For more information and reference to all parts of the series, visit Modern and future-proof solution for PKI and trust management.
We have built the certificate inventory that gives us overview of certificates being used in the infrastructure. Now we want to start to manage these certificates, including issuing new certificates. We can achieve certificate management through so called RA Profiles.
Certificate management has many faces. For someone it is about ability to issue and revoke certificate. However, the complete certificate management consists of many operations, including validation of the certificate, compliance status, automation of the certificate distribution and renewal.
And all of that can be done through various interfaces and tools. We will focus on how RA Profile helps to achieve certificate management consistently in one place that supports integration with literally any technology.
What is RA Profile?
RA Profile is a representation of attributes that collectively provides a complete configuration of the certificate service which can be used by users and applications in a consistent and convenient way.
RA Profile provides an abstraction of the certificate management service configuration through for example:
- Certification authority and its related information
- Certificate management technology-specific attributes
- Service-related configuration
- Access control configuration
- Compliance profiles
- Protocol configuration
The RA Profiles provides a service for management of specific certificate types and for specific purpose. Some examples of RA Profiles are:
- service for infrastructure administrators that need to manage web server certificates
- service for IoT devices that need to issue and renew certificates frequently
- personal certificates to be provisioned and decommissioned for employees
Each RA Profile provides a logically separated service that can enforce certificate management rules independently on the technology being used.
In the previous parts of the guide to modern PKI, we have prepared the certification authority including the integration with the CZERTAINLY platform that are prerequisites to start defining your own RA Profiles.
Create RA Profile
We are ready to create RA Profile for the management of web server certificates. It is based on the EJBCA certification authority and end entity profiles we have created and integrated with the platform.
Create new RA Profile with the following properties:
- RA Profile Name: Web Server
- Description: RA Profile for management of internal web server certificates
- Select Authority: select your EJBCA Authority instance available
RA Profile attributes are loaded based on the selected Authority instance. These attributes define the behaviour of the certificate management integration with selected technology. We will configure attributes to manage web server certificates issued by EJBCA.
- End Entity Profile: select WebServerEndEntityProfile
- Certificate Profile: select WebServerEndEntityCertificateProfile
- Certification Authority: select ModernServerSubCA
- Send Notifications: we can keep unchecked
- Key Recoverable: keep unchecked
- Username Generation Method: RANDOM, the username will be randomly generated as Base64-encoded string
- Username Prefix: czertainly-, randomly generated username will be prefixed with this value
- Username Postfix: -generated, randomly generated username will be postfixed with this value
Create Web Server RA Profile. Enable the Web Server RA Profile to start working with it.
The basic certificate management operations are issue, renew, and revoke. We will create a sample web server certificate, then renew it, and eventually revoke the web server certificate.
First, generate the private key and CSR using the OpenSSL, or any other tool of your choice:
openssl req -newkey rsa:2048 -keyout webserver01.key -out webserver01.csr -nodes -subj "/CN=test.example.com"
Through the certificate inventory, create new certificate and provide information to issue certificate:
- RA Profile: select Web Server from the list of available RA Profiles
- Upload the CSR
- Fill in additional information like Email, Subject Alternative Name, or Extension Data
Once the certificate is issued, it is included in the inventory, assigned to Web Server RA Profile for the management. You can find it for example using the Common Name = test.example.com and see all its details.
In the certificate details, we can ask for renewal of the certificate. For the renewal, we do not need new information, as we already have the attributes and other properties related to the certificate.
You can create new CSR with existing key using the following command:
openssl req -new -key webserver01.key -out webserver01_new.csr -subj "/CN=test.example.com"
Upload new CSR to renew certificate for web server test.example.com. You can notice that there are 2 different certificates in the inventory with the same Common Name = test.example.com.
In the certificate details, you can revoke the certificate. Select the certificate and revoke it choosing the UNSPECIFIED revocation reason. The status of the certificate is changed to Revoked.
The RA Profile can be configured to meet the specific certificate management needs and to provide service for group of users, application, or machines.
For the advanced configuration of the certificate management, you can try to:
- create specific roles with permissions to be assigned for the RA Profile
- enable protocols for RA Profile like ACME
- manage certificate compliance through Compliance Profile attached to the RA Profile
- and more
Advanced configuration supports the automation of the certificate lifecycle operations that is the ultimate goal for each RA Profile.
Get more information about the CZERTAINLY
CZERTAINLY is an open-source platform for effective and efficient certificate lifecycle management for companies of any size and individuals. One of its goals is to provide an easy and affordable way to secure digital communication and support information security in more and more connected world.
Do not hesitate to get in touch with us!