EJBCA Dev Environment Quickstart

This document describes the steps necessary to install and set up a minimal EJBCA instance for testing Serles.
Installing EJBCA Community
docker pull primekey/ejbca-ce
docker run -it -p 9980:8080 -p 9443:8443 -h ejbca-test -e TLS_SETUP_ENABLED="simple" primekey/ejbca-ce
These commands expose the EJBCA web UI on port 9443 over TLS with a self-signed certificate, and plain HTTP on port 9980 (note that the SOAP API cannot be accessed over plain text). Port 8443 is the default port of Serles, so we use 9443 for EJBCA.
Configuring EJBCA for use with Serles
1. Create a Certificate Authority.
   Suggested name: ACMECA

2. Create a Certificate Profile.
   Suggested name: ACMEServerProfile
   Notes: Set Extended Key Usage to Server Authentication.

3. Create an End Entity Profile.
   Suggested name: ACMEEndEntityProfile
   Notes: Under Other subject attributes, add a few DNS Name entries to the allowed Subject Alternative Name fields. Under Main certificate data, set the CA to the one from Step 1 and the Certificate Profile to the one from Step 2.

4. Create a Certificate Profile for the API client.
   Suggested name: APIClientProfile
   Notes: Set Extended Key Usage to Client Authentication. The CA should be the ManagementCA.

5. Create an End Entity Profile for the client certificate.
   Suggested name: APIClientEntityProfile
   Notes: Under Main certificate data, set it to use APIClientProfile and ManagementCA.

6. Create a user for the API.
   Suggested name: client01
   Notes: Use the End Entity Profile from Step 5 and set the Common Name to the same value as the username.

7. Create a user role for acme-client-cert.
   Suggested name: ACMEUser
   Notes: Set Access Rules using Advanced Mode to allow the following:

     /administrator
     /ca_functionality/create_certificate
     /ra_functionality/create_end_entity
     /ra_functionality/edit_end_entity
     /ca/<CA_OF_USER>    (using the CA from Step 1)
     /endentityprofilesrules/<END_ENTITY_PROFILE_OF_USER>/create_end_entity
     /endentityprofilesrules/<END_ENTITY_PROFILE_OF_USER>/edit_end_entity    (using the End Entity Profile from Step 3)

8. Add the API user to the new role (ACMEUser).
   Notes: Set the Members of the Administrator Role from Step 7 to match the client entity from Step 6 (e.g. on CN and CA).

9. Issue a certificate for the user.
   Use Create Certificate from CSR, or in the EJBCA RA web choose Request new certificate.
   Notes: Generate the key and CSR with

     openssl req -newkey rsa:2048 -keyout client01.key -out client01.csr -nodes -subj /CN=client01

   upload the CSR, then download the certificate (client01.pem) and combine key and certificate into one file:

     cat client01.key client01.pem > client01-privpub.pem
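Before pointing Serles at client01-privpub.pem it is worth checking that the bundle actually contains what Steps 4 to 9 were meant to produce: the private key must match the downloaded certificate, the subject CN must be the username, and the certificate must carry the Client Authentication extended key usage. The following script is an added example, not part of the Serles or EJBCA documentation; it wraps the two commands from Step 9 in functions and adds a verify_bundle check built on plain openssl commands (the function names and the ext.cnf file name are this example's own choices).

```shell
#!/bin/sh
# Added example (not Serles/EJBCA project code): create the CSR for the EJBCA API
# client, bundle the downloaded certificate with its key, and verify the bundle.

# Generate an RSA key and CSR for the given CN (the openssl line from Step 9).
make_csr() {
    cn="$1"
    openssl req -newkey rsa:2048 -keyout "$cn.key" -out "$cn.csr" -nodes \
        -subj "/CN=$cn" 2>/dev/null
}

# Concatenate key and certificate into the single PEM file Serles is given.
make_bundle() {
    cn="$1"
    cat "$cn.key" "$cn.pem" > "$cn-privpub.pem"
}

# Verify a key+certificate bundle. Returns 0 when all checks pass:
#   1. the public key derived from the private key equals the certificate's key
#   2. the subject CN is the expected username
#   3. the certificate carries the Client Authentication EKU (Step 4)
verify_bundle() {
    bundle="$1"
    want_cn="$2"

    key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null || true)
    cert_pub=$(openssl x509 -in "$bundle" -pubkey -noout 2>/dev/null || true)
    if [ -z "$key_pub" ] || [ "$key_pub" != "$cert_pub" ]; then
        echo "verify_bundle: private key does not match certificate" >&2
        return 1
    fi

    subj=$(openssl x509 -in "$bundle" -noout -subject -nameopt RFC2253 2>/dev/null || true)
    case "$subj" in
        *"CN=$want_cn"*) ;;
        *) echo "verify_bundle: unexpected subject: $subj" >&2; return 1 ;;
    esac

    # openssl prints the EKU names on the line after "X509v3 Extended Key Usage".
    eku=$(openssl x509 -in "$bundle" -noout -text 2>/dev/null \
          | grep -A1 'Extended Key Usage' || true)
    case "$eku" in
        *"TLS Web Client Authentication"*) ;;
        *) echo "verify_bundle: certificate lacks the Client Authentication EKU" >&2; return 1 ;;
    esac
    return 0
}

# Usage (after downloading client01.pem from EJBCA as described in Step 9):
#   make_csr client01            # produces client01.key and client01.csr
#   make_bundle client01         # produces client01-privpub.pem
#   verify_bundle client01-privpub.pem client01 && echo "bundle OK"
```

If verify_bundle rejects the bundle on the EKU check, the certificate profile chosen in Step 5 is not the APIClientProfile from Step 4; a key mismatch usually means a certificate for a different request was downloaded.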