Setting-up EJBCA as Certification Authority

Branko Majic — 15. March 2011 - 23:16

A Word of Warning

A lot of people have come to this page following the links on the EJBCA main website. You should be warned that although I've tried my best to make a straight-forward guide, if you are only beginning with the EJBCA deployment, make sure you've at least ran through several set-ups following the Quick Start Guide for Ubuntu (should work for Debian Squeeze as well). The entire installation below takes on a more serious deployment schema, and you might find yourself a little overwhelmed if this is your first time starting-out.

There are plans to write some troubleshooting guidelines related to installation described below, but it's currently not the first thing on the TODO list, unfortunately.

Software Requirements

For the purpose of running the EJBCA as certification authority, several software requirements need to be met. For the sake of this guide the EJBCA will be used coupled with MySQL database server and JBoss AS JEE5 application server. It will also be necessary to install the JDK on the target server.

The version of JBoss AS used in this guide is 5.1.0.GA. The version of EJBCA used is 4.0.5. The rest of the components come from the native package manager.

Since both the EJBCA and JBoss AS are distributed in form of a zip archive, it will also be necessary to install the unzip utility (by default it doesn't come with Debian Squeeze network installation):

? root

$ apt-get install unzip

Installing Required Java Packages

Practically any proper JDK should suffice for the use with JBoss AS and EJBCA (although Oracle's JDK might yield some additional configuration steps which are not covered in this guide). Debian Squeeze comes with the OpenJDK package available in default repositories, which can be installed with (take notice that installing just the JRE is not sufficient):

? root

$ apt-get install openjdk-6-jdk

Additionally, it will also be necessary to install the Apache Ant build tool (which will be used for building the EJBCA):

? root

$ apt-get install ant

Since the EJBCA will be using MySQL JDBC connectors, it's also necessary to install the appropriate JDBC drivers for it:

? root

$ apt-get install libmysql-java

Setting-up MySQL Server

Installation of the MySQL server on top of Debian Squeeze is a pretty much straightforward step, and it can be done with a simple:

? root

$ apt-get install mysql-server

It's a very good idea to make MySQL use UTF-8 all the time. This can save a lot of trouble if you end-up adding non-latin characters in subject DN's or anywhere else in the EJBCA front-end. Create the following configuration file:

# /etc/mysql/conf.d/utf-8.cnf

----BEGIN----

[client]

default-character-set=utf8
[mysqld]

default-character-set=utf8

default-collation=utf8_unicode_ci

character-set-server=utf8

init-connect='SET NAMES utf8'

character-set-client = utf8

-----END-----

After this you need to restart the MySQL server to apply the changes:

? root

$ service mysql restart

Once the MySQL server has been installed and set-up to use UTF-8, it is necessary to create the database that will store EJBCA data, as well as to create and grant appropriate permissions to the user which will be used for accessing the database:

? root

mysql> create database ejbca;

mysql> grant all privileges on ejbca.* to 'ejbca'@'localhost' identified by '{{ejbca_mysql_password}}';

mysql> flush privileges;

Parameter ejbca_mysql_password should be replaced by the desired password for the ejbca user.

Setting-up System Accounts

In order to increase the security of the system, two system accounts will be used for deployment of JBoss AS and EJBCA. The first account will be used in order to restrict the access to JBoss AS shared files and directories, while the second one will be used for running the JBoss AS instance on top of which EJBCA will be running.

Create the necessary accounts for JBoss AS and EJBCA

? root

$ adduser --system --shell /bin/bash --group jboss

$ adduser --system --shell /bin/bash --group ejbca

$ usermod -a -G jboss ejbca

This kind of separation will allow for shared JBoss AS files to be owned by the jboss user and jboss group, and with proper mask it will be possible to grant the ejbca user, which will be running the JBoss AS instance with EJBCA on top of it, sufficient privileges to access those shared files.

Setting-up JBoss AS

Unpack the JBoss AS and set-up the file permissions:

? root

$ unzip ~/packages/bin/jboss-5.1.0.GA.zip -d /opt/

$ chown -R jboss.jboss /opt/jboss-5.1.0.GA

$ chmod -R o= /opt/jboss-5.1.0.GA

When it's necessary to upgrade a system, it is often convenient when it's not required to change any of the installation paths. In order to achieve this with the EJBCA deployment, a symbolic link should be created to point at the currently active installation of JBoss AS:

? root

$ cd /opt/

$ ln -s jboss-5.1.0.GA jboss

Starting-up the EJBCA automatically during boot is a necessity in most environments. To achieve this a custom init script has been provided attached to this guide. The script itself is basically a rewrite of the JBoss-provided run.sh script. The script should be copied over into location:

# /etc/init.d/ejbca

Set-up the file permissions for the init script:

? root

$ chown root.root /etc/init.d/ejbca

$ chmod 755 /etc/init.d/ejbca

Change the init script so that it provides the EJBCA service:

# /etc/init.d/ejbca

----BEGIN----p

--- # Provides: jboss

+++ # Provides: ejbca

-----END-----p

The script itself relies on having a separate configuration directory within the /etc tree. Set-up the configuration directory for JBoss AS instances with the following commands:

? root

$ mkdir /etc/jboss

$ chmod 750 /etc/jboss

Create a configuration file for the EJBCA JBoss AS instance (if you're interested, take a look at the attached jboss.conf file for details on what the parameters do and what parameters are available):

# /etc/jboss/ejbca.conf

----BEGIN----

user=ejbca

group=ejbca

javaHome=/usr/lib/jvm/java-6-openjdk/

javaOpts=(-XX:PermSize=96m -XX:MaxPermSize=128m -Xms128m -Xmx512m -Dsun.rmi.dgc.client.gcInterval=3600000 -Dsun.rmi.dgc.server.gcInterval=3600000)

jbossHome=/opt/jboss

jbossConf=ejbca

jbossBind=0.0.0.0

jbossClasspath=/usr/share/java/mysql.jar

-----END-----

Set-up the configuration file permissions:

? root

$ chmod 640 /etc/jboss/ejbca.conf

With JBoss AS it's possible to create multiple configurations which allow you to deploy different applications in each one of them. The configuration is selected during start-up. In order to differentiate the EJBCA configuration from the stock configurations, we will create a new one based on the default configuration:

? root

$ cd /opt/jboss/server/

$ cp -pr default ejbca

$ chown -R ejbca.ejbca ejbca

Finally, it's useful to take some security precautions with JBoss AS instance used for EJBCA by removing the unnecessary applications from its configuration. This can be done with:

? ejbca

$ rm -rf /opt/jboss/server/ejbca/deploy/ROOT.war/

$ rm -rf /opt/jboss/server/ejbca/deploy/jmx-console.war/

$ rm -rf /opt/jboss/server/ejbca/deploy/management/

If you do not require the administration console, you can also remove it with:

$ ejbca

$ rm -rf /opt/jboss/server/ejbca/deploy/admin-console.war/

If you do not remove the administration console, at least make sure you have properly secured it. Some of the techniques which can be used for securing the JBoss AS can be found on the Securing JBoss wiki page. This includes alternatives to removing the above applications.

Tweaking the Firewall Rules

By default the JBoss AS instance will be listening on port 8080 for HTTP, and port 8443 for HTTPS protocol. The standard ports for these protocols are 80 and 443, respectively, but the unprivileged user which will be running the JBoss AS EJBCA instance cannot bind to ports lower than 1024. There's several ways to solve this problem, but as a convenient way to do so, a simple redirect of ports 80 and 443 to ports 8080 and 8443 can be performed instead.

This can be done with the following iptables rules:

-t nat -A PREROUTING -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080

-t nat -A PREROUTING -p tcp -m tcp --dport 443 -j REDIRECT --to-ports 8443

These rules should be set-up to be loaded automatically upon each boot. Take note that these rules won't be useful in cases where you're accessing the URL's from localhost (you'll need to use 8080 and 8443 in URL's).

An alternative (and probably a much saner approach) would be to use the Apache HTTP server to this purpose usind mod_jk. For the time being this type of deployment falls outside of scope of this guide.

Preparing EJBCA Installation Files

Unpack the EJBCA installation files and set-up their permissions:

? root

$ unzip ~/packages/src/ejbca_4_0_5.zip -d /opt/

$ chown -R ejbca.ejbca /opt/ejbca_4_0_5/

$ chmod -R o= /opt/ejbca_4_0_5/

The same way as with JBoss AS, it is useful to have a more constant path to EJBCA, while still preserving the information about what version it is. To this end a symbolic link will be set-up in a similar way:

? root

$ cd /opt/

$ ln -s ejbca_4_0_5 ejbca

It is now necessary to set-up the configuration files for the EJBCA. The configuration file samples, with plenty of comments describing various options, can be found within the /opt/ejbca/conf/ directory. The sample configuration files are ending with sample. The configuration files described here will be relatively simple, but sufficient for test deployments.

First of all, set-up the EJBCA's main configuration file by populating it with the following options (short comments provided as a basic explanation):

# /opt/ejbca/conf/ejbca.properties

----BEGIN----

# Specify the root directory of the application server that's being used.

appserver.home=/opt/jboss
# Explicitly specify the application server being used. Useful if the root

# (home) directory of the application server doesn't use a standard name.

appserver.type=jboss
# Force deployment only of CA part. OCSP will be deployed on a separate server.

ejbca.productionmode=ca
# Specify the password which will be used for protecting the keystore where the

# CA's private key and certificate will be stored.

ca.keystorepass={{keystore_password}}
# Specify the configuration of JBoss AS that should be used.

jboss.config=ejbca
# Make the healthchecker a bit more strict than the default. It will trigger an

# alarm once this much of free memory is left (in megabytes).

healthcheck.amountfreemem=32
# Make the healthcheck actually perform signing operation to make sure it's

# working properly.

healthcheck.catokensigntest=true

-----END-----

Don't forget to replace the keystore_password parameter with your own desired password (make sure the password is at least six characters long or you won't be getting any keystore at all due to built-in checks of Java utilities). This password will protect the private key and certificate used by the certification authority itself.

Set-up the database configuration file:

# /opt/ejbca/conf/database.properties

----BEGIN----

# Specify desired type of database server.

database.name=mysql
# Specify the database connection URL. This property should be set according to

# the JDBC connector used (in this case the MySQL connector). See the MySQL JDBC

# for details on other options.

database.url=jdbc:mysql://127.0.0.1:3306/ejbca?characterEncoding=UTF-8
# Specify the class which should be used for the communication with the

# database. This class should correspond to the select database, and its name is

# dependant on the JDBC implementation for the given database server.

database.driver=com.mysql.jdbc.Driver
# Login credentials for the database which should store the CA information.

database.username=ejbca

database.password={{ejbca_mysql_password}}

-----END-----

The ejbca_mysql_password parameter should be replaced with the same password used during creation of ejbca user on the MySQL database.

One of the most important configuration files is the install.properties, which specifies lots of useful information about the initial certification authority. This starting certification authority is used in order to provide secure access to the EJBCA prior to deployment of proper certification authority hierarchy. In some cases it can also be kept as permanent administrative CA. The file should contain the following information:

# /opt/ejbca/conf/install.properties

----BEGIN----

# Name of the temporary CA used for initial configuration and access (before the

# proper CA hierarchy is in place).

ca.name=ExampleTempAdminCA
# Distinguished name of the temporary admin CA

ca.dn=CN=ExampleTempAdminCA,O=Example Inc.,C=RS
# Software tokens should have this set to null

ca.tokenpassword=null
# Type of the temporary admin CA private key. (default value listed)

ca.keytype=RSA
# RSA key size for the temporary admin CA.

ca.keyspec=4096
# Default signing algorithm for the temporary admin CA.

ca.signaturealgorithm=SHA256WithRSA
# Validity period for the temporary admin CA in days.

ca.validity=30
# Policy for the temporary admin CA.

ca.policy=null

-----END-----

In order to access the EJBCA it's also necessary to set-up the properties for the actual web server which will be serving its public and administrative web interfaces. The file should have the following contents:

# /opt/ejbca/conf/web.properties

----BEGIN----

# Password for the Java truststore used by EJBCA.

java.trustpassword={{ejbca_truststore_password}}
# Common and distinguished name for the temporary super-administrator.

superadmin.cn=TempSuperAdmin

superadmin.dn=CN=${superadmin.cn}
# Password for the temporary super-administrator's p12 keystore.

superadmin.password={{temporary_superadmin_password}}
# Specify that the temporary super-administrator's p12 keystore should be

# generated a part of a 'batch' operation. (otherwise it's useful for storing it

# on a smart-card through the EJBCA public web interface)

superadmin.batch=true
# Password for protecting the keystore containing the application server's

# private key and certificate.

httpsserver.password={{ejbca_https_keystore_password}}
# Hostname which will be used for accessing the CA (must be resolvable from

# client stations accessing the web interface).

httpsserver.hostname=ca.example.com
# Distinguished name for the application server.

httpsserver.dn=CN=${httpsserver.hostname},O=Example Inc.,C=RS
# Specify external port visible to users of EJBCA.

httpserver.external.privhttps=443
# Specify desired language for the web frontend.

web.availablelanguages=EN
# Error message which should be shown to end users in case of an error.

web.errorpage.notification=An exceptions has occurred while trying to process your request. Please contact the administrators and provide the information presented within this page.

-----END-----

The password parameters should be replaced by desired passwords (make sure the keystore/truststore passwords are at least six characters long or you won't be getting any keystore/truststore at all due to built-in checks of Java utilities).

Finally, if there's a functioning mail server which can be used for sending outgoing e-mails from EJBCA itself, it is also useful to set-up the appropriate configuration file for it:

# /opt/ejbca/conf/mail.properties

----BEGIN----

# Log-in credentials for sending email notifications from EJBCA.

mail.user=ejbca@example.com

mail.password={{ejbca_mail_password}}
# Mail server used for sending out email notifications.

mail.smtp.host=mail.example.com
# Specify whether the mail server requires the authentication or not.

mail.smtp.auth=true
# Specify whether STARTTLS should be used or not.

mail.smtp.starttls.enable=true
# Email address used for sending the emails.

mail.from=ejbca-noreply@example.com

-----END-----

The ejbca_mail_password parameter should be replaced with the password used for the ejbca@example.com user on the mail server itself (in this case mail.example.com).

Finally, make sure that permissions on configuration files are set-up properly (keeping them safe from prying eyes):

? root

$ chown ejbca.ejbca /opt/ejbca/conf/*.properties

$ chmod 640 /opt/ejbca/conf/*.properties

As for the rest of the configuration files, those will be left as is for the purpose of this guide (default values from sample configuration files will be used).

Installing EJBCA

The installation itself is more or less a straightforward process. For start bootstrap the EJBCA:

? ejbca

$ cd /opt/ejbca/

$ ant bootstrap

After the boostrap process finishes, it is necessary to actually run the JBoss AS EJBCA instance in order to get on with the next step:

? root

$ service ejbca start

You should wait until the instance finishes starting-up. You can check for its progress with a tail command:

? ejbca

$ tail -f /opt/jboss/server/ejbca/log/server.log

Once the server has stared up, you'll see a line like this in the log file:

2011-03-28 22:22:40,743 INFO  [org.jboss.bootstrap.microcontainer.ServerImpl] (main) JBoss (Microcontainer) [5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221053)] Started in 4m:59s:229ms

Once the instance is up and running, proceed with the installation of EJBCA (this will actually create the necessary private keys, certificates, truststores etc):

? ejbca

$ cd /opt/ejbca/

$ ant install

The install command might take a while. Once the command finishes, the JBoss AS EJBCA instance should be stopped before proceeding with the next step:

? root

$ service ejbca stop

Finalise the deployment with:

? ejbca

$ cd /opt/ejbca/

$ ant deploy

Once the deployment has finished, start the JBoss AS EJBCA instance again, and let it start automatically on boot:

? root

$ update-rc.d ejbca defaults

$ service ejbca start

This concludes the basic installation of EJBCA itself. What's left is to perform configurations steps from within the administrative interface. This actually forms the meat and bones of the entire process. Everything up until now was simply a preparation.

Importing Temporary Super-Administrator Token

Since EJBCA is protecting the access to administration segment through client certificates, it is necessary to import the temporary super-administrator token into web browser. The token itself is stored within a PKCS#12 file. The file should be copied over from the EJBCA server onto workstation which will be used for further configuration from the following location on CA server:

# /opt/ejbca/p12/superadmin.p12

In case of Firefox, this file can be imported by going to Edit -> Preferences -> Security -> Advanced -> Encryption -> Show Certificates dialogue. Within this dialogue select the Your Certificates tab, click on the Import... button, and navigate to the PKCS#12 file. The file is protected by the appropriate password specified in web.properties configuration file.

Once this has been completed, it should be possible to access the administration interface of the EJBCA through the following URL:

@ http://ca.example.com/ejbca/

Enabling Key Recovery

An important aspect when generating private keys is their secrecy and safekeeping. In case of private keys which should be used for non-repudiation, these keys should not be backed-up.

On the other hand, in case of private keys which are used for encryption, it is essential to maintain copies of those keys. If the keys get lost, the data encrypted with them is rendered useless.

To this end it's possible to use the EJBCA itself. In order to allow key recovery, go to the Administration -> System Configuration page and turn on the Enable Key Recovery option. Click on the Save button.

Creating the Root CA

With basic installation done, it's time to set-up the certification authority hierarchy. The starting point is the root CA. Go to the Edit Certificate Authorities page and enter Example Root CA as the name of new certification authority, then click on Create... button. Make the following changes:

Signing Algorithm: SHA256WithRSA

RSA key size: 4096

Description: Root CA for Example Inc.

Validity (*y *mo *d) or end date of the certificate: 20y

Subject DN: CN=Example Root CA,O=Example Inc.,C=RS

Use Issuing Distribution Point on CRLs: On

Default CRL Dist. Point: http://crl.example.com/rootca.crl

CRL Expire Period (*y *mo *d *h *m): 1y

CRL Overlap Time (*y *mo *d *h *m): 2d

Once the information is filled-in, click on the Create button. Wait until the operation finishes (it can take a while depending on CPU speed and amount of available entropy). Once it's done a new certification authority will be available in the list of CA's.

Creating Sub-CA's

Before proceeding with creation of the rest of production CA hierarchy, it is useful to create a distinct certificate profile for sub-CA's (CA's that are not root). EJBCA does come with some pretty sane defaults, but it's still very helpful to create a distinct profile in order to be sure what has been used for each authority (in cases that the defaults change between versions).

Open the Edit Certificate Profiles page, select the SUBCA (FIXED) profile from the list, enter Example Sub-CA in the edit box, and click on the Use selected as template button. This will create a new certificate profile with properties copied from the SUBCA profile.

Select the newly created Example Sub-CA and click on the Edit Certificate Profile button. The following options for this profile should be changed:

Available bit lengths: 4096 bits

Validity: 15y

Allow validity override: Off

CRL Distribution Points: On

Use CA defined CRL Dist. Point: On

Available CAs: Example Root CA

Click on the Save button to commit the changes.

Once the certificate profile has been completed, it's time to move on to creation of the certification authorities which will be in charge of issuing certificates to end entities (people and servers). Open the Edit Certificate Authorities page, and enter Example Person CA in the text box, then click on the Create... button. Make the following changes on the page:

Signing Algorithm: SHA256WithRSA

RSA key size: 4096

Description: Example's CA in charge of issuing certificates for individuals within the organisation.

Validity (*y *mo *d) or end date of the certificat: 15y

Subject DN: CN=Example Person CA,O=Example Inc.,C=RS

Signed By: Example Root CA

Certificate Profile: Example Sub-CA

Use Issuing Distribution Point on CRLs: On

Default CRL Dist. Point: http://crl.example.com/personca.crl

CRL Expire Period (*y *mo *d *h *m): 14d

CRL Overlap Time (*y *mo *d *h *m): 12h

Default OCSP Service Locator: http://ocsp.example.com/ejbca/publicweb/status/ocsp

Once the information is in place, click on the Create button. After a while a new CA will be created and it will appear in the list of available certification authorities.

The next CA in line is the certification authority which will issue certificates for servers. Open the Edit Certificate Authorities page, and enter Example Server CA in the text box, then click on the Create... button. Make the following changes on the page:

Signing Algorithm: SHA256WithRSA

RSA key size: 4096

Description: Example's CA in charge of issuing certificates for servers within the organisation.

Validity (*y *mo *d) or end date of the certificat: 15y

Subject DN: CN=Example Server CA,O=Example Inc.,C=RS

Signed By: Example Root CA

Certificate Profile: Example Sub-CA

Use Issuing Distribution Point on CRLs: On

Default CRL Dist. Point: http://crl.example.com/serverca.crl

CRL Expire Period (*y *mo *d *h *m): 14d

CRL Overlap Time (*y *mo *d *h *m): 12h

Default OCSP Service Locator: http://ocsp.example.com/ejbca/publicweb/status/ocsp

Click on the Create button to finalise the creation of basic CA hierarchy.

Creating Certificate Profiles for End Entities

The same way certificate profiles were created for sub-CA's, it is also necessary to create certificate profiles for end entities. These profiles will be based off the default profiles provided by the EJBCA itself.

Go to the Edit Certificate Profiles page and select the ENDUSER (FIXED) profile. Enter the name for the new profile in the text box - Example Person Signing, then click on the Use selected as template button. Select the newly created Example Person Signing profile from the list, and click on the Edit Certificate Profile button. Make the following changes:

Available bit lengths: 1024, 2048, 4096

Validity (*y *mo *d) or end date of the certificate: 1y

Key Usage: Digital Signature, Non-repudiation

Extended Key Usage: Client Authentication, Email Protection

CRL Distribution Points: On

Use CA defined CRL Dist. Point: On

Authority Information Access: On

Use CA defined OCSP locator: On

Available CAs: Example Person CA

Once the information is filled-in, click on the Save button (make sure the Key encipherment is turned off, otherwise the mailing software will pick up the signing certificate for encryption as well).

Select the ENDUSER (FIXED) profile again, and enter Example Person Encryption as the name of the new profile. Click on the Use selected as template button. Select the newly created profile and click on the Edit Certificate Profile button. Make the following changes to the profile:

Available bit lengths: 1024, 2048, 4096

Validity (*y *mo *d) or end date of the certificate: 1y

Key Usage: Key encipherment, Data encipherment

Extended Key Usage: Email Protection

CRL Distribution Points: On

Use CA defined CRL Dist. Point: On

Authority Information Access: On

Use CA defined OCSP locator: On

Available CAs: Example Person CA

Click on the Save button to apply the changes.

The next profile will be created for purpose of being used by servers. Select the SERVER (FIXED) profile, enter Example Server as the profile name, and click on the Use selected as template. Select the newly created certificate profile and click on the Edit Certificate Profile button. Make the following changes to the profile:

Available bit lengths: 1024, 2048, 4096

CRL Distribution Points: On

Use CA defined CRL Dist. Point: On

Authority Information Access: On

Use CA defined OCSP locator: On

Available CAs: Example Server CA

Save the changes. This concludes the creation of basic certificate profiles.

Creating End Entity Profiles

While the certificate profiles basically define what a certificate can be used for, the end entity profiles define the contents of certificate profiles. Two distinct end entity profiles will be created - one for individuals within the organisation, and another one for servers.

Go to the Administration -> Edit End Entity Profiles page. Enter Person within the text field and click on the Add button. Select the newly created Person profile and click on the Edit End Entity Profile button. Add the following Subject DN Attributes:

UID, Unique identifier
O, Organization
C, Country (ISO 3166)

Make all the three newly added attributes required and modifiable. Add the subject alternative name RFC 822 Name (e-mail address).

Change the fields of Person profile as follows:

E-mail Domain: example.com

O, Organization: Example Inc.

C, Country (ISO 3166): RS

RFC 822 Name (e-mail address) Required: On

Default Certificate Profile: Example Person Signing

Available Certificate Profiles: Example Person Signing, Example Person Encryption

Default CA: Example Person CA

Available CAs: Example Person CA

Default Token: P12 file

Number of allowed requests: 2

Number of allowed requests use: On

Key Recoverable Use: On

Once the changes have been made, click on the Save button.

Next in line is the server end entity profile. Go back to the Administration -> Edit End Entity Profiles page and enter Server in the text box. Click on the Add button. Select the newly-created Server profile and click on the Edit End Entity Profile button. Add the following Subject DN Attributes and mark them all as required:

O, Organization
C, Country (ISO 3166)

Add the subject alternative name DNS Name. Add the subject alternative name RFC 822 Name (e-mail address). Change the fields of Server profile as follows:

Batch generation (clear text pwd storage) use: On

E-mail Domain: example.com

O, Organization: Example Inc.

C, Country (ISO 3166): RS

RFC 822 Name (e-mail address) Required: On

Default Certificate Profile: Example Server

Available Certificate Profiles: Example Server

Default CA: Example Server CA

Available CAs: Example Server CA

Default Token: PEM file

Click on the Save button. All the basic necessary end entity profiles are now available.

Moving EJBCA to Production Hierarchy

It's time to replace the existing certificates used by the EJBCA web frontend with certificates issued by Example Server CA, as well as to switch to using Example Person CA's certificates for authenticating and authorising administrators.

Issuing New Super-administrator Key and Certificate

Go to the Administration -> Add End Entity page. Select the Person end entity profile. Fill in the following information:

Username: {{admin_username}}

Password: {{admin_password}}

Confirm Password: {{admin_password}}

Email: {{admin_mail}} @ example.com

CN, Common name: {{admin_name}} {{admin_surname}}

UID, Unique Identifier: {{user_id}}

O, Organization: Example Inc.

C, Country (ISO 3166): RS

Use data from E-mail address field: On

Certificate Profile: Example Person Signing

CA: Example Person CA

Token: P12 file

Number of allowed requests: 2

Key Recoverable: Off

Don't forget to replace all the parameters with desired information. Click on Add End Entity button. The key/certificate pair can now be obtained and imported into browser through the public web interface. Go to the Public Web -> Create Browser Certificate page and provide the credentials previously specified for the administrator end entity. Make sure that the Example Person Signing profile is selected, and click on the OK button. You will be provided with a p12 file which can be saved locally, then imported into the web-browser you'll be using for further administration (other parts of this book also deal with storing of private keys and certificates on smart-cards instead, as well as generating private keys independently of EJBCA itself). The file is protected with the same password as specified for the end entity.

Head back to the Administration -> Edit Administrator Privileges page. Click on the Add link and enter Super Administrators as a name. Click on the Administrators link next to the Super Administrators group and provide the following information:

CA: Example Person CA

Match with: Certificate serial number (recommended)

Match type: Equals, case sens.

Match value: {{certificate_serial}}

The certificate_serial parameter should be replaced by the certificate serial number you've just issued. It can be obtained through the web browser, for example. Make sure the serial number specified doesn't contain colons (Mozilla Firefox displays the serial number with colons).

Click on the Add button, then click on the Edit Access Rules on the same page. Select role Super Administrators, and click on the Save button.

Preparing New Keystore for the EJBCA Web Server

It's time to create a new keystore and truststore for the EJBCA web server. Go to the Administration -> Add End Entity page and select the Server profile. Provide the following information:

Username: ca.example.com_ejbca

Password: {{ca_keystore_password}}

Confirm Password: {{ca_keystore_password}}

Batch generation (clear text pwd storage): On

E-mail address: ejbca@example.com

CN, Common name: Example CA Server

O, Organization: Example Inc.

C, Country (ISO 3166): RS

DNS Name: ca.example.com

Use data from E-mail address field: On

Certificate Profile: Example Server

CA: Example Server CA

Token: JKS file

The password provided should match the password specified in the web.properties configuration file for the ejbca_https_keystore_password parameter. Once done, click on the Add button.

Now login to the CA server itself and add the following line at the end of the file:

# /opt/ejbca/bin/batchtool.properties

----BEGIN----

keys.spec=4096

-----END-----

The keystore can now be generated with the following commands:

? ejbca

$ cd /opt/ejbca/

$ bin/ejbca.sh batch

In addition to generating the keystore, it's also necessary to create a new truststore. The truststore identifies which certificates should be trusted for the purpose of accessing the EJBCA administration interface. This can be done with the following set of commands:

? ejbca

----BEGIN----$

cd /opt/ejbca/

bin/ejbca.sh ca getrootcert 'Example Root CA' rootca.der -der

bin/ejbca.sh ca getrootcert 'Example Person CA' personca.pem

openssl x509 -in personca.pem -out personca.der -outform DER

keytool -importcert -alias examplerootca -file rootca.der -keystore p12/truststore_new.jks

keytool -importcert -alias examplepersonca -file personca.der -keystore p12/truststore_new.jks

-----END-----$

The password provided for the new truststore should be exactly the same as the one provided in the web.properties configuration file for the ejbca_truststore_password parameter (this must be at least characters due to constraints imposed by Java and its tools).

Before proceeding with deployment of new keystore and truststore, make sure to stop the EJBCA service:

? root

$ service ejbca stop

The keystore and truststore can be deployed with the following commands:

? ejbca

$ cd /opt/ejbca/p12/

$ cp ca.example.com_ejbca.jks /opt/jboss/server/ejbca/conf/keystore/keystore.jks

$ cp truststore_new.jks /opt/jboss/server/ejbca/conf/keystore/truststore.jks

Once this is done, EJBCA can be started again:

? root

$ service ejbca start

Once the EJBCA has started-up you can try accessing the certification authority using your new key/certificate pair (you might need to restart your browser or clear its authentication credentials to be able to do so). If all goes well, it's recommended to make the new keystore/truststore default for future calls to deploy within the EJBCA source directory:

? ejbca

$ cd /opt/ejbca/p12/

$ mv ca.example.com_ejbca.jks tomcat.jks

$ mv truststore_new.jks truststore.jks

The final step includes disabling the old temporary super-administrator group, as well as temporary certification authority. Go to the Administration -> Edit Administrator Privileges page and click on the delete link next to the Temporary Super Administrator Group.

Once this has been completed, go to the page Administration -> CA Activation, select the Make off-line radio-box and turn off the Monitored check-box next to the ExampleTempAdminCA. Click on the Apply button.

It is also a good idea to revoke the old certificates used for the initial configuration (for end entities superadmin and tomcat) through the Administration -> Search/Edit End Entities page. Go to that page, and search for entities with status Generated. Click on the checkboxes next to the superadmin and tomcat end entities, and click on the Revoke And Delete button.

Configuring the Publish Queue Process Service

While this service may not be of any use yet, it will be useful in some of the later guides where OCSP, CRL, and LDAP get introduced. Once we start publishing the certificates and CRL's to remote locations it will be necessary to somehow make sure that in case of failures the certificates and CRL's do get published once the technical issues are resolved.

Go to the Administration -> Edit Services page. Enter Publis Queue Process Service in the edit box, and click on hte Add button. Select the newly-created service, and click on the Edit Service button. Provide the following information for it:

Select Worker: Publish Queue Process Service

Select Interval: Periodical Interval

Period: 1 minutes

Select Action: No Action

Active: On

Pin to Specific Node(s): ca.example.com

Description: Publish certificates and CRL's from the publisher queue.

Click on the Save button to apply the changes.

Configuring the CRL Updater

As a final step to installing the EJBCA, it is necessary to set-up the CRL updater. CRL updater is in charge of generating the CRL's and making sure that once they expire they get regenerated. It is executed periodically. It should be noted that the CRL updater does not actually put CRL's in the spot from which they will be obtained. It merely generates them on the CA itself. Other parts of this book deal with making CRL's publicly available to the rest of the environment on the predefined location.

Go to the Administration -> Edit Services page. Enter CRL Updater in the edit box, and click on the Add button. Select the newly-created service, and click on the Edit Service button. Provide the following information for it:

Select Worker: CRL Updater

CAs to Check: Example Root CA, Example Person CA, Example Server CA

Select Interval: Periodical Interval

Period: 5 minutes

Select Action: No Action

Active: On

Pin to Specific Node(s): ca.example.com

Description: Updates the CRL's if necessary. Checks are made every 5 minutes.

Once the information is filled-in, click on the Save button. This concludes the initial deployment, installation, and configuration of the EJBCA as certification authority. You should proceed onto chapters covering the deployment of OCSP responder and CRL distribution point.

Attachment	Size
jboss.conf	1.66 KB
jboss.init	5.52 KB

External RA

Quintiliano (not verified) — 28. March 2012 - 22:57

Good night,

First of all, great post, very helpfull.
Second, did you manage to configura a external RA for EJBCA? If yes, how you did it?

Cheers

Quintiliano

Not yet (tm)

Branko Majic — 29. March 2012 - 21:19

Hello Quintiliano,

Glad you like the posts. So far I actually haven't played with the external RA functionality of EJBCA at all (if we're talking about EJBCA's own app). I did use some other software (proprietary stuff unfortunately), providing it with RA roles.

What's the issue you're running into? (you can always check out the EJBCA forum if you have trouble with base instructions from the EJBCA website).

Best regards

Brand New RE-Install

Anonymous (not verified) — 16. February 2012 - 20:04

Hi there !!

First of all thanks a lot for this tutorial soooooo good !! It's probably one of the best I found on the net. I've been able to build it (nearly...) with 4_0_8.. no big troubles except.... I'll tell u ;)

So I got few questions.

First regarding the "preparing new keystore" part:
1- When you speak in about "ejbca_https_keystore_password " you mean the "httpsserver.password" directive don't u ? Same thing for "ejbca_truststore_password" it's the "java.trustpassword" directive ?

Second, I mistake myself during implementing this password.. so Jboss isn't working anymore (password exceptions). It was late, I was in a hurry, so I delete my p12/keystore, delete my MYSQL table, rm -rf /opt/ejbca/ and tried to implement it again (ant clean/ant bootstrap)... But the fact is the keytool is probably keeping an information somewhere I can't find... CAUSE MY JBOSS IS STILL NOT ABLE TO START !! :(

I got this first error on my server.log:

2012-02-16 18:43:59,718 INFO  [org.jboss.wsf.stack.jbws.WSDLFilePublisher] (main) WSDL published to: file:/opt/jboss-5.1.0.GA/server/ejbca/data/wsdl/ejbca.ear/ejbca-ws-ejb.jar/EjbcaWSService8504433848831815047.wsdl

2012-02-16 18:44:02,296 INFO  [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (main) deploy, ctxPath=/ejbca/ejbcaws

2012-02-16 18:44:02,348 WARNING [javax.enterprise.resource.webcontainer.jsf.config] (main) Unable to process deployment descriptor for context '/ejbca/ejbcaws'

2012-02-16 18:44:02,360 INFO  [javax.enterprise.resource.webcontainer.jsf.config] (main) Initializing Mojarra (1.2_12-b01-FCS) for context '/ejbca/ejbcaws'

2012-02-16 18:44:03,530 INFO  [org.jboss.web.tomcat.service.deployers.TomcatDeployment] (main) deploy, ctxPath=/ejbca/adminweb

2012-02-16 18:44:04,371 INFO  [javax.enterprise.resource.webcontainer.jsf.config] (main) Initializing Mojarra (1.2_12-b01-FCS) for context '/ejbca/adminweb'

2012-02-16 18:44:05,908 INFO  [org.ejbca.config.ConfigurationHolder] (main) Allow external re-configuration: false

2012-02-16 18:44:05,980 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/ejbca/adminweb]] (main) Marking servlet StartServices as unavailable

2012-02-16 18:44:05,993 ERROR [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/ejbca/adminweb]] (main) Servlet /ejbca/adminweb threw load() exception

javax.naming.NameNotFoundException: CAAdminSessionBean not bound

        at org.jnp.server.NamingServer.getBinding(NamingServer.java:771)

        at org.jnp.server.NamingServer.getBinding(NamingServer.java:779)

        at org.jnp.server.NamingServer.getObject(NamingServer.java:785)

        at org.jnp.server.NamingServer.lookup(NamingServer.java:396)

        at org.jnp.server.NamingServer.lookup(NamingServer.java:399)

        at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:726)

        at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:686)

        at javax.naming.InitialContext.lookup(InitialContext.java:409)

        at org.jnp.interfaces.NamingContext.resolveLink(NamingContext.java:1346)

        at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:817)

        at org.jnp.interfaces.NamingContext.lookup(NamingContext.java:686)

        at org.jboss.ejb3.JndiUtil.lookup(JndiUtil.java:44)

        at org.jboss.injection.JndiPropertyInjector.lookup(JndiPropertyInjector.java:75)

        at org.jboss.injection.JndiPropertyInjector.inject(JndiPropertyInjector.java:99)

        at org.jboss.web.tomcat.service.TomcatInjectionContainer.processInjectors(TomcatInjectionContainer.java:366)

        at org.jboss.web.tomcat.service.TomcatInjectionContainer.newInstance(TomcatInjectionContainer.java:271)

        at org.jboss.web.tomcat.service.TomcatInjectionContainer.newInstance(TomcatInjectionContainer.java:265)

        at org.jboss.web.tomcat.service.TomcatInjectionContainer.newInstance(TomcatInjectionContainer.java:256)

        at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1006)

        at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:950)

        at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4122)

        at org.apache.catalina.core.StandardContext.start(StandardContext.java:4421)

        at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeployInternal(TomcatDeployment.java:310)

        at org.jboss.web.tomcat.service.deployers.TomcatDeployment.performDeploy(TomcatDeployment.java:142)

        at org.jboss.web.deployers.AbstractWarDeployment.start(AbstractWarDeployment.java:461)

        at org.jboss.web.deployers.WebModule.startModule(WebModule.java:118)

        at org.jboss.web.deployers.WebModule.start(WebModule.java:97)

        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)

        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)

        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

        at java.lang.reflect.Method.invoke(Method.java:616)

        at org.jboss.mx.interceptor.ReflectedDispatcher.invoke(ReflectedDispatcher.java:157)

        at org.jboss.mx.server.Invocation.dispatch(Invocation.java:96)

        at org.jboss.mx.server.Invocation.invoke(Invocation.java:88)

        at org.jboss.mx.server.AbstractMBeanInvoker.invoke(AbstractMBeanInvoker.java:264)

        at org.jboss.mx.server.MBeanServerImpl.invoke(MBeanServerImpl.java:668)

        at org.jboss.system.microcontainer.ServiceProxy.invoke(ServiceProxy.java:206)

        at $Proxy38.start(Unknown Source)

        at org.jboss.system.microcontainer.StartStopLifecycleAction.installAction(StartStopLifecycleAction.java:42)

        at org.jboss.system.microcontainer.StartStopLifecycleAction.installAction(StartStopLifecycleAction.java:37)

        at org.jboss.dependency.plugins.action.SimpleControllerContextAction.simpleInstallAction(SimpleControllerContextAction.java:62)

        at org.jboss.dependency.plugins.action.AccessControllerContextAction.install(AccessControllerContextAction.java:71)

        at org.jboss.dependency.plugins.AbstractControllerContextActions.install(AbstractControllerContextActions.java:51)

        at org.jboss.dependency.plugins.AbstractControllerContext.install(AbstractControllerContext.java:348)

        at org.jboss.system.microcontainer.ServiceControllerContext.install(ServiceControllerContext.java:286)

        at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:1631)

        at org.jboss.dependency.plugins.AbstractController.incrementState(AbstractController.java:934)

        at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:1082)

        at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:984)

        at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:822)

        at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:553)

        at org.jboss.system.ServiceController.doChange(ServiceController.java:688)

        at org.jboss.system.ServiceController.start(ServiceController.java:460)

        at org.jboss.system.deployers.ServiceDeployer.start(ServiceDeployer.java:163)

        at org.jboss.system.deployers.ServiceDeployer.deploy(ServiceDeployer.java:99)

        at org.jboss.system.deployers.ServiceDeployer.deploy(ServiceDeployer.java:46)

        at org.jboss.deployers.spi.deployer.helpers.AbstractSimpleRealDeployer.internalDeploy(AbstractSimpleRealDeployer.java:62)

        at org.jboss.deployers.spi.deployer.helpers.AbstractRealDeployer.deploy(AbstractRealDeployer.java:50)

        at org.jboss.deployers.plugins.deployers.DeployerWrapper.deploy(DeployerWrapper.java:171)

        at org.jboss.deployers.plugins.deployers.DeployersImpl.doDeploy(DeployersImpl.java:1439)

        at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFirst(DeployersImpl.java:1157)

        at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFirst(DeployersImpl.java:1178)

        at org.jboss.deployers.plugins.deployers.DeployersImpl.doInstallParentFirst(DeployersImpl.java:1210)

        at org.jboss.deployers.plugins.deployers.DeployersImpl.install(DeployersImpl.java:1098)

        at org.jboss.dependency.plugins.AbstractControllerContext.install(AbstractControllerContext.java:348)

        at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:1631)

        at org.jboss.dependency.plugins.AbstractController.incrementState(AbstractController.java:934)

        at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:1082)

        at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:984)

        at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:822)

        at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:553)

        at org.jboss.deployers.plugins.deployers.DeployersImpl.process(DeployersImpl.java:781)

        at org.jboss.deployers.plugins.main.MainDeployerImpl.process(MainDeployerImpl.java:702)

        at org.jboss.system.server.profileservice.repository.MainDeployerAdapter.process(MainDeployerAdapter.java:117)

        at org.jboss.system.server.profileservice.repository.ProfileDeployAction.install(ProfileDeployAction.java:70)

        at org.jboss.system.server.profileservice.repository.AbstractProfileAction.install(AbstractProfileAction.java:53)

        at org.jboss.system.server.profileservice.repository.AbstractProfileService.install(AbstractProfileService.java:361)

        at org.jboss.dependency.plugins.AbstractControllerContext.install(AbstractControllerContext.java:348)

        at org.jboss.dependency.plugins.AbstractController.install(AbstractController.java:1631)

        at org.jboss.dependency.plugins.AbstractController.incrementState(AbstractController.java:934)

        at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:1082)

        at org.jboss.dependency.plugins.AbstractController.resolveContexts(AbstractController.java:984)

        at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:822)

        at org.jboss.dependency.plugins.AbstractController.change(AbstractController.java:553)

        at org.jboss.system.server.profileservice.repository.AbstractProfileService.activateProfile(AbstractProfileService.java:306)

        at org.jboss.system.server.profileservice.ProfileServiceBootstrap.start(ProfileServiceBootstrap.java:271)

        at org.jboss.bootstrap.AbstractServerImpl.start(AbstractServerImpl.java:461)

        at org.jboss.Main.boot(Main.java:221)

        at org.jboss.Main$1.run(Main.java:556)

        at java.lang.Thread.run(Thread.java:636)

2012-02-16 18:44:05,996 INFO  [org.apache.catalina.core.ContainerBase.[jboss.web].[localhost].[/ejbca/adminweb]] (main) Marking servlet GetCRL as unavailable

So:

How could make it clean again to re-install everything from scratch ? Please don't speak about reinstall, I can't think about it (many other stuff backup on it) !! ;)

And an optional last question: did someone tried to install ejbca with JBOSS 6 ? Is there some point to know ??

Thanks everyone for your support !!

Ben.

Don't forget the JBoss directories

Branko Majic — 17. February 2012 - 16:26

Hello Ben,

Yes, you're correct - those are the two parameters I'm referring to. The '{{blah}}' means the parameter should be replaced (they brackets are just open/close tags).

Essentially, if you want to redeploy from scratch, you'll need to create a fresh copy of the jboss/server/ejbca directory as well. And keep in mind that you need to have proper permissions set, I think a number of people had hit a wall by running the ant targets etc. as wrong users.

Finally, thanks for the compliments, I've tried to make it as good as possible, although it might've turned out a bit complicated based on some feedback from different people :)

i don't have a log file

Anonymous (not verified) — 30. January 2012 - 8:03

hi
I get error when i type "ant install" and i realized that i don't have server.log file in path: JBOSS_HOME/server/default/log/server.log
I use linux ubuntu10.11, jboss_5.1.0.GA , ejbca_4_0_6 , openjdk_6_jre in vmware workstaion
what shoud i do now?

Forgot to start JBoss AS?

Branko Majic — 30. January 2012 - 10:28

If you've followed my installation instructions, the log files should be in JBOSS_HOME/server/ejbca/log/ directory. If they're not there prior to ant install, you probably forgot to run the server (which is required for the ant install step).

i don't forget

maryam (not verified) — 30. January 2012 - 11:50

I followed your installation instructions,
but i don't forgot to run the server.

Thanks a lot

In that case you should find

Branko Majic — 30. January 2012 - 12:06

In that case you should find the log files in the server/ejbca/log directory instead (I avoid using the stock minima/default/all configurations in order to keep them in pristine state in case I need them later on).

ant boostraping failed

step (not verified) — 25. January 2012 - 21:27

using ant 1.8.1 from apache website, jboss 5.10 and ejbca4.0.7, the ant bootstrap failed on "addWebXMLMappings" not supported by jasper2. It seems that jspc has been deprecated in ant (tomcat 4.1.36), leaving nothing to compile JSP except manual compilation that is far above my abilities.
There is no jasper-compiler.jar,jasper-runtime.jar in tomcat 6 to replace ant's. There is no help on the ant FAQ, apart 2 lines saying "go using buitins....".
My distro's ant is 1.7.0 (under your minimum limit (1.7.1)). Installing ant was a torture due to missing files in the repository used (marven), i needed to install and search them by hand, i think using ant is in the same mood.
Any help ? are you aware about this problem ?

Does it work with 1.8.0?

Branko Majic — 25. January 2012 - 21:42

Hm... On Debian Squeeze, Ant is currently at version 1.8.0, and that's what I used. Was the removal included between 1.8.0 and 1.8.1? Could you tell me what distro you're using (might be helpful for others as well to know it the issue exists)?

Distro ant

step (not verified) — 25. January 2012 - 22:56

I'm using debian lenny (ant 1.7.0-6). My hardware servers are not able to handle debian squeeze due to vmware limitations. So i installed ant using the zip downloaded from the apache ant's website. So I didn't used an ant packaged by Debian but apache's up to date one.

Could you try using the

Branko Majic — 25. January 2012 - 23:42

Could you try using the Apache Ant 1.8.0 by any chance to see if you have the same problem? I haven't deployed CA on Lenny for a while, to be honest. And, not wanting to be a wise-arse, but you know that Lenny support is being dropped by Debian in early February (I think on 5th or so)?

On the other hand, I might try deploying on Lenny to see what kind of trouble I run into, but not sure when I'll be able to do so. I'm going to attend FOSDEM this year again, this time as lecturer, and still have some chores to do for that :)

same problem

step (not verified) — 26. January 2012 - 12:24

using the 1.8.0 ant from apache website does not resolve the problem as it want to download jasper-compiler and jasper runtime 4.1.36 (compiler for tomcat 4 for JSP) that is deprecated (http://ant.apache.org/manual/Tasks/jspc.html) and i do not understand the new compiler howto (how to install, how it works). The only page i found talking about it is (http://tomcat.apache.org/tomcat-6.0-doc/jasper-howto.html). It only says it's new and good but not how to use it.

After i collected two other information about this horror:

A quick answer from a forum (3 years old) : "go using tomcat compiler jars" , but no other explanations.
An answer from FAQ ant that is rather hallucinatory : "How to I precompile Java Server Pages (JSPs)?

Apache Ant has a built in optional task which was intended for that. But this task is deprecated. Here the alternative suggested by the manual:

Instead of relying on container specific JSP-compilers we suggest deploying the raw files (*.jsp) and use the container build-in functions: after deploying run a test suite (e.g. with Cactus or HttpUnit) against the deployed web application. So you'll get then test result and the compiled JSPs.
".
I think ant binaries from apache website are unusable, and not used so nobody sees any problem, apart me... I can't use debian 6 before an hardware update of my servers, but the template is ready. It"s a compatibility issue in the hardware compatibility list of vmware before using esxi, whitch is a prerequisite for having debian 6 supported that prevent me from using a newer distro.

some more information

step (not verified) — 26. January 2012 - 12:32

I think the java compiler used in distros is GCJ, and not the jasper compiler from tomcat4. I think it's all the différence. I follow this path.

if found some info

step (not verified) — 26. January 2012 - 13:17

is possible to use different compilers. This can be specified by either setting the global build.compiler property, which will affect all tasks throughout the build, by setting the compiler attribute, specific to the current task or by using a nested element of any typedeffed or componentdeffed type that implements org.apache.tools.ant.taskdefs.compilers.CompilerAdapter. Valid values for either the build.compiler property or the compiler attribute are:
•classic (the standard compiler of JDK 1.1/1.2) – javac1.1 and javac1.2 can be used as aliases.
•modern (the standard compiler of JDK 1.3/1.4/1.5/1.6/1.7) – javac1.3 and javac1.4 and javac1.5 and javac1.6 and javac1.7 (since Ant 1.8.2) can be used as aliases.
•jikes (the Jikes compiler).
•jvc (the Command-Line Compiler from Microsoft's SDK for Java / Visual J++) – microsoft can be used as an alias.
•kjc (the kopi compiler).
•gcj (the gcj compiler from gcc).

Yes we can... But how ? It's funny as explanation always stop when aproaching to practical way. I also received the confirmation ant's distro is build usign gcj as default and ant from apache website using "modern" . I do not find the file these properties are stored in.

confirmed, i removed the

step (not verified) — 26. January 2012 - 13:31

confirmed, i removed the tomcat 4 jasper jar from ant's lib directory and the error changes, as it's using javac (from openjdk) compiler. Still not working but you can change the compiler for java used by ant. Still searching how...

One thing just came to my

Branko Majic — 26. January 2012 - 13:40

One thing just came to my mind. At some point I've had some kind of compiler error (can't recall which one/when), and it turned out that gcj was instead of OpenJDK. I think this might've been on a CentOS machine (version 5, iirc). Upon removing the gcj stuff altogether I think I've had more luck (or it was something in line of that).

Could you see if you can update the alternatives to make sure that no part of gcj is being used?

no gcj is installed for the

step (not verified) — 26. January 2012 - 14:28

no gcj is installed for the moment, so thereis not such problem. This is the compile error i had :

publicweb-gui/build.xml :83 java.lang.NosuchmethodError: javax.servlet.jsp.tagext.tagattributeinfo ...

Do you use Gcj in your recent

step (not verified) — 26. January 2012 - 15:50

Do you use Gcj in your recent install ?

interesting. same error using

step (not verified) — 26. January 2012 - 17:05

interesting. same error using Sun jdk...

Since there seems to be quite

Branko Majic — 26. January 2012 - 17:15

Since there seems to be quite a bit of communication between you and me, feel free to contact me through e-mail (we'll make sure a solution is posted in comments if/when we discover what the problem is). Just it'd be useful to reduce the amount of not so useful comments so far :)

Btw, I've just done a quick search on the net, and found someone mentioning existence of superfluous Tomcat jars being available in the path. Well, I might've had a similar problem at some point like this, so maybe this could be the issue? Could you check if you have some extra jar's installed system-wide which overlap in some way with the contents of JBoss directory?

My mail is easy to figure out if you know that my name is branko, and my domain is majic.rs ;)

perfectly working !

bsarda (not verified) — 10. August 2011 - 16:20

Hello,
I follow exactly this tutorial, and everythings works perfect.
I tried many tuts before, including some tuts of ejbca's partner companys, and neither get worked.

two little precisions about installation process :
- make passwords (specially truststore) longer than 6, else the deploy shall fail.
- the newly generated admin certificate doesn't works with Opera browser. It says that the certificate chain isn't properly ordered (sorry, I translate from French, but the error message itself is not clear!)

Any ideas ?

Anyway, very good job ! works with VMware vSphere's VM, Debian 6.0.2.
Regards

Ok, I've (finally) updated

Branko Majic — 20. October 2011 - 21:42

Ok, I've (finally) updated the guide a bit to draw attention to this. Thanks for the good catch :)

Another thing that pops to my

Branko Majic — 11. August 2011 - 22:48

Another thing that pops to my mind in regards to the 6-character requirement is that maybe a small patch could be written for build.xml to make those checks during ant target execution (but I'd need to learn a bit about the system) and warn user of such things.

Yes, the 6-character password

Branko Majic — 11. August 2011 - 22:46

Yes, the 6-character password is a requirement for keytool to work. I'll try to add this information as soon as possible (there's some tidbits that need to be changed already, just can't get enough time to do it). I'm also working on introductory material for the cookbook (a bit stalled atm, unfortunately).

Hm... Maybe in case of Opera the problem is the DN ordering? EJBCA by default uses LDAP-like notation, distinct to more broad from left to right. This, for example, can cause issues for IBM Domino. You could turn off the LDAP ordering to see if Opera will swallow such certificates instead (maybe you could even generate a self-signed certificate with openssl just to verify importing).

Always glad to hear that people are finding these guides useful :)

Still a long way to go for the cookbook, though ;)

How to generate Certs from a DB

Tupac (not verified) — 10. June 2011 - 17:48

Hi:

Nice tutorial Branko. I've just installed EJBCA for evaluation purpose in my job.
My goal is to generate automatically Certs for 50.000 users saved in an Oracle DB.
But, now I need some help.

Can you tell me what is the best way to do this?
Does the EJBCA suit me or do I need additional tools?

We can keep in touch through e-Mail if you prefer.
Thank you in advance,
Tupac

Depends on requirements

Branko Majic — 10. June 2011 - 21:04

I haven't dealt with that much myself, but you could attempt using the web service provided by the EJBCA, and there's also possibility of scripting it by using the ejbca.sh utility.

It all depends on what you want to achieve. Do you just want to create end entities, and send out e-mail notifications to persons who will afterwards connect to the web interface and get the certificate/key themselves? Do you intend to prepare a huge batch which will be used to populate some hardware token (smart-cards, USB flash drives, or something else)? Do you want to be able to use external key for signing the CSR?

It also depends on how you define "automatically". If you have some kind of existing database with all the necessary data, you could create end entities through a shell (bash/python/perl) script (using the above-mentioned ejbca.sh ra functionality). In this case you want to be careful to make sure that each entity is generated properly. Maybe splitting it all into several batches.

If you want operators to enter data for it, you'd probably go for some kind of custom web interface and interaction through the web service.

Just a small suggestion - make sure you've estimated how much time it takes for your CA server to generate the keys. You could also stress-test it a bit by using the openssl utility for generating those. Two impossible aspects are the amount of entropy on the server, and possibly an existence of a crypto-accelerator (HSM). I've ran into some interesting articles about entropy myself (and _still_ haven't read them due time constraints :). Here are the links (take note that I haven't tried/used etc. the Entropy Key, but just found the concept interesting):

http://www.linuxfromscratch.org/hints/downloads/files/entropy.txt
http://linuxcertified.com/hw_random.html
http://www.entropykey.co.uk/

Two (personal) examples on entropy use:

1. I was setting-up a Kerberos server on a virtual machine. The installation step where the keys were generated took quite a while. As it turned out, the key generator was trying to get enough entropy, and virtual machine didn't provide enough.
2. Cisco VPN client on GNU/Linux used to take quite long to connect to server (IPSec). At some point I got annoyed, and started moving mouse over my desktop (the "come on, you damn thing, work!" nervous procedure). And whoosh - the client connected. A small strace afterwards, and I discovered the client used /dev/urandom. Mouse movement generated enough entropy obviously :)

I hope this is useful for you :)

Thanks, your answer was pretty useful ...

Tupac (not verified) — 10. June 2011 - 23:12

Hi Branko:

Thank you a lot for your answer.
I´m not an expert and your post was useful to make me more clear about this issue.
Let me explain my original question.

I was reading some documentation and I think there are two steps to get my goal:
1. To create 50.000 end-entities and generate their CSRs from validated data stored in an Oracle DB ("automatically" is the key word).
2. To generate my 'Certificates/Keys' from those CSRs and stored them back in the Oracle DB.

So, at the moment I´m in the first step and I wonder: Is there any EJBCA tool or external tool to open the conection with the database and read it in order to let the EJBCA to create its end-entities and generate all the CSRs by itself? Is it possible? Furthermore, these 'certificates/keys' have to be uploaded to personal smartcards in order to sign secure messages.

Maybe, I have to program a Java application to generate these CSRs and save them in some batch file (but what about of the ejbca end-entities?). Then, I will be able to send these CSRs to the CA server.

Now, I'm evaluating the configuration and functionality of the EJBCA. It's a quiete interesting tool. Nevertheless, my final requirement is to do it for about 20 million users. Then, I think, we will have the chance to talk more about the entropy on the server and other issues. :)

Cheers, I look foward your advice.
Tupac

Well, there's this -

Branko Majic — 10. June 2011 - 23:49

Well, there's this - Framework for External Data Sources (haven't worked with this, and I'm generally more of a sysadmin than Java coder). You can also write custom application that'd read things from the database and create entities on EJBCA through web service API (or as fallback through command-line ejbca.sh script) - implementing practically a registration authority of your own. If you want any kind of complex identity management or smart-card management (reissuing documents and tracking them), you'll want to use the custom application approach (probably something web-based).

For CSR generation you'll need private keys for those end entities and information about end entities (you've got this in that Oracle database, if I got it right). Now, seeing you want to use smart-cards, there's an important aspect to think about - do you want non-repudiation? If yes, it will be desirable that the cards generate the private key and that the private key doesn't leave the cards (again, using the web service API you can send CSR's signed by those cards to EJBCA). If not, you can just let EJBCA generate both the keys and certificates by itself.

Nice tutorial

Anonymous — 26. May 2011 - 19:54

I folowed your tutorial and i have an error when i try ant install - "BUILD FAILED
/opt/ejbca_4_0_2/build.xml:61: The following error occurred while executing this line:

an you hellp me please?

thans

Could you possible upload the

Branko Majic — 27. May 2011 - 11:37

Could you possibly upload the full error message/trace onto pastebin.com or some similar service? (if it's too big, if it's smaller or you can identify the important parts, you can copy it over here).

Glad you like the tutorial :)

Thank you for your tutorial

linuxgeek (not verified) — 2. February 2012 - 15:08

Hi,

I followed your tutorial to the letter and I also encountered a similar problem that Anonymous encountered in the post "Nice Tutorial". The following error is displayed.

---Begin---
BUILD FAILED
/opt/ejbca_4_0_7/build.xml:64: The following error occurred while executing this line:
/opt/ejbca_4_0_7/bin/cli.xml:93: The following error occurred while executing this line:
/opt/ejbca_4_0_7/bin/cli.xml:128: Batch generation failed!
--End---

My system specs are as follow:
OS: Debian Squeeze
Java: Open-JDK6
MySQL: Version 14.14 Distribution 5.1.49
EJBCA: Version 4.0.7
JBoss: Version 5.1.0-GA
Ant: Apache Version 1.8.0

The complete output log can be located at: http://pastebin.com/P4i28D5B

I would appreciate any help that I can receive as I am not sure what is wrong.

Thank you for the tutorial and all the time you have invested.
linuxgeek

Ok, so this happened when you

Branko Majic — 2. February 2012 - 23:43

Ok, so this happened when you ran the ant install command, but did you previously start the JBoss EJBCA instance? It might be a good idea to also check if the server started-up correctly by looking at the server.log file. Could you possibly paste the server.log somewhere?

(it might take me some time to respond to this, I'm going to FOSDEM tomorrow :)

Key encipherment in person signing certificate

Branko Majic — 8. May 2011 - 17:36

Ok, I've made a small change related to the key usage for the person signing certificate profile. If key encipherment is turned on, Thunderbird and other mailing programs are likely to pick-up a wrong certificate for actual encryption purposes.

Some minor things..

Anonymous — 29. March 2011 - 10:25

Nice howto!

J2EE5: EJBCA 3.x is J2EE and EJBCA 4.x is JEE5 compliant. Same with the app-server. JEE can be used for short.

"In addition to implementing an X.509 certification authority, ..." should probably be "In addition to implementing an X.509 PKI, ...".

The only thing really missing for a basic PKI setup, is a "securing JBoss" part.. Check out http://www.ejbca.org/security.html#Securing%20JBoss for some hints.

Thanks, I've corrected the

Branko Majic — 29. March 2011 - 19:19

Thanks, I've corrected the J2EE part. I always get annoyed by some of the acronyms/shorts used throughout the Java world :)

When it comes down to the implementing sentence, my intention was to emphasize that beyond CA it also implements additional features. I've emphasized the CA part since this part of the book actually concerns that one in particular (i.e. PKI would encompass CA, OCSP, RA etc).

When it comes down to JBoss, yes, it would certainly be a nice addition. If I catch some time I'll probably document it, although maybe in a separate "book" (and probably when I have enough time). I've done some securing in the past by protecting those parts of the web-site with usernames/passwords. An interesting option would be to actually use the https (forcing the user to redirect there if they attempt to access through plain http). I've added a link to the above page at the end of the Setting-up JBoss AS section.

securing JBoss

Anonymous — 31. March 2011 - 14:05

You should simply add something simple like, http://ejbca.org/security.html#Securing%20JBoss.

Since JBoss (4 and 5 available) have glaring security holes, if someone follows this guide and puts the installation public he will get hacked very quickly.

Added basic instructions

Branko Majic — 31. March 2011 - 21:02

Thanks. I've added some basic instructions, based on EJBCA's Securing JBoss page, and I've also added a link to the JBoss wiki page with more details for interested.

Search

Gallery

Random Image

Recent blog posts

Links