Skip to main content
Skip table of contents

Step 3: Create OCSP Key Binding in VA and Publisher in CA Hardware Appliance

The following describes the actions to perform to create an OCSP key binding in the VA Hardware Appliance and then a publisher in the CA Hardware Appliance.


Creating a Key Binding in the VA Hardware Appliance

  1. In the VA Hardware Appliance, go to the EJBCA Enterprise Administration.
  2. Navigate to VA Functions on the sidebar.
  3. Select OCSP Responder.
  4. Click Create new to create a new key binding.


  5. Enter the following values for the new key binding and click Create.

    • Name: Enter VAOcspKeyBinding
    • Crypto Token: Select OCSP key
    • Key PairAlias: Select signKey
    • SignatureAlgorithm: Select SHA256WithRSA

      Request Signers
    • CertificateAuthority: Select PeerMgmtCA from the drop down list
    • Click Add

      Generate OCSP responses for:

    • CertificateAuthority: Select PeerMgmtCA from the drop down list

    • Click Add

      Properties
    • Include signing certificate in response: Enable this option
    • Include certificate chain in response: Enable this option
    • ResponderID: Select KEYHASH.
    • Enable nonce in response: Enable this option
    • Omit reason code if revocation reason is unspecified (CABF compliance): Enable this option

      OCSP Extensions
    • Extension: Select Certificate Hash from the drop down list
    • Click Add
    • Click Create

  6. The key binding is created and the following message is displayed: VA OcspKeyBinding created with ID xxxxxxxxxx. (Depending on the database status, this ID could be set to any value.)

  7. Click Back to overview.
  8. Chose CSR from the Actions to download the CSR and save the file.

Creating a Publisher in the CA Hardware Appliance

  1. In the CA Hardware Appliance, go to the EJBCA Enterprise Administration.
  2. Navigate to RA Functions on the sidebar.
  3. Select End Entity Profiles.
  4. In Manage End Entity Profiles enter OCSPEndEntityProfile in the Add End Entity Profiles field.
  5. Click Add Profile.



  6. Select OCSPEndEntityProfile from the list.

  7. Click Edit End Entity Profile.


  8. Edit End Entity Profile: OCSPEndEntityProfile as follows

    • End Entity E-mail: Disable this option



      Subject DN Attributes:
    • CN Common Name: Select Required
    • Enter Keyfactor

      Main Certificate Data
    • Default Certificate Profile: Select OCSPSIGNER
    • Available Certificate Profile: Select OCSPSIGNER
    • DefaultCA: Select PeerMgmtCA
    • AvailableCAs: Select PeerMgmtCA
    • Default Token: Select User Generated
    • AvailableTokens: Select User Generated


  9. Click Save.

  10. In the Manage End Entity Profiles overview the message End Entity Profile 'OCSPEndEntityProfile' saved will be displayed.
  11. Return to the EJBCA Enterprise Administration.

  12. Navigate to RA Functions on the sidebar.

  13. Select Add End Entity. Make the following entries:

    • End Entity Profile: Select OCSPEndEntityProfile
    • Username: Select OCSP_end_entity
    • Password(orEnrollmentCode): Enter foo123
    • Confirm Password: Enter foo123
    • CN, Common Name: Enter OCSP
    • Certificate Profile: Select OCSPSIGNER
    • CA: Select PeerMgmtCA
    • Token: Select User Generated
    • Click Add


  14. Open EJBCA RA Web.

  15. From the top menu click the drop-down menu for Enroll.
  16. Chose Use Username from the drop down menu. Make the following entries:

    • Username: Enter OCSP_end_entity
    • Enrollment code: Enter foo123
    • Click Check to continue



    • Click Browse and select the CSR you downloaded in the previous step (VAOcspKeyBinding.pkcs10.pem)
    • Click Download PEM full chain


  17. Save the signed CSR.

  18. In the VA Hardware Appliance, go to the EJBCA Enterprise Administration.
  19. Navigate to VA Functions on the sidebar.
  20. Select OCSP Responders.
  21. In the section Import OCSP Signing Certificate, click Browse to upload the signed CSR.

  22. Click Import.


  23. On the same page, select Enable in the Actions row to enable the key binding. The Status will change to Enabled and marked as Active.

  24. In the section Set Default Responder, select VA OcspKeyBinding from the drop down menu.

  25. Click Set.

  26. In the CA Hardware Appliance, go to the EJBCA Enterprise Administration.
  27. Navigate to CA Functions on the sidebar.
  28. Select Publishers.
  29. In the Manage Publishers overview enter VA1 Publisher in the Add Publisher field.
  30. Click Add.

  31. Select the entry VA1 Publisher in the List of Publishers and click Edit Publisher:

  32. In the form Edit Publisher make the following entries in the Publisher : VA1 Publisher:

    • Publisher Type: Select Validation Authority Peer Publisher
    • Peer System: Select VA1 (xxxxxxx)
    • Enable the following options:
      • Store certificate at the ValidationAuthority
      • Store CRL at the Validation Authority
      • Use queue for CRLs
      • Use queue for certificates
    • Click Save and Test Connection
    • Click Save

  33. In the CA Hardware Appliance navigate to RA Functions on the sidebar.
  34. Select Search End Entities.
  35. Enter ssl_app in the first line: Search end entity with username.
  36. Click Search.

    Search End Entities
  37. The table in which ssl_app is listed then appears in the lower area. The End Entity can be navigated with the command buttons under the Actions column and with the commands arranged under the table.
    Click View next to Certificates under the Actions column.

    View Certificate of End Entity
  38. The Certificate will appear.
    Select Download PEM file.

    End Entity Certificate <certificate_to_be_controlled>.pem
  39. The following is a command script that should be executed on a terminal.

    CODE
    openssl ocsp -issuer <issuer>.pem \
    -CAfile <issuer>.pem \
    -cert <certificate_to_be_controlled>.pem -req_text \
    -url http://<VA_application_interface>:80/ejbca/publicweb/status/ocsp -resp_text
  40. The output looks like the following:

    OCSP Request Data :
    V e r s i o n : 1 ( 0 x0 ) R e q u e s to r L i s t :
    C e r t i f i c a t e ID :
    Hash Alg o r i th m : sha 1
    I s s u e r Name Hash : C45788773EDFD1434ED1D8A3C6E3CF176D78B82A I s s u e r Key Hash : EE5D0AE56A64E9001423A2F6FBFDBFF8BC4266E3
    S e r i a l Number : 41DC620FBFCB39C6 Request E x te n s i o n s :
    OCSP Nonce :
    04104775 FF9F9A74069EE07ED378AEA83E99
    OCSP Response Data :
    . . .
    Xu40z8I796Luq Zx99W7e Yy AutEir+ZLo31szYuDI+Q==
    OCSP Response Data :
    		...
    		Xu40z8I796LuqZx99W7eYyAutEir+ZLo31szYuDI+Q==
    		−−−−−END CERTIFICATE−−−−−
    		Response verify OK
    		ssl_app .pem: good
    		This Update: Dec 4 14:22:17 2014 GMT


JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.