Operations Manual
Ver: 2.7.2
2018-01-19
Copyright ©2018 PrimeKey Solutions
Published by PrimeKey Solutions AB
Lundagatan 16
171 63 Solna
Sweden
Notice of Rights
All rights reserved. No part of this book may be reproduced or transmitted in any form by any means,
electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the
publisher. For more information on getting permission for reprints and excerpts, contact sales@primekey.com
Notice of Liability
The information in this book is distributed on an “As Is” basis without warranty. While every precaution has
been taken in the preparation of the book, neither the authors nor PrimeKey shall have any liability to any
person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by
the instructions contained in the book or by computer software and hardware products described in it.
Trademarks
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as
trademarks. Where those designations appear in this book, and PrimeKey was aware of a trademark claim,
the designations appear as requested by the owner of the trademark. All other product names and services
identified throughout this book are used in editorial fashion only and for the benefit of such companies with
no intention of infringement of the trademark. No such use, or the use of any trade name, is intended to
convey endorsement or other affiliation with this book.
Contents
I Preamble 1
1 Release Notes 2
2 Introduction 3
2.1 Audience 3
2.1.1 Styling Conventions 3
2.1.2 Daily operations 4
II Advanced Installation 6
5 WebConf 23
Use-Case: Create a new TLS server side certificate for Application Interface 23
Use-Case: Upload a new trusted CA for TLS authentication and new superadmin certificate for Management Interface 31
Use-Case: Configure a new trusted CA for TLS authentication and new superadmin certificate for Application Interface 35
6 Maintenance 38
6.1 PKI Appliance State 38
6.2 Reasons for Maintenance 39
6.3 Effects 41
7 Support Package 43
9 Creating a CA Hierarchy 50
9.1 Use-Case: Creation of the RootCA 51
Creating a Certificate Profile for the RootCA 51
Create Crypto Token for RootCA 53
Creating a RootCA 55
9.2 Use-Case: Create Certificate Profile for SubCAs 58
9.3 Use-Case: Create End Entity Profile for SubCAs 62
9.4 Use-Case: Import RootCA as External CA in node A 64
9.5 Use-Case: Create SignCA as SubCA in node A 66
Create Crypto Token for SignCA 66
Creating SignCA 67
9.6 Use-Case: Create AuthCA as SubCA in node A 74
Create Crypto Token for AuthCA 74
Creating AuthCA 75
9.7 Use-Case: Create SSLCA as SubCA in node A 84
Create Crypto Token for SSLCA 84
Creating SSLCA 86
9.8 Use-Case: Create Certificate Profiles for End Entities that will use the SubCAs 94
Create Certificate Profile for End Entities that will use AuthCA 94
Create Certificate Profile for End Entities that will use SignCA 95
Create Certificate Profile for End Entities that will use SSLCA 97
9.9 Use-Case: Create End Entity Profiles for SubCAs 99
Create End Entity Profile for AuthCA 99
Create End Entity Profile for SignCA 100
Create End Entity Profile for SSLCA 103
9.10 Use-Case: Create End Entities that will use the SubCAs 105
Create an End Entity that will use SSLCA 105
Create an End Entity that will use AuthCA 107
Create an End Entity that will use SignCA 109
10 Managing End Entities 111
10.1 Use-Case: Searching for end entities 111
10.2 Certificate Revocation 111
10.2.1 Use-Case: Revoking a Certificate using EJBCA 112
10.2.2 Use-Case: Re-issuing a Certificate using EJBCA 112
V VA Setup 113
11 Setting up a VA 114
11.1 Online Certificate Revocation Protocol 114
11.2 CRL Distribution Point 114
11.3 VA setup scenarios 114
11.4 Use-Case: Install PKI Appliance as dedicated VA 117
11.5 Use-Case: Create OCSP Keys in VA-Appliance 132
11.6 Use-Case: Create OCSP Key Binding in VA and publisher in CA-Appliance 133
11.7 Use-Case: Set up a VA-Appliance which fetches CRLs from external server 144
19 HA Setup 181
19.1 Scope of availability 181
19.1.1 How it works 181
19.1.2 Synchronization of key material 181
19.1.2.1 Pre-cluster setup generation of keys 181
19.1.2.2 Post-cluster setup generation of keys 182
Use-Case: Synchronize key material 182
19.1.3 Network topology 182
19.1.4 Cluster traffic security considerations 183
19.2 Continuous service availability 183
19.3 Levels of availability 183
19.3.1 Stand alone instance 183
19.3.2 Hot stand-by with manual fail-over 183
19.3.3 High availability with automatic fail-over 184
19.4 High Availability 184
Use-Case: Setting up a 2 node cluster from scratch 184
Use-Case: Setting up a 3 node cluster from scratch 185
Use-Case: Extending a cluster from n to n+1 nodes 185
19.5 Backup, Restore and Update 186
19.5.1 Backing up a cluster 186
19.5.2 Restoring a cluster from backup 186
Use-Case: Restoring a cluster from a backup taken on node 1 187
Use-Case: Restoring a cluster from a backup taken on node 2 or node 3, PKI Appliance firmware version 2.2.0 (or older) 187
Use-Case: Restoring a cluster from a backup taken on node 2 or node 3, PKI Appliance firmware version 2.3.0 187
19.5.3 Updating the software (firmware/applications) on a cluster 188
Use-Case: Software update on a three node cluster from 2.2.0 to 2.3.0 188
19.6 Controlled full cluster shutdown and startup 189
19.6.1 Shutting down the cluster in controlled manner 189
19.6.2 Starting a fully shutdown cluster 189
19.7 Operational Caution 189
Use-Case: Changing the IP Address of the Application Interface of a node in a three node cluster 190
Replacing a failed cluster node 191
List of Figures
PKI Appliance
Operations Manual – Public Key Infrastructure by PrimeKey
Part I
Preamble
Chapter 1
Release Notes
This is a maintenance release to 2.7.1 which mainly brings new versions of EJBCA
and SignServer to the PKI Appliance.
With the new EJBCA version custom certificate extensions for CV certificates are
available. There are also improvements on CT logs.
SignServer comes with support for one click certificate renewals from within
EJBCA.
New Features:
* EJBCA Enterprise 6.10.1.2 - Please check out EJBCA release notes for more
detailed information
* SignServer 4.2.0 - Please check out SignServer release notes for more details
Chapter 2
Introduction
This manual provides an in-depth understanding of the public key infrastructure (PKI) products and services provided by PrimeKey and is intended to serve as a guide to understanding and implementing PKI as a product and service within the PKI Appliance.
2.1 Audience
This guide is intended for use by Information Technology (IT) professionals with an interest in implementing the PKI products provided by PrimeKey in their environment using the PKI Appliance. The guide is presented in a structured manner so that it begins with an introduction to the subject and progressively moves into deeper technical topics. This allows the guide to be useful for a wide variety of personnel, from managers to integrators. The lowest common denominator between the various groups of audiences is the shared interest in implementing PKI using PrimeKey products.
• Options from popup menus or values that can be chosen, like RSA 2048
• Links in the GUI that need to be selected/clicked upon are displayed in blue, like: Search End Entities.
• Values that have to be provided in text fields are presented as: a new value.
• Group titles or GUI text that is not selectable is represented as: RA Functions.
• Informative messages provide additional explanation of the steps being performed, or the configuration being applied. For example:
• Warning messages are used to draw attention to a critical or sensitive step that has to be performed, or to a critical piece of information that has to be provided. For example:
• Shell listings are used to specify commands that should be run on a server in a terminal, by a specific operating system user. For example:
Run as user
df -h
i Unless the instructions explicitly state so, do not deviate from the instruction order. All steps should be performed in the sequence in which they are outlined. Do not jump back and forth between different exercises, unless the instructions explicitly state so.
Chapter 3
PKI Appliance Overview
3.1 Description
EJBCA Enterprise Appliance is a PKI-in-a-box and combines the flexibility, reliability and feature set of EJBCA Enterprise software with a secure technology stack and enterprise-grade hardware, including a FIPS 140-2 Level 3 certified HSM. Through the combination of built-in CA, RA and VA functionality and a variety of interfaces like OCSP, CMP, SCEP and WebServices, EJBCA Enterprise Appliance provides a unique turn-key PKI solution.
EJBCA Enterprise Appliance is based on a unified and controlled technology stack which reduces technical risks for the entire PKI project and reduces patch management efforts during operation. Simplified management and maintenance workflows lower the setup time and operational costs and reduce the TCO.
High flexibility, performance, and support for high availability and load balancing make the EJBCA Enterprise Appliance suitable for critical infrastructure setups within commercial and governmental organizations of all sizes.
As of version 2.4.0 the EJBCA Enterprise Appliance (or PKI Appliance) exists in three different product sizes, designated as S, M or L. Previous unlabeled versions are equivalent to the M size. While the L version takes advantage of recently available bigger hard disks to provide more database space, the S version is a highly reduced version with a smaller database size and also a reduced-speed HSM.
Part II
Advanced Installation
Chapter 4
Using External CA for Installation
In this chapter we will implement the scenario where two different PKI Appliances are installed using the same ManagementCA certificate, which is installed on a smart card. The following instructions will guide the administrator to:
• install the first PKI Appliance and install the SuperAdmin certificate on the smart card,
Because in many cases the ROOTCA is required to be offline, the physical infrastructure differs from the logical hierarchy. In one PKI Appliance (node A), we install ManagementCA together with the 3 SubCAs (see figure 4.2).
The second box will host the ROOTCA, which will be taken offline as soon as it has signed the SubCAs (see figure 4.3).
i The same process that is described here can be done in analogous ways with smart cards from different brands.
A list of Security Modules and Devices is shown in this window. Through Load we can define a new Security Device (see fig. 4.5).
The new device is now listed in the Device Manager window. At that point we are able to log in to the device via Log In by providing the password that is used to lock the smart card (see fig. 4.7).
As soon as the login process is successful, the smart card is configured correctly with Firefox (see fig. 4.8).
2. To check whether we can trust this connection, we have to verify that the TLS fingerprint is the same as the one shown on the PKI Appliance display. Press Add Exception... and, on the next window, View... (see fig. 4.10 and 4.11).
3. The SHA1 Fingerprint is located under the Fingerprints group. The first value has to match the one that is displayed on the PKI Appliance front display.
4. After we have confirmed that we trust the TLS certificate for the connection, we can continue with the installation process. The fingerprints are the same, as shown in fig. 4.12.
5. The text field that shows up is Authentication code: under the Authenticate section. Here we have to provide the OTP (One Time Password) which is shown on the PKI Appliance display (see fig. 4.13).
6. Figures 4.14 up to 4.18 show the settings which have to be configured before the installation process begins.
7. When the installation comes to its end, the user is prompted to Get superadmin certificate before the process can be finalized. By pressing Enroll a pop-up window lets us choose which security device will be used for enrollment (see fig. 4.19).
8. The next figures show the prompt for the smart card key (4.20), the key generation (4.21) and the confirmation that enrollment is complete (4.22).
9. Now that the SuperAdmin certificate is installed on the smart card we can finalize the installation.
10. When we try to log in to the PKI Appliance or EJBCA’s Public Pages we are prompted to choose a certificate to authenticate to the system (see fig. 4.23).
11. As the first time, we have to confirm the connection (see fig. 4.9) and confirm the exception with Confirm Security Exception (see fig. 4.24).
13. Navigate to IP_ADDRESS in WebConf and, under the ACCESS tab, copy the clientcert value. It will be used as input to install the next PKI Appliance, as shown in fig. 4.26.
2. The option that has to be chosen is Use Existing Management CA and, in the SuperAdmin full Subject DN field, paste the value you copied in step 13 above.
4. At that point both PKI Appliances are using the same superadmin certificate, which is installed on the smart card. The difference is that only the first one hosts ManagementCA (see fig. 4.28 and 4.29).
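Steps 2 to 4 of the first installation above compare the SHA1 fingerprint Firefox shows with the value on the appliance front display. As an added example that is not part of the manual, the following Python code performs the same comparison over a PEM file: it hashes the DER bytes (which is what browsers and OpenSSL fingerprint), normalizes whatever form was read off the display, and compares in constant time. The PEM body is a constructed placeholder that decodes to the bytes "abc", not a real certificate, and the function names are assumptions.

```python
import base64
import hashlib
import hmac
import re

# Constructed placeholder: the base64 body decodes to b"abc" and stands in for a
# real DER-encoded certificate so that the example runs offline.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
"""

# Constructed value as it might be read off the front display: the SHA-1 of b"abc",
# colon separated and upper case, the way Firefox presents it.
DISPLAYED_FINGERPRINT = "A9:99:3E:36:47:06:81:6A:BA:3E:25:71:78:50:C2:6C:9C:D0:D8:9D"


def pem_to_der(pem: str) -> bytes:
    """Extract the first CERTIFICATE block and base64-decode it to DER bytes.

    Fingerprints are hashes of the DER encoding, never of the PEM text, so the
    armour lines and line breaks must be stripped before hashing.
    """
    match = re.search(
        r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S
    )
    if not match:
        raise ValueError("no CERTIFICATE block found")
    body = "".join(match.group(1).split())  # drop newlines and whitespace
    return base64.b64decode(body, validate=True)


def sha1_fingerprint(der: bytes) -> str:
    """Return the SHA1 fingerprint in the colon-separated form Firefox shows."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize_fingerprint(text: str) -> str:
    """Reduce any display form (colons, spaces, mixed case) to bare upper-case hex.

    A value that is not a full 40-digit SHA-1 is rejected, so a partially copied
    or mistyped fingerprint can never compare equal.
    """
    hexdigits = re.sub(r"[\s:]", "", text).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hexdigits):
        raise ValueError(f"not a SHA-1 fingerprint: {text!r}")
    return hexdigits


def fingerprint_matches(pem: str, displayed: str) -> bool:
    """True when the certificate's SHA1 fingerprint equals the displayed value."""
    computed = normalize_fingerprint(sha1_fingerprint(pem_to_der(pem)))
    expected = normalize_fingerprint(displayed)
    return hmac.compare_digest(computed, expected)


if __name__ == "__main__":
    print("computed :", sha1_fingerprint(pem_to_der(SAMPLE_PEM)))
    print("displayed:", DISPLAYED_FINGERPRINT)
    print("match    :", fingerprint_matches(SAMPLE_PEM, DISPLAYED_FINGERPRINT))
```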
Part III
Appliance Operations
Chapter 5
WebConf
2. Click on the icon located before the URL (see figure 5.1) and press More information.
4. Various information about the certificate is displayed. Among it is the CN with the value node1-tls-app (see figure 5.3).
Now we will create a new TLS server certificate for the Application Interface.
1. Navigate to the tab ACCESS in WebConf
3. New options will appear (see figure 5.5) and we create a CSR with Create CSR.
4. At that point we can download the CSR with Download CSR (see figure 5.6).
5. Now we’ll use the EJBCA Admin pages. In RA Functions press Search End Entities. In Search end entity with username write tls_app. The result is shown in figure 5.7.
6. Click Edit End Entity. A popup window will appear.
10. Finally, set Token to User Generated (see figure 5.9).
12. Under Enroll open Create Certificate from CSR (see figure 5.10).
16. As Result type choose PEM - full certificate chain (see figure 5.11).
17. Press OK.
18. At that point we save the PEM file with the name node1tlsappnew.pem (see figure 5.12).
19. Navigate to the Access tab in WebConf. As you see in fig. 5.6, we can Browse... for Next chain: and upload node1tlsappnew.pem.
20. Now activate the certificate chain on the server with Activate new cert (see figure 5.13). The procedure takes a while until the new TLS certificate is active (see figure 5.14).
21. We can verify that the server is using the new certificate by refreshing application
pages. We will be asked to confirm the new connection (see figure 5.15). Once this is
done, we can see the new certificate as shown on fig. 5.1.
22. When we verify the certificate that is used for the TLS connection, we can see that it is the one we created, with the new CN node1-tls-app-new, as in fig. 5.16.
From now on, each time we log in to the Application Interface the new TLS certificate will be used.
Use-Case: Upload a new trusted CA for TLS authentication and new superadmin certificate for Management Interface
In this exercise we will change the client certificate and update the trusted CA for the Management Interface using WebConf.
The new superuser certificate has to be issued by the same CA (MyCustomCA) that we will install for TLS authentication. First we have to provide the information about the certificate (MyUsername.pem) that will be used as superuser.
1. Open the WebConf and navigate to Access tab (see fig. 5.17)
Run as <user>
i In the subject value, slashes (/) have to be replaced with commas (,).
Figure 5.18: WebConf Access add a new client certificate for TLS authorization
4. Under the Trusted CAs for TLS client authentication section we Browse... for the MyCustomCA-chain.pem file (see fig. 5.19).
! It has to be the whole chain, from the issuer CA of the client certificate up to the trusted RootCA.
7. When the update is done, the new trusted configuration is used for authentication in the Management Interface (see fig. 5.21).
1. Open the EJBCA admin web, navigate to the Certification Authorities tab and use Import CA certificate... (see fig. 5.22) to upload all CA certificates that belong to the new trust chain. In our example these are MyTrustedRootCA and MyTrustedSubCA.
2. Open the Administrator Roles link and click Administrators next to Super Administrator Role, as shown in fig. 5.23.
3. Check the Subject DN and serial number of the client certificate that will be used to authenticate, using openssl:
Run as <user>
serial=2b4306acbf69224
4. Use the following values (see fig. 5.24) and press Add:
• CA: MyTrustedSubCA
• Match with: X.509: Certificate serial number (Recommended)
• Match type: Equal, case sens.
• Match value: 2b4306acbf69224
Figure 5.24: Configure the serial number of the trusted certificate in EJBCA
Now EJBCA is configured to accept this certificate. The last step is to configure WebConf so that the Application Interface also authenticates against MyTrustedSubCA-chain.pem.
5. Follow the same process for the Application Interface, in analogous ways as described in Use-Case: Upload a new trusted CA for TLS authentication and new superadmin certificate for Management Interface.
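Step 3 above reads the subject and serial with openssl, WebConf wants the subject with commas instead of slashes (see the note in the previous use-case), and the EJBCA match value is the bare hex serial as shown in step 4. As an added example that is not part of the manual, this Python code derives both values from the openssl output; the sample output is constructed (legacy one-line subject format, made-up values) and the function names are assumptions.

```python
import re

# Constructed sample of what `openssl x509 -noout -subject -serial` prints for a
# client certificate (legacy one-line subject format); the values are made up.
SAMPLE_OPENSSL_OUTPUT = """subject=/C=SE/O=Example Org/OU=R/D Unit/CN=MyUsername
serial=02B4306ACBF69224
"""

# A component boundary is a slash immediately followed by an attribute type and "=".
# A slash inside a value (OU=R/D Unit) is therefore not treated as a separator.
_COMPONENT_SPLIT = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")


def parse_openssl_output(text: str) -> dict:
    """Return the key=value lines openssl prints as a dict, e.g. {'subject': ..., 'serial': ...}."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def subject_to_webconf(openssl_subject: str) -> str:
    """Turn OpenSSL's slash-separated DN into the comma-separated form WebConf expects."""
    subject = openssl_subject.lstrip("/")
    parts = [p for p in _COMPONENT_SPLIT.split(subject) if p]
    return ",".join(parts)


def serial_to_ejbca_match_value(serial: str) -> str:
    """Normalize a certificate serial to the hex form used as EJBCA match value.

    OpenSSL prints upper-case hex, often with a leading zero so the byte count is
    even; the manual's match value (2b4306acbf69224) is lower case without that
    padding, and the match type is case sensitive, so normalize accordingly.
    """
    hexdigits = serial.strip().replace(":", "").lower()
    if not re.fullmatch(r"[0-9a-f]+", hexdigits):
        raise ValueError(f"not a hexadecimal serial: {serial!r}")
    return hexdigits.lstrip("0") or "0"


def admin_match_from_openssl(text: str, issuing_ca: str) -> dict:
    """Assemble the values entered in the Administrators dialog of step 4."""
    fields = parse_openssl_output(text)
    return {
        "CA": issuing_ca,
        "Match with": "X.509: Certificate serial number (Recommended)",
        "Match type": "Equal, case sens.",
        "Match value": serial_to_ejbca_match_value(fields["serial"]),
        "WebConf subject": subject_to_webconf(fields["subject"]),
    }


if __name__ == "__main__":
    for key, value in admin_match_from_openssl(SAMPLE_OPENSSL_OUTPUT, "MyTrustedSubCA").items():
        print(f"{key}: {value}")
```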
Chapter 6
Maintenance
The PKI Appliance may not be able to operate its services due to specific events like update installation, a RAID failure or similar. In order to avoid showing a customer endlessly long error messages, the PKI Appliance is set into a state that we call maintenance.
During maintenance all access to EJBCA/SignServer over HTTP(S) is disabled and each request serves a message stating that the system is undergoing maintenance and cannot be accessed right now.
6.1 PKI Appliance State
The PKI Appliance is in one of the following states:
• Operational
• Maintenance
• Offline
To find out which state the PKI Appliance is in, check WebConf (go to WebConf→Platform→Troubleshooting). The three states are described briefly in the following sections.
‘Operational’ State
The PKI Appliance is fully operational. All subsystems are working as expected.
‘Maintenance’ State
The PKI Appliance is in ‘Maintenance’ and application services are cut off due to an automatically detected reason.
‘Offline’ State
The PKI Appliance is in maintenance and application services are cut off due to a manual setting in WebConf.
Note:
1. This state is entered only if the manual setting has been activated and no other, automatically detected reason is present. Any automatically detected reason changes the state from ‘Offline’ to ‘Maintenance’. The ‘Offline’ setting would still be active but invisible. If all automatically detected reasons disappear, the PKI Appliance would still be in maintenance but again be in the ‘Offline’ state.
2. A customer cannot see a difference between ‘Offline’ and ‘Maintenance’, but an operator knows that an ‘Offline’ state indicates a maintenance set manually in WebConf. A ‘Maintenance’ state indicates a real-world problem and not a choice to take the PKI Appliance services offline.
3. Setting the PKI Appliance ‘Offline’ in WebConf during a ‘Maintenance’ that has been detected automatically can make sense. For example, an operator may want to check the integrity of the PKI Appliance after an incident before exposing services to customers again.
6.2 Reasons for Maintenance
The following automatically detected reasons put the PKI Appliance into ‘Maintenance’:
• RAID Failure
• HSM Alarm
• Database is Down
• Application Update
RAID Failure
If both SSD hard disk drives fail, the PKI Appliance would enter an inconsistent state that might not even trigger an error message until caches are finally flushed. Detection of a fatally broken RAID therefore enables ‘Maintenance’ and prevents any data from being created that cannot be recovered later.
HSM Alarm
If the embedded HSM has detected an alarm, the PKI Appliance enters ‘Maintenance’. It does not make sense to run EJBCA/SignServer without a working HSM, because all key material is erased by the HSM due to the alarm.
Database is Down
If the embedded database system stops operating (disk full, ...), the PKI Appliance enters ‘Maintenance’ until the database is available again.
Application Update
If an operator updates an application using WebConf, the PKI Appliance enters ‘Maintenance’ until the update procedure has finished.
Note: The ‘Offline’ state setting does not persist across a reboot of the PKI Appliance.
6.3 Effects
The following sections describe changes and information shown when the PKI Appliance is
operating in maintenance.
Notification Page
Every HTTP(S) request to EJBCA/SignServer leads to an HTTP 501 status code response showing a web page stating that the PKI Appliance is currently not operational and running in maintenance.
Note: OCSP requests also receive an HTTP 501 status code, with that notification page in the response body.
Front Display
Each time the PKI Appliance enters maintenance, the messages set on the front display include a message showing ‘MAINTENANCE (line break) Services unavail’.
The message is removed from the set when the PKI Appliance state switches back to operational.
WebConf
Troubleshooting Section
In WebConf→Platform→Troubleshooting all maintenance reasons are listed. Setting the PKI Appliance ‘Offline’ is reflected only in a change of the button ‘Offline’ to ‘Online’.
Warning Messages
During maintenance, each time an operator opens a page in WebConf a white-on-red message appears in the upper left showing ‘Services Unavailable’. After leaving maintenance this message disappears only once the page is reloaded or a new page is opened.
SNMP
If SNMP is enabled it will indicate the PKI Appliance state and also give a human readable
combined message of all reasons for maintenance. Further details can be found in section
SNMP.
Syslog
Syslog and avmserver.log will contain detailed messages about changing events leading to
state changes of the PKI Appliance.
Support Package
Each time the PKI Appliance enters maintenance a ‘Support Package’ is created. This even happens if the PKI Appliance has been set ‘Offline’ manually. Note: If the PKI Appliance is already in maintenance, no additional ‘Support Package’ is created. For example: if all SSD hard disk drives fail and minutes later the factory reset is triggered, only one ‘Support Package’ is created. Read more about ‘Support Packages’ in chapter 7.
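The state rules of this chapter (an automatic reason always wins over the manual ‘Offline’ setting, which stays active but invisible; one Support Package per entry into maintenance, also for a manual ‘Offline’; HTTP 501 for every application request while in maintenance; ‘Offline’ not surviving a reboot) are small enough to model precisely. The following Python class is an added example, not part of the manual or the appliance software; its name, methods and the assumption that automatic reasons are still present after a reboot are constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    OPERATIONAL = "Operational"
    MAINTENANCE = "Maintenance"
    OFFLINE = "Offline"


# The automatically detected reasons listed in section 6.2.
AUTOMATIC_REASONS = {"RAID Failure", "HSM Alarm", "Database is Down", "Application Update"}

HTTP_OK = 200
HTTP_NOT_IMPLEMENTED = 501  # status served with the maintenance notification page


@dataclass
class Appliance:
    """Constructed model of the PKI Appliance state rules described in this chapter."""
    offline_set: bool = False                  # manual 'Offline' button in WebConf
    active_reasons: set = field(default_factory=set)
    support_packages: int = 0
    _was_in_maintenance: bool = False

    def state(self) -> State:
        # Any automatic reason wins; the manual flag then stays active but invisible.
        if self.active_reasons:
            return State.MAINTENANCE
        if self.offline_set:
            return State.OFFLINE
        return State.OPERATIONAL

    def in_maintenance(self) -> bool:
        return self.state() is not State.OPERATIONAL

    def _after_change(self) -> None:
        # A Support Package is created on entering maintenance, not while staying in it.
        now = self.in_maintenance()
        if now and not self._was_in_maintenance:
            self.support_packages += 1
        self._was_in_maintenance = now

    def raise_reason(self, reason: str) -> None:
        if reason not in AUTOMATIC_REASONS:
            raise ValueError(f"unknown maintenance reason: {reason}")
        self.active_reasons.add(reason)
        self._after_change()

    def clear_reason(self, reason: str) -> None:
        self.active_reasons.discard(reason)
        self._after_change()

    def set_offline(self, value: bool) -> None:
        self.offline_set = value
        self._after_change()

    def reboot(self) -> None:
        # The 'Offline' setting does not persist across a reboot. Modelling assumption:
        # automatic reasons (e.g. an HSM alarm) are detected again after the restart.
        self.offline_set = False
        self._after_change()

    def http_status(self) -> int:
        """Status code an EJBCA/SignServer or OCSP request receives in the current state."""
        return HTTP_NOT_IMPLEMENTED if self.in_maintenance() else HTTP_OK

    def front_display(self) -> list:
        """Extra lines shown on the front display while in maintenance."""
        return ["MAINTENANCE", "Services unavail"] if self.in_maintenance() else []


if __name__ == "__main__":
    box = Appliance()
    box.set_offline(True)            # operator takes services offline: one Support Package
    box.raise_reason("RAID Failure")  # state becomes Maintenance, no second package
    box.clear_reason("RAID Failure")  # back to Offline, the manual flag was still active
    print(box.state(), box.http_status(), box.support_packages)
```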
Chapter 7
Support Package
Basically, a ‘Support Package’ is an archive file that contains a snapshot of all relevant PKI Appliance subsystem logging files and some additional configuration and debugging details.
‘Support Packages’ are created and stored on the PKI Appliance. They can be downloaded using an operator’s access to WebConf→Platform→Support. Up to ten Support Packages are stored. Any additionally created Support Package deletes the oldest one stored.
• sfp_ips_client_stderr,stdout: IP configuration
Part IV
Chapter 8
Certificate Life Cycle Management
8.1.3 Verification
Once an end entity or certificate is issued, administrators can verify the information related to that end entity or certificate prior to delivering it to the end entity for use. While this is an optional step, it is recommended during initial testing and deployment to ensure proper configuration of end entity profiles and other operational functions, via a quick command line verification of the information being issued.
Subordinate CA
A subordinate CA (sub CA) is an entity that is trusted by the root. A sub CA is usually
created for organisational, functional, security or other commercial and non-commercial
reasons. While it may be functionally possible to issue all certificates from a single CA,
this is often not desirable for security and organisational reasons. For example, a
Qualified CA (QC) issues certificates for digital signatures that are legally equivalent
to ordinary binding signatures; the compliance requirements for such certification
authorities demand that a dedicated CA be used for issuing qualified certificates.
Sub CAs may also be created on a functional basis, for example:
• Authentication CA
• Signing CA
• Encryption CA
• Human resources CA
• Finance CA
• Document Verifier CA
• Finance Signing CA
• Finance Authentication CA
For second generation electronic documents, the following certification authority hier-
archy applies
Certification authorities can also be classified based on the format of certificates issued.
Chapter 9
Creating a CA Hierarchy
This exercise creates several CAs to illustrate how certification authorities are set up. To
illustrate certificate life cycle management using EJBCA, the following CAs are created:
5. Going back to Certificate Profiles, the new profile is now displayed among the
others (fig. 9.5).
4. Populate the form with the following values as shown in fig. 9.7
! Make sure that you have manually generated a slot password for that slot!
5. Click Save
6. In the settings page the message CryptoToken created successfully is shown. Create
the following keys as shown in fig. 9.8:
• In the section below, enter defaultKey as the key alias, choose RSA 4096 and click
the Generate new key pair button.
• Next click the Test button. The message signKey tested successfully should be
shown.
• Enter testKey with RSA 1024 and click the Generate new key pair button. The
message testKey tested successfully should be shown. The test key is only used by
the Test button to check that the token is operational; it never signs certificates or
CRLs, which is why a short key is acceptable for it.
Creating a RootCA
This section covers the actual creation of the RootCA.
1. Click on Certification Authorities.
2. Enter RootCA in the Add CA field (fig. 9.9).
3. Click on Create.
9. CRL Expire Period (*d *h *m) defines how long a CRL is valid for. Enter 2d
into this field.
10. CRL Issue Interval (*d *h *m) defines how often CRLs are issued. Enter 0d. A
value of 0 means that a new CRL is generated only when the current one is about to
expire (at the end of the expire period, less the overlap time), so each CRL is valid for
two days and its successor is issued shortly before that. To issue a fresh CRL every
day while keeping the two-day validity, enter 1d instead.
i This value (the CRL overlap time) defines for how many minutes both the old and
the new CRL are valid at the same time. For example, with thirty minutes of overlap
a new CRL is issued thirty minutes before the current one expires, so relying parties
that refresh the CRL close to its expiry never see a gap.
7. Choose 4096 in Available bit lengths and 5y for Validity(*y *mo *d) or end
date of the certificate (fig. 9.16)
9. In Key Usage check only Key certificate sign and CRL sign (fig. 9.17)
10. Under section Other data and in Available CAs choose RootCA (fig. 9.18)
3. Provide SubCAEndEntityProfile in the text field and press Add (see fig. 9.19)
6. Under Subject DN Attributes , Add the following values as shown in fig. 9.20
7. Under Main certificate data choose the following values as shown in figure 9.21
8. Click Save
• When a CSR is created and has to be signed by the RootCA, no other import (the
RootCA certificate) is needed; the chain is generated automatically (as in step 11).
• When certificate enrollment is done from a CSR, PEM - Certificate only is sufficient
as Result type (as in step 16).
If the RootCA certificate is to be imported into a PKI Appliance that is online, the
procedure below describes how:
5. Navigate to Certification Authorities in PKI Appliance node A where the pem file
will be imported.
4. Populate the form with the following values as shown in fig. 9.25
! Make sure that you have manually generated a slot password for that slot!
5. Click Save
6. In the settings page the message CryptoToken created successfully is shown. Create
the following keys as shown in fig. 9.26:
• In the section below, enter defaultKeySignCA as the key alias, choose RSA 4096
and click the Generate new key pair button
• Next click the Test button. The message signKeySignCA tested successfully
should be shown.
• Enter testKeySignCA with RSA 1024 and click the Generate new key pair
button. The message testKeySignCA tested successfully should be shown.
Creating SignCA
This section involves the actual creation of the SignCA
1. Click on Certification Authorities.
3. Click on Create... .
8. CRL Expire Period (*d *h *m) defines how long a CRL is valid for. Enter 12h
into this field.
9. CRL Issue Interval (*d *h *m) defines how often CRLs are issued. Enter 0. With
0, a new CRL is generated when the current one is about to expire (twelve hours after
issuance, less the overlap time), so each CRL is valid for twelve hours. Anything that
fetches this CA's CRLs, such as a VA using the CRL Downloader service, must do so
more often than that or it will serve stale revocation data.
i This value (the CRL overlap time) defines for how many minutes both the old and
the new CRL are valid at the same time. For example, with thirty minutes of overlap
a new CRL is issued thirty minutes before the current one expires.
i This step is NOT needed if the RootCA has been imported as an External CA.
Otherwise, RootCA.pem can be downloaded from the Public Web of the PKI Appliance
on which the RootCA is installed.
13. This will give the option to download or copy the request. In this case save the .csr
file with Save File (see fig. 9.32)
14. At that point check the status of the CAs. Click Certification Authorities under
CA Functions. Status for SignCA is Waiting for Certificate Response
15. Back in the PKI Appliance where the RootCA is installed (node B), create an End
Entity to which the SignCA certificate will be bound. Navigate to RA Functions ->
Add End Entities and provide the following values (see fig. 9.33):
Figure 9.33: Create an End Entity for SignCA in the PKI Appliance where RootCA is installed.
16. Click under Enroll -> Create Certificate from CSR and fill values with the following:
(see fig. 9.34)
• Click OK
18. Go back in the PKI Appliance where SignCA is installed (node A). Click Certification
Authorities, highlight SignCA, (Waiting for Certificate) and press Edit CA
19. Under Externally signed CA creation/renewal section and Step 2: Browse... for
the SignCA.pem (see fig. 9.36)
21. Navigating to Certification Authorities we will see that SignCA is now active
(see fig. 9.37).
4. Populate the form with the following values as shown in fig. 9.38
! Make sure that you have manually generated a slot password for that slot!
5. Click Save
6. In the settings page the message CryptoToken created successfully is shown. Create
the following keys as shown in fig. 9.39:
• In the section below, enter defaultKeyAuthCA as the key alias, choose RSA 4096
and click the Generate new key pair button
• Next click the Test button. The message signKey tested successfully should be
shown.
• Enter testKeyAuthCA with RSA 1024 and click the Generate new key pair
button. The message testKey tested successfully should be shown.
Creating AuthCA
This section involves the actual creation of the AuthCA
3. Click on Create... .
8. CRL Expire Period (*d *h *m) defines how long a CRL is valid for. Enter 12h
into this field.
9. CRL Issue Interval (*d *h *m) defines how often CRLs are issued. Enter 0. With
0, a new CRL is generated when the current one is about to expire (twelve hours after
issuance, less the overlap time), so each CRL is valid for twelve hours.
i This value (the CRL overlap time) defines for how many minutes both the old and
the new CRL are valid at the same time. For example, with thirty minutes of overlap
a new CRL is issued thirty minutes before the current one expires.
file.
i This step is NOT needed if the RootCA has been imported as an External CA.
Otherwise, RootCA.pem can be downloaded from the Public Web of the PKI Appliance
on which the RootCA is installed (see Use-Case: Import RootCA as External CA in
node A).
13. This will give the option to download or copy the request. In this case save the .csr
file with Save File (see fig. 9.45)
14. At that point check the status of the CAs. Click Certification Authorities under
CA Functions. Status for AuthCA is Waiting for Certificate Response (see fig.
9.46)
15. Back in the PKI Appliance where the RootCA is installed (node B), create an End
Entity to which the AuthCA certificate will be bound. Navigate to RA Functions ->
Add End Entities and provide the following values (see fig. 9.47):
Figure 9.47: Create an End Entity for AuthCA in the PKI Appliance where RootCA is
installed.
16. Click under Enroll -> Create Certificate from CSR and fill values with the following:
(see fig. 9.48)
18. Go back in the PKI Appliance where AuthCA is installed (node A). Click Certification
Authorities, highlight AuthCA, (Waiting for Certificate) and press Edit CA (see
fig. 9.50)
19. Under Externally signed CA creation/renewal section and Step 2: Browse... for
the AuthCA.pem (see fig. 9.51)
21. Navigating to Certification Authorities we will see that AuthCA is now active
(see fig. 9.52).
4. Populate the form with the following values as shown in fig. 9.53
! Make sure that you have manually generated a slot password for that slot!
5. Click Save
6. In the settings page the message CryptoToken created successfully is shown. Create
the following keys as shown in fig. 9.54:
• In the section below, enter defaultKeySSLCA as the key alias, choose RSA 4096
and click the Generate new key pair button
Creating SSLCA
This section involves the actual creation of the SSLCA
3. Click on Create... .
8. CRL Expire Period (*d *h *m) defines how long a CRL is valid for. Enter 12h
into this field.
9. CRL Issue Interval (*d *h *m) defines how often CRLs are issued. Enter 0. With
0, a new CRL is generated when the current one is about to expire (twelve hours after
issuance, less the overlap time), so each CRL is valid for twelve hours.
i This value (the CRL overlap time) defines for how many minutes both the old and
the new CRL are valid at the same time. For example, with thirty minutes of overlap
a new CRL is issued thirty minutes before the current one expires.
i This step is NOT needed if the RootCA has been imported as an External CA.
Otherwise, RootCA.pem can be downloaded from the Public Web of the PKI Appliance
on which the RootCA is installed (see Use-Case: Import RootCA as External CA in
node A).
13. This will give the option to download or copy the request. In this case save the .csr
file with Save File (see fig. 9.60)
14. Back in the PKI Appliance where the RootCA is installed (node B), create an End
Entity to which the SSLCA certificate will be bound. Navigate to RA Functions ->
Add End Entities and provide the following values (see fig. 9.61):
Figure 9.61: Create an End Entity for SSLCA in the PKI Appliance where RootCA is installed.
15. Click under Enroll -> Create Certificate from CSR and fill values with the following:
(see fig. 9.62)
17. Go back in the PKI Appliance where SSLCA is installed (node A). Click Certification
Authorities, highlight SSLCA, (Waiting for Certificate) and press Edit CA (see
fig. 9.64)
18. Under Externally signed CA creation/renewal section and Step 2: Browse... for
the SSLCA.pem (see fig. 9.65)
20. Navigating to Certification Authorities we will see that SSLCA is now active (see
fig. 9.66).
Create Certificate Profile for End Entities that will use AuthCA
This section involves the creation of the Certificate Profile for the End Entities that will use
AuthCA
3. Click on Add .
8. In the Key Usage section check Digital Signature and Key encipherment
10. Choose AuthCA from Available CAs under Other data (see fig. 9.69)
Create Certificate Profile for End Entities that will use SignCA
This section involves the creation of the Certificate Profile for the End Entities that will use
SignCA
3. Click on Add .
10. Choose SignCA from Available CAs under Other data (see fig. 9.73)
Create Certificate Profile for End Entities that will use SSLCA
This section involves the creation of the Certificate Profile for the End Entities that will use
SSLCA. For that purpose we will clone a template.
5. Back in Certificate Profiles click Edit for the newly created profile.
10. In the Key Usage section check Digital Signature and Key encipherment
11. In Extended Key Usage choose Server Authentication as shown in fig. 9.75
12. Under Other data in Available CAs choose SSLCA (see fig. 9.76)
3. Click Add .
8. Provide the values EJBCA Course and SE in the respective fields above (see fig. 9.78).
9. Check Modifiable for CN, Common name but not for the other values.
13. In Available Tokens choose User Generated and P12 file (see fig. 9.79)
Figure 9.79: Main certificate data for AuthCA End Entity Profile.
3. Click Add .
4. Highlight SignCAEndEntityProfile from List of End Entity Profiles (see fig. 9.80)
8. Provide the values EJBCA Course and SE in the respective fields above (see fig. 9.81).
10. Under Main certificate data choose SignCAEndEntityCertificateProfile for both De-
fault Certificate Profile and Available Certificate Profile.
Figure 9.82: Main certificate data for SignCA End Entity Profile.
3. Highlight SslServerProfile
5. Highlight SSLCAEndEntityProfile from List of End Entity Profiles (see fig. 9.83)
9. Provide the values EJBCA Course and SE in the respective fields above (see fig. 9.84).
11. Under Main certificate data choose SSLCAEndEntityCertificateProfile for both De-
fault Certificate Profile and Available Certificate Profile.
14. In Available Tokens choose P12 file , User Generated , JKS file and PEM file
(see fig. 9.85)
Figure 9.85: Main certificate data for SSLCA End Entity Profile.
9.10 Use-Case: Create End Entities that will use the SubCAs
Now that CAs and Profiles are configured it is time to add some End Entities which will use
those SubCAs.
First the End Entities are created, providing the values required by the End Entity
Profile. Then either a browser certificate or a keystore is created for them.
2. Provide the various fields with the following values (see fig.9.86) :
• CA : SSLCA
• Token : P12 file
• Click Add .
7. Click OK
9. Click on Enroll
10. The next step is to save the testsrv.course.p12 keystore (see fig. 9.89)
2. Provide the various fields with the following values (see fig.9.90) :
• CA : AuthCA
• Token : P12 file
• Click Add .
7. Click OK
7. Click OK
Chapter 10
Managing End Entities
2. Enter Auth_User_1 in the Search end entity with username text field.
3. Click on Search
It is also possible to provide an online checking service through which a third party can
check the validity of a certificate.
2. Enter Auth_User_1 in the Search end entity with username text field.
3. Click on Search
6. Click on Revoke
7. A message will appear asking if you are sure you want to revoke the certificate, click
on Ok to accept.
2. Enter Auth_User_1 in the Search end entity with username text field and click on
Search
6. Click on Save
9. Click on OK
11. Click OK
Part V
VA Setup
Chapter 11
Setting up a VA
• The first one describes the setup where the CA-Appliance connects directly to the
VA-Appliance via a Peer Connector, as shown in fig. 11.1.
This configuration is described in:
• The second setup is more involved: the CA-Appliance publishes CRLs to an external
server and the VA-Appliance uses the CRL Downloader service to fetch the CRLs from
that server (see fig. 11.2). It is described in:
– Use-Case: Set up a VA-Appliance which fetches CRLs from external server, which
shows how to set up the VA-Appliance to get CRLs from the external server.
2. Rename the ManagementCA to PeerMgmtCA by highlighting the first one and, while
providing the second one in the Add field, pressing Rename as shown in fig. 11.3.
Now it is time to get the certificate of the PeerMgmtCA. It will be used for the
installation of the VA-Appliance instance.
3. In Public Web under Retrieve section open Fetch CA Certificates see fig. 11.4
4. The certificate can be downloaded via Download as PEM next to CA Certificate: (see
fig. 11.5)
Now it is time to install the VA-Appliance. The installation steps to follow are
described in Using External CA for Installation, except for the steps referenced
below:
5. When prompted to configure network values, choose a name that describes the
function of that PKI Appliance, as in fig. 11.6
6. Choose the Use existing Management CA and Browse... for the .pem file that
has been downloaded in a previous step (see fig. 11.7)
7. Once the .pem is uploaded, fill the SuperAdmin full Subject DN: with the one that
was used in the CA-Appliance (see fig. 11.8).
Continue with the rest of the setup and finish the installation of the VA-Appliance.
8. In VA-Appliance, navigate in ACCESS tab (in WebConf) and copy the value of Issuer:
CN= as shown in fig. 11.9
Back in the CA-Appliance we create an end entity to which the new TLS certificate
will be issued.
9. In the AdminWeb of the CA-Appliance create a new end entity via Add End Entity
and provide the following values (see fig. 11.10 and 11.11):
Figure 11.11: Create End Entity in CA-Appliance for VA TLS connections cont.
• A new button will be displayed to create the CSR. Press Create CSR (see
fig. 11.12)
• Press Download CSR and save the file as shown in fig. 11.13
11. In PublicWeb of CA-Appliance open Create Certificate from CSR (see fig. 11.14).
12. Provide the Username and Enrollment code that were used when adding the end
entity and Browse... for the .csr.pem file downloaded before (see fig. 11.15).
14. Press OK
16. In VA-Appliance upload the signed request via Browse... (see fig. 11.13)
17. The Next Issuer: is displayed now (see fig. 11.17). Press Activate new cert .
The new configuration will take some seconds to be updated (see fig. 11.18).
26. Provide the following values for the connector setup (see fig. 11.22):
• Name: VA1
• URL: https://<application_VA_IP>:443/ejbca/peer/v1
• Authentication Key Binding: Identity created during installation
• Enabled: ticked
27. Press Create
30. We now have the option to either assign an existing role Super Administrator Role
or - Create new role - (see fig. 11.25)
For that connection we will create a new role (see fig. 11.26).
33. Rename Role: as CA_Peer and enable Generic rules:, CAs: and all Publishing:
options (see fig. 11.27)
34. In CA-Appliance manage the peer connector by opening Peer Systems and press
Manage as shown in fig. 11.28
37. The result of that configuration is that the CA peer is now authorized to connect to
the VA peer and perform the actions configured for it in the previous step.
i In the Status field we can see that 3 has been added (see fig. 11.30).
! Make sure that you have manually generated a slot password for that slot!
• In the settings page the message CryptoToken created successfully is shown.
• Enter signKey with RSA 2048 and click the Generate new key pair button
• Next click the Test button. The following message should be visible signKey
tested successfully.
2. Create new key binding via Create new... link (see fig. 11.32).
3. Provide the following values to set up the key binding (see fig. 11.33):
• Name: VA OcspKeyBinding
• Crypto Token: OCSP key
• Key Pair Alias: signKey
• ResponderID: KEYHASH
• Include signing certificate in response: checked
• Include certificate chain in response: checked
• Press Create
The result is the creation of the key binding and we get the following message: VA
OcspKeyBinding created with id 1255634201 as shown in fig. 11.34.
9. Press Add .
10. Highlight OCSPEndEntityProfile and press Edit End Entity Profile (see fig.
11.36).
13. In the same menu choose C, Country , enable Required and provide SE (see fig.
11.37)
14. Under the Main certificate data section configure the following values (see fig. 11.38):
15. Open Add End Entity in CA-Appliance and provide the following values (see fig.
11.39):
16. In Public Web of CA-Appliance click Create Certificate from CSR and fill the text
fields with following (see fig. 11.40):
• Username: OCSP_end_entity
• Enrollment code: foo123
• Request file: Browse... for the CSR we downloaded in previous step.
• Result Type: PEM - full certificate chain
• Press OK
Figure 11.40: .
19. Under Import externally issued certificate section use Browse... to upload the
signed CSR (see fig. 11.42).
21. In the same page we have to enable the key binding with Enable button (see fig.
11.43).
27. Now highlight VA1 Publisher and press Edit Publisher (see fig. 11.45).
29. Back in the CA-Appliance, via the Search End Entities link, view the certificate
that belongs to the end entity of interest and download it as
<certificate_to_be_controlled>.pem
30. Run the following command to check its validity against the OCSP setup:
Run as <user>
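The verification command at step 30 is not reproduced on this page. The script below is an added example, not the manual's command and not PrimeKey code: it builds a throw-away RootCA → SubCA → end-entity hierarchy with the openssl CLI, using the same key usages as the RootCA and SSLCA certificate profiles in chapter 9, performs the kind of command-line check of an issued certificate that section 8.1.3 recommends, and then answers and verifies an OCSP request for a valid and for a revoked certificate entirely offline, with a key-hash ResponderID like the KEYHASH setting of the VA key binding. It assumes openssl 1.1.1 or later on PATH; the CA names, serial numbers, the index.txt entries and the hostname testsrv.course are invented for the demo. Against a real VA-Appliance the client-side check is the same openssl ocsp call with -url pointing at the responder instead of -respin.

```shell
#!/bin/sh
# Added example, not from the PrimeKey manual: a throw-away RootCA -> SubCA -> leaf
# hierarchy built with openssl, then an OCSP request answered and verified offline.
# Assumptions: openssl 1.1.1+ on PATH; all names, serials and testsrv.course are made up.
set -eu
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Minimal req config so the demo does not depend on the system openssl.cnf
printf '[req]\ndistinguished_name = dn\n[dn]\n' > req.cnf

# Extension files: what the certificate profiles of chapter 9 put into the certificates
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' > ca.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\nsubjectAltName=DNS:testsrv.course\n' > tls.ext
printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,digitalSignature\nextendedKeyUsage=OCSPSigning\n' > ocsp.ext

# key pair + CSR: $1 = file prefix, $2 = subject DN
csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1.key" 2>/dev/null
  openssl req -new -config req.cnf -key "$1.key" -subj "$2" -out "$1.csr" 2>/dev/null
}

# sign a CSR: $1 = prefix, $2 = issuer prefix, $3 = extension file, $4 = serial
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -set_serial "$4" \
    -days 365 -sha256 -extfile "$3" -out "$1.pem" 2>/dev/null
}

make_hierarchy() {
  csr root "/C=SE/O=EJBCA Course/CN=RootCA"
  openssl x509 -req -in root.csr -signkey root.key -set_serial 1 -days 3650 -sha256 \
    -extfile ca.ext -out root.pem 2>/dev/null
  csr sub "/C=SE/O=EJBCA Course/CN=SSLCA";            sign sub root ca.ext 0x10
  csr ocsp "/C=SE/O=EJBCA Course/CN=VA OCSP signer";  sign ocsp sub ocsp.ext 0x20
  csr leaf "/C=SE/O=EJBCA Course/CN=testsrv.course";  sign leaf sub tls.ext 0x1001
  csr gone "/C=SE/O=EJBCA Course/CN=gone.course";     sign gone sub tls.ext 0x1002
  cat sub.pem root.pem > chain.pem
  # openssl's index.txt database (constructed): V = valid, R = revoked at the given time.
  # Serials are matched as upper-case hex against the certificate serial number.
  printf 'V\t350101000000Z\t\t1001\tunknown\t/CN=testsrv.course\n' > index.txt
  printf 'R\t350101000000Z\t240601120000Z\t1002\tunknown\t/CN=gone.course\n' >> index.txt
}

# Chain check of an issued certificate (the 8.1.3 style verification): prints OK or FAIL
verify_chain() {
  openssl verify -CAfile root.pem -untrusted sub.pem "$1" >/dev/null 2>&1 && echo OK || echo FAIL
}

# Key usage of a certificate as openssl prints it (second line of the extension dump)
key_usage() {
  openssl x509 -in "$1" -noout -ext keyUsage | sed -n '2s/^ *//p'
}

# OCSP round trip without a network: build the request, let openssl answer it from
# index.txt with a key-hash ResponderID (the KEYHASH setting of the VA key binding),
# then verify the response the way a relying party does. Prints good/revoked/unknown,
# or verify-failed when the response signature or signer chain is not trusted.
ocsp_status() {
  openssl ocsp -issuer sub.pem -cert "$1" -no_nonce -reqout req.der >/dev/null 2>&1
  openssl ocsp -index index.txt -CA sub.pem -rsigner ocsp.pem -rkey ocsp.key -resp_key_id \
    -no_nonce -reqin req.der -respout resp.der -noverify >/dev/null 2>&1
  out=$(openssl ocsp -respin resp.der -issuer sub.pem -cert "$1" -CAfile chain.pem -no_nonce 2>&1) || true
  case "$out" in
    *"Response verify OK"*) printf '%s\n' "$out" | sed -n "s|^$1: ||p" ;;
    *) echo verify-failed ;;
  esac
}

make_hierarchy
echo "leaf chain:     $(verify_chain leaf.pem)"
echo "root key usage: $(key_usage root.pem)"
echo "leaf OCSP:      $(ocsp_status leaf.pem)"
echo "gone OCSP:      $(ocsp_status gone.pem)"
```

The `-index` responder mode is openssl standing in for the VA; what a relying party actually sees is only the last `openssl ocsp` call. Its response must verify against the trust anchors, and the signer must either be the issuing CA itself or hold a certificate with the OCSP Signing extended key usage from that CA, which is what the OCSPEndEntityProfile above provides. Only once "Response verify OK" is printed does the good/revoked status mean anything.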
3. In CRL Specific Data, next to External CRL Distribution Point, provide the URL of the external server where the CRL is located (see fig. 11.48).
6. Highlight CRL Downloader (Inactive) and Edit Service (see fig. 11.49)
7. Setup the service with the following values as shown in fig. 11.50:
• Period: 1 Days
• Active: enabled
• Pin to Specific Node(s): cos-ejbca
• Press Save
Now that we have configured the service to download CRLs from the external server, we have to configure the OCSP key binding that the VA-Appliance uses to sign the responses to OCSP requests.
This procedure is described in Use-Case: Create OCSP Key Binding in VA and publisher in CA-Appliance, steps 1 - 24. Only some naming references differ. Please note the changes that have to be considered:
Run as <user>
Part VI
Chapter 12
Separation of privileges
CA administrator
A CA administrator can manage certificate profiles, end entity profiles, log configuration
and create RA administrators.
RA administrator
An RA administrator can create, modify, revoke, and delete end entities. An RA
administrator can view existing end entities and their audit history.
Supervisor
A Supervisor can view existing end entities and search the EJBCA log to see end entity
audit history.
Super Administrator
The Super Administrator has overall access to EJBCA and can edit system configuration, manage CAs, and create publishers (LDAP, AD, and custom). The Super Administrator can also create CA administrators.
In this exercise you will utilize all four administrator roles that exist in EJBCA. You
will log into the administrative web interface to use the different administrator roles and
graphically view the interface differences for each role.
1. In the browser on the host machine, open the Administration web interface
6. Select AdministratorCertificateProfile .
9. Select ManagementCA .
Creating a New End Entity Profile for the End Entities Using the Administrator CA
You will create a new end entity profile that you will use to create new administrators.
1. Using a web browser, open the Administration web interface and click on End Entity
Profiles.
• CA Administrator
– Username = CA_Administrator
– CN = CA Administrator
• RA Administrator
– Username = RA_Administrator
– CN = RA Administrator
• Supervisor
– Username = Supervisor_Administrator
– CN = Supervisor Administrator
• Super Administrator
– Username = SuperAdministrator
– CN = Super Administrator
3. For the End Entity Profile, choose your end entity profile: AdministratorEndEntityProfile
7. Click Add
10. Enter the user name and password for the user you created.
11. Click OK
12. For Key length choose 2048 bit key (HIGH GRADE if you are using Firefox).
13. Click OK
After the certificates have been generated they should appear in your browser (Firefox,
Safari or Internet Explorer).
3. Click the Add link located at the bottom center of the page.
4. Enter CAAdministratorGroup when prompted for a new name and then click the OK
button.
5. Click the Access Rules link next to the newly created CAAdministrator Group.
7. From the Authorized CAs list box, select AuthCAv1 and SSLServerCAv1.
3. Enter CA_Administrator in the Search end entity with username text field and then
click the Find button.
4. Click View Certificates. Doing so opens a new window or tab (depending on your browser's configuration).
5. Copy the value of the Certificate Serial Number using Ctrl-C or Command-C depending on the host operating system (Windows/Linux or Apple respectively).
6. Click the Close button and then select the Administrative web interface tab or
window containing the search results.
9. Select ManagementCA from the CA popup menu. Leave the Match with and
Match type popup menus with their default values.
10. Paste the value of Certificate Serial Number in the Match Value field.
This process makes the entity associated with that certificate serial number a member of the
CAAdministratorsGroup.
3. Click the Add link located at the bottom center of the page.
9. In the Edit End Entity Profiles list box, select AuthEndEntityProfile and SSLServerEndEntityProfile.
3. Enter RA_Administrator in the Search end entity with username field and then
click the Find button.
4. Click the View Certificates link located to the right of the search results. Doing so
opens a new window or tab (depending on your browser’s configuration).
5. Copy the value of the Certificate Serial Number, using Ctrl-C or Command-C depending on the host operating system (Windows/Linux or Mac OS X respectively).
6. Click the Close button and reselect the administrative web interface tab or window
containing the search results.
9. Select ManagementCA from the popup menu, leave the Match with and Match
type popup menus with their default values.
10. Paste the value of Certificate Serial Number in the Match Value
8. In the Edit End Entity Profiles list box select AuthEndEntityProfile and SSLServerEndEntityProfile.
3. Enter Supervisor_Administrator in the Search end entity with username text field
and click on the Find button.
4. Click on the View Certificates link to the right of the search results; this will open a new window or tab (depending on your browser's configuration).
5. Copy the value of Certificate Serial Number, using Ctrl-C or Command-C depending on the host operating system (Windows/Linux or Mac OS X respectively).
6. Click the Close button and then reselect the Administrative web interface tab or
window containing the search results.
7. Click the Administrator Roles link located in the System Functions group.
9. Select ManagementCA from the popup menu. Leave the Match with and Match
type popup menus with their default values.
10. Paste the value of Certificate Serial Number in the Match Value.
4. Click the View Certificates link located to the right of the search results. Doing so
opens a new window or tab (depending on your browser’s configuration).
5. Copy the value of Certificate Serial Number, using Ctrl-C or Command-C depending on the host operating system (Windows/Linux or Mac OS X respectively).
6. Click the Close button and reselect the Administrative web interface tab or window
containing the search results.
9. Select ManagementCA from the popup menu. Leave the Match with and Match
type popup menus with their default values.
10. Paste the value of Certificate Serial Number in the Match Value.
Log in to the EJBCA Admin web by closing the browser and then opening it to the same
URL again. You should see a list with all of the different administrators. Log in as each
administrator type to see the differences among them.
Security Officers
Having overall responsibility for administering the implementation of the security policies and practices.
Registration Officers
Responsible for approving end entity certificate generation/revocation/suspension.
System Administrators
Are authorised to install, configure and maintain TWSs, but with controlled access to security-related information.
System Operators
Are responsible for operating TWSs on a day-to-day basis. Authorised to perform system backup and recovery.
System Auditors
Authorised to view archives and audit logs of TWSs.
Chapter 13
Key Recovery
Key recovery is the use of the CA to recover private keys. The CA is able to recover the
keys because it stores them in an encrypted format in the database.
Key recovery can be used for the following types of certificates:
• Encryption
This is because if a file is encrypted using a public key, the private key is required to retrieve it. If the private key is lost, the encrypted data is lost forever.
Key recovery should never be used for the following certificate types:
• Authentication
• Digital Signing
If the digital signing private key is lost, the easiest way to continue operations is to have another digital signing certificate issued with a newly-generated key pair. The data in the signed documents is never lost, and all digital signatures created before the key was lost and the certificate revoked will still be valid.
Key recovery does not have a role in the retrieval of authentication certificates. If the private key is lost, the easiest way to continue operations is to issue a new authentication certificate with a newly-generated key pair. Since best practice dictates that an authentication key never encrypts persistent data (only session data, which is useless within seconds), there is no need to back up the private key. All authentication prior to the revocation of the certificate is still valid.
9. For Key Recoverable select the following options: Use, Default, Reuse old certificate and Required.
8. Click Add
9. Click the Public Web link to open the public web interface.
11. Enter the user name and password for the user you created.
12. Click OK.
14. Click OK
3. Enter keyrec-user1 in the Search end entity with username text field.
4. Click Search and from the results click View Certificates link for keyrec-user1.
8. Click Save.
12. Enter the user name and password for the user you created.
13. Click OK.
14. For Key length choose 2048 bits key (the key size does not matter since it will
recover the old key).
Chapter 14
Approval Process
The Approvals process is one way to enforce dual control. When approvals are activated, one
additional administrator is required to accomplish the task. This also provides a mechanism
in which external registration authorities (RA) can validate a user’s information to ensure
that they should be getting a certificate and then place them into an approvals queue for
approval by an administrator. EJBCA supports approvals for adding and editing end entities.
This means that one administrator or administrative process alone will not be able to issue
a certificate for a specified end entity. This is often a good choice if your organisation must
provide checks and balances to the certificate issuance process. The Approvals workflow
for the key recovery process ensures that no single administrator can perform key recovery.
For example, an encryption key used to encrypt/decrypt classified information cannot be
recovered by a single individual. It will require at least two administrators to accomplish
this task, thus providing a safeguard. The Approvals for revocation workflow provides that
two or more administrators are required to approve a revocation request. Depending on the
setup of the infrastructure, this might not be desirable since you typically want to be able to
revoke a rogue certificate as fast as possible. However, in certain instances this functionality
may be desirable or even required.
The Approvals for CA-token activation workflow can ensure that no single individual can
activate a CA. Because the CA is a powerful tool capable of issuing credentials for your
organisation, this workflow is commonly used. For example, this is recommended for root
CA deployments to ensure that no single person can create new CA(s) for the organisation.
1. Using a web browser on the host system, open the Administrative web interface. Select
the SuperAdmin user.
2. Click the Admin Web > CA Functions > Certification Authorities link.
5. Select the Add/Edit End Entity in the Approval Settings list box.
8. In the Administrative web interface select Admin Web > System Functions > Administrator
Roles link.
10. Add Approve End Entities in the End Entity Rules list box.
12. Click Admin Web > RA Functions > Add End Entity link.
13. Select the AuthEndEntityProfile from the End Entity Profile popup menu.
14. Enter the following values in the associated text boxes, leaving all others at their
default values:
• Username = approval_user1
• Password = foo123
• CN = Approval User 1
1. In the Administrative web interface, select Supervisor Functions > Approve Actions.
2. You should see Add End Entity. Approve the end entity by clicking the Approve
button
Note: The approval window is a popup window. You must have popups enabled in your browser to approve a certificate.
5. Enter the user name and password for the user you created.
6. Click OK.
7. For Key length choose 2048 bit key (HIGH GRADE for Firefox).
8. Click Enroll
5. Deselect the Add/Edit End Entity in the Approval Settings list box.
Chapter 15
Timed Services
EJBCA provides a number of time-triggered services. These are similar to cron jobs in Linux-based environments or Windows services in Windows-based environments. These jobs can be configured to run at specific intervals. The services provided by EJBCA are the CRL Issuer and Custom Service.
1. Open the Admin Web Interface in your browser on the host system
4. Click Add
10. In the Period field, enter 30 and then select minutes from the popup menu
11. For the Select Action popup menu leave the No Action default setting
• The crypto token is a PKCS#11 crypto token, i.e. it has a PKCS#11 library path configured.
If these conditions are met, a test signature with the testKey is performed. In addition, if security audit log protection is configured, a test string is protected with the security audit log protection, which also tests that crypto token (it is not available among the crypto tokens in the GUI).
This ensures that all configured PKCS#11 slots are used regularly, preventing connection timeouts that could lead to service downtime. You only need to enable this service if you encounter HSM timeouts. The occurrence of such timeouts depends on the specific HSM used, networking equipment etc.
Chapter 16
There are limited customization options available for configuring both the public and administrative web GUI.
• English
• German
• Spanish
• French
• Italian
• Japanese
• Portuguese
• Swedish
4. Click Save
7. Click Save
Chapter 17
Key Management
PrimeKey's PKI Appliance has a built-in FIPS 140-2 Level 3 certified HSM. It is used to generate and store the cryptographic keys used by the CAs and to perform all signing operations during issuance of certificates and CRLs and when answering OCSP requests. The keys can be managed in the Crypto Tokens menu in EJBCA.
The following HSM manufacturer is used in the PKI Appliance:
• Name: Crypto_HSM
• Type: PKCS#11
• Authentication Code : foo123 (which was the password previously set)
Note: Make sure that you have manually generated a slot password for that slot!
5. Click Save. The following message will be visible: CryptoToken created successfully.
6. In the section below, enter defaultKey as the key alias, select RSA 2048 and click the Generate new key pair button.
10. Next click the Test button. The following message should be visible: signKey tested successfully.
11. Enter testKey and click the Generate new key pair button. The following message should be visible: testKey tested successfully.
1. Open Admin Web and navigate to RA Functions and Search End Entities.
2. Write superadmin in the Search end entity with username text field (see figure 17.1).
3. Click Search.
4. Check the values in the superadmin certificate (serial nr., valid from/to, SHA-1, etc. in figure 17.2) by clicking View Certificates.
5. Open a terminal and provide the following command to log in to the PKI Appliance:
Run as <user>
Run as root
7. Navigate to EJBCA_HOME/bin
Run as root
> cd /opt/ejbca/bin/
Run as root
Run as root
10. Open Public Web of EJBCA and click on Create Browser Certificate. Provide superadmin and foo123 in Username and Enrollment code respectively (see figure 17.3).
13. Navigate in Admin Web and check the new certificate (see fig. 17.5). You'll notice that the values match those of the certificate used to authenticate.
Chapter 18
18.1 Logging
18.1.1 Security Audit log vs System log
EJBCA provides two different types of logs:
• Security Audit Log - Used by PKI auditors to audit important security PKI events that the system performed.
• System Log - Used to monitor daily operations in the system, debug and track down errors etc.
The Security Audit Log logs certificate life cycle events and other important events such as "Certificate issued", "Certificate Profile edited", "Administrator accessed resource". One of the most important aspects to consider is that the Security Audit Log does not log things that do not happen. Things that do not happen are for example invalid requests that the system rejects, because the PKI system did not perform any important auditable event.
The System Log logs all events that are interesting to monitor, such as rejecting invalid requests, reading profiles etc.
The main purpose of the Security Audit Log is to provide information to an auditor, and the auditor wants to know what the system has done, what certificates were issued etc., but is not so interested in what the system did not do.
The Security Audit Log is stored in the database and the System Log is stored in log files. By default the System Log also contains the Security Audit Log, but this can be configured.
Security Audit Log
be active in the cluster (healthy) or taken out of the cluster (unhealthy). The servlet is located at the URL http://IP_ADDRESS/ejbca/publicweb/healthcheck/ejbcahealth
The following configuration parameters may be set to configure authorization and what the service checks:
By editing a maintenance file on the server, you can make the service return an error message stating that the server is down for maintenance. This is very useful in a cluster, where you can take cluster nodes in and out of rotation by editing a simple text file.
The following parameters configure what message or HTTP error code the health service returns.
• healthcheck.okmessage, default: ALLOK - Text string used to say that everything is ok with this node.
• MEM: Error Virtual Memory is about to run out, currently free memory : number - The JVM is about to run out of memory.
• DB: Error creating connection to database - The JDBC connection to the database failed; this might occur if the DB crashes or the network is down.
• Error when testing the connection with publisher: PublisherName - This is reported when a test connection to one of the publishers failed.
18.2.1 SNMP
You can activate SNMP access to the PKI Appliance by checking this button. All SNMP requests are combined in the "public" community. The PKI Appliance will then answer to the two standard MIBs SNMPv2-MIB and HOST-RESOURCES-MIB. Additionally the following parameters can be accessed with the following OIDs:
OID | Value | Example Value
.1.3.6.1.4.1.22408.1.1.2.1.2.118.109.1 | Status of all VMs, 0 if all are running, 1 otherwise | 0
.1.3.6.1.4.1.22408.1.1.2.1.3.99.112.117.1 | Temperature of the CPU | 27
.1.3.6.1.4.1.22408.1.1.2.1.4.118.100.98.49.1 | Database usage in % | 2
.1.3.6.1.4.1.22408.1.1.2.1.4.118.100.98.50.1 | 1 if space for db exceeds 80% usage, 0 otherwise | 0
.1.3.6.1.4.1.22408.1.1.2.1.4.102.97.110.49.1 | rpm of cpu fan | 1025
.1.3.6.1.4.1.22408.1.1.2.1.4.102.97.110.50.1 | rpm of system fan 1 | 1126
.1.3.6.1.4.1.22408.1.1.2.1.4.102.97.110.51.1 | rpm of system fan 2 | 1028
.1.3.6.1.4.1.22408.1.1.2.1.4.102.97.110.52.1 | rpm of system fan 3 | 982
.1.3.6.1.4.1.22408.1.1.2.1.4.102.97.110.53.1 | 0 if cpu fan ok, 1 otherwise | 0
.1.3.6.1.4.1.22408.1.1.2.1.4.102.97.110.54.1 | 0 if system fans are ok, 1 otherwise | 0
.1.3.6.1.4.1.22408.1.1.2.1.5.108.111.97.100.49.1 | Load average of the system. Intervals are 1 min, 5 min, 15 min | 0.19 0.10 0.06
.1.3.6.1.4.1.22408.1.1.2.1.5.108.111.97.100.50.1 | Load average of the system. Interval is 1 min | 0.19
.1.3.6.1.4.1.22408.1.1.2.1.5.108.111.97.100.51.1 | Load average of the system. Interval is 5 min | 0.10
.1.3.6.1.4.1.22408.1.1.2.1.5.108.111.97.100.52.1 | Load average of the system. Interval is 15 min | 0.06
.1.3.6.1.4.1.22408.1.1.2.1.5.114.97.105.100.49.1 | Status of RAID, 0 if active, 1 otherwise | 0
.1.3.6.1.4.1.22408.1.1.2.1.5.114.97.105.100.50.1 | Status of RAID as string | active
.1.3.6.1.4.1.22408.1.1.2.1.5.114.97.105.100.51.1 | Devices in RAID | Total Devices : 2
.1.3.6.1.4.1.22408.1.1.2.1.5.114.97.105.100.52.1 | Devices in RAID as int | 2
.1.3.6.1.4.1.22408.1.1.2.1.5.114.97.105.100.53.1 | Devices active in RAID | Raid Devices : 2
.1.3.6.1.4.1.22408.1.1.2.1.5.114.97.105.100.54.1 | Devices active in RAID as int | 2
.1.3.6.1.4.1.22408.1.1.2.1.7.118.101.114.115.105.111.110.1 | Version of PKI Appliance | PrimeKeyAppliance.2.3.0
.1.3.6.1.4.1.22408.1.1.2.1.8.99.108.117.115.116.101.114.49.1 | Local node ID | 1
.1.3.6.1.4.1.22408.1.1.2.1.8.99.108.117.115.116.101.114.50.1 | Db cluster size | 3
.1.3.6.1.4.1.22408.1.1.2.1.8.99.108.117.115.116.101.114.51.1 | Currently active nodes in db cluster | 3
.1.3.6.1.4.1.22408.1.1.2.1.8.99.108.117.115.116.101.114.52.1 | Local db cluster (galera) state | 4
.1.3.6.1.4.1.22408.1.1.2.1.8.99.108.117.115.116.101.114.53.1 | Local db cluster (galera) state as string | Synced
.1.3.6.1.4.1.22408.1.1.2.1.8.99.108.117.115.116.101.114.54.1 | Last transaction ID | 208
.1.3.6.1.4.1.22408.1.1.2.1.8.104.101.97.108.116.104.101.49.1 | EJBCA healthcheck as raw string | ALLOK
.1.3.6.1.4.1.22408.1.1.2.1.8.104.101.97.108.116.104.101.50.1 | EJBCA healthcheck returns 0 for "ALLOK", 1 otherwise | 0
.1.3.6.1.4.1.22408.1.1.2.1.8.104.101.97.108.116.104.115.49.1 | Signserver healthcheck as raw string | ALLOK
.1.3.6.1.4.1.22408.1.1.2.1.8.104.101.97.108.116.104.115.50.1 | Signserver healthcheck returns 0 for "ALLOK", 1 otherwise | 0
.1.3.6.1.4.1.22408.1.1.2.2.4.104.115.109.49.1 | Status of HSM as string | STATUS_is_OPER
.1.3.6.1.4.1.22408.1.1.2.2.4.104.115.109.50.1 | Enum of Status of HSM | 0
.1.3.6.1.4.1.22408.1.1.2.2.4.104.115.109.51.1 | Status of HSM, 0 if operational, 1 otherwise | 0
.1.3.6.1.4.1.22408.1.1.2.2.4.104.115.109.52.1 | Battery voltage of HSM | 3.100 V
.1.3.6.1.4.1.22408.1.1.2.2.4.104.115.109.53.1 | Battery state, 0 if ok, 1 otherwise | 0
.1.3.6.1.4.1.22408.1.1.2.2.4.104.115.109.55.1 | Battery voltage of external HSM battery | 3.272 V
.1.3.6.1.4.1.22408.1.1.2.2.4.104.115.109.56.1 | Battery state, 0 if ok or absent, 1 otherwise | 0
.1.3.6.1.4.1.22408.1.1.2.2.4.104.115.109.54.1 | Serial Number of HSM | CS445661
.1.3.6.1.4.1.22408.1.1.2.1.6.109.97.105.110.116.49.1 | Maintenance State as int, 0 if operational, 1 if offline or 2 if maintenance | 0
.1.3.6.1.4.1.22408.1.1.2.1.6.109.97.105.110.116.50.1 | Maintenance State as string | Operational
Alternatively all OIDs can be reached by the following three snmpwalk commands (replace the IP address with the one of your system):
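As an added example (not PrimeKey's or EJBCA's code) covering both the healthcheck messages listed in 18.1 and the SNMP table above, the following Python turns a healthcheck body and snmpwalk output into monitoring alerts. The healthcheck bodies and snmpwalk lines are constructed; the name decoding relies only on the ASCII character codes visible in the table's OIDs (for instance 118.109 is "vm"), and the alert texts are this example's own wording.

```python
"""Added example (not PrimeKey's code): turn PKI Appliance monitoring data into
alerts. Handles the EJBCA healthcheck servlet body (ALLOK or error text) and
snmpwalk-style lines for the enterprise OIDs in the SNMP table. Each of those
OIDs embeds an ASCII name after the prefix (.22408.1.1.2.<group>.<len>.<codes>.1,
e.g. 118.109 = "vm"), so names are decoded rather than hard-coded. Samples are constructed."""
import re
from typing import Dict, List, Optional

HEALTH_OK = "ALLOK"  # default healthcheck.okmessage from the manual
# Error texts the manual lists for the healthcheck, mapped to a category.
HEALTH_ERROR_PREFIXES = {
    "MEM: Error Virtual Memory is about to run out": "memory",
    "DB: Error creating connection to database": "database",
    "Error when testing the connection with publisher": "publisher",
}

ENTERPRISE_PREFIX = ".1.3.6.1.4.1.22408.1.1.2"
# Table entries whose value is a flag: 0 is fine, 1 means a problem.
FLAG_MEANING = {
    "vm": "a virtual machine is not running",
    "vdb2": "database space above 80% usage",
    "fan5": "cpu fan not ok",
    "fan6": "system fans not ok",
    "raid1": "RAID not active",
    "healthe2": "EJBCA healthcheck did not return ALLOK",
    "healths2": "SignServer healthcheck did not return ALLOK",
    "hsm3": "HSM not operational",
    "hsm5": "HSM battery not ok",
    "hsm8": "external HSM battery not ok",
}
# snmpwalk output line: "<oid> = <TYPE>: <value>"; the type part is optional.
WALK_LINE = re.compile(r"^\s*(\S+)\s*=\s*(?:[A-Za-z0-9-]+:\s*)?(.*?)\s*$")

def classify_health(body: str) -> List[str]:
    """Return [] for a healthy node, else one category per non-empty error line."""
    text = body.strip()
    if text == HEALTH_OK:
        return []
    problems = []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        problems.append(next((cat for prefix, cat in HEALTH_ERROR_PREFIXES.items()
                              if line.startswith(prefix)), "other"))
    return problems or ["other"]  # non-ALLOK but empty body: still unhealthy

def decode_oid_name(oid: str) -> Optional[str]:
    """Decode the ASCII name embedded in a PKI Appliance enterprise OID."""
    if not oid.startswith(ENTERPRISE_PREFIX + "."):
        return None
    parts = [int(p) for p in oid[len(ENTERPRISE_PREFIX) + 1:].split(".")]
    if len(parts) < 3:
        return None
    length = parts[1]  # parts[0] is the group number, last element is the .1
    codes = parts[2:2 + length]
    if len(codes) != length or not all(32 <= c < 127 for c in codes):
        return None
    return "".join(chr(c) for c in codes)

def parse_snmpwalk(text: str) -> Dict[str, str]:
    """Map decoded names (vm, cpu, vdb1, ...) to their string values."""
    values: Dict[str, str] = {}
    for line in text.splitlines():
        match = WALK_LINE.match(line)
        if not match:
            continue
        oid, raw = match.group(1), match.group(2).strip('"')
        if oid.startswith("SNMPv2-SMI::enterprises."):  # symbolic output form
            oid = ".1.3.6.1.4.1." + oid[len("SNMPv2-SMI::enterprises."):]
        name = decode_oid_name(oid)
        if name:
            values[name] = raw
    return values

def snmp_alerts(values: Dict[str, str]) -> List[str]:
    """Apply the 0/1 semantics from the table plus the maint1 state codes."""
    alerts = [f"{name}: {msg}" for name, msg in FLAG_MEANING.items()
              if values.get(name) == "1"]
    state = values.get("maint1")  # 0 operational, 1 offline, 2 maintenance
    if state == "1":
        alerts.append("maint1: node offline")
    elif state == "2":
        alerts.append("maint1: node in maintenance")
    return alerts

def node_in_rotation(health_body: str, walk_text: str) -> bool:
    """True only when both the healthcheck and the SNMP flags are clean."""
    return not classify_health(health_body) and not snmp_alerts(parse_snmpwalk(walk_text))

# Constructed sample walk: db space flag raised and HSM reported not operational.
SAMPLE_WALK = """\
.1.3.6.1.4.1.22408.1.1.2.1.2.118.109.1 = INTEGER: 0
.1.3.6.1.4.1.22408.1.1.2.1.3.99.112.117.1 = INTEGER: 27
.1.3.6.1.4.1.22408.1.1.2.1.4.118.100.98.50.1 = INTEGER: 1
.1.3.6.1.4.1.22408.1.1.2.1.8.104.101.97.108.116.104.101.49.1 = STRING: "ALLOK"
.1.3.6.1.4.1.22408.1.1.2.2.4.104.115.109.51.1 = INTEGER: 1
.1.3.6.1.4.1.22408.1.1.2.1.6.109.97.105.110.116.49.1 = INTEGER: 0
"""
```

A load balancer health probe would call node_in_rotation with the live servlet body and the walk of the enterprise subtree; any alert is a reason to take the node out of rotation before certificates or OCSP responses fail.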
Part VII
Chapter 19
HA Setup
complete key material on installation and no additional manual key synchronization will be necessary.
2. On Node 1: Go to the HSM tab of the PKI Appliance WebConf and download a "Cluster Key Synchronization Package" by clicking Download protected HSM backup.
3. On Node n: Go to the HSM tab of the PKI Appliance WebConf and upload the package.
Since node 1 has a higher database quorum vote weight, it is generally advised to generate the keys there to avoid a reboot and potential downtime in a two-node setup.
A cluster node will never forward traffic between two other nodes to avoid networking
loops. Compared to using the spanning tree protocol (STP), this means that a broken
network connection between two nodes will not trigger any downtime of other connections.
If you prefer the dynamic loop prevention behaviour, you could add managed switches in
front of the Application Interfaces of the PKI Appliances. Please note that if the network
topology change prevents network traffic between the nodes for too long, your cluster nodes
might stop operation and require manual interaction. Rapid Spanning Tree Protocol (RSTP)
might be an interesting alternative to STP in this case.
To avoid data loss, the manual interaction is required and the secondary should only be
promoted if the first node really is dead and will be replaced.
2. If possible, generate all keys in the HSM that will be used during the installation's lifetime to avoid manual key synchronization later.
3. Go to the cluster tab on the initial node in the PKI Appliance WebConf and add a
connection to where the next node’s Application Interface will be.
4. From the same tab, download the setup bundle for the second node.
5. Factory reset the second node and connect to the web based installer
7. At this point, both network cables need to be connected to the second node. Start
the installation procedure.
8. After installation completes, you should be able to manage the new node using the
same credentials as the first one.
If the first node has been used for a while before the second node was connected, you
might need to wait until the data is fully synchronized, even after the cluster connection has
completed. When the Local node state in the WebConf’s Status tab shows Ok, the node
is ready for use.
2. If possible, generate all keys in the HSM that will be used during the installation's lifetime to avoid manual key synchronization later.
3. Go to the Cluster tab on the initial node in the PKI Appliance WebConf and add the
two connections to where the next nodes’ Application Interface will be.
4. From the same tab, download the setup bundle for the two new nodes.
5. Factory reset the second node and connect to the web based installer
6. Select Connect to cluster and upload the setup bundle for node 2.
7. At this point, both network cables need to be connected to node 2. Start the instal-
lation procedure.
8. After installation completes, you should be able to manage the new node using the
same credentials as the first one.
9. Even if a full synchronization between the first and second node is still running at this
point, you can proceed with the cluster connection of the third node.
10. Factory reset the third node and connect to the web based installer
11. Select Connect to cluster and upload the setup bundle for node 3.
12. After installation completes, you should be able to manage the new node using the
same credentials as the first one.
If the first node has been used for a while before the two new nodes were connected, you
might need to wait until the data is fully synchronized, even after the cluster connection has
completed. When the Local node state in the WebConf’s Status tab shows Ok, a node is
ready for use.
2. From the same tab on one of the nodes, download the setup bundle for the new node
(n+1).
3. Factory reset the new node (n+1) and connect to the web based installer
5. At this point, both network cables need to be connected to the new node. Start the
installation procedure.
6. After installation completes, you should be able to manage the new node (n+1) using
the same credentials as the first one.
When the Local node state in the WebConf’s Status tab shows Ok, the new node is ready
for use.
7. Announce this cluster node to be operational back again or whatever you need to undo
from step 3.
8. Continue with updating your cluster by applying the same steps on the next cluster
node, restarting at step 1.
2. Once the node that has the most up-to-date copy of the clustered data has started, promote the node using Force into Active (formerly "Force into Primary").
3. Wait until all N nodes are fully started and database status is OK on each node.
4. If the node you promoted was any other than node 1, reboot this node and wait until
its database status is OK.
2. You might also want to make a last manual backup of the PKI Appliance.
3. We’ll assume here that you have announced this cluster node as being not operational
(e.g. disabled in a frontend load balancer) for the time of the change.
4. Now start the actual change by changing the Application Interface IP address on the
cluster node in WebConf, see chapter ?? ?? on page ??.
5. Navigate your browser to the Cluster tab of the WebConf on all of the other cluster
nodes.
6. Wait for the cluster node to appear as offline/not connected in the cluster connections
table; its IP address should now be shown in an editable input field.
7. On each of the other cluster nodes, correct the Application Interface IP address of the
changed cluster node in the cluster table.
8. Confirm the operation by clicking Apply. You may have to wait a couple of seconds
before the button becomes clickable.
9. After the cluster reconfiguration has finished, every cluster node should be connected to
all of the other cluster nodes.
10. When everything works as expected, remember to bring the node back into the load
balancer.
Chapter 20 PKCS#11 Slot Smart Card Activation
20.1 Introduction
All sensitive cryptographic material of the PKI Appliance is stored on a Hardware Security
Module (HSM). The HSM protects your key material against physical attacks. The keys
required by the PKI Appliance and your infrastructure are organized in so-called slots, as is
common with the cryptographic API PKCS#11. Before these keys can be used, their slots
must be activated with an authentication code. Depending on your requirements for
availability, usability and security, you can decide whether those authentication codes are
stored on the PKI Appliance or not; this choice is made per slot. Slots with stored
authentication codes can be auto-activated for immediate availability. The automatically
generated and stored authentication codes are of very high quality. This choice can still be
changed later during the operation of the PKI Appliance.
If even manually entered authentication codes do not meet your security requirements, there
is an option for two-factor authorization: activation with smart cards can additionally be
required for one or more slots. This choice must be made during installation.
20.2 Installation/Configuration
PKCS#11 slot smart card activation can be enabled per slot, but only during the installation
of the PKI Appliance. To do so, untick (Automatically generated) Authentication
Code for the slot you want to protect further. You will then be given the option to tick
Smart card activated for that slot, after which further options for the general slot smart
card activation settings appear. You still have to define an authentication code per slot.
You can either choose something trivial like 1234, since you are relying on external secrets
anyway, or make it even more secure by defining a genuinely secret authentication code,
which will then be required in addition upon activation.
Warning: Unlike the backup key share on the smart cards, the user credentials cannot
be copied from card to card. A lost, broken or blocked smart card cannot be
replaced. Therefore the PKI Appliance offers to create a sufficient number of copies,
once and for all.
The default setting of the PKI Appliance is to create 2 smart cards with the same user
credential.
20.2.4 Procedure
For every slot activation user that has been chosen, the following procedure runs during
the installation:
• For every copy that has been chosen, the user credentials are written to a smart
card. You are required to enter the PIN (default PIN on delivery: 123456) and acknowledge
with "OK".
• The user credentials (public key only) are read into the HSM; only pressing the OK
button is required.
After the installation, it is strongly advised to change the PINs of the smart cards through
the WebConf.
Warning: The user cards are always required in ascending order, always starting
with User 1.
Whenever a PKCS#11 slot activation with smart card fails, the internal PKI Appliance
mechanism restarts all applications, which in turn requires that all slots be activated
again.
Part VIII
Chapter 21 Managing Workers with Admin Web
This chapter uses the new Administration Web interface. For the old Administration GUI
interface, see chapter 22.
2. Click From Template when asked for the method of adding the worker.
4. The sample properties for that worker are displayed and can be adjusted if needed.
Press Apply button.
1. The PDFSigner is at this point OFFLINE with the error listed "No signer certificate
available". Click Renew key... button (see fig. 21.2).
2. At this point we can configure values for the key generation (see fig. 21.3)
2. Click the Download button and save the file as pdfSigner_req.p10 (see fig. 21.6).
Note: At this point we have to bring the request to the CA for issuance. In the
current instance we will use EJBCA for that purpose.
4. Provide SignerCertificateProfile as name of new certificate profile and click Create from template
afterwards (see fig. 22.10).
5. Next to the new SignerCertificateProfile click Edit button (see fig. 22.11).
6. Enable the Use option in CRL Distribution Points, provide the URL in CRL
Distribution Point (see fig. 22.12) and delete the auto-generated text in the CRL Issuer
field.
7. Click Save
11. Highlight SignerEndEntityProfile and press Edit End Entity Profile (see fig.
22.13)
12. For both Default Certificate Profile and Available Certificate Profiles choose
SignerCertificateProfile .
14. At RA Functions click on Add End Entity link and provide the following values (see
fig. 22.14):
17. Under Enroll open Create Certificate from CSR link and fill the text fields and
options with (see fig. 22.15):
• Username: pdfSigner
• Enrollment Code: foo123
• Open Browse... and upload the pdfSigner_req.csr file
• Result type: PEM - full certificate chain
• Press OK
18. Figure 22.16 shows that the CSR is signed and the certificate is downloaded.
2. Use Browse button to load the PDFSigner.pem certificate in the text area and
then click Add to have it uploaded.
3. If the CA certificates were not included in the first PEM file, repeat the previous step
for each issuing CA certificate in order up to the root.
Note: If the worker is not active, use the Status Summary tab to check whether there
are any errors or the token is listed as offline.
2. Click the PDF link, upload a PDF file and press the Submit button (see fig. 22.19). The file
will be signed by the PDF worker.
As an alternative, the page called "Generic signing" can be used instead. On that page the
user has to input the name of the worker (i.e. "PDFSigner") that should process the request.
1. From EJBCA Public Web fetch the CA certificate via Fetch CA Certificates and
Download as PEM (see fig. 22.20)
2. In Adobe Reader open Preferences -> Signatures and press More... button in
Identities & Trusted Certificates (see fig. 22.21.)
3. Click on Trusted Certificates on the menu on the left and then the Import button
from the options on the top of the window (see fig. 22.22).
4. Use the Browse ... to upload the ManagementCA.cer file and click Import
button to install it (see fig. 22.23).
5. Now that the certificate is installed press Edit Trust button (see fig. 22.24).
6. Enable at least the options Use the certificate as a trusted root and Certified documents
(see fig. 22.25). Press OK.
7. Open the document that was signed in step 2 and click Validate All Signatures
(see fig. 22.25).
8. A confirmation dialog pops up which asks you if you want to verify the signatures.
Click OK button to confirm.
9. If the validation is done, another dialog tells you Completed validating all signatures.
Confirm this dialog by clicking OK .
10. The last button on the left will show signature details. Click on Certificate Details...
link (see fig. 22.27).
11. The Revocation tab shows information about CRL (see fig. 22.28).
The Administration Web will suggest the name of the new key to be the current name
with its numeric suffix increased by one (see fig. 21.26).
At this point a new key is available in the HSM slot but the signer is still using the old key as
pointed out with its DEFAULTKEY property. A new property called NEXTCERTSIGNKEY
has been created with the name of the new key so that the GUI will remember it.
2. Click Generate
5. Bring the request file to the CA to obtain the signer certificate and any CA certificates.
2. If you got one PEM file containing the signer certificate followed by the
CA certificate(s), you only have to Browse for that file and add it with
Add. If you got the signer certificate file and the CA certificate(s) separately, then
first browse for and add the signer certificate, and then each of the issuing CA certificates
in order.
4. At this point the Administration GUI has changed the DEFAULTKEY property to point
to the new key and removed the NEXTCERTSIGNKEY property. The worker status
should now switch to ACTIVE.
If the worker status is not ’ACTIVE’ use Status Summary tab to check if there are any
errors or the token is listed as offline.
Chapter 22 Managing Workers with Admin GUI
This chapter uses the old Administration GUI. For the new Administration Web interface see
chapter 21.
2. User will be prompted to choose one of the templates for worker configuration.
4. Choose pdfsigner.properties file and click Open button (see fig. 22.2)
5. The sample properties for that worker are displayed and can be adjusted if needed.
Press Apply button (see fig. 22.3).
1. The PDFSigner is at this point OFFLINE with the error listed "No signer certificate
available". Highlight PDFSigner and click Renew key... button (see fig. 22.4).
2. At this point we can configure values for the key generation (see fig. 22.5)
5. A confirmation dialog shows that the key has been created for the signer. Click on
OK.
2. Click on ... button, provide filename pdfSigner_req.csr and the folder it will be
saved to (see fig. 22.8).
3. Click on Generate .
Note: At this point we have to bring the request to the CA for issuance. In the
current instance we will use EJBCA for that purpose.
4. Provide SignerCertificateProfile as name of new certificate profile and click Create from template
afterwards (see fig. 22.10).
5. Next to the new SignerCertificateProfile click Edit button (see fig. 22.11).
6. Enable the Use option in CRL Distribution Points, provide the URL in CRL
Distribution Point (see fig. 22.12) and delete the auto-generated text in the CRL Issuer
field.
7. Click Save
11. Highlight SignerEndEntityProfile and press Edit End Entity Profile (see fig.
22.13)
12. For both Default Certificate Profile and Available Certificate Profiles choose
SignerCertificateProfile .
14. At RA Functions click on Add End Entity link and provide the following values (see
fig. 22.14):
17. Under Enroll open Create Certificate from CSR link and fill the text fields and
options with (see fig. 22.15):
• Username: pdfSigner
• Enrollment Code: foo123
• Open Browse... and upload the pdfSigner_req.csr file
• Result type: PEM - full certificate chain
• Press OK
18. Figure 22.16 shows that the CSR is signed and the certificate is downloaded.
2. Use ... button to upload the PDFSigner.pem certificate in both Signer certificate
and Certificate chain.
4. A message is displayed which informs that the certificate is installed (see fig. 22.17).
Press OK .
Note: If the worker is not active, use the Status Summary tab to check whether there
are any errors or the token is listed as offline.
2. Click the PDF link, upload a PDF file and press the Submit button (see fig. 22.19). The file
will be signed by the PDF worker.
As an alternative, the page called "Generic signing" can be used instead. On that page the
user has to input the name of the worker (i.e. "PDFSigner") that should process the request.
1. From EJBCA Public Web fetch the CA certificate via Fetch CA Certificates and
Download as PEM (see fig. 22.20)
2. In Adobe Reader open Preferences -> Signatures and press More... button in
Identities & Trusted Certificates (see fig. 22.21.)
3. Click on Trusted Certificates on the menu on the left and then the Import button
from the options on the top of the window (see fig. 22.22).
4. Use the Browse ... to upload the ManagementCA.cer file and click Import
button to install it (see fig. 22.23).
5. Now that the certificate is installed press Edit Trust button (see fig. 22.24).
6. Enable at least the options Use the certificate as a trusted root and Certified documents
(see fig. 22.25). Press OK.
7. Open the document that was signed in step 2 and click Validate All Signatures
(see fig. 22.25).
8. A confirmation dialog pops up which asks you if you want to verify the signatures.
Click OK button to confirm.
9. If the validation is done, another dialog tells you Completed validating all signatures.
Confirm this dialog by clicking OK .
10. The last button on the left will show signature details. Click on Certificate Details...
link (see fig. 22.27).
11. The Revocation tab shows information about CRL (see fig. 22.28).
The Administration GUI will suggest the name of the new key to be the current name
with its numeric suffix increased by one (see fig. 22.29).
4. A message will be displayed saying: "Renewed keys for all chosen signers."
5. Click on OK .
At this point a new key is available in the HSM slot but the signer is still using the old key as
pointed out with its DEFAULTKEY property. A new property called NEXTCERTSIGNKEY
has been created with the name of the new key so that the GUI will remember it.
2. Click on ... button, provide filename mysigner_req.csr and the folder it will be
saved to.
3. Click Generate
4. Bring the request file to the CA to obtain the signer certificate and any CA certificates.
2. If you got one PEM file containing both the signer certificate and the CA
certificate(s), you can use the ... button in the Certificate chain column to select
that file.
If you instead got two files, one with the signer certificate and one with the CA
certificates, use the Signer certificate column for the signer certificate file and the
Certificate chain column for the CA certificate file.
5. At this point the Administration GUI has changed the DEFAULTKEY property to point
to the new key and removed the NEXTCERTSIGNKEY property. The worker status
should now switch to ACTIVE.
If the worker status is not ’ACTIVE’ use Status Summary tab to check if there are any
errors or the token is listed as offline.
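The chain-ordering rule used in both chapters (signer certificate first, then each issuing CA in order up to the root) and the CRL Distribution Point configured in the certificate profile can be checked before the PEM file is uploaded to the worker. The following Go program is an added example, not code from the PKI Appliance, SignServer or EJBCA: it builds a constructed ManagementCA root and PDFSigner certificate in memory, and the CRL URL in it is a placeholder rather than a real EJBCA address.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// CheckChain parses a PEM bundle as it would be uploaded to the worker and enforces
// the manual's ordering rule: signer certificate first, then each issuing CA in order,
// ending at a self-signed root. It also requires a CRL Distribution Point on the signer
// certificate (what Adobe Reader's Revocation tab relies on) and returns its URLs.
func CheckChain(bundle []byte) ([]string, error) {
	var certs []*x509.Certificate
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		c, err := x509.ParseCertificate(block.Bytes) // any non-certificate block fails here
		if err != nil {
			return nil, fmt.Errorf("bad PEM block of type %q: %w", block.Type, err)
		}
		certs = append(certs, c)
	}
	if len(certs) == 0 || certs[0].IsCA {
		return nil, fmt.Errorf("bundle must start with the (non-CA) signer certificate")
	}
	if len(certs[0].CRLDistributionPoints) == 0 {
		return nil, fmt.Errorf("signer certificate has no CRL Distribution Point")
	}
	for i := 0; i+1 < len(certs); i++ { // each certificate must be issued by the next one
		if err := certs[i].CheckSignatureFrom(certs[i+1]); err != nil {
			return nil, fmt.Errorf("certificate %d was not issued by certificate %d: %w", i, i+1, err)
		}
	}
	if root := certs[len(certs)-1]; root.CheckSignatureFrom(root) != nil {
		return nil, fmt.Errorf("last certificate is not a self-signed root CA")
	}
	return certs[0].CRLDistributionPoints, nil
}

// SampleBundle builds a constructed ManagementCA root and PDFSigner certificate in memory
// so the check runs offline; the CRL URL is a placeholder, not an EJBCA URL.
// signerFirst=false emits the two blocks in the wrong order (CA before signer).
func SampleBundle(withCRLDP, signerFirst bool) []byte {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	signerKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "ManagementCA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign}
	caDER, _ := x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey)
	caCert, _ := x509.ParseCertificate(caDER)
	signer := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "PDFSigner"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), KeyUsage: x509.KeyUsageDigitalSignature}
	if withCRLDP {
		signer.CRLDistributionPoints = []string{"http://ca.example.test/ManagementCA.crl"} // placeholder
	}
	signerDER, _ := x509.CreateCertificate(rand.Reader, signer, caCert, &signerKey.PublicKey, caKey)
	ders := [][]byte{signerDER, caDER}
	if !signerFirst {
		ders[0], ders[1] = ders[1], ders[0]
	}
	out := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ders[0]})
	return append(out, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: ders[1]})...)
}
```

Running CheckChain on the real PEM file exported from EJBCA before uploading it catches the two mistakes the manual warns about: a bundle pasted CA-first, and a signer certificate issued from a profile without the CRL Distribution Point.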