Install and configure EJBCA
EJBCA 6.0.3 – http://www.ejbca.org/download.html
JBoss AS 7.1.1 Final – http://download.jboss.org/jbossas/7.1/jboss-as-7.1.1.Final/jboss-as-7.1.1.Final.zip
Prereqs:
- OpenJDK 1.6 or later
- Apache Ant – http://mirror.tcpdiag.net/apache/
Ref:
Detailed deployment guide: http://majic.rs/book/free-software-x509-cookbook/setting-up-ejbca-as-certification-authority
EJBCA doc: http://wiki.ejbca.org/
Architecture
Import existing OpenSSL CA
Step 1 – Export the OpenSSL priv key and cert to a PKCS#12 keystore:
openssl pkcs12 -export -out existingCA1.p12 -inkey <ca-key.pem> -in <ca-cert.pem> -name existingCA1
Step 2 – Import the PKCS#12 keystore to EJBCA CA
/usr/share/ejbca/bin/ejbca.sh ca importca existingCA1.p12
Step 3 – Verify import
/usr/share/ejbca/bin/ejbca.sh ra adduser
### IMPORTANT ###
The distinguished name order used by OpenSSL may be the opposite of the EJBCA default configuration – http://www.csita.unige.it/software/free/ejbca/ … If so, this ordering must be changed in the EJBCA configuration prior to deploying (it can’t be set on a per-CA basis).
Have not been able to replicate this issue in testing.
Import existing TinyCA CA
Basic Admin and User operations
Create an end entity profile for server/client entities
Step 1 – Create a Certificate Profile (http://wiki.ejbca.org/certificateprofiles)
Step 2 – Create an End Entity Profile (http://wiki.ejbca.org/endentityprofiles)
* End entities can be deleted using:
/usr/share/ejbca/bin/ejbca.sh ra delendentity
Issuing certificates from CSRs
End entities need to be created for clients/servers that require certificates signed by our CA.
Step 1 – Create an End Entity (http://ejbca.org/userguide.html#Issue a new server certificate from a CSR)
Step 2 – Sign CSR using the End Entity which is associated with a CA
Importing existing certificates
EJBCA can create end entities and import their existing certificates one by one or in bulk (http://www.ejbca.org/docs/adminguide.html#Importing Certificates). Bulk inserts import all certificates under a single user, which may not be desirable. Below is a script to import all certs in a directory one by one, each under a new end entity that takes the name of the certificate CN.
#!/bin/sh
# For each certificate in the directory:
#   create an end entity
#   end entity username = certificate CN (plus the $AP suffix)
#   end entity token/password = certificate CN (plus the $AP suffix)
EJBCA_HOME="/usr/share/ejbca"
IMPORT_DIR=$1
CA=$2
ENDENTITYPROFILE=$3
SSLCERTPROFILE=$4
AP="_OTE"

if [ $# -lt 4 ]; then
    echo "usage: import_existing_certs.sh <import_dir> <ca_name> <end_entity_profile> <cert_profile>"
    exit 1
fi

for X in "$IMPORT_DIR"/*.pem
do
    echo "######################################################"
    echo "Importing: $X"
    # Extract the CN from the subject. The capture stops at the next RDN
    # separator (',' or '/') so a CN that is not the last component of the
    # subject is not captured together with whatever follows it.
    CN=$(openssl x509 -in "$X" -noout -subject | sed -n 's/^.*CN *= *\([^,/]*\).*/\1/p')
    echo "CN: $CN"
    # Echo the exact command that is about to run (same arguments as below).
    printf "Running import: %s ca importcert '%s' '%s' '%s' ACTIVE null '%s' '%s' '%s'\n" \
        "$EJBCA_HOME/bin/ejbca.sh" "$CN$AP" "$CN$AP" "$CA" "$X" "$ENDENTITYPROFILE" "$SSLCERTPROFILE"
    "$EJBCA_HOME/bin/ejbca.sh" ca importcert "$CN$AP" "$CN$AP" "$CA" ACTIVE null "$X" "$ENDENTITYPROFILE" "$SSLCERTPROFILE"
    echo "######################################################"
done
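A pre-flight check for the import script above, added here as an example and not part of the original post: it walks the same directory, prints each subject in OpenSSL encoding order and in RFC 2253 order (the ordering difference the IMPORTANT note warns about), shows the CN the script would use as the end entity username even when CN is not the last subject component, and flags certificates that have already expired before they are imported as ACTIVE. It assumes a POSIX sh and the openssl CLI on PATH; no EJBCA instance is contacted.

```shell
#!/bin/sh
# Added example: pre-flight report for certificates about to be imported
# into EJBCA one by one. Assumes POSIX sh and the openssl CLI.

# Subject in the order it is encoded in the certificate (C, O, ..., CN).
cert_dn_encoded() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_comma_plus \
        | sed 's/^subject= *//'
}

# Subject in RFC 2253 (reversed) order, the form LDAP-style tools display.
cert_dn_rfc2253() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
        | sed 's/^subject= *//'
}

# CN taken from a one-RDN-per-line rendering of the subject, so it is
# correct even when CN is followed by other components such as OU.
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt sep_multiline \
        | sed -n 's/^[[:space:]]*CN=//p' | head -n 1
}

# Exit status 0 if the certificate is still valid for at least $2 days.
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# Walk a directory the way the import script does and report each file.
preflight_dir() {
    for X in "$1"/*.pem; do
        [ -f "$X" ] || continue
        printf 'file:     %s\n' "$X"
        printf 'encoded:  %s\n' "$(cert_dn_encoded "$X")"
        printf 'rfc2253:  %s\n' "$(cert_dn_rfc2253 "$X")"
        printf 'username: %s\n' "$(cert_cn "$X")"
        if cert_valid_for_days "$X" 0; then
            printf 'status:   valid\n'
        else
            printf 'status:   EXPIRED (the import script would still mark it ACTIVE)\n'
        fi
    done
}
```

Run it as `preflight_dir /path/to/certs` with the same directory you intend to pass to the import script.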
Creating administrators
Create administrators that can sign CSR and revoke certificates: http://ejbca.org/userguide.html#Administrator%20roles
Revoking certificates
# Generate CRL via command line
# List CAs
/usr/share/ejbca/bin/ejbca.sh CA listcas
# Create new CRLs:
/usr/share/ejbca/bin/ejbca.sh CA createcrl "<caname>" -pem
# Export CRL to file
/usr/share/ejbca/bin/ejbca.sh CA getcrl "<caname>" -pem <outfile>.pem
Checking certificate validity/revocation status via OCSP
openssl ocsp -issuer gtld_CA_cert.pem -CAfile gtld_CA_cert.pem \
    -cert gtld_registrar5.pem -req_text -url http://localhost:8080/ejbca/publicweb/status/ocsp
Monitoring expiring certs
/usr/share/ejbca/bin/ejbca.sh listexpired 100
9 replies on “Migrating to EJBCA from OpenSSL and TinyCA”