Part 3: EJBCA Administration

The following sections cover administrating EJBCA and include instructions on how to create a 3-tier CA hierarchy, add custom certificate extensions, and how to create certificate profiles, end entities, and administrator roles.

In the examples below, the Certificate Services hostname is csserver.yourcompany.com. The text enclosed in angle brackets should be replaced with names in your environment.

Step 1 - Create 3-tier CA Hierarchy

The following sections cover how to create a 3-tier CA (Root CA, Intermediate CA, and Issuing CA) using soft keystores.

Create Root CA

Follow the steps below to create a Root CA Crypto Token, a Root CA Certificate Profile, and then the Root CA certificate.

Create Root CA Crypto Token

To create Crypto Tokens for the Root CA:

  1. In EJBCA, select Crypto Tokens under CA Functions, and then click Create new.

  2. Specify the following on the New Crypto Token page and click Save.

    1. Name: As name for the Crypto Token, specify "Root CA Token".

    2. Type=Soft.

    3. Authentication Code: Enter a password for the token.

    4. Auto-activation: Clear Use.

  3. Create three key pairs within the Crypto Token:

    1. Generate a signKey of size RSA 4096, used for cert signing.

    2. Generate a defaultKey of size RSA 4096, used for everything not signing or test.

    3. Generate a testKey of size RSA 1024, used for testing.

Create Root CA Certificate Profile

To create a Root CA Certificate Profile:

  1. Click Certificate Profiles under CA Functions.

  2. Clone the ROOTCA profile to create your own profile for the Root CA:

    1. Click Clone next to the ROOTCA profile.

    2. Specify "Root CA Certificate Profile" and click Create from template.

  3. Click Edit on the new Root CA Certificate Profile and specify the following:

    1. Available key algorithms: RSA.

    2. Available bit lengths: 4096.

    3. Validity: 25y.

    4. LDAP DN order: Clear (to get X509 DN ordering) for greater compatibility with systems that use certificates.

    5. Available CAs: Any CA.

  4. Click Save to save the Root CA Profile.

Create Root CA Certificate

To create a Root CA Certificate:

  1. Click Certificate Authorities under CA Functions.

  2. In the Add CA field, enter the name "Root CA" and click Create.

  3. On the Create CA page, specify the following and then click Create:

    1. Signing Algorithm: SHA256WithRSA.

    2. Crypto Token: Root CA Token.

    3. Subject DN: <RootCASubjectDN>.

    4. Signed By: Self Signed.

    5. Certificate Profile: Root CA Certificate Profile.

    6. Validity: 25y.

    7. CRL Distribution Point: <http://crl.yourcompany.com/Root_CA.crl>.

    8. OCSP Service Locator URI: <http://yourocsp.company.com>.

Create Intermediate CA

Follow the steps below to create an Intermediate CA Crypto Token, an Intermediate CA Certificate Profile, and then an Intermediate CA certificate.

Create Intermediate CA Crypto Token

To create an Intermediate CA Crypto Token:

  1. In EJBCA, select Crypto Tokens under CA Functions, and then click Create new.

  2. Specify the following on the New Crypto Token page and click Save.

    1. Name: As name for the Crypto Token, specify "Intermediate CA Token".

    2. Type=Soft.

    3. Authentication Code: Enter a password for the token.

    4. Auto-activation: Clear Use.

  3. Create three key pairs within the Crypto Token:

    1. Generate a signKey of size RSA 4096, used for cert signing.

    2. Generate a defaultKey of size RSA 4096, used for everything not signing or test.

    3. Generate a testKey of size RSA 1024, used for testing.

Create Intermediate CA Certificate Profile

To create an Intermediate CA Certificate Profile:

  1. Click Certificate Profiles under CA Functions.

  2. Clone the SUBCA profile to create your own profile for the Intermediate CA:

    1. Click Clone next to the SUBCA profile.

    2. Specify "Intermediate CA Certificate Profile" and click Create from template.

  3. Click Edit on the new Intermediate CA Certificate Profile and specify the following:

    1. Available key algorithms: RSA.

    2. Available bit lengths: 4096.

    3. Validity: 20y.

    4. LDAP DN order: Clear (to get X509 DN ordering) for greater compatibility with systems that use certificates.

    5. Available CAs: Root CA.

  4. Click Save to save the Intermediate CA Certificate Profile.

Create Intermediate CA Certificate

To create an Intermediate CA Certificate:

  1. Click Certificate Authorities under CA Functions.

  2. In the Add CA field, enter the name "Intermediate CA" and click Create.

  3. On the Create CA page, specify the following and then click Create:

    1. Signing Algorithm: SHA256WithRSA.

    2. Crypto Token: Intermediate CA Token.

    3. Subject DN: <IntermediateCASubjectDN>.

    4. Signed By: Root CA.

    5. Certificate Profile: Intermediate CA Certificate Profile.

    6. Validity: 20y.

    7. CRL Distribution Point: <http://crl.yourcompany.com/Intermediate_CA.crl>.

    8. OCSP Service Locator URI: <http://ocsp.yourcompany.com>.

Create Issuing CA

Create Issuing CA Crypto Token

To create an Issuing CA Crypto Token:

  1. In EJBCA, select Crypto Tokens under CA Functions, and then click Create new.

  2. Specify the following on the New Crypto Token page and click Save.

    1. Name: As name for the Crypto Token, specify "Issuing CA Token".

    2. Type=Soft.

    3. Authentication Code: Enter a password for the token.

    4. Auto-activation: Clear Use.

  3. Create three key pairs within the Crypto Token:

    1. Generate a signKey of size RSA 4096, used for cert signing.

    2. Generate a defaultKey of size RSA 4096, used for everything not signing or test.

    3. Generate a testKey of size RSA 1024, used for testing.

Create Issuing CA Certificate Profile

To create an Issuing CA Certificate Profile:

  1. Click Certificate Profiles under CA Functions.

  2. Clone the SUBCA profile to create your own profile for the Issuing CA:

    1. Click Clone next to the SUBCA profile.

    2. Specify "Issuing CA Certificate Profile" and click Create from template.

  3. Click Edit on the new Issuing CA Certificate Profile and specify the following:

    1. Available key algorithms: RSA.

    2. Available bit lengths: 4096.

    3. Validity: 15y.

    4. LDAP DN order: Clear (to get X509 DN ordering) for greater compatibility with systems that use certificates.

    5. Available CAs: Intermediate CA.

  4. Click Save to save the Issuing CA Certificate Profile.

Create Issuing CA Certificate

To create an Issuing CA Certificate:

  1. Click Certificate Authorities under CA Functions.

  2. In the Add CA field, enter the name "Issuing CA" and click Create.

  3. On the Create CA page, specify the following and then click Create:

    1. Signing Algorithm: SHA256WithRSA.

    2. Crypto Token: Issuing CA Token.

    3. Subject DN: <IssuingCASubjectDN>.

    4. Signed By: Intermediate CA.

    5. Certificate Profile: Issuing CA Certificate Profile.

    6. Validity: 15y.

    7. CRL Distribution Point: <http://crl.yourcompany.com/Issuing_CA.crl>.

    8. OCSP Service Locator URI: <http://ocsp.yourcompany.com>.

Step 2 - Create Custom Certificate Extensions

To create the custom extension for the Microsoft template information, do the following:

  1. In EJBCA, click System Configuration.

  2. Select the Custom Certificate Extensions tab and specify the following:

    1. Object Identifier (OID): "1.3.6.1.4.1.311.21.7".

    2. Label: "Certificate Template Information".

  3. Click Add.

  4. Click Edit on the added object and specify the following:

    1. Select the Encoding = DEROBJECT

    2. Set Dynamic to true.

  5. Click Save.

Step 3 - Create User and Computer Auto Enrollment Certificate Profiles

The following describes how to create user and computer profiles for Auto Enrollment.

Create Certificate Profile for User Auto Enrollment

To create a certificate profile for User Auto Enrollment:

  1. Click Certificate Profiles under CA Functions.

  2. Clone the ENDUSER profile to create your own profile for the Intermediate CA:

    1. Click Clone next to the ENDUSER profile.

    2. Specify "User_Certificate_Profile" and click Create from template.

  3. Click Edit on the new User_Certificate_Profile and specify the following:

    1. Key Usage: Digital Signature, Non-repudiation, and Key encipherment.

    2. Extended Key Usage: Client Authentication, Email Protection, and MS Encrypted File System (EFS).

    3. Used Custom Certificate Extensions: Certificate Template Information.

    4. Available CAs: Issuing CA.

  4. Click Save to save the Certificate Profile.

Create Certificate Profile for Computer Auto Enrollment

To create a certificate profile for Computer Auto Enrollment:

  1. Click Certificate Profiles under CA Functions.

  2. Clone the ENDUSER profile to create your own profile for the Intermediate CA:

    1. Click Clone next to the ENDUSER profile.

    2. Specify "Computer_Certificate_Profile" and click Create from template.

  3. Click Edit on the new Computer_Certificate_Profile and specify the following:

    1. Key Usage: Digital Signature and Key encipherment.

    2. Extended Key Usage: Client Authentication and Server Authentication.

    3. Used Custom Certificate Extensions: Certificate Template Information.

    4. Available CAs: Issuing CA.

  4. Click Save to save the Certificate Profile.

Step 4 - Create Tomcat Server and Web Services API Certificate Profiles

The following sections cover how to create certificate profiles for the Tomcat server and the Web Services API client.

Create Certificate Profile for Tomcat Server

To create a certificate profile for the Tomcat server:

  1. Click Certificate Profiles under CA Functions.

  2. Clone the SERVER profile to create your own profile for the Intermediate CA:

    1. Click Clone next to the SERVER profile.

    2. Specify "Tomcat_Server_Certificate_Profile" and click Create from template.

  3. Click Edit for the new Tomcat_Server_Certificate_Profile and specify the following:

    1. Available key algorithms: RSA.

    2. Available bit lengths: 2048 bits.

    3. Validity: 5y.

    4. CRL Distribution Points: Use.

    5. Use CA defined CRL Dist. Point: Use.

    6. Authority Information Access: Use.

    7. Use CA defined OCSP locator: Use.

    8. Available CAs: Issuing CA.

  4. Click Save to save the Tomcat server Certificate Profile.

Create Certificate Profile for Web Services API client

To create a certificate profile for Web Services API client:

  1. Click Certificate Profiles under CA Functions.

  2. Clone the ENDUSER profile to create your own profile for the Intermediate CA:

    1. Click Clone next to the ENDUSER profile.

    2. Specify "WebService_Client_Certificate_Profile" and click Create from template.

  3. Click Edit for the new WebService_Client_Certificate_Profile and specify the following:

    1. Available key algorithms: RSA.

    2. Available bit lengths: 2048 bits.

    3. Validity: 5y.

    4. Available CAs: ManagementCA.

  4. Click Save to save the Web Services API client Certificate Profile.

Step 5 - Create User and Computer Auto Enrollment End Entity Profiles

The following describes how to create User and Computer Auto Enrollment End Entity Profiles.

Create End Entity Profile for User Auto Enrollment

To create an End Entity Profile for User Auto Enrollment:

  1. Click End Entity Profiles under RA Functions.

  2. In the Add Profile field, specify User_End_Entity_Profile and click Add.

  3. Select the User_End_Entity_Profile, click Edit End Entity Profile, and specify the following:

    1. Subject DN Attributes: CN.

    2. Subject Alternative Name: MS UPN, User Principal Name.

    3. Default Certificate Profile: User_Certificate_Profile.

    4. Available Certificate Profiles: User_Certificate_Profile.

    5. Default CA: Issuing CA.

    6. Available CAs: Issuing CA.

    7. Default Token: User Generated.

    8. Available Tokens: User Generated.

  4. Click Save to store the end entity profile.

Create End Entity Profile for Computer Auto Enrollment

To create an End Entity Profile for Computer Auto Enrollment:

  1. Click End Entity Profiles under RA Functions.

  2. In the Add Profile field, specify Computer_End_Entity_Profile and click Add.

  3. Select the Computer_End_Entity_Profile, click Edit End Entity Profile, and specify the following:

    1. Subject DN Attributes: CN.

    2. Subject Alternative Name: DNS Name.

    3. Default Certificate Profile: Computer_Certificate_Profile.

    4. Available Certificate Profiles: Computer_Certificate_Profile.

    5. Default CA: Issuing CA.

    6. Available CAs: Issuing CA.

    7. Default Token: User Generated.

    8. Available Tokens: User Generated.

  4. Click Save to store the end entity profile.

Step 6 - Create Tomcat Server and Web Services API End Entity Profiles

Create End Entity Profile for SSL Server Certificate

To create an End Entity Profile for the SSL server certificate:

  1. Click End Entity Profiles under RA Functions.

  2. In the Add Profile field, specify TomcatServerEEProfile and click Add.

  3. Select the TomcatServerEEProfile, click Edit End Entity Profile, and specify the following:

    1. End Entity E-mail: Clear.

    2. Subject DN Attributes: CN.

    3. Subject Alternative Name: DNS Name.

    4. Default Certificate Profile: Tomcat_Server_Certificate_Profile.

    5. Available Certificate Profiles: Tomcat_Server_Certificate_Profile.

    6. Default CA: Issuing CA.

    7. Available CAs: Issuing CA.

    8. Default Token: JKS.

    9. Available Tokens: JKS.

  4. Click Save to store the end entity profile.

Create End Entity Profile for Web Services Client

To create an End Entity Profile for the Web Services Client:

  1. Click End Entity Profiles under RA Functions.

  2. In the Add Profile field, specify WebServiceClientEEProfile and click Add.

  3. Select the WebServiceClientEEProfile, click Edit End Entity Profile, and specify the following:

    1. End Entity E-mail: Clear.

    2. Subject DN Attributes: CN.

    3. Default Certificate Profile: WebService_Client_Certificate_Profile.

    4. Available Certificate Profiles: WebService_Client_Certificate_Profile.

    5. Default CA: ManagementCA.

    6. Available CAs: ManagementCA.

    7. Default Token: JKS.

    8. Available Tokens: JKS.

  4. Click Save to store the end entity profile.

Step 7 - Create Tomcat and Web Services End Entities

Create and Download Tomcat JKS Keystore

Create and download the Tomcat JKS Keystore according to the following steps and replace the text enclosed in angle brackets with the values used in your environment.

  1. Click Add End Entity under RA Functions and specify the following:

    1. End Entity Profile: TomcatServerEEProfile

    2. Username: tomcat_server.

    3. Password: <PASSWORD>.

    4. Confirm Password: <PASSWORD>.

    5. CN: <tomcatserver.yourcompany.com>.

    6. DNS Name: <tomcatserver.yourcompany.com>.

    7. Click Add.

  2. Select Public Web, click Create Keystore and specify the following:

    1. Username: tomcat_server.

    2. Password: <PASSWORD>.

    3. Click OK.

  3. Click Enroll and save the keystore as tomcat_server.jks.

Create and Download Web Services JKS Keystore

To create and download the Web Services JKS Keystore:

  1. Click Add End Entity under RA Functions and specify the following:

    1. End Entity Profile: WebServiceClientEEProfile

    2. Username: aewsclient.

    3. Password: <PASSWORD>

    4. Confirm Password: <PASSWORD>

    5. CN: aewsclient.

    6. Click Add.

  2. Select Public Web, click Create Keystore and specify the following:

    1. Username: aewsclient.

    2. Password: <PASSWORD>

    3. Click OK.

  3. Click Enroll and save the keystore as aewsclient.jks.

Step 8 - Create Administrator Roles for Web Services Client

To create administrator roles for the Web Services client, do the following:

  1. Click System Functions > Administrator Roles.

  2. Click Add and specify the name for the role: AutoEnrollment Web Services.

  3. Click on Members for AutoEnrollment Web Services and specify the following:

    1. Match with: X509: CN, Common Name.

    2. CA: ManagementCA.

    3. Match value: aewsclient.

    4. Click Add.

  4. Click Edit Access Rules for AutoEnrollment Web Services and specify the following:

    1. Role Template: RA Administrators.

    2. Authorized CA: Issuing CA.

    3. End Entity Rules: Create End Entities, Delete End Entities, Edit End Entities, and View End Entities.

    4. End Entity Profiles: Computer_End_Entity_Profile and User_End_Entity_Profile (select other End Entity Profiles that will be used with Auto Enrollment, if any).

    5. Other Rules: Clear View Audit Log.

  5. Click Save.