For more information and reference to all parts of the series, visit Modern and future-proof solution for PKI and trust management.
After successful deployment of CZERTAINLY platform, we are ready to integrate it with various technologies and prepare the necessary configuration. This allows us to automate trust services lifecycle for current and all future use-cases.
In this part of the guide to modern PKI, we are going to integrate the EJBCA instance we deployed and prepared in Setting up the EJBCA and Preparing the certification authority.
Once this step is done, we are ready to discover certificates issued by the certification authorities, manage the certificate lifecycle, use standardized protocols such as ACME, automate certificate distribution, and more.
Configure EJBCA protocols
CZERTAINLY communicates with EJBCA through its Web Services and REST API. The following protocols must therefore be enabled and allowed in EJBCA:
- Web Service
- REST Certificate Management V2
The Web Service interface is mandatory, as it serves as the primary entry point for certificate management operations. The REST Certificate Management V2 interface is optional; it is required only if you want to run the certificate discovery process against EJBCA.
To reach the EJBCA protocols, the firewall must allow inbound connections from the connector to the EJBCA TCP port, which is 8443 by default. Make sure this network connection is established before proceeding to the next steps.
The administrator certificate is used to authenticate and authorize requests coming from CZERTAINLY. Enroll a new administrator using the AdministratorEndEntityProfile:
- Key-pair generation: By the CA
- Common Name: Modern PKI Administrator
- Username: modern-pki-administrator
- Enrollment code: your-strong-password
Download the administrator certificate and private key as a PKCS#12 file. We will use it later to authenticate to the EJBCA interfaces.
Configure CZERTAINLY role
The CZERTAINLY role in EJBCA defines the access rules and permissions granted to a given user within EJBCA.
The following access rules should be allowed for the CZERTAINLY role:
- /administrator/
- /ca/ModernClientSubCA/
- /ca/ModernServerSubCA/
- /ca_functionality/create_certificate/
- /endentityprofilesrules/PartnerClientEndEntityProfile/
- /endentityprofilesrules/WebServerEndEntityProfile/
- /ra_functionality/create_end_entity/
- /ra_functionality/delete_end_entity/
- /ra_functionality/edit_end_entity/
- /ra_functionality/revoke_end_entity/
Once the role is created, add the Modern PKI Administrator as a member of the CZERTAINLY role.
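EJBCA access rules are hierarchical paths, so a role that allows /ca/ reaches every CA, not just the two sub CAs listed above. The following script, an added example that is not part of this guide nor of CZERTAINLY or EJBCA, compares the rules actually granted to a role (here a constructed sample list, standing in for what you read off the EJBCA role page) against the minimum set listed above and reports rules that are missing, broader than needed, or simply not in the list.

```python
"""Review an EJBCA role's access rules against the set CZERTAINLY needs.

Added example; the required rule set is the one listed in the guide, the
role under review is a constructed sample. EJBCA rule paths are hierarchical:
a granted "/ca/" covers "/ca/ModernClientSubCA/" and every other CA, and the
root rule "/" covers everything.
"""

# Rules the guide lists for the CZERTAINLY role.
REQUIRED_RULES = {
    "/administrator/",
    "/ca/ModernClientSubCA/",
    "/ca/ModernServerSubCA/",
    "/ca_functionality/create_certificate/",
    "/endentityprofilesrules/PartnerClientEndEntityProfile/",
    "/endentityprofilesrules/WebServerEndEntityProfile/",
    "/ra_functionality/create_end_entity/",
    "/ra_functionality/delete_end_entity/",
    "/ra_functionality/edit_end_entity/",
    "/ra_functionality/revoke_end_entity/",
}

# Constructed sample of what a hand-built role might look like.
SAMPLE_ROLE = [
    "/administrator/",
    "/ca/",                                   # broader than the two sub CA rules
    "/ca_functionality/create_certificate/",
    "/endentityprofilesrules/PartnerClientEndEntityProfile/",
    "/endentityprofilesrules/WebServerEndEntityProfile/",
    "/ra_functionality/create_end_entity/",
    "/ra_functionality/edit_end_entity/",
    "/ra_functionality/revoke_end_entity/",   # delete_end_entity is missing
    "/ra_functionality/view_end_entity/",     # not in the guide's list
]


def normalize(rule):
    """EJBCA rule paths are written with a leading and a trailing slash.

    The trailing slash matters for prefix checks: "/ca/" must not match
    "/ca_functionality/...".
    """
    rule = rule.strip()
    if not rule.startswith("/"):
        rule = "/" + rule
    if not rule.endswith("/"):
        rule += "/"
    return rule


def covers(granted, required):
    """True if the granted rule equals the required one or is an ancestor of it."""
    return required == granted or required.startswith(granted)


def review_role(granted_rules, required=REQUIRED_RULES):
    """Return which required rules are missing, which granted rules are broader
    than a required one, and which are outside the required set altogether."""
    granted = {normalize(r) for r in granted_rules}
    missing = sorted(r for r in required
                     if not any(covers(g, r) for g in granted))
    # A strict ancestor of a required rule works, but grants more than needed.
    broader = sorted(g for g in granted
                     if g not in required and any(r.startswith(g) for r in required))
    extra = sorted(g for g in granted if g not in required and g not in broader)
    return {
        "missing": missing,
        "broader": broader,
        "extra": extra,
        "ok": not (missing or broader or extra),
    }


if __name__ == "__main__":
    for key, value in review_role(SAMPLE_ROLE).items():
        print("%-8s %s" % (key, value))
```

Run it against the rules exported from your own role; a result with an empty "missing" list but a non-empty "broader" list is the typical sign of a role that was created with /ca/ or / to "make it work" and never tightened.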
Create SoftKeyStore credential
The SoftKeyStore kind of credential holds the administrator credential used to access the EJBCA interfaces. Create a new credential in CZERTAINLY:
- Credential Name: Modern PKI Administrator
- Credential Provider: Common-Credential-Connector (if you have a different name, select it)
- Kind: SoftKeyStore
- Key Store Type: PKCS#12
- Upload your PKCS#12 administrator certificate
- Key Store Password: your-strong-password
- Trust Store: configure it with your trusted certificates, i.e. the Management CA and the EJBCA server certificate
Once the credential is successfully created, you should be able to see its details, including the UUID of the credential.
Create authority instance
We will establish an authorized connection to EJBCA using the Modern PKI Administrator credential and the Web Services. Create a new authority in CZERTAINLY:
- Certification Authority Name: Modern EJBCA
- Authority Provider: EJBCA-NG-Connector (if you have a different name, select it)
- Kind: EJBCA
- EJBCA WS URL: the URL of your EJBCA Web Services (https://[host]:[port]/ejbca/ejbcaws/ejbcaws?wsdl)
- Credential: Modern PKI Administrator
Once the authority is successfully created, you should be able to see its details, including the UUID of the authority.
Test the integration
When your integration is configured, you can test that everything works as expected by trying to load EJBCA resources while creating a new RA Profile.
Create a new RA Profile and select Modern EJBCA as the Authority. If the integration is configured properly, the allowed end entity profiles, certificate profiles, and certification authorities will be loaded.
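If the RA Profile form stays empty, it helps to reproduce from the command line what the connector does when it talks to EJBCA: open TLS to the WS URL, present the administrator certificate, trust the server through the Management CA, and fetch the WSDL. The script below is an added example, not CZERTAINLY or EJBCA code. Python's ssl module cannot read PKCS#12 directly, so it assumes the administrator certificate and key have been exported to PEM files and that the trust store is a PEM bundle; all file paths and the host name are placeholders.

```python
"""Pre-flight check of the EJBCA Web Service endpoint.

Added example. Assumes the PKCS#12 administrator credential has been exported
to PEM (certificate and key) and that the trust store is a PEM bundle
containing the Management CA and the EJBCA server certificate chain.
"""
import http.client
import ssl
import sys
from urllib.parse import urlsplit

# Path given in the guide for the EJBCA Web Services WSDL.
DEFAULT_WS_PATH = "/ejbca/ejbcaws/ejbcaws?wsdl"


def parse_ws_url(url):
    """Split the WS URL into (host, port, path); reject anything but HTTPS.

    The connector authenticates with a client certificate, which only works
    over TLS, so a plain http:// URL is a configuration error, not a fallback.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        raise ValueError("EJBCA WS URL must use https, got %r" % parts.scheme)
    if not parts.hostname:
        raise ValueError("EJBCA WS URL has no host")
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    return parts.hostname, parts.port or 443, path


def check_ws_endpoint(url, client_cert_pem=None, client_key_pem=None,
                      trust_store_pem=None, timeout=5.0):
    """Fetch the WSDL with the administrator certificate and report the outcome.

    Returns a dict: ok is True only when the server answered 200 with a WSDL
    body. A TLS error usually means the trust store or client certificate is
    wrong; a 401/403 means the certificate was accepted by TLS but the
    administrator is not authorized (check the role membership).
    """
    host, port, path = parse_ws_url(url)
    # Server verification against the trust store (None = system default CAs).
    ctx = ssl.create_default_context(cafile=trust_store_pem)
    if client_cert_pem:
        ctx.load_cert_chain(client_cert_pem, client_key_pem)
    result = {"url": url, "ok": False, "status": None, "error": None}
    try:
        conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=timeout)
        conn.request("GET", path)
        resp = conn.getresponse()
        body = resp.read(4096)          # the WSDL root element appears early
        conn.close()
        result["status"] = resp.status
        if resp.status in (401, 403):
            result["error"] = "administrator certificate not authorized"
        result["ok"] = resp.status == 200 and b"definitions" in body
    except (OSError, http.client.HTTPException) as exc:  # ssl.SSLError is an OSError
        result["error"] = "%s: %s" % (type(exc).__name__, exc)
    return result


if __name__ == "__main__":
    # Usage: check_ws.py <ws-url> <admin-cert.pem> <admin-key.pem> <truststore.pem>
    # (placeholder file names; export them from your PKCS#12 first)
    print(check_ws_endpoint(*sys.argv[1:5]))
```

The same script run with an empty trust store or without the client certificate is a quick way to confirm that EJBCA really does refuse unauthenticated callers on the Web Service port.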
Get more information about CZERTAINLY
CZERTAINLY is an open-source platform for effective and efficient certificate lifecycle management for companies of any size and for individuals. One of its goals is to provide an easy and affordable way to secure digital communication and support information security in an increasingly connected world.
Do not hesitate to get in touch with us!