
PrimeKey PKI appliance operations manual



DOCUMENT INFORMATION

Basic information

Format
Number of pages 252
File size 22.19 MB

Content

Notice of Rights
All rights reserved. No part of this book may be reproduced or transmitted in any form by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. For more information on getting permission for reprints and excerpts, contact sales@primekey.com

Notice of Liability
The information in this book is distributed on an “As Is” basis without warranty. While every precaution has been taken in the preparation of the book, neither the authors nor PrimeKey shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the instructions contained in the book or by computer software and hardware products described in it.

Trademarks
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this book, and PrimeKey was aware of a trademark claim, the designations appear as requested by the owner of the trademark. All other product names and services identified throughout this book are used in editorial fashion only and for the benefit of such companies with no intention of infringement of the trademark. No such use, or the use of any trade name, is intended to convey endorsement or other affiliation with this book.

PKI Appliance Operations Manual
Public Key Infrastructure by PrimeKey
Ver: 3.0.0
2018-04-30

Copyright ©2018 PrimeKey Solutions
Published by PrimeKey Solutions AB
Lundagatan 16
171 63 Solna
Sweden

To report errors, please send a note to support@primekey.com

Contents

I Preamble
  1 Release Notes
  2 Introduction
    2.1 Audience
      2.1.1 Styling Conventions
      2.1.2 Daily operations
  3 PKI Appliance Overview
    3.1 Description

II Advanced Installation
  4 Using External CA for Installation
    4.1 Smart Card Setup
      Use-Case: Smart Card Installation in Firefox
      Use-Case: Install the first PKI Appliance
      Use-Case: Install a PKI Appliance with an existing Management CA

III Appliance Operations
  5 WebConf
      Use-Case: Create a new TLS server side certificate for Application Interface
      Use-Case: Upload a new trusted CA for TLS authentication and new superadmin certificate for Management Interface
      Use-Case: Configure a new trusted CA for TLS authentication and new superadmin certificate for Application Interface
  6 Maintenance
    6.1 PKI Appliance State
    6.2 Reasons for Maintenance
    6.3 Effects
  7 Support Package

IV EJBCA GUI Operations
  8 Certificate Life Cycle Management
    8.1 Introduction to Certificate Life Cycle Management
      8.1.1 Entity Issuance and Maintenance
      8.1.2 Creation of Entity and Certificates
      8.1.3 Verification
      8.1.4 Revocation, Re-issuance, Un-Revoke
      8.1.5 Deletion of an End Entity
    8.2 Certification Authorities
      8.2.1 Types of Certification Authorities
  9 Creating a CA Hierarchy
    9.1 Use-Case: Creation of the RootCA
      Creating a Certificate Profile for the RootCA
      Create Crypto Token for RootCA
      Creating a RootCA
    9.2 Use-Case: Create Certificate Profile for SubCAs
    9.3 Use-Case: Create End Entity Profile for SubCAs
    9.4 Use-Case: Import RootCA as External CA in node A
    9.5 Use-Case: Create SignCA as SubCA in node A
      Create Crypto Token for SignCA
      Creating SignCA
    9.6 Use-Case: Create AuthCA as SubCA in node A
      Create Crypto Token for AuthCA
      Creating AuthCA
    9.7 Use-Case: Create SSLCA as SubCA in node A
      Create Crypto Token for SSLCA
      Creating SSLCA
    9.8 Use-Case: Create Certificate Profiles for End Entities that will use the SubCAs
      Create Certificate Profile for End Entities that will use AuthCA
      Create Certificate Profile for End Entities that will use SignCA
      Create Certificate Profile for End Entities that will use SSLCA
    9.9 Use-Case: Create End Entity Profiles for SubCAs
      Create End Entity Profile for AuthCA
      Create End Entity Profile for SignCA
      Create End Entity Profile for SSLCA
    9.10 Use-Case: Create End Entities that will use the SubCAs
      Create an End Entity that will use SSLCA
      Create an End Entity that will use AuthCA
      Create an End Entity that will use SignCA
  10 Managing End Entities
    10.1 Use-Case: Searching for end entities
    10.2 Certificate Revocation
      10.2.1 Use-Case: Revoking a Certificate using EJBCA
      10.2.2 Use-Case: Re-issuing a Certificate using EJBCA

V VA Setup
  11 Setting up a VA
    11.1 Online Certificate Revocation Protocol
    11.2 CRL Distribution Point
    11.3 VA setup scenarios
    11.4 Use-Case: Install PKI Appliance as dedicated VA
    11.5 Use-Case: Create OCSP Keys in VA-Appliance
    11.6 Use-Case: Create OCSP Key Binding in VA and publisher in CA-Appliance
    11.7 Use-Case: Set up a VA-Appliance which fetches CRLs from external server

VI EJBCA Advanced Administration
  12 Separation of privileges
    12.1 EJBCA Access Management
      12.1.1 Managing EJBCA Roles
        Use-Case: Create an End Entity Certificate Profile for the Administrator CA
        Use-Case: Issue New Administrator Credentials
        Use-Case: Create a CA Administrator Group
        Use-Case: Adding New Administrators to the CA Administrator Group
        Use-Case: Creating a New RA Administrator Group
        Use-Case: Adding New Administrators to the RA Administrator Group
        Use-Case: Creating a New Supervisor Group
        Use-Case: Adding New Administrators To the Supervisor Group
        Use-Case: Adding New Administrators to the Super Administrator Group
        Use-Case: Test the Different Administrators
      12.1.2 CWA Roles
  13 Key Recovery
    13.1 Profile Requirement
      Use-Case: Configure EJBCA for Recovery
      Use-Case: Configure Profiles to Enable Recovery
      Use-Case: Add a User and Issue an Entity
      Use-Case: Recovering the Lost Entity
  14 Approval Process
      Use-Case: Configure CA for Approvals
      Use-Case: Approve Issuing of the End Entity
      Use-Case: Remove Approvals From CA
  15 Timed Services
    15.1 CRL Updater
      Use-Case: Configure a CRL Updater
    15.2 HSM Keep Alive Service
    15.3 Custom Service
  16 Customising the Web GUI
    16.1 Changing the language
      Use-Case: Change the default language
    16.2 Hiding Menu Options
      Use-Case: Access the public GUI without the menu options
  17 Key Management
      Use-Case: Create Crypto Tokens
      Use-Case: Create the CA
      Use-Case: Renew superadmin certificate
  18 Logging and Monitoring
    18.1 Logging
      18.1.1 Security Audit log vs System log
    18.2 Monitoring and Health-Check
      18.2.1 snmp

VII Appliance in High Availability Setup
  19 HA Setup
    19.1 Scope of availability
      19.1.1 How it works
      19.1.2 Synchronization of key material
        19.1.2.1 Pre-cluster setup generation of keys
        19.1.2.2 Post-cluster setup generation of keys
        Use-Case: Synchronize key material
      19.1.3 Network topology
      19.1.4 Cluster traffic security considerations
    19.2 Continuous service availability
    19.3 Levels of availability
      19.3.1 Stand alone instance
      19.3.2 Hot stand-by with manual fail-over
      19.3.3 High availability with automatic fail-over
    19.4 High Availability
      Use-Case: Setting up a node cluster from scratch
      Use-Case: Setting up a node cluster from scratch
      Use-Case: Extending a cluster from n to n+1 nodes
    19.5 Backup, Restore and Update
      19.5.1 Backing up a cluster
      19.5.2 Restoring a cluster from backup
      19.5.3 Updating the software (firmware/applications) on a cluster
        Use-Case: Software update on a three node cluster from 2.2.0 to 2.3.0
    19.6 Controlled full cluster shutdown and startup
      19.6.1 Shutting down the cluster in controlled manner
      19.6.2 Starting a fully shutdown cluster
    19.7 Operational Caution
      Use-Case: Changing the IP Address of the Application Interface of a node in a three node cluster
      Replacing a failed cluster node
  20 PKCS#11 Slot Smart Card Activation
    20.1 Introduction
    20.2 Installation/Configuration
      20.2.1 "Number of users required"
      20.2.2 "Number/copies of user smart cards"
      20.2.3 "Require smart cards to activate system after boot"
      20.2.4 Procedure
        20.2.4.1 Example with default values
        20.2.4.2 Slots and
    20.3 Application/Activation of a slot
      20.3.1 Activation on boot/slot

VIII SignServer GUI Operations
  21 Managing Workers with Admin Web
    21.1 Use-Case: Setting up a PDF Signer
      21.1.1 Adding a PDF Signer
      21.1.2 Generate keys for PDF Signer
      21.1.3 Create CSR for the Signer
      21.1.4 Configure EJBCA for CSR signing from SignServer Workers
      21.1.5 Install the certificates in SignServer
    21.2 Use-Case: Signing and verifying a PDF document
      21.2.1 Sign a PDF document using the PDF Signer
      21.2.2 Verify the signed PDF with Adobe Reader
    21.3 Use-Case: Rekeying signers
      21.3.1 Generate a new key
      21.3.2 Create a certificate signing request
      21.3.3 Install the certificates
  22 Managing Workers with Admin GUI
    22.1 Use-Case: Setting up a PDF Signer
      22.1.1 Adding a PDF Signer
      22.1.2 Generate keys for PDF Signer
      22.1.3 Create CSR for the Signer
      22.1.4 Configure EJBCA for CSR signing from SignServer Workers
      22.1.5 Install the certificates in SignServer
    22.2 Use-Case: Signing and verifying a PDF document
      22.2.1 Sign a PDF document using the PDF Signer
      22.2.2 Verify the signed PDF with Adobe Reader
    22.3 Use-Case: Rekeying signers
      22.3.1 Generate a new key
      22.3.2 Create a certificate signing request
      22.3.3 Install the certificates

List of Figures

4.1 Logical hierarchy
4.2 Node A - Physical Infrastructure with online PKI Appliance
4.3 Node B - Physical Infrastructure with offline PKI Appliance
4.4 Security Devices in Firefox
4.5 Device Manager in Firefox
4.6 Load module in Firefox
4.7 Device Manager in Firefox
4.8 Device Manager in Firefox
4.9 First login to the PKI Appliance
4.10 Notification for untrusted network
4.11 Checking TLS fingerprint
4.12 Confirm TLS fingerprint
4.13 Provide OTP password
4.14 Choose installation
4.15 Configure Network Settings
4.16 Configure date and timezone
4.17 Configure Management CA
4.18 Pre-installation Summary
4.19 Enroll process
4.20 Provide smart card password
4.21 Key generation in the smart card
4.22 Successful enrollment
4.23 Authentication to the system
4.24 Confirmation of connection to the system
4.25 EJBCA Public Pages
4.26 WebConf Access tab
4.27 Management CA Setting
4.28 EJBCA Administration in first PKI Appliance
4.29 EJBCA Administration in first PKI Appliance

5.1 EJBCA TLS check
5.2 EJBCA TLS check certificate
5.3 EJBCA CN value for TLS
5.4 WebConf Access tab
5.5 WebConf Create CSR
5.6 WebConf Download CSR
5.7 EJBCA Search End Entities
5.8 EJBCA Edit End Entity
5.9 EJBCA Edit End Entity, cont
5.10 EJBCA Create Certificate from CSR
5.11 EJBCA Enroll
5.12 EJBCA Save certificate chain
5.13 WebConf: Activate certificate chain
5.14 WebConf: Upload certificate chain
5.15 EJBCA login
5.16 EJBCA TLS cert CN
5.17 WebConf Access
5.18 WebConf Access add a new client certificate for TLS authorization
5.19 WebConf Upload the new trusted CA chain
5.20 WebConf TLS is updated
5.21 WebConf New configuration for Management Interface is in use
5.22 Import new trusted CAs as External ones in EJBCA
5.23 Add a new trusted client certificate as superadmin in EJBCA
5.24 Configure the serial number of the trusted certificate in EJBCA

9.1 Node B with RootCA installed
9.2 Node A with SubCAs and ManagementCA installed
9.3 Certificate Profiles
9.4 Clone a certificate profile
9.5 Certificate Profiles
9.6 Crypto Tokens
9.7 Crypto Tokens settings
9.8 Key pair creation
9.9 Certification Authorities
9.10 Create CA
9.11 CA certificate data
9.12 CA CRL data settings
9.13 Clone SUBCA
9.14 Create from template
9.15 Edit Certificate Profile
9.16 Edit Certificate Profile
9.17 Edit Certificate Profile
9.18 Edit Certificate Profile
9.19 Create End Entity profile for SUBCAs
9.20 Edit End Entity Profile for SubCAs
9.21 Edit End Entity Profile for SubCAs
9.22 Fetch RootCA certificate

...

Chapter 3 PKI Appliance Overview

3.1 Description

EJBCA Enterprise Appliance is a PKI-in-a-box...

...

22 Managing Workers with Admin GUI

22.1.4 Configure EJBCA for CSR signing from SignServer Workers

1. Open EJBCA Administration Web page.
2. Navigate to Certificate Profiles in CA Functions (see fig 22.9).

Figure 22.9: Manage Certificate Profiles

3. Click on Clone next to ENDUSER profile to copy this certificate profile.
4. Provide SignerCertificateProfile as name of new certificate profile and click Create from template afterwards (see fig 22.10).

Figure 22.10: Clone EndUser certificate profile

5. Next to the new SignerCertificateProfile click Edit button (see fig 22.11).

Figure 22.11: Edit SignerCertificateProfile

6. Enable Use option in CRL Distribution Points and provide the URL in CRL Distribution Point (see fig 22.12) and delete the auto-generated text in CRL Issuer field.
7. Click Save.

Figure 22.12: Provide CRL distribution point

8. At RA Functions open End Entity Profiles link.
9. Fill the text field Add Profile with SignerEndEntityProfile.
10. Press Add button.
11. Highlight SignerEndEntityProfile and press Edit End Entity Profile (see fig 22.13).

Figure 22.13: Create SignerEndEntityProfile

12. For both Default Certificate Profile and Available Certificate Profiles choose SignerCertificateProfile.
13. Press Save button.
14. At RA Functions click on Add End Entity link and provide the following values (see fig 22.14):
    • End Entity Profile: SignerEndEntityProfile
    • Username: pdfSigner
    • Password (or Enrollment Code): foo123
    • Confirm Password: foo123
    • CN, Common name: PDF Signer
15. Press Add button.

Figure 22.14: Add end entity

16. Navigate to Public Web.
17. Under Enroll open Create Certificate from CSR link and fill the text fields and options with (see fig 22.15):
    • Username: pdfSigner
    • Enrollment Code: foo123
    • Open Browse and upload the pdfSigner_req.csr file
    • Result type: PEM - full certificate chain
    • Press OK

Figure 22.15: Sign CSR

18. Figure 22.16 shows that CSR is signed and the certificate is downloaded.

Figure 22.16: CSR created

22.1.5 Install the certificates in SignServer

Back in SignServer Administration GUI press Install certificates.

Use the button to upload the PDFSigner.pem certificate in both Signer certificate and Certificate chain.

Click Install button to install it.

A message is displayed which informs that the certificate is installed (see fig 22.17). Press OK.

Figure 22.17: Certificate installed

Figure 22.18 shows that the worker is active now. If the worker is not active use Status Summary tab to check if there are any errors or the token is listed as offline.

Figure 22.18: Worker is active

22.2 Use-Case: Signing and verifying a PDF document

This use case assumes that a PDF Signer has been previously set up with the name "PDFSigner". See section 22.1.

22.2.1 Sign a PDF document using the PDF Signer

Open http:///signserver URL and click Signing and Validation Demo.

Click PDF link, upload a pdf file and press Submit button (see fig 22.19). The file will be signed by PDF worker.

Figure 22.19: Sign PDF

As an alternative the page called "Generic signing" can be used instead. On that page the user has to input the name of the worker (i.e. "PDFSigner") that should process the request.

22.2.2 Verify the signed PDF with Adobe Reader

If certificates from your own CA are used and not from a CA already trusted by Adobe Reader, your CA certificates have to be imported in the application.

Note: in a real world scenario you would want to use certificates issued by a CA already trusted by the application or have a strategy for how to distribute your CA certificate within your organization.

1. From EJBCA Public Web fetch the CA certificate via Fetch CA Certificates and Download as PEM (see fig 22.20). The file will be downloaded as ManagementCA.pem. But as Adobe Reader does not support the pem file extension, rename it to ManagementCA.cer instead.

Figure 22.20: Fetch RootCA certificate

2. In Adobe Reader open Preferences -> Signatures and press More button in Identities & Trusted Certificates (see fig 22.21).

Figure 22.21: Adobe Reader Preferences

3. Click on Trusted Certificates on the menu on the left and then the Import button from the options on the top of the window (see fig 22.22).

Figure 22.22: Import trusted certificates

4. Use the Browse button to upload the ManagementCA.cer file and click Import button to install it (see fig 22.23).

Figure 22.23: Browse for the trusted certificate

5. Now that the certificate is installed press Edit Trust button (see fig 22.24).

Figure 22.24: Edit trust of the certificate

6. At least enable the options Use the certificate as a trusted root and Certified documents (see fig 22.25). Press OK.

Figure 22.25: Enable trust options

7. Open the document that was signed in step and click Validate All Signatures (see fig 22.25).

Figure 22.26: Validate signature

8. A confirmation dialog pops up which asks you if you want to verify the signatures. Click OK button to confirm.
9. If the validation is done, another dialog tells you Completed validating all signatures. Confirm this dialog by clicking OK.
10. The last button on the left will show signature details. Click on Certificate Details link (see fig 22.27).

Figure 22.27: Signature details

11. The Revocation tab shows information about CRL (see fig 22.28).

Figure 22.28: Revocation details

22.3 Use-Case: Rekeying signers

Eventually the signer certificate will expire and a new certificate is needed for it to continue working. The current validity of a signer can be seen in the Administration GUI by selecting the signer and clicking the Status Properties tab. The field Validity not after shows the date after which the signer cannot be used because its certificate has expired or its private key usage period has ended.

22.3.1 Generate a new key

Select the worker and click Renew key button.

If not already filled in, provide the values for:
    • Key algorithm: example: RSA
    • Key specification: example: 2048

The Administration GUI will suggest the name of the new key to be the current name with its numeric suffix increased by one (see fig 22.29).

Figure 22.29: Generate key

Click Generate to start the key generation.

A message will be displayed saying: "Renewed keys for all chosen signers." Click on OK.

At this point a new key is available in the HSM slot but the signer is still using the old key, as pointed out by its DEFAULTKEY property. A new property called NEXTCERTSIGNKEY has been created with the name of the new key so that the GUI will remember it.

22.3.2 Create a certificate signing request

Next step is to generate the CSR for the new key.

Click on Generate CSR button and provide the following values (see fig 22.30):
    • Key: Next key
    • Signature algorithm: example: SHA256WithRSA
    • DN: example: CN=My Signer 1,O=My Organization,C=SE

Figure 22.30: Provide CSR

Click on the button, provide filename mysigner_req.csr and the folder it will be saved to.

Click Generate.

Bring the request file to the CA to obtain the signer certificate and any CA certificates.

22.3.3 Install the certificates

Click Install certificates.

If you got one PEM certificate containing both the signer certificate and any CA certificates then you can use the button in the Certificate chain column to select the file. If you instead got two files, one with the signer certificate and one with the CA certificates, use the Signer certificate column for the signer certificate file and the Certificate chain column for the CA certificate file.

Click Install button to install it.

A message is displayed which informs that certificates are installed. Press OK.

Figure 22.31: Choose certificates

At this point the Administration GUI has changed the DEFAULTKEY property to point to the new key and removed the NEXTCERTSIGNKEY property. The worker status should now switch to ACTIVE. If the worker status is not ’ACTIVE’ use Status Summary tab to check if there are any errors or the token is listed as offline.
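A command-line cross-check of the certificate downloaded in 22.1.4 (or obtained in 22.3.2) before it is installed in SignServer, covering the key match with the worker's CSR, the chain to the CA, the CRL Distribution Point configured in the certificate profile, and the remaining validity that drives rekeying in 22.3. This is an added example, not part of the PrimeKey manual; it assumes the OpenSSL command-line tool, and the test CA, subjects, CRL URL and the 14-day threshold are constructed values.

```bash
#!/bin/sh
# Added example: pre-install checks on a signer certificate returned by the CA.
# Everything generated below (CA, keys, CRL URL) is constructed test material.

# Build a throwaway CA, a signer CSR and two 30-day certificates for that CSR
# (one with a CRL Distribution Point, one without) in directory $1.
make_constructed_pki() {
  p=$1
  cat > "$p/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Constructed Test CA
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
  echo 'crlDistributionPoints = URI:http://ca.example.invalid/crl/TestCA.crl' > "$p/cdp.cnf"
  openssl req -x509 -config "$p/req.cnf" -newkey rsa:2048 -nodes -days 365 \
    -keyout "$p/ca.key" -out "$p/ca.pem" 2>/dev/null &&
  openssl req -new -config "$p/req.cnf" -newkey rsa:2048 -nodes -subj "/CN=PDF Signer" \
    -keyout "$p/signer.key" -out "$p/pdfSigner_req.csr" 2>/dev/null &&
  openssl x509 -req -in "$p/pdfSigner_req.csr" -CA "$p/ca.pem" -CAkey "$p/ca.key" \
    -CAcreateserial -days 30 -extfile "$p/cdp.cnf" -out "$p/PDFSigner.pem" 2>/dev/null &&
  openssl x509 -req -in "$p/pdfSigner_req.csr" -CA "$p/ca.pem" -CAkey "$p/ca.key" \
    -CAcreateserial -days 30 -out "$p/nocdp.pem" 2>/dev/null
}

# Print one result line and remember any failure in c_rc.
report() { if [ "$2" -eq 0 ]; then echo "$1: ok"; else echo "$1: FAIL"; c_rc=1; fi; }

# check_signer_cert CERT CSR CA_FILE MIN_DAYS
# Returns 0 only if every check passes.
check_signer_cert() {
  c_cert=$1; c_csr=$2; c_ca=$3; c_days=$4; c_rc=0
  # 1. The certificate must carry the public key the worker put in its CSR.
  k_cert=$(openssl x509 -in "$c_cert" -noout -pubkey 2>/dev/null)
  k_csr=$(openssl req -in "$c_csr" -noout -pubkey 2>/dev/null)
  [ -n "$k_cert" ] && [ "$k_cert" = "$k_csr" ]
  report "public key matches CSR" $?
  # 2. The certificate must verify against the CA certificate(s).
  openssl verify -CAfile "$c_ca" "$c_cert" >/dev/null 2>&1
  report "chains to CA" $?
  # 3. The profile's CRL Distribution Point must be present in the certificate.
  openssl x509 -in "$c_cert" -noout -text 2>/dev/null | grep -q "CRL Distribution Points"
  report "CRL Distribution Point present" $?
  # 4. The certificate must stay valid for more than MIN_DAYS days.
  openssl x509 -in "$c_cert" -noout -checkend $((c_days * 86400)) >/dev/null 2>&1
  report "valid for more than $c_days days" $?
  return $c_rc
}

# Demonstration run on the constructed material.
demo_dir=$(mktemp -d)
make_constructed_pki "$demo_dir" &&
  check_signer_cert "$demo_dir/PDFSigner.pem" "$demo_dir/pdfSigner_req.csr" "$demo_dir/ca.pem" 14
rm -rf "$demo_dir"
```

`openssl x509` reads only the first certificate in a file, so with a "PEM - full certificate chain" download these checks apply to whichever certificate comes first in that file.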

Date posted: 18/06/2021, 09:43