EJBCA Cloud & AWS Certificate Manager Integration Guide
Print date: 2019-03-26


EJBCA Cloud & AWS Certificate Manager Integration Guide
Copyright ©2019 PrimeKey Solutions
Solna Access, Sundbybergsvägen 1
SE-171 73 Solna, Sweden
Notice of Rights
All rights reserved. No part of this guide may be reproduced or transmitted in any form by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. For more information on getting permission for reprints and excerpts, contact [email protected].
Notice of Liability
The information in this guide is distributed on an “As Is” basis without warranty. While every precaution has been taken in the preparation of the guide, neither the authors nor PrimeKey shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the instructions contained in the guide or by computer software and hardware products described in it.
Trademarks
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this guide, and PrimeKey was aware of a trademark claim, the designations appear as requested by the owner of the trademark. All other product names and services identified throughout this guide are used in editorial fashion only and for the benefit of such companies with no intention of infringement of the trademark. No such use, or the use of any trade name, is intended to convey endorsement or other affiliation with this guide.
Documentation
Create Root CA Keys
Create the Root and Issuing CA Certificate Profiles
Introduction
Create Root CA Profile
Create End Entity Sub CA Profile
Create Root CA that uses the CloudHSM Crypto Token
Create AWS ACM Certificate Authority CSR
Add ACM PCA End Entity
Fulfill the Pending ACM PCA Certificate Request
EJBCA CLOUD & AWS CERTIFICATE MANAGER INTEGRATION GUIDE
© 2019 PRIMEKEY 4 (4)
Introduction
This Integration Guide is intended to help customers integrate EJBCA Cloud with AWS Certificate Manager (ACM).
ACM requires that you have a Root Certificate Authority (CA) already defined within your organization. By leveraging EJBCA Enterprise Cloud Edition (ECE), you can have a CloudHSM-backed Root CA server with secure key storage from a legitimate PKI product. There is no more need to protect your keys with hacked-together CA servers, or even soft keys with OpenSSL.
AWS Certificate Manager is a service that lets you easily provision, manage, and deploy public and private Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates for use with AWS services. With AWS Certificate Manager, you can quickly request a certificate, deploy it on ACM-integrated AWS resources, such as Elastic Load Balancers, Amazon CloudFront distributions, and APIs on API Gateway, and let AWS Certificate Manager handle certificate renewals.
Leveraging EJBCA ECE in your organization can also support various additional use cases, all from the AWS environment. By creating additional issuing CAs to issue certificates to users, computers, personal devices, and even IoT devices, EJBCA ECE lets you define granular policies for certificate use for Client Certificates, Server Certificates, Code Signing Certificates, Disk Encryption Certificates, PIV Card Certificates and more.
Documentation
EJBCA Enterprise Cloud Edition documentation is available on: https://download.primekey.com/docs/EJBCA-Enterprise-Cloud/latest/
EJBCA Enterprise Edition documentation is available on: https://download.primekey.com/docs/EJBCA-Enterprise/latest/
Additional information on EJBCA Community Edition is available on: www.ejbca.org
Provisioning EJBCA Instance and setting up CloudHSM
EJBCA Enterprise Cloud Edition is available in the AWS Marketplace. If you have not already done so, follow the existing guides to get EJBCA Enterprise Cloud Edition running:
1. Launch EJBCA Cloud using the Launch Guide: EJBCA Cloud Launch Guide.
2. Setup and provision CloudHSM using the CloudHSM Integration Guide: EJBCA Cloud CloudHSM Integration Guide.
Once the EJBCA instance is running in AWS and integrated with CloudHSM (that is, the CloudHSM client is configured) using the guides above, continue with the following steps to create a Root CA and sign the AWS Certificate Manager Private CA (ACM PCA) Certificate Signing Request (CSR).
Create Root CA Keys
The following describes how to create the three keys in the CloudHSM that the Root CA will use, using clientToolBox.
To create a keystore in the HSM using clientToolBox, do the following:
1. Create a testKey with clientToolBox. EJBCA will use this key for the health check and keepalive to the HSM.
NOTE
It is important to run these commands as the wildfly user. This is due to file system access permissions and ensures that wildfly keeps the permissions it needs to use these keys.
# su - wildfly
# /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/PrimeKey/cloudhsm/p11.conf 2048 testKey0001
2. You will be prompted for a password in the format <HSM_CryptoUser>:<password>. For example, the following is the PKCS #11 PIN for an HSM crypto user (CU) with user name CryptoUser and password CUPassword123!:
CryptoUser:CUPassword123!
3. Create a total of three keys for EJBCA:
• testKey (created in step 1)
• signKey
• defaultKey
4. Create two more keys called signKey and defaultKey with the following commands:
# /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/PrimeKey/cloudhsm/p11.conf 4096 signKey0001
# /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/PrimeKey/cloudhsm/p11.conf 4096 defaultKey0001
If ECC keys are desired, you can use a named curve. For example, to generate a key on the prime256v1 curve you could use the following command:
# /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh PKCS11HSMKeyTool generate /opt/PrimeKey/cloudhsm/p11.conf prime256v1 testKeyecdsa0001
For more information consult the EJBCA User Guide on ECC named curves.
Create CloudHSM Crypto Token for Root CA
The following describes how to create a CloudHSM Crypto Token for the Root CA:
1. Under CA Functions, select Crypto Tokens, and then click Create new.
2. On the New Crypto Token page, specify the values as follows:
• Name: <anything> (Name for the Root CA CloudHSM Crypto Token, for example, "Corporate Root CA CloudHSM Crypto Token". Note that this is not the CA name but the name of the token.)
• Type: PKCS#11
• Authentication Code: <HSM_CryptoUser>:<password> (for example, CryptoUser:CUPassword123!)
• AutoActivation: Clear.
• Use Explicit ECC parameters: Clear.
• PKCS#11: Library: AWS CloudHSM
• PKCS#11: Reference Type: Slot ID
• PKCS#11: Reference: 1
• PKCS#11: Attribute Type: Default
3. Click Save.
4. On the Crypto Token: <Name> page, you should then see the three key pairs within the Crypto Token and the information CryptoToken created successfully displayed at the top:
• defaultKey: Used for everything other than signing or testing.
• signKey: Used for certificate signing.
• testKey: Used for the CA health check.
Create the Root and Issuing CA Certificate Profiles
The following sections describe how to create a Root CA Profile and the AWS Issuing CA Profile.
Introduction
Certificate Profiles model how our CAs look with regards to the different types of certificates, DN contents, extensions and so on.
To manage Certificate Profiles, open the Manage Certificate Profiles page (CA Functions > Certificate Profiles).
The following section describes how to create a Root CA Profile.
Create Root CA Profile
Follow these steps to create a Root CA Profile:
1. Clone the ROOTCA profile to create your own for the Root CA you are going to create:
a. Click Clone next to the ROOTCA profile.
b. In Name of new certificate profile, specify Corporate Root CA Certificate Profile and click Create from template.
2. Click Edit on the Corporate Root CA Certificate Profile and specify the following:
a. Available key algorithms: Select desired key algorithm, for example, RSA.
b. Available bit lengths: Select desired bit lengths, for example, 2048-4096.
c. Validity or end date of the certificate: Keep the validity at the default 25y7d.
d. CRL Distribution Points: Select if desired. CRLs hold the revocation status of certificates.
NOTE
To make your CRL Distribution Point an internal server on your network, use an internal DNS name. It is recommended to put the CRL URL behind a CNAME or load-balanced VIP. This way the URL is stamped in the certificate as something that should never change, while the system serving the CRL behind the VIP can change. To make your CRL Distribution Point public, use a public DNS name that points to an IP. If using Amazon AWS and the EJBCA Enterprise Cloud Edition, using an Elastic IP is not recommended, since this IP/URL will change if the node is shut down, invalidating the CRL location. To allow clients to fetch the CRL from the CA directly while having Apache in front of EJBCA, remove port 8080 from the URL and change the DNS name as required. EJBCA does not know whether Apache is in front of it and internally responds on port 8080 in most cases. Example URLs:
From the EJBCA server directly: http://ip-172-16-0-148.ec2.internal/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN=Corporate_Root_CA,O=Corporation,C=US
Served from a web server: http://crl.corporate-dns-url.com/corporate_root_ca.crl (you must set up a script to fetch the CRL and copy the file to the URL you choose).
e. Clear LDAP DN order (to get X509 DN ordering) for greater compatibility with systems that use certificates.
f. Click Save to save the Root CA Profile.
Create AWS ACM Issuing CA Certificate Profile
Follow these steps to create the AWS Issuing CA Profile:
1. Click Clone next to the SUBCA profile.
2. In Name of new certificate profile, specify AWS ACM CA Certificate Profile and click Create from template.
3. Click Edit on the AWS ACM CA Certificate Profile and specify the following.
a. Available key algorithms: Select desired key algorithm, for example, RSA.
b. Available bit lengths: Select desired bit lengths, for example, 2048-4096.
c. Validity or end date of the certificate: Specify the validity 18m (this value will be overridden by the AWS ACM CSR).
4. Check the box titled "Allow Subject DN Override by CSR" under the Permissions section.
5. Clear LDAP DN order (to get X509 DN ordering) for greater compatibility with systems that use certificates.
Create End Entity Sub CA Profile
To create the End Entity Sub CA Profile, do the following:
1. Go to EJBCA Admin Web.
2. Select End Entity Profiles under RA Functions.
3. Enter a name for the EE profile in the Add Profile section, for example "ACM PCA Sub CA EE Profile", and then click Add.
4. Select the ACM PCA Sub CA EE Profile and click Edit End Entity Profile.
5. Select the AWS ACM CA Certificate Profile for Default Certificate Profile and Available Certificate Profile.
6. Select Corporate Root CA - G1 for Default CA and Available CAs.
7. Click Save.
Create Root CA that uses the CloudHSM Crypto Token
To create a Root CA that uses the CloudHSM Crypto Token, do the following:
1. Go to the EJBCA Admin Web and select Certification Authorities.
2. Under the Add CA field, enter a name for the Root CA, for example "Corporate Root CA - G1", and then click Create.
3. Under Crypto Token select the Corporate Root CA CloudHSM Crypto Token Crypto Token. If you named the keys correctly, they should all populate automatically for the proper usages.
4. Under Certificate Profile select Corporate Root CA Certificate Profile.
5. Set the Validity to 25y (or the life you would like this CA to have).
6. Clear LDAP DN order.
7. Click Create.
Create AWS ACM Certificate Authority CSR
To create the AWS ACM Certificate Authority CSR, do the following:
1. Navigate to console.aws.amazon.com and log in with your credentials.
2. From within the AWS Console, select Services and then under Security, Identity, & Compliance, select Certificate Manager.
3. Click Get started.
4. Ensure that Subordinate CA is selected and then click Next.
5. Enter values for Organization (O), Organization Unit (OU), Country Name (C), State or province name, Locality name and Common Name (CN), and then click Next.
6. Ensure RSA 2048 is selected. If any other algorithm is selected (such as ECC), ensure the keys and certificate authority created earlier match.
7. If you want the CRL published to an S3 bucket, select Enable CRL distribution and configure the S3 bucket name.
8. Accept the license agreement for the CA charges and then click Confirm and create.
9. Click Get Started on the success confirmation screen.
10. Export the CSR to a file using the blue link at the bottom of the page. This is the file that we bring over to EJBCA to be signed. Click Next.
Add ACM PCA End Entity
To add the ACM PCA End Entity, do the following:
1. In the EJBCA Admin Web, navigate to RA Functions and select Add End Entity.
2. Under End Entity Profile, select ACM PCA Sub CA EE Profile.
3. Enter the following values:
• Username: acm_pca
• Password: <your chosen password to be used only once>
• CN, Common Name: Corporation AWS CA
• Certificate Profile: AWS ACM CA Certificate Profile
• CA: Corporate Root CA - G1
• Token: User Generated
4. Click Add.
Generate the ACM PCA Certificate for AWS
1. Navigate back to the EJBCA Admin Web and click RA Web.
2. Click Enroll > Use Username.
3. Enter the username and Enrollment Code previously entered into the End Entity. The values used in this guide are:
• Username: acm_pca
• Password: <your chosen password to be used only once>
4. Click Check.
6. Click Download PEM and save the file.
7. Scroll to the top of the RA Web, select CA Certificates and CRLs.
8. Download the public certificate for the Corporate Root CA - G1 by clicking PEM in the Certificate column, and then click Save this file.
Fulfill the Pending ACM PCA Certificate Request
To fulfill the pending ACM PCA Certificate Request, do the following:
1. Return to the AWS ACM configuration wizard.
2. If your console is still open to the Import a signed certificate authority (CA) certificate page, skip to step 8. Otherwise, continue.
3. Sign in to your AWS account and open the ACM PCA console at console.aws.amazon.com/acm-pca/home.
4. Choose Private CAs.
6. Select Actions > Import CA certificate and then click Next.
7. Under Certificate body, click File and browse to the signed CA file, here previously called "AWS Corporation CA.pem".
8. Review the imported text. Remove everything before -----BEGIN CERTIFICATE----- so that the -----BEGIN CERTIFICATE----- line is the first line.
9. Click File again and browse to the Root CA public certificate file, here previously called "CorporateRootCAG1.pem".
10. Review the imported text and remove everything before -----BEGIN CERTIFICATE----- so that the -----BEGIN CERTIFICATE----- line is the first line.
11. Click Next.
12. Confirm that the certificates look correct and click Confirm and import.
13. The ACM PCA wizard returns the following success screen:
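As an added example (not part of the PrimeKey guide), the following Python script automates steps 8 and 10 above: it strips the descriptive text that EJBCA's RA Web places before the PEM block in a downloaded file, checks that what remains is one base64-encoded DER SEQUENCE, and rewraps it into the clean form that the ACM PCA Certificate body and Certificate chain fields accept. The sample inputs are constructed; their base64 body is a minimal DER structure, not a real certificate.

```python
import base64
import re

# Constructed samples of what EJBCA's RA Web PEM download looks like: readable text
# precedes the PEM block. The base64 body is a constructed minimal DER SEQUENCE
# (30 03 02 01 05), not a real certificate; it only exercises the checks offline.
SAMPLE_SIGNED_CA = (
    "Subject: CN=Corporation AWS CA\nIssuer: CN=Corporate Root CA - G1\n"
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
)
SAMPLE_ROOT_CA = (
    "Subject: CN=Corporate Root CA - G1\n"
    "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def is_single_der_sequence(der):
    """True if der is exactly one DER SEQUENCE whose length matches (X.509 shape)."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                      # short-form length
        length, header = first, 2
    else:                                 # long-form length: 0x8N followed by N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length, header = int.from_bytes(der[2:2 + n], "big"), 2 + n
    return header + length == len(der)


def extract_certificates(text):
    """Return clean PEM blocks (BEGIN line first, 64-char base64 lines) found in text."""
    blocks = []
    for match in PEM_RE.finditer(text):
        b64 = "".join(match.group(1).split())
        der = base64.b64decode(b64, validate=True)   # raises ValueError on junk characters
        if not is_single_der_sequence(der):
            raise ValueError("PEM body is not a single DER SEQUENCE")
        body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
        blocks.append(f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n")
    if not blocks:
        raise ValueError("no CERTIFICATE block found")
    return blocks


def prepare_acm_import(signed_ca_text, root_ca_text):
    """Return (certificate body, certificate chain) in the form ACM PCA expects."""
    return extract_certificates(signed_ca_text)[0], extract_certificates(root_ca_text)[0]
```

Feed it the two files downloaded from the RA Web and write the returned strings to new files before uploading them in the wizard.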