Tutorial - Configure EJBCA to issue short-lived (ephemeral) certificates
Learn how to configure short-lived certificates, also known as ephemeral certificates, in EJBCA.
Short-lived certificates have a shorter lifespan compared to traditional certificates, typically ranging from hours to days rather than months or years. They are designed to be used for a specific purpose or for a limited duration, after which they expire and become invalid. Short-lived certificates are suitable for containers because containers are often short-lived themselves, meaning they are created and destroyed frequently as part of an application or service.
In this tutorial, you will learn how to:
- Create a certificate profile for short-lived certificates
- Create an end entity profile for short-lived certificates
Prerequisites
Before you begin, you need a running EJBCA instance with an active Certificate Authority (CA).
To learn how to configure a certificate profile template and CA-defined default values, see the tutorials Create a PKI Hierarchy in EJBCA and Issue TLS client certificates with EJBCA.
Step 1 - Create certificate profile
The first step is to create a certificate profile for short-lived certificates. The certificate profile defines the content and constraints of new certificates, such as key types to allow and what extensions to use in the certificates. For an introduction to certificate profiles, see the Certificate Profiles Overview.
The following steps describe how to create a short-lived certificate profile by cloning and modifying the certificate profile TLS Client Profile created in the tutorial Issue TLS client certificates with EJBCA.
To create a certificate profile for short-lived certificates:
- In EJBCA, under CA Functions, click Certificate Profiles.
The Manage Certificate Profiles page displays a list of available profiles. - Click Clone next to the TLS Client Profile to use that as a basis for creating your new profile.
- Name the new certificate profile ShortLivedProfile and click Create from template.
- To edit the profile values to fit your needs, find the newly created ShortLivedProfile in the list and click Edit.
- On the Edit page, verify that the type is End Entity and update the following:
- Validity or end date of the certificate, specify 3d.
- Clear Expiration Restrictions.
- Clear Use Certificate Storage.
- Clear Store Certificate Data.
- Clear Key encipherment.
- Select the checkbox for Extended Key Usage Critical
- Clear CRL Distribution Points.
- Clear Use CA defined OCSP locator.
Click Save to store the certificate profile.
The newly created ShortLivedProfile is displayed in the list of certificate profiles.
Step 2 - Create end entity profile
Next, create an end entity profile that allows you to define what information about holders of certificates EJBCA keeps track of and adds as subject information.
An end entity is a user of the PKI, like a device, person, or server. It is called the end entity as, in a hierarchy of certificates in the PKI, it is the endpoint and not authorized to issue any certificates of its own.
The end entity profile is used to define what subject information (e.g. subject DN and subject alternative name) to add to certificates. It is always used together with a certificate profile for certificate issuance. You can for example make it so that certificate requests are only allowed to contain certain values, and otherwise rejected, while some fields are free for the requestor to choose. Attribute values specified in end entity profiles are used either for validating requests, as optional default values, or can be combined with values provided in a certificate request.
Additionally, end entity profiles control if the issuing CA should generate key pairs together with certificates or allow issuance based on certificate signing requests (CSRs) created by the end entity.
To create an end entity profile, follow these steps:
- In EJBCA, under RA Functions, click End Entity Profiles.
- In the Add Profile field, add a name for the new profile, in this example ShortLivedProfile, and click Add profile.
- Select the newly created ShortLivedProfile, and click Edit End Entity Profile to update the profile.
- Edit the profile and update the following:
- Clear End Entity E-mail.
- Under Subject DN Attributes, for CN, Common Name, select for removal and click Remove to remove the common name from the subject DN since it is not required for short-lived certificates integrating with Istio.
- Under Other Subject Attributes, in the Subject Alternative Name list, select Uniform Resource Identifier (URI) and click Add.
- Under Main Certificate Data, map the certificate profile, CA, and type of key pair the profile can be used together with:
- For Default Certificate Profile, select the ShortLivedProfile you created in Step 1 - Create certificate profile).
- For Default CAs, select the MyPKISubCA-G1 (created in Create a PKI Hierarchy in EJBCA) to only allow that Sub CA to issue certificates with this profile.
- For Default Token, select User Generated since the certificate signing request (CSR) will be generated from the container side and sent over to EJBCA to get signed.
- Clear End Entity E-mail.
- Click Save to store the end entity profile.
The newly created ShortLivedProfile is displayed in the list of end entity profiles.
Next steps
In this tutorial, you learned how to configure EJBCA to issue short-lived certificates by creating a certificate profile and an end entity profile for short-lived certificates.
To learn how to create roles with various levels of authority in EJBCA, you can follow the tutorial Create roles in EJBCA.
Next, check out more video tutorials from Keyfactor Community to learn how to deploy the EJBCA container in Kubernetes and issue certificates to an Istio service mesh.