User guide
About
EJBCA is a fully functional Certificate Authority built in Java. Based on J2EE technology it constitutes a robust, high performance and component based CA. Both flexible and platform independent, EJBCA can be used standalone or integrated in any J2EE application.
The EJBCA Homepage can be found at http://ejbca.sourceforge.net/. Information about contacting the EJBCA team, contributing to EJBCA, etc can be found through the Homepage.
More documentation can also be found on the homepage and on the documentation site http://docs.primekey.se/.
EJBCA is completely written in Java and should as such run on any platform where a J2EE server runs. Development and testing is performed on Linux and Windows platforms.
Security
Security is discussed below in the chapter about configuration and in Security.
Please take a minute to thorougly consider the security implications and make sure you know what you are doing when you are setting up a CA.
If running on Linux, you should consider using the sample firewall script provided in 'ejbcafirewall.sh'. If running on Windows, a similar aproach should be taken with firewall software/hardware.
Upgrade
See doc/RELEASE_NOTES and UPGRADE for information about upgrading from an earlier version of EJBCA.
Quick start guide
Prerequisites
Note: EJBCA makes use of strong crypto and keystore passwords longer than 7 characters. For this to work you must install the 'Unlimited Strength Jurisdiction Policy Files' for JDK. The policy files can be found at the same place as the JDK download at java.sun.com. Further information on this can be found in the Sun documentation on the JCE.
Needed to build and run are:
- JDK 1.4.x or 1.5.x
- JBOSS >3.2.6 or 4.0.x (latest tested verison is JBoss 4.0.2)
- Ant 1.6.x to build (http://jakarta.apache.org/ant/)
Set the environment variable JBOSS_HOME to the directory where JBoss's root is (/jboss-version). This is done so the deploy script will know where files are to be copied, they are copied to the directory $JBOSS_HOME/server/default/deploy.
Windows/Unix: When we describe command line commands below we use unix notation, e.g. 'ejbca.sh' for the executable command files. The same command files are available for windows as cmd-files, e.g. 'ejbca.cmd.'
Configure
If you are only testing EJBCA at this stage and is not setting up a production environment, you can skip this step.
Now when everything is prepared, there are a few things to configure before starting JBOSS and running everything in a production environment.
In a production environment you should use something like the following structure:
- Go through the install process creating an AdminCA. Use a simple DN. This CA is only used to issue the initial superadmin certificate. Not published in LDAP.
- Once installed, create all your REAL CAs using the admin-GUI. Now you can use the certificate profiles etc that you like. These certificates can be published in LDAP. See HOWTO-multiplecas.txt for a detailed configuration guide.
In a production environment you should use something else than the default Hypersonic database that comes with JBoss for the reasons:
- Hypersonic database is in-memory, which means that over time it will consume more memory. If a large numer of certificates is issued, it will become an issue after a while.
- Hypersonic does not support full SQL, in particular ALTER statements. When a new version of EJBCA is released we can not create scripts that updates the database if some tables changed. This will make upgrades much much harder.
Install
Note that the installation must be done with a user with privileges to write to JBOSS_HOME and subdirs.
1) Set the environment variable JBOSS_HOME to where your JBoss is installed, example /opt/jboss-4.0.2.
2) Copy ejbca.properties.sample to ejbca.properties and customize if needed. The default values works fine for a test installaton.
- Customize the CA properties if you need to do so. For production use you need to do this, don't forget to edit passwords to be secure and secret. Keep ejbca.properties as secret as possible. DO NOT forget the passwords, if you need to re-install the software sometime.
- Customize the database if needed but easiest thing is to keep the default as it is, it will use the JBoss embedded HSQLDB and everything will be easier for you. For production use you should use a real database instead of the embedded one.
3) Open a console (terminal) and start JBoss. You can start JBoss with 'ant j2ee:run' from EJBCA_HOME or the normal command 'run.sh/cmd' from JBOSS_HOME/bin.
4) Open a console and type 'ant bootstrap' it will compile, jar, war, ear everything and deploy it to JBoss. You should see JBoss picking up all the changes and deploying the ear without errors.
5) Type 'ant install' it will generate all certificates, keys, etc needed to run with an initial CA. You will find admin keys in ${ejbca.home}/p12. (do not delete those files!)
- tomcat.jks is for the servlet container (don't bother with it)
- superadmin.p12 should be imported in your browser, that's your administration certificate.
You will need administrative privileges (e.g. root) for the CA-certificate to be installed in Javas trust-keystore ($JAVA_HOME/jre/lib/security/cacerts, default pwd 'changeit'). If you don't have root permission now, you can do it manually later after step 9. It's important so don't forget!
6) Stop JBoss (ctrl+c or whatever)
7) type 'ant deploy', this will deploy everything again and configure the servlet container with the keystore file (this is why we needed to stop the container). If you alternative want to use jbossspecific service for automatic creation of the CRL:s you should use 'ant deploywithjbossservices' instead.
8) Import the certificate from EJBCA_HOME/p12/superadmin.p12 in your web browser. This is the super administrators certificate used to access the admin GUI. Other administrators with specific privileges can be created later on.
9) Start JBoss again and go to https://localhost:8443/ejbca/ to access the admin-GUI, or http://localhost:8080/ejbca for the public pages.
If you did not have root permission and get an error during installation step 5, you can install the root certificate afterwards with the following commands, WITH the right permissions: bin/ejbca.sh ca getrootcert AdminCA1 ca.crt -der
keytool -import -trustcacerts -alias AdminCA1 -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file ca.crt
where AdminCA1 is the CA name as configured in ejbca.properties (default is AdminCA1). You must stop and start JBoss after doing this.
Running optional tests
If you want to run a thorough test of your new CA, run the automated tests with 'ant test:run'. To run the tests you must copy the file lib/ext/junti-1.5.8 to ANT_HOME/lib.
NOTE: After running tests with 'ant test:run', you might consider deleting the database since some leftovers are left in the database. The tests will create and revoke some test certificates, so afterwards your CRLs will be populated with a few entries. 'ant test:run' should not be run on a production system, only to test the installation.
NOTE! Don't forget to configure JBoss for security! See security. Security is CRITICAL for a CA.
After the installation
Administrating EJBCA
You can administrate EJBCA using a web browser and the admin-GUI, this is the easiest way.
You can also use the command line interface (cli) which is called by 'bin/ejbca.sh'. If you call ejbca.sh you get a list of available commands, and you can get help for all commands by calling them without arguments, i.e: bin/ejbca.sh ca
bin/ejbca.sh ra adduser
etc etc
Creating more CAs
After installation, that creates a default admin CA you can create more CAs using the admin GUI.
Your CAs can be either root CAs, subordinate CAs to another CA in EJBCA or subordinate CAs to an external CA. The initial admin CA is a RootCA.
You can also use the command line interface (cli) 'bin/ejbca.sh ca init' to create new CAs, although a better idea is to do it from the Admin GUI. Ex: 'bin/ejbca.sh ca init TestRoot "C=SE,O=PrimeKey,CN=EJBCA" 2048 365 2.5.29.32.0' will create a root CA with the DN 'C=SE,O=PrimeKey,CN=EJBCA'. The keylength is 2048 bit (RSA) and the validity of the root certificate is 365 days. Quote the DN so it is treated as one argument.
PKIX requires that a CRL always is available even if it is empty. When creating a new CA the CA certificate is stored and published (if any Publishers are configured), and the initial CRL is created and stored/published.
Subordinate CAs are created using the admin GUI, you can not use the cli for that.
Converting an OpenSSL CA
You can convert a PEM-style Root CA key to a PKCS12 file that can be imported in EJBCA. openssl pkcs12 -export -out server1.p12 -inkey cakey.pem -in ca.pem -name privateKey
You can import the CA with the cli command 'bin/ejbca.sh ca importca'.
Using EJBCA
Creating Users
Users are added in the admin-GUI, 'Add End Entity' or with the cli 'bin/ejbca.sh ra adduser'. The users DN is normally entered in the cli as "C=SE,O=MyOrg,OU=MyOrgUnit,CN=MyName". If a ',' is needed in the DN the comma must be escaped using '\,'.
Create User certificates
To enroll for certificates using browsers, open http://127.0.0.1:8080/ejbca/publicweb/apply/index.html (assuming the servlet container listens to port 8080) and use the links for your browser.
To enroll for certificates using manual methods (for server certificates for example) open http://127.0.0.1:8080/ejbca/publicweb/apply/apply_man.jsp and fill in the form.
Note that application for certificates only work when the status of a user is NEW, FAILED or INPROCESS (one time password thing). The status is set to GENERATED after a certificate has been issued. To issue a new certificate, the status must be reset to NEW, which can be done through the admin-GUI or the cli.
During batch generation of certificates, users with status NEW or FAILED are generated. This is due to the possibility that a batch generation for some reason failed. If it fails status is set to FAILED and you can try again after fixing the error.
Create server certificates
The best way to create server certificates is to generate a PKCS12, JKS or PEM file for the server, depending on what server it is. To do this:
- Create a user with the admin_GUI or 'bin/ejbca.sh ra'. The DN for a server should have the domain name in CommonName (CN). Example DN for webserver: "C=SE,O=AnaTom,CN= www.anatom.se", or for mailserver "C=SE,O=AnaTom,OU=Engineering,CN=mail.anatom.se". Set the token type to match the kind of token that should be generated for your server.
- To be able to batch-generate certificates, the batch generation program must have access to the users (servers) password in order to request a certificate on behalf of the user. Normally the password is stored in hashed form, so the password must be stored in clear text form by running 'bin/ejbca.sh ra setclearpwd username password'
- Generate private keys and certificates by running 'bin/ejbca.sh batch'
Many servers (ex Apache, Tomcat) wants keys and certificates in PEM-format or SUN JKS. To generate PEM-files use token type PEM. The PEM-files will be stored in a separate subdirectory, 'pem'. The generated PEM-files can be used with Apache etc, and are NOT protected by any password. To generate JKS-files use token type JKS. The JKS-files will be stored in the subdirectory, 'p12' instead of PKCS12-files. The generated JKS- files can be used with Tomcat etc, and are protected (both private key password and keystore password) by the users password.
It is also possible to use openssl to transform a PKCS12 file to PEM- format. openssl pkcs12 -in pkcs12-file -nodes
copy and paste the private key to key file, the first certificate to server cert file and last certificate to CA cert file (If your CA is a subordinate CA to another Root CA, the CA cert file may need to contain the whole cert chain). Exactly how your server wants the files is server dependent.
CRL generation
A new CA should always issue an (empty) CRL. This is done when the ca is created and can also be done by running 'ca.sh/cmd createcrl caname'.
Note on CRL Distribution Points (CDPs): it is possible to configure multiple URLs for CDPs if they are separated by ';'. For example: http://cdpurl-1/mycrl.der;http://cdpurl-2/crl.crl
A CRLDistributionPoint for a CA in EJBCA could look like: http://host:port/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=url-encoded-issuerDN
(such as the link from the webdist pages)
There are at least two ways to have EJBCA to periodically create updated CRLs.
JBossservice
The first way to have CRLs generated automatically is to build and deploy the JBOSS CRL Service. This is done with the command 'ant deploywithjbossservices' (inside ejbca.ear) alternatively 'ant deployjbossservices' (outside ejbca.ear) If you only want to build the jar (without deploying) you can do so with the command 'ant jbossservices'. After installation with deployjbossservices, JBoss must be restarted.
This service will by default check if CRL generation is needed every minute. If this default behaviour can be changed by editing the attribute 'Polltime' in src/appserver/jboss/crlcreate-service.xml. A new CRL is created if the old one expires within the polltime + 10 minutes, so a CRL is always created at least 10 minutes before the old one expires. In this way we will in the worst case get the overlap time (10 min) as the time when applications can fetch the new CRL before the old one expires. The attribute can have the following values: DAILY = Every midnight
HOURLY = At XX:00 every hour.
30MIN = At XX:30 and XX:00 every hour
15MIN = At XX:15, XX:30, XX:45,XX:00, every hour
1MIN = Every minute
Cron job
The second way is to have a cron job or equivalent call 'bin/ejbca.sh ca createcrl'. The 'createcrl' command will then check all active CAs if there is a need to update their CRLs, otherwise nothing is done.
If you want to force CRL generation for a CA, use 'bin/ejbca.sh ca createcrl caname'
Example crontab entry: PATH=$PATH:/usr/java/jdk1.4.2_01/bin
@daily cd /home/ejbca;/home/ejbca/ca.sh createcrl;
where '/usr/java/jdk1.4.2_01/bin' is the path to where 'java' can be found. '/home/ejbca' is where ejbca is installed and 'ca.sh' located.
Sample crontab to be installed with 'crontab -e': SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
CLASSPATH=$CLASSPATH:/root/ejbca:/root/ejbca/admin.jar
JBOSS_HOME=/usr/local/jboss
# m h dom mon dow command
00 0 * * * cd /root/ejbca;./ca.sh createcrl
Scep
Since SCEP uses encryption, you must install the 'Unlimited Strength Jurisdiction Policy Files' for JDK. The policy files can be found at the same place as the JDK download. Further information on this can be found in the Sun documentation on the JCE.
There is a SCEP servlet receiving requests on http://localhost:8080/ejbca/publicweb/apply/scep/pkiclient.exe
Level of SCEP support
EJBCA does succesfully receive SCEP 'PKCSReq' requests and send back the certifificate/CRL immediately in a proper SCEP reply message. EJBCA does not support the 'polling' model, EJBCA uses the direct method, where a request is granted or denied immediately. EJBCA will not send back proper SCEP error messages in all cases of failure. The error messages are not completely implemented.
The CN part of the DN in the PKCS#10 request, which is part of the Scep request, will be used as the 'username' when authenticating the request in EJBCA. Create the Scep request with a CN mathing the username registered in EJBCA. The challengePassword in the PKCS#10 request, which is part of the Scep request, will be used as the 'password' when authenticating the request in EJBCA. Create the Scep request with a challengePassword mathing the password registered in EJBCA.
The most common errors should be wrong username/password or wrong status (not NEW) on the user in EJBCA.
Tested devices
*** OpenScep ***
To use the OpenScep client to request a certificate from this servlet, use the command: ./scep -k test.key -r test.pemreq -c ejbca-ca.pem -q foo123 -u http://localhost:8080/ejbca/publicweb/apply/scep
rem ./scep -d -k test.key -r test.pemreq -2 -e test.req -c ejbca-ca.pem -q foo123 -u http://localhost:8080/ejbca/publicweb/apply/scep
Where test.key is generated with: openssl genrsa -out test.key
test1.req is generated with: openssl req -key test.key -new -days 30 -out test.req -outform DER -config ../openssl/openscep.cnf
and test1.pemreq is generated with: openssl req -key test.key -new -days 30 -out test.pemreq -outform PEM -config ../openssl/openscep.cnf
*** Simple Scep Client (sscep) ***
Simple Scep Client. You should only use CN in the users DN (same as for PIX below).
*** Juniper Networks NetScreen-25/NetScreen-50 ***
Working.
*** Cisco VPN client ***
Tested with version 4.0.2.
To enroll using the Cisco VPN client use:
- CA URL='http://127.0.0.1:8080/ejbca/publicweb/apply/scep/pkiclient.exe'
- CA Domain=you CAs name in EJBCA
- In the DN screen simply enter the username (as added in EJBCA) as 'Name [CN]'
*** Cisco PIX ***
Cisco PIX is not currently tested as working.
- You must configure JBoss to use port 80 to enroll with PIX, this is done in JBOSS_HOME/server/default/deploy/jbossweb-tomcat50.sar/service.xml (or similar depending on version).
- EJBCA supports the 'ca' mode of enrollment for pix, not 'ra'.
- The certificate profile used by the SCEP CA must include the key usages KeyEncipherment and DataEncipherment, otherwise PIX will not be able to verify/decrypt encrypted SCEP messages. This is not in the default certificate profile for CAs.
- When enrolling for certificate using SCEP with for example a Cisco PIX there is a 'ca_nickname'. This nickname should be the CA-name as defined when creating the CA in EJBCA. For example 'vpnca'.
- Only use lower-case names when creating the CA in EJBCA, since PIX will change the CA name VpnCA to vpnca when enrolling.
- The username in EJBCA must be the name the PIX identifies itself with name.domain, example pix.primekey.se.
- The end-entity DN should only include the DN component CN plus unstructuredXX, ex "CN=pix.primekey.se, unstructuredName=pix.primekey.se", no O or C should be in the certificate.
- Certificates used for PIX must include the DN component unstructuredName (fqdn) and could also include unstructuredAddress (ip).
- Certificates used for PIX must include the SubjectAltName dNSName beeing the fqdn of the pix, eg name.domain, iPAddress can also be useful. If unstructuredAddress is used iPAddress should be used (but I don't think you should use ip).
- Cisco does not support use of the 'Domain Component', DC, attribute in DNs, don't use it.
- The PIX user should have a DN like "unstructuredName=pix.primekey.se, CN=pix.primekey.se", KeyUsage "Digital Signature, Key Encipherment", SubjectAltName "DNS:pix.primekey.se".
- When the VPN-client (above) connects to the PIX, the 'ou' part of the clients DN must match a Vpngroup you have specified, otherwise the connection will fail.
Please notice this Cisco note:
Be sure that the PIX Firewall clock is set to GMT, month, day, and year before configuring CA. Otherwise, the CA may reject or allow certificates based on an incorrect timestamp. Cisco's PKI protocol uses the clock to make sure that a CRL is not expired. Set timezone first, then set time, then check time with 'show clock'.
The enrollment steps should be something like: ca identity pixca ca-ip:/ejbca/publicweb/apply/scep/pkiclient.exe
ca configure pixca ca 1 0 crloptional
ca authenticate pixca
--wait--
show ca certificate
ca save all
wr mem
ca crl request pixca
--wait--
show ca crl
ca enroll pixca foo123
--wait--
Unforturnately this gives the following error for me: CRYPTO_CA: error = 293: failed to verify
or sometimes: CRYPTO_CA: error = 266: failed to verify
If someone has any ideas what this means, don't hesitate to let us know.
Ocsp
OCSP is used by PKI-clients to verify the validity of certificates in real-time. This is done by sending a request for the status of a specific certificate to an OCSP responder. The responer may or may not be the same as the CA. The OCSP responder sends a signed reply, containing the requested status information back to the client. The client uses this status information to determine whether the certificate is valid for use or revoked.
There is an OCSP servlet receiving requests on http://localhost:8080/ejbca/publicweb/status/ocsp. The servlet can process requests for certificates signed by a CA running in EJBCA, as long as the CAs OCSP service has not been deactivated.
The OCSP servlet receives OCSP request by http(s) and send back a status response signed by the CA, or with a dedicated responder certificate.
For a CA to be valid as an OCSP-responder it must have the KeyUsage 'Digital Signature' in the certificate profile used to create the CA. This KeyUsage must be included if the CA is to sign OCSP-responses. The default certificate profiles for CAs includes the key usage 'Digital Signature'.
There are a two parameters affecting the OCSP service that can be configured in ejbca.properties:
- 'useCASigningCert' - If set to true (default) the OCSP reponses will be signed directly by the CAs certificate instead of the CAs OCSP responder. If set to false, the CAs special OCSP responder certificate is used to sign the OCSP responses. The OCSP responder certificate is signed directly by the CA.
- 'defaultResponderID' - Specifies the subject of a CA which will generate responses when no real CA can be found from the request. This is used to generate 'unknown' responses when a request is received for a certificate that is not signed by any CA on this server. Set this to the same DN as your initial Admin CA for example.
These values should be set during deployment of EJBCA. After the values have been edited, they are installed with the 'ant deploy' command.
Example to generate an OCSP request using OpenSSL: openssl ocsp -issuer Test-CA.pem -CAfile Test-CA.pem -cert Test.pem -req_text -url http://localhost:8080/ejbca/publicweb/status/ocsp
If Mozilla is to request and accept OCSP-responses from a CA it must be configured:
- 'Use OCSP to validate all certificates using this URL and signer' in 'Privacy & Security->Validation'. Choose the CA from EJBCA (which you should have made Trusted by right clicking in 'Privacy & Security->Certificates->Manage Certificates->Authorities' and checking the appropriate checkboxes).
- If using a Certificate Profile that includes a OCSP Service URL for client certificates, the Validation option in Mozilla 'Use OCSP to validate only certificates that specify an OCSP service URL' also works fine. When this option is checked you may need to restart Mozilla.
When the validation settings are set, Mozilla will query the OCSP server when for example double-clicking on a certificate in the certificate manager. An appropriate URL for validation is: http://hostname:8080/ejbca/publicweb/status/ocsp
If using a dedicated OCSP responder certificate, this certificate must be imported in Mozilla as a Trusted CA certificate, so it can be set as OCSP signer in 'Privacy & Security->Validation'. You can do this through 'View Certificates' in EJBCA (http://hostname:8080/ejbca/publicweb/webdist/cacert.jsp).
In doc/samples there is a sample how to check revocation with OCSP using the new APIs in JDK 1.5.
Key recovery
Key Recovery can be used to re-use or restore a users private key. To enable key recovery use the admin-GUI:
- Set 'Enable Key Recovery' in 'System Configuration'.
- Create a new End Entity Profile and set to use 'Key Recoverable'.
- Add users with this End Entity Profile.
The following is an example of a sequence of commands that can be used to generate a new certificate for a user using the same key pair:
# First revoke username, with revocation reason reason, bin/ejbca.sh ra revokeuser $username $reason
# then mark the certificate for keyrecovery, bin/ejbca.sh ra keyrecovernewest $username
# then set clear text password for Batch session to use bin/ejbca.sh ra setclearpwd $username $userpass
# and finally reissue the certificate. bin/ejbca.sh batch
Email notifications
Mail settings in JBoss is created when running the 'ant install' using the values specified in ejbca.properties (or default). It is configured in $JBOSS_HOME/server/default/deploy/ejbca-mail-service.xml. For other containers you must create a mail service with the same JNDI name as specificed in ejbca.properties.
You must create a new end-entity profile to be able to issue certificates to end users using email notifications. Under the RA functions, choose "Edit End Entity Profiles" and add a new profile. Select the profile and go into 'Edit End Entity profile'. In this page you can Enable Send Notifications and create the notification message.
Enter the from-address and subject. Enter a message using the following variables for dynamic substitution: $USERNAME, $PASSWORD, $CN, $O, $OU, $C, $DATE. Use $NL for newline in the mail message.
Tip: If you configure autogenerated password in end entity profile you don't need to enter one in the adduser page. A generated one will automatically be sent with the email.
If you want to re-send a notification for a user, reset the status to NEW. If the status is already NEW, set the status to GENERATED and then back to NEW.
Hardware Security Modules (HSM)
EJBCA have a moduler API for HSMs, HardCAToken. For every CA that is created a HardCAToken object is also created. This object contains among other things references to keys (or the keys themselves of a soft token is used). For each HSM hardware that should be supported you need one HardCAToken class that implementes support for this particular HSM. A hard ca token plug-in must:
- implement IHardCAToken
- be loaded at the static initialization if HardCATokenManager where it is registered with the HardCATokenManager using the method addAvailableHardCAToken()
See HardCATokenSample and/or DummyHardCAToken for samples. Unlike the sample addAvailableHardCAToken() must be called with use=true, or the token will not be usable in EJBCA (as the flag suggests).
EJBCA has build-in support for the nCipher NFast HSM.
nCipher NFast
Follow these steps to create a CA that is using a NFast card: 1. Create keys that should be used on the NFast card
You may use the java keytool. It is advisable to define an alias for using the tool for keystores on the NFast: alias keyToolHSM='java -cp /opt/nfast/java/classes/rsaprivenc.jar:/opt/nfast/java/classes/nfjava.jar
:/opt/nfast/java/classes/kmjava.jar:/opt/nfast/java/classes/kmcsp.jar
:/opt/nfast/java/classes/jutils.jar sun.security.tools.KeyTool -provider com.ncipher.provider.km.nCipherKM
-storetype nCipher.sworld'
Then the keyToolHSM alias could be used to manage keys on the NFast card in exactly the same way as soft keys are managed by keytool. All keys for one CA should be in the same keystore. Different CAs may share the same keystore but may also have different keystores. 2. Copy files to jboss that implements the nCipher CA Token functionality to JBoss
The file are copied from the dist directory. The destination is the deploy directory of the application server (server/default/deploy in jboss). The files to be copied are: jutil.jar kmcsp.jar kmjava.jar nfjava.jar rsaprivenc.jar
You could also make links if you prefer that. 3. Make EJBCA aware of the NFast HSM
Restart the application server. 4. Create a new CA in the web GUI of EJBCA
Choose NFastCAToken as "CA Token Type".
Define the keystore on the nFast card that should be used. The keystore is defined by the hexadecimal hash string from the keystore file (open the .jks with a text editor ) generated in step 1. Define which keys in the keystore that should be used and the purpose of these keys.
Use one row for each definition. Begin the row with a key word. It is one row for the keystore and one for each key definition. Key word and value is separated by one or more spaces. A row with the keyword keyStore must always be present. The keywords for keys that can be used are:
- certSignKey - the key to be used when signing certificates
- crlSignKey - the key to be used when signing CLSs
- keyEncryptKey - the key to be used for key encryption and decryption.
- defaultKey - the key to be used when no other key is defined for a purpose. If this is the only definition then this key will be used for all purposes.
Example: keyStore 578fc1f0b19d5bc6f61e3a3f1e28318715385a20
certSignKey rootCertSign
defaultKey rootCRLSign
LDAP and Publishers
EJBCA has a modular support for something we call Publishers. A publisher can be any external source where you want to send issued certificates and CRLs to be stored. The most common cases of Publishers, which are implemented by default in EJBCA are LDAP directories and Active Directory (which is a special case of LDAP directory).
The Publisher architecture is modular and it's possible to implement custom publishers that can also be easily integrated and set up in the admin-GUI.
First we will start with describing the built-in publishers.
LDAP Naming
A good book to understand LDAP naming is "Understanding and Deploying LDAP Directory Services". The recommended method of choosing a naming suffix is the one described in RFC2247 that maps a DNS domain to a DN. If my DNS domain is bigcorp.com it will map to the DN "dc=bigcorp,dc=com". The top node in my LDAP directory will then be "dc=bigcorp,dc=com".
The dc component support is mandated by all of the X.509 RFCs now. For example, if I have this directory: dc=bigcorp,dc=com
|
+-dc=fi
|
|
+-dc=se
|
+-cn=Mike Jackson
The most understandable method is taking the subject name in forward order, like: cn=Mike Jackson,dc=se,dc=bigcorp,dc=com
If the DN is ordered like this it should be published to the correct object in the tree.
If the DN is ordered reverse, like: dc=bigcorp,dc=com,dc=se,cn=Mike Jackson EJBCA will reorder it incorrectly to forward order, so the publishing will be wrong.
Therefore... Use forward order like this: 'cn=Mike Jackson,dc=se,dc=bigcorp,dc=com' if using the dc model or 'cn=Mike Jackson,o=bigcorp,c=se' if using the o,c model.
An example image of an LDAP structure can be seen below in HOWTO-LDAP-tree.png.
Making unique LDAP DNs is the next challenge. If you are in a small organization having the CN will probably work fine, but in a larger organization there are probably several people with the same name. Somehow the names must be made unique, and one way is to introduce numbers, initials etc in the CN. Another way that we recommend is to use uid in the LDAP DN instead. LDAP DNs will then looks like "uid=tomas,dc=bigcorp,dc=com". Uid is the users username, normally used for login etc, and you probably already have some proceedure to create unique usernames already.
LDAP Basics
LDAP has an unusual structure, if you are not used to X.500 style naming. Things are either branches, or leaf nodes. You can't just drop an object anywhere you like; You need to create the framework to support it. Sort of like if you wanted to put entries in /etc/hosts, if the directory /etc did not exist.
First you mkdir /etc, Then you create the file. Then you start putting things in the file. The difference with LDAP and x.500 is that instead of paths separate by slashes, you have paths separated by commas and '=' signs.
For example, if you want to make an object "cn=ldaphost,ou=hosts,dc=yourdom,dc=com", you first have to make sure "dc=yourdom,dc=com" exists. Then make sure "ou=hosts,dc=yourdom,dc=com" exists. THEN you can try "cn=ldaphost,ou=hosts,dc=yourdom,dc=com"
EJBCA does not create branches in LDAP. You have to put them there with other means, before you start publishing.
Configure LDAP publishers
A Publisher is a session bean that implements the IPublishSession interface and is used to store certificates and CRLs for entities. EJBCA have support for endless number of publishers simply by defining publishers in the admin-GUI. The user of EJBCA can implement own publishers, but EJBCA already comes with a publisher for LDAP.
EJBCA uses a notion of base DN to publish to different LDAP structures. The DN used in the certificate can be different from the LDAP structure.
*** Configuring EJBCA ***
To configure the publisher for LDAP:
- Choose 'Edit Publishers' in the admin-GUI.
- Add a new publisher with a name you define yourself. Edit the publisher and fill in all the neccesary fields.
Parameters to LDAP Publisher:
- 'Hostname' is the host where the LDAP server is located.
- 'Port' is the port on which the LDAP server listens, default non-SSL is 389.
- 'Login DN' is the DN of a user on the LDAP server with permissions to add and update enties.
- 'Login Password' is the password for the user above.
- 'User Object Class' is the objectclass for the LDAP entries for users, where user certificates are published. The entry is hierarchical separated by ';' to build a structure like:
objectclass: top objectclass: person objectclass: organizationalPerson objectclass: inetOrgPerson This objectclass must allow the attribute 'userCertificate;binary'. Default 'top;person;organizationalPerson;inetOrgPerson'
- 'CA Object Class' is the objectclass for the LDAP entries for CAs, where CA certificates and CRLs are published. The entry is hierarchical separated by ';' to build a structure. This objectclass must allow the attributes 'cACertificate;binary', 'certificateRevocationList;binary' and 'authorityRevocationList;binary'.
Default 'top;applicationProcess;certificationAuthority'
- 'User Certificate Attribute' is the attribute name, in the userObjectClass, for the users certificate.
Default 'userCertificate;binary'.
- 'CA Certificate Attribute' is the attribute name, in the cAObjectClass, for the CAs certificate.
Default 'cACertificate;binary'.
- 'CRL Attribute' is the attribute name, in the cAObjectClass, for CRLs (user CRLs) publisher by the CA.
Default 'certificateRevocationList;binary'.
- 'ARL Attribute' is the attribute name, in the cAObjectClass, for ARLs (CA CRLs) publisher by the CA.
Default 'authorityRevocationList;binary' (note that pure ARLs are not implemented yet in EJBCA).
- 'LDAP location fields from cert DN' When configuring the LDAP publisher the BaseDN will be used as the base for the DN published in LDAP, and it will be appended to the LDAP location fields selected to be used. example: If the user DN in EJBCA is "cn=tomas gustavsson, uid=tomasg, O=PrimeKey Solutions AB, C=SE" and the BaseDN is "dc=PrimeKey,dc=SE" and the selected LDAP location fields are "CN". The LDAP DN used for publishing will be "cn=tomas gustavsson, dc=PrimeKey, dc=SE", and the "uid=tomasg" will be added as an attribute in LDAP. The certificate stored under "cn=tomas gustavsson, dc=PrimeKey, dc=SE" will have the subjectDN "cn=tomas gustavsson, uid=tomasg, O=PrimeKey Solutions AB, C=SE".
*** Setting up certificate profiles ***
You MUST make a custom certificate profile to publish to LDAP!
To publish in LDAP you must create a Certificate profile in EJBCA that publishes to LDAP. If the above is configured, there will be a section for 'Publishers' available when creating/editing a certificate profile (with 'Edit Certificate Profiles'). Choose this, and then when adding end-entities, make sure they use the new certificate profile and voila, the certs will be published.
*** Publishing to Active Directory ***
When configuring Active Directory LDAP, Bind DN for the users are usually, cn=user,cn=Users,dc=domain-component1,dc=domain-component2. For example: cn=Philip Vendil,cn=Users,dc=primekey,dc=se for the domain primekey.se
If your DN is like "cn=Ejbca1,0=MyOrg,c=SE" and your base DN is like "DC=Security,DC=Software,DC=MyOrg". The publisher for AD should have base DN like "cn=Users,dc=Security,dc=Software,dc=MyOrg"
For Login DN you should use the full ldap name, for example: "CN=Administrator,CN=Users,dc=primekey,dc=se"
In order to connect to AD though SSL you should issue a LDAP SSL P12 to the domain controller. According to MS Article ID 321051
The same certificate is used for both the AD and global catalogue (GC). Remember to add the CA certificate to the machine stores trusted root certificates.
*** Custom publishers ***
If your setup makes it very complex to configure multiple certificate profiles and multiple publishers you might consider writing a custom publisher that handles things directly according to you demands.
Look in the directory src/java/se/anatom/ejbca/ca/publishers for more information about writing your own solution. There is an empty custom publisher called DummyCustomPublisher.java that can be extended.
*** What EJBCA stores/creates/modifies ***
When ejbca publishes a certificate to LDAP it firsts builds the DN from the baseDN and 'LDAP location fields for cert DN'. It checks if the entry exists in the ldap and either creates or modifies the entry.
Apart from the DN in the entry a number of attributes are also stored, some are required by schema, some are optional. EJBCA find attributes in the certificate, if there is an OU (organizational unit) in the certificate EJBCA uses that to populate the OU attribute in the ldap entry.
When updating an entry that already exists EJBCA uses replace on the existing attributes, so if an email attributes already exists and EJBCA finds an email adress in the certificate, the email attribute in ldap is replaced with the email adress from the certificate.
The attributes that EJBCA creates or replaces are:
- cn (common name)
- l (locality)
- ou (organizational unit)
- sn (surname)
- gn (givenname)
- st (state)
- o (organization)
- uid (user id)
- initials
- title
Using LDAP
In Mozilla you can for example enter a URL like: ldap://ip-address-of-ldap-server:389/cn=Tomas Gustavsson,dc=se,dc=bigcorp,dc=com and it will fetch an adress book entry with the information about the user, including the certificate.
The LDAP url format is described in RFC2255.
Examples of using LDAP with Netscape/Mozilla can be found in the howto-section of this web page.
To use LDAP top fetch user certificates and use them for encrypting email there seems to be a requirement to use SSL connection to the LDAP server (Account Options->Compositions & Addressing->Edit directories->Edit->Use Secure Connection), see also below how to configure OpenLDAP for SSL.
Note: When fetching certificates from LDAP with Mozilla for example with URL: ldap://ldap-server-host/dc=bigcorp,dc=com??sub?(cn=MyName)?(objectclass=*) To get a checkbox at the fetched certificate, the CA certificate must be installed in the Windows truststore, not only in Mozillas.
To use SSL against an LDAP server with MS Outlook you must make sure the CN in the LDAP servers certificate is the same as the hostname. An example of adding a user for the LDAP server with the CLI interface is: bin/ejbca.sh ra adduser ldap password "C=SE,O=Foo,CN=ldap.foo.se" null MyCA null 1 PEM
where ldap.foo.se is the hostname of the LDAP server that Outlook should use.
The CA certificate must also be imported into Windows properly.
Configure OpenLDAP
The objectclass 'inetOrgPerson' is used by default to store certificates.
Example: dn: cn=Mike Jackson,ou=people,dc=company,dc=com
objectclass: top
objectclass: person
objectclass: organizationalPerson
objectclass: inetOrgPerson
cn: Mike Jackson
sn: Jackson
userCertificate;binary::
CAs are published in the form: dn: cn=ejbca,dc=jackson,dc=net
objectClass: top
objectClass: applicationProcess
objectClass: certificationAuthority
cn: ejbca
cACertificate;binary:
certificateRevocationList;binary:
authorityRevocationList;binary:
To configure OpenLDAP (version 2.2.5) to include the 'inetOrgPerson' you must add the following lines to slapd.conf: include /usr/local/etc/openldap/schema/cosine.schema
include /usr/local/etc/openldap/schema/inetorgperson.schema
Don't forget to add the top object by creating an LDIF file (org.ldif): dn: o=AnaTom,c=SE
objectclass: dcObject
objectclass: organization
o: AnaTom
dc: AnaTom
dn: cn=Admin,o=AnaTom,c=SE
objectclass: organizationalRole
cn: Admin
And using the command: ldapadd -x -D "cn=Admin,o=AnaTom,c=SE" -W -f org.ldif
Check what you have in the LDAP by: /usr/local/bin/ldapsearch -x -b 'o=AnaTom,c=SE' '(objectclass=*)'
*** Configure SSL ***
Create a user in ejbca (this example is for adding a user with the cli interface, adding a user with the admin-GUI works just as fine). In the mail ejbca directory type (use simply 'ra' on windows): bin/ejbca.sh ra adduser ldap foo123 "C=SE,O=Foo,CN=ldap" null AdminCA1 null 1 PEM
bin/ejbca.sh ra setclearpwd ldap foo123
Where foo123 is the ldap users password, C=SE... is the users DN and AdminCA1 is the name you chose for your CA. The user type is end-user (1), keystore type is PEM, and if using the admin-GUI check 'use batch'). Batch generate the PEM keystore: bin/ejbca.sh batch
Copy the resulting files p12/pem/ldap.pem, p12/pem/ldap-CA.pem and p12/pem/ldap-Key.pem to your LDAP server. In this example the slapd.conf is located in /usr/local/etc/openldap so we copy the files to that directory. Protect theses files so they are only readable by the LDAP server. Add the following to your slapd.conf: # Use SSL
TLSCipherSuite HIGH:MEDIUM:+SSLv3
TLSCertificateFile /usr/local/etc/openldap/ldap.pem
TLSCertificateKeyFile /usr/local/etc/openldap/ldap-Key.pem
TLSCACertificateFile /usr/local/etc/openldap/ldap-CA.pem
Restart slapd: ./slapd -h "ldap:/// ldaps:///"
and check thats it is running with 'ps -ef|grep slapd'.
On SuSE, if using the builting OpenLDAP you have to enable ldaps in /etc/sysconfig/openldap: OPENLDAP_START_LDAPS="yes"
and then run SuSEconfig
and then rcldap start
Configure your LDAP publisher in EJBCA to use SSL by checking the checkbox 'Use SSL', the port shold change to port 636.
Note! The CA certificate of the (root)CA used to sign the ldap server certificate must be present in the java trust cert store ($JAVA_HOME/jre/lib/security/cacerts). If you use the defualt CA created when ejbca was installed this is alread included. Otherwise you will have to add it using something like: First get the CA cert: bin/ejbca.sh ca getrootcert MyCA -der
Then add it to the java trust store: keytool -import -trustcacert -alias MyCA -keystore $JAVA_HOME/jre/lib/security/cacerts -password changeit
A guide for configuring OpenLDAP on Solaris can be found at bolthole.com
Extra device schema
To store certificates for devices (e.g. routers, toasters etc) in LDAP there is no really suitable standard object class. inetOrgPerson requires surnames etc, and the device objectclass does not include a certifictae attribute.
Mike Jackson has kindly contributed additional objects that extend the standard device class with a certificate attribute. The ejbcaDevice uses object ids from PrimeKey Solutions AB.
*** Installation ***
For the Netscape/SUN servers, on UNIX, copy the 85ejbca.ldif file into: /usr/netscape/servers/slapd-hostname/config/schema/
and restart the LDAP server.
For OpenLDAP, copy the ejbca.schema file into, e.g.: /usr/local/etc/openldap/schema/
and edit slapd.conf to add the following line: include /usr/local/etc/openldap/schema/ejbca.schema
then restart the server.
Export and import profiles
Certificate and End Entity profiles can be exported as XML files and imported in another instance of EJBCA, or in the same instance after removal of the old ones.
When exporting profiles (bin/ejbca.sh ca exportprofiles), all profiles will be exported to the specified directory. The exported files will be given unique names containing profile name and profile id. When importing profiles the profile name and id will be read from the filename. All profiles present in the specified directory will be imported.
Fixed profiles will not be imported, they will simply be skipped during import. If a profiles with the same name as the one beeing imported already exist, the profiles will not be imported.
Import of profiles try to keep the same profile id. If there already exist a profile with the same id in the database, you might have to edit the filename to choose another id. This can only be done if it is a new profile. The reason the id is kept is that there are references to the profile id from users beloinging to the profile.
One issue to notice regarding import/export of profiles is that if you export an entity profile with 'Available CAs' put to a CA that does not exist where you import the profile, you will not see it. Before exporting the profiles, you should set 'Available CAs' to a CA that is also present (with the same DN=caid) on the other CA. This is not ideal, but it is a consequence of how the authorization system works, you are not authorized to see the imported profiles when the caid is unknown.
Internationalization
To customize EJBCA admin GUI for your languages special characters you may have to change the default page encoding in 'web.contentencoding' (in ejbca.properties file) to for example UTF-8 instead of the default ISO-8859-1.
Displaying, receiving, decoding and storing different char sets is rather complicated and the architecture is multilayered. There is the web browser, application server, database and operating system, all working together. If you change to UFT-8 to handle your char set, perhaps you must also specify that the database connection should use UTF-8. For MySQL this can be done in the connection-url in your datasource description (JBOSS_HOME/server/default/deploy/ejbca-ds.xml): jdbc:mysql://yourhost/ejbca?useUnicode=true&characterEncoding=UTF-8
If you can't get you national characters to work with the admin GUI, you can try using the cli instead (bin/ejbca.sh ra adduser ...). That usually works.
EJBCA have for exmaple been tested on Windows/JBoss 4.0.2/MySQL and Linux/JBoss4.0.1sp1/HSQL with the default configuration using Swedish national characters, and it works nicely both with the cli and admin-GUI.
Adding a new language to the admin GUI
Java uses unicode internally, so the things that needs to be taken care of are:
- Make sure your system locale is set correctly, so Java will recognize input of your nations language. If Java does not automatically recognize your locale you might need to specify it as options to java during startup (i.e. in JBoss and cmd line commands such as ca.sh and ra.sh). java -Duser.language=2-char-language-code -Duser.region=2-char-country-code example for Swedish: java -Duser.language=sv -Duser.region=SE
- Your database must also recognize the locale so it does not strip down to plain ascii. This is database and JDBC-driver dependent.
The admin GUI is meant to support multiple languages through language files in src/adminweb/languages. In order to add a language you should do the following:
- Rename the languagefile you have created to language.languagecode.properties. In case of chinese it should be 'ch', and place it in the src/adminweb/languages directory.
- Edit ejbca.properties (create with ejbca.properties.sample as template if you don't have one). Change 'web.availablelanguages' and add your language code to the value. i.e: <env-entry-value>EN,FR,IT</env-entry-value>
- You may have to change the default page encoding in 'web.contentencoding' to for example UTF-8 instead of the default ISO-8859-1.
- Clean and re-deploy ejbca with 'ant clean' followed by 'ant deploy'. Restart JBoss and your browser after this.
Now it should be possible to select EN, FR and IT in the system configuration as default language and in the administrator preferences page. The language will be changed next time the administrator logs in.
Reference manual
All configuration options, JNDI names etc is configured through the use of an ejbca.properties file.
Administrating CA
The CA has a command line interface 'bin/ejbca.sh ca. Options are:
- info - prints information about a CA.
- init - creates a new Root CA.
- listcas - lists all CAs in the system. Stores CA certificates and publishes first CRL. Quote the DN (") so it is treated as one argument.
- getrootcert - exports the CA certificates to file.
- createcrl - issues a CRL.
- getcrl - retrieves the latest CRL.
- listexpired - List certificates that will expire within a given number of days.
- exportprofiles - exports entity and certificate profiles to xml-files.
- importprofiles - imports entity and certificate profiles from xml-files. When you export a profile that should be imported in another CA, make sure the 'Available CAs' is set to 'Any CA' for the profiles you export. Otherwise you can get into trouble with authorization if you don't have the same CAs with the same caids (DNs) where you import the profiles.
- importca - creates a new CA by importing keys from en existing PKCS12 file. A PKCS12 file can be generates from PEM files with openssl.
- importcert - creates a user and imports a certificate for him/her.
- republish - republishes certificates for a CA and all users. Can be used to add a publisher to a CA after some time, and then publish all certs.
Administrating RA
The RA has a command line interface 'bin/ejbca.sh ra'. Options are:
- adduser - adds a user to the database, after addition a user may apply for a certificate. If email address is set to 'null', no email is put in certificates. Quote the DN (") so it is treated as one argument. Altnames is a string simlar to the DN string but using alternative names from RFC3280, i.e. "rfc822Name=email, dNSName=hostname, uri=http://whatever, iPAddress=10.56.32.245" The full list is: otherName, rfc822Name, dNSName, x400Address, directoryName, ediPartyName, uniformResourceIdentifier, iPAddress, registeredID Only rfc822Name, dNSName, iPAddress and uniformResourceIdentifier (uri) is supported at the moment. Also the MS UPN and GUID are supported.
- deluser - removes a user from the database, any issued certificates remain active and present in the database.
- setpwd - set a new password for a user. The password is stored as a hash in the database.
- setclearpwd - set a clear text password for a user, needed to generate certificates batch-wise.
- setuserstatus - sets status of a user, users can only apply for certificates when their status is NEW. finduser - find a user in the database and lists details.
- listnewusers - lists all users with status NEW.
- listusers - lists users with specified status (give command to see list of status codes).
- revokeuser - revokes a user and all certificates issued to the user.
- keyrecover - recovers keys related to a specific certificate.
- keyrecovernewest - recovers the latest keys for a user.
Other Configuration
If you want to change the baseurl of the admin-web after installation use the command: bin/ejbca.sh setup setbaseurl computername applicationpath
Ex: bin/ejbca.sh setup setbaseurl localhost ejbca
To change ports (default public http=8080, public https=8442, private https=8443) you must edit ejbca.properties. Change the properties httpserver.pubhttp, httpserver.pubhttps and httpserver.privhttps. After changing, run 'ant deploy' and re-start the application server.
Configuring Publishers (LDAP)
LDAP setup is explained in HOWTO-LDAP.txt
Batch creation of certificates
Certificates can be created batch-wise with EJBCA. The class se.anatom.ejbca.batch.BatchMakeP12 creates keystore files for all users designated as NEW or FAILED in the local RA database. To be able to batch generate certificates, the users must be registered with clear text passwords. To set a clear text password for a user use bin/ejbca.sh.sh ra setclearpwd username password
To generate keystore files for all users with status NEW or FAILED, run bin/ejbca.sh batch
This will generate files for users if their clear text passwords are NOT null.
Without arguments 'batch' generates keystore files for all NEW or FAILED users. To generate a keystore file for a specific user, enter command bin/ejbca.sh batch username
Generated keystore files are stored in a subdirectory (to the current directory) called 'p12'. If the directory does not exist, it will be created. Make sure this directory is WELL protected, since the information contained in keystore files are secret (private keys). The format of keystores generated, PKCS12, JKS or PEM, is defined when adding the user in the database (using 'bin/ejbca.sh ra adduser' or the admin-GUI).
Fetching certificates and CRLs
Certificates and CRLs can be fetched through the web-interface as defined in 'webdist/index.html'. They can also be fetched directly from the 'CertificateStoreSession' session bean or using the command 'bin/ejbca.sh ca getcrl'
Other deployment scenarios
EJBCA can be run with servlets and EJBs or only with EJBs. The servlets are only a publicly available front-end to the beans. If the CA is deployed integrated in another J2EE application, this front-end may not be needed.
Certificate- and EndEntity Profiles
CertificateProfiles define different types of certificates, with regards to DN-contents, extensions etc. We also have EndEntityProfiles, where users are grouped, and you can determine which parts of their DN that is already pre-set, and which can be altered etc.
An EndEntityProfile can be connected to specific CertificateProfiles so users belonging to a specific EndEntityProfile can only get certificates from the specified CertificateProfile.
Adding your own public pages
Put your files (static html is easy) under publicweb/root, do a full build and re-deploy. The indexfile under publicweb/root is the one shown on http://ejbcahost:8080/ejbca, so you can add a subdir under there.
Using the demo servlet
There is a demo servlet that will accept any incoming post, create a user with a unique username, and instantly send back a certificate. The entity- and certificate profiles used are sent as parameters in the post. To set up the demo servlet:
- Find out the CA id of the CA you want to use for signing of the demo certificates. Use the admin-GUI or 'ejbca.sh ca listcas' to find the integer value that is the CA id.
- Configure the CA id in src/java/se/anatom/ejbca/apply/DemoCertReqServlet.java, it's the parameter DEFAULT_DEMOCAID.
- Edit src/publicweb/apply/WEB-INF/web.xml and uncomment the two sections for the demo servlet.
- If using UTF-8 to display the web-page containing the demo form to the users, change ISO-8859-1 to UTF-8 for the env-entry 'contentEncoding'. Otherwise national characters in names will be encoded/displayed incorrectly in the certificates.
- Deploy with 'ant deploy'.
- Create an end entity profile and a certificate profile that should be used for the demo certificates.
- Create a demo apply page containing something similar to the sample form below for Mozilla/Firefox. There sre some demo_xx scripts under src/publicweb/apply.
<form name="demoreq" action="http://127.0.0.1:8080/ejbca/publicweb/apply/democertreq" method="post">
Please fill out the form and click <b>Enroll</b> to receive your certificate.
Read our <a href="http://www.primekey.se/primekey/en/Demo.html">privacy policy</a>.<br>
<input name="certificateprofile" value="DemoCertProfile" type="hidden">
<input name="entityprofile" value="DemoEntityProfile" type="hidden"><br>
<br>
Full name:
<input name="user" value="C=SE,O=PrimeKey Solutions AB,OU=Demo,CN=" size="25" maxlength="60" class="input" type="text">
<p align="left"> E-mail:
<input name="email" size="25" maxlength="60" class="input" type="text">
<input name="includeemail" value="true" type="hidden">
</p>
<p align="left"> Choose key length from the list below. The default is recommended in most cases. <br>
<br>
<keygen type="hidden" name="keygen" value="challenge">
</p><p align="left">
<input value="Enroll" name="submit" type="submit">
</form>
You can use some hidden fields and some java script to for example only ask for a name, and concatenate it with a hidden partial DN to produce a full dn for the 'user' parameter. Use your imagination!
Samples
A collection of samples are in the directory src/java/se/anatom/ejbca/samples.
Troubleshooting
Add Debug output from the console administration commands by replacing: log4j.rootCategory=INFO, Console
in the file 'log4j.properties' with: log4j.rootCategory=DEBUG, Console
Extra info about the admin-GUI
If you had problems using the install script this small part describes brefly what the setup of the adminweb does. It's explained using out-of-the-head commands so don't expect it to work by copying and pasting these commands, it just something to look at.
0. Set the baseurl of the server with the command 'setup.sh/cmd setbaseurl computername applicationpath' Set the BASEURL to reflect your hostname, to be able to use the adminpages from external machines, this must be a real hostname or ip-address. Run 'ant deploy' to install the changes.
1. Tomcat: Copy src/appserver/jboss/tomcat55/server.xml (if using JBoss 4.0.2 or greater) to $JBOSS_HOME/server/default/deploy/jbossweb-tomcat41.sar/META-INF/jboss-service.xml.
Edit the file so 'keyStorePass' is the same as the password you specify below for 'tomcat'.
2. Edit parameters in ejbca.properties.
3. Create a tomcat server keystore with the 'ejbca.sh batch' tool (this can also be done with Suns 'keytool' by creating a keystore and then generating a certificate request that is processed by EJBCA, and last import the returned certificate and the CA-certificate into the keystore).
Create a user in EJBCA, DN="C=SE,O=PrimeKey,CN=your-host-name". bin/ejbca.sh ra adduser tomcat foo123 "C=SE,O=PrimeKey,CN=your-host-name" null caname null 1 3
Set a clear text password for the tomcat: bin/ejbca.sh ra setclearpwd tomcat foo123
Generate a JKS-keystore for tomcat: bin/ejbca.sh batch tomcat
4. Name the generated keystore 'tomcat.jks' and put in $JBOSS_HOME/server/default/conf/keystore.
5. Download the CA certificate in PEM-format from http://localhost:8080/ejbca/publicweb/webdist/cacert.jsp (call it ejbca-ca.pem).
6. Add the EJBCA CA certificate to the Java trust-keystore in $JAVA_HOME/jre/lib/security/cacerts keytool -import -trustcacerts -file ejbca-ca.pem -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
7. Create a user for EJBCA admin with CN=SuperAdmin and the RAADMIN bit (temporarily CN=SuperAdmin gives admin rights). bin/ejbca.sh ra adduser raadmin foo123 "C=SE,O=PrimeKey,CN=SuperAdmin" null caname null 65 1
Alternative: Create a PKCS12 file with EJBCA for a user with CN=SuperAdmin and the RAADMIN bit (temporarily CN=SuperAdmin gives adminrights). bin/ejbca.sh ra adduser raadmin foo123 "C=SE,O=PrimeKey,CN=SuperAdmin" null caname null65 2
bin/ejbca.sh ra setclearpwd raadmin foo123
bin/ejbca.sh batch
8. Fetch the certificate using your browser a http://localhost:8080/ejbca/publicweb/apply
Alternative: Install the generated PKCS12 (p12/superadmin.p12) file in the browser. In Mozilla this is done by Edit->Preferences->Privacy&Security-> Certificates->Manage Certificates->Import In IE it is done by double-clicking on the .p12 file.
9. Start JBoss.
10. Go to https://hostname:8443/ejbca
Reference: to generate a JKS with keytool 1keytool -genkey -alias tomcat -keystore tomcat.jks -keyalg RSA -dname "C=SE,O=AnaTom,CN=hostname" -storepass foo123 2keytool -certreq -alias tomcat -keystore tomcat.jks -sigalg SHA1WithRSA -storepass foo123 -file tomcat.req 3bin/ejbca.sh ra adduser tomcat foo123 "C=SE,O=AnaTom,CN=hostname" null caname null 1 JKS 4bin/ejbca.sh ca processreq tomcat foo123 tomcat.req tomcat.pem 5bin/ejbca.sh ca getrootcert ca.der -der 6keytool -import -trustcacerts -alias cacert -file ca.der -keystore tomcat.jks -storepass foo123 7keytool -import -alias tomcat -file tomcat.pem -keystore tomcat.jks -storepass foo123 8
run as root: keytool -import -trustcacerts -file ca.der -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
|
|
| 日 | 一 | 二 | 三 | 四 | 五 | 六 |
---|
24 | 25 | 26 | 27 | 28 | 29 | 30 | 1 | 2 | 3 | 4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 | 13 | 14 | 15 | 16 | 17 | 18 | 19 | 20 | 21 | 22 | 23 | 24 | 25 | 26 | 27 | 28 | 29 | 30 | 31 | 1 | 2 | 3 | 4 |
|
常用链接
留言簿(3)
随笔分类
随笔档案
文章分类
文章档案
朋友的BLOG
搜索
最新评论
阅读排行榜
评论排行榜
|
|