SignServer Enterprise Cloud Edition Peering to EJBCA ECE Configuration Guide Print date: 2018-11-01


    © 2018 PRIMEKEY

    Table of Contents

    Introduction
        Documentation
        Related Guides
    AWS Operating Environment
        EC2
        VPC Configuration
    EJBCA/SignServer Peering Security Groups
    Generate new TLS Certificates for SignServer
    Allow Peer Connections in SignServer
    Peer Connection Configuration
        Step 1: Create Crypto Token for Peering Key
        Step 2: Create a Certificate Profile for the Peer
        Step 3: Setup the Key Bindings
        Step 4: Generate a CSR for the KeyBinding
    Creating the Peer Connection
    Allow Peer Connection in SignServer
    Configuring Automatic Generation and Key Renewal over Peers
        SignServer Configuration
        EJBCA Configuration
        Create the End Entity on EJBCA
    Automatically Renewing the Key Binding Key


    Introduction

    This guide assists a SignServer Enterprise Cloud Edition administrator with configuring peering to
    EJBCA Enterprise Cloud Edition.

    The configuration assumes that the SignServer and EJBCA Enterprise Cloud Edition nodes have been
    procured in the AWS Marketplace and launched following the SignServer and EJBCA Launch Guides
    referenced below. The example in this guide uses two nodes, one of each.

    Documentation

    SignServer Enterprise Cloud Edition documentation is available on:

    https://download.primekey.com/docs/SignServer-Enterprise-Cloud/latest

    SignServer Enterprise Edition documentation is available on:

    https://download.primekey.com/docs/SignServer-Enterprise/current

    Additional information on SignServer Community Edition is available on: www.signserver.org

    Related Guides

    SignServer ECE Launch Guide:
    https://download.primekey.com/docs/SignServer-Enterprise-Cloud/latest/signserver-cloud-launch-guide.pdf

    EJBCA ECE Launch Guide:
    https://download.primekey.com/docs/EJBCA-Enterprise-Cloud/latest/ejbca-ece-launch-guide.pdf

    PrimeKey on the AWS Marketplace:
    https://aws.amazon.com/marketplace/seller-profile?id=7edf9048-58e6-4086-9d98-b8e0c1d78fce&ref=dtl_B078PLGJWL


    AWS Operating Environment

    EC2

    Begin by starting a SignServer Enterprise Cloud Edition instance and an EJBCA Enterprise Cloud
    Edition instance. In this example we will have the following two nodes:

    EJBCA Node using IP 172.16.2.21 – US East 1 – 172.16.0.0/16 address space
    SignServer Node using IP 172.16.2.98 – US East 1 – 172.16.0.0/16 address space

    For simplicity, both nodes in this guide are in the US-East-1 region.

    VPC Configuration

    If the two nodes are to communicate from different VPCs, it is assumed that a VPC Peering
    Connection is set up and in place. For assistance with configuring a VPC Peering Connection, refer
    to Amazon's VPC Peering Guide:
    https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/Welcome.html

    When the nodes are in different VPCs, a Route Table also needs to be created that allows them to
    communicate over the Peering Connection. For more information on configuring Route Tables between
    VPCs, refer to the routing section of Amazon's VPC Peering Guide:
    https://docs.aws.amazon.com/AmazonVPC/latest/PeeringGuide/vpc-peering-routing.html

    A security group is also needed in each VPC. That configuration is outlined in the section
    EJBCA/SignServer Peering Security Groups below, since it pertains directly to the peer
    communication. Consult the AWS documentation for further information.

    EJBCA/SignServer Peering Security Groups

    EJBCA to SignServer Peering uses port 443 (SSL/TLS) for communication. The connection is initiated
    from the EJBCA server to the SignServer node, so only the SignServer side needs an inbound rule;
    security groups are stateful, so the return traffic of an allowed connection is permitted without a
    separate rule.

    1. Create a security group that allows TLS traffic within the VPCs. In this example, the VPC
       internal address space in US-East-1 is 172.16.0.0/16. Create a Security Group called Allow All
       TLS Traffic with the following rules:

       Inbound: TCP port 443 from 172.16.0.0/16
       Outbound: all traffic to any address

       This allows any outbound connection to any address and any inbound connection on port 443 from
       any address in the 172.16.0.0/16 subnet. A security group with the same rules also needs to be
       configured in the other VPC. These rules may be tightened as required by the organization; the
       minimum the peering needs is inbound TCP 443 on the SignServer node from the EJBCA node's
       private address (172.16.2.21/32 in this example).

    2. Apply these Security Groups to the EJBCA Enterprise Cloud Edition and SignServer Cloud Edition
       nodes in each of the VPCs. Right-click the node, select Networking and then Change Security
       Groups.

    3. Apply the security group to the instances so that they can communicate with each other.

    4. In the node details there is a link to View Inbound Rules. The associated IPs should be set up
       according to the following example (modified for your IP ranges and subnets).
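    As an added example that is not part of the original guide, the following Python applies the
    tightening advice above to a security group in the dict shape that aws ec2 describe-security-groups
    returns (the shape is AWS's; the two groups below are constructed for the example, and the EJBCA
    address 172.16.2.21/32 is the one used in this guide). It reports every inbound rule broader than
    TCP 443 from the EJBCA node, so it can be run over each group attached to the SignServer node before
    peering is enabled.

```python
"""Least-privilege check for the EJBCA -> SignServer peering security group.

Added example for this guide, not PrimeKey or AWS code. Input is one security
group in the dict shape that `aws ec2 describe-security-groups` returns.
"""
import ipaddress

VPC_CIDR = ipaddress.ip_network("172.16.0.0/16")      # VPC address space used in this guide
EJBCA_NODE = ipaddress.ip_network("172.16.2.21/32")   # private IP of the EJBCA node in this guide
PEER_PORT = 443                                       # EJBCA connects to SignServer on TCP 443


def _sources(perm):
    """IPv4 CIDR sources of one IpPermissions entry (group-to-group sources are not checked)."""
    return [ipaddress.ip_network(r["CidrIp"]) for r in perm.get("IpRanges", [])]


def audit_inbound(sg):
    """Return (errors, advisories) for the inbound rules of a security group.

    errors     - rules that let in more than the peering connection needs
    advisories - the peering rule itself, when its source is wider than the EJBCA node
    An empty errors list means the group admits only TCP 443 from inside the VPC.
    """
    errors, advisories = [], []
    name = sg.get("GroupName", "?")
    for perm in sg.get("IpPermissions", []):
        proto = perm.get("IpProtocol")
        lo, hi = perm.get("FromPort"), perm.get("ToPort")
        label = "all traffic" if proto == "-1" else f"{proto}/{lo}-{hi}"
        is_peer_rule = proto == "tcp" and lo == hi == PEER_PORT
        if not is_peer_rule:
            errors.append(f"{name}: inbound {label} is not needed for peering")
        for net in _sources(perm):
            if net.prefixlen == 0:
                errors.append(f"{name}: inbound {label} is open to the internet ({net})")
            elif not net.subnet_of(VPC_CIDR):
                errors.append(f"{name}: inbound {label} source {net} is outside the VPC")
            elif is_peer_rule and net != EJBCA_NODE:
                advisories.append(
                    f"{name}: tcp/{PEER_PORT} source {net} could be tightened to {EJBCA_NODE}")
    return errors, advisories


# Constructed sample: the group this guide creates ("Allow All TLS Traffic").
GUIDE_SG = {
    "GroupName": "Allow All TLS Traffic",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "172.16.0.0/16"}]},
    ],
    "IpPermissionsEgress": [
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ],
}

# Constructed sample: a group that was widened "temporarily" during troubleshooting.
LOOSE_SG = {
    "GroupName": "peering-debug",
    "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "172.16.0.0/16"}]},
        {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
    ],
}

if __name__ == "__main__":
    for group in (GUIDE_SG, LOOSE_SG):
        errs, advice = audit_inbound(group)
        print(group["GroupName"], "errors:", errs, "advisories:", advice)
```

    The guide's own group produces no errors and one advisory (the source could be narrowed to the
    EJBCA node); the second group produces four errors. Outbound rules are not audited because the
    SignServer side only answers the EJBCA-initiated connection.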

    Generate new TLS Certificates for SignServer

    The default TLS certificates for SignServer are generated upon installation and are self-signed. It
    is recommended to replace them with certificates from a CA which EJBCA trusts. Running a script on
    the command line of EJBCA Enterprise Cloud Edition makes this a simple process.

    To generate new TLS certificates for SignServer, do the following:

    1. Start a shell session to the EJBCA instance and change to the support directory:

       # ssh -i <key file> ec2-user@<EJBCA instance address>
       # cd /opt/PrimeKey/support

    2. Run the script titled create_ra_tls_certs.sh. Running this script with the -d (DNS name) and -i
       (IP address) flags generates certificates that Apache on the SignServer instance will use. In
       this demo environment, the DNS names and IP addresses of our SignServer instance are:

       ec2-54-165-63-62.compute-1.amazonaws.com
       ip-172-16-2-98.ec2.internal
       54.165.63.62
       172.16.2.98

       Every name that EJBCA will later use to reach SignServer (the internal DNS name is used in the
       peer connector URL further down) must be passed here so that it ends up in the certificate.
       Running the script passing these addresses on the command line looks like the following:

       # sudo ./create_ra_tls_certs.sh -d ec2-54-165-63-62.compute-1.amazonaws.com -d ip-172-16-2-98.ec2.internal -i 54.165.63.62 -i 172.16.2.98

    3. Answer y to the prompt about copying the certificates with proper names for Apache. This
       outputs them to /home/ec2-user/pem.

    4. Copy this pem folder to the SignServer instance. The folder contains the private key of the new
       TLS certificate, so this must be done over a secure channel between the nodes, via SSH (scp) or
       whatever method meets the organization's security needs.

    5. Copy these files to /home/ec2-user/pem on the SignServer node, then move them into
       /etc/httpd/ssl and restart Apache with the following commands:

       # cd /home/ec2-user/pem
       # sudo cp * /etc/httpd/ssl/.
       # sudo service httpd restart

    6. Run the following command to allow the EJBCA SuperAdmin access to SignServer:

       # cd /opt/signserver
       # bin/signserver wsadmins -allowany

       This setting lets any client certificate that Apache accepts administer SignServer. It is only
       needed until the SuperAdmin has been listed explicitly, and is switched off again in step 9.

    7. Go to the SignServer Administrators tab and click Add.

    8. Click Load Current and add the Roles Admin, Auditor and Archive Auditor for the EJBCA
       SuperAdmin, and then click Add.

    9. On the SignServer Administrators tab, change the Current Setting from Allow any to Only Listed
       by clicking Switch to "Only Listed".

    Allow Peer Connections in SignServer

    To allow Peer Connections in SignServer, do the following:

    1. Log in to the SignServer Administration Web.

    2. Select Administrators at the top.

    3. Under Peer Systems, select Allow incoming connections and click Save.

    The following text displays: "No peer has successfully connected to this node."

    Peer Connection Configuration

    The Peer Connection is configured in the following steps:

    Step 1: Create Crypto Token for Peering Key
    Step 2: Create a Certificate Profile for the Peer
    Step 3: Setup the Key Bindings
    Step 4: Generate a CSR for the KeyBinding

    Step 1: Create Crypto Token for Peering Key

    To create a Crypto Token for the Peering Key, do the following:

    1. Create a Crypto Token on the EJBCA instance by selecting Crypto Tokens under CA Functions.

    2. Click Create New.

    3. Enter a Name for the Crypto Token (PeerSystemsToken is the name used later in this guide), an
       Authentication Code, and enable Auto-activation to ensure that the Crypto Token comes online and
       is available after a reboot. Click Save.

    4. Enter the key name signserver_peer_systems_key, select RSA 2048, and click Generate new key
       pair.

    Step 2: Create a Certificate Profile for the Peer

    To create a Certificate Profile for the Peer, do the following:

    1. Select Certificate Profiles under CA Functions.

    2. In the List of Certificate Profiles, enter a name such as SignServer Peer Profile and click Add.

    3. Click Edit on the newly created SignServer Peer Profile. Select the following options in the
       profile and click Save:

       Available Key Algorithms: RSA
       Available Bit Lengths: 2048
       Validity or end date of the certificate: 10y
       Extended Key Usage: Client Authentication

    4. Under RA Functions, select End Entity Profiles.

    5. Enter a name for a new profile in the Add Profile field, such as SignServer Peer EE Profile,
       and click Add.

    6. Select the SignServer Peer EE Profile and click Edit End Entity Profile.

    7. Within the profile select the following values and then click Save:

       Default Certificate Profile: SignServer Peer Profile
       Available Certificate Profiles: SignServer Peer Profile
       Default CA: ManagementCA
       Available CAs: ManagementCA
       Default Token: User Generated
       Available Tokens: User Generated

    Step 3: Setup the Key Bindings

    Setup the key bindings in the following steps:

    1. Click Internal Key Bindings under System Functions.

    2. On the AuthenticationKeyBinding tab, click Create new and specify the following:

       Name: Peer System Key Binding to SignServer
       Crypto Token: PeerSystemsToken
       Key Pair Alias: signserver_peer_systems_key
       Signature Algorithm: SHA256WithRSA
       Protocol and Cipher Suite: TLSv1.2;TLS_RSA_WITH_AES_256_CBC_SHA256

       The cipher suite above is the one this guide uses. Static RSA key exchange provides no forward
       secrecy, so if the Apache configuration on the SignServer node accepts one of the ECDHE suites
       offered in the list, prefer it.

    3. Click Create and then click Back to overview.

    Step 4: Generate a CSR for the KeyBinding

    Do the following to generate a CSR for the Key Binding:

    1. In the Internal Key Bindings overview, select the CSR action for Peer System Key Binding to
       SignServer to download a CSR.

    2. Save this file to a location on your computer.

    3. Select RA Web in the EJBCA Admin Web menu to access the RA Web.

    4. In the EJBCA RA, click Make New Request.

    5. In Certificate Type, select the SignServer Peer EE Profile. Then upload the CSR by clicking
       Browse to select the CSR downloaded in the previous step, and click Upload CSR.

    6. Change the CN, Common Name if desired, and then enter the Username "signserver_peer".

    7. Click Download PEM to download the signed certificate and save this file to a location on your
       computer.

    8. Go back to the EJBCA Admin Web and select Internal Key Bindings under System Functions.

    9. Under the Import externally issued certificate header, click Browse, select the PEM file
       downloaded in the previous step and click Import. A notification appears at the top that the
       Operation completed without errors.

    10. Click Enable on the Key Binding. A notice appears at the top that the Peer System Key Binding
        to SignServer status is now ACTIVE, and a check-mark indicates its active status.

    Creating the Peer Connection

    To create the Peer Connection, do the following:

    1. Select Peer Systems under System Functions and make sure that the Allow outgoing connections
       option is selected.

    2. Click Add and specify the following in the Create Peer Connector screen:

       Name: Peer Connection to SignServer
       URL: https://ip-172-16-2-98.ec2.internal/signserver/peer/v1

       NOTE: This is the internal DNS name of your SignServer instance. It must be one of the names the
       SignServer TLS certificate was generated for (the -d values passed to create_ra_tls_certs.sh),
       and the issuing CA must be trusted by EJBCA, otherwise the TLS connection fails before any
       authorization takes place.

       Authentication Key Binding: Peer System Key Binding to SignServer
       Enabled: Selected

    3. Click Create.

    4. Click Ping. You should get an error that says: "Unable to connect to peer. Unauthorized". This
       "error" is expected because we have not yet allowed the connection on the SignServer side.

    Allow Peer Connection in SignServer

    To allow the Peer Connection in SignServer, do the following:

    1. Access the SignServer Administration GUI.

    2. Select Administrators at the top.

    3. Under the Incoming Connections section you will see the new connection attempt.

    4. Click Add Authorization.

    5. Select Peer System and click Add.

    There will now be a second Authorization with a Peer System role. Clicking Ping on the EJBCA side
    should now succeed.
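    The two outcomes of Ping (Unauthorized before the peer is listed, accepted afterwards) and the
    Allow any / Only Listed switch in the TLS certificate section follow from one decision: SignServer
    accepts the TLS handshake from any client certificate Apache trusts, then matches the certificate's
    serial number and issuer DN against its Administrators list. The Python below is an added model of
    that decision, not SignServer code. It assumes matching is exact on (serial number, issuer DN) after
    the canonicalisation shown, that Allow any grants the Admin role, and it uses certificates
    constructed in the dict shape that Python's ssl.SSLSocket.getpeercert() returns with a constructed
    ManagementCA DN.

```python
"""Model of the authorization decision behind SignServer's Administrators page.

Added illustration for this guide, not SignServer code. Any client certificate
that Apache on the SignServer node trusts passes the TLS handshake; whether the
client may administer SignServer or peer with it is decided afterwards by
matching the certificate's serial number and issuer DN against the listed
entries ("Only Listed"), or by accepting every such certificate ("Allow any").
Assumptions: matching is exact on (serial, issuer DN) after the canonicalisation
below; "Allow any" grants the Admin role. Certificates are constructed in the
dict shape that ssl.SSLSocket.getpeercert() returns.
"""
from dataclasses import dataclass

ADMIN_ROLES = frozenset({"Admin", "Auditor", "Archive Auditor"})  # roles added for the SuperAdmin
PEER_ROLE = "Peer System"                                          # role added for the peer

_SHORT = {"commonName": "CN", "organizationName": "O", "organizationalUnitName": "OU",
          "countryName": "C", "localityName": "L", "stateOrProvinceName": "ST"}


def issuer_dn(cert):
    """Issuer DN as the 'CN=...,O=...,C=...' string shown in the Admin Web, from the
    tuple-of-RDNs structure of a getpeercert() dict (most specific attribute first)."""
    parts = [f"{_SHORT.get(attr, attr)}={value}" for rdn in cert["issuer"] for attr, value in rdn]
    return ",".join(reversed(parts))


def _dn_key(dn):
    """Order- and whitespace-insensitive key for comparing DN strings
    (assumed canonicalisation; attribute values containing commas are not handled)."""
    pairs = []
    for component in dn.split(","):
        attr, _, value = component.partition("=")
        pairs.append((attr.strip().upper(), value.strip()))
    return frozenset(pairs)


def _serial_key(serial_hex):
    """Serial numbers are compared as hex without case or leading zeros."""
    return serial_hex.upper().lstrip("0") or "0"


@dataclass(frozen=True)
class AdminEntry:
    serial_hex: str     # Certificate serial number (hex), as entered on the Administrators page
    issuer: str         # Issuer DN, as entered on the Administrators page
    roles: frozenset

    def matches(self, cert):
        return (_serial_key(self.serial_hex) == _serial_key(cert["serialNumber"])
                and _dn_key(self.issuer) == _dn_key(issuer_dn(cert)))


def granted_roles(cert, entries, allow_any=False):
    """Roles granted to the presented client certificate.

    allow_any=True models 'Current Setting: Allow any', the state after
    `signserver wsadmins -allowany`: every certificate the TLS layer accepted is
    treated as Admin here (modelling assumption). With 'Only Listed', unlisted
    certificates get no role at all.
    """
    if allow_any:
        return {"Admin"}
    for entry in entries:
        if entry.matches(cert):
            return set(entry.roles)
    return set()


def peer_ping_result(cert, entries):
    """What EJBCA's Ping reports: 'OK' once the peer certificate is listed with the
    Peer System role, otherwise the message quoted in the guide."""
    if PEER_ROLE in granted_roles(cert, entries):
        return "OK"
    return "Unable to connect to peer. Unauthorized"


# Constructed sample data: a ManagementCA DN and two certificates it issued.
MANAGEMENT_CA = ((("countryName", "SE"),), (("organizationName", "EJBCA Sample"),),
                 (("commonName", "ManagementCA"),))
SUPERADMIN_CERT = {"subject": ((("commonName", "SuperAdmin"),),),
                   "issuer": MANAGEMENT_CA, "serialNumber": "4F2A91C3D58B7E60"}
PEER_CERT = {"subject": ((("commonName", "signserver_peer"),),),
             "issuer": MANAGEMENT_CA, "serialNumber": "0A17C4E9B26D3F85"}

# After "Load Current" + Add for the SuperAdmin (TLS certificate section, step 8).
ADMINS = [AdminEntry("4F2A91C3D58B7E60", "CN=ManagementCA,O=EJBCA Sample,C=SE", ADMIN_ROLES)]
# After "Add Authorization" with the Peer System role (this section, step 5);
# case and spacing differ on purpose to show what the canonicalisation tolerates.
ADMINS_WITH_PEER = ADMINS + [
    AdminEntry("0a17c4e9b26d3f85", "cn=ManagementCA, o=EJBCA Sample, c=SE", frozenset({PEER_ROLE}))]

if __name__ == "__main__":
    print(peer_ping_result(PEER_CERT, ADMINS))            # Unable to connect to peer. Unauthorized
    print(peer_ping_result(PEER_CERT, ADMINS_WITH_PEER))  # OK
```

    The last case in the model is the one worth remembering when troubleshooting: a certificate with
    the right serial number but a different issuer is not matched, so an entry copied from the wrong
    CA, or a peer key binding re-issued by another CA, leaves the Ping at Unauthorized.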

    Configuring Automatic Generation and Key Renewal over Peers

    Configuration of Automatic Generation and Key Renewal over Peers is done in the following steps:

    SignServer Configuration
    EJBCA Configuration
    Create the End Entity on EJBCA

    SignServer Configuration

    For this section we are going to create a PDF Signer that allows key and certificate renewal over
    the peer connection. This saves having to pass CSRs from SignServer to EJBCA by hand when doing
    certificate renewals.

    To create the PDF Signer, do the following:

    1. Access the SignServer Administration Web.

    2. Click on Workers, click Add and then select From Template.

    3. In Load from Template, select pdfsigner.properties and click Next.

    4. In the Configuration, comment out the line WORKERGENID1.DEFAULTKEY=signer00003, since we want
       to use our own key, and click Apply.

    5. The worker is added with an "Inactive" state. Click the PDFSigner Worker to select it and then
       select the Configuration tab.

    6. Click Add and specify the following under Add Property:

       Name: "PEERS_VISIBLE"
       Value: "true"

    7. Click Submit to add the property to the configuration.

    8. Click back onto the worker to select it and then click Renew key.

    9. Under Renew Keys, enter the following details:

       Key Algorithm: "RSA"
       Key Specification: "2048"
       New Key Alias: "PDFSignKey0001"

    10. Click Generate.

    EJBCA Configuration

    Configure EJBCA according to the following:

    1. Access the Administration GUI for EJBCA.

    2. Select Certificate Profiles under CA Functions and add a profile called PDF Signer Certificate
       Profile.

    3. Click Edit on the Certificate Profile once added, specify the following attributes and click
       Save:

       Available Key Algorithms: RSA
       Available Bit Lengths: 2048
       Validity or end date of the certificate: 5y
       Extended Key Usage: PDF Signing

    4. Under RA Functions, click End Entity Profiles.

    5. Enter a name for a new profile in the Add Profile field, such as PDF Signer EE Profile, and
       click Add.

    6. Select the PDF Signer EE Profile and click Edit End Entity Profile.

    7. Within the profile select the following values and click Save:

       Default Certificate Profile: PDF Signer Certificate Profile
       Available Certificate Profiles: PDF Signer Certificate Profile
       Default CA: ManagementCA
       Available CAs: ManagementCA
       Default Token: User Generated
       Available Tokens: All

       This guide issues the signing certificate from ManagementCA for simplicity. In a production
       setup the signing certificates would normally come from a dedicated CA rather than from the CA
       that issues the administrator and TLS certificates.

    Create the End Entity on EJBCA

    To create the End Entity on EJBCA:

    1. In the EJBCA Admin Web, select Add End Entity under the RA Functions section.

    2. Specify the following for the End Entity and then click Add.

       End Entity Profile: PDF Signer EE Profile
       Username: PDFSigner
       Password:
       CN, Common name: "PDFSigner" (must match the worker name in SignServer)
       Certificate Profile: PDF Signer Certificate Profile

    3. Select Peer Systems under System Functions.

    4. Click Manage on the Peer Connection to SignServer and select the Remote Key Bindings tab.

    5. The Remote name of PDFSigner and the Remote key pair value of PDFSignKey0001 should be populated
       already if the configuration was done correctly. In Local end entity, enter PDFSigner.

    6. Click Issue signing certificate. The certificate details will now show with a certificate serial
       number bound to the binding.

    Go to the SignServer Admin Web, select the Workers tab and check that the PDFSigner worker is now
    active.

    Automatically Renewing the Key Binding Key

    A service can be created to automatically renew the key used for the authentication key binding.
    This is done via an EJBCA service.

    To create a service to automatically renew the key binding key, do the following:

    1. Select Services under System Functions.

    2. Under Add Service, enter the name Peer Connection to SignServer Updater and click Add.

    3. Select the newly added service, click Edit Service and set the following attributes:

       Select Worker: Remote Internal Key Binding Updater
       Peer System: Peer Connection to SignServer
       Renew key pair: Selected
       Active: Selected

    4. Click Save.
