To view the certificates included in the downloaded Test01.p12 certificate bundle, open it with a tool that can handle PKCS#12 files and enter the password that you specified as the enrollment code to unlock the contents.

The P12 certificate bundle includes the private Elliptic Curve key and its associated certificate chain, containing the TLS certificate and CA certificates. Each certificate in the chain is verified by the entity identified by the next certificate in the chain. The Sub CA certificate is the issuer of the TLS certificate and the Root CA certificate is the issuer of the Sub CA certificate. 

Next steps

In this tutorial, you learned how to create a certificate profile for client TLS certificates, create a profile for the end entity with information about the certificate holder, and issue a TLS client certificate with CA-side key pair generation.

Next, to learn how to configure short-lived certificates, also known as ephemeral certificates, in EJBCA, you can follow the tutorial Tutorial - Configure EJBCA to issue short-lived (ephemeral) certificates.

Next, check out more video tutorials from Keyfactor Community.