Skip to main content
Skip table of contents

Tutorial - Use an ephemeral CA and revoke ephemeral certificates

In this tutorial, you will learn how to create and configure an ephemeral Certificate Authority (CA) to issue ephemeral certificates, use OCSP to validate the certificate, revoke the certificate using the REST API, and validate that the certificate is revoked.

About issuing and revoking ephemeral certificates

In use cases where you need to issue ephemeral user or device certificates for authentication with a short lifetime, there can still be reasons to revoke these certificates, for example, to block network access. Ephemeral certificates are not stored in the EJBCA database. However, since every certificate issued by EJBCA is in the audit log, it can be extracted from there to get its serial number needed for revocation. EJBCA provides a policy setting on the CA to permit revocation for certificates that are not in the CA database. An example use case is to issue ephemeral certificates with 7- to 21-day validity.

Prerequisites

For this tutorial, EJBCA Community Docker container version 8.3.1 was used.

Before you begin, you will need:

A running EJBCA instance – Click here to learn more.
A running EJBCA instance - Click to learn more

If you don’t already have EJBCA installed, here are some options for you:

Step 1 - Start the Docker containers

When an issued certificate does not reside in the database, EJBCA will answer unknown for that certificate when validating with OCSP. There is a setting in the ocsp.properties file in the EJBCA container to make EJBCA respond good for unknown certificates. With an ephemeral container, this setting can be persisted by asserting it in the Docker Compose YAML file.

To configure this OCSP setting, follow these steps:

  1. Use SSH to access the server.

  2. Change directory to the docker compose file.

    BASH
    $ cd ~/containers
  3. Use a text editor to edit the docker-compose.yml file.

    BASH
    $ vim docker-compose.yml 
  4. Add a new environment variable OCSP_NON_EXISTING_IS_GOOD and verify the container tag is 8.3.1. The docker-compose.yml should look similar to the following:

    YAML
    version: '3'
    networks:
      access-bridge:
        driver: bridge
      application-bridge:
        driver: bridge
    services:
      ejbca-database:
        container_name: ejbca-database
        image: "library/mariadb:latest"
        networks:
          - application-bridge
        volumes:
          - ./datadbdir:/var/lib/mysql:rw
      ejbca-node1:
        hostname: ejbca-node1
        container_name: ejbca
        image: keyfactor/ejbca-ce:8.3.1
        depends_on:
          - ejbca-database
        networks:
          - access-bridge
          - application-bridge
        environment:
          - DATABASE_JDBC_URL=jdbc:mariadb://ejbca-database:3306/ejbca?characterEncoding=UTF-8
          - LOG_LEVEL_APP=INFO
          - LOG_LEVEL_SERVER=INFO
          - TLS_SETUP_ENABLED=simple
          - OCSP_NON_EXISTING_IS_GOOD=true
        ports:
          - "80:8080"
          - "443:8443"
  5. Save and close the file.

  6. Start the EJBCA and MariaDB container with the following command:

    BASH
    $ docker compose up -d
  7. Tail the container logs to validate the OCSP_NON_EXISTING_IS_GOOD setting was detected.

    BASH
    $ docker logs ejbca 
  8. The output is similar to the following:

    BASH
    2024-05-23 00:52:55,336+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Configure logging for Application Server
    2024-05-23 00:52:55,343+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Configure logging for ejbca
    2024-05-23 00:52:55,350+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) uid=10001 gid=0(root) groups=0(root)
    2024-05-23 00:52:55,420+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Detected 2 available core(s).
    2024-05-23 00:52:55,429+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Detected 4078923776 bytes available host memory.
    2024-05-23 00:52:55,435+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Observable at 127.0.0.1:8090 under paths: /health /health/ready /health/live
    2024-05-23 00:52:55,451+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) LOG_LEVEL_APP_OCSP_TRANSACTIONS setting is depricated and does nothing
    2024-05-23 00:52:55,454+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) LOG_LEVEL_APP_OCSP_AUDIT setting is depricated and does nothing
    2024-05-23 00:52:55,458+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) MySQL/MariaDB database.
    2024-05-23 00:52:55,471+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Looking for plugins to import and initialize under /opt/keyfactor/ejbca/plugins/.
    2024-05-23 00:52:55,474+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Responding with 'good' when receiving OCSP requests for non-existing certificates.
    2024-05-23 00:52:55,485+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) External hostname env.HTTPSERVER_HOSTNAME is set to 'ejbca-node1'.
    2024-05-23 00:52:55,489+0000 INFO  [/opt/keyfactor/bin/start.sh] (process:1) Cluster Node ID is set to '6fsqlfocqelqhulixc'.

You now have configured EJBCA to respond good for unknown certificates and can continue with creating an ephemeral CA.

Step 2 - Create a crypto token for the ephemeral CA

A CA requires keys to sign issued certificates, CRLs, and OCSP requests when a delegated OCSP signer is not used. Crypto tokens are used to manage cryptographic keys on HSMs and soft keys stored in the EJBCA database.

To create a crypto token, follow these steps:

  1. Go to the EJBCA CA UI and click Crypto Tokens under CA functions.

  2. Click Create new and specify the following on the New Crypto Token page:

    • Name: Specify a name for the crypto token, in this example, ephemeralSubCA.

    • Type: Select Soft.

    • Auto-activation: Select use to allow EJBCA to save the password and reapply it after a restart.

    • Authentication Code: Enter a password to be used to activate the crypto token if the container is restarted. In this example, foo123.

  3. Click Save to create the crypto token.

  4. Next, generate three keys:

    • In the Name field that says signKey, specify signKey001, select ECDSA P-256 for the key size, and then click Generate new key pair to create the keys.

    • Repeat to create the default encryption key: name the key defaultKey001, select ECDSA P-256 for the key size, and then click Generate new key pair

    • Last, repeat to create a test key: name the key testKey, select ECDSA P-256 for the key size, and then click Generate new key pair.

  5. Click Back to Crypto Token overview.

You now have created a crypto token with keys and can continue with creating certificate profiles.

Step 3 - Create and configure certificate profiles

Before creating a CA or issuing certificates a certificate profile is created to assert the proper policy settings.

To create a certificate profile for the CA and end entity, follow these steps:

  1. In EJBCA, click Certificate Profiles under CA Functions.

  2. Click Clone next to the MyPKISubCAProfile certificate profile.

  3. Name the new certificate profile ephemeralSubCA-2y, and click Create from template.

  4. To edit the profile values to fit your needs, find the newly created ephemeralSubCA-2y displayed in the list and click Edit.

  5. On the Edit page, update the following:

    • For Signature Algorithm, select SHA256withECDSA.

    • For Validity, specify 2y.

  6. Click Save to store the Sub CA certificate profile.

  7. Click Clone next to the ShortLivedProfile certificate profile.

  8. Name the new certificate profile ephemeralMtls-14d, and click Create from template.

  9. To edit the profile values to fit your needs, find the newly created ephemeralMtls-14d displayed in the list and click Edit.

  10. On the Edit page, update the following:

    • For Signature Algorithm, select SHA256withECDSA.

    • For Validity, specify 14d.

    • Select Subject Alternative Name Critical.

    • Select Use CA defined OCSP locator.

    • For Available CAs, select Any CA.

  11. Click Save to store the certificate profile.

You now have created a new certificate profile for the ephemeral CA and the ephemeral end entity device. Continue to the next step to create the ephemeral CA.

Step 4 - Create the ephemeral CA

The crypto token and certificate profile can now be used to create the ephemeral CA. Policy settings located in the Directives section are set to not store certificate or user data in the CA database.

To create the ephemeral CA, follow these steps:

  1. In EJBCA, click Certificate Authorities under CA Functions.

  2. In the Add CA field, enter the name “ephemeralSubCA-G1” and click Create.

  3. On the Create CA page, update the following:

    • Select the crypto token ephemeralSubCA (created earlier) in the Crypto Token list.

    • Clear Use User Storage.

    • Clear Use Certificate Storage.

    • Select Accept Revocations for Non-Existing Entries.

    • For Default Certificate Profile for Non-Existing Entries, select the ephemeralMtls-14d.

    • For Subject DN, enter CN=Ephemeral Sub CA - G1,O=Keyfactor Community,C=SE.

    • For Signed By, select MyPKIRootCA-G1.

    • For Certificate Profile, select ephemeralSubCA-2y.

    • For Validity, specify 2y.

    • Clear LDAP DN order.

    • For OCSP service Default URI, enter http://ejbca-node1.ejbca-k8s/ejbca/publicweb/status/ocsp.

  4. Click Create to create the CA.

You now have created an ephemeral CA that does not store user or certificate data in the CA database and can continue with creating an end entity profile.

Step 5 - Create an end entity profile for the ephemeral device

Before a certificate can be issued, you must create an end entity profile to map the certificate profile, CA, and user token for the issued certificate.

To create the end entity profile, follow these steps:

  1. In EJBCA, click End Entity Profiles under RA Functions.

  2. Select the ShortLivedProfile end entity profile, enter ephemeralMtls for the Add End Entity Profile, and click Clone selected.

  3. Select the created ephemeralMtls end entity profile, and click Edit End Entity Profile to update the following:

    • Select Remove for Uniform Resource Identifier (URI) in the Subject Alternative Name section, and click Remove.

    • Select DNS Name in the Subject Alternative Name section, and click Add.

    • For DNS Name, select Required.

    • For Default Certificate Profile and Available Certificate Profiles, select ephemeralMtls-14d.

    • For Default CA and Available CAs, select ephemeralSubCA-G1.

  4. Click Save to store the end entity profile.

You now have created an end entity profile to issue an ephemeral certificate from the ephemeral CA and can continue with issuing a certificate using the REST API.

Step 6 - Issue an ephemeral certificate using the REST API

Ephemeral certificates cannot be issued using the EJBCA RA web but rather by using an enrollment protocol or API. To easily submit the pkcs10 to EJBCA, the pkcs10Enroll.sh script is used.

To issue an ephemeral certificate using the pkcs10Enroll.sh script, follow these steps:

  1. Return to the terminal session window that was used to SSH to the server.

  2. Change directories to the location of the pkcs10Enroll.sh script.

    BASH
    $ cd ~/rest-curl

This script is already on the Linux server from the previous tutorial EJBCA REST API CLI. The location of the script is re-used for this tutorial.

  1. Create an OpenSSL configuration file that is used to create the CSR:

    BASH
    $ cat > ephemeral-01.conf <<EOF
    [req]
    prompt = no
    req_extensions = v3_req
    distinguished_name = req_distinguished_name
    [ req_distinguished_name ]
    [ v3_req ]
    keyUsage = digitalSignature
    extendedKeyUsage = serverAuth
    subjectAltName = @alt_names
    [alt_names]
    DNS.1 = ephemeral-01.test
    
    EOF
  2. Generate an ECDSA P-256 private key:

    BASH
    $ openssl ecparam -name secp256r1 -genkey -noout -out ephemeral-01.key
  3. Generate a CSR with no subject DN using the previously created private key and OpenSSL configuration file:

    BASH
    $ openssl req -new -sha256 -key ephemeral-01.key -out ephemeral-01.csr -config ephemeral-01.conf -subj "/"
  4. Use the pkcs10Enroll.sh script to enroll for the certificate:

    BASH
    $ ./pkcs10Enroll.sh -P ../keyfactorCommunitySuperAdmin.p12 -s foo123 -t ../ManagementCA.pem \
    -H ejbca-node1.ejbca-k8s -p ephemeralMtls-14d \
    -e ephemeralMtls -n ephemeralSubCA-G1 \
    -c ephemeral-01.csr -u ephemeral-01

The credential and Management CA certificate are already on the Linux server from the previous tutorial EJBCA REST API CLI. The location of these files are re-used for this tutorial.

  1. Parse the ephemeral certificate with OpenSSL:

    BASH
    $ openssl x509 -text -noout -in ephemeral-01.crt
  2. The output is similar to the following:

    BASH
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                66:71:70:5c:d7:08:41:a4:ed:8f:44:da:d5:a2:57:ac:ac:8a:e4:38
            Signature Algorithm: ecdsa-with-SHA256
            Issuer: C = SE, O = Keyfactor Community, CN = Ephemeral Sub CA - G1
            Validity
                Not Before: May 26 12:00:13 2024 GMT
                Not After : Jun  9 12:00:12 2024 GMT
            Subject:
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (256 bit)
                    pub:
                        04:fe:1b:6e:56:8e:d5:3a:5c:a4:d4:67:8c:71:94:
                        3b:49:df:e9:35:7b:e7:e3:dd:c5:9d:7d:55:cc:99:
                        0c:a3:5d:52:ce:10:2a:6f:c6:20:85:41:d4:08:f0:
                        57:25:99:46:29:b4:8e:5c:9c:b7:60:dd:ca:79:9d:
                        41:00:82:b0:86
                    ASN1 OID: prime256v1
                    NIST CURVE: P-256
            X509v3 extensions:
                X509v3 Authority Key Identifier:
                    keyid:50:22:95:B3:D0:47:2D:DD:43:59:FC:1E:A7:F5:DE:39:17:6F:B0:82
    
                Authority Information Access:
                    OCSP - URI:http://ejbca-node1.ejbca-k8s/ejbca/publicweb/status/ocsp
    
                X509v3 Subject Alternative Name: critical
                    DNS:ephemeral-01.test
                X509v3 Extended Key Usage:
                    TLS Web Client Authentication
                X509v3 Subject Key Identifier:
                    76:77:20:A0:E9:60:2C:21:58:AE:E1:8F:55:04:3C:75:2A:B5:00:68
                X509v3 Key Usage: critical
                    Digital Signature
        Signature Algorithm: ecdsa-with-SHA256
             30:44:02:20:01:57:7d:7d:61:cc:50:ff:02:1a:25:c0:09:09:
             2f:2c:09:e1:5e:27:c5:a2:52:7e:82:75:f9:2c:93:bf:f9:71:
             02:20:5b:26:3f:7d:f8:df:20:bd:95:96:9b:12:20:d0:1b:31:
             59:14:8f:e7:c8:c7:1c:04:05:e2:8b:57:63:9c:c0:c2

You now have issued an ephemeral certificate that has a validity of 14 days and can continue with performing an OCSP check on the ephemeral certificate.

Step 7 - Validate the issued certificate using OCSP

Next, verify that the ephemeral certificate is valid using OCSP to query EJBCA with OpenSSL. Before performing the OCSP check the CA chain is needed for the issued certificate. The CA chain can be downloaded using the REST API. The serial number for the ephemeral certificate and the CA chain are sent in the OCSP request to EJBCA.

To perform the OCSP check, follow these steps:

  1. Use cURL to download the CA chain:

    BASH
    $ curl --cacert ../ManagementCA.pem --cert-type P12 --cert ../keyfactorCommunitySuperAdmin.p12:foo123 \
       -X 'GET' \
      'https://ejbca-node1/ejbca/ejbca-rest-api/v1/ca/CN%3DEphemeral%20Sub%20CA%20-%20G1%2CO%3DKeyfactor%20Community%2CC%3DSE/certificate/download' \
      -H 'accept: */*'
  2. The output is similar to the following:

    BASH
    Subject: CN=Ephemeral Sub CA - G1,O=Keyfactor Community,C=SE
    Issuer: CN=My PKI Root CA - G1,O=Keyfactor Community,C=SE
    -----BEGIN CERTIFICATE-----
    MIICnDCCAkKgAwIBAgIURpCk4Zoxi+vglT6CYG3UpRujzswwCgYIKoZIzj0EAwIw
    STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
    BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjQwNTIwMTczODU4WhcNMjYw
    NTIwMTczODU3WjBLMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
    bW11bml0eTEeMBwGA1UEAwwVRXBoZW1lcmFsIFN1YiBDQSAtIEcxMFkwEwYHKoZI
    zj0CAQYIKoZIzj0DAQcDQgAEyCOXk/7FDz83MUe6Mj2nAR4Rjh0g680XPiyUVV6P
    ZO1/YXCONFF6fMwxTod563m+AuKi5igW2pPb2AKgU7/Dx6OCAQQwggEAMBIGA1Ud
    EwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5Uw
    YgYIKwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRz
    L015UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9v
    Y3NwMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJv
    b3RDQS1HMS5jcmwwHQYDVR0OBBYEFFAilbPQRy3dQ1n8Hqf13jkXb7CCMA4GA1Ud
    DwEB/wQEAwIBhjAKBggqhkjOPQQDAgNIADBFAiEAzaOoLbhEs2fJBzKZCB1v2uf6
    JBp9ZLf1e6uiRn21VyUCIFMKQ+5ZV6XofR1aOxFOdnI1zyXNwnkfcmPt/MUnTsvI
    -----END CERTIFICATE-----
    Subject: CN=My PKI Root CA - G1,O=Keyfactor Community,C=SE
    Issuer: CN=My PKI Root CA - G1,O=Keyfactor Community,C=SE
    -----BEGIN CERTIFICATE-----
    MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw
    STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
    BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1
    MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
    Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI
    zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW
    dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/
    BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/
    BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL
    vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA=
    -----END CERTIFICATE-----
  3. Select copy the ephemeral sub CA PEM blob.

  4. Create the sub-ephemeral.crt file:

    BASH
    $ vim sub-ephemeral.crt
  5. Paste the ephemeral sub CA PEM blob:

    BASH
     Subject: CN=Ephemeral Sub CA - G1,O=Keyfactor Community,C=SE
    Issuer: CN=My PKI Root CA - G1,O=Keyfactor Community,C=SE
    -----BEGIN CERTIFICATE-----
    MIICnDCCAkKgAwIBAgIURpCk4Zoxi+vglT6CYG3UpRujzswwCgYIKoZIzj0EAwIw
    STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
    BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjQwNTIwMTczODU4WhcNMjYw
    NTIwMTczODU3WjBLMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
    bW11bml0eTEeMBwGA1UEAwwVRXBoZW1lcmFsIFN1YiBDQSAtIEcxMFkwEwYHKoZI
    zj0CAQYIKoZIzj0DAQcDQgAEyCOXk/7FDz83MUe6Mj2nAR4Rjh0g680XPiyUVV6P
    ZO1/YXCONFF6fMwxTod563m+AuKi5igW2pPb2AKgU7/Dx6OCAQQwggEAMBIGA1Ud
    EwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5Uw
    YgYIKwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRz
    L015UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9v
    Y3NwMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJv
    b3RDQS1HMS5jcmwwHQYDVR0OBBYEFFAilbPQRy3dQ1n8Hqf13jkXb7CCMA4GA1Ud
    DwEB/wQEAwIBhjAKBggqhkjOPQQDAgNIADBFAiEAzaOoLbhEs2fJBzKZCB1v2uf6
    JBp9ZLf1e6uiRn21VyUCIFMKQ+5ZV6XofR1aOxFOdnI1zyXNwnkfcmPt/MUnTsvI
    -----END CERTIFICATE-----
  6. Save and close the file.

  7. Select copy the root CA PEM blob.

  8. Create the root.crt file:

    BASH
    $ vim root.crt
  9. Paste the rootCA PEM blob:

    BASH
    Subject: CN=My PKI Root CA - G1,O=Keyfactor Community,C=SE
    Issuer: CN=My PKI Root CA - G1,O=Keyfactor Community,C=SE
    -----BEGIN CERTIFICATE-----
    MIIB2DCCAX6gAwIBAgIUAuuL1c/AoFwsfxgUrOvaRXldOWkwCgYIKoZIzj0EAwQw
    STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
    BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwIBcNMjMwMTIzMTYxODU4WhgPMjA1
    MzAxMTUxNjE4NTdaMEkxCzAJBgNVBAYTAlNFMRwwGgYDVQQKDBNLZXlmYWN0b3Ig
    Q29tbXVuaXR5MRwwGgYDVQQDDBNNeSBQS0kgUm9vdCBDQSAtIEcxMFkwEwYHKoZI
    zj0CAQYIKoZIzj0DAQcDQgAEIML7kNKGCjjKfxwyB/s4qtpFg2/aOVCeAByEeDMW
    dzHYLMOid4901ZPP5jMGghq84+yzzL5vCUXTKB44zJlU9qNCMEAwDwYDVR0TAQH/
    BAUwAwEB/zAdBgNVHQ4EFgQU1c6daJC9iIS8P75eQ6ro0yR4B5UwDgYDVR0PAQH/
    BAQDAgGGMAoGCCqGSM49BAMEA0gAMEUCIQCiFN/o++Z+AXkVUnM2M42vmVV+KPfL
    vdkRaOH7FIILEwIgEz0ROPPpZA2XFSa1dofkAY1h5iAbwg6VOaI3KfoabVA=
    -----END CERTIFICATE-----
  10. Save and close the file.

  11. Create the certchain.pem file which contains the root and sub CA PEM blobs:

    BASH
    $ cat sub-ephemeral.crt > certchain.pem
    $ cat root.crt >> certchain.pem
  12. Validate the certificate with an OCSP check:

    BASH
    $ openssl ocsp -issuer certchain.pem -cert ephemeral-01.crt -text -url http://ejbca-node1.ejbca-k8s/ejbca/publicweb/status/ocsp
  13. The output is similar to the following:

    BASH
    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: 6C7E29272E7D8ED8DC404BD63C4543B8EE0094C3
              Issuer Key Hash: 502295B3D0472DDD4359FC1EA7F5DE39176FB082
              Serial Number: 6671705CD70841A4ED8F44DAD5A257ACAC8AE438
        Request Extensions:
            OCSP Nonce:
                04103CF6BCE12B7D6EBBFB2887999E4A4D6F
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: 502295B3D0472DDD4359FC1EA7F5DE39176FB082
        Produced At: May 26 12:19:34 2024 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 6C7E29272E7D8ED8DC404BD63C4543B8EE0094C3
          Issuer Key Hash: 502295B3D0472DDD4359FC1EA7F5DE39176FB082
          Serial Number: 6671705CD70841A4ED8F44DAD5A257ACAC8AE438
        Cert Status: good
        This Update: May 26 12:19:34 2024 GMT
    
        Response Extensions:
            OCSP Nonce:
                04103CF6BCE12B7D6EBBFB2887999E4A4D6F
        Signature Algorithm: ecdsa-with-SHA256
             30:44:02:20:6a:b9:1f:3e:7f:5b:8a:80:dd:b5:7f:63:3c:ec:
             5d:57:71:7e:ba:0a:35:bd:64:c3:fa:a3:5a:18:27:7e:d3:41:
             02:20:6f:9d:20:c4:0a:61:6e:05:f2:c0:f7:59:06:d8:e7:9c:
             12:d1:51:68:58:8a:99:55:7f:59:a5:30:42:69:48:38
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                46:90:a4:e1:9a:31:8b:eb:e0:95:3e:82:60:6d:d4:a5:1b:a3:ce:cc
            Signature Algorithm: ecdsa-with-SHA256
            Issuer: C=SE, O=Keyfactor Community, CN=My PKI Root CA - G1
            Validity
                Not Before: May 20 17:38:58 2024 GMT
                Not After : May 20 17:38:57 2026 GMT
            Subject: C=SE, O=Keyfactor Community, CN=Ephemeral Sub CA - G1
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (256 bit)
                    pub:
                        04:c8:23:97:93:fe:c5:0f:3f:37:31:47:ba:32:3d:
                        a7:01:1e:11:8e:1d:20:eb:cd:17:3e:2c:94:55:5e:
                        8f:64:ed:7f:61:70:8e:34:51:7a:7c:cc:31:4e:87:
                        79:eb:79:be:02:e2:a2:e6:28:16:da:93:db:d8:02:
                        a0:53:bf:c3:c7
                    ASN1 OID: prime256v1
                    NIST CURVE: P-256
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:TRUE, pathlen:0
                X509v3 Authority Key Identifier:
                    keyid:D5:CE:9D:68:90:BD:88:84:BC:3F:BE:5E:43:AA:E8:D3:24:78:07:95
    
                Authority Information Access:
                    CA Issuers - URI:http://my.pki/certs/MyPKIRootCA-G1.crt
                    OCSP - URI:http://my.pki/ocsp
    
                X509v3 CRL Distribution Points:
    
                    Full Name:
                      URI:http://my.pki/crls/MyPKIRootCA-G1.crl
    
                X509v3 Subject Key Identifier:
                    50:22:95:B3:D0:47:2D:DD:43:59:FC:1E:A7:F5:DE:39:17:6F:B0:82
                X509v3 Key Usage: critical
                    Digital Signature, Certificate Sign, CRL Sign
        Signature Algorithm: ecdsa-with-SHA256
             30:45:02:21:00:cd:a3:a8:2d:b8:44:b3:67:c9:07:32:99:08:
             1d:6f:da:e7:fa:24:1a:7d:64:b7:f5:7b:ab:a2:46:7d:b5:57:
             25:02:20:53:0a:43:ee:59:57:a5:e8:7d:1d:5a:3b:11:4e:76:
             72:35:cf:25:cd:c2:79:1f:72:63:ed:fc:c5:27:4e:cb:c8
    -----BEGIN CERTIFICATE-----
    MIICnDCCAkKgAwIBAgIURpCk4Zoxi+vglT6CYG3UpRujzswwCgYIKoZIzj0EAwIw
    STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
    BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjQwNTIwMTczODU4WhcNMjYw
    NTIwMTczODU3WjBLMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
    bW11bml0eTEeMBwGA1UEAwwVRXBoZW1lcmFsIFN1YiBDQSAtIEcxMFkwEwYHKoZI
    zj0CAQYIKoZIzj0DAQcDQgAEyCOXk/7FDz83MUe6Mj2nAR4Rjh0g680XPiyUVV6P
    ZO1/YXCONFF6fMwxTod563m+AuKi5igW2pPb2AKgU7/Dx6OCAQQwggEAMBIGA1Ud
    EwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5Uw
    YgYIKwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRz
    L015UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9v
    Y3NwMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJv
    b3RDQS1HMS5jcmwwHQYDVR0OBBYEFFAilbPQRy3dQ1n8Hqf13jkXb7CCMA4GA1Ud
    DwEB/wQEAwIBhjAKBggqhkjOPQQDAgNIADBFAiEAzaOoLbhEs2fJBzKZCB1v2uf6
    JBp9ZLf1e6uiRn21VyUCIFMKQ+5ZV6XofR1aOxFOdnI1zyXNwnkfcmPt/MUnTsvI
    -----END CERTIFICATE-----
    Response verify OK
    ephemeral-01.crt: good
    	This Update: May 26 12:19:34 2024 GMT

You now have validated that the ephemeral certificate is good using OCSP and can continue with revoking the ephemeral certificate.

Step 8 - Revoke the ephemeral certificate using the REST API

Revoking an ephemeral certificate is done using the EJBCA CLI, REST API, or web services. Ephemeral certificates cannot be revoked using the RA Web because the certificate does not exist in the database.

To revoke an ephemeral certificate with REST API, follow these steps:

  1. Parse the ephemeral certificate with OpenSSL to get the serial number and store that in a variable:

    BASH
    $ export CERT_SERIAL_NUMBER=$(openssl x509 -noout -serial -in ephemeral-01.crt | cut -d'=' -f2)
  2. Revoke the certificate using the REST API:

    BASH
    $ curl --silent --cacert ../ManagementCA.pem --cert-type P12 --cert ../keyfactorCommunitySuperAdmin.p12:foo123 \
      -X 'PUT' \
      "https://ejbca-node1/ejbca/ejbca-rest-api/v1/certificate/CN%3DEphemeral%20Sub%20CA%20-%20G1%2CO%3DKeyfactor%20Community%2CC%3DSE/${CERT_SERIAL_NUMBER}/revoke?reason=CESSATION_OF_OPERATION" \
      -H 'accept: application/json' | jq .
  3. The output is similar to the following:

    BASH
    {
      "issuer_dn": "CN=Ephemeral Sub CA - G1,O=Keyfactor Community,C=SE",
      "serial_number": "6671705CD70841A4ED8F44DAD5A257ACAC8AE438",
      "revocation_reason": "CESSATION_OF_OPERATION",
      "revocation_date": "2024-05-26T12:20:16Z",
      "message": "Successfully revoked",
      "revoked": true
    }

You now have revoked the ephemeral certificate and can continue with checking the validity with OCSP.

Step 9 - Validate the revoked certificate using OCSP

After revoking the certificate, the certificate serial number and Issuer DN are added to the CertificateData table in the CA database.

To check the validity of the revoked ephemeral certificate using OCSP, follow these steps:

  1. Validate the certificate with an OCSP check:

    CODE
    $ openssl ocsp -issuer certchain.pem -cert ephemeral-01.crt -text -url http://ejbca-node1.ejbca-k8s/ejbca/publicweb/status/ocsp
  2. The output is similar to the following:

    BASH
    OCSP Request Data:
        Version: 1 (0x0)
        Requestor List:
            Certificate ID:
              Hash Algorithm: sha1
              Issuer Name Hash: 6C7E29272E7D8ED8DC404BD63C4543B8EE0094C3
              Issuer Key Hash: 502295B3D0472DDD4359FC1EA7F5DE39176FB082
              Serial Number: 6671705CD70841A4ED8F44DAD5A257ACAC8AE438
        Request Extensions:
            OCSP Nonce:
                041094666B693277D6CD191D42EC1A7B780B
    OCSP Response Data:
        OCSP Response Status: successful (0x0)
        Response Type: Basic OCSP Response
        Version: 1 (0x0)
        Responder Id: 502295B3D0472DDD4359FC1EA7F5DE39176FB082
        Produced At: May 26 12:23:49 2024 GMT
        Responses:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 6C7E29272E7D8ED8DC404BD63C4543B8EE0094C3
          Issuer Key Hash: 502295B3D0472DDD4359FC1EA7F5DE39176FB082
          Serial Number: 6671705CD70841A4ED8F44DAD5A257ACAC8AE438
        Cert Status: revoked
        Revocation Time: May 26 12:20:16 2024 GMT
        Revocation Reason: cessationOfOperation (0x5)
        This Update: May 26 12:23:49 2024 GMT
    
        Response Extensions:
            OCSP Nonce:
                041094666B693277D6CD191D42EC1A7B780B
        Signature Algorithm: ecdsa-with-SHA256
             30:44:02:20:53:9d:7a:15:ca:5c:da:47:7d:f6:49:5d:1b:07:
             58:60:c7:a6:63:75:e2:2d:9f:45:5c:f7:55:7e:b0:0c:b4:4c:
             02:20:0e:e2:0f:11:31:bb:61:1c:ad:e4:a6:f3:33:90:3a:0e:
             ee:48:55:0c:dc:0f:3c:da:37:10:2b:84:7c:dc:d2:b4
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number:
                46:90:a4:e1:9a:31:8b:eb:e0:95:3e:82:60:6d:d4:a5:1b:a3:ce:cc
            Signature Algorithm: ecdsa-with-SHA256
            Issuer: C=SE, O=Keyfactor Community, CN=My PKI Root CA - G1
            Validity
                Not Before: May 20 17:38:58 2024 GMT
                Not After : May 20 17:38:57 2026 GMT
            Subject: C=SE, O=Keyfactor Community, CN=Ephemeral Sub CA - G1
            Subject Public Key Info:
                Public Key Algorithm: id-ecPublicKey
                    Public-Key: (256 bit)
                    pub:
                        04:c8:23:97:93:fe:c5:0f:3f:37:31:47:ba:32:3d:
                        a7:01:1e:11:8e:1d:20:eb:cd:17:3e:2c:94:55:5e:
                        8f:64:ed:7f:61:70:8e:34:51:7a:7c:cc:31:4e:87:
                        79:eb:79:be:02:e2:a2:e6:28:16:da:93:db:d8:02:
                        a0:53:bf:c3:c7
                    ASN1 OID: prime256v1
                    NIST CURVE: P-256
            X509v3 extensions:
                X509v3 Basic Constraints: critical
                    CA:TRUE, pathlen:0
                X509v3 Authority Key Identifier:
                    keyid:D5:CE:9D:68:90:BD:88:84:BC:3F:BE:5E:43:AA:E8:D3:24:78:07:95
    
                Authority Information Access:
                    CA Issuers - URI:http://my.pki/certs/MyPKIRootCA-G1.crt
                    OCSP - URI:http://my.pki/ocsp
    
                X509v3 CRL Distribution Points:
    
                    Full Name:
                      URI:http://my.pki/crls/MyPKIRootCA-G1.crl
    
                X509v3 Subject Key Identifier:
                    50:22:95:B3:D0:47:2D:DD:43:59:FC:1E:A7:F5:DE:39:17:6F:B0:82
                X509v3 Key Usage: critical
                    Digital Signature, Certificate Sign, CRL Sign
        Signature Algorithm: ecdsa-with-SHA256
             30:45:02:21:00:cd:a3:a8:2d:b8:44:b3:67:c9:07:32:99:08:
             1d:6f:da:e7:fa:24:1a:7d:64:b7:f5:7b:ab:a2:46:7d:b5:57:
             25:02:20:53:0a:43:ee:59:57:a5:e8:7d:1d:5a:3b:11:4e:76:
             72:35:cf:25:cd:c2:79:1f:72:63:ed:fc:c5:27:4e:cb:c8
    -----BEGIN CERTIFICATE-----
    MIICnDCCAkKgAwIBAgIURpCk4Zoxi+vglT6CYG3UpRujzswwCgYIKoZIzj0EAwIw
    STELMAkGA1UEBhMCU0UxHDAaBgNVBAoME0tleWZhY3RvciBDb21tdW5pdHkxHDAa
    BgNVBAMME015IFBLSSBSb290IENBIC0gRzEwHhcNMjQwNTIwMTczODU4WhcNMjYw
    NTIwMTczODU3WjBLMQswCQYDVQQGEwJTRTEcMBoGA1UECgwTS2V5ZmFjdG9yIENv
    bW11bml0eTEeMBwGA1UEAwwVRXBoZW1lcmFsIFN1YiBDQSAtIEcxMFkwEwYHKoZI
    zj0CAQYIKoZIzj0DAQcDQgAEyCOXk/7FDz83MUe6Mj2nAR4Rjh0g680XPiyUVV6P
    ZO1/YXCONFF6fMwxTod563m+AuKi5igW2pPb2AKgU7/Dx6OCAQQwggEAMBIGA1Ud
    EwEB/wQIMAYBAf8CAQAwHwYDVR0jBBgwFoAU1c6daJC9iIS8P75eQ6ro0yR4B5Uw
    YgYIKwYBBQUHAQEEVjBUMDIGCCsGAQUFBzAChiZodHRwOi8vbXkucGtpL2NlcnRz
    L015UEtJUm9vdENBLUcxLmNydDAeBggrBgEFBQcwAYYSaHR0cDovL215LnBraS9v
    Y3NwMDYGA1UdHwQvMC0wK6ApoCeGJWh0dHA6Ly9teS5wa2kvY3Jscy9NeVBLSVJv
    b3RDQS1HMS5jcmwwHQYDVR0OBBYEFFAilbPQRy3dQ1n8Hqf13jkXb7CCMA4GA1Ud
    DwEB/wQEAwIBhjAKBggqhkjOPQQDAgNIADBFAiEAzaOoLbhEs2fJBzKZCB1v2uf6
    JBp9ZLf1e6uiRn21VyUCIFMKQ+5ZV6XofR1aOxFOdnI1zyXNwnkfcmPt/MUnTsvI
    -----END CERTIFICATE-----
    Response verify OK
    ephemeral-01.crt: revoked
    	This Update: May 26 12:23:49 2024 GMT
    	Reason: cessationOfOperation
    	Revocation Time: May 26 12:20:16 2024 GMT

You have now validated that EJBCA returns a revoked OCSP status for the revoked ephemeral certificate, which completes the tutorial.

Next steps and more resources

In this tutorial, you learned how to create an ephemeral CA, issue ephemeral certificates, and revoke an ephemeral certificate using the REST API.

Here are some next steps we recommend:

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.