Saturday, June 30, 2012

PKI: Setting up and using a Certificate Authority using EJBCA

In this post we will walk through the setup and configuration of EJBCA used as a CA.

Setting up EJBCA

Installation

Refer to http://ejbca.org/installation.html for details. Here are a few tips:

  1. Copied the unlimited strength JCE policy files to jre/lib/security.
  2. Refer to <EJBCA>/conf/ejbca.properties for the detailed setup of EJBCA and other properties. I modified the file to set the following:
    1. appserver.home=jboss-5.1.0.GA
    2. ca.keystorepass=mypass
      1. This entry had to be set correctly to avoid token errors. Also verify that the CA token is online in the Admin UI, otherwise we run into issues while enrolling certificates.
  3. We are using the default hsqldb that comes with JBoss. I modified <EJBCA>/conf/database.properties to set a blank password for hsqldb. Changing the password in this file requires ant deploy to be executed again; it might be safer to run ant clean first. hsqldb-ds.xml has properties that can be enabled to allow TCP communication with the database; it is disabled by default.
    1. database.password=
  4. Verify that jboss-5.1.0.GA/server/default/deploy/ejbca-ds.xml and hsqldb-ds.xml have the correct database properties/values.
  5. Refer to <EJBCA>/conf/install.properties for the detailed setup of the CA properties. To name a few:
    1. ca.name=AdminCA1
    2. ca.dn=CN=AdminCA1,O=EJBCA Sample,C=SE
    3. One can also specify a configuration file here which defines the key name, password and key alias for the HSM used:
      1. ca.tokenproperties=/home/ejbca/ejbca/conf/catoken.properties
    4. ca.signaturealgorithm=SHA1WithRSA (need to change this and try a better one).
  6. Added the Bouncy Castle jars from ejbca/lib to jboss/server/default/lib.
  7. Run:
    1. ant bootstrap
      1. Files modified/copied include:
        1. deploy/ejbca-ds.xml
        2. deploy/ejbca-mail-service.xml
        3. deploy/ejbca.ear
    2. ant install (all default properties except passwords)
    3. ant deploy
      1. Files modified/copied include:
        1. conf/keystore/keystore.jks
        2. conf/keystore/truststore.jks
        3. deploy/jboss-web.deployer/server.xml
  8. Known issues
    1. On JBoss 5.1.x (not on JBoss 6.0.x) the WSDL location gets incorrectly generated by default.
      1. To fix this (see JBoss settings during install) edit APPSRV_HOME/server/default/deployers/jbossws.deployer/META-INF/jboss-beans.xml and comment out the line <property name="webServiceHost">${jboss.bind.address}</property> to force the location to be generated with info from the WSDL request.
      2. If this is not done you will get "HTTP 302 Moved Temporarily" errors when running the WS client.
    2. If you are using Oracle's JDK and JBoss 5.1.x you need to copy EJBCA_HOME/lib/bc*.jar to JBOSS_HOME/server/default/lib/. Remember this when it's time for upgrades! This is a bug tracked by JBoss as JBAS-7882. OpenJDK works just fine though, such as the OpenJDK distributed with RedHat, Ubuntu, Debian etc.
    3. See the installation link for other known issues with 5.1 and other JBoss versions.
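The properties set in the steps above are worth re-checking before ant install, because a blank database.password and the SHA1WithRSA signature algorithm both end up in the running CA. As an added example (not part of the original post and not EJBCA's own code), the Python below parses Java .properties text of the kind found in conf/ejbca.properties, conf/database.properties and conf/install.properties and flags an empty database password, a missing or empty ca.keystorepass, and a CA signature algorithm built on a deprecated digest. The file contents embedded in it are constructed from the values listed above.

```python
"""Audit EJBCA configuration properties for risky settings.

Added example, not EJBCA's own code. Parses Java .properties text and flags
the settings the post touches: an empty database password, a missing or empty
CA keystore password, and a signature algorithm built on a deprecated digest.
The sample file contents below are constructed from the values the post sets.
"""
import re

# Constructed sample contents, keyed by the file each snippet stands for.
SAMPLE_FILES = {
    "conf/ejbca.properties": """
# Application server and CA token settings
appserver.home=jboss-5.1.0.GA
ca.keystorepass=mypass
""",
    "conf/database.properties": """
# Default hsqldb shipped with JBoss, blank password as in the post
database.password=
""",
    "conf/install.properties": """
ca.name=AdminCA1
ca.dn=CN=AdminCA1,O=EJBCA Sample,C=SE
ca.signaturealgorithm=SHA1WithRSA
""",
}

# Signature algorithm prefixes whose digest is no longer acceptable for a CA.
WEAK_DIGEST_PREFIXES = ("SHA1", "MD5", "MD2")


def parse_properties(text):
    """Parse Java .properties syntax: '#' or '!' comments, key=value or
    key:value, and backslash line continuations. Later keys win."""
    props = {}
    pending = []  # pieces of one logical line spanning continuations
    for raw in text.splitlines():
        line = raw.lstrip()
        if not pending and (not line or line[0] in "#!"):
            continue
        # An odd number of trailing backslashes means "continue on next line".
        trailing = len(line) - len(line.rstrip("\\"))
        if trailing % 2 == 1:
            pending.append(line[:-1])
            continue
        pending.append(line)
        logical = "".join(pending)
        pending = []
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def audit(props):
    """Return a list of (severity, key, message) findings for merged props."""
    findings = []
    if props.get("database.password", None) == "":
        findings.append(("high", "database.password",
                         "database password is empty"))
    if not props.get("ca.keystorepass"):
        findings.append(("high", "ca.keystorepass",
                         "CA keystore password is missing or empty"))
    alg = props.get("ca.signaturealgorithm", "")
    if alg.upper().startswith(WEAK_DIGEST_PREFIXES):
        findings.append(("medium", "ca.signaturealgorithm",
                         f"{alg} uses a deprecated digest; use SHA256WithRSA or stronger"))
    return findings


def audit_files(files):
    """Merge every file's properties (later files override) and audit them."""
    merged = {}
    for text in files.values():
        merged.update(parse_properties(text))
    return audit(merged)


if __name__ == "__main__":
    for severity, key, message in audit_files(SAMPLE_FILES):
        print(f"[{severity}] {key}: {message}")
```

To run it against a real install, read the three conf files into the dict in place of the constructed strings; the parser tolerates comments and continuation lines, so the files can be passed through unmodified.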

Sample Output

Here are a few excerpts from the console:

Output 1:

Initializing CA
     [java] Generating rootCA keystore:
     [java] CA name: AdminCA1
     [java] SuperAdmin CN: SuperAdmin
     [java] DN: CN=AdminCA1,O=EJBCA Sample,C=SE
     [java] CA token type: soft
     [java] CA token password: hidden
     [java] Keytype: RSA
     [java] Keyspec: 2048
     [java] Validity (days): 3650
     [java] Policy ID: null
     [java] Signature alg: SHA1WithRSA
     [java] Certificate profile: ROOTCA
     [java] CA token properties: null
     [java] Signed by: self signed
     [java] Initalizing Temporary Authorization Module with caid=-xxxx and
 superadmin CN 'SuperAdmin'.
     [java] Creating CA...
     [java] CAId for created CA: -xxxx
     [java] -Created and published initial CRL.
     [java] CA initialized

Output 2a:

Trying to add user:
Username: tomcat
     [java] Password: <password hidden>
     [java] DN: CN=localhost,O=EJBCA Sample,C=SE
     [java] CA Name: AdminCA1
...
Generating keys in directory <EJBCA>/p12.
Generating keys for tomcat.
     [java] Created Keystore for 'tomcat'.
     [java] New user generated successfully - tomcat.

Output 2b:

Trying to add user:
     [java] Username: superadmin
     [java] Password: <password hidden>
     [java] DN: CN=SuperAdmin
     [java] CA Name: AdminCA1

Generating keys in directory C:worldsecurityejbca_4_0_9p12.
     [java] Generating keys for superadmin.
     [java] Created Keystore for 'superadmin'.
     [java] New user generated successfully - superadmin.

Output 3:

Wrote Root CA certificate to '<Local>\Temp/rootca.der' using DER encoding.
     [echo] Adding to or creating keystore: <EJBCA>/p12/truststore.jks

Files Generated in <EJBCA>/p12

  • superadmin.p12
    • Copy this file to the admin desktop machine and import it in the web browser. The Admin UI uses client authentication and won't work without this. This is the super administrator's certificate used to access the admin GUI. Other administrators with specific privileges can be created later on. The default password for superadmin.p12 is ejbca, and is configured in web.properties.
    • For creating other CAs or for expired CAs:
      • ant -Dca.name="My CA Name" javatruststore
      • This adds the CA certificate to p12/truststore.jks and copies this file to JBOSS_HOME/server/default/conf/keystore, where the SSL keystores are located.

  • tomcat.jks
    • This is for the servlet container in JBoss (Tomcat, of course) and doesn't have to be tampered with. Here is a sample listing of the keys (the password is the default one used):

        <EJBCA>\p12>keytool -list -keystore tomcat.jks
        cacert, Jun 1, 2012, trustedCertEntry, Certificate fingerprint (SHA1): 33:DA...
        localhost, Jun 1, 2012, PrivateKeyEntry, Certificate fingerprint (SHA1): F8:4...

  • truststore.jks
    • This is for the servlet container in JBoss (Tomcat, of course) and doesn't have to be tampered with.

Accessing EJBCA

Access EJBCA to verify the install.

Start JBoss

jboss-5.1.0.GA\bin>run.bat > c:\jboss.log

Access Admin UI

    Name: manojscepcertificate
    Password: manojscepcertificate
    CN=manojscepcertificate

  • Also, if the certificate is intended for Tomcat, then the below properties should be set correctly under the "Main Certificate Data" section:
    • Certificate Profile: SERVER
    • CA: AdminCA1
    • Token: User Generated
  • Note: double-check whether Token needs to be set to P12 for the enrollment to work correctly.
    • For instance the "tomcat" user that was created as part of the install has a generated certificate and its token is set to JKS. So most probably the token has an impact on what is returned from the server. Setting it to User Generated might work as well since the (SCEP) client can dictate this.
  • You can search and edit the entities as well.

EJBCA UI

Access the UI via https://localhost:8443/ejbca/index.jsp
This UI allows enrolling for new certificates, getting the certificates and CRLs, and links to Administration.

Certificate Enrollment

Click on "Create Certificate from CSR" in the UI or navigate to https://localhost:8443/ejbca/enrol/server.jsp and provide the below details:

• Username (entity created in the admin UI)
• Password (entity created in the admin UI)
• Request file.
  • This corresponds to the CSR file, which can be created using the keytool supplied with the JDK. One can also use OpenSSL or any other tool to create it.
  • Refer to my blog post on how to create a certificate.
  • The CSR can be a PEM- or DER-formatted file. One can also paste the PEM-formatted contents directly into the textbox.
  • A PEM-formatted request is a BASE64-encoded certificate request starting with -----BEGIN CERTIFICATE REQUEST----- and ending with -----END CERTIFICATE REQUEST-----.
• The result type should be set to "PKCS#7" to get a single file with the reply and the certificate chain.
• This returned reply can be imported into the keystore to complete the certificate generation and signing process. Again, refer to my blog post on how to create a certificate for details on the import process.
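The enrol page accepts the request either in the PEM form described above or as DER. As an added example (not part of the original post and not EJBCA's own code), the Python below is a client-side pre-check to run before uploading: it normalises either encoding to DER, walks the PKCS#10 structure far enough to read the subject, and confirms that the subject matches the DN of the end entity registered in the Admin UI, so a request for the wrong name is caught before it reaches the CA. The sample request is constructed by hand with placeholder key and signature bytes (the layout is valid PKCS#10, but it is not a real signed CSR), the DN is the tomcat entity's from the install output, and the function names are this example's own.

```python
"""Pre-check a certificate request before uploading it to EJBCA's enrol page.

Added example, not EJBCA's own code: accepts the request as PEM text or raw
DER, normalises it to DER, reads the PKCS#10 subject and compares it with the
end entity's DN. The sample request is constructed with placeholder key and
signature bytes, so only structure and subject are checked, never a signature.
"""
import base64

PEM_BEGIN = "-----BEGIN CERTIFICATE REQUEST-----"
PEM_END = "-----END CERTIFICATE REQUEST-----"
OID_NAMES = {b"\x55\x04\x06": "C", b"\x55\x04\x0a": "O", b"\x55\x04\x03": "CN"}


def der(tag, payload):
    """Encode one DER TLV in definite-length form (payloads under 64 KiB)."""
    n = len(payload)
    if n < 0x80:
        length = bytes([n])
    elif n < 0x100:
        length = bytes([0x81, n])
    else:
        length = bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + payload


def parse_dn(dn):
    """Split 'CN=localhost,O=EJBCA Sample,C=SE' into a dict (no escaped commas)."""
    return dict(part.strip().split("=", 1) for part in dn.split(","))


def build_sample_csr(dn):
    """Hypothetical PKCS#10 request for dn: valid layout, zeroed key/signature."""
    oid_for = {name: oid for oid, name in OID_NAMES.items()}
    # Each RDN is a SET holding one SEQUENCE { OID, UTF8String }.
    rdns = b"".join(der(0x31, der(0x30, der(0x06, oid_for[k]) + der(0x0C, v.encode())))
                    for k, v in parse_dn(dn).items())
    rsa = der(0x06, bytes.fromhex("2A864886F70D010101"))  # rsaEncryption OID
    spki = der(0x30, der(0x30, rsa + der(0x05, b"")) + der(0x03, b"\x00" * 9))
    cri = der(0x30, der(0x02, b"\x00") + der(0x30, rdns) + spki + der(0xA0, b""))
    sig_alg = der(0x30, der(0x06, bytes.fromhex("2A864886F70D01010B")) + der(0x05, b""))
    return der(0x30, cri + sig_alg + der(0x03, b"\x00" * 17))  # sha256WithRSA, zero sig


def to_pem(der_bytes):
    """Wrap DER in the PEM armour the enrol page accepts."""
    b64 = base64.b64encode(der_bytes).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"{PEM_BEGIN}\n{body}\n{PEM_END}\n"


def normalize_csr(data):
    """Return DER bytes for a PEM (str or bytes) or DER request; else ValueError."""
    if isinstance(data, str):
        data = data.encode("ascii")
    if data.lstrip().startswith(b"-----BEGIN"):
        text = data.decode("ascii")
        start, end = text.find(PEM_BEGIN), text.find(PEM_END)
        if start < 0 or end < start:
            raise ValueError("PEM markers missing or out of order")
        body = "".join(text[start + len(PEM_BEGIN):end].split())
        return base64.b64decode(body, validate=True)
    if data[:1] == b"\x30":  # DER request starts with a SEQUENCE tag
        return data
    raise ValueError("input is neither a PEM nor a DER certificate request")


def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or nbytes > 4:
            raise ValueError("unsupported DER length encoding")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("DER length runs past end of input")
    return tag, buf[pos:pos + length], pos + length


def children(payload):
    """Split a constructed value into its (tag, value) elements."""
    out, pos = [], 0
    while pos < len(payload):
        tag, value, pos = read_tlv(payload, pos)
        out.append((tag, value))
    return out


def csr_subject(der_bytes):
    """Extract the subject of a PKCS#10 request as {'CN': ..., 'O': ..., ...}."""
    tag, csr, end = read_tlv(der_bytes, 0)
    if tag != 0x30 or end != len(der_bytes):
        raise ValueError("request is not a single SEQUENCE")
    cri_tag, cri = children(csr)[0]  # certificationRequestInfo
    (ver_tag, _), (subj_tag, subject) = children(cri)[:2]
    if cri_tag != 0x30 or ver_tag != 0x02 or subj_tag != 0x30:
        raise ValueError("unexpected certificationRequestInfo layout")
    attrs = {}
    for _, rdn_set in children(subject):
        for _, atv in children(rdn_set):
            (_, oid), (_, value) = children(atv)
            attrs[OID_NAMES.get(oid, oid.hex())] = value.decode("utf-8")
    return attrs


def subject_matches(request, end_entity_dn):
    """True when the request's subject equals the end entity's DN attributes."""
    return csr_subject(normalize_csr(request)) == parse_dn(end_entity_dn)


TOMCAT_DN = "CN=localhost,O=EJBCA Sample,C=SE"  # tomcat entity DN from the install output
SAMPLE_CSR_DER = build_sample_csr(TOMCAT_DN)

if __name__ == "__main__":
    pem = to_pem(SAMPLE_CSR_DER)
    print(pem)
    print("subject:", csr_subject(normalize_csr(pem)))
    print("matches tomcat entity:", subject_matches(pem, TOMCAT_DN))
    print("matches superadmin entity:", subject_matches(pem, "CN=SuperAdmin"))
```

A real CSR produced by keytool or OpenSSL can be passed to subject_matches directly; the check only reads the subject and does not verify the request's self-signature, which EJBCA does on its side when the request is submitted.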

      Certificate Enrollment Using SCEP

      This is the subject of another blog post. <TODO: insert link to blog post on SCEP enrollment>

      References