EJBCA
Prerequisites
- The URL must be entered in the format https://<node_hostname>:<port>/ejbca/ejbcaws/ejbcaws?wsdl. The node hostname is available on the UI of the EJBCA adminweb portal's welcome screen.
- An EJBCA client certificate for a user having the necessary access for enrolling the certificates and other CLM operations. To issue a client authentication certificate in EJBCA, do the following:
  - In EJBCA, click RA Web to access the EJBCA RA user interface.
  - To enroll, select Enroll > Use Username and specify the following:
    - Username: Enter the username as specified earlier in the step Add end entity.
    - Enrollment code: Enter the password specified earlier in the step Add end entity.
  - Click Check.
  - For Key algorithm, you can limit the type of keys to be used, such as only RSA 2048 bits.
  - Click Download PKCS#12 to download and save the keystore.
- The AppViewX server (worker node) / CC should either have internet access/EJBCA endpoint URL access or have a proxy configured in General Settings (if required). Refer to the Managing Proxy Settings documentation in the Platform guides.
  - For SaaS: Port 443 communication from the preferred CC (Cloud Connector) to the EJBCA API / endpoint URL.
  - For On-Prem: Worker nodes should have internet access, or the proxy should be configured in General Settings for connectivity to the EJBCA API / endpoint URL.
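
The prerequisites above can be checked from the worker node or Cloud Connector host before the CA account is configured. The script below is an added example, not AppViewX or EJBCA code; it assumes openssl, curl and grep are installed and the keystore password is exported as P12_PASS, and its function names are illustrative.

```shell
#!/bin/sh
# Added example: pre-flight check of the URL, keystore and connectivity prerequisites.
# Assumptions: openssl, curl, grep installed; keystore password exported as P12_PASS.

# True only for https://<node_hostname>:<port>/ejbca/ejbcaws/ejbcaws?wsdl
valid_ws_url() {
    printf '%s\n' "$1" |
        grep -Eq '^https://[A-Za-z0-9.-]+:[0-9]{1,5}/ejbca/ejbcaws/ejbcaws\?wsdl$'
}

# Print the client certificate held in a .p12/.pfx keystore as PEM.
# Keystores using older ciphers may also need "-legacy" under OpenSSL 3.
p12_client_cert() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null |
        openssl x509 2>/dev/null
}

# The keystore must open with P12_PASS, be unexpired and allow TLS client auth.
check_keystore() {
    cert=$(p12_client_cert "$1")
    [ -n "$cert" ] ||
        { echo "FAIL: cannot read $1 (wrong password or format)" >&2; return 1; }
    printf '%s\n' "$cert" | openssl x509 -noout -checkend 0 >/dev/null ||
        { echo "FAIL: client certificate has expired" >&2; return 1; }
    printf '%s\n' "$cert" | openssl x509 -noout -purpose |
        grep -q '^SSL client : Yes' ||
        { echo "FAIL: certificate is not valid for client authentication" >&2; return 1; }
    printf '%s\n' "$cert" | openssl x509 -noout -subject -enddate
}

# Fetch the WSDL over mutual TLS. The options are passed with --config on stdin
# so the password never appears in the process list (assumes the keystore path
# has no ':' and the password has no '"' or backslash).
check_endpoint() {
    printf 'cert-type = "P12"\ncert = "%s:%s"\n' "$2" "$P12_PASS" |
        curl --config - --silent --show-error --fail --max-time 15 "$1" |
        grep -q 'definitions' ||
        { echo "FAIL: no WSDL returned from $1" >&2; return 1; }
}

preflight() {
    valid_ws_url "$1" ||
        { echo "FAIL: URL is not in the documented format" >&2; return 1; }
    check_keystore "$2" && check_endpoint "$1" "$2" && echo "OK: prerequisites met"
}

# Usage: P12_PASS=... sh preflight.sh '<url>' client.p12
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

curl verifies the EJBCA server certificate against the system trust store and honours the https_proxy environment variable, so a failure in the last step can point to a missing CA certificate or proxy setting rather than to the client keystore.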
Configuring EJBCA
- Go to (Menu) > CERT+ > ADMINISTRATION > Certificate Authority.
- From the displayed CA, select EJBCA.
  The EJBCA home page is displayed.
- Click the Configure Now button or the +Add icon from the middle or top-right of the page respectively.
  The EJBCA configuration page is displayed.
- Update the following details in the General Information section as described in the table:
  Table 1. General Information - Field Description Table
  Fields: Description
  - *CA Account name: A unique name to identify the CA setting. Note: No special characters other than ‘.’, ‘-’, ‘_’ are allowed. Names should not start with special characters.
  - *Purpose/Usage: Certificate Type for which CLM actions will be enabled. E.g. Server, Client.
  - Proxy Required: Enable this field if the CA communication needs to happen via Proxy. The proxy details configured in general settings will be used for communication.
  - Data Center (AppViewX's CA agent): Select the data center through which the CA communication needs to happen.
  *: Mandatory fields
- Update the following details in the CA Configuration section as described in the table. These fields are necessary for invoking the APIs for Certificate Management.
  Table 2. CA Configuration - Field Description Table
  Fields: Description
  - *Client Authentication: Client authentication certificate for API communication.
    - Enter the valid password once the Authentication Details window is displayed.
    - Click OK.
    The value must be a valid <.p12> or <.pfx> file.
  - *URL: EJBCA URL in the format https://<node_hostname>:<port>/ejbca/adminweb/
    Click Validate and Fetch. The end entity profiles available for the CA account will be fetched along with the certificate profile from the Certificate Authority.
  - *Communication mode: Choose any of the following modes; it is required for CA Discovery.
    - SOAP
    - REST
  - *Discover by expiry days: Set the number of days to expiry, which is calculated from the current day. The value must be a number.
  *: Mandatory fields
- Update the following details in the Certificate Attributes section as described in the table:
  Fields: Description
  - *End Entry Profile Names: Select the profile that is used in the certificate enrollment from the dropdown list. These are the required end entity profiles for the CA setting.
  - Custom Attributes: Select the list of attributes configured in the CA to enroll certificates. These are the required custom attributes for the specific end entity profile. Custom attributes should be configured exactly as they appear in the EJBCA portal. (Validation can be added by the user in the regex box; check if mandatory and modifiable.)
  *: Mandatory fields
- Click Save.
  In the CA instance inventory, the connection status is initially set to In Progress. After this, the status is automatically checked and refreshed twice, every 5 seconds. Once the CA instance is successfully configured, the status is updated to Success. Status checks after the first two times have to be done via a manual refresh.
  Note: In case the connection fails, you can manually verify the connection status by clicking the Check button in the Connection Status field.
Manually Validating the EJBCA Connection Status
- Go to (Menu) > CERT+ > ADMINISTRATION > Certificate Authority.
- From the displayed CA, select EJBCA.
  The EJBCA home page is displayed.
- In the Status column of the grid with the listed accounts, click Check to validate the CA setting that has been created.
  The CA communication will be validated and the Connection Status will be shown as either Success or Failure.

