
Local Signing of Attestations with Chainloop and EJBCA Ephemeral Certificates

With this integration, Chainloop can be configured to obtain short-lived signing certificates from EJBCA acting as the certificate authority (CA). The result is a user experience similar to Sigstore Fulcio’s “keyless” approach: the client signs with an ephemeral key and certificate and does not have to manage any long-lived signing material.

There are some key differences compared to the SignServer approach:

  • The client does not need access to the PKI infrastructure. Chainloop exchanges the CLI’s authenticated identity for a short-lived certificate signed by EJBCA, which simplifies authentication.

  • Signing happens locally, in the client, so the private key does not have to be handed to the server.

  • The verification materials and the final attestation can optionally be downloaded as a Sigstore bundle for offline verification.
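The flow the three points above describe, end to end, as an added example in Go (my own illustrative code, not Chainloop’s or EJBCA’s): a self-signed root stands in for EJBCA, IssueEphemeralCert stands in for the control plane exchanging an already-authenticated CLI identity for a short-lived code-signing certificate, SignAttestation signs a DSSE-style envelope locally with a client key that never leaves the client, and VerifyBundle performs the offline check using only a minimal bundle and the CA root. The Bundle type, the function names, the identity string and the certificate lifetime are assumptions for illustration; the real Sigstore bundle format and Chainloop’s internals differ.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Bundle stands in for the Sigstore bundle the page mentions: a DSSE-style
// envelope plus the short-lived leaf certificate needed to verify it offline.
// The field names are assumptions for this example, not Chainloop's schema.
type Bundle struct {
	PayloadType string
	Payload     []byte
	Signature   []byte // ASN.1 ECDSA signature over the DSSE PAE
	LeafDER     []byte // ephemeral signing certificate, DER-encoded
}

// NewCA creates a self-signed root that plays the role of EJBCA here.
func NewCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example-root-ca"},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueEphemeralCert is what the control plane obtains from the CA after it has
// authenticated the CLI: a code-signing certificate that binds the client's
// public key to the authenticated identity and is valid only for ttl.
func IssueEphemeralCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, pub *ecdsa.PublicKey,
	identity string, notBefore time.Time, ttl time.Duration) ([]byte, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: identity},
		NotBefore: notBefore, NotAfter: notBefore.Add(ttl),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
	return x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
}

// pae is the DSSE pre-authentication encoding: the bytes that actually get signed.
func pae(payloadType string, payload []byte) []byte {
	return append([]byte(fmt.Sprintf("DSSEv1 %d %s %d ", len(payloadType), payloadType, len(payload))), payload...)
}

// SignAttestation runs on the client: sign locally with the ephemeral private key,
// which never leaves the client, and package everything needed to verify offline.
func SignAttestation(key *ecdsa.PrivateKey, leafDER []byte, payloadType string, payload []byte) (*Bundle, error) {
	digest := sha256.Sum256(pae(payloadType, payload))
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	if err != nil {
		return nil, err
	}
	return &Bundle{PayloadType: payloadType, Payload: payload, Signature: sig, LeafDER: leafDER}, nil
}

// VerifyBundle is the offline check a consumer runs with only the bundle and the
// CA root: chain the leaf to the root as of the signing time, require the
// code-signing EKU, then verify the signature over the PAE. signedAt must come
// from a trusted source (a timestamp or log entry), not from the bundle itself.
func VerifyBundle(b *Bundle, root *x509.Certificate, signedAt time.Time) error {
	leaf, err := x509.ParseCertificate(b.LeafDER)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, CurrentTime: signedAt,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := leaf.Verify(opts); err != nil {
		return fmt.Errorf("certificate chain: %w", err)
	}
	if err := leaf.CheckSignature(x509.ECDSAWithSHA256, pae(b.PayloadType, b.Payload), b.Signature); err != nil {
		return fmt.Errorf("attestation signature: %w", err)
	}
	return nil
}
```

The point to notice is in VerifyBundle: the certificate’s validity window is judged at the signing time, not at verification time, which is what makes a ten-minute certificate usable long after it has expired. That only holds if the signing time is trustworthy, so a real verifier takes it from a signed timestamp or a transparency-log entry rather than from a claim inside the bundle; verifying the same bundle with a later time fails the chain check, and changing a single byte of the payload fails the signature check.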

Prerequisites

Before you begin, you need:

A running EJBCA instance

If you don’t already have EJBCA installed, here are some options for you:

How to Configure Chainloop to use EJBCA as CA

To enable Chainloop to use EJBCA as its certificate authority, you must add your EJBCA settings to your Chainloop Helm Chart configuration.

For complete instructions and examples on how to sign Chainloop attestations with EJBCA-issued certificates, refer to the How-to guide: Use Keyfactor EJBCA to generate ephemeral signing certificates in the Chainloop documentation.

Once this is configured, pushing an attestation no longer requires you to provide any signing material; the resulting attestation is signed automatically:
> chainloop attestation push

Next steps

In this guide, you learned how to set up Chainloop to use EJBCA as CA for local signing of attestations with ephemeral certificates.

Here are some next steps we recommend:
