User Guide

Administrative tutorials

There are additional documentation and administrative tutorial movies at http://docs.primekey.se/.

Administrating EJBCA

You can administrate EJBCA using a web browser and the admin-GUI, this is the easiest way. The admin-GUI requires SSL with authentication using client certificate, i.e. strong authentication.

You can also use the command line interface (cli) which is called by 'bin/ejbca.sh'. If you call ejbca.sh you get a list of available commands, and you can get help for all commands by calling them without arguments, i.e:

bin/ejbca.sh ca
bin/ejbca.sh ra adduser
etc etc

Backup and restore of EJBCA

To backup an EJBCA installation you need to:

• Backup the database
• Backup all $EJBCA_HOME/conf/**
• Backup all $EJBCA_HOME/p12/**

• Restore database
• Unzip new EJBCA
• Restore conf and p12
• Run "ant deploy" to configure JBoss and deploy EJBCA. If you are using another application server, consult the Installation doc for deployment.

If you are using soft keystores for the CAs this is all that is needed. If you are using an HSM you need to backup your keys in the HSM as well. How this backup and restore is done depends on the HSM you are using. Consult the documentation for your HSM.

SSL certificate expire

The SSL certificate used for SSL in JBoss (SSL is used for the admin-GUI) is stored in APPSRV_HOME/server/default/conf/keystore.jks. The default validity time for the SSL certificate is two years. When this expire, you must generate a new one.

You can do this through the admin-GUI by:

1. Go to 'List/Edit End Entities' and search for user 'tomcat'.
2. 'Edit_End_Entity' and set the 'Password' to the same as httpsserver.password in your conf/ejbca.properties and 'Status' to 'New'.
3. Open up a command line in EJBCA_HOME and run 'bin/ejbca.sh batch'.
4. Copy EJBCA_HOME/p12/tomcat.jks to APPSRV_HOME/server/default/conf/keystore.jks, or run 'ant deploy'. Ant deploy will do some other things as well, so if you are not sure, just copy the file.
5. Restart JBoss.

You can also do everything using the CLI:

1. bin/ejbca.sh ra setuserstatus tomcat 10
2. bin/ejbca.sh ra setclearpwd tomcat <password from httpsserver.password>
3. bin/ejbca.sh batch
4. cp p12/tomcat.jks $APPSRV_HOME/server/default/conf/keystore.jks
5. Restart JBoss.

Creating more CAs

After installation, that creates a default admin CA you can create more CAs using the admin GUI.

Your CAs can be either root CAs, subordinate CAs to another CA in EJBCA or subordinate CAs to an external CA. The initial admin CA is a RootCA.

You can also use the command line interface (cli) 'bin/ejbca.sh ca init' to create new CAs, although a better idea is to do it from the Admin GUI. Ex: 'bin/ejbca.sh ca init TestRoot "C=SE,O=PrimeKey,CN=EJBCA" 2048 365 2.5.29.32.0' will create a root CA with the DN 'C=SE,O=PrimeKey,CN=EJBCA'. The keylength is 2048 bit (RSA) and the validity of the root certificate is 365 days. Quote the DN so it is treated as one argument.

PKIX requires that a CRL always is available even if it is empty. When creating a new CA the CA certificate is stored and published (if any Publishers are configured), and the initial CRL is created and stored/published.

Subordinate CAs are created using the admin GUI, you can not use the cli for that.

Creating a SubCA signed by an external CA

Some CA hierarchies have the requirement of being signed by an external Certificate Authorities and sometimes other external CA:s need to be signed by your CA.

When creating a CA that is signed by an external CA, you actually create a PKCS10 certificate request that is sent to the external CA. When the external CA returns your CAs certificate, this is processed and the CA becomes activated.

In order to have your CA signed by an external CA you have to go through the following steps.

1. Go the the 'Edit Certificate Authorities' page in the Administration GUI.
2. Create a new CA in the same way as internal CA:s. But when selecting signing CA, select 'External CA' instead. Now will the 'Certificate Profile', 'Validity', 'Subject Alternative Name' and 'Policy Id' fields become gray and not editable. Fill in the Description and CRL Specific data and click on the 'Make Certificate Request' button in the bottom of the page.
3. At the next page called 'Make Certificate Request' you have to upload the external CA certificate chain that you want to sign your CA certificate with. This file should be in PEM encoding. If there is more than one top CA certificate then should all their certificates be appended into one single file. It should be in plain PEM format without blank lines before or after. An example is below.
4. Next, after clicking 'Make Certificate Request' and if everything went successful, should the generated PKCS10 certificate request be displayed that you can copy and paste to the signing CA. There is also the option to download the PEM file if that approach is preferred.
5. Now should the signing external CA sign the certificate request and return a certificate. Meanwhile will the newly created CA have a status of 'Waiting for Certificate Response' and will not appear anywhere in the system except in the 'Edit CA' page until it's activated.
6. When the Certificate Response has arrived, it must be converted to PEM format if it isn't already so. This can be accomplished with OpenSSL among other tools with the following command if you have received a file in DER encoding (.cer ending):
   >openssl x509 -inform DER -in filename.cer -outform PEM -out filename.pem
7. To activate the new CA, you mark the waiting CA and click on 'Edit' button in the 'Edit CA' page. Go to the bottom of the page and click on 'Receive Certificate Response'. Then upload the received PEM certificate and click again on 'Receive Certificate Response'.
8. Now if the received certificate creates a valid certificate chain with the previously uploaded top CA certificates will the status of the CA be set to 'Active'. Observe if you want to activate OCSP functionality for this new CA you have to edit it once again and mark the OCSP functionality as active.
9. The new externally signed CA is ready to use.

Exmaple of a plain PEM file for uploading as a certificate chain when creating the request from a CA:

-----BEGIN CERTIFICATE-----
MIIDSjCCAjKgAwIBAgIIEvabM2CgLZcwDQYJKoZIhvcNAQEFBQAwMzETMBEGA1UE
AxMKV2FsdGVyIENBMTEPMA0GA1UEChMGV2FsdGVyMQswCQYDVQQGEwJTRTAeFw0w
MzA5MjkwOTI2MzRaFw0wNDA5MjgwOTM2MzRaMDMxEzARBgNVBAMTCldhbHRlciBD
QTExDzANBgNVBAoTBldhbHRlcjELMAkGA1UEBhMCU0UwggEgMA0GCSqGSIb3DQEB
AQUAA4IBDQAwggEIAoIBAQC3hXksEud68WwPWWHLJQQkTCuX/K32KHPPn/uPUzab
Cpc/FnaTmF9yEHmpFdAUr0v5ZPnxVQpcuwrDZc4YfaTLfyUHicQbkftsPAj/2hE4
UukS2j+nQQcJEnIY0vSZOAOLU3j4bf/RlS6Jl7TPFFfWTxuQF8AruQ+YhaE52JFi
SapGGXKQJxhsvKT91rLaWSFWNMTTLSDPaBXYEYFuFhLNclDJWf4whfxHSHHkARB/
3Z0XlT4sFj0fmqEQ6yQb6/WqMFK+1XAIBXZO2MXe26IigWkXw1GfkIx1+fbUPrzu
8EI2jb0TWl21j1+Mvh3APZtVj5FJNuZN9bgdbrq88hLXAgERo2QwYjAPBgNVHRMB
Af8EBTADAQH/MA8GA1UdDwEB/wQFAwMHBgAwHQYDVR0OBBYEFNhHOtAwo8MOE/nI
zzg9KFxCYs8YMB8GA1UdIwQYMBaAFNhHOtAwo8MOE/nIzzg9KFxCYs8YMA0GCSqG
Sib3DQEBBQUAA4IBAQBHpvicbuJTACtpdwe6cF1nQ57FHnnYr+aAe+ZpH43R6R9d
eMps02nFAMSs5o8sbPokrpwAtk2yYwCohEFDkZ5JPzIBkgNlNnVHNNRHQTRJ6v6Q
F2MWUEPc1u5kxSjXEVMmZerG9oknMwpYFmkOnKF46vP3Njt/ExOeRAvCEQq2b8pz
2QGg8/IK6Omfi7IwxtVYUpgvhdcWekbFIlxkXZiEdlHNBIV1GzzPK1VEzg5kugD/
h6jeykrsKASx+55AkkBPt2kI+ZikVtp3SVhfZQMGY86c5QMQGlPWYNsr4ociyhfX
I52Qby+/HNG1ijpx66Z30lUMmXTtWtL4Cu8s7UvC
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIICxzCCAa+gAwIBAgIIBfqGjbQu14swDQYJKoZIhvcNAQEFBQAwMzETMBEGA1UE
AxMKV2FsdGVyIENBMTEPMA0GA1UEChMGV2FsdGVyMQswCQYDVQQGEwJTRTAeFw0w
MzA5MjkwOTMzMDFaFw0wNDAxMDcwOTQzMDFaMDQxETAPBgNVBAMTCER1ZGUgQ0Ex
MRIwEAYDVQQKEwlEdWRlIEluYy4xCzAJBgNVBAYTAlNFMIGdMA0GCSqGSIb3DQEB
AQUAA4GLADCBhwKBgQCM1hR/DYPXfKDa3oVJbppV4OcYtn2XP9W5Kc1d0+U4qLOm
JsqIFHDWR07o1QFiPhc9z0UGtwYeE3CpQ8fG8zeur5e286PYptZIST77B9vOdQdl
PA+dFKFIaEwdzcS7H3Lf38WTE4D1OnyRX5jsiUe+YIQRtjv/Bmem+kSR84G9TwIB
EaNkMGIwDwYDVR0TAQH/BAUwAwEB/zAPBgNVHQ8BAf8EBQMDBwYAMB0GA1UdDgQW
BBTDrXZGYXS9GyIUBOZrglhwNjjcnTAfBgNVHSMEGDAWgBTYRzrQMKPDDhP5yM84
PshcQmLPGDANBgkqhkiG9w0BAQUFAAOCAQEAdmTP1qVUcAKOf+/zvb2lcLKvFwKT
6KqDlO5NofjqCIfNgCjO2mO176cslnFIbEZQqgGIUnJ3AwfHKHj+U3kM3n5T29kF
xiLKxIDfjsY6qC03KHeGAgxI92XZyPsO1is6Y6qUnAmiwhIp5HS6E0+xIP1shmtJ
ZvqU8bueKUWSjx3JDzq+UNLX5pFkK0P0R90TCUEkBx1FNWqoWwb8zfAuO5zcNTEj
5E9esLjwxJQnIVPiA2l3FfZN9yomK+q7kTZJkX2kMx7G850lPR8CneXZT6bIOfck
Dw3PqQiroMNx2+gzC/f/wTXsF92aujyG+IZx1FIcNg/MoHXBWG7T8YrjnQ==
-----END CERTIFICATE-----

You can treat an internal CA, i.e. a CA risiding on the same EJBCA instance as another CA, as an external CA. From the SubCA this works just like the normal case, but on the RootCA you must choose the exact same CA Name as the already existing internal CA when you choose to "Process Certificate Request".
This can be useful if you have an HSM setup where only one set of keys can be active at one time, for example using nCipher with two different, non-persistens, operator cards sets for the RootCA and the SubCA. Using the SubCA as an external CA you can still create the PKI but with only one CA activa at a time.

Signing an External CA

In some cases you might want to have one of your CA:s signing another external CA. This is done in the following way:

1. In the 'Edit CA' page, choose a CA name of the external CA you are about to sign and click on 'Process Certificate Request'.
2. Then you are requested to upload the certificate request sent from the external CA. This should be a file in PEM-encoding.
3. The next step is to fill in the data about the CA certificate you are about to create. This is very similar to when you are creating an internal CA but with a fewer fields. The Subject DN is taken from the request. But the signing CA, certificate profile, validity, subject alt name and policy id have to filled in manually.
4. After clicking 'Process Certificate Request' the certificate is created and displayed in PEM format. You can also download it as a regular PEM file or as a PKCS7 PEM file.
5. Send the processed certificate back to the external CA for activation.
6. In the 'Edit CA' page will the newly processed CA be displayed with the status 'External'. This processed CA will only be shown in the 'Edit CA' pages and nowhere else since the system cannot use it. If you want to view the processed certificate, go to the edit page and click on the 'View CA Certificate' link in the bottom of the page.

Converting an OpenSSL CA

You can convert a PEM-style Root CA key to a PKCS12 file that can be imported in EJBCA.

openssl pkcs12 -export -out server1.p12 -inkey cakey.pem -in ca.pem -name privateKey

You can import the CA with the Admin GUI or the cli. See the section 'Export and import CAs'.
After importing CAs you can also import users and certificates. See the section 'Import users'.

Creating Users

Users are added in the admin-GUI, 'Add End Entity' or with the cli 'bin/ejbca.sh ra adduser'. The users DN is normally entered in the cli as "C=SE,O=MyOrg,OU=MyOrgUnit,CN=MyName". If a ',' is needed in the DN the comma must be escaped using '\,'.

Create User certificates

To enroll for a certificate using a browser, go to http://your_server_name:servlet_container_port/ejbca/ (e.g. http://127.0.0.1:8080/ejbca/) and select "Create Browser Certificate". Enter username and password, click the "OK"-button and follow the instructions.

To enroll for certificates manually (e.g. for server certificates), go to http://your_server_name:servlet_container_port/ejbca/, select "Create Server Certificate" and fill out the form.

Note that application for certificates only work when the status of a user is NEW, FAILED or INPROCESS (one time password thing). The status is set to GENERATED after a certificate has been issued. To issue a new certificate, the status must be reset to NEW, which can be done through the admin-GUI or the cli.

During batch generation of certificates, users with status NEW or FAILED are generated. This is due to the possibility that a batch generation for some reason failed. If it fails status is set to FAILED and you can try again after fixing the error.

Create server certificates

The best way to create server certificates is to generate a PKCS12, JKS or PEM file for the server, depending on what server it is. To do this:

1. Create desired profiles (the default entity and certificate profiles work fine, but are perhaps too generic). You certificate profile should have:
   - KeyUsage: Digital signature, Key encipherment
   - Extended key usage: Server Authentication
   
2. Create a user with the admin-GUI or 'bin/ejbca.sh ra'.
   The Distinguished name (DN) of the server should have the the servers full hostname (host.domain.com) in the CommonName (CN) field.
   Example DN for webserver: "C=SE,O=AnaTom,CN= www.anatom.se", or for mailserver "C=SE,O=AnaTom,OU=Engineering,CN=mail.anatom.se".
   You can also put the same name (or several names) as a DNSName in SubjectAlternativeNames.
   For so-called wildcard certificates, use *.anatom.se.
   Set the token type to match the kind of token that should be generated for your server.
3. To be able to batch-generate certificates, the batch generation program must have access to the users (servers) password in order to request a certificate on behalf of the user. Normally the password is stored in hashed form, so the password must be stored in clear text form by running 'bin/ejbca.sh ra setclearpwd username password'
4. Generate private keys and certificates by running 'bin/ejbca.sh batch'

Many servers (ex Apache, Tomcat) wants keys and certificates in PEM-format (Apache) or SUN JKS (Tomcat). To generate PEM-files use token type PEM. The PEM-files will be stored in a separate subdirectory, 'pem'. The generated PEM-files can be used with Apache etc, and are NOT protected by any password. To generate JKS-files use token type JKS. The JKS-files will be stored in the subdirectory, 'p12' instead of PKCS12-files. The generated JKS- files can be used with Tomcat etc, and are protected (both private key password and keystore password) by the users password.

If the server generates the keys and a certificate request (CSR) for you, select token type "User generated". You can use the public enrollment web pages (http://127.0.0.1:8080/ejbca/) to paste the request and receive the certificate. This function is under "Certificate Enrollment->manually for a server".

It is also possible to use openssl to transform a PKCS12 file to PEM- format.

openssl pkcs12 -in pkcs12-file -nodes

copy and paste the private key to key file, the first certificate to server cert file and last certificate to CA cert file (If your CA is a subordinate CA to another Root CA, the CA cert file may need to contain the whole cert chain). Exactly how your server wants the files is server dependent.

For your convenience, here is the standard text (RFC2818) how browsers validate the name(s) in the certificate.

If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead.

Matching is performed using the matching rules specified by
[RFC2459].  If more than one identity of a given type is present in
the certificate (e.g., more than one dNSName name, a match in any one
of the set is considered acceptable.) Names may contain the wildcard
character * which is considered to match any single domain name
component or component fragment. E.g., *.a.com matches foo.a.com but
not bar.foo.a.com. f*.com matches foo.com but not bar.com.

In some cases, the URI is specified as an IP address rather than a
hostname. In this case, the iPAddress subjectAltName must be present
in the certificate and must exactly match the IP in the URI.

CRL Distribution Points

The CRL Distribution Point (CDP) extension is provided as info for clients verifying a certificate. The value is a URI that points to a CRL that can be used to check if the certificate is revoked. The CRL is issued by the CA. There are different kinds of CRL Distribution Points and currently EJBCA supports a URI.

Note that you are responsible for the order and encoding of your CRLIssuer, if this is important check it!

A CRLDistributionPoint for a CA in EJBCA could look like:

http://host:port/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=url-encoded-issuerDN

(such as the link from the web distribution pages)

• host is the DNS name by which the CA is accessible. Port 8080 is the default port that JBoss listens to, but if you changed the JBoss port, this value should also change.
• url-encoded-issuerDN is the CAs common name as configured when the CA was created. This is the same DN as occurs as Issuer in certificates issued by this CA.

When configuring this extension you should take the URI entered and test it in a normal browser, from another machine than the CA, to see that it works before issuing any certificates.

It should also be possible to use an LDAP distribution point, if you have configued a publisher to publish CRLs to LDAP.

ldap://yourLdapServer:port_number/cn=CA-test,ou=CRLPUB,dc=mycompany,dc=com?certificateRevocationList

When defining CRL distribution point and CRL issuer in a certificate profile, you can choose to set the values in either the certificate profile, or in the CA configuration (edit CAs). By having the setting in the CA configuration it is possible to use the same certificate profile for several CAs, otherwise you would have to create a new certificate profile for all CRL distribution points.
By checking 'Use CA defined CRL Distribution Point' you can configure the CRL distribution point in the edit CA page instead, and use this value in every certificate profile that uses that CA. It is a convenience function, so you don't have to enter the same CDP in all certificate profiles.

It is possible to configure multiple URLs for CDPs if they are separated by ';'. For example:
http://cdpurl-1/mycrl.der;http://cdpurl-2/crl.crl

The same applies to CRLIssuer, for example:
CN=Foo,C=SE;CN=Bar,C=US

CRL Issuer

According to RFC3280 a CRL issuer is:

An optional system to which a CA delegates the publication of certificate revocation lists;

The contents of the field in the profile is a DN, like "CN=CRLIssuerForAdminCA1,O=foo,C=SE". You have to build the actual CRL Issuer software yourself.

CRL Update service worker

From EJBCA 3.4 there is a timed service framework in EJBCA. In the Admin-GUI you can go to 'Edit Services' and add a new service. Edit the service and select the 'CRL Updater' worker and the interval you want to use. Don't forget to set the service to 'Active'.
Now this service will run with the interval you have configured and generate CRLs according to the settings for each CA.

JBoss service

DEPRECATED! The JBoss Mbean CRL Service generator has been deprecated.

This service has been removed as of EJBCA 3.6. If you are still using this service, you must create a CRL Update service as described above. It is very simple.

Cron job

Yet another way to generate CRLs way is to have a cron job or equivalent call 'bin/ejbca.sh ca createcrl'. The 'createcrl' command will then check all active CAs if it is a need to update their CRLs, otherwise nothing is done.

If you want to force CRL generation for a CA, use 'bin/ejbca.sh ca createcrl caname'

Example crontab entry:

PATH=$PATH:/usr/java/jdk1.6.0_01/bin
@daily cd /home/ejbca;/home/ejbca/bin/ejbca.sh ca createcrl;

where '/usr/java/jdk1.4.2_01/bin' is the path to where 'java' can be found. '/home/ejbca' is where ejbca is installed and 'ca.sh' located.

Sample crontab to be installed with 'crontab -e':

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
CLASSPATH=$CLASSPATH:/root/ejbca
APPSRV_HOME=/usr/local/jboss
# m h dom mon dow command
00 0    * * *   cd /root/ejbca;./bin/ejbca.sh ca createcrl

Delta CRLs

a.k.a. Freshest CRL Extension

EJBCA can issue deltaCRLs as well. In the CA configuration, set 'Delta CRL Period' to the number of hours your delta CRLs should be valid if delta CRLs should be issued. Command line interface and CRL Update service will generate delta CRLs if 'Delta CRL Period' is larger than 0.

Level of SCEP support

EJBCA implements features from (at least) draft 11 of the SCEP spec. This means that we implement the following SCEP messages:

• PKCSReq
• GetCRL
• GetCACert
• GetCACertChain
• GetCACaps

• GetCertInitial

• POSTPKIOperation
• SHA-1

EJBCA will not send back proper SCEP error messages in all cases of failure. The error messages are not completely implemented, although most of them are implemented.

Tested devices

./scep -k test.key -r test.pemreq -c ejbca-ca.pem -q foo123 -u http://localhost:8080/ejbca/publicweb/apply/scep

openssl genrsa -out test.key

openssl req -key test.key -new -days 30 -out test.req -outform DER -config ../openssl/openscep.cnf

openssl req -key test.key -new -days 30 -out test.pemreq -outform PEM -config ../openssl/openscep.cnf

Verbose = "yes"
Debug = "no"

CADir="/home/autosscep/"
CertDir="/home/autosscep/"
KeyDir="/home/autosscep/"

[CA]
DN="C=SE, O=EJBCA Sample, CN=AdminCA1"
URL="http://localhost:8080/ejbca/publicweb/apply/scep/pkiclient.exe"
CertFile="AdminCA1.cacert.pem"
EncCertFile="AdminCA1.cacert.pem"
[/CA]

[Certificate]
CertFile="mycert"
KeyFile="mykey"
CADN="C=SE, O=EJBCA Sample, CN=AdminCA1"

# Create a user with username "router4711" and password "foo123" in EJBCA
# to automatically enroll
# Note you need to add a user with exactly these fields in the DN in EJBCA
Email = "mymail@mydomain"
Country="SE"
State="BS"
Location="Stockholm"
Organization="PrimeKey"
CommonName="router4711"

ChallengePassword="foo123"
[/Certificate]

[CA]
DN="C=SE, O=EJBCA Sample, CN=AdminCA1"
URL="http://localhost:8080/scepraserver/scep/pkiclient.exe"
CertFile="scepra.pem"
EncCertFile="scepra.pem"
[/CA]

-- Connect with pix and enter admin mode
telnet 10.1.1.1 (default pwd cisco)
enable (default blank pwd)
configure terminal
-- Enable CA logging
debug crypto ca
-- Clear current PKI config
clear ca identity
-- Enter PKI config, i.e location of CA etc. Don't require CRLs, it's easier
ca identity pixca ca-ip:/ejbca/publicweb/apply/scep/pkiclient.exe
ca configure pixca ca 1 0 crloptional
ca authenticate pixca
-- wait --
-- Look at the fetched certificate
show ca certificate
ca save all
wr mem
-- Get a CRL if you really want to (if you did not configure CRL as optional you must)
ca crl request pixca
-- wait --
show ca crl
-- Generate keys and enroll for the certificate (user in ejbca has password foo123)
ca generate rsa key 1024
ca enroll pixca foo123
-- wait, wait, this will take a long time --
-- Look at the fetched certificate, this should now show both the pix cert and the ca cert
show ca certificate

pix(config)# show ca cert
Certificate
  Status: Available
  Certificate Serial Number: 594f643a6916d78d
  Key Usage: General Purpose
  Subject Name:
    C = SE
    O = PrimeKey
    CN = pix.primekey.se
    UNSTRUCTURED NAME = pix.primekey.se
    UNSTRUCTURED IP = 10.1.1.1
  Validity Date:
    start date: 14:42:29 GMT Sep 17 2005
    end   date: 14:52:29 GMT Sep 17 2007

CA Certificate
  Status: Available
  Certificate Serial Number: 7c7cf75236955a51
  Key Usage: General Purpose
    C = SE
    O = PrimeKey
    CN = pixca
  Validity Date:
    start date: 15:59:20 GMT Sep 16 2005
    end   date: 16:09:20 GMT Sep 14 2015

Configuration

Copy conf/cmp.properties.sample to conf/cmp.properties and configure. The options in the configuration file should be documented there.

CMP over http

By default EJBCA support CMP over the http transport protocol. The URL for the CMP servlet is:
http://127.0.0.1:8080/ejbca/publicweb/cmp

CMP over TCP

You can enable a CMP TCP service by changing the option 'cmp.tcp.enabled' in conf/cmp.properties. The service MBean is so far JBoss specific (at least the deployment of it).
When re-deploying EJBCA this will start a TCP listener on the default port for CMP over TCP. You must run JBoss as root to use the default port, since it is a low port (<1024). See the documentation in conf/cmp.properties for information about configuration options for TCP. We recommend using a non standard port > 1024.

User authentication

Initialization and certification requests uses the CRMF request message (RFC4211). There messages are interesting as there are a zillion options how to authenticate them. EJBCA currently does authentication through the means of a regToken control (id-regCtrl-regToken) in the CRMF message. The regToken is a UTF8String which is the users password as registered in EJBCA.

Users can be looked up from the request in different ways, as configured in conf/cmp.properties. By default the subject DN from the certTemplate in the request is used to look up the used in EJBCA. You can also configure EJBCA to use the CN or the UID from the subject DN as the username in EJBCA.

Proof of possession

Proof of Possession (POP) is another part where CMP has gazillions of different options.
The following POPs in the CRMF are supported by EJBCA:

• raVerify - if configured so in conf/ejbca.properties EJBCA will support the raVerify POP and in that case not do any verification of POP. By default this is false, because the standard does not recommend this option.
• signature - where the PublicKey is in the CertTemplate and the signature is calculated over the CertReqMsg.certReq (the standard procedure when the CertTemplate contains the subject and publicKey values).

Normal or RA mode for CMP

CMP in EJBCA can work in two modes:

cmp.operationmode=ra
cmp.allowraverifypopo=true
cmp.responseprotection=pbe
cmp.ra.authenticationsecret=password
cmp.ra.namegenerationscheme=DN
cmp.ra.namegenerationparameters=UID
cmp.ra.namegenerationprefix=cmp
#cmp.ra.namegenerationpostfix=
cmp.ra.endentityprofile=CMP_ENTITY
cmp.ra.certificateprofile=CMP_CERT
cmp.ra.caname=AdminCA1

Certificate validity

Normally the validity period of issued certificates are controlled by the certificate profile. If you enable 'Allow validity override' in the certificate profile, and the CMP initialization- or certification request contains a validity time in the CRMF request template, this validity period will be used.

Certificate Key Usage

Normally the key usage extension of issued certificates are controlled by the certificate profile. If you enable 'Allow Key Usage Override' in the certificate profile, and the CMP initialization- or certification request contains a key usage in the CRMF request template, this key usage will be used.

Interoperability

CMP has been tested using RSA jCert toolkit for initialization requests. To run this as an RA you should configure CMP with:

• cmp.operationmode=ra
• cmp.allowraverifypopo=true
• cmp.responseprotection=pbe
• cmp.ra.authenticationsecret=your shared password
• and other configurations you want for your RA.

CMP has been tested with BlueX from AET Europe (http://www.aeteurope.nl/). From EJBCA's point of view BlueX functions as an RA with the same configuration options as for jCert.

Stand-alone OCSP responder

You can set up separated OCSP responders in EJBCA. Using this you can isolate the CA from the Internet and still be able to answer OCSP request. You can set up firewalls so that only outgoing traffic is allowed from the CA, and nothing to the CA.

Separated OCSP responders is also good when you don't require high-performance clustering for the CA, but you do need high-performance for the OCSP responders. This should be a usual setup, if the CA only issues certificates once every year for one million users, this does not put much pressure on the CA, but the OCSP responders can be put under high load continuously.

See the document doc/howto/HOWTO-OCSP-RESPONDER.txt for information how to set up stand-alone, separated OCSP responders.
See the image HOWTO-OCSP-RESPONDER.jpg for an overview of a sample setup.

Simple OCSP client

You can build a simple OCSP client with 'ant ocspclient.jar'. This will place ocspclient.zip in the directory EJBCA_HOME/ocsp-dist. You can unzip this file and use the 'ocsp.sh' shell script on Linux/Unix. You can also use the API directly from your java program.

See the document doc/howto/HOWTO-OCSP-Unid-client.txt for information how to use the simple OCSP client.

Adobe Acrobat Reader

A good example of using OCSP is to check digitally signed PDF documents using Adobe Reader.

To be able to verify certificates in Adobe Reader, you must first add the CA-certificate as trusted in Adobe Reader. You can do that in the menu Document->Trusted Identities. Choose Certificates in the drop-down list and click 'Add contacts', now you can browse to the CA-certificate that you have downloaded in DER format (for example by choosing download to IE on the public EJBCA pages). The CA-certificate must have been saved with a name ending with '.cer'. After adding the new contact, you have to click 'Edit trust' and check at least 'Signatures and as trusted root' and 'Certified documents'. This works the same using both internal and external OCSP responders.

Certificates that have an 'OCSP service locator' will be verified against the OCSP responder. You can configure this in the certificate profile used to issue certificates.

Configuring Web Services CLI

There exists one propertyfile in conf/jaxws.properties.sample that is used to configure the behaviour of the WS service. To configure it copy it and name it jaxws.properties.

See the sample file for details of how to configure the Web Service interface.

Using the Web Services CLI

When building EJBCA, a Web Service CLI tool is also generated. The tool is placed in the directory dist/ejbcacli and consists of the all the necessary files needed to run the cli.

To use the client do the following, copy the directory with all included files to the computer you want to remote administrate from. Then create a JKS file with the appropriate access rights (See the Using API section for details) and finally configure the file ejbcawsracli.properties. In this file you should specify the hostname of the CA server, the name of the JKS keystore and the password to unlock it.

Use 'ejbcaraws.sh/cmd' for a list of each subcommand and 'ejbcaraws.sh/cmd "subcommand"' for detailed help how to use the cli.

Example usage: ejbcawsracli.cmd pkcs12req testuser2 foo123 2048 NONE tmp

ejbcawsracli.cmd revokeuser testuser2 false

Using the Web Service API for Integration

You can use the Web Service interface to integrate EJBCA from other applications.

If you are using another language than Java you should start by downloading the WSDL file at http://hostname:8080/ejbca/ejbcaws/ejbcaws?wsdl

When using java you can find the required libs in 'dist/ejbcawscli' and it's 'lib' subdirectory.

Some programming examples:

To initialize the web service:

  CertTools.installBCProvider();	
  String urlstr = "https://localhost:8443/ejbca/ejbcaws/ejbcaws?wsdl";
	
  System.setProperty("javax.net.ssl.trustStore","p12/wstest.jks");
  System.setProperty("javax.net.ssl.trustStorePassword","foo123");  
	
  System.setProperty("javax.net.ssl.keyStore","p12/wstest.jks");
  System.setProperty("javax.net.ssl.keyStorePassword","foo123");      
                             
  QName qname = new QName("http://ws.protocol.core.ejbca.org/", "EjbcaWSService");
  EjbcaWSService service = new EjbcaWSService(new URL(urlstr),qname);
  ejbcaraws = service.getEjbcaWSPort();  

Example call to find all users having 'Vendil' in their subject dn:

  UserMatch usermatch = new UserMatch();
  usermatch.setMatchwith(org.ejbca.util.query.UserMatch.MATCH_WITH_DN);
  usermatch.setMatchtype(org.ejbca.util.query.UserMatch.MATCH_TYPE_CONTAINS);
  usermatch.setMatchvalue("Vendil");
  List(UserDataVOWS) result= ejbcaraws.findUser(usermatch);

Example to generate a certificate form a PKCS10 request:

  UserDataVOWS user1 = new UserDataVOWS();
  user1.setUsername("WSTESTUSER1");
  user1.setPassword("foo123");
  user1.setClearPwd(true);
  user1.setSubjectDN("CN=WSTESTUSER1");
  user1.setCaName("AdminCA1");
  user1.setEmail(null);
  user1.setSubjectAltName(null);
  user1.setStatus(10);
  user1.setTokenType("USERGENERATED");
  user1.setEndEntityProfileName("EMPTY");
  user1.setCertificateProfileName("ENDUSER");
			
  ejbcaraws.editUser(user1);	
  KeyPair keys = KeyTools.genKeys("1024", CATokenConstants.KEYALGORITHM_RSA);
  PKCS10CertificationRequest  pkcs10 = new PKCS10CertificationRequest("SHA1WithRSA",
  CertTools.stringToBcX509Name("CN=NOUSED"), keys.getPublic(), null, keys.getPrivate());
  CertificateResponse certenv =  ejbcaraws.pkcs10Request("WSTESTUSER1","foo123",new String(Base64.encode(pkcs10.getEncoded())),null,CertificateHelper.RESPONSETYPE_CERTIFICATE);
		
  X509Certificate cert = (X509Certificate) CertificateHelper.getCertificate(certenv.getData()); 		

Example checking the revocation status of a certificate:

  RevokeStatus revokestatus = ejbcaraws.checkRevokationStatus(cert.getIssuerDN.toString,cert.getSerialNumber().toString(16));
  if(revokestatus != null){
    if(revokestatus.getReason() != RevokeCertInfo.NOT_REVOKED)){
      // Certificate is revoked
    }else{
	  // Certificate isn't revoked
    }
  }else{
	// Certificate doesn't exist
  }	  

Sample code

See the file src/java/org/ejbca/core/protocol/ws/common/IEjbcaWS for more detailed instructions of the API. Sample code can be taken from:

• The JUnit tests for the WS-API: src/test/java/org/ejbca/core/protocol/ws/TestEjbcaWS
• The WS-API CLI: src/java/org/ejbca/core/protocol/ws/client/*.java

Accessrules required when using the Web Service API

All the calls requires HTTPS client authentication. The keystore used must be set up as a regular administrator with the administrator flag set and access rules according to the following:

Common for all calls (except isAuthorized, existsHardToken, isApproved that only needs a valid trusted certificate):

• Administrator flag set
• /administrator
• /ca/'related CA'

editUser:

• /ra_functionality/create_end_entity and/or edit_end_entity
• /ra_functionality/'end entity profile of user'/create_end_entity and/or edit_end_entity

findUser, findCert:

• /ra_functionality/view_end_entity
• /ra_functionality/'end entity profile of the user'/view_end_entity

pkcs10req, pkcs10Request, pkcs12req:

• /ra_functionality/view_end_entity
• /ra_functionality/'end entity profile of the user'/view_end_entity
• /ca_functionality/create_certificate

revokeCert, revokeToken: These calls support approvals.

• /ra_functionality/revoke_end_entity
• /ra_functionality/'end entity profile of the user owning the cert'/revoke_end_entity

revokeUser: This call support approvals.

• /ra_functionality/revoke_end_entity
• /ra_functionality/'end entity profile of the user'/revoke_end_entity
• /ra_functionality/delete_end_entity (only if users should be deleted)
• /ra_functionality/'end entity profile of the user'/delete_end_entity (only if users should be deleted)

fetchUserData: It is possible to turn of authorization of this call in the jaxws.properties

• /userdatasourcesrules/'user data source'/fetch_userdata

genTokenCertificate: Important this call also supports approvals, and the default behaviour is when someone without the '/administrator' access is creating a call then will a GenerateTokenApprovalRequest be created. This behaviour can be turned off in the jaxws.properties file.

• /ra_functionality/create_end_entity and/or edit_end_entity
• /endentityprofilesrules/'end entity profile of user'/create_end_entity and/or edit_end_entity
• /ra_functionality/revoke_end_entity (if overwrite flag is set)
• /endentityprofilesrules/'end entity profile of user'/revoke_end_entity (if overwrite flag is set)
• /ca_functionality/create_certificate
• /ca/'ca of all requested certificates'
• hardtoken_functionality/issue_hardtokens

getHardTokenData: Important this call also supports approvals, and the default behaviour is when someone without the '/administrator' access is creating a call then will a ViewHardTokenApprovalRequest be created. This behaviour can be turned off in the jaxws.properties file.

• /ra_functionality/view_hardtoken
• /endentityprofilesrules/'end entity profile of user'/view_hardtoken
• /endentityprofilesrules/'end entity profile of user'/view_hardtoken/puk_data (if viewPUKData = true)

getHardTokenDatas:

• /ra_functionality/view_hardtoken
• /endentityprofilesrules/'end entity profile of user'/view_hardtoken
• /endentityprofilesrules/'end entity profile of user'/view_hardtoken/puk_data (if viewPUKData = true)

republishCertificate:

• /ra_functionality/view_end_entity
• /endentityprofilesrules/'end entity profile of the user'/view_end_entity
• /endentityprofilesrules/'end entity profile of user'/view_hardtoken/puk_data (if viewPUKData = true)

customLog: No CA access rule is required.

• /log_functionality/log_custom_events

deleteUserDataFromSource:

• /userdatasourcesrules/'user data source'/remove_userdata (for all the given user data sources)

getCertificate: no requirement of the '/administrator' flag

• /ca_functionality/view_certificate

Error codes on web services

Business error code have been added in order to discriminate exception of type EjbcaException.

The following code sample shows how to use error codes :

try {
    ejbcaraws.editUser(user1);
} catch(EjbcaException_Exception e) {
    if(org.ejbca.core.ErrorCode.CERT_PROFILE_NOT_EXISTS.getInternalErrorCode().equals(e.getFaultInfo().getErrorCode().getInternalErrorCode())) {
        log.error("No such certifcate profile.");
    }
}
    

All error codes are described in org.ejbca.core.ErrorCode.

You can also take a look at src/test/org/ejbca/core/protocol/ws/CommonEjbcaWSTest.java to see how the error code can be used.

Introduction

From EJBCA 3.4 the XKMS protocol is supported as a service as a complement to the EJBCA Web Service interface.

It's included (but can be disabled) in the standard installation. And have the Web Service URL http://"hostname":8080/ejbca/xkms/xkms

How to configure the XKMS Service

The XKMS service is configured in the file conf/xkms.properties, just edit the file before building the application.

The following settings exists:

• xkms.enabled: Enables the XKMS Service (default: true)
• xkms.request.requiresignature: id signed XKMS request should be required (default: false)
• xkms.request.acceptedcas: List of CA names that are accepted for XKMS signed requests. Use ';' as a separate for multiple. (default 'AdminCA1')
• xkms.response.acceptsignrequest: Accept signed responses on request (default: true)
• xkms.response.alwayssign: Always sign responses (default: false)
• xkms.response.causedforsigning: Specify which CA that should be used with the signed responses. Only one can be specified. (default 'AdminCA1')
• xkms.keyusage.signatureisnonrep: Setting specifying the keyusage in a X509 certificate that is mapped to XKMS KeyUsage Signature, Default is non-repudiation but if set to false will XKMS KeyUsage Signature be mapped against digital signature X509 key usage.
• xkms.serviceport=This is a development setting that is set in the WSDL to instruct the client use a non default port. This is only needed if a WS tap listener is used to review the messages. (default: 8080)
• xkms.krss.poprequired=Defines if proof of possession of the private key is required (default: true)
• xkms.krss.servergenkeylength=Defines the key length of server generated keys (default: 1024)
• xkms.krss.allowrevokation=Defines it should be possible for users to revoke their certificate with a revocation code (default: true)
• xkms.krss.allowautomaticreissue=Setting to allow the user to renew automatically as long as the current key isn't revoked (default: false)

Important, if signing of responses is needed, must the XKMS CA service for the configured CA be activated in the 'Edit CA' page. The XKMS Signer have it's own certificate for each CA just as the OCSP service and is created during the installation or upgrade of a CA.

Implementation Specific Notes

Using the XKMS client

When building EJBCA, a XKMS CLI tool is also generated. The tool is placed in the directory dist/xkmscli and consists of the all the necessary files needed to run the cli.

To use the client do the following, copy the directory with all included files to the computer you want to remote administrate from. (Optionally create a JKS keystore from one XKMS Service trusted CAs) and configure the file xkmscli.properties. In this file you should specify the hostname of the CA server, the name of the JKS keystore, the alias and the password to unlock it.

Use 'xkmscli.sh/cmd' for a list of each subcommand and 'xkms.sh/cmd "subcommand"' for detailed help how to use the cli.

Running the XKMS test script

To automatic test the XKMS Service do the following:

1. Start with a fresh installation with all the default values. Then activate the XKMS CA service in the Edit CA page for AdminCA1.

2. Run 'ant test:xkms' and a report will be generated in tmp/bin/junit/xkms/reports/html/index.html

End entity email notifications

Email notification can be sent when status changes for an end entity, for example when a new user is added (status changes to new).

To configure email notifications in EJBCA:

1. You must create a new end-entity profile to be able to issue certificates to end users using email notifications. Under the RA functions, choose "Edit End Entity Profiles" and add a new profile. Select the profile and go into 'Edit End Entity profile'. In this page you can Enable Send Notifications and create the notification message. Make sure the checkbox 'Use Send Notification' is checked.
2. Add a new end entity. You must select the new end entity profile you created above. Make sure the checkbox 'Send Notification' is checked. Enter the from-address and subject. Enter a message using the variables defined for dynamic substitution in the next section. Use ${NL} for newline in the mail message.

The Notification Recipient can have a few different values:

• USER: send notification to the email registered for the end entity.
• foo@bar.com: send notification to the specified email address. Multiple email addresses can be entered comma separated.
• CUSTOM: plug-in mechanism to retrieve addresses your own way. See interface org.ejbca.core.model.ra.raadmin.ICustomNotificationRecipient for implementation details. Enter a string like "CUSTOM:org.ejbca.MyCustomPluginClass" to use.

The Notification Events specify which status changes for a user that will trigger a notification. The default values are suitable to send an email to a user when he/she should go and pick up a certificate. You can also select for example STATUSGENERATED to send email notifications to an administrator when the user picks up the certificate.

Tip: If you configure autogenerated password in end entity profile you don't need to enter one in the adduser page. A generated one will automatically be sent with the email.

If you want to re-send a notification for a user, reset the status to NEW.

Dynamic Substitution Variables

Parameters that can be used with different usages of email notification. All parameters isn't always set, it depends on the input data.

The following parameters can be set:

• ${NL} = New Line in message
• ${DATE} or ${current.DATE} = The current date

Variables used with userdata:

• ${USERNAME} or ${user.USERNAME} = The users username
• ${PASSWORD} or ${user.PASSWORD} = The users password
• ${CN} or ${user.CN} = The common name of the user.
• ${SN} or ${user.SN} = The serial number (in DN) of the user.
• ${O} or ${user.O} = The user's organization
• ${OU} or ${user.OU} = The user's organization unit
• ${C} or ${user.C} = The user's country
• ${user.E} = The user's email address from Subject DN
• ${user.TIMECREATED} = The time the user was created
• ${user.TIMEMODIFIED} = The time the user was modified
• ${approvalAdmin.XX} variables from below can be used to get the administrator who adds an end entity.

Variables used with approvals:

• ${approvalRequest.DATE} = The time the approval request was created
• ${approvalRequest.ID} = The id of the approval request
• ${approvalRequest.ABS.ID} = The id of the approval request with out any '-' sign, used for presentation purposes.
• ${approvalRequest.TYPE} = The type of approval request
• ${approvalRequest.APROVEURL} = A URL to the review approval page with the current request.
• ${approvalRequest.APPROVALSLEFT} = The number of approvals remaining.
• ${approvalRequest.APPROVALCOMMENT} = The comment made by the approving/rejecting administrator
• ${requestAdmin.USERNAME} = The requesting administrator's username
• ${requestAdmin.CN} = The common name of the requesting administrator.
• ${requestAdmin.SN} = The common name of the requesting administrator.
• ${requestAdmin.O} = The requesting administrator's organization
• ${requestAdmin.OU} = The requesting administrator's organization unit
• ${requestAdmin.C} = The requesting administrator's country
• ${requestAdmin.E} = The requesting administrator's email address from Subject DN
• ${approvalAdmin.USERNAME} = The approving administrator's username
• ${approvalAdmin.CN} = The common name of the approving administrator.
• ${approvalAdmin.SN} = The common name of the approving administrator.
• ${approvalAdmin.O} = The approving administrator's organization
• ${approvalAdmin.OU} = The approving administrator's organization unit
• ${approvalAdmin.C} = The approving administrator's country
• ${approvalAdmin.E} = The approving administrator's email address from Subject DN

Variables used with expiring certificates:

• ${expiringCert.CERTSERIAL} = The serial number of the certificate about to expire
• ${expiringCert.EXPIREDATE} = The date the certificate will expire
• ${expiringCert.CERTSUBJECTDN} = The certificate subject DN
• ${expiringCert.CERTISSUERDN} = The certificate issuer DN

Currently Available Services

Writing Customized Services

It is possible to write customized component plug-ins that can be used with other standard (or customized plug-ins) and this section explains the steps necessary.

Common for all the components is that it is required to create a class implementing the components interface. Then you have to create a jar containing the necessary plug-in classes and deploy it to application server so it is included in the class-path. The next step is to create a service using the custom component by specifying the class path and optionally the custom properties used by the component. The properties field have the same syntax as a regular Java property file.