Migrating Microsoft CA to EJBCA

The following describes how to migrate a Microsoft CA to EJBCA using the generic methods for importing CA keys and certificates and for importing all issued user certificates. After such a complete migration the old CA can be decommissioned. Keep the old CA's audit logs so that a full audit trail exists over the CA's complete lifetime.

Note that EJBCA and MS commands may have changed as new versions have been released.

CA Keys

Export Soft MS CA Keys and Import to EJBCA

To export the MS CA key and import it into EJBCA, use the built-in functionality to back up an MS CA. For more information, see the Microsoft documentation on How to move a certification authority to another server.

The backup produces a PKCS#12 file that can be imported into EJBCA.

  • Start a new "mmc" console and add the "Certification Authority" snap-in. Right-click the CA to export > All Tasks > Back up CA.
  • Follow the wizard and select Private key and CA certificate, location for storing the p12-file, and a password.
  • Copy the p12-file to the EJBCA machine.
  • Run: $EJBCA_HOME/bin/ejbca.sh ca importca "MS CA v1" /path/mscakey.p12

The CA should now appear in the EJBCA Admin GUI.

HSM CA Keys

If you are using an HSM for the CA keys, first ensure that EJBCA can read them.

For P11NG (EJBCA Enterprise) you can use the p11ng-cli to list and test the keys on the HSM, to confirm that they are usable by EJBCA.

Create a new crypto token in EJBCA for the HSM.

CODE
bin/ejbca.sh cryptotoken create --help

Run the importca CLI command to import the CA, using the newly created crypto token and configuring the CA to use the appropriate keys.

CODE
bin/ejbca.sh ca importca --help

Certificates

Import Existing Certificates to EJBCA

To import existing certificates into EJBCA, you can either import the certificates one at a time if you only have a few, or import the entire certificate database.

Import Certificates One at a Time

Importing certificates one at a time is suitable if you only have a few certificates.

  • Certificates can be exported from the CA snap-in by opening each certificate and clicking "Copy to File...".
  • Convert the certificate to PEM format with openssl: openssl x509 -in certificate.crt -inform DER -out certificate.pem -outform PEM
  • Import to EJBCA with: $EJBCA_HOME/bin/ejbca.sh ca importcert username password "MS CA v1" status certificate.pem EndEntityProfile CertProfile

Import Entire Certificate Database

The entire certificate database is stored in \Windows\System32\CertLog\<CA-name>.edb.

The Certutil.exe tool provided with Windows Server can be used to dump the records from the database. The following command lists the names of the columns that can be dumped:

CODE
certutil -schema

To dump all certificates with their UPN, template name, Disposition (Issued or Revoked) and the PEM-encoded certificate, run the following:

CODE
certutil -view -restrict "GeneralFlags>0" /out "UPN,CertificateTemplate,Disposition,RawCertificate" > certdump.txt

After exporting the data with certutil, import it into EJBCA using the ejbca.sh script:

CODE
./ejbca.sh ca importcertsms --help
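As an added pre-import check (not part of EJBCA or the Microsoft tooling), the following Python parses a certutil -view dump into per-row records, maps the Disposition code to the status value that the EJBCA importcert command expects (ACTIVE or REVOKED), and flags rows that must not be imported: requests that never produced a certificate, rows with an empty RawCertificate column, and rows without a UPN, which still need a unique EJBCA username. The dump layout, the "EMPTY" rendering of null columns and the disposition codes 20/21 are assumptions about certutil's output, and the sample dump is constructed.

```python
import re

# certutil request dispositions: 20 = Issued, 21 = Revoked. Nothing else ever produced a certificate.
DISPOSITION_TO_STATUS = {20: "ACTIVE", 21: "REVOKED"}

# Constructed sample in the assumed shape of a certutil -view dump; the PEM bodies are placeholders.
SAMPLE_DUMP = """Row 1:
  User Principal Name: "alice@corp.example"
  Request Disposition: 0x14 (20) -- Issued
  Binary Certificate:
-----BEGIN CERTIFICATE-----
MAMCAQE=
-----END CERTIFICATE-----
Row 2:
  User Principal Name: EMPTY
  Request Disposition: 0x15 (21) -- Revoked
  Binary Certificate:
-----BEGIN CERTIFICATE-----
MAMCAQI=
-----END CERTIFICATE-----
Row 3:
  Request Disposition: 0x1f (31) -- Denied
"""

def parse_certutil_dump(text):
    # One dict per "Row N:" block: {"row": n, "fields": {...}, "pem": str or None}
    parts = re.split(r"^Row (\d+):$", text, flags=re.M)  # [header, "1", body1, "2", body2, ...]
    rows = []
    for num, body in zip(parts[1::2], parts[2::2]):
        fields = {k.strip(): "" if v.strip() == "EMPTY" else v.strip().strip('"')  # EMPTY = null column
                  for k, v in re.findall(r"^[ \t]+([^:\n]+):[ \t]*(.*)$", body, flags=re.M)}
        pem = re.search(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", body, re.S)
        rows.append({"row": int(num), "fields": fields, "pem": pem.group(0) + "\n" if pem else None})
    return rows

def prepare_for_import(text):
    """Return (ready, skipped): ready rows carry what importcert needs, skipped rows carry a reason."""
    ready, skipped = [], []
    for r in parse_certutil_dump(text):
        n, f = r["row"], r["fields"]
        m = re.search(r"\((\d+)\)", f.get("Request Disposition", ""))
        status = DISPOSITION_TO_STATUS.get(int(m.group(1))) if m else None
        if status is None:
            skipped.append((n, "request never produced a certificate"))
            continue
        if not r["pem"]:
            skipped.append((n, "RawCertificate column is empty"))
            continue
        username = f.get("User Principal Name") or f"msca-row-{n}"  # no UPN: constructed unique fallback
        ready.append({"username": username, "status": status, "pem": r["pem"]})
    return ready, skipped
```

Run it over the real certdump.txt before calling importcertsms to see how many rows will land as ACTIVE and REVOKED and which rows need a username assigned by hand.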

CRLs

To preserve CRL number ordering, import the latest CRL issued by the Microsoft CA into EJBCA. The revocation information itself was already imported together with the certificates, but CRL numbers must continue incrementally from the last CRL the old CA issued, which is why the latest CRL must be imported.

CRLs can be imported into EJBCA with:

CODE
bin/ejbca.sh ca importcrl --help

Issue Certificates Using Autoenrollment, Intune, Smart Card Logon, DCs, EFS etc.

For more information, see the following.

Encryption Keys and Certificates

See Key Recovery for generic documentation about key recovery in EJBCA. From ADCS you can export archived user keys and certificates as PKCS#12 keystores (.pfx). EJBCA has a CLI command to import such keystores.

CODE
bin/ejbca.sh ra keyrecoveryimport --help

An outline of the process for importing keys and certificates into EJBCA:

  • Export the user certificates (including private keys) from ADCS. Each .pfx file should be uniquely named to correspond to a username; this name is used to create the EJBCA end entity record, and a unique username must be created for each private key that is imported as key recovery data.
  • Enable key recovery in EJBCA.
  • Import the CA from ADCS into EJBCA (see above).
  • Create a certificate profile and an end entity profile for the end entities to be imported by the keyrecoveryimport command.
  • Run the keyrecoveryimport command, for example:
CODE
bin/ejbca.sh ra keyrecoveryimport -f "/tmp/test.pfx" --certprofile "Import_Keyrec_CP" --eeprofile "Import_Keyrec_EEP" --password "supersecret"

The import tool performs the following actions:

  • Reads the PFX file
  • Adds an end entity in the UserData table, which is why the username must be unique. The subject DN from the certificate is used as the end entity's subject DN.
  • Adds key recovery by taking the certificate and the public/private key pair, and storing it encrypted in the KeyRecoveryData table.

After the import, validate that key recovery works. Follow the procedure documented under Key Recovery to test recovery for an imported end entity.
