CA and VA Configuration

The following describes the steps included in EJBCA CA to VA configuration and administration tasks related to VA management.

Apache Certificate Generation for the VA

Generate the Apache Certificate for the RA by following the instructions for the CA and the RA Server below.

Step 1: On the CA

SSH into the CA server and navigate to the /opt/PrimeKey/support directory.

Start by taking a backup of the system:

# /opt/PrimeKey/support/system_backup.sh

Generate TLS certificates for the VA server on the CA. Since an VA will most likely have two IP addresses (one internal and one external), those are indicated with the "-i" flag. In this case the IP addresses the host has are:

• 40.121.65.197
• 10.4.0.4

# /opt/PrimeKey/support/create_ra_tls_certs.sh -i 40.121.65.197 -i 10.4.0.4

If you are using a load balancer you can include that VIP name in the command above by specifying a "-d".  if the domain was ra.example.com the command would be:

# /opt/PrimeKey/support/create_ra_tls_certs.sh -i 40.121.65.197 -i 10.4.0.4 -d ra.example.com

The script will prompt to request to generate the certificates in the format that Apache will expect them on the VA.

Choose Y and press enter. It will output these files into the home directory of the user you provisioned the instance with.  In this case the user is "azure-user" so the certificates will be in the /home/azure-user/pem directory for easy copying.  If you would like to keep them with the hostname in the file for easy tracking, press N.

The three files output will be:

• managementca.ca-mgmt.pem
• server-mgmt.key
• server-mgmt.pem

Copy these files to the VA server and put them into place with the instructions in the next section.

Step 2: On the VA Server

SSH into the VA server and start by taking a backup of the system. Azure allows users to provision instances with their own username. For this example, we will use the user "azure-user".

# /opt/PrimeKey/support/system_backup.sh

Copy the three files that were copied to /home/azure-user/pem to the new VA. Copy the files from the user folder you provisioned the instance with to the /etc/httpd/ssl directory and restart Apache:

# cp /home/azure-user/pem/* /etc/httpd/ssl/
# service httpd restart

Convert the server to an VA using the install_ra.sh script. This script will import the ManagementCA certificate from the CA server so that the VA is managed by the same ManagementCA as the CA server.

# /opt/PrimeKey/support/install_ra.sh

The script will ask for the path to the ManagementCA PEM file from the CA server.

Use the managementca PEM that was copied to the /etc/httpd/ssl directory or copy a new one.  Use absolute paths.

Access the VA Administration GUI with the same certificate used to access the CA server. Test this by going to the EJBCA Admin Web on the VA. Note that there is no Management CA configured, an external ManagementCA is used. 

Import the CAs Public Certificate Chain into the VA

For the VA to be aware of the CA we need to import the CAs certificates into the VA. If you need assistance with setting up a CA structure, see the EJBCA Quick Start Guide.

Step 1: On the CA

1. On the CA, Click RA Web on the left side navigation and open the CAs RA web. Select CA Certificates and CRLs.

2. Download the CA certificates from the CA, RA web in PEM format.
3. Access the RA Servers administration UI and click Certification Authorities
4. Click Import CA Certificate.
5. Browse to the Root CA PEM file and select it.
6. Enter the name of the CA in the CA Name field.
7. Click Import CA Certificate.
8. Repeat for any other CAs.
   All imported CAs will show as an "External CA"
   

   

Step 2: On the VA

1. Click Certification Authorities.
2. Click Import CA certificate.
   1. Enter the name for the Root CA.
   2. Click Browse and browse to the CA cert downloaded in the last section.
   3. Click Import CA Certificate.
3. Click Import CA Certificate
   1. Enter the name for the Issuing CA.
   2. Click Browse and browse to the CA cert downloaded in the last section.
   3. Click Import CA Certificate.

Configure TLS Connections Between the CA and VA

Step 1: Import Profiles on the CA

SSH into the CA server and import the profiles that are going to be used for generating the key binding and peer connection certificates.

# /opt/ejbca/bin/ejbca.sh ca importprofiles -d /opt/PrimeKey/ra_profiles/

Step 2: Create Crypto Token to store Peer Systems authentication key on CA

Create a Crypto Token for the key binding to use. Navigate to Crypto Tokens and select Create new.

1. Enter a name: Peer Systems Token.
2. Select Type: Soft.
3. Enter and repeat Authentication Code.
4. Enable Auto-activation.
5. Click Save.
6. Generate new key pair:
   1. Alias: peer_systems_auth_key.
   2. Key Spec: RSA 4096.

Step 3: Set up Authentication Key Binding for Mutual Authentication on CA

Create an internal key binding for authenticating the TLS connection to the VA. Start by selecting Internal Key Bindings on the CA. 

1. Click Create new on the AuthenticationKeyBinding tab.
2. Enter a name: Peer System Key Binding to VA.
3. Select Crypto Token: "Peer Systems Token".
4. Key Pair Alias: peer_systems_auth_key.
5. Signature Algorithm: SHA256WithRSA.
6. Click Create.

Step 4: Generate Certificate for TLS Connection

Click RA Web on the left side navigation and open the CAs RA web. Select Make New Request.

1. Select Certificate Type: "Peer Systems User EE Profile"
2. CA: "ManagementCA".
3. Click Browse and select the "Peer System Key Binding to RA.pkcs10.pem" file.
4. Change CN, Common Name to "peersystems".
5. Change the Username to be the "peersystems"
6. Click Download PEM.
7. Save the file (peersystems.pem).

Step 5: Import Peer Systems certificate into Authentication Key Binding on CA

1. Choose System Functions > Internal Key Bindings.
2. Click the AuthenticationKeyBinding tab.
3. Under Import externally issued certificate:
   
   1. Target AuthenticationKeyBinding: Peer System Key Binding to RA.
   2. Click Browse.
   3. Select the peersystems.pem file.
   4. Click Import.
4. Under Action:
   1. Click Enable.
5. The Peer Systems Authentication Key Binding should now be Active.

   

Setup Peer Systems

Follow the steps below to setup Peer Systems:

• Step 1: On the CA
• Step 2: On the RA
• Step 3: On the CA

Step 1: On the CA

1. Choose System Functions > Peer Systems.
2. Under Outgoing Peer Connectors, click Add.
3. For Create Peer Connector, specify the following:
   
   1. Name: Peer Connection to RA
   2. URL: This should be the internal FQDN of the RA. For this example: "https://10.4.0.4/ejbca/peer/v1"
       EJBCA Cloud Uses Apache and no port designation is necessary.
   3. In the Authentication Key Binding list menu, select Peer System Key Binding to RA
   4. Select Enabled.
   5. Change Maximum parallel requests to 50.
      

      

4. Click Create.
5. Click Ping. You should see the error Unable to connect to peer. Unauthorized
    If the error Unable to connect to peer displays, this means you instances cannot communicate.  Please check your VPN connection. 
   Also, make sure that the internal IP address is used and not an FQDN or external IP unless you have internal name resolution across vNets.
   

   

Step 2: On the VA

1. Choose System Functions > Peer Systems.
2. You should see a connection attempt from the CA under Incoming Connections.
   

   

3. Click Create Role.
4. Ensure that – Create new role – is selected, and click Select.
5. Additional properties will show. Change the Role name to "External VA Role".
6. Ensure that Role is intended for peer connections is selected.
7. Select Access ManagementCA and any other CAs the VA needs to access.
8. Select Publish Certificate.
9. Select Compare certificate synchronization status.
10. Click Create new role.
    

    

Step 3: On the CA

1. Click Peer Systems.
2. Click Manage on the Peer Connection to VA peer connection.
3. Click Start.
4. It will say "Running".
5. Click Refresh.
6. You should see certificates added or synchronized.

Create a Peer Publisher on the CA

To create a Peer Publisher on the CA, do the following:

1. Select Publishers in the Administration GUI.
2. Enter a name such as VA Peer Publisher.
3. Click Add.
4. Select the publisher and click Edit.
5. From the PublisherType drop down select Validation Authority Peer Publisher.
6. Ensure the correct Peer System is selected.
7. Select Store CRL at the Validation Authority.
8. Click Save and Test Connection.
9. You should see Connection Tested Successfully at the top. Click Save.

Edit a Certificate Profile to use the Publisher

In order for generated certificates to be published to the VA, the profiles for the CA need to be configured to use the Peer Publisher.

1. In the Admin GUI, select CA Functions > Certificate Profiles.
2. Click Edit next to the profile from which you want to issue certificates (or create a new one).
3. Under the section Other Data, select VA Peer Publisher next to Publishers.
4. Click Save.

Create Crypto Token to Store OCSP Key Binding Key on VA

To create a Crypto Token for the key binding to use, do the following:

1. On the VA, navigate to Crypto Tokens and select Create new.
   

   

   1. Enter a name: OcspKeyBindingToken.
   2. Type: SOFT.
   3. Enter and repeat Authentication Code.
   4. Enable Auto-activation.
   5. Click Save.
   6. Generate new key pair:
      1. Alias: OcspKeyBindingKey
      2. Key Spec: RSA 4096

Set up OCSP Key Binding for Mutual Authentication on the VA

To set up OCSP Key Binding for Mutual Authentication on the VA, do the following:

Step 1: On the VA

1. Click on InternalKeyBindings on the VA and then select the OcspKeyBinding tab.
2. Click Create new.
3. Enter a name for the key binding, for example “OCSPKeyBinding_IssuingCA”.
4. Select the OCSPKeyBindingToken.
5. Ensure the correct key par alias is chosen
6. Click Create.
7. Click Back to Overview.
8. Click CSR under the actions column.
9. Save the OCSPKeyBinding_IssuingCA.pkcs10.pem file.
   

   

Step 2: On the CA

1. In the Admin GUI, select RA Web.
2. Click Make New Request.
3. Select the OCSP Signer EE Profile.
4. Select the Issuing CA. This is the CA certificate that is going to stamp the OCSP responses.
5. Browse to the OCSPKeyBinding_IssuingCA.pkcs10.pem file.
6. Enter a username, for example “OCSPKeyBinding_IssuingCA”.
7. Click download PEM.

Step 3: On the VA

1. On the Internal Key Bindings > OCSP Key Bindings tab, click Browse to browse to the certificate that was downloaded from the RA Web.
2. Click Import.
3. The following message displays “Operation completed without errors.”
4. Click Update.
5. Click Enable. An hourglass will show in the Active Column and the text “OCSPKeyBinding_IssuingCA status is now ACTIVE” will appear at the top
6. Set the Default Responder to be the OCSP Key Binding created.
   

   

You need to repeat these steps for any other CAs you want the VA to be an OCSP responder for.

Testing OCSP

Generate a certificate from the Issuing CA using the RA Web. The instructions will not be outlined here but have already been done several times in this guide.  Use the profile that has the publisher added to it.   It is easiest to have the key generated server side and the certificate downloaded as PEM for testing purposes. Once completed run the following SSL command (changing the attributes for your files and IPs):

# openssl ocsp -issuer CorporateIssuingCAG1.pem -CAfile CorporateRootCAG1_1.pem -cert server.pem -req_text -url https://40.121.65.197/ejbca/publicweb/status/ocsp

Where the flags are:

The output should appear as the following:

Where “Response Verify: OK” means that the stamped OCSP reply from the OCSP server was able to be validated with the certs provided in the command. “server.pem: good” means the certificate status is good.

Revoking the Certificate

1. Select Search End Entities.
2. Search by username (end entity name).
3. Find the End Entity in the search results.
4. Click ViewCertificates on the right side.
5. Select CertificateHold from the revocation reasons.
6. Click Revoke.
7. Run the openssl command again and the status should now be “revoked” with a reason of “Certificate Hold”.

Remote Internal Key Binding Updater

You can automatically update OCSP Key Binding Keys to renew themselves. This service will auto-rotate the OCSP signing key, renew the OCSP signing certificate and put it into production on a set interval.

To be able to use remote internal key binding updater some access rules have to be changed on the VA.

To automatically update OCSP Key Binding Keys to renew themselves, do the following:

The following configuration is performed on the VA

1. Open a browser and go to the Admin UI of the VA.
   
2. Click Peer Systems.
3. For the peer-connector, click Modify role.
   
4. In the CAs section, make sure Access 'Sub CA' is selected.
5. In the Internal Key Bindings section, select Renew certificate for the SubCA.
6. In the Crypto Tokens section, select Access and Key generation for OCSP.
7. Click Modify role to save the changes.

The following configuration is performed on the CA

1. Open a browser and go to the Admin UI of the CA.
   
2. Click Services.
3. In the Add Service field, enter OCSP Key Binding Updater.
   
4. Click Add.
5. In the List of Service list, select OCSP Key Binding Updater and click Edit Service.
6. In the Select Worker list, select Remote Internal Key Binding Updater.
   
7. In the Process key bindings where certificate is issued by list, select SubCA.
8. Select Renew key pair (optional).
9. In the Time before certificate expires field, enter 12.
10. In the Time unit of certificate expiry drop-down list select hours.
11. In the Period field, enter 1 and select hours from the list.
12. Select Active.
13. Click Save.