Skip to main content
Skip table of contents

Connecting an RA to a CA over Peers

Setting Up a New RA

To use EST over CoAPs on the EJBCA LRA Software Appliance follow the steps described below.

  • The EJBCA LRA must have a TLS Certificate issued by a Certification Authority that is trusted by the standard EJBCA.
  • Therefore create a valid Certificate for the EJBCA LRA
  • Please see Managing TLS Certificates for more details.
  • If you use an external Vendor CA (the CA that signs the Birth certificate for IoT devices) you must import it to the EJBCA CA.

To set up a new RA polled by the CA, perform the following steps:

Note that this does not describe a complete installation procedure for any use case. 

Step 1: Set up the TLS Connection from CA to LRA

Configure on the standard EJBCA:

First, set up a Remote Authenticator to identify the CA to the RA:

  1. On the Overview page of the EJBCA Software Appliance click Admin Web in the Application Overview section.

  2. The EJBCA Enterprise opens.
  3. Create a Crypto Token, or use an existing Crypto Token.
  4. Open the System Functions drop-down menu in the top menu.
  5. Select Remote Authentication.
  6. Click Create new...

  7. Enter a Name: in this example we named the Remote Authenticator: RemoteAuthenticator.

    Select Crypto Token: choose the newly created or the existing Crypto Token you want to use.

    Set the Key Pair Alias to any Key of your choice, in this example we used: auto select with defaultKey.
    This comes from the crypto token we created.

    Signature Algorithm
    : select Signature Algorithm from the drop-down menu.
    Make sure to select the same algorithm that was used to create the Crypto Token and the Certificate Authority.
    e selected SHA256WithRSA.

    In the section Properties > Protocol and Cipher Suite: select any of your choice.
    We have selected TLSv1.2TLS_ECDHE_ECDSA_WITH_AES_256_GBC_SHA384 from the drop-down menu.

  8. Confirm the setting with Save.


    Make sure that the protocol and the Cipher Suite match the algorithm of the generated key pair.


    Add the trusted CA of the remote LRA instance.

  9. Return to the Remote Authentication overview page. Click in the column Actions > CSR to create a new certificate signing request for the TLS key pair. If you click CSR , the pem file for remote authentication will be downloaded. Sign the remote authentication CSR to obtain a client certificate with a trusted CA.


    The CA used to sign the CSR must be trusted by the LRA and the default EJBCA CA.


    This step is only necessary if you are already using a trusted CA under Access > Trusted CA.
    The CA used to sign the CSR must be uploaded to WebConf of the EJBCA LRA. For more details see Access: Managing Trusted CAs.

  10. Go back to Remote Authentication.
    In the section Import Client Certificate, click Browse... for the CSR that is downloaded and signed before (Step 7).
    Click Import to obtain the TLS certificate for the key binding. in the corresponding column Name, Issuer and Serial Number are displayed, but Status is still Disabled and the column Active is check-marked with a red cross.
    In the column Actions click Enable.
    The RemoteAuthenticator becomes active. A green check mark is displayed in the Active column.

  11. In the LRA EJBCA Enterprise, open the System Functions drop-down menu in the top menu.
    Select Peer Systems.
    In the section Peer Systems activate Allow outgoing connections. Leave Allow incoming connections unchecked.
    In the section
    Outgoing Peer Connectors.
    Click Add.

    Create Peer Connector opens:
    Name: choose a name for the Peer Connector. In this example we named it PeerConnector.
    URL: a URL is preselected. Adjust the URL to the EJBCA LRA IP address you want to connect to.
    Authentication Key Binding: select the remote Authentication from Step 5 and 6 from the drop-down menu. Make sure it is active otherwise you cannot select it.Open the System Functions drop-down menu in the top menu.

  12. Enabled: select

    Incoming requests:
    Process incoming requests:enable
    Minimum parallel requests:2
    Maximum parallel requests:


    Click Create.

  13. Click Ping for the new Outgoing Peer Connection to open the initial connection.

    It is expected that the error message `Unable to connect to peer. status code: 401, reason phrase: Unauthorized ` will be displayed because we have not yet configured the LRA side.

  14. Click  Authorized requests.

    A new form opens. In the role list, select Create New Role. Enable
    • Allow processing of request from peer
    • View CAs and CRLs
    • Choose your CA (here PeerCA)
    • under process requests from the Protocols check-mark EST and REST

  15. Click Create new role to continue.

  16. Open the System Functions drop-down menu in the top menu. 
    elect the Roles and Access Rules page.
    Click Access Rules of the just created access rule.

  17. The Edit Access Rules page opens. Click Advanced Mode.

  18. Under CA Access Rules make sure to give Access to the Vendor CA (The CA that was used to sign the Birth certificates.)

Step 2: Set up the Incoming Peer Connection on the LRA

Configure the EJBCA LRA side:

Incoming Peer Connections are enabled by default on the EJBCA LRA Software Appliance additionally the EST and REST CoAP Management protocols are enabled.

To set up the incoming peer connection, do the following:

  1. In the LRA EJBCA Enterprise open the System Functions drop-down menu in the top menu.
  2. Select Peer Systems.
  3. The incoming connection from the CA should appear in the Incoming Connections section. The CA can connect, but the RA has been given no rights.

  4. Click on Create Role, and either select a predefined role for the peer connection or have EJBCA create on automatically (suggested).
    1. Role is intended for peer connection
    2. Accept long hanging connections
    3. Ensure that Accept RA Requests is cleared.
    4. Accept 'Internal CoAP-Proxy CA'
    5. Access 'PeerCA' (for our example)

  5. Click Create new role.
  6. To verify that the connection is working, try pinging the LRA again as described in Step 1, item 11. No more error message should be displayed.

The role has now been created on the CA for use by the RA.

Step 3: Allow CoAP Proxy to access the EJBCA CA

Configure on the EJBCA LRA side:

  1. In the EJBCA LRA Enterprise open the CA Functions drop-down menu in the top menu.
  2. Select CA Structure and CRLs.
  3. In the column Details of certificate chain click Download PEM file of the Internal CoAP-Proxy CA.

Configure on the standard EJBCA LRA side:

  1. In the standard EJBCA LRA open the CA Functions drop-down menu in the top menu.
  2. Select Certificate Authorities. Click Import Ca certificate.

    Upload the just downloaded Internal Coap-Proxy CA.

  3. In the standard EJBCA LRA Enterprise open the System Functions drop-down menu in the top menu.
  4. Select Roles and Access Rules.
  5. Click Add to create a new role. Here we use 'CoAP Proxy Role' as a name.

  6. Click on Members next to the newly created role.
  7. The Members page opens:
    1. In the column Matching Value use coap-proxy as the Match Value for the common name.
    2. In the CA column choose the CA imported in Step 3.
      If you have selected a different type, you must enter a different value.
    3. Click Add within the Action column to continue.

  8. On the Roles and Access Rules page click on Access Rules next to the newly created role.
  9. On the Edit Access Rules page we select the Super Administrators as the role template initially but you should restrict the access of this role to your specific needs.
  10. Click Save.
  11. Finish the setup of the EST configuration according to EST Client Mode Configuration.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.