Post: Explore EJBCA Technology

1. Official Document Translation

1. Introduction

EJBCA is a full-featured CA system software based on J2EE technology and provides a powerful, high-performance and component-based ca. EJBCA is flexible and platform independent. It can be used independently and can be integrated with any J2EE application.

2. Features
Lgpl open source license
Built on the J2EE 1.3 (ejb2.0) Specification
Flexible, Component-Based Architecture
Multi-level Ca
Establish one or more complete infrastructure in one EJBCA instance with multiple CAS and multi-level cas
Run it independently or integrate it in any J2EE Application
Simple installation and configuration
Powerful Web-based management interface with high-intensity Identification Algorithms
Supports command line-Based Management and scripts.
Support individual certificate application or certificate Batch Production
The server and client certificates can be exported in PKCS12, jks, or PEM format.
Supports direct certificate application using Netscape, Mozilla, ie, and other browsers
Supports using open APIs and tools to apply for certificates from other applications
New users added by RA can send email reminders.
Passwords can be generated randomly or manually for new user authentication.
Supports hardware modules to integrate hardware issuing systems (such as smart cards)
SCEP supported
Multi-polarization management with specific user permissions and user groups
You can configure certificates of different types and contents.
You can configure objects for different types of users.
Complies with X509 and pkix (rfc3280) Standards
Supports CRL
Fully supports OCSP, including AIA Extension
CRL generation and URL-based CRL distribution points follow rfc3280 and can store certificates and CRL in any SQL database (processed by the Application Server ).
Multiple publishers are available to publish certificates and CRL in LDAP.
Supports the key recovery module used to restore private keys for specified users and certificates
Component-based architecture for publishing certificates and CRL to different destinations
Component-based architecture, used to adopt multiple entity authorization methods when publishing certificates
It is easy to integrate into large applications and optimized for integration into business processes

3. Development Platform
EJBCA is fully written in Java and can run on any platform using J2EE servers. Development and testing are performed on Linux and Windows2000.

Ii. EJBCA technical experience
1. related software and Development Kits
L j2dk 1.4.2 j2ee1.3 download the development kit from the sun website

L JBoss 3.2.5 JBoss website

L EJBCA 3.0.2 at ejbca.sourceforge.org

L mysql4.0.1 MySQL website

L ant Apache website

L sqlyog MySQL graphical Management Terminal

L OpenSSL optional

2. Development and testing environment
OS: Windows2000 adv Server SP4

DB: MySQL

In addition, to address the export restrictions in the United States, you need to download the strong encryption package.

MySQL JDBC driver for connecting to the database mm. mysql-2.0.4-bin.jar or mysql-connector-java-3.0.14-production.jar.

3. Configure EJBCA
1. Configure the Basic Java environment

2. Install ant. Pay attention to setting the system path

3. Install MySQL and create a database, such as EJBCA

4. Install JBoss, set the system path, write the data source configuration file, set jndiname, and set the JBoss environment variable jboss_home.

5. configure a strong encryption package. (Sun website) unlimited strength jurisdiction policy files 'for JDK

6. Decompress ejbca to the ejbca directory and execute ant to build.

7. Copy the compiled ear file to the JBoss deployment directory. $ jboss_home/Server/default/deploy directory.

8. Start JBoss to automatically deploy EJBCA.

4. EJBCA document configuration Translation

1. build and deploy everything with 'Ant deploy '.

Build and deploy all parts using ant deploy

2. Start JBoss, ejbca-ca.ear shocould be deployed.

When JBoss is started, EJBCA is deployed.

3. Execute 'Install. sh/cmd' in the ejbca directory. The installation script

Will use the default javacacerts password. If you have changed it (from changeit)

It you shoshould use 'Install. sh/cmd'

Run install. sh/CMD in EJBCA. The installation script uses the default javacacert password. If you modify it accordingly, run the command with parameters install. sh/CMD.

3. Restart JBoss.

Restart JBoss

5. Import p12/superadmin. p12 in your browser and go to https: // localhost: 8443/EJBCA

To access the admin GUI of EJBCA.

Import the p12/superadmin. p12 certificate, https: // localhost: 8443/EJBCA to access the GUI version manager of EJBCA.

3. Configure two-way SSL (IIS)
1. CA root Cert config
1. Go to the EJBCA Root Certificate acquisition page

2. Obtain CA root Cert

3. You can install it directly or save it.

4. Complete

2. Server config
1. to configure bidirectional SSL, you must issue a certificate to the server and each client that can access the server.

2. Obtain the req file (base64 encoding) through the IIS certificate wizard ).

3. Create a server user in EJBCA.

4. Specify the key pair creation method.

5. Enter user_name and user_password on the Certificate acquisition page.

6. paste the req File

7. Click Save.

8. Go to IIS and find the Certificate file through the certificate wizard.

9. Install the certificate.

10. Complete.

3. Client config
1. Create a user in EJBCA

2. Specify the key pair generation method

3. Enter user_name and user_password on the Certificate acquisition page.

4. Click "save". (We recommend that you do not directly install the SDK by using the "save" method)

5. Install the certificate

Another problem is that the current DN cannot be capitalized, especially the C cannot be capitalized! There is also a problem with the base functions in adminweb.