Tutorial - Use an ephemeral CA and revoke ephemeral certificates
In this tutorial, you will learn how to create and configure an ephemeral Certificate Authority (CA) to issue ephemeral certificates, use OCSP to validate the certificate, revoke the certificate using the REST API, and validate that the certificate is revoked.
About issuing and revoking ephemeral certificates
In use cases where you need to issue ephemeral user or device certificates for authentication with a short lifetime, there can still be reasons to revoke these certificates, for example, to block network access. Ephemeral certificates are not stored in the EJBCA database. However, since every certificate issued by EJBCA is in the audit log, it can be extracted from there to get its serial number needed for revocation. EJBCA provides a policy setting on the CA to permit revocation for certificates that are not in the CA database. An example use case is to issue ephemeral certificates with 7- to 21-day validity.
Prerequisites
For this tutorial, EJBCA Community Docker container version 8.3.1 was used.
Before you begin, you will need:
To have a Root CA, certificate profiles, end entity profiles, roles, and short-lived ephemeral certificates configured in EJBCA, see this playlist: https://www.youtube.com/playlist?list=PLt17f5skfOPEcg-Hbn4d-YY22wdmnaEa9.
To be familiar with CLI and OpenSSL tools
SSH access to the Linux host where the EJBCA container is running
Step 1 - Start the Docker containers
When an issued certificate does not reside in the database, EJBCA will answer unknown for that certificate when validating with OCSP. There is a setting in the ocsp.properties file in the EJBCA container to make EJBCA respond good for unknown certificates. With an ephemeral container, this setting can be persisted by setting it in the Docker Compose YAML file.
To configure this OCSP setting, follow these steps:
Use SSH to access the server.
Change directory to the location of the Docker Compose file:
$ cd ~/containers
Use a text editor to edit the docker-compose.yml file:
$ vim docker-compose.yml
Add a new environment variable OCSP_NON_EXISTING_IS_GOOD and verify the container tag is 8.3.1. The docker-compose.yml file should look similar to the following:
version: '3'
networks:
  access-bridge:
    driver: bridge
  application-bridge:
    driver: bridge
services:
  ejbca-database:
    container_name: ejbca-database
    image: "library/mariadb:latest"
    networks:
      - application-bridge
    volumes:
      - ./datadbdir:/var/lib/mysql:rw
  ejbca-node1:
    hostname: ejbca-node1
    container_name: ejbca
    image: keyfactor/ejbca-ce:8.3.1
    depends_on:
      - ejbca-database
    networks:
      - access-bridge
      - application-bridge
    environment:
      - DATABASE_JDBC_URL=jdbc:mariadb://ejbca-database:3306/ejbca?characterEncoding=UTF-8
      - LOG_LEVEL_APP=INFO
      - LOG_LEVEL_SERVER=INFO
      - TLS_SETUP_ENABLED=simple
      - OCSP_NON_EXISTING_IS_GOOD=true
    ports:
      - "80:8080"
      - "443:8443"
Save and close the file.
Start the EJBCA and MariaDB containers with the following command:
$ docker compose up -d
Tail the container logs to validate that the OCSP_NON_EXISTING_IS_GOOD setting was detected:
$ docker logs ejbca
The output is similar to the following:
2024-05-23 00:52:55,336+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Configure logging for Application Server
2024-05-23 00:52:55,343+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Configure logging for ejbca
2024-05-23 00:52:55,350+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) uid=10001 gid=0(root) groups=0(root)
2024-05-23 00:52:55,420+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Detected 2 available core(s).
2024-05-23 00:52:55,429+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Detected 4078923776 bytes available host memory.
2024-05-23 00:52:55,435+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Observable at 127.0.0.1:8090 under paths: /health /health/ready /health/live
2024-05-23 00:52:55,451+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) LOG_LEVEL_APP_OCSP_TRANSACTIONS setting is depricated and does nothing
2024-05-23 00:52:55,454+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) LOG_LEVEL_APP_OCSP_AUDIT setting is depricated and does nothing
2024-05-23 00:52:55,458+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) MySQL/MariaDB database.
2024-05-23 00:52:55,471+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Looking for plugins to import and initialize under /opt/keyfactor/ejbca/plugins/.
2024-05-23 00:52:55,474+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Responding with 'good' when receiving OCSP requests for non-existing certificates.
2024-05-23 00:52:55,485+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) External hostname env.HTTPSERVER_HOSTNAME is set to 'ejbca-node1'.
2024-05-23 00:52:55,489+0000 INFO [/opt/keyfactor/bin/start.sh] (process:1) Cluster Node ID is set to '6fsqlfocqelqhulixc'.
You now have configured EJBCA to respond good for unknown certificates and can continue with creating an ephemeral CA.
Step 2 - Create a crypto token for the ephemeral CA
A CA requires keys to sign issued certificates, CRLs, and OCSP requests when a delegated OCSP signer is not used. Crypto tokens are used to manage cryptographic keys on HSMs and soft keys stored in the EJBCA database.
To create a crypto token, follow these steps:
Go to the EJBCA CA UI and click Crypto Tokens under CA functions.
Click Create new and specify the following on the New Crypto Token page:
Name: Specify a name for the crypto token, in this example, ephemeralSubCA.
Type: Select Soft.
Auto-activation: Select Use to allow EJBCA to save the password and reapply it after a restart.
Authentication Code: Enter a password to be used to activate the crypto token if the container is restarted. In this example, foo123.
Click Save to create the crypto token.
Next, generate three keys:
In the Name field that says signKey, specify signKey001, select ECDSA P-256 for the key size, and then click Generate new key pair to create the keys.
Repeat to create the default encryption key: name the key defaultKey001, select ECDSA P-256 for the key size, and then click Generate new key pair.
Last, repeat to create a test key: name the key testKey, select ECDSA P-256 for the key size, and then click Generate new key pair.
Click Back to Crypto Token overview.
You now have created a crypto token with keys and can continue with creating certificate profiles.
Step 3 - Create and configure certificate profiles
Before creating a CA or issuing certificates, a certificate profile is created to assert the proper policy settings.
To create a certificate profile for the CA and end entity, follow these steps:
In EJBCA, click Certificate Profiles under CA Functions.
Click Clone next to the MyPKISubCAProfile certificate profile.
Name the new certificate profile ephemeralSubCA-2y, and click Create from template.
To edit the profile values to fit your needs, find the newly created ephemeralSubCA-2y displayed in the list and click Edit.
On the Edit page, update the following:
For Signature Algorithm, select SHA256withECDSA.
For Validity, specify 2y.
Click Save to store the Sub CA certificate profile.
Click Clone next to the ShortLivedProfile certificate profile.
Name the new certificate profile ephemeralMtls-14d, and click Create from template.
To edit the profile values to fit your needs, find the newly created ephemeralMtls-14d displayed in the list and click Edit.
On the Edit page, update the following:
For Signature Algorithm, select SHA256withECDSA.
For Validity, specify 14d.
Select Subject Alternative Name Critical.
Select Use CA defined OCSP locator.
For Available CAs, select Any CA.
Click Save to store the certificate profile.
You now have created a new certificate profile for the ephemeral CA and the ephemeral end entity device. Continue to the next step to create the ephemeral CA.
Step 4 - Create the ephemeral CA
The crypto token and certificate profile can now be used to create the ephemeral CA. Policy settings located in the Directives section are set to not store certificate or user data in the CA database.
To create the ephemeral CA, follow these steps:
In EJBCA, click Certificate Authorities under CA Functions.
In the Add CA field, enter the name “ephemeralSubCA-G1” and click Create.
On the Create CA page, update the following:
Select the crypto token ephemeralSubCA (created earlier) in the Crypto Token list.
Clear Use User Storage.
Clear Use Certificate Storage.
Select Accept Revocations for Non-Existing Entries.
For Default Certificate Profile for Non-Existing Entries, select the ephemeralMtls-14d.
For Subject DN, enter CN=Ephemeral Sub CA - G1,O=Keyfactor Community,C=SE.
For Signed By, select MyPKIRootCA-G1.
For Certificate Profile, select ephemeralSubCA-2y.
For Validity, specify 2y.
Clear LDAP DN order.
For OCSP service Default URI, enter http://ejbca-node1.ejbca-k8s/ejbca/publicweb/status/ocsp.
Click Create to create the CA.
You now have created an ephemeral CA that does not store user or certificate data in the CA database and can continue with creating an end entity profile.
Step 5 - Create an end entity profile for the ephemeral device
Before a certificate can be issued, you must create an end entity profile to map the certificate profile, CA, and user token for the issued certificate.
To create the end entity profile, follow these steps:
In EJBCA, click End Entity Profiles under RA Functions.
Select the ShortLivedProfile end entity profile, enter ephemeralMtls for the Add End Entity Profile, and click Clone selected.
Select the created ephemeralMtls end entity profile, and click Edit End Entity Profile to update the following:
Select Remove for Uniform Resource Identifier (URI) in the Subject Alternative Name section, and click Remove.
Select DNS Name in the Subject Alternative Name section, and click Add.
For DNS Name, select Required.
For Default Certificate Profile and Available Certificate Profiles, select ephemeralMtls-14d.
For Default CA and Available CAs, select ephemeralSubCA-G1.
Click Save to store the end entity profile.
You now have created an end entity profile to issue an ephemeral certificate from the ephemeral CA and can continue with issuing a certificate using the REST API.
Step 6 - Issue an ephemeral certificate using the REST API
Ephemeral certificates cannot be issued using the EJBCA RA web but rather by using an enrollment protocol or API. To easily submit the PKCS#10 request to EJBCA, the pkcs10Enroll.sh script is used.
To issue an ephemeral certificate using the pkcs10Enroll.sh script, follow these steps:
Return to the terminal session window that was used to SSH to the server.
Change directories to the location of the pkcs10Enroll.sh script:
$ cd ~/rest-curl
This script is already on the Linux server from the previous tutorial EJBCA REST API CLI. The location of the script is re-used for this tutorial.
Create an OpenSSL configuration file that is used to create the CSR:
$ cat > ephemeral-01.conf <<EOF
[req]
prompt = no
req_extensions = v3_req
distinguished_name = req_distinguished_name

[ req_distinguished_name ]

[ v3_req ]
keyUsage = digitalSignature
extendedKeyUsage = serverAuth
subjectAltName = @alt_names

[alt_names]
DNS.1 = ephemeral-01.test
EOF
Generate an ECDSA P-256 private key:
$ openssl ecparam -name secp256r1 -genkey -noout -out ephemeral-01.key
Generate a CSR with no subject DN using the previously created private key and OpenSSL configuration file:
$ openssl req -new -sha256 -key ephemeral-01.key -out ephemeral-01.csr -config ephemeral-01.conf -subj "/"
Use the pkcs10Enroll.sh script to enroll for the certificate:
$ ./pkcs10Enroll.sh -P ../keyfactorCommunitySuperAdmin.p12 -s foo123 -t ../ManagementCA.pem \
    -H ejbca-node1.ejbca-k8s -p ephemeralMtls-14d \
    -e ephemeralMtls -n ephemeralSubCA-G1 \
    -c ephemeral-01.csr -u ephemeral-01
The credential and Management CA certificate are already on the Linux server from the previous tutorial EJBCA REST API CLI. The location of these files is re-used for this tutorial.
Parse the ephemeral certificate with OpenSSL:
$ openssl x509 -text -noout -in ephemeral-01.crt
The output is similar to the following:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            66:71:70:5c:d7:08:41:a4:ed:8f:44:da:d5:a2:57:ac:ac:8a:e4:38
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C = SE, O = Keyfactor Community, CN = Ephemeral Sub CA - G1
        Validity
            Not Before: May 26 12:00:13 2024 GMT
            Not After : Jun  9 12:00:12 2024 GMT
        Subject:
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:fe:1b:6e:56:8e:d5:3a:5c:a4:d4:67:8c:71:94:
                    3b:49:df:e9:35:7b:e7:e3:dd:c5:9d:7d:55:cc:99:
                    0c:a3:5d:52:ce:10:2a:6f:c6:20:85:41:d4:08:f0:
                    57:25:99:46:29:b4:8e:5c:9c:b7:60:dd:ca:79:9d:
                    41:00:82:b0:86
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Authority Key Identifier:
                keyid:50:22:95:B3:D0:47:2D:DD:43:59:FC:1E:A7:F5:DE:39:17:6F:B0:82
            Authority Information Access:
                OCSP - URI:http://ejbca-node1.ejbca-k8s/ejbca/publicweb/status/ocsp
            X509v3 Subject Alternative Name: critical
                DNS:ephemeral-01.test
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
            X509v3 Subject Key Identifier:
                76:77:20:A0:E9:60:2C:21:58:AE:E1:8F:55:04:3C:75:2A:B5:00:68
            X509v3 Key Usage: critical
                Digital Signature
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:01:57:7d:7d:61:cc:50:ff:02:1a:25:c0:09:09:
         2f:2c:09:e1:5e:27:c5:a2:52:7e:82:75:f9:2c:93:bf:f9:71:
         02:20:5b:26:3f:7d:f8:df:20:bd:95:96:9b:12:20:d0:1b:31:
         59:14:8f:e7:c8:c7:1c:04:05:e2:8b:57:63:9c:c0:c2
You now have issued an ephemeral certificate that has a validity of 14 days and can continue with performing an OCSP check on the ephemeral certificate.
Step 7 - Validate the issued certificate using OCSP
Next, verify that the ephemeral certificate is valid by querying EJBCA over OCSP with OpenSSL. Before performing the OCSP check, the CA chain for the issued certificate is needed; it can be downloaded using the REST API. The serial number of the ephemeral certificate and the issuer hashes derived from the CA chain are sent in the OCSP request to EJBCA.
To perform the OCSP check, follow these steps:
Use cURL to download the CA chain:
$ curl --cacert ../ManagementCA.pem --cert-type P12 --cert ../keyfactorCommunitySuperAdmin.p12:foo123 \
    -X 'GET' \
    'https://ejbca-node1/ejbca/ejbca-rest-api/v1/ca/CN%3DEphemeral%20Sub%20CA%20-%20G1%2CO%3DKeyfactor%20Community%2CC%3DSE/certificate/download' \
    -H 'accept: */*'
The output is similar to the following:
Subject: CN=Ephemeral Sub CA - G1,O=Keyfactor Community,C=SE
Issuer: CN=My PKI Root CA - G1,O=Keyfactor Community,C=SE
-----BEGIN CERTIFICATE-----
MIICnDCCAkKgAwIBAgIURpCk4Zoxi+vglT6CYG3UpRujzswwCgYIKoZIzj0EAwIw
STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjQwNTIwMTczODU4WhcNMjYw
NTIwMTczODU3WjBLMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
bW11bml0eTEeMBwGA1UEAwwVRXBoZW1lcmFsIFN1YiBDQSAtIEcxMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEyCOXk/7FDz83MUe6Mj2nAR4Rjh0g680XPiyUVV6P
ZO1/YXCONFF6fMwxTod563m+AuKi5igW2pPb2AKgU7/Dx6OCAQQwggEAMBIGA1Ud
EwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5Uw
YgYIKwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRz
L015UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9v
Y3NwMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJv
b3RDQS1HMS5jcmwwHQYDVR0OBBYEFFAilbPQRy3dQ1n8Hqf13jkXb7CCMA4GA1Ud
DwEB/wQEAwIBhjAKBggqhkjOPQQDAgNIADBFAiEAzaOoLbhEs2fJBzKZCB1v2uf6
JBp9ZLf1e6uiRn21VyUCIFMKQ+5ZV6XofR1aOxFOdnI1zyXNwnkfcmPt/MUnTsvI
-----END CERTIFICATE-----
Subject: CN=My PKI Root CA - G1,O=Keyfactor Community,C=SE
Issuer: CN=My PKI Root CA - G1,O=Keyfactor Community,C=SE
-----BEGIN CERTIFICATE-----
MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw
STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1
MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW
dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/
BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/
BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL
vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA=
-----END CERTIFICATE-----
Select and copy the ephemeral sub CA PEM blob.
Create the sub-ephemeral.crt file:
$ vim sub-ephemeral.crt
Paste the ephemeral sub CA PEM blob:
Subject: CN=Ephemeral Sub CA - G1,O=Keyfactor Community,C=SE
Issuer: CN=My PKI Root CA - G1,O=Keyfactor Community,C=SE
-----BEGIN CERTIFICATE-----
MIICnDCCAkKgAwIBAgIURpCk4Zoxi+vglT6CYG3UpRujzswwCgYIKoZIzj0EAwIw
STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjQwNTIwMTczODU4WhcNMjYw
NTIwMTczODU3WjBLMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
bW11bml0eTEeMBwGA1UEAwwVRXBoZW1lcmFsIFN1YiBDQSAtIEcxMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEyCOXk/7FDz83MUe6Mj2nAR4Rjh0g680XPiyUVV6P
ZO1/YXCONFF6fMwxTod563m+AuKi5igW2pPb2AKgU7/Dx6OCAQQwggEAMBIGA1Ud
EwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5Uw
YgYIKwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRz
L015UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9v
Y3NwMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJv
b3RDQS1HMS5jcmwwHQYDVR0OBBYEFFAilbPQRy3dQ1n8Hqf13jkXb7CCMA4GA1Ud
DwEB/wQEAwIBhjAKBggqhkjOPQQDAgNIADBFAiEAzaOoLbhEs2fJBzKZCB1v2uf6
JBp9ZLf1e6uiRn21VyUCIFMKQ+5ZV6XofR1aOxFOdnI1zyXNwnkfcmPt/MUnTsvI
-----END CERTIFICATE-----
Save and close the file.
Select and copy the root CA PEM blob.
Create the root.crt file:
$ vim root.crt
Paste the root CA PEM blob:
Subject: CN=My PKI Root CA - G1,O=Keyfactor Community,C=SE
Issuer: CN=My PKI Root CA - G1,O=Keyfactor Community,C=SE
-----BEGIN CERTIFICATE-----
MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw
STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1
MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW
dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/
BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/
BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL
vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA=
-----END CERTIFICATE-----
Save and close the file.
Create the certchain.pem file, which contains the sub CA and root CA PEM blobs:
$ cat sub-ephemeral.crt > certchain.pem
$ cat root.crt >> certchain.pem
Validate the certificate with an OCSP check:
$ openssl ocsp -issuer certchain.pem -cert ephemeral-01.crt -text -url http://ejbca-node1.ejbca-k8s/ejbca/publicweb/status/ocsp
The output is similar to the following:
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 6C7E29272E7D8ED8DC404BD63C4543B8EE0094C3
          Issuer Key Hash: 502295B3D0472DDD4359FC1EA7F5DE39176FB082
          Serial Number: 6671705CD70841A4ED8F44DAD5A257ACAC8AE438
    Request Extensions:
        OCSP Nonce:
            04103CF6BCE12B7D6EBBFB2887999E4A4D6F
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 502295B3D0472DDD4359FC1EA7F5DE39176FB082
    Produced At: May 26 12:19:34 2024 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 6C7E29272E7D8ED8DC404BD63C4543B8EE0094C3
      Issuer Key Hash: 502295B3D0472DDD4359FC1EA7F5DE39176FB082
      Serial Number: 6671705CD70841A4ED8F44DAD5A257ACAC8AE438
    Cert Status: good
    This Update: May 26 12:19:34 2024 GMT

    Response Extensions:
        OCSP Nonce:
            04103CF6BCE12B7D6EBBFB2887999E4A4D6F
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:6a:b9:1f:3e:7f:5b:8a:80:dd:b5:7f:63:3c:ec:
         5d:57:71:7e:ba:0a:35:bd:64:c3:fa:a3:5a:18:27:7e:d3:41:
         02:20:6f:9d:20:c4:0a:61:6e:05:f2:c0:f7:59:06:d8:e7:9c:
         12:d1:51:68:58:8a:99:55:7f:59:a5:30:42:69:48:38
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            46:90:a4:e1:9a:31:8b:eb:e0:95:3e:82:60:6d:d4:a5:1b:a3:ce:cc
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=SE, O=Keyfactor Community, CN=My PKI Root CA - G1
        Validity
            Not Before: May 20 17:38:58 2024 GMT
            Not After : May 20 17:38:57 2026 GMT
        Subject: C=SE, O=Keyfactor Community, CN=Ephemeral Sub CA - G1
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:c8:23:97:93:fe:c5:0f:3f:37:31:47:ba:32:3d:
                    a7:01:1e:11:8e:1d:20:eb:cd:17:3e:2c:94:55:5e:
                    8f:64:ed:7f:61:70:8e:34:51:7a:7c:cc:31:4e:87:
                    79:eb:79:be:02:e2:a2:e6:28:16:da:93:db:d8:02:
                    a0:53:bf:c3:c7
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Authority Key Identifier:
                keyid:D5:CE:9D:68:90:BD:88:84:BC:3F:BE:5E:43:AA:E8:D3:24:78:07:95
            Authority Information Access:
                CA Issuers - URI:http://my.pki/certs/MyPKIRootCA-G1.crt
                OCSP - URI:http://my.pki/ocsp
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://my.pki/crls/MyPKIRootCA-G1.crl
            X509v3 Subject Key Identifier:
                50:22:95:B3:D0:47:2D:DD:43:59:FC:1E:A7:F5:DE:39:17:6F:B0:82
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:cd:a3:a8:2d:b8:44:b3:67:c9:07:32:99:08:
         1d:6f:da:e7:fa:24:1a:7d:64:b7:f5:7b:ab:a2:46:7d:b5:57:
         25:02:20:53:0a:43:ee:59:57:a5:e8:7d:1d:5a:3b:11:4e:76:
         72:35:cf:25:cd:c2:79:1f:72:63:ed:fc:c5:27:4e:cb:c8
-----BEGIN CERTIFICATE-----
MIICnDCCAkKgAwIBAgIURpCk4Zoxi+vglT6CYG3UpRujzswwCgYIKoZIzj0EAwIw
STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjQwNTIwMTczODU4WhcNMjYw
NTIwMTczODU3WjBLMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
bW11bml0eTEeMBwGA1UEAwwVRXBoZW1lcmFsIFN1YiBDQSAtIEcxMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEyCOXk/7FDz83MUe6Mj2nAR4Rjh0g680XPiyUVV6P
ZO1/YXCONFF6fMwxTod563m+AuKi5igW2pPb2AKgU7/Dx6OCAQQwggEAMBIGA1Ud
EwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5Uw
YgYIKwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRz
L015UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9v
Y3NwMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJv
b3RDQS1HMS5jcmwwHQYDVR0OBBYEFFAilbPQRy3dQ1n8Hqf13jkXb7CCMA4GA1Ud
DwEB/wQEAwIBhjAKBggqhkjOPQQDAgNIADBFAiEAzaOoLbhEs2fJBzKZCB1v2uf6
JBp9ZLf1e6uiRn21VyUCIFMKQ+5ZV6XofR1aOxFOdnI1zyXNwnkfcmPt/MUnTsvI
-----END CERTIFICATE-----
Response verify OK
ephemeral-01.crt: good
	This Update: May 26 12:19:34 2024 GMT
You now have validated that the ephemeral certificate is good using OCSP and can continue with revoking the ephemeral certificate.
Step 8 - Revoke the ephemeral certificate using the REST API
Revoking an ephemeral certificate is done using the EJBCA CLI, REST API, or web services. Ephemeral certificates cannot be revoked using the RA Web because the certificate does not exist in the database.
To revoke an ephemeral certificate with REST API, follow these steps:
Parse the ephemeral certificate with OpenSSL to get the serial number and store it in a variable:
$ export CERT_SERIAL_NUMBER=$(openssl x509 -noout -serial -in ephemeral-01.crt | cut -d'=' -f2)
Revoke the certificate using the REST API:
$ curl --silent --cacert ../ManagementCA.pem --cert-type P12 --cert ../keyfactorCommunitySuperAdmin.p12:foo123 \
    -X 'PUT' \
    "https://ejbca-node1/ejbca/ejbca-rest-api/v1/certificate/CN%3DEphemeral%20Sub%20CA%20-%20G1%2CO%3DKeyfactor%20Community%2CC%3DSE/${CERT_SERIAL_NUMBER}/revoke?reason=CESSATION_OF_OPERATION" \
    -H 'accept: application/json' | jq .
The output is similar to the following:
{
  "issuer_dn": "CN=Ephemeral Sub CA - G1,O=Keyfactor Community,C=SE",
  "serial_number": "6671705CD70841A4ED8F44DAD5A257ACAC8AE438",
  "revocation_reason": "CESSATION_OF_OPERATION",
  "revocation_date": "2024-05-26T12:20:16Z",
  "message": "Successfully revoked",
  "revoked": true
}
You now have revoked the ephemeral certificate and can continue with checking the validity with OCSP.
Step 9 - Validate the revoked certificate using OCSP
After revoking the certificate, the certificate serial number and Issuer DN are added to the CertificateData table in the CA database.
To check the validity of the revoked ephemeral certificate using OCSP, follow these steps:
Validate the certificate with an OCSP check:
$ openssl ocsp -issuer certchain.pem -cert ephemeral-01.crt -text -url http://ejbca-node1.ejbca-k8s/ejbca/publicweb/status/ocsp
The output is similar to the following:
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 6C7E29272E7D8ED8DC404BD63C4543B8EE0094C3
          Issuer Key Hash: 502295B3D0472DDD4359FC1EA7F5DE39176FB082
          Serial Number: 6671705CD70841A4ED8F44DAD5A257ACAC8AE438
    Request Extensions:
        OCSP Nonce:
            041094666B693277D6CD191D42EC1A7B780B
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Version: 1 (0x0)
    Responder Id: 502295B3D0472DDD4359FC1EA7F5DE39176FB082
    Produced At: May 26 12:23:49 2024 GMT
    Responses:
    Certificate ID:
      Hash Algorithm: sha1
      Issuer Name Hash: 6C7E29272E7D8ED8DC404BD63C4543B8EE0094C3
      Issuer Key Hash: 502295B3D0472DDD4359FC1EA7F5DE39176FB082
      Serial Number: 6671705CD70841A4ED8F44DAD5A257ACAC8AE438
    Cert Status: revoked
    Revocation Time: May 26 12:20:16 2024 GMT
    Revocation Reason: cessationOfOperation (0x5)
    This Update: May 26 12:23:49 2024 GMT

    Response Extensions:
        OCSP Nonce:
            041094666B693277D6CD191D42EC1A7B780B
    Signature Algorithm: ecdsa-with-SHA256
         30:44:02:20:53:9d:7a:15:ca:5c:da:47:7d:f6:49:5d:1b:07:
         58:60:c7:a6:63:75:e2:2d:9f:45:5c:f7:55:7e:b0:0c:b4:4c:
         02:20:0e:e2:0f:11:31:bb:61:1c:ad:e4:a6:f3:33:90:3a:0e:
         ee:48:55:0c:dc:0f:3c:da:37:10:2b:84:7c:dc:d2:b4
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            46:90:a4:e1:9a:31:8b:eb:e0:95:3e:82:60:6d:d4:a5:1b:a3:ce:cc
        Signature Algorithm: ecdsa-with-SHA256
        Issuer: C=SE, O=Keyfactor Community, CN=My PKI Root CA - G1
        Validity
            Not Before: May 20 17:38:58 2024 GMT
            Not After : May 20 17:38:57 2026 GMT
        Subject: C=SE, O=Keyfactor Community, CN=Ephemeral Sub CA - G1
        Subject Public Key Info:
            Public Key Algorithm: id-ecPublicKey
                Public-Key: (256 bit)
                pub:
                    04:c8:23:97:93:fe:c5:0f:3f:37:31:47:ba:32:3d:
                    a7:01:1e:11:8e:1d:20:eb:cd:17:3e:2c:94:55:5e:
                    8f:64:ed:7f:61:70:8e:34:51:7a:7c:cc:31:4e:87:
                    79:eb:79:be:02:e2:a2:e6:28:16:da:93:db:d8:02:
                    a0:53:bf:c3:c7
                ASN1 OID: prime256v1
                NIST CURVE: P-256
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
            X509v3 Authority Key Identifier:
                keyid:D5:CE:9D:68:90:BD:88:84:BC:3F:BE:5E:43:AA:E8:D3:24:78:07:95
            Authority Information Access:
                CA Issuers - URI:http://my.pki/certs/MyPKIRootCA-G1.crt
                OCSP - URI:http://my.pki/ocsp
            X509v3 CRL Distribution Points:
                Full Name:
                  URI:http://my.pki/crls/MyPKIRootCA-G1.crl
            X509v3 Subject Key Identifier:
                50:22:95:B3:D0:47:2D:DD:43:59:FC:1E:A7:F5:DE:39:17:6F:B0:82
            X509v3 Key Usage: critical
                Digital Signature, Certificate Sign, CRL Sign
    Signature Algorithm: ecdsa-with-SHA256
         30:45:02:21:00:cd:a3:a8:2d:b8:44:b3:67:c9:07:32:99:08:
         1d:6f:da:e7:fa:24:1a:7d:64:b7:f5:7b:ab:a2:46:7d:b5:57:
         25:02:20:53:0a:43:ee:59:57:a5:e8:7d:1d:5a:3b:11:4e:76:
         72:35:cf:25:cd:c2:79:1f:72:63:ed:fc:c5:27:4e:cb:c8
-----BEGIN CERTIFICATE-----
MIICnDCCAkKgAwIBAgIURpCk4Zoxi+vglT6CYG3UpRujzswwCgYIKoZIzj0EAwIw
STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjQwNTIwMTczODU4WhcNMjYw
NTIwMTczODU3WjBLMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
bW11bml0eTEeMBwGA1UEAwwVRXBoZW1lcmFsIFN1YiBDQSAtIEcxMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEyCOXk/7FDz83MUe6Mj2nAR4Rjh0g680XPiyUVV6P
ZO1/YXCONFF6fMwxTod563m+AuKi5igW2pPb2AKgU7/Dx6OCAQQwggEAMBIGA1Ud
EwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5Uw
YgYIKwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRz
L015UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9v
Y3NwMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJv
b3RDQS1HMS5jcmwwHQYDVR0OBBYEFFAilbPQRy3dQ1n8Hqf13jkXb7CCMA4GA1Ud
DwEB/wQEAwIBhjAKBggqhkjOPQQDAgNIADBFAiEAzaOoLbhEs2fJBzKZCB1v2uf6
JBp9ZLf1e6uiRn21VyUCIFMKQ+5ZV6XofR1aOxFOdnI1zyXNwnkfcmPt/MUnTsvI
-----END CERTIFICATE-----
Response verify OK
ephemeral-01.crt: revoked
	This Update: May 26 12:23:49 2024 GMT
	Reason: cessationOfOperation
	Revocation Time: May 26 12:20:16 2024 GMT
You have now validated that EJBCA returns a revoked OCSP status for the revoked ephemeral certificate, which completes the tutorial.
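As an added example (not part of the EJBCA documentation or of the pkcs10Enroll.sh tooling), the following Python script automates the parts of Steps 8 and 9 that a revocation script would otherwise grep for: it extracts the serial number from a PEM certificate in the same form that openssl x509 -noout -serial prints it, builds the REST revoke URL with the issuer DN URL-encoded as in the curl command above, and interprets openssl ocsp output fail-closed. The host name, issuer DN and OCSP output samples are the tutorial's own; the embedded PEM is the ephemeral sub CA certificate downloaded in Step 7, so its serial is the one shown in the OCSP responder certificate.

```python
import base64
import re
from urllib.parse import quote

# Ephemeral sub CA certificate as returned by the CA-chain download in Step 7.
EPHEMERAL_SUB_CA_PEM = """-----BEGIN CERTIFICATE-----
MIICnDCCAkKgAwIBAgIURpCk4Zoxi+vglT6CYG3UpRujzswwCgYIKoZIzj0EAwIw
STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjQwNTIwMTczODU4WhcNMjYw
NTIwMTczODU3WjBLMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
bW11bml0eTEeMBwGA1UEAwwVRXBoZW1lcmFsIFN1YiBDQSAtIEcxMFkwEwYHKoZI
zj0CAQYIKoZIzj0DAQcDQgAEyCOXk/7FDz83MUe6Mj2nAR4Rjh0g680XPiyUVV6P
ZO1/YXCONFF6fMwxTod563m+AuKi5igW2pPb2AKgU7/Dx6OCAQQwggEAMBIGA1Ud
EwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5Uw
YgYIKwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRz
L015UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9v
Y3NwMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJv
b3RDQS1HMS5jcmwwHQYDVR0OBBYEFFAilbPQRy3dQ1n8Hqf13jkXb7CCMA4GA1Ud
DwEB/wQEAwIBhjAKBggqhkjOPQQDAgNIADBFAiEAzaOoLbhEs2fJBzKZCB1v2uf6
JBp9ZLf1e6uiRn21VyUCIFMKQ+5ZV6XofR1aOxFOdnI1zyXNwnkfcmPt/MUnTsvI
-----END CERTIFICATE-----"""
ISSUER_DN = "CN=Ephemeral Sub CA - G1,O=Keyfactor Community,C=SE"


def _tlv(der, pos):
    """Return (tag, value_start, value_end) for the DER TLV starting at der[pos]."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                         # long form: low bits = count of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length


def serial_from_pem(pem):
    """Serial number as upper-case hex, matching `openssl x509 -noout -serial`.

    Certificate ::= SEQUENCE { tbsCertificate SEQUENCE {
        [0] EXPLICIT version OPTIONAL, serialNumber INTEGER, ... }, ... }
    """
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    der = base64.b64decode("".join(m.group(1).split()))
    tag, pos, _ = _tlv(der, 0)                # Certificate SEQUENCE
    assert tag == 0x30
    tag, pos, _ = _tlv(der, pos)              # tbsCertificate SEQUENCE
    assert tag == 0x30
    tag, start, end = _tlv(der, pos)
    if tag == 0xA0:                           # explicit [0] version present: skip it
        tag, start, end = _tlv(der, end)
    assert tag == 0x02, "expected INTEGER serialNumber"
    serial = der[start:end]
    if len(serial) > 1 and serial[0] == 0:    # a leading 0x00 only keeps the INTEGER positive
        serial = serial[1:]
    return serial.hex().upper()


def revoke_url(host, issuer_dn, serial_hex, reason="CESSATION_OF_OPERATION"):
    """Step 8 REST endpoint; quote(safe="") encodes '=', ',' and ' ' as the curl URL does."""
    return (f"https://{host}/ejbca/ejbca-rest-api/v1/certificate/"
            f"{quote(issuer_dn, safe='')}/{serial_hex}/revoke?reason={reason}")


def ocsp_status(openssl_text, cert_file):
    """Interpret `openssl ocsp -text` output for cert_file and decide fail-closed.

    "allow" is True only for a signature-verified "good". With the
    OCSP_NON_EXISTING_IS_GOOD setting from Step 1, "good" means "not revoked",
    not "issued by this CA": the certificate's own signature chain must still
    be verified separately.
    """
    verified = "Response verify OK" in openssl_text
    m = re.search(rf"^{re.escape(cert_file)}: (good|revoked|unknown)", openssl_text, re.M)
    status = m.group(1) if m else "unknown"
    m = re.search(r"^\s*Reason: (\S+)", openssl_text, re.M)
    return {"verified": verified, "status": status,
            "reason": m.group(1) if m else None, "allow": verified and status == "good"}


# Constructed samples: the tail of the tutorial's Step 7 and Step 9 output.
OCSP_GOOD = "Response verify OK\nephemeral-01.crt: good\n\tThis Update: May 26 12:19:34 2024 GMT\n"
OCSP_REVOKED = ("Response verify OK\nephemeral-01.crt: revoked\n"
                "\tThis Update: May 26 12:23:49 2024 GMT\n\tReason: cessationOfOperation\n"
                "\tRevocation Time: May 26 12:20:16 2024 GMT\n")

if __name__ == "__main__":
    print("sub CA serial:", serial_from_pem(EPHEMERAL_SUB_CA_PEM))
    print(revoke_url("ejbca-node1", ISSUER_DN, "6671705CD70841A4ED8F44DAD5A257ACAC8AE438"))
    print(ocsp_status(OCSP_REVOKED, "ephemeral-01.crt"))
```

To use it against a live EJBCA, feed serial_from_pem() the issued ephemeral-01.crt and pass the text of the openssl ocsp command from Step 9 to ocsp_status().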
Next steps and more resources
In this tutorial, you learned how to create an ephemeral CA, issue ephemeral certificates, and revoke an ephemeral certificate using the REST API.
Here are some next steps we recommend:
Learn how to issue certificates from EJBCA through Vault, by following this Tutorial - Use EJBCA with HashiCorp Vault.
If you are interested in EJBCA Enterprise, read more on Keyfactor EJBCA Enterprise.
If you are interested in EJBCA Community, check out EJBCA Community vs Enterprise or read more on ejbca.org.
If you are an EJBCA Enterprise customer and need support, visit the Keyfactor Support Portal.
Discuss with the EJBCA Community on GitHub Discussions.