Building a stand-alone CA System Management digital certificate based on EJBCA community 6.3.1.1


Many people have heard the term "digital certificate", but far fewer have heard of "EJBCA".

A digital certificate is a document used to identify a communicating party during Internet communication. It can be thought of as a "network ID card", and its main purpose is to verify identity.

EJBCA is CA (Certificate Authority) system software. A CA is a digital certificate certification center whose main function is to manage digital certificates, including issuing, revoking and renewing them. EJBCA implements the CA specifications, so it can be used to manage digital certificates.

In what follows, the author introduces the complete process of building and using a standalone CA system, in this order: EJBCA installation, using EJBCA, using digital certificates, the Web service interface, and the nginx proxy.

Installing ejbca-community-6.3.1.1 on CentOS

The EJBCA installation process is fairly involved. This article uses CentOS 6.5 as the example system; other Linux distributions can follow the same steps, and the process under Windows is almost identical. The version installed is EJBCA Community 6.3.1.1 (Community Edition). Follow the steps below strictly, otherwise it is easy to make mistakes!

1. Installation of the basic environment

Installing EJBCA requires JDK 1.7 or above, the ant build tool, a working MySQL database, and jboss-7.1.1. For the installation and configuration of the JDK, ant and MySQL, refer to http://www.cnblogs.com/ywlaker/p/6129872.html; if you already have these installed, skip ahead to the following steps.

2. Install and start JBoss

Download the JBoss installation package jboss-as-7.1.1.final.tar.gz from the JBoss official website, unpack it, and configure the environment variables

tar xvf jboss-as-7.1.1.final.tar.gz -C /usr/java
vi /etc/profile

Append the following content

# jboss conf
export JBOSS_HOME=/usr/java/jboss-as-7.1.1.final

Make the configuration take effect immediately

source /etc/profile

Start JBoss; note the trailing & symbol, and run "exit" once it has started

sh /usr/java/jboss-as-7.1.1.final/bin/standalone.sh &
exit

This way JBoss runs in the background. The following commands look up the JBoss process and shut it down

ps -ef | grep jboss
kill -9 <process number>

3. Configuring the MySQL data source for JBoss

Create the directory, then create module.xml in it

mkdir -p /usr/java/jboss-as-7.1.1.final/modules/com/mysql/main
cd /usr/java/jboss-as-7.1.1.final/modules/com/mysql/main
vi module.xml

The content of module.xml is as follows

<?xml version="1.0" encoding="UTF-8"?>
<module xmlns="urn:jboss:module:1.0" name="com.mysql">
    <resources>
        <resource-root path="mysql-connector-java-5.1.27.jar"/>
    </resources>
    <dependencies>
        <module name="javax.api"/>
        <module name="javax.transaction.api"/>
    </dependencies>
</module>

Download the MySQL driver package mysql-connector-java-5.1.27.jar, put it in the /usr/file directory, and then copy it into the current directory

cp /usr/file/mysql-connector-java-5.1.27.jar ./

Open a new shell window, run

sh /usr/java/jboss-as-7.1.1.final/bin/jboss-cli.sh -c

If the prompt shows a "disconnected" state, enter "connect" first, press Enter a few times, and then run the following commands

/subsystem=datasources/jdbc-driver=com.mysql.jdbc.Driver:add(driver-name=com.mysql.jdbc.Driver,driver-class-name=com.mysql.jdbc.Driver,driver-module-name=com.mysql,driver-xa-datasource-class-name=com.mysql.jdbc.jdbc2.optional.MysqlXADataSource)
:reload

4. Install and configure EJBCA

Download the EJBCA installation package ejbca_ce_6_3_1_1.zip from the EJBCA official website, put it in the /usr/file directory, unpack it, and prepare to modify the configuration

unzip /usr/file/ejbca_ce_6_3_1_1.zip -d /usr/java
cd /usr/java
mv ejbca_ce_6_3_1_1 ejbca-ce-6.3.1.1
cd /usr/java/ejbca-ce-6.3.1.1/conf/

(1) Modify ejbca.properties

mv ejbca.properties.sample ejbca.properties
vi ejbca.properties

Modify the following content

appserver.home=/usr/java/jboss-as-7.1.1.final
appserver.type=jboss

(2) Modify database.properties

mv database.properties.sample database.properties
vi database.properties

Modify the following content

# datasource
datasource.jndi-name=jboss/datasources/mysqlds
# MySQL info
database.name=mysql
database.url=jdbc:mysql://127.0.0.1:3306/ejbca?characterEncoding=UTF-8
database.driver=com.mysql.jdbc.Driver
database.username=root
database.password=root

(3) Modify install.properties

mv install.properties.sample install.properties
vi install.properties

Modify the following content

# set the CA name
ca.name=test
# set the CA information
ca.dn=CN=test,O=test,C=CN

(4) Rename cesecore.properties and jaxws.properties; their content does not need to be modified

mv cesecore.properties.sample cesecore.properties
mv jaxws.properties.sample jaxws.properties

(5) Modify web.properties

mv web.properties.sample web.properties
vi web.properties

Modify the following content

# the password should be at least 6 characters
superadmin.password=123456
superadmin.cn=superadmin
httpsserver.hostname=ca.test.com
httpsserver.dn=CN=${httpsserver.hostname},O=test,C=cn

5. Deploy EJBCA to JBoss

First, create an "ejbca" database with encoding "utf-8" in the configured MySQL, then build EJBCA with ant and install it into JBoss

cd /usr/java/ejbca-ce-6.3.1.1
ant clean deploy
ant install
ant deploy-keystore

ant deploy builds and deploys EJBCA, ant install generates the CA and its certificates, and ant deploy-keystore deploys the server keystore to JBoss. The first two steps take a long time; if you are prompted for input during the process, just press Enter.

6. Configure JBoss to turn on HTTPS

Open a new shell window, run

sh /usr/java/jboss-as-7.1.1.final/bin/jboss-cli.sh -c

If the prompt shows a "disconnected" state, run "connect", press Enter a few times, and then run the following four parts of the configuration

Part I (allow access from any host)

/interface=http:add(inet-address="0.0.0.0")
/interface=httpspub:add(inet-address="0.0.0.0")
/interface=httpspriv:add(inet-address="0.0.0.0")
/socket-binding-group=standard-sockets/socket-binding=http:add(port="8080", interface="http")
/subsystem=undertow/server=default-server/http-listener=http:add(socket-binding=http)
/subsystem=undertow/server=default-server/http-listener=http:write-attribute(name=redirect-socket, value="httpspriv")
:reload

Part II (configure the certificate; keystore.jks and truststore.jks are the files written by ant deploy-keystore, and the passwords and alias given here must match what is in those files)

/core-service=management/security-realm=SSLRealm:add()
/core-service=management/security-realm=SSLRealm/server-identity=ssl:add(keystore-path="${jboss.server.config.dir}/keystore/keystore.jks", keystore-password="serverpwd", alias="PROD-ICA1")
/core-service=management/security-realm=SSLRealm/authentication=truststore:add(keystore-path="${jboss.server.config.dir}/keystore/truststore.jks", keystore-password="changeit")
/socket-binding-group=standard-sockets/socket-binding=httpspriv:add(port="8443", interface="httpspriv")
/socket-binding-group=standard-sockets/socket-binding=httpspub:add(port="8442", interface="httpspub")
:reload

Part III (configure SSL; port 8443 requires a client certificate, port 8442 does not)

/subsystem=undertow/server=default-server/https-listener=httpspriv:add(socket-binding=httpspriv, security-realm="SSLRealm", verify-client=REQUIRED)
/subsystem=undertow/server=default-server/https-listener=httpspub:add(socket-binding=httpspub, security-realm="SSLRealm")
:reload

Part IV (configure the Web service)

/system-property=org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH:add(value=true)
/system-property=org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH:add(value=true)
/system-property=org.apache.catalina.connector.URI_ENCODING:add(value="UTF-8")
/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:add(value=true)
/subsystem=webservices:write-attribute(name=wsdl-host, value=jbossws.undefined.host)
/subsystem=webservices:write-attribute(name=modify-wsdl-address, value=true)
:reload

Managing digital certificates with EJBCA

Now that EJBCA is installed, we can use it to manage digital certificates. Assuming the address of the server on which EJBCA is installed is 172.17.210.124, configure a hosts entry on the Windows system: edit the hosts file in the directory "C:\Windows\System32\drivers\etc" and add a line

172.17.210.124 ca.test.com

Then copy the superadmin.p12 file from the directory "/usr/java/ejbca-ce-6.3.1.1/p12/" on the EJBCA server to the Windows system and double-click the file to start the import. The default password is "ejbca"; if it was modified during configuration, use the modified password, such as "123456"

The EJBCA system provides two interfaces

Administrator interface (requires a client certificate; use the superadmin certificate you just imported)

https://ca.test.com:8443/ejbca/adminweb/

User interface

http://ca.test.com:8080/ejbca/

Once you have the Super Admin certificate, let's start managing the digital certificate!

1. User Registration

The digital certificate is the carrier of identity authentication, and the object being authenticated is "the user". The certificate contains the user's basic information, just as an ID card contains your name and other basic details. Registration is the process of submitting the user's basic information to EJBCA.

In the EJBCA admin interface, open the "RA Functions" - "Add End Entity" menu and fill in the fields marked "Required" below.

End entity profile: select "EMPTY"

Enter the user name and password

Common Name: for a server certificate, fill in the domain name here

Fill in the certificate information: certificate profile select "ENDUSER", CA select "Dev", token select "P12 file"

Finally, click the "Add" button to register

2. Download the certificate

After registering the user, you will naturally be eager to get a certificate. In the EJBCA user interface, open the "Enroll" - "Create Browser Certificate" menu

Enter the user name and password and click the "OK" button to go to the following page

"Key Length": select "2048 bits"; "Certificate profile": select "ENDUSER"; click the "Enroll" button to download the certificate

3. Revocation of certificates

If the administrator finds that a user's certificate has been stolen, the remedy is simple: revoke it

In the EJBCA administrator interface, open the "RA Functions" - "Search End Entities" menu. In the "Search end entities with status" drop-down box select "All" and click the "Search" button on the right to view the user information (other columns omitted)

Tick the user whose certificate needs to be revoked and click the "Revoke Selected" button below the table to revoke the user

4. Update the certificate

When the certificate the user last requested expires, it has to be replaced with a new one

In the EJBCA administrator interface, open the "RA Functions" - "Search End Entities" menu. In the "Search end entities with status" drop-down box select "All" and click the "Search" button on the right to view the user information (other columns omitted)

Click the "Edit End Entity" hyperlink in the rightmost column of the user whose certificate needs updating to edit the user

Set "Status" to "New" and click the "Save" button on the right. Then enter the new password, leave the other items unchanged, and click the "Save" button at the bottom of the page to save the settings

5. Root Certificate

EJBCA, being a CA, has its own root certificate

In the EJBCA user interface, open the "Retrieve" - "Fetch CA Certificates" menu to download the root certificate in different formats

6. Request the Tomcat server certificate

The method above manages ordinary user browser certificates, whose format is P12. A Tomcat server uses certificates in JKS format, so how do you apply for one?

When registering the user, select "SERVER" as the certificate profile, "Dev" as the CA and "JKS file" as the token; leave the other items unchanged

When downloading the certificate, open the "Enroll" - "Create Keystore" menu in the EJBCA user interface, enter the user name and password, and go to the following page

"Key Length": select "2048 bits"; "Certificate profile": select "SERVER"; click the "Enroll" button to download the certificate

Other server certificate formats are similar; I believe you can work them out!

Build your own CA system using a Web service

Although EJBCA is installed and can manage digital certificates, all of our operations so far were performed in the interface EJBCA provides. Apart from it being entirely in English, much of the configuration in it is confusing, and many configuration items are either fixed or not needed. The most reasonable approach is therefore to build a middle tier on top of EJBCA: users access the certificate management service provided by the middle tier, and the middle tier implements that service with EJBCA, which conveniently provides a complete Web service interface.

The middle tier only needs to provide digital certificate registration, download, revocation and renewal; more functions can of course be implemented depending on the specific requirements. The basic implementation process of the middle tier is introduced below.

1. The superadmin.jks certificate

The Web service interface provided by EJBCA requires certificate authentication. The official source example uses the superadmin super administrator certificate, but in JKS format, so we need to obtain a superadmin.jks certificate. This can be done by converting with a tool, but EJBCA can also generate it directly.

Perform an update operation on the superadmin user and, before saving, change the value of the token field to "JKS file"

Download the JKS format certificate of superadmin by following the same steps used to download an ordinary user certificate

2. Initializing the Web service connection

With the superadmin.jks certificate we can connect to the Web service, but the jar packages required by the Web service must first be added to the project: all the jars in the following two directories

/usr/java/ejbca-ce-6.3.1.1/dist/ejbca-ws-cli/lib
/usr/java/ejbca-ce-6.3.1.1/dist/ejbca-ws-cli

Then initialize the Web service connection in your code

import java.io.File;
import java.net.URL;
import javax.xml.namespace.QName;
import org.cesecore.util.CryptoProviderTools;
import org.ejbca.core.protocol.ws.client.gen.EjbcaWS;
import org.ejbca.core.protocol.ws.client.gen.EjbcaWSService;

// path of the superadmin.jks copied from the EJBCA server
private String certPath = "D:/superadmin.jks";
// the port instance that all later certificate operations use
private EjbcaWS ejbcaws;

public void init() {
    if (!new File(certPath).exists()) return;
    CryptoProviderTools.installBCProvider();
    // the same JKS serves as trust store (CA chain) and key store (client certificate)
    System.setProperty("javax.net.ssl.trustStore", certPath);
    System.setProperty("javax.net.ssl.trustStorePassword", "123456");
    System.setProperty("javax.net.ssl.keyStore", certPath);
    System.setProperty("javax.net.ssl.keyStorePassword", "123456");
    QName qname = new QName("http://ws.protocol.core.ejbca.org/", "EjbcaWSService");
    try {
        EjbcaWSService service = new EjbcaWSService(
                new URL("https://ca.test.com:8443/ejbca/ejbcaws/ejbcaws?wsdl"), qname);
        ejbcaws = service.getEjbcaWSPort();
    } catch (Exception e) {
        throw new RuntimeException("Failed to connect to the EJBCA Web service: " + e.getMessage(), e);
    }
}

Note: the connection address must be the domain name that was specified for the EJBCA server when EJBCA was installed, so the machine that connects to EJBCA and provides the Web service interface must also configure its hosts file

172.17.210.124 ca.test.com

The purpose of initialization is to obtain an instance of the EjbcaWS object; the digital certificate registration, download and other services that follow are all based on it

3. Implement the digital certificate management service

Check whether the user is already registered

import java.util.List;
import org.ejbca.core.protocol.ws.client.gen.UserDataVOWS;
import org.ejbca.core.protocol.ws.client.gen.UserMatch;

private boolean isExist(String username) throws Exception {
    // match end entities whose username is exactly the given one
    UserMatch userMatch = new UserMatch();
    userMatch.setMatchwith(UserMatch.MATCH_WITH_USERNAME);
    userMatch.setMatchtype(UserMatch.MATCH_TYPE_EQUALS);
    userMatch.setMatchvalue(username);
    try {
        List<UserDataVOWS> users = ejbcaws.findUser(userMatch);
        return users != null && users.size() > 0;
    } catch (Exception e) {
        throw new Exception("Error checking whether user " + username + " exists: " + e.getMessage());
    }
}

Both registration and renewal of a user use the editUser() method, so you must first determine whether the user already exists

import java.util.Date;
import org.apache.commons.lang.time.DateFormatUtils;
import org.apache.commons.lang.time.DateUtils;
import org.ejbca.core.protocol.ws.client.gen.UserDataVOWS;

// number of days the certificate is valid; the original post does not give the value, 365 is an assumption
private static final int VALIDITY_DAYS = 365;

public void editUser() throws Exception {
    UserDataVOWS userData = new UserDataVOWS();
    userData.setUsername("testname");       // user name
    userData.setPassword("123456");         // password
    userData.setClearPwd(false);            // default
    // unique distinguished name
    userData.setSubjectDN("CN=" + "testname" + ",OU=" + "testou" + ",O=" + "testo" + ",C=CN"
            + ",telephoneNumber=" + "1234567890");
    String pattern = "yyyy-MM-dd HH:mm:ssZZ"; // ISO 8601 time format expected by EJBCA
    userData.setStartTime(DateFormatUtils.format(new Date(), pattern)); // start of validity
    userData.setEndTime(DateFormatUtils.format(DateUtils.addDays(new Date(), VALIDITY_DAYS), pattern)); // end of validity
    userData.setCaName("test");             // CA name, as configured in EJBCA
    userData.setSubjectAltName(null);
    userData.setEmail("user@example.com");  // e-mail address (placeholder; the original address is not preserved)
    userData.setStatus(UserDataVOWS.STATUS_NEW);          // status is New
    userData.setTokenType(UserDataVOWS.TOKEN_TYPE_P12);    // P12 format certificate
    userData.setEndEntityProfileName("user");              // end entity profile
    userData.setCertificateProfileName("user");            // certificate profile
    try {
        ejbcaws.editUser(userData);
    } catch (Exception e) {
        throw new Exception(e.getMessage());
    }
}

There are several noteworthy points in this code: the end entity profile "user" and the certificate profile "user" must be configured in the EJBCA administrator interface, and the end entity profile "user" must enable the Subject DN attributes CN, OU, O, C, telephoneNumber and so on, and must also allow the start time and end time to be modified
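In the middle tier the subjectDN passed to editUser() is assembled from values the registering user supplies, and plain concatenation lets a value containing "," or "=" add RDNs the operator never intended. The following added example (not code from the original post) escapes each value with the JDK's javax.naming.ldap.Rdn.escapeValue before joining, and checks the resulting DN still has exactly the intended number of RDNs; the hostile CN in main() is constructed for illustration.

```java
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;

// Added example: safe construction of the subjectDN used by editUser().
public class SubjectDnBuilder {

    // Assembles CN, OU, O, C and telephoneNumber in the same order the post uses,
    // escaping each value per RFC 2253/4514 so it stays inside one attribute.
    public static String buildSubjectDn(String cn, String ou, String o,
                                        String c, String phone) {
        return "CN=" + Rdn.escapeValue(cn)
             + ",OU=" + Rdn.escapeValue(ou)
             + ",O=" + Rdn.escapeValue(o)
             + ",C=" + Rdn.escapeValue(c)
             + ",telephoneNumber=" + Rdn.escapeValue(phone);
    }

    // Parses the DN back and checks it has exactly the expected number of RDNs;
    // a DN that gained an RDN means a value reached it unescaped.
    public static boolean hasExpectedRdnCount(String dn, int expected) {
        try {
            return new LdapName(dn).size() == expected;
        } catch (InvalidNameException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        String safe = buildSubjectDn("testname", "testou", "testo", "CN", "1234567890");
        System.out.println(safe + " -> " + hasExpectedRdnCount(safe, 5)); // true

        // Constructed input: a CN that tries to smuggle an extra OU into the DN.
        String hostile = "testname,OU=admins";
        String naive = "CN=" + hostile + ",OU=testou,O=testo,C=CN,telephoneNumber=1234567890";
        String escaped = buildSubjectDn(hostile, "testou", "testo", "CN", "1234567890");
        System.out.println(naive + " -> " + hasExpectedRdnCount(naive, 5));     // false: six RDNs
        System.out.println(escaped + " -> " + hasExpectedRdnCount(escaped, 5)); // true: "\," stays in CN
    }
}
```

Run buildSubjectDn() on the registration fields and reject the request when hasExpectedRdnCount() returns false before calling ejbcaws.editUser().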

Revoking a certificate

import org.cesecore.certificates.crl.RevokedCertInfo;

public void revoke(String username) throws Exception {
    try {
        // revoke all of the user's certificates with reason "unspecified"; false keeps the end entity
        ejbcaws.revokeUser(username, RevokedCertInfo.REVOCATION_REASON_UNSPECIFIED, false);
    } catch (Exception e) {
        throw new Exception("Revoking user " + username + " failed: " + e.getMessage());
    }
}

Create a certificate

import java.io.BufferedWriter;
import java.io.File;
import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import org.cesecore.certificates.util.AlgorithmConstants;
import org.ejbca.core.protocol.ws.client.gen.KeyStore;
import org.ejbca.core.protocol.ws.common.KeyStoreHelper;

private void createCert(String username, String password, String path) throws Exception {
    FileOutputStream fileOutputStream = null;
    try {
        // request a PKCS#12 keystore with a 2048-bit RSA key from EJBCA
        KeyStore ksenv = ejbcaws.pkcs12Req(username, password, null, "2048", AlgorithmConstants.KEYALGORITHM_RSA);
        java.security.KeyStore ks = KeyStoreHelper.getKeyStore(ksenv.getKeystoreData(), "PKCS12", password);
        // write the certificate file
        fileOutputStream = new FileOutputStream(path + File.separator + username + ".p12");
        ks.store(fileOutputStream, password.toCharArray());
        // write the password file (note: the password is stored in clear text next to the P12)
        File pwdFile = new File(path + File.separator + username + ".pwd");
        pwdFile.createNewFile();
        BufferedWriter out = new BufferedWriter(new FileWriter(pwdFile));
        out.write(password);
        out.flush();
        out.close();
    } catch (Exception e) {
        throw new Exception("Certificate creation for user " + username + " failed: " + e.getMessage());
    } finally {
        if (fileOutputStream != null) {
            try {
                fileOutputStream.close();
            } catch (IOException e) {
            }
        }
    }
}

The certificate is created on the server; when the user calls the interface service to download it, a download address should be returned. Here nginx is used as the file download server; refer to the nginx part of the article at http://www.cnblogs.com/ywlaker/p/6129872.html

At this point the CA system built on EJBCA is complete. Of course, the above is only the core code; how to run and deploy it is not covered here. Below is a brief introduction to the basic principles of HTTPS and the use of digital certificates

HTTPS fundamentals and the use of digital certificates
