EJBCA Cloud Azure VA Configuration and Administration Guide

PRINT DATE: 2019-05-22


Copyright ©2019 PrimeKey Solutions

Published by PrimeKey Solutions AB

Solna Access, Sundbybergsvägen 1

SE-171 73 Solna, Sweden

To report errors, please send a note to [email protected].

Notice of Rights

All rights reserved. No part of this guide may be reproduced or transmitted in any form by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. For more information on getting permission for reprints and excerpts, contact [email protected].

Notice of Liability

The information in this guide is distributed on an “As Is” basis without warranty. While every precaution has been taken in the preparation of the guide, neither the authors nor PrimeKey shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the instructions contained in the guide or by computer software and hardware products described in it.

Trademarks

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this guide, and PrimeKey was aware of a trademark claim, the designations appear as requested by the owner of the trademark. All other product names and services identified throughout this guide are used in editorial fashion only and for the benefit of such companies with no intention of infringement of the trademark. No such use, or the use of any trade name, is intended to convey endorsement or other affiliation with this guide.


Table of Contents

Introduction ........ 4
  Documentation ........ 4
EJBCA VA Introduction ........ 5
  EJBCA Validation Authority (VA) ........ 5
  Concepts ........ 5
  External OCSP Responders ........ 6
Azure Operating Environment ........ 8
  Azure ........ 9
  Virtual Network Configuration ........ 9
Azure vNet-to-vNet Connections for VAs ........ 10
  Create a Gateway Subnet for the CA and the RA/VA hosts ........ 10
  Create a virtual network gateway ........ 12
  Create and configure the vNet for the other side ........ 16
  Configure the gateway connection ........ 18
  Configure the RA/VA to CA gateway connection ........ 20
  Verify your connections ........ 21
CA and VA Configuration ........ 23
  Apache Certificate Generation for the VA ........ 23
  Step 1: On the CA ........ 26
  Setup Peer Systems ........ 32
  Create a Peer Publisher on the CA ........ 36
  Edit a Certificate Profile to use the Publisher ........ 37
  Create Crypto Token to store OCSP Key binding key on VA ........ 37
  Testing OCSP ........ 40

© 2019 PRIMEKEY 4 (41)

Introduction

This guide is intended to assist an EJBCA Cloud administrator with EJBCA CA-to-VA configuration and administration tasks related to VA management in Microsoft Azure.

This configuration assumes that the user has procured at least two nodes in the Microsoft Azure Marketplace following the EJBCA Cloud Azure Launch Guide.

This guide also assumes that a CA (Certificate Authority) requiring OCSP services is configured. OCSP responses are signed with a key issued by a CA so that relying parties can validate them. That CA must exist to sign the OCSP responses for the purposes of this configuration guide.

Documentation

EJBCA Cloud documentation is available on: https://download.primekey.com/docs/EJBCA-Enterprise-Cloud/latest/

EJBCA Enterprise documentation is available on: https://download.primekey.com/docs/EJBCA-Enterprise/latest/

Additional information on EJBCA Community is available on: www.ejbca.org


EJBCA VA Introduction

EJBCA Validation Authority (VA)

For detailed information on VA Services, refer to the online EJBCA Documentation on ejbca.org.

Concepts

• EJBCA: PKI software suite that includes CA, VA and RA.

• Certificate Authority (CA): A CA issues certificates to entities and vouches for their authenticity. The level of trust you can assign to a CA is individual, per CA, and depends on the CA's Certificate Policy (CP) and Certification Practice Statement (CPS).

• Validation Authority (VA): A VA is responsible for providing information on whether certificates are valid or not. There can be one or more VAs connected to each CA in the PKI. It can be run as part of the CA or as a separate service.

• Peer Systems: A mechanism for connections initiated from the CA to the VA (or RA), over which messages for control and operations are passed.

• Certificate Store: The CA Certificate Store is used to get a certificate chain up to the root CA in order to verify that a certificate is signed by a valid CA (it is valid if the root is trusted). RFC 4387 specifies how the certificates are retrieved. The service is configured using Modular Protocols Configuration.

• CRL Store: The CRL Store is used to get a Certificate Revocation List (a signed list of revoked certificates) for a CA. RFC 4387 specifies how the CRLs are retrieved. The service is configured using Modular Protocols Configuration.

• OCSP Responder: The OCSP Responder is used to ask whether a certificate is revoked or not. The OCSP protocol is specified in RFC 2560 and its successor RFC 6960.


External OCSP Responders

External OCSP responders serve multiple purposes:

• Separating the validation service from the CA service. This increases security because the CA service does not have to accept any incoming connections.

• Ensuring the highest availability of the validation service. Using external OCSP responders you can have several completely independent nodes. This means that you can do maintenance on the CA, or on some of the OCSP nodes, without disturbing the availability of the validation service.

• Ensuring the highest performance. The external OCSP responder is very fast, and a single responder can answer hundreds of requests per second. In addition, the external OCSP responders scale linearly by adding multiple independent OCSP nodes.

The following shows a rough schema of the architecture using external OCSP responders.

The EJBCA external OCSP responder does not rely on CRLs being issued by the CA. Instead, the OCSP responder uses its own database with certificate status information. This can be a replica of the CertificateData table in EJBCA. In normal operation, the EJBCA CA pushes status changes to the external OCSP database when certificates are issued and revoked in EJBCA.

The external OCSP responder is not limited to usage in combination with EJBCA though. The external OCSP database can simply be updated by other tools, for example being fed with CRLs from other CAs.

Features


• Implements RFC 2560, RFC 6960 and RFC 5019.

• Independent of CA software used (various degrees of integration possible and may be required).

• One responder can respond for any number of CAs.

• Status information stored in SQL database.

• Not depending on CRLs. Status information can be updated in real-time.

• Plug-in mechanism for custom OCSP extensions.

• Highly configurable audit and transaction logging. Suitable for invoicing.

• Supports PKCS#11 HSMs and soft keys.

• Built-in health check used by load balancers and for monitoring.

• Configurable for requiring signed requests, authorized signers, etc.

• Can answer good or unknown to non-existing certificates, with different configuration based on request URI.

• Linear scalability for performance and high availability by adding multiple nodes.

• High performance, >500 requests per second on a single server.

• On-line renewal of OCSP responder keys and certificates.

• OCSP client in Java (Client ToolBox).

• Support for Norwegian Unid FNR extension.

• Support for German CertificateHash extension.


Azure Operating Environment


Azure

Begin by starting two EJBCA Enterprise Cloud for Microsoft Azure instances. In this example we will have the following two nodes:

• Node 1 - CA using IP 10.2.0.4 – WestUS – 10.2.0.0/16 address space

• Node 2 - RA using IP 10.4.0.4 – EastUS – 10.4.0.0/16 address space

One of the nodes is in WestUS and the other in EastUS. For the purposes of this guide we are going to use the instance ID from Node 1 as the password. You can obtain this from Azure Explorer or by running the following command on the instance itself:

# curl -sH Metadata:true "http://169.254.169.254/metadata/instance/network/interface/0/macAddress?api-version=2017-08-01&format=text"

Virtual Network Configuration

To get the nodes to communicate, it is assumed that a vNet-to-vNet VPN will need to be configured. This topic is covered in the next section. For additional information on configuring a vNet-to-vNet VPN beyond what is covered in this guide, refer to Azure's vNet-to-vNet Configuration Guide.

Optionally, for testing purposes, all nodes can be set up within the same Virtual Network. This is not ideal since it does not provide any availability guarantees if one of the Azure sites has an outage.

A network security group is also needed in each virtual network. That configuration will be outlined below since it pertains directly to the Galera communication.


Azure vNet-to-vNet Connections for VAs

In order for the two EJBCA instances in Azure to communicate, vNet-to-vNet connections are necessary to allow traffic across the two networks. In this guide we have two Resource Groups, each containing a virtual network. The resource groups we have created are:

• ejbca-ca-westus

• ejbca-ra-eastus

Each of these resource groups has a vnet01 that was created at provisioning time.

Create a Gateway Subnet for the CA and the RA/VA hosts

To create a gateway subnet:

1. In the Azure portal, select the Resource Group for the instance you are going to connect.  The resource group in this scenario is ejbca-ca-westus.


2. Select the "vnet01" virtual network to create a virtual network gateway.

3. In the Settings section of your virtual network page, select Subnets to expand the Subnets page.

4. On the Subnets page, select Gateway subnet to open the Add subnet page.


5. The Name for your subnet is automatically autofilled with the value GatewaySubnet. This value is required for Azure to recognize the subnet as the gateway subnet. Adjust the autofilled Address range values to match your configuration requirements, then select OK to create the subnet.

6. Click the   button to create the subnet.

7. Perform these same steps for the other host.

Create a virtual network gateway

In this step, you create the virtual network gateway for your VNet. Creating a gateway can often take 45 minutes or more, depending on the selected gateway SKU.


To create a virtual network gateway:

1. Sign in to the Azure portal and select Create a resource. The New page opens.

2. In the Search the marketplace field, enter virtual network gateway, and select Virtual network gateway from the search list.

3. On the Virtual network gateway page, select   to open the Create virtual network gateway page.

4. On the Create virtual network gateway page, fill in the values for your virtual network gateway:

• Name: Enter a name for the gateway object you're creating. This name is different from the gateway subnet name.

• Gateway type: Select VPN for VPN gateways.

• VPN type: Select the VPN type that is specified for your configuration. Most configurations require a Route-based VPN type.

• SKU: Select the gateway SKU from the dropdown. The SKUs listed in the dropdown depend on the VPN type you select. For more information about gateway SKUs, see Gateway SKUs. Only select Enable active-active mode if you're creating an active-active gateway configuration. Otherwise, leave this setting unselected.

• Location: You may need to scroll to see Location. Set Location to the location where your virtual network is located. For example, West US. If you don't set the location to the region where your virtual network is located, it won't appear in the drop-down list when you select a virtual network.

• Virtual network: Choose the virtual network to which you want to add this gateway. Select Virtual network to open the Choose virtual network page and select the VNet. If you don't see your VNet, make sure the Location field is set to the region in which your virtual network is located.

• Gateway subnet address range: You'll only see this setting if you didn't previously create a gateway subnet for your virtual network. If you previously created a valid gateway subnet, this setting won't appear.

• Public IP address: This setting specifies the public IP address object that's associated with the VPN gateway. The public IP address is dynamically assigned to this object when the VPN gateway is created. The VPN gateway currently supports only Dynamic public IP address allocation. However, dynamic allocation doesn't mean that the IP address changes after it has been assigned to your VPN gateway. The only time the public IP address changes is when the gateway is deleted and re-created. It doesn't change across resizing, resetting, or other internal maintenance/upgrades of your VPN gateway.

• Leave Create new selected.

• In the text box, enter a name for your public IP address.

• Configure BGP ASN: Leave this setting unselected, unless your configuration specifically requires it. If you do require this setting, the default ASN is 65515, which you can change.

• Once filled in, click 


5. Verify the settings and select  to begin creating the VPN gateway. The settings are validated and you'll see the Deploying Virtual network gateway tile on the dashboard. Creating a gateway can take up to 45 minutes. You may need to refresh your portal page to see the completed status.

6. After you create the gateway, verify the IP address that's been assigned to it by viewing the virtual network in the portal. The gateway appears as a connected device. You can select the connected device (your virtual network gateway) to view more information.  Proceed to the next section to start configuring the other side.

Create and configure the vNet for the other side

After you've configured the vNet for the CA, create the RA/VA vNet by repeating the previous steps and replacing the values with values that reflect the other region. You don't need to wait until the virtual network gateway for the first region has finished creating before you configure the other side. Make sure the address spaces don't overlap with any of the VNets to which you want to connect.
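A quick offline check of the non-overlap requirement, added here as an example; it is not part of the guide or of Azure's tooling. It takes the two address spaces used in this guide (10.2.0.0/16 for the CA vNet in WestUS, 10.4.0.0/16 for the RA/VA vNet in EastUS), confirms they are disjoint, and confirms that each node address (10.2.0.4 and 10.4.0.4) actually falls inside its own vNet. The function names and the sample values are this example's own, and the arithmetic assumes a 64-bit shell.

```shell
#!/bin/sh
# Added example (not part of the PrimeKey guide): verify that the address spaces
# of the vNets you are about to connect do not overlap, and that each node's
# address lies inside its own vNet. Pure shell arithmetic, no Azure calls.
# Function names and the sample values below are this example's own.

# ip4_to_int A.B.C.D -> 32-bit integer
ip4_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# cidr_range A.B.C.D/N -> "first last" as integers (host bits of the base are cleared)
cidr_range() {
    case $1 in
        */*) ;;
        *) echo "cidr_range: expected A.B.C.D/N, got '$1'" >&2; return 2 ;;
    esac
    bits=${1#*/}
    base=$(ip4_to_int "${1%/*}")
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    first=$(( base & mask ))
    last=$(( first + (1 << (32 - bits)) - 1 ))
    echo "$first $last"
}

# cidr_overlap CIDR1 CIDR2: exit status 0 if the two ranges share any address
cidr_overlap() {
    set -- $(cidr_range "$1") $(cidr_range "$2")
    [ "$1" -le "$4" ] && [ "$3" -le "$2" ]
}

# ip_in_cidr A.B.C.D CIDR: exit status 0 if the address lies inside the range
ip_in_cidr() {
    n=$(ip4_to_int "$1")
    set -- $(cidr_range "$2")
    [ "$n" -ge "$1" ] && [ "$n" -le "$2" ]
}

# check_vnet_plan CA_IP CA_VNET VA_IP VA_VNET: prints findings and returns 0
# only if the two spaces are disjoint and each node address sits in its own vNet.
check_vnet_plan() {
    ok=0
    if cidr_overlap "$2" "$4"; then
        echo "FAIL: $2 and $4 overlap; a vNet-to-vNet connection cannot route between them"
        ok=1
    else
        echo "ok: $2 and $4 are disjoint"
    fi
    for pair in "$1 $2" "$3 $4"; do
        set -- $pair
        if ip_in_cidr "$1" "$2"; then
            echo "ok: $1 is inside $2"
        else
            echo "FAIL: $1 is not inside $2"
            ok=1
        fi
    done
    return $ok
}

# The two nodes from this guide (values constructed from the Azure section above).
check_vnet_plan 10.2.0.4 10.2.0.0/16 10.4.0.4 10.4.0.0/16
```

Run it before creating the second gateway; a FAIL line means the connection would be created but traffic between the CA and the VA could never be routed, which later shows up as the peer connector's "Unable to connect to peer" error.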


Once filled in, click  , then click to begin creating the second VPN gateway.


Configure the gateway connection

When the virtual network gateways for both regions have completed, you can create your virtual network gateway connections. In this section, you create a connection from the CA West vNet to the RA East vNet. These steps work only for VNets in the same subscription. If your VNets are in different subscriptions, you must use PowerShell to make the connection. However, if your VNets are in different resource groups in the same subscription, you can connect them by using the portal.

1. In the Azure portal, select All resources, enter virtual network gateway in the search box, and then navigate to the virtual network gateway for your VNet. Select it to open the Virtual network gateway page.

2. Under Settings, select Connections, and then select Add to open the Add connection page.


3. On the Add connection page, fill in the values for your connection:

• Name: Enter a name for your connection. For example, CAtoRAVANetworkConnection.

• Connection type: Select VNet-to-VNet from the drop-down.

• First virtual network gateway: This field value is automatically filled in because you're creating this connection from the specified virtual network gateway.

• Second virtual network gateway: This field is the virtual network gateway of the VNet that you want to create a connection to. Select Choose another virtual network gateway to open the Choose virtual network gateway page.

• View the virtual network gateways that are listed on this page. Notice that only virtual network gateways that are in your subscription are listed. If you want to connect to a virtual network gateway that isn't in your subscription, use PowerShell.

• Select the virtual network gateway to which you want to connect.

• Shared key (PSK): In this field, enter a shared key for your connection. You can generate or create this key yourself. In a site-to-site connection, the key you use is the same for your on-premises device and your virtual network gateway connection. The concept is similar here, except that rather than connecting to a VPN device, you're connecting to another virtual network gateway.

4. Select   to save your changes.


Configure the RA/VA to CA gateway connection

Next, create a connection on the other side, from the RAVAtoCAVirtualNetworkGateway just created to the CAtoVARAVirtualNetworkGateway. In the portal, locate the other virtual network gateway that needs a connection. Follow the steps from the previous section, replacing the values to create a connection from RAVAtoCAVirtualNetworkGateway to CAtoVARAVirtualNetworkGateway. Make sure that you use the same shared key.


Verify your connections

Locate the virtual network gateway in the Azure portal. On the Virtual network gateway page, select Connections to view the Connections page for the virtual network gateway. After the connection is established, you'll see the Status values change to Succeeded and Connected. Select a connection to open the Essentials page and view more information.

When data begins flowing, you'll see values for Data in and Data out.


Test access from one of the hosts to the other


CA and VA Configuration

The CA and VA configuration is described in the following sections:

• Apache Certificate Generation for the VA

• Step 1: On the CA

• Setup Peer Systems

• Create a Peer Publisher on the CA

• Edit a Certificate Profile to use the Publisher

• Create Crypto Token to store OCSP Key binding key on VA

• Testing OCSP

Apache Certificate Generation for the VA

Generate the Apache certificate for the RA by following the instructions for the CA and the RA server below.

Step 1: On the CA

SSH into the CA server and navigate to the /opt/PrimeKey/support directory.

Start by taking a backup of the system:

# /opt/PrimeKey/support/system_backup.sh

Generate TLS certificates for the VA server on the CA. Since a VA will most likely have two IP addresses (one internal and one external), each is given with an "-i" flag. In this case the IP addresses the host has are:

• 40.121.65.197

• 10.4.0.4

# /opt/PrimeKey/support/create_ra_tls_certs.sh -i 40.121.65.197 -i 10.4.0.4

If you are using a load balancer, you can include its VIP name in the command above by specifying "-d". If the domain were ra.example.com, the command would be:

# /opt/PrimeKey/support/create_ra_tls_certs.sh -i 40.121.65.197 -i 10.4.0.4 -d ra.example.com


The script prompts whether to generate the certificates in the format that Apache expects on the VA.

Choose Y and press Enter. The script outputs the files into the home directory of the user you provisioned the instance with. In this case the user is "azure-user", so the certificates will be in the /home/azure-user/pem directory for easy copying. If you would like to keep the hostname in the file names for easier tracking, press N.

The three files output will be:

• managementca.ca-mgmt.pem

• server-mgmt.key

• server-mgmt.pem

Copy these files to the VA server and put them into place with the instructions in the next section.

Step 2: On the VA Server

SSH into the VA server and start by taking a backup of the system. Azure allows users to provision instances with their own username. For this example we will use the user "azure-user".

# /opt/PrimeKey/support/system_backup.sh


Copy the three files that were written to /home/azure-user/pem on the CA to the new VA. Then copy the files from the home folder of the user you provisioned the instance with to the /etc/httpd/ssl directory and restart Apache:

# cp /home/azure-user/pem/* /etc/httpd/ssl/
# service httpd restart

Convert the server to a VA using the install_ra.sh script. This script imports the ManagementCA certificate from the CA server so that the VA is managed by the same ManagementCA as the CA server.

# /opt/PrimeKey/support/install_ra.sh

The script will ask for the path to the ManagementCA PEM file from the CA server.

Use the managementca PEM that was copied to the /etc/httpd/ssl directory or copy a new one.  Use absolute paths.

Access the VA Administration GUI with the same certificate used to access the CA server. Test this by going to the EJBCA Admin Web on the VA. Note that no Management CA is configured locally; an external ManagementCA is used.


Import the CA's Public Certificate Chain into the VA

Step 1: On the CA

Import CA Certs to VA

For the VA to be aware of the CA, we need to import the CA's certificates into the VA. If you need assistance with setting up a CA structure, see the EJBCA Quick Start Guide.

1. On the CA, click RA Web in the left-side navigation to open the CA's RA web. Select CA Certificates and CRLs.

2. Download the CA certificates from the CA's RA web in PEM format.

3. Access the RA server's administration UI and click Certification Authorities.

4. Click Import CA Certificate.

5. Browse to the Root CA PEM file and select it.

6. Enter the name of the CA in the CA Name field.

7. Click Import CA Certificate.

8. Repeat for any other CAs.

All imported CAs will show as an "External CA".

Step 2: On the VA

1. Click Certification Authorities.

2. Click Import CA certificate.


   a. Enter the name for the Root CA.
   b. Click Browse and browse to the CA cert downloaded in the last section.
   c. Click Import CA Certificate.

3. Click Import CA Certificate.
   a. Enter the name for the Issuing CA.
   b. Click Browse and browse to the CA cert downloaded in the last section.
   c. Click Import CA Certificate.

Step 1: Import Profiles on the CA

SSH into the CA server and import the profiles that are going to be used for generating the key binding and peer connection certificates.

# /opt/ejbca/bin/ejbca.sh ca importprofiles -d /opt/PrimeKey/ra_profiles/

Step 2: Create Crypto Token to store Peer Systems authentication key on CA

Create a Crypto Token for the key binding to use. Navigate to Crypto Tokens and select Create new.

1. Enter a name: Peer Systems Token.

2. Select Type: Soft.

3. Enter and repeat Authentication Code.

4. Enable Auto-activation.

5. Click Save.

6. Generate new key pair:
   a. Alias: peer_systems_auth_key.


   b. Key Spec: RSA 4096.

Step 3: Set up Authentication Key Binding for Mutual Authentication on CA

Create an internal key binding for authenticating the TLS connection to the VA. Start by selecting Internal Key Bindings on the CA.

1. Click Create new on the AuthenticationKeyBinding tab.

2. Enter a name: Peer System Key Binding to VA.

3. Select Crypto Token: "Peer Systems Token".

4. Key Pair Alias: peer_systems_auth_key.

5. Signature Algorithm: SHA256WithRSA.

6. Click Create.


Click Back to overview to go back to the AuthenticationKeyBinding tab and select CSR under the Action column and save the file (Peer System Key Binding to RA.pkcs10.pem).

Step 4: Generate Certificate for TLS Connection

Click RA Web in the left-side navigation to open the CA's RA web. Select Make New Request.

1. Select Certificate Type: "Peer Systems User EE Profile"

2. CA: "ManagementCA".

3. Click Browse and select the "Peer System Key Binding to RA.pkcs10.pem" file.

4. Change CN, Common Name to "peersystems".

5. Change the Username to "peersystems".

6. Click Download PEM.

7. Save the file (peersystems.pem).


Step 5: Import Peer Systems certificate into Authentication Key Binding on CA

1. Choose System Functions > Internal Key Bindings.

2. Click the AuthenticationKeyBinding tab.

3. Under Import externally issued certificate:
   a. Target AuthenticationKeyBinding: Peer System Key Binding to RA.
   b. Click Browse.
   c. Select the peersystems.pem file.


   d. Click Import.

4. Under Action:
   a. Click Enable.

5. The Peer Systems Authentication Key Binding should now be Active.


Setup Peer Systems

Follow the steps below to set up Peer Systems:

• Step 1: On the CA

• Step 2: On the RA

• Step 3: On the CA

Step 1: On the CA

1. Choose System Functions > Peer Systems.

2. Under Outgoing Peer Connectors, click Add.

3. For Create Peer Connector, specify the following:
   a. Name: Peer Connection to RA
   b. URL: This should be the internal FQDN of the RA. For this example: "https://10.4.0.4/ejbca/peer/v1"

   EJBCA Cloud uses Apache, and no port designation is necessary.

   c. In the Authentication Key Binding list menu, select Peer System Key Binding to RA
   d. Select Enabled.
   e. Change Maximum parallel requests to 50.

4. Click Create.

5. Click Ping. You should see the error Unable to connect to peer. Unauthorized.

Note: If the error Unable to connect to peer displays, this means your instances cannot communicate. Please check your VPN connection.


Also, make sure that the internal IP address is used and not an FQDN or external IP unless you have internal name resolution across vNets.


Step 2: On the VA

1. Choose System Functions > Peer Systems.

2. You should see a connection attempt from the CA under Incoming Connections.

3. Click Create Role.

4. Ensure that – Create new role – is selected, and click Select.

5. Additional properties will show. Change the Role name to "External VA Role".

6. Ensure that Role is intended for peer connections is selected.

7. Select Access ManagementCA and any other CAs the VA needs to access.

8. Select Publish Certificate.

9. Select Compare certificate synchronization status.


10. Click Create new role.

Step 3: On the CA

1. Click Peer Systems.

2. Click Manage on the Peer Connection to VA peer connection.

3. Click Start.

4. It will say "Running".

5. Click Refresh.

6. You should see certificates added or synchronized.


Create a Peer Publisher on the CA

To create a Peer Publisher on the CA, do the following:

1. Select Publishers in the Administration GUI.

2. Enter a name such as VA Peer Publisher.

3. Click Add.

4. Select the publisher and click Edit.

5. From the PublisherType drop down select Validation Authority Peer Publisher.

6. Ensure the correct Peer System is selected.

7. Select Store CRL at the Validation Authority.

8. Click Save and Test Connection.

9. You should see Connection Tested Successfully at the top. Click Save.


Edit a Certificate Profile to use the Publisher

In order for generated certificates to be published to the VA, the profiles for the CA need to be configured to use the Peer Publisher.

1. In the Admin GUI, select CA Functions > Certificate Profiles.

2. Click Edit next to the profile from which you want to issue certificates (or create a new one).

3. Under the section Other Data, select VA Peer Publisher next to Publishers.

4. Click Save.

Create Crypto Token to store OCSP Key binding key on VA

On the VA:

1. Create a Crypto Token for the key binding to use.

2. Navigate to Crypto Tokens and select Create new.

a. Enter a name: OcspKeyBindingToken.

b. Type: SOFT.

c. Enter and repeat Authentication Code.

d. Enable Auto-activation.

e. Click Save.

f. Generate new key pair:

i. Alias: OcspKeyBindingKey

ii. Key Spec: RSA 4096


Set up OCSP Key Binding for Mutual Authentication on the VA

To set up OCSP Key Binding for Mutual Authentication on the VA, do the following:

1. Click on InternalKeyBindings on the VA and then select the OcspKeyBinding tab.

2. Click Create new.

3. Enter a name for the key binding, for example “OCSPKeyBinding_IssuingCA”.

4. Select the OCSPKeyBindingToken.

5. Ensure the correct key pair alias is chosen.

6. Click Create.

7. Click Back to Overview.

8. Click CSR under the actions column.

9. Save the OCSPKeyBinding_IssuingCA.pkcs10.pem file.

On the CA

1. In the Admin GUI, select RA Web.


2. Click Make New Request.

3. Select the OCSP Signer EE Profile.

4. Select the Issuing CA. This is the CA certificate that is going to stamp the OCSP responses.

5. Browse to the OCSPKeyBinding_IssuingCA.pkcs10.pem file.

6. Enter a username, for example “OCSPKeyBinding_IssuingCA”.

7. Click download PEM.

On the VA

1. On the Internal Key Bindings > OCSP Key Bindings tab, click Browse to browse to the certificate that was downloaded from the RA Web.

2. Click Import.

3. The following message displays “Operation completed without errors.”

4. Click Update.

5. Click Enable. An hourglass will show in the Active column and the text “OCSPKeyBinding_IssuingCA status is now ACTIVE” will appear at the top.

6. Set the Default Responder to be the OCSP Key Binding created.

You need to repeat these steps for any other CAs you want the VA to be an OCSP responder for.


Testing OCSP

Generate a certificate from the Issuing CA using the RA Web. The instructions are not outlined here, as they have already been covered several times in this guide. Use the profile that has the publisher added to it. It is easiest to have the key generated server side and the certificate downloaded as PEM for testing purposes. Once completed, run the following OpenSSL command (changing the attributes for your files and IPs):

# openssl ocsp -issuer CorporateIssuingCAG1.pem -CAfile CorporateRootCAG1_1.pem -cert server.pem -req_text -url https://40.121.65.197/ejbca/publicweb/status/ocsp

Where the flags are:

Option      Description
-issuer     Is the Issuing CA public certificate.
-CAfile     The Root certificate or chain of the CA.
-url        The URL to the OCSP server.
-req_text   Optional but gives more output.

The output should appear as the following:

Where “Response Verify: OK” means that the stamped OCSP reply from the OCSP server was able to be validated with the certs provided in the command. “server.pem: good” means the certificate status is good.
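The check described above, both the "good" result here and the "revoked" result expected after the revocation steps later in this guide, as an added shell example that is not part of the PrimeKey guide. It wraps the guide's openssl ocsp command and classifies the output; the certificate file names, the responder IP and the sample outputs are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the PrimeKey guide: drives the guide's openssl ocsp
# query and classifies its output. File names, the responder IP and the sample
# outputs below are constructed placeholders.

# Read openssl ocsp output on stdin and print exactly one of:
# good | revoked:<reason> | unknown | verify-failed (non-zero exit).
classify_ocsp() {
    out=$(cat)
    # Trust the status line only if the response signature verified against the
    # -issuer / -CAfile material ("Response verify OK" in openssl's output).
    if ! printf '%s\n' "$out" | grep -qiE '^Response verify:? *OK'; then
        echo verify-failed
        return 1
    fi
    status=$(printf '%s\n' "$out" \
        | grep -E '^[^[:space:]]+: (good|revoked|unknown)$' | head -n 1 | sed 's/.*: //')
    case "$status" in
        good)    echo good ;;
        unknown) echo unknown ;;
        revoked)
            reason=$(printf '%s\n' "$out" | sed -n 's/^[[:space:]]*Reason: *//p' | head -n 1)
            echo "revoked:${reason:-unspecified}" ;;
        *)       echo verify-failed; return 1 ;;
    esac
}

# Live check with the same flags as the guide's command (arguments are
# placeholders: issuer cert, root/chain, leaf cert, responder URL).
ocsp_check() {
    openssl ocsp -issuer "$1" -CAfile "$2" -cert "$3" -req_text -url "$4" 2>&1 | classify_ocsp
}

# Constructed sample outputs in openssl's format, so the parser runs offline.
SAMPLE_GOOD='Response verify OK
server.pem: good
    This Update: May 22 10:00:00 2019 GMT'
SAMPLE_HOLD='Response verify OK
server.pem: revoked
    This Update: May 22 10:05:00 2019 GMT
    Reason: certificateHold
    Revocation Time: May 22 10:04:30 2019 GMT'
SAMPLE_BAD='Response Verify Failure
server.pem: good'

printf '%s\n' "$SAMPLE_GOOD" | classify_ocsp   # good
printf '%s\n' "$SAMPLE_HOLD" | classify_ocsp   # revoked:certificateHold
# Live call, e.g.: ocsp_check CorporateIssuingCAG1.pem CorporateRootCAG1_1.pem \
#     server.pem https://40.121.65.197/ejbca/publicweb/status/ocsp
```

Note that SAMPLE_BAD carries a "good" status line but fails verification, so the function reports verify-failed rather than good: an unverified responder answer must never be treated as a valid status.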

Revoking the certificate

1. Select Search End Entities.

2. Search by username (end entity name).

3. Find the End Entity in the search results.

4. Click ViewCertificates on the right side.

5. Select CertificateHold from the revocation reasons.

6. Click Revoke.


7. Run the openssl command again and the status should now be “revoked” with a reason of “Certificate Hold”.