For more information and reference to all parts of the series, visit Modern and future-proof solution for PKI and trust management.
A certification authority is the heart of a PKI: it issues, renews, and revokes certificates. In a modern infrastructure you will probably need multiple certification authorities for different purposes, such as certificates for web servers, clients, and code signing.
In this part of the guide to modern PKI, we will take a look at how to install and set up EJBCA. We will use EJBCA as one of the PKI software components that operate certification authorities and issue certificates.
Prerequisites
The following is assumed to be already available before installing EJBCA:
- Kubernetes 1.19+
- Helm 3.2.0+
- PostgreSQL 11+
If you would like to expose EJBCA to the outside world through Ingress, you should also install an Ingress Controller if none is available. In this guide we are going to use a NodePort service instead of Ingress to access the EJBCA deployment.
Deployment of EJBCA
For a successful deployment of EJBCA we need to execute the following steps, each of which is described below:
- Create database and database user
- Prepare namespace and Helm chart repository
- Deploy EJBCA
- Access EJBCA Admin Web
Create database and database user
Connect to your PostgreSQL database server and execute the following commands to create the user and the database that EJBCA will use:
postgres=# CREATE USER ejbcauser WITH PASSWORD 'your-strong-password';
postgres=# CREATE DATABASE ejbca ENCODING 'UTF8' LC_COLLATE='en_US.UTF-8' LC_CTYPE='en_US.UTF-8' TEMPLATE=template0;
postgres=# GRANT ALL PRIVILEGES ON DATABASE ejbca to ejbcauser;
The database name is ejbca and the user with access to it is ejbcauser. We will use these values during deployment.
Prepare namespace
We’ll need to define a Kubernetes namespace into which the resources created by the chart will be installed. The namespace will be named ejbca:
% kubectl create namespace ejbca
Add Helm chart repository
Use the helm repo add command to add the Helm chart repository that contains the charts for installing EJBCA:
% helm repo add ejbca https://harbor.3key.company/chartrepo/ejbca-ce
Deploy EJBCA
Everything we need should now be prepared for the deployment of EJBCA. We need to specify the database properties for accessing the ejbca database, plus a few other properties for the web interface and the container images:
- database.type – database technology, in our case postgresql
- database.host – hostname of the database
- database.port – database port number
- database.name – name of the database (ejbca in our case)
- database.username – user to access the database
- database.password – password for the user
- database.properties – database properties to be used with the connection
- ejbca.ui.enabled – creates objects to access EJBCA web interfaces
- ejbca.reverseProxy.caFinderImage.repository – repository for the CA finder image, deployed as the ca-cert-locator init container. The certificate found by this container is used by the reverse proxy for client certificate authentication
- ejbca.reverseProxy.caFinderImage.tag – CA finder image pull tag
- ejbca.ejbcaImage.tag – EJBCA image pull tag
We can install it with the following Helm command:
% helm install --namespace ejbca \
    --set database.type=postgresql \
    --set database.host=host.docker.internal \
    --set database.port=30107 \
    --set database.name=ejbca \
    --set database.username=ejbcauser \
    --set database.password=your-strong-password \
    --set database.properties='?sslmode=disable' \
    --set ejbca.ui.enabled=true \
    --set ejbca.reverseProxy.caFinderImage.repository=harbor.3key.company/ejbca-ce/ejbca-management-ca-locator \
    --set ejbca.reverseProxy.caFinderImage.tag=1.0.0 \
    --set ejbca.ejbcaImage.tag=7.10.0.1 \
    ejbca ejbca/ejbca-ce
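Passing database.password with --set puts the secret into shell history and into the process list of the machine running Helm for as long as the command runs. The following script is an added example (it is not part of the original article or of the EJBCA chart): it renders the same chart values as above into a temporary values file with owner-only permissions, reads the password from an environment variable, and installs the release with -f instead of --set. The value keys are the ones used in the article; the EJBCA_DB_PASSWORD variable, the function names and the use of helm upgrade --install (idempotent, so the script can be re-run) are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original article: install the ejbca/ejbca-ce
# chart from a values file so the database password never appears on the
# helm command line. Assumes the chart value keys shown in the article and
# an EJBCA_DB_PASSWORD environment variable (both assumptions of this example).
set -eu

# Print a values.yaml for the chart. Arguments: db host, db port, db name,
# db user. The password comes from EJBCA_DB_PASSWORD; backslashes and double
# quotes in it are escaped so the YAML double-quoted scalar stays valid.
render_ejbca_values() {
    host=$1; port=$2; name=$3; user=$4
    if [ -z "${EJBCA_DB_PASSWORD:-}" ]; then
        echo "EJBCA_DB_PASSWORD is not set" >&2
        return 1
    fi
    escaped=$(printf '%s' "$EJBCA_DB_PASSWORD" | sed 's/[\\"]/\\&/g')
    cat <<EOF
database:
  type: postgresql
  host: ${host}
  port: ${port}
  name: ${name}
  username: ${user}
  password: "${escaped}"
  properties: "?sslmode=disable"
ejbca:
  ui:
    enabled: true
  reverseProxy:
    caFinderImage:
      repository: harbor.3key.company/ejbca-ce/ejbca-management-ca-locator
      tag: "1.0.0"
  ejbcaImage:
    tag: "7.10.0.1"
EOF
}

# Write the values to a 0600 temp file (mktemp's default mode), install or
# upgrade the release from it, and remove the file afterwards. Note that Helm
# still stores the values in its release Secret in the ejbca namespace, so
# restrict who may read Secrets there.
install_ejbca() {
    values_file=$(mktemp)
    trap 'rm -f "$values_file"' EXIT
    render_ejbca_values "$@" > "$values_file"
    helm upgrade --install ejbca ejbca/ejbca-ce \
        --namespace ejbca \
        -f "$values_file"
    rm -f "$values_file"
}

# Usage: EJBCA_DB_PASSWORD=... ./install-ejbca.sh install <host> <port> <db> <user>
if [ "${1:-}" = "install" ]; then
    shift
    install_ejbca "$@"
fi
```

After installation, helm get values ejbca -n ejbca shows the password in clear text, because that is what the chart consumes; treat access to the release Secret the same way you treat access to the database password itself.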
Now wait a few minutes for Kubernetes to download all required container images (if they are not already present locally) and create all the resources required for the EJBCA deployment. When EJBCA is deployed, you should see that the pod is ready and running:
% kubectl get all -n ejbca
NAME                                  READY   STATUS    RESTARTS   AGE
pod/ejbca-ejbca-ce-6d8cbd7458-zggd6   2/2     Running   0          3m2s

NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
service/ejbca-lb-svc   NodePort    10.102.33.255   <none>        443:32713/TCP,80:32513/TCP   3m2s
service/ejbca-ui       ClusterIP   10.109.34.82    <none>        8443/TCP                     3m2s

NAME                             READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/ejbca-ejbca-ce   1/1     1            1           3m2s

NAME                                        DESIRED   CURRENT   READY   AGE
replicaset.apps/ejbca-ejbca-ce-6d8cbd7458   1         1         1       3m2s
Access EJBCA Admin Web
During the initial deployment, the database is bootstrapped, the ManagementCA is generated, and the initial superadmin end entity is prepared. The information needed to issue the certificate for superadmin is printed in the log of the ejbca-ce-init container. Look for a block similar to the following:
% kubectl logs -c ejbca-ce-init -n ejbca ejbca-ejbca-ce-6d8cbd7458-zggd6
**************************************************************************************
* A fresh installation was detected and a ManagementCA was created for your initial  *
* administaration of the system.                                                     *
*                                                                                    *
* Initial SuperAdmin client certificate enrollment URL (adapt port to your mapping): *
*                                                                                    *
* URL: https://ejbca-ejbca-ce-6d8cbd7458-zggd6:443/ejbca/enrol/keystore.jsp          *
* Username: superadmin                                                               *
* Password: hAEjPmy9JudNosM+VGfItGYu                                                 *
*                                                                                    *
* Once the P12 is downloaded, use "hAEjPmy9JudNosM+VGfItGYu" to import it.           *
**************************************************************************************
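The readiness check above and the manual reading of the init container log can be scripted. The following is an added example (not part of the original article or the EJBCA project): it waits for the deployment rollout, extracts the enrollment URL, username and one-time password from the ejbca-ce-init log using the asterisk-framed layout shown above, and rewrites the in-cluster URL to the host and NodePort used from outside. The resource names (ejbca-ejbca-ce, ejbca-lb-svc, container ejbca-ce-init) are those shown in the article's output; the sample log embedded in the script is constructed, with a placeholder password.

```shell
#!/bin/sh
# Added example, not from the original article: wait for EJBCA and read the
# SuperAdmin bootstrap banner from the init container log. Assumes the
# resource names printed by `kubectl get all -n ejbca` in the article.
set -eu

NAMESPACE=${NAMESPACE:-ejbca}
DEPLOYMENT=${DEPLOYMENT:-ejbca-ejbca-ce}

# Constructed sample of the ejbca-ce-init banner (placeholder password).
SAMPLE_INIT_LOG=$(cat <<'EOF'
****************************************************************************
* A fresh installation was detected and a ManagementCA was created        *
* Initial SuperAdmin client certificate enrollment URL (adapt port):      *
* URL: https://ejbca-ejbca-ce-6d8cbd7458-zggd6:443/ejbca/enrol/keystore.jsp *
* Username: superadmin                                                     *
* Password: example-bootstrap-password                                     *
* Once the P12 is downloaded, use "example-bootstrap-password" to import.  *
****************************************************************************
EOF
)

# Block until all replicas of the deployment are available (up to 5 minutes).
wait_for_ejbca() {
    kubectl rollout status "deployment/${DEPLOYMENT}" -n "$NAMESPACE" --timeout=300s
}

# Read the init container log from stdin and print url=, username= and
# password= lines. Returns 1 when no banner is present, which is what you get
# on a re-deployment against an already bootstrapped database.
parse_bootstrap_log() {
    found=0
    while IFS= read -r line; do
        # strip the decorative asterisks and surrounding whitespace
        clean=$(printf '%s' "$line" | sed 's/\*//g; s/^[[:space:]]*//; s/[[:space:]]*$//')
        case $clean in
            URL:*)      printf 'url=%s\n' "${clean#URL: }"; found=1 ;;
            Username:*) printf 'username=%s\n' "${clean#Username: }" ;;
            Password:*) printf 'password=%s\n' "${clean#Password: }" ;;
        esac
    done
    [ "$found" -eq 1 ]
}

# NodePort that fronts container port 443 on the ejbca-lb-svc service.
lb_nodeport() {
    kubectl get svc ejbca-lb-svc -n "$NAMESPACE" \
        -o jsonpath='{.spec.ports[?(@.port==443)].nodePort}'
}

# Rewrite the in-cluster URL from the banner to an external host and port,
# keeping only the path (the article maps 443 to NodePort 32713).
external_enrol_url() {
    host=$1; port=$2; url=$3
    path=${url#*://}   # drop the scheme
    path=${path#*/}    # drop host:port, keep the path
    printf 'https://%s:%s/%s\n' "$host" "$port" "$path"
}

# Usage: ./ejbca-bootstrap.sh run [external-host]
if [ "${1:-}" = "run" ]; then
    wait_for_ejbca
    creds=$(kubectl logs "deployment/${DEPLOYMENT}" -c ejbca-ce-init -n "$NAMESPACE" \
        | parse_bootstrap_log)
    url=$(printf '%s\n' "$creds" | sed -n 's/^url=//p')
    printf '%s\n' "$creds" | grep -v '^url='
    printf 'external_url=%s\n' "$(external_enrol_url "${2:-localhost}" "$(lb_nodeport)" "$url")"
fi
```

Because the bootstrap password sits in the pod log, anyone with read access to pods/log in the ejbca namespace can obtain it until the superadmin certificate has been enrolled, so enrol right after deployment and keep log access in that namespace limited.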
Now you can access the web interface to enrol the superadmin certificate:
- https://localhost:32713/ejbca/enrol/keystore.jsp (change your host accordingly)
and enrol with superadmin as the username and the uniquely generated password from the ejbca-ce-init container log above:
- Set key specification to RSA 2048 bits
- Set certificate profile to ENDUSER
Once your certificate, in the form of a PKCS#12 file, is downloaded, import it into your browser and access the Admin Web, authenticating with the superadmin certificate:
- https://localhost:32713/ejbca/adminweb (change your host accordingly)
And that’s it! Your EJBCA instance is successfully deployed, and you can start building certification authorities. Easy, right?
Next steps
When you have successfully deployed EJBCA, you can start experimenting with the various configuration options and fine-tune your PKI. You can find the list and description of all Helm chart values in the GitHub repository.
You can change the behavior and state of your deployment over time using Helm. Some of the changes may involve:
- Database migration
- Change of web certificates
- Ingress Controller configuration
- Replication setup to achieve high availability and failover
In the next articles, we will prepare a new hierarchy of certification authorities to start managing web server certificates.