Saturday, June 30, 2012

PKI: Setting up and using a Certificate Authority using EJBCA

In the post we will walk through the setup and configuration of EJBCA used as a CA.

Setting up EJBCA

Installation

Refer http://ejbca.org/installation.html for details. Here are a few tips:


  1. Copied unlimited strength policy files to jre/lib/security
  2. Refer  <EJBCA>/conf/ejbca.properties for detailed setup of EJBCA and other properties. I modified  the file to set the following:
    1. appserver.home=jboss-5.1.0.GA
    2. ca.keystorepass=mypass
      1. Had to setup this entry correctly in to avoid token errors. Also verify that CA token is online in the Admin UI otherwise we run into issues while enrolling certificates.
  3. We are using the default hsqldb that comes with Jboss. I modified the  <EJBCA>/conf/database properties to set blank password for hsqldb. Changing the password in this file will require ant deploy to be executed again. Might be safer to use ant clean first.hsqldb-ds.xml has properties that can be enabled to allow tcp communication to the database. It is disabled by default.
    1. database.password=
  4. Verify that  jboss-5.1.0.GA/server/default/deploy/ejbca-ds.xml and hsqldb-ds.xml have the correct database properties/values. 
  5. Refer  <EJBCA>/conf/install.properties for detailed setup of the CA properties. To name a few properties:
    1. ca.name=AdminCA1
    2. ca.dn=CN=AdminCA1,O=EJBCA Sample,C=SE
    3. One can also specify a configuration file here which defines key name, password and key alias for the HSM used.
      1. ca.tokenproperties=/home/ejbca/ejbca/conf/catoken.properties
    4. ca.signaturealgorithm=SHA1WithRSA ( need to change this and try with a better one).
  6. Added bouncy castle jars from ejbca/lib to jboss/server/default/lib
  7. Run:
    1.  ant bootstrap
      1. Files modified/copied include:
        1. deploy/ejbca-ds.xml
        2. deploy/ejbca-mail-service.xml
        3. deploy/ejbca.ear
    2.  ant install ( all default properties except passwords)
    3. ant deploy
      1. conf/keystore/keystore.jks
      2. conf/keystore/truststore.jks
      3. deploy/jboss-web.deployer/server.xml
  8. Known issues
    1. On JBoss 5.1.x (not on JBoss 6.0.x) the WSDL location gets incorrectly generated by default. 
      1. To fix this (see JBoss settings during install) edit: APPSRV_HOME/server/default/deployers/jbossws.deployer/META-INF/jboss-beans.xml and comment out the line: <property name="webServiceHost">${jboss.bind.address}</property> to force the location to be generated with info from the WSDL request. 
      2. If this is not done you will get "HTTP 302 Moved Temporarily" errors when running the WS client.
    2. If you are using Oracle's JDK and JBoss 5.1.x you need to copy EJBCA_HOME/lib/bc*.jar to JBOSS_HOME/server/default/lib/. Remember this when it's time for upgrades! This is a bug tracked by JBoss as JBAS-7882. OpenJDK works just fine though, such as the OpenJDK distributed with RedHat, Ubuntu, Debian etc.
    3. See installation link for other known issues with 5.1 and other Jboss versions.

Sample Output

Here are a few excerpts from the console:

Output 1:

Initializing CA
     [java] Generating rootCA keystore:
     [java] CA name: AdminCA1
     [java] SuperAdmin CN: SuperAdmin
     [java] DN: CN=AdminCA1,O=EJBCA Sample,C=SE
     [java] CA token type: soft
     [java] CA token password: hidden
     [java] Keytype: RSA
     [java] Keyspec: 2048
     [java] Validity (days): 3650
     [java] Policy ID: null
     [java] Signature alg: SHA1WithRSA
     [java] Certificate profile: ROOTCA
     [java] CA token properties: null
     [java] Signed by: self signed
     [java] Initalizing Temporary Authorization Module with caid=-xxxx and
 superadmin CN 'SuperAdmin'.
     [java] Creating CA...
     [java] CAId for created CA: -xxxx
     [java] -Created and published initial CRL.
     [java] CA initialized

Output 2a

Trying to add user:
Username: tomcat
     [java] Password: <password hidden>
     [java] DN: CN=localhost,O=EJBCA Sample,C=SE
     [java] CA Name: AdminCA1
...
Generating keys in directory <EJBCA>/p12.
Generating keys for tomcat.
     [java] Created Keystore for 'tomcat'.
     [java] New user generated successfully - tomcat.

Output 2b

Trying to add user:
     [java] Username: superadmin
     [java] Password: <password hidden>
     [java] DN: CN=SuperAdmin
     [java] CA Name: AdminCA1

Generating keys in directory C:worldsecurityejbca_4_0_9p12.
     [java] Generating keys for superadmin.
     [java] Created Keystore for 'superadmin'.
     [java] New user generated successfully - superadmin.

Output 3

Wrote Root CA certificate to '<Local>\Temp/rootca.der' using DER encoding.
     [echo] Adding to or creating keystore: <EJBCA>/p12/truststore.jks



Files Generated in <EJBCA>/p12

  • superadmin.p12

    • Copy this file to admin desktop machine and import in web browser. AdminUI uses client authentication and won't work without this. This is the super administrators certificate used to access the admin GUI. Other administrators with specific privileges can be created later on. The default password for superadmin.p12 is ejbca, and is configured in web.properties.
    • For creating other CAs or expired CAs...
      • ant -Dca.name="My CA Name" javatruststore
      • This adds the CA certificate to p12/truststore.jks and copies this file to JBOSS_HOME/server/default/conf/keystore, where the SSL keystores are located.

  • tomcat.jks

    • This is for the servlet container in Jboss (tomcat ofcourse) and doesn't have to be tampered with. Here is a sample output of the keys(password is default pass used):
                   <EJBCA>\p12>keytool -list -keystore tomcat.jks
                   cacert, Jun 1, 2012, trustedCertEntry, Certificate fingerprint (SHA1): 33:DA...
                     localhost, Jun 1, 2012, PrivateKeyEntry, 
                    Certificate fingerprint (SHA1): F8:4...

      • truststore.jks
              This is for the servlet container in Jboss (tomcat ofcourse) and doesn't have to be    tampered with.


      Accessing EJBCA

      Access EJBCA to verify the install. 

      Start Jboss

      jboss-5.1.0.GA\bin>run.bat > c:\jboss.log

      Access Admin UI



                       Name: manojscepcertificate
                      Password: manojscepcertificate
                      CN=manojscepcertificate


        • Also, if the certificate is intended for Tomcat, then the below properties should be set correctly under the "Main Certificate Data" section:
          • Certificate Profile:             SERVER
          • CA:                                  AdminCA1
          • Token:                             User Generated


      • Note: Double check if Token needs to be set to P12 for the enrollment to work correctly?
        • For instance the "tomcat" user that was created as part of install, has a generated certificate and the token is set to jks. So most probably the token should have an impact on what is returned from the server. Setting it to user defined might work as well since the (SCEP) client can dictate this.
      • You can search and edit the entities as well.

      EJBCA UI

      Access the UI via https://localhost:8443/ejbca/index.jsp 
      This UI allows enrolling for new certificates, getting the certificates and CRLs and links to Administration.

      Certificate Enrollment

      Click on "Create Certificate from CSR" in the UI or navigate to https://localhost:8443/ejbca/enrol/server.jsp and provide the below details:

      • Username ( entity created in admin UI)
      • Password ( entity created in admin UI)
      • Request file.
        • This corresponds to the CSR file that can be created by using the Keytool supplied with JDK. One can also use openSSL or any other tool for creating this as well.
        • Refer my blog post on how to create a certificate.
        • The CSR can be PEM- or DER-formated file. One can also paste the PEM formatted contents directly into the textbox as well. 
        • A PEM-formatted request is a BASE64 encoded certificate request starting with
          • -----BEGIN CERTIFICATE REQUEST-----
          • and ending with
          • -----END CERTIFICATE REQUEST-----
      • The result type should be set to "PKCS#7" to get a single file with the Reply and the certificate chain. 
      • This returned reply can be imported in the keystore to complete the Certificate generation and signing process. Again, refer my blog post on how to create a certificate to get details on the import process.

      Certificate Enrollment Using SCEP

      This is the subject of another blog post. <TODO: insert link to blog post on SCEP enrollment>

      References

      3 comments:

      1. I followed the installation steps mentioned and successfully performed this task. Each steps is explained in detail with appropriate information about what is going on. Thanks for this explanatory article.
        public key infrastructure

        ReplyDelete
      2. Can you insert link to blog post on SCEP enrollment please :)

        ReplyDelete
      3. Thank You and that i have a nifty give: How Many Home Renovation Shows Are There how to renovate a house

        ReplyDelete