Many people have heard the term "digital certificate", but far fewer have heard of "EJBCA".
A digital certificate (Certificate) is a document used to identify the parties during Internet communication; it can be thought of as a "network ID card", and its main purpose is identity verification.
EJBCA is a CA (Certificate Authority) software system. A CA is a digital certificate certification centre whose main job is to manage digital certificates: issuing, revoking, renewing and so on. EJBCA implements the CA specifications, so it can be used to manage digital certificates.
Below, the author walks through EJBCA installation, EJBCA usage, digital certificate usage, the Web service interface and the Nginx proxy, in that order, to cover the complete set-up and use of a standalone CA system.
Installing ejbca-community-6.3.1.1 on CentOS
The EJBCA installation process is fairly involved. This article uses CentOS 6.5 as the example system; other Linux distributions can follow along, and the procedure under Windows is almost identical. The version installed is EJBCA Community 6.3.1.1 (Community Edition). Follow the steps below strictly and in order, otherwise it is easy to go wrong!
1. Installation of the basic environment
Installing EJBCA requires JDK 1.7 or above, the ant build tool, a working MySQL database and jboss-7.1.1. For the installation and configuration of the JDK, ant and MySQL, refer to http://www.cnblogs.com/ywlaker/p/6129872.html; if these are already installed, skip straight to the steps below.
2. Installing and starting JBoss
Download the JBoss package jboss-as-7.1.1.Final.tar.gz from the JBoss website, unpack it and configure the environment variables:
tar xvf jboss-as-7.1.1.Final.tar.gz -C /usr/java
vi /etc/profile
Append the following:
# jboss conf
export JBOSS_HOME=/usr/java/jboss-as-7.1.1.Final
Make the configuration take effect immediately:
source /etc/profile
Start JBoss; note the trailing & symbol, and run "exit" once it has started:
sh /usr/java/jboss-as-7.1.1.Final/bin/standalone.sh &
exit
JBoss now runs in the background. The following commands find the JBoss process and shut it down:
ps -ef | grep jboss
kill -9 <process number>
3. Configuring the MySQL data source for JBoss
Create the module directory, then create module.xml inside it:
mkdir -p /usr/java/jboss-as-7.1.1.Final/modules/com/mysql/main
cd /usr/java/jboss-as-7.1.1.Final/modules/com/mysql/main
vi module.xml
The content of module.xml is as follows:
<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.0" name="com.mysql">
    <resources>
        <resource-root path="mysql-connector-java-5.1.27.jar"/>
    </resources>
    <dependencies>
        <module name="javax.api"/>
        <module name="javax.transaction.api"/>
    </dependencies>
</module>
Download the MySQL driver mysql-connector-java-5.1.27.jar, put it in the /usr/file directory, then copy it into the current directory:
cp /usr/file/mysql-connector-java-5.1.27.jar ./
Open a new shell window and run:
sh /usr/java/jboss-as-7.1.1.Final/bin/jboss-cli.sh -c
If the prompt shows "disconnected", enter "connect" first, press Enter a few times, then run the following commands:
/subsystem=datasources/jdbc-driver=com.mysql.jdbc.Driver:add(driver-name=com.mysql.jdbc.Driver,driver-class-name=com.mysql.jdbc.Driver,driver-module-name=com.mysql,driver-xa-datasource-class-name=com.mysql.jdbc.jdbc2.optional.MysqlXADataSource)
:reload
4. Installing and configuring EJBCA
Download the EJBCA package ejbca_ce_6_3_1_1.zip from the EJBCA website, put it in the /usr/file directory, unzip it and get ready to edit the configuration:
unzip /usr/file/ejbca_ce_6_3_1_1.zip -d /usr/java
cd /usr/java
mv ejbca_ce_6_3_1_1 ejbca-ce-6.3.1.1
cd /usr/java/ejbca-ce-6.3.1.1/conf/
1, modify ejbca.properties
mv ejbca.properties.sample ejbca.properties
vi ejbca.properties
Modify the following items:
appserver.home=/usr/java/jboss-as-7.1.1.Final
appserver.type=jboss
2, modify database.properties
mv database.properties.sample database.properties
vi database.properties
Modify the following items:
# datasource
datasource.jndi-name=jboss/datasources/mysqlds
# MySQL info
database.name=mysql
database.url=jdbc:mysql://127.0.0.1:3306/ejbca?characterEncoding=UTF-8
database.driver=com.mysql.jdbc.Driver
database.username=root
database.password=root
3, modify install.properties
mv install.properties.sample install.properties
vi install.properties
Modify the following items:
# set the CA name
ca.name=test
# set the CA DN
ca.dn=CN=test,O=test,C=CN
4, rename cesecore.properties and jaxws.properties; their contents need no changes
mv cesecore.properties.sample cesecore.properties
mv jaxws.properties.sample jaxws.properties
5, modify web.properties
mv web.properties.sample web.properties
vi web.properties
Modify the following items:
# the password is best kept to 6 characters
superadmin.password=123456
superadmin.cn=superadmin
httpsserver.hostname=ca.test.com
httpsserver.dn=CN=${httpsserver.hostname},O=test,C=cn
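Once the properties files are filled in, it is worth checking them for the kind of values this walkthrough uses (root as the database account, a six-digit superadmin password) and for a httpsserver.dn whose CN does not match httpsserver.hostname, which would produce a server certificate that browsers reject for ca.test.com. The following Python script is an added example, not part of the original article or of EJBCA itself: it parses the key=value files, expands ${...} references the way httpsserver.dn refers to httpsserver.hostname, and reports findings. The file contents embedded in it are constructed from the values above (plus a hardened variant with placeholder passwords); the check names and the 12-character threshold are this script's own.

```python
"""Audit the EJBCA conf/*.properties values for weak or inconsistent settings."""
import re

# Constructed sample input: the values this walkthrough puts into the three files.
SAMPLE_FILES = {
    "database.properties": (
        "# datasource\n"
        "datasource.jndi-name=jboss/datasources/mysqlds\n"
        "# MySQL info\n"
        "database.name=mysql\n"
        "database.url=jdbc:mysql://127.0.0.1:3306/ejbca?characterEncoding=UTF-8\n"
        "database.driver=com.mysql.jdbc.Driver\n"
        "database.username=root\n"
        "database.password=root\n"
    ),
    "install.properties": "ca.name=test\nca.dn=CN=test,O=test,C=CN\n",
    "web.properties": (
        "superadmin.password=123456\n"
        "superadmin.cn=superadmin\n"
        "httpsserver.hostname=ca.test.com\n"
        "httpsserver.dn=CN=${httpsserver.hostname},O=test,C=cn\n"
    ),
}

# Constructed hardened variant: a dedicated database account and long passwords (placeholder values).
HARDENED_FILES = {
    "database.properties": "database.username=ejbca\ndatabase.password=Qv7#mL2pZx!9rT\n",
    "install.properties": "ca.name=test\nca.dn=CN=test,O=test,C=CN\n",
    "web.properties": (
        "superadmin.password=Tg8!kW3zQp#5vB\n"
        "httpsserver.hostname=ca.test.com\n"
        "httpsserver.dn=CN=${httpsserver.hostname},O=test,C=cn\n"
    ),
}

PLACEHOLDER = re.compile(r"\$\{([^}]+)\}")


def parse_properties(text):
    """Minimal Java .properties reader: key=value (or key:value) lines, '#'/'!' comment lines."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if not sep:
            key, _, value = line.partition(":")
        props[key.strip()] = value.strip()
    return props


def resolve(props):
    """Expand ${key} references, as httpsserver.dn refers to httpsserver.hostname."""
    out = dict(props)
    for _ in range(10):  # bounded so a self-referencing value cannot loop forever
        changed = False
        for key, value in out.items():
            expanded = PLACEHOLDER.sub(lambda m: out.get(m.group(1), m.group(0)), value)
            if expanded != value:
                out[key] = expanded
                changed = True
        if not changed:
            break
    return out


def dn_attr(dn, name):
    """First value of attribute `name` in a comma-separated DN (attribute names are case-insensitive)."""
    for part in dn.split(","):
        attr, _, value = part.partition("=")
        if attr.strip().lower() == name.lower():
            return value.strip()
    return None


def audit(files, min_password_len=12):
    """Return (resolved properties, list of findings) for a dict of file name -> file contents."""
    merged = {}
    for text in files.values():
        merged.update(parse_properties(text))
    props = resolve(merged)
    findings = []
    if props.get("database.username") == "root":
        findings.append("database.username is root: give EJBCA its own MySQL account")
    if props.get("database.password") in (None, "", "root", "password"):
        findings.append("database.password is empty or a default value")
    password = props.get("superadmin.password", "")
    if len(password) < min_password_len or password.isdigit():
        findings.append("superadmin.password is shorter than %d characters or all digits" % min_password_len)
    host = props.get("httpsserver.hostname")
    cn = dn_attr(props.get("httpsserver.dn", ""), "CN")
    if host and cn != host:
        findings.append("httpsserver.dn CN (%s) does not match httpsserver.hostname (%s)" % (cn, host))
    if not dn_attr(props.get("ca.dn", ""), "CN"):
        findings.append("ca.dn has no CN")
    return props, findings


if __name__ == "__main__":
    for label, files in (("walkthrough values", SAMPLE_FILES), ("hardened values", HARDENED_FILES)):
        props, findings = audit(files)
        print(label, "->", props["httpsserver.dn"])
        for finding in findings:
            print("  -", finding)
```

Run it against the real conf directory by reading each file into the dict; the walkthrough values produce three findings, the hardened variant none.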
5. Deploying EJBCA to JBoss
First create a database named "ejbca" with the utf-8 character set in the MySQL instance configured above, then formally build EJBCA with ant and install it into JBoss:
cd /usr/java/ejbca-ce-6.3.1.1
ant clean deploy
ant install
ant deploy-keystore
ant deploy deploys the application, ant install generates the CA and its certificates, and ant deploy-keystore deploys the server certificate to JBoss. The first two steps take a long time; if you are prompted for input during the process, just press Enter.
6. Configuring JBoss for HTTPS
Open a new shell window and run:
sh /usr/java/jboss-as-7.1.1.Final/bin/jboss-cli.sh -c
If the prompt shows "disconnected", run "connect", press Enter a few times, then run the following four parts of configuration in order.
Part 1 (allow access from any host). These commands address the undertow subsystem, which is what WildFly 8 and later use; JBoss AS 7.1.1 ships the older web subsystem instead, so check the subsystem names in your standalone.xml before running them:
/interface=http:add(inet-address="0.0.0.0")
/interface=httpspub:add(inet-address="0.0.0.0")
/interface=httpspriv:add(inet-address="0.0.0.0")
/socket-binding-group=standard-sockets/socket-binding=http:add(port="8080",interface="http")
/subsystem=undertow/server=default-server/http-listener=http:add(socket-binding=http)
/subsystem=undertow/server=default-server/http-listener=http:write-attribute(name=redirect-socket,value="httpspriv")
:reload
Part 2 (configure the certificate keystores and the two HTTPS ports):
/core-service=management/security-realm=SSLRealm:add()
/core-service=management/security-realm=SSLRealm/server-identity=ssl:add(keystore-path="${jboss.server.config.dir}/keystore/keystore.jks",keystore-password="serverpwd",alias="PROD-ICA1")
/core-service=management/security-realm=SSLRealm/authentication=truststore:add(keystore-path="${jboss.server.config.dir}/keystore/truststore.jks",keystore-password="changeit")
/socket-binding-group=standard-sockets/socket-binding=httpspriv:add(port="8443",interface="httpspriv")
/socket-binding-group=standard-sockets/socket-binding=httpspub:add(port="8442",interface="httpspub")
:reload
Part 3 (configure the SSL listeners; the 8443 listener demands a client certificate, which is what makes the administrator interface certificate-protected, while 8442 is plain server-side TLS for the user interface):
/subsystem=undertow/server=default-server/https-listener=httpspriv:add(socket-binding=httpspriv,security-realm="SSLRealm",verify-client=REQUIRED)
/subsystem=undertow/server=default-server/https-listener=httpspub:add(socket-binding=httpspub,security-realm="SSLRealm")
:reload
Part 4 (configure the Web service):
/system-property=org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH:add(value=true)
/system-property=org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH:add(value=true)
/system-property=org.apache.catalina.connector.URI_ENCODING:add(value="UTF-8")
/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:add(value=true)
/subsystem=webservices:write-attribute(name=wsdl-host,value=jbossws.undefined.host)
/subsystem=webservices:write-attribute(name=modify-wsdl-address,value=true)
:reload
Managing digital certificates with EJBCA
With EJBCA installed, we can use it to manage digital certificates. Assume the server on which EJBCA is installed has the address 172.17.210.124. On a Windows machine, configure hosts by editing the hosts file in the C:\Windows\System32\drivers\etc directory and adding the line:
172.17.210.124 ca.test.com
Then copy the superadmin.p12 file from the /usr/java/ejbca-ce-6.3.1.1/p12/ directory on the EJBCA server to the Windows machine and double-click it to start the import. The default password is "ejbca"; if it was changed during configuration, use the modified password, e.g. "123456".
The EJBCA system provides two interfaces:
Administrator interface (requires a certificate; use the superadmin certificate you just installed)
https://ca.test.com:8443/ejbca/adminweb/
User interface
http://ca.test.com:8080/ejbca/
With the superadmin certificate in place, let's start managing digital certificates!
1. User registration
A digital certificate is a carrier of identity authentication, and the object being authenticated is "the user". The certificate contains the user's basic information, just as an ID card contains your name and other basic details. Registration is the process of submitting the user's basic information to EJBCA.
In the EJBCA administrator interface, open the "RA Functions" - "Add End Entity" menu and fill in the fields ticked as "Required":
End entity profile (the user template): select "EMPTY"
Enter the username and password
Common Name: for a server certificate, enter the domain name here
Fill in the certificate information: Certificate Profile "ENDUSER", CA "Dev", Token "P12 file"
Finally click the "Add" button to complete the registration
2. Downloading the certificate
After registering the user you naturally cannot wait to get the certificate. In the EJBCA user interface, open the "Enroll" - "Create Browser Certificate" menu.
Enter the username and password and click the "OK" button to reach the following page:
Select "2048 bits" for "Key Length" and "ENDUSER" for "Certificate profile", then click the "Enroll" button to download the certificate.
3. Revoking a certificate
If the administrator finds that a user's certificate has been stolen, the fix is simple: revoke it.
In the EJBCA administrator interface, open the "RA Functions" - "Search End Entities" menu. In the "Search end entities with status" drop-down select "All" and click the "Search" button on the right to list the users (other columns omitted).
Tick the user whose certificate needs to be revoked and click the "Revoke Selected" button below the table to revoke the user.
4. Renewing a certificate
When the certificate the user previously requested expires, it has to be replaced with a new one.
In the EJBCA administrator interface, open the "RA Functions" - "Search End Entities" menu. In the "Search end entities with status" drop-down select "All" and click the "Search" button on the right to list the users (other columns omitted).
Click the "Edit End Entity" link in the rightmost column of the user whose certificate needs renewing to edit that user.
Set "Status" to "New" and click the "Save" button to its right. Then enter a new password, leave the other items unchanged, and click the "Save" button at the bottom of the page to save the settings.
5. Root certificate
As a CA, EJBCA has its own root certificate.
In the EJBCA user interface, open the "Retrieve" - "Fetch CA Certificates" menu to download the root certificate in various formats.
6. Requesting a Tomcat server certificate
The method above manages ordinary user browser certificates, whose format is P12. Tomcat servers use certificates in JKS format; how are those requested?
When registering the user, select "SERVER" for the certificate profile, "Dev" for the CA and "JKS file" for the token; leave the other values unchanged.
To download the certificate, open the "Enroll" - "Create Keystore" menu in the EJBCA user interface, enter the username and password, and go to the following page:
Select "2048 bits" for "Key Length" and "SERVER" for "Certificate profile", then click the "Enroll" button to download the certificate.
Other server certificate formats work similarly; I am sure you can work them out!
Building your own CA system with the Web service
EJBCA is now installed and can manage digital certificates, but every operation so far has been performed in the interfaces EJBCA provides. Quite apart from the fact that they are entirely in English, the many configuration options are confusing, and most of them are either fixed or unneeded. The most sensible approach is therefore to build a middle tier on top of EJBCA: users access the certificate management service offered by the middle tier, and the middle tier is implemented against EJBCA, which conveniently provides a complete Web service interface.
The middle tier only needs to provide certificate registration, download, revocation and renewal; more functions can of course be added depending on the actual requirements. The basic implementation of the middle tier is described below.
1. The superadmin.jks certificate
EJBCA's Web service interface requires certificate authentication. The official example source uses the superadmin super-administrator certificate, but in JKS format, so we need a superadmin.jks certificate. It could be produced with a conversion tool, but EJBCA can generate it directly.
Perform a renewal on the superadmin user (see "4. Renewing a certificate" above) and, before saving, change the value of the following field to "JKS file":
Then download superadmin's JKS certificate by following the steps for downloading an ordinary user certificate.
2. Initializing the Web service connection
With superadmin.jks in hand we can connect to the Web service, but the jar packages the Web service client needs must first be added to the project: all the jars in the following two directories:
/usr/java/ejbca-ce-6.3.1.1/dist/ejbca-ws-cli/lib
/usr/java/ejbca-ce-6.3.1.1/dist/ejbca-ws-cli
Then initialize the Web service connection in code:
import java.io.File;
import java.net.URL;
import javax.xml.namespace.QName;
import org.cesecore.util.CryptoProviderTools;
import org.ejbca.core.protocol.ws.client.gen.EjbcaWS;
import org.ejbca.core.protocol.ws.client.gen.EjbcaWSService;

private static final String CERT_PATH = "D:/superadmin.jks";
private EjbcaWS ejbcaws;   // shared by the certificate management methods below

public void init() throws Exception {
    if (!new File(CERT_PATH).exists()) {
        throw new IllegalStateException("superadmin.jks not found: " + CERT_PATH);
    }
    CryptoProviderTools.installBCProvider();
    // superadmin.jks is used both as the key store (the client certificate presented to EJBCA)
    // and as the trust store (it also contains the CA chain that signed the server certificate)
    System.setProperty("javax.net.ssl.trustStore", CERT_PATH);
    System.setProperty("javax.net.ssl.trustStorePassword", "123456");
    System.setProperty("javax.net.ssl.keyStore", CERT_PATH);
    System.setProperty("javax.net.ssl.keyStorePassword", "123456");
    QName qName = new QName("http://ws.protocol.core.ejbca.org/", "EjbcaWSService");
    EjbcaWSService service = new EjbcaWSService(new URL("https://ca.test.com:8443/ejbca/ejbcaws/ejbcaws?wsdl"), qName);
    ejbcaws = service.getEjbcaWSPort();
}
Note: the connection address must be the domain name that was specified for the EJBCA server when EJBCA was installed, so the machine that connects to EJBCA (the one providing the Web service based interface) must also configure hosts:
172.17.210.124 ca.test.com
The purpose of initialization is to obtain an EjbcaWS instance; the certificate registration, download and other services that follow are all built on it.
3. Implementing the certificate management service
Check whether the user is already registered:
import java.util.List;
import org.ejbca.core.protocol.ws.client.gen.UserDataVOWS;
import org.ejbca.core.protocol.ws.client.gen.UserMatch;

private boolean isExist(String username) throws Exception {
    UserMatch userMatch = new UserMatch();
    userMatch.setMatchwith(UserMatch.MATCH_WITH_USERNAME);
    userMatch.setMatchtype(UserMatch.MATCH_TYPE_EQUALS);
    userMatch.setMatchvalue(username);
    try {
        List<UserDataVOWS> users = ejbcaws.findUser(userMatch);
        return users != null && !users.isEmpty();
    } catch (Exception e) {
        throw new Exception("Checking whether user " + username + " exists failed: " + e.getMessage(), e);
    }
}
Both registration and renewal go through the editUser() method, so we must first determine whether the user exists:
import java.util.Date;
import org.apache.commons.lang.time.DateFormatUtils;
import org.apache.commons.lang.time.DateUtils;
import org.ejbca.core.protocol.ws.client.gen.UserDataVOWS;

public void editUser(int validityDays) throws Exception {
    UserDataVOWS userData = new UserDataVOWS();
    userData.setUsername("testname");                                  // user name
    userData.setPassword("123456");                                    // password
    userData.setClearPwd(false);                                       // default
    userData.setSubjectDN("CN=" + "testname" + ",OU=" + "testou" + ",O=" + "testo" + ",C=CN" + ",telephoneNumber=" + "1234567890"); // subject distinguished name
    String pattern = "yyyy-MM-dd HH:mm:ssZZ";                          // ISO 8601 style time format
    Date now = new Date();
    userData.setStartTime(DateFormatUtils.format(now, pattern));      // certificate validity start
    // validity end; the number of days did not survive in the article, so it is a parameter here
    userData.setEndTime(DateFormatUtils.format(DateUtils.addDays(now, validityDays), pattern));
    userData.setCaName("test");                                        // CA name, as configured in EJBCA
    userData.setSubjectAltName(null);
    userData.setEmail("user@example.com");                             // e-mail address (placeholder; the address in the article was not preserved)
    userData.setStatus(UserDataVOWS.STATUS_NEW);                       // status NEW
    userData.setTokenType(UserDataVOWS.TOKEN_TYPE_P12);                // P12 format certificate
    userData.setEndEntityProfileName("user");                          // end entity profile
    userData.setCertificateProfileName("user");                        // certificate profile
    try {
        ejbcaws.editUser(userData);
    } catch (Exception e) {
        throw new Exception("Editing user " + userData.getUsername() + " failed: " + e.getMessage(), e);
    }
}
A few things to note in this code: the end entity profile "user" and the certificate profile "user" must be configured in the EJBCA administrator interface, and the "user" end entity profile must enable the SubjectDN attributes CN, OU, O, C, telephoneNumber and so on, and must allow the start time and end time to be modified.
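The subject DN in editUser() is assembled by string concatenation, which yields a malformed DN as soon as a value contains a comma or plus sign (an organisation called "Acme, Inc." for instance), and the start and end times must be in exactly the "yyyy-MM-dd HH:mm:ssZZ" shape. The following Python script is an added example, not from the article or from EJBCA, showing how to build those UserDataVOWS fields safely: it escapes attribute values per RFC 4514 and formats a validity window with a colon-separated UTC offset. The sample values are constructed and the function names are this script's own.

```python
"""Build the subjectDN and validity times that editUser() hands to UserDataVOWS."""
from datetime import datetime, timedelta, timezone

# Characters that must be backslash-escaped inside a DN attribute value (RFC 4514, section 2.4).
_SPECIAL = set(',+"\\<>;')

# Constructed sample "now": 2017-01-05 10:20:30 in UTC+8.
SAMPLE_NOW = datetime(2017, 1, 5, 10, 20, 30, tzinfo=timezone(timedelta(hours=8)))


def escape_rdn_value(value):
    """Escape one attribute value so it can be embedded in a string DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in _SPECIAL:
            out.append("\\" + ch)
        elif ch == "#" and i == 0:                  # a leading '#' would start a hex-encoded value
            out.append("\\#")
        elif ch == " " and (i == 0 or i == last):   # leading/trailing spaces would be trimmed
            out.append("\\ ")
        elif ch == "\x00":
            out.append("\\00")
        else:
            out.append(ch)
    return "".join(out)


def build_subject_dn(**attrs):
    """Compose CN=...,OU=...,O=...,C=...,telephoneNumber=... in a fixed order, escaping values.
    Attributes that are not supplied are left out."""
    parts = []
    for name in ("CN", "OU", "O", "C", "telephoneNumber"):
        value = attrs.get(name)
        if value is not None:
            parts.append("%s=%s" % (name, escape_rdn_value(str(value))))
    return ",".join(parts)


def ejbca_time(dt):
    """Format an aware datetime as 'yyyy-MM-dd HH:mm:ss+HH:MM', the shape the Java pattern
    'yyyy-MM-dd HH:mm:ssZZ' produces for the UserDataVOWS start/end times."""
    if dt.tzinfo is None or dt.utcoffset() is None:
        raise ValueError("use a timezone-aware datetime")
    z = dt.strftime("%z")  # e.g. +0800
    return dt.strftime("%Y-%m-%d %H:%M:%S") + z[:3] + ":" + z[3:]


def validity_window(start, days):
    """(startTime, endTime) strings for a certificate valid `days` days from `start`."""
    if days <= 0:
        raise ValueError("validity must be at least one day")
    return ejbca_time(start), ejbca_time(start + timedelta(days=days))


def end_entity_fields(username, password, validity_days, now, **dn_attrs):
    """The string fields editUser() sets on UserDataVOWS, computed from safe inputs."""
    start_time, end_time = validity_window(now, validity_days)
    return {
        "username": username,
        "password": password,
        "subjectDN": build_subject_dn(**dn_attrs),
        "startTime": start_time,
        "endTime": end_time,
    }


if __name__ == "__main__":
    fields = end_entity_fields("testname", "123456", 365, SAMPLE_NOW,
                               CN="Smith, John", OU="testou", O="Acme+Co", C="CN",
                               telephoneNumber="1234567890")
    for key, value in fields.items():
        print("%-10s %s" % (key, value))
```

Whatever the middle tier uses to build the DN, the end entity profile must still list every attribute that appears in it, otherwise EJBCA rejects the editUser() call.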
Revoking a certificate:
import org.cesecore.certificates.crl.RevokedCertInfo;

public void revoke(String username) throws Exception {
    try {
        // false: revoke the user's certificates but keep the end entity in EJBCA
        ejbcaws.revokeUser(username, RevokedCertInfo.REVOCATION_REASON_UNSPECIFIED, false);
    } catch (Exception e) {
        throw new Exception("Revoking user " + username + " failed: " + e.getMessage(), e);
    }
}
Creating a certificate:
import java.io.BufferedWriter;
import java.io.File;
import java.io.FileOutputStream;
import java.io.FileWriter;
import org.cesecore.certificates.util.AlgorithmConstants;
import org.ejbca.core.protocol.ws.client.gen.KeyStore;
import org.ejbca.core.protocol.ws.common.KeyStoreHelper;

private void createCert(String username, String password, String path) throws Exception {
    try {
        // request a PKCS#12 key store from EJBCA: the server generates the key pair and issues the certificate
        KeyStore ksenv = ejbcaws.pkcs12Req(username, password, null, "2048", AlgorithmConstants.KEYALGORITHM_RSA);
        java.security.KeyStore ks = KeyStoreHelper.getKeyStore(ksenv.getKeystoreData(), "PKCS12", password);
        // write the certificate file
        try (FileOutputStream fileOutputStream = new FileOutputStream(path + File.separator + username + ".p12")) {
            ks.store(fileOutputStream, password.toCharArray());
        }
        // write the password file; a plaintext password next to the .p12 gives the file no protection,
        // so the directory's permissions must be restricted
        File pwdFile = new File(path + File.separator + username + ".pwd");
        try (BufferedWriter out = new BufferedWriter(new FileWriter(pwdFile))) {
            out.write(password);
        }
    } catch (Exception e) {
        throw new Exception("Certificate creation for user " + username + " failed: " + e.getMessage(), e);
    }
}
The certificate is created on the server, so the interface the user calls to download it should return a …; here Nginx is used as the file download server, see the Nginx part of the article at http://www.cnblogs.com/ywlaker/p/6129872.html.
At this point the CA system built on EJBCA is complete. Of course, the above is only the core code; how to run and deploy it is not covered here. Next is a brief introduction to the fundamentals of HTTPS and the use of digital certificates.
HTTPS fundamentals and the use of digital certificates
Building a stand-alone CA system to manage digital certificates based on EJBCA Community 6.3.1.1