Guide to modern PKI: Integration and configuration

Modern and future-proof solution for PKI and trust management This is a part of a series of articles about building a modern and future-proof solution for PKI and trust management using CZERTAINLY platform and various technologies.
For more information and reference to all parts of the series, visit Modern and future-proof solution for PKI and trust management.

After successful deployment of CZERTAINLY platform, we are ready to integrate it with various technologies and prepare the necessary configuration. This allows us to automate trust services lifecycle for current and all future use-cases.

In this part of the guide to modern PKI, we are going to integrate EJBCA we have deployed and prepared in Setting up the EJBCA, and Preparing the certification authority.

Once this step is done, we are ready to discover certificates issued by certification authorities, manage certificates lifecycle, use standardized protocols like ACME, automate certificate distribution, and many more.

Connectors Successful integration of EJBCA with CZERTAINLY requires the following connectors to be registered and available in the platform: Common Credential Provider, EJBCA NG Connector. Check if these connectors are available and ready in the Connector Store.

Configure EJBCA protocols

CZERTAINLY works with the EJBCA through the Web Services and REST API. The following protocols should be therefore enabled and allowed in the EJBCA:

Web Service
REST Certificate Management V2

Web Service interface is mandatory, as it serves as a primary point for the certificate management operations. The REST Certificate Management V2 is optional, and it must be available in case you want to run certificate discovery process on the EJBCA.

Firewall configuration

To access the EJBCA protocols, the firewall needs to allow inbound connections from the connector on TCP/IP port, which is 8443 by default. Make sure you have network connection successfully established before next steps.

Enroll administrator

The certificate for the administrator is used to authenticate and authorize requests coming from CZERTAINLY. Enroll new administrator using the AdministratorEndEntityProfile:

Key-pair generation: By the CA
Common Name: Modern PKI Administrator
Username: modern-pki-administrator
Enrollment code: your-strong-password

Download PKCS#12 administrator certificate and private key. We will use this later for authentication to the EJBCA interfaces.

Configure CZERTAINLY role

The CZERTAINLY role in the EJBCA represents the access rule and permissions that are allowed for a given user within the EJBCA.

The following access rules should be allowed for the CZERTAINLY role:

/administrator/
/ca/ModernClientSubCA/
/ca/ModernServerSubCA/
/ca_functionality/create_certificate/
/endentityprofilesrules/PartnerClientEndEntityProfile/
/endentityprofilesrules/WebServerEndEntityProfile/
/ra_functionality/create_end_entity/
/ra_functionality/delete_end_entity/
/ra_functionality/edit_end_entity/
/ra_functionality/revoke_end_entity/

RA Administrators You can also use the RA Administrator role template to quickly configure access to required certification authorities and end entity profiles.

Once the role is created, assign the Modern PKI Administrator to the role CZERTAINLY as member.

Create SoftKeyStore credential

The SoftKeyStore kind of credential represents the administrator credential to access the EJBCA interfaces. Create new credentials in CZERTAINLY:

Credential Name: Modern PKI Administrator
Credential Provider: Common-Credential-Connector (if you have a different name, select it)
Kind: SoftKeyStore
Key Store Type: PKCS#12
Upload your PKCS#12 administrator certificate
Key Store Password: your-strong-password
Trust Store: configure according to your trusted certificates of Management CA and server certificate

Once the credential is successfully created, you should be able to see its details, including the UUID of the credential.

Trusted certificates The Trust Store should be configured to access EJBCA services that have a server certificate issued by internal CA. The certificate of the internal CA should be trusted in order to successfully establish mutually authenticated connection between CZERTAINLY and EJBCA.

Create authority instance

We will establish authorized connection with EJBCA using the Modern PKI Administrator and Web Services. Create new authority in the CZERTAINLY:

Certification Authority Name: Modern EJBCA
Authority Provider: EJBCA-NG-Connector (if you have a different name, select it)
Kind: EJBCA
EJBCA WS URL: your URL address to EJBCA Web Services (https://[host]:[port]/ejbca/ejbcaws/ejbcaws?wsdl)
Credential: Modern PKI Administrator

Once the authority is successfully created, you should be able to see its details, including the UUID of the authority.

Test the integration

When your integration is configured, you can test if everything is working as expected. The test can be done by trying to load EJBCA resources when creating a new RA Profile.

Create a new RA Profile and select Modern EJBCA as Authority. In case the integration is configured properly, allowed end entity profiles, certificate profiles, and certification authorities will be loaded.

EJBCA Integration Guide In the CZERTAINLY documentation, you can find more details about configuration of EJBCA and integration with the platform. See EJBCA integration guide.

Get more information about the CZERTAINLY

Need Help

Do not hesitate to get in touch with us!