
Installing EJBCA on a virtual machine


Firewalld
Install
sudo yum install firewalld
sudo systemctl enable firewalld
sudo reboot
sudo firewall-cmd --state

Open port
sudo firewall-cmd --zone=public --add-port=8443/tcp --permanent
sudo firewall-cmd --reload
sudo iptables-save | grep 8443
(--permanent only writes the rule to disk; the --reload is what opens the port in the running firewall. The iptables-save check works only while firewalld uses the iptables backend, as on CentOS 7. On CentOS 8 firewalld uses nftables, the grep prints nothing even though the port is open, and the check to use is sudo firewall-cmd --zone=public --list-ports.)

EJBCA web
Connect to EJBCA
Copy the administrator P12 file (superadmin.p12, under /opt/ejbca/p12 on the CentOS virtual machine) to Windows and import it into the browser's certificate store with its password (123456 here). After that https://ipaddress:8443/ejbca opens in the browser. The P12 contains the administrator's private key, so it is a credential: whoever has the file and its password is an EJBCA administrator.
If the page does not load, open port 8443 in the firewall as described above.

Create CA for Server
In AdminWeb, choose Certificate Profiles, clone ROOTCA and edit the clone:
Name: ServerCACertificateProfile, key size 2048 bits (or another size); leave the rest at defaults.
Choose Crypto Tokens, Create new... for the new ServerCA:

Name: ServerCA CryptoToken

Generate a new key pair for each alias, encryptKey and signKey, with size 2048, then test them.
Add CA (in Certificate Authorities) ServerCA, then Edit CA:
Select ServerCA CryptoToken, set Subject DN: CN=ServerCA,OU=CMC,O=CMC company,L=ha noi,ST=cau giay,C=VN
Certificate Profile: ServerCACertificateProfile

Validity: 10y; leave the rest at defaults.

Create CA for Client
Create Certificate Request for Client
On the client web, in AdminWeb, choose Certificate Profiles, clone SUBCA and edit the clone:
Name: ClientCACertificateProfiles, key size 2048 bits (or another size); leave the rest at defaults.
Choose Crypto Tokens, Create new for the new ClientCA:

Name: ClientCA CryptoToken
Generate a new key pair for each alias, encryptKey and signKey, with size 2048, then test them.
Add CA: ClientCA, then Edit CA (in Certification Authorities):
Select ClientCA CryptoToken, set Subject DN: CN=ClientCA,OU=CMC,O=CMC company,L=ha noi,ST=cau giay,C=VN
In Signed By, choose External CA.
Go to the server's public web, Fetch CA Certificates, and download the ServerCA PEM chain.
Back on the client, upload that file in the ServerCA PEM chain field (this tells ClientCA which issuer to expect in the response). Then download the generated .pem file: this is the CSR, the certificate request file (1).
After that the ClientCA shows the status Waiting for Certificate Response.

Create Response file from ServerCA

On the server web, in AdminWeb, choose End Entity Profiles, Add Profile: ClientCAEndEntityProfile, then Edit it. To allow a subject such as CN=ngmduc2012, OU=CMC, O=CMC company, L=ha noi, ST=cau giay, C=VN, in Subject DN Attributes choose CN, OU, O, L, ST, C and add them.
In Main certificate data choose: ENDUSER, ServerCA, User Generated. Caveat: ENDUSER issues certificates with basicConstraints CA:false, which is right for ordinary users such as ngmduc2 below but not for the ClientCA request; for that request also make a SUBCA-based certificate profile available in this end entity profile and select it when signing, otherwise the certificate returned to ClientCA cannot serve as an issuing CA certificate.
Leave the rest at defaults, then save.
Choose Add End Entity, select ClientCAEndEntityProfile.
Fill in Username, Password, CN: ClientCA, OU: CMC, ..., C: VN; leave the rest at defaults or empty.
Then save.

On the server's public web, choose Create Certificate from CSR. Fill in the Username and the enrollment code (the password) created above, and upload the request file (1).
After that we get the response file (2).

Insert the Response file
On the client web, choose Admin Web, Certification Authorities, then Edit ClientCA.
In Step 2 – Import Certificate: choose file (2), click Receive Certificate Response, then save.
After that the ClientCA shows the status Active.
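The request/response flow above, replayed with openssl. This is an added example, not part of the original notes, and it does not use EJBCA: openssl plays both ServerCA and ClientCA so that the point can be checked offline. The CA names and the CMC subject come from the notes; the working directory, the file names and the ngmduc2 leaf certificate are assumptions. It shows what the certificate profile chosen on the server side does to the response: the same ClientCA request is signed once with basicConstraints CA:TRUE (what a SUBCA-type profile produces) and once with CA:FALSE (what ENDUSER produces), and a certificate later issued by ClientCA validates only in the first case.

```shell
#!/bin/sh
# Added example (not from the original notes): the ServerCA -> ClientCA
# request/response flow, replayed with openssl. Work directory and file names
# are assumptions; CA names and the CMC subject come from the notes.

# Run one openssl step quietly; print "error" on failure so that a broken step
# can be told apart from a failed path validation.
run_step() { "$@" >/dev/null 2>&1 || { echo error; return 2; }; }

# $1 = work directory, $2 = TRUE (sub-CA profile, like SUBCA) or FALSE (like ENDUSER).
# Creates ServerCA, signs ClientCA's CSR with basicConstraints CA:$2, lets ClientCA
# issue a leaf certificate and validates it. Prints valid / invalid / error.
demo_subca_chain() {
  dir=$1; ca_flag=$2
  mkdir -p "$dir" || return 2
  base="/OU=CMC/O=CMC company/L=ha noi/ST=cau giay/C=VN"

  # Minimal req config: openssl req needs a distinguished_name section even
  # when -subj supplies the whole subject.
  cat > "$dir/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden by -subj
[v3_root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

  # 1. ServerCA: the self-signed root that "Add CA ... ServerCA" creates.
  run_step openssl req -x509 -config "$dir/req.cnf" -extensions v3_root \
    -newkey rsa:2048 -nodes -sha256 -days 3650 -subj "/CN=ServerCA$base" \
    -keyout "$dir/ServerCA.key" -out "$dir/ServerCA.pem" || return 2

  # 2. ClientCA: key pair and CSR, the request file (1) of the notes.
  run_step openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=ClientCA$base" -keyout "$dir/ClientCA.key" -out "$dir/ClientCA.csr" || return 2

  # 3. ServerCA signs the CSR, producing the response (2). The extensions come
  #    from the signer's profile, not from the CSR: SUBCA-type gives CA:TRUE
  #    with keyCertSign, ENDUSER-type gives CA:FALSE with end-entity key usage.
  if [ "$ca_flag" = TRUE ]; then ku="keyCertSign,cRLSign"; else ku="digitalSignature,keyEncipherment"; fi
  printf 'basicConstraints=critical,CA:%s\nkeyUsage=critical,%s\nsubjectKeyIdentifier=hash\nauthorityKeyIdentifier=keyid\n' \
    "$ca_flag" "$ku" > "$dir/response.ext"
  run_step openssl x509 -req -sha256 -days 1825 -in "$dir/ClientCA.csr" \
    -CA "$dir/ServerCA.pem" -CAkey "$dir/ServerCA.key" -CAcreateserial \
    -extfile "$dir/response.ext" -out "$dir/ClientCA.pem" || return 2

  # 4. ClientCA (now "Active") issues an end-entity certificate.
  run_step openssl req -new -config "$dir/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=ngmduc2$base" -keyout "$dir/leaf.key" -out "$dir/leaf.csr" || return 2
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\n' > "$dir/leaf.ext"
  run_step openssl x509 -req -sha256 -days 365 -in "$dir/leaf.csr" \
    -CA "$dir/ClientCA.pem" -CAkey "$dir/ClientCA.key" -CAcreateserial \
    -extfile "$dir/leaf.ext" -out "$dir/leaf.pem" || return 2

  # 5. Path validation as a relying party does it: ServerCA trusted, ClientCA
  #    supplied as an untrusted intermediate. With CA:FALSE on ClientCA this
  #    fails ("invalid CA certificate") although every signature is correct.
  if openssl verify -CAfile "$dir/ServerCA.pem" -untrusted "$dir/ClientCA.pem" \
       "$dir/leaf.pem" >/dev/null 2>&1; then
    echo valid
  else
    echo invalid; return 1
  fi
}

# Usage:
#   demo_subca_chain /tmp/ejbca-demo/subca TRUE      -> valid
#   demo_subca_chain /tmp/ejbca-demo/enduser FALSE   -> invalid
```

The same check can be made against the real response file (2) before it is uploaded: openssl x509 -in file -noout -text shows the Basic Constraints line, which must read CA:TRUE for a certificate that ClientCA is going to sign with.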

Keytool – ejbca.sh
Create CA for Server
Generate keypair
On the server virtual machine (PKCS12 is used instead of the default JKS store type):
keytool -genkeypair -alias signKey -keyalg RSA -keysize 2048 \
  -dname "CN=ngmduc1, OU=CMC, O=CMC company, L=ha noi, ST=cau giay, C=VN" \
  -keypass 123456 -validity 100 -storetype PKCS12 -keystore serverCA.p12 -storepass 123456
(Without an -ext option keytool produces a plain self-signed certificate with no basicConstraints CA:true; that is enough for its use below as a trusted certificate. For a PKCS12 store the key password has to equal the store password. Passwords given on the command line also end up in the shell history; keytool prompts for them when the options are left out.)

Export Certificate
keytool -exportcert -alias signKey -keypass 123456 -storetype PKCS12 -keystore serverCA.p12 \
  -file serverCACert.cer -rfc -storepass 123456

Create CA for Client
Create Certificate Request for Client
On the client virtual machine, copy serverCACert.cer from the server.
Import the server certificate as a trusted entry (the -rfc option of the original belongs to -exportcert and -list, not to -importcert, and is dropped here; keytool asks for confirmation before trusting the certificate):
keytool -importcert -alias signKey -keypass 123456 -storetype PKCS12 -keystore clientCA.p12 \
  -file serverCACert.cer -storepass 123456
Note that this puts the trusted certificate into clientCA.p12 only; the ngmduc*.p12 stores created next do not contain it.
Generate keypairs (each store holds one key pair under the alias given here, and the same alias has to be used for -certreq and for importing the reply; the original mixes signKey and nmduc3/nmduc4/nmduc5):

keytool -genkeypair -alias signKey -keyalg RSA -keysize 2048 \
  -dname "CN=ngmduc2, OU=CMC, O=CMC company, L=ha noi, ST=cau giay, C=VN" \
  -keypass 123456 -validity 100 -storetype PKCS12 -keystore ngmduc2.p12 -storepass 123456
keytool -genkeypair -alias nmduc3 -keyalg RSA -keysize 2048 \
  -dname "CN=ngmduc3, OU=CMC, O=CMC company, L=ha noi, ST=cau giay, C=VN" \
  -keypass 123456 -validity 100 -storetype PKCS12 -keystore ngmduc3.p12 -storepass 123456
keytool -genkeypair -alias nmduc4 -keyalg RSA -keysize 2048 \
  -dname "CN=ngmduc4, OU=CMC, O=CMC company, L=ha noi, ST=cau giay, C=VN" \
  -keypass 123456 -validity 100 -storetype PKCS12 -keystore ngmduc4.p12 -storepass 123456
keytool -genkeypair -alias nmduc5 -keyalg RSA -keysize 2048 \
  -dname "CN=ngmduc5, OU=CMC, O=CMC company, L=ha noi, ST=cau giay, C=VN" \
  -keypass 123456 -validity 100 -storetype PKCS12 -keystore ngmduc5.p12 -storepass 123456

Generate a Certificate Request:
keytool -certreq -alias signKey -keypass 123456 -storetype PKCS12 -keystore ngmduc2.p12 \
  -storepass 123456 -file ngmduc2.csr
keytool -certreq -alias nmduc3 -keypass 123456 -storetype PKCS12 -keystore ngmduc3.p12 \
  -storepass 123456 -file ngmduc3.csr
keytool -certreq -alias nmduc4 -keypass 123456 -storetype PKCS12 -keystore ngmduc4.p12 \
  -storepass 123456 -file ngmduc4.csr
keytool -certreq -alias nmduc5 -keypass 123456 -storetype PKCS12 -keystore ngmduc5.p12 \
  -storepass 123456 -file ngmduc5.csr

Create Response file from ServerCA
Case 1: in the server's web interface:
Choose RA Web, Request new certificate, Make New Request, ClientCAEndEntityProfile, key algorithm Provided by user, upload the CSR file, then download the PEM chain (ngmduc2.pem).
Case 2: on the server virtual machine, use ejbca.sh
/opt/ejbca/bin/ejbca.sh (the commands below are run from /opt/ejbca/bin, or with that directory on PATH)
Add End Entity
(--password is the enrollment code that createcert presents below; it was missing from the original commands.)

ejbca.sh ra addendentity --username ngmduc3 --password 123456 \
  --dn "CN=ngmduc3, OU=CMC, O=CMC company, L=ha noi, ST=cau giay, C=VN" \
  --token PEM --caname ServerCA --type 1
ejbca.sh ra addendentity --username ngmduc4 --password 123456 \
  --dn "CN=ngmduc4, OU=CMC, O=CMC company, L=ha noi, ST=cau giay, C=VN" \
  --token PEM --caname ServerCA --type 1
Create Certificate
ejbca.sh createcert --username ngmduc3 --password 123456 -c ngmduc3.csr -f ngmduc3.pem
ejbca.sh createcert --username ngmduc4 --password 123456 -c ngmduc4.csr -f ngmduc4.pem
Case 3: on the server virtual machine, use clientToolBox
Setting up clientToolBox
Edit the properties file that ejbcaClientToolBox.sh EjbcaWsRaCli reads (ejbcawsracli.properties in /opt/ejbca/dist/clientToolBox/) so that it contains:
# Property file for the web service client. Used to specify
# URL to web service and path to keystore.
# Web Service URL. Important the hostname MUST match the CN of the server certificate.
# The wsdl schema location is the URL below with '?wsdl' in the end.
# For example: https://localhost:8443/ejbca/ejbcaws/ejbcaws?wsdl
#
# default: https://localhost:8443/ejbca/ejbcaws/ejbcaws
# for standalone ejbcaws.war deployment use: https://localhost:8443/ejbcaws/ejbcaws
ejbcawsracli.url = :8443/ejbca/ejbcaws/ejbcaws
# (The scheme and host name of this value were lost from this copy: it has to be https://
# followed by the server's host name, caadmin.cmc.vn in the hosts entry below, and that
# name must match the CN of the server certificate.)
# Path to the keystore used to authenticate the client to the Web Service.
# The keystore can be:
# 1. a java keystore (.jks). If ejbcawsracli.truststore.path is not set the CA certificate of the tomcat server certificate must be in its truststore, and the server certificate is validated against this.
# 2. a PKCS12 keystore (.p12). If ejbcawsracli.truststore.path is not set an acceptAll truststore policy will then be used so the servers certificate is not verified against a truststore.
#default : keystore.jks
ejbcawsracli.keystore.path = ../../p12/superadmin.p12
# A shared library path to a PKCS#11 so a HSM or smartcard could be used. If ejbcawsracli.truststore.path is not set an acceptAll truststore policy will then be used so the servers certificate is not verified against a truststore.
#ejbcawsracli.p11.sharedlibrary = /usr/lib/libaetpkss.so

# The slot number/index/label to be used
#ejbcawsracli.p11.slot = 0
#ejbcawsracli.p11.slot = slotlabel
# The type of the above label
#ejbcawsracli.p11.slotlabeltype = SLOT_NUMBER
#ejbcawsracli.p11.slotlabeltype = SLOT_INDEX
#ejbcawsracli.p11.slotlabeltype = SLOT_LABEL
#Password to unlock the keystore.
# Comment out this to prompt for every time the client starts.
# (If this line is enabled, write the password without quotes: a properties file keeps the quote characters as part of the value.)
#ejbcawsracli.keystore.password ='123456'

# Path to the truststore used to authenticate the Web Services server certificate.
# If not set settings from the keystore is used, see ejbcawsracli.keystore.path
#default: not set
ejbcawsracli.truststore.path = ../../p12/truststore.jks

Keep ejbcawsracli.truststore.path set: with a PKCS12 client keystore and no truststore, the acceptAll policy described above means the server is never authenticated, and the superadmin credential is presented to whatever answers on port 8443. Leaving ejbcawsracli.keystore.password commented out, so that the tool prompts for it, keeps the superadmin password out of a plain-text file.

Change /etc/hosts (with sudo) so that the server's name resolves to its address:
#127.0.0.1   localhost localhost.localdomain localhost4 localhost4.localdomain4
#::1         localhost localhost.localdomain localhost6 localhost6.localdomain6
#127.0.0.1   localhost localhost.localdomain
192.168.1.10 caadmin.cmc.vn caadmin
#::1         localhost localhost.localdomain
(Only the 192.168.1.10 line is required; the loopback lines do not have to be commented out, and leaving them in place is safer, since local services rely on localhost resolving.)

(Example: sudo cp /home/cmc/hosts /etc)
Then restart:

sudo reboot
(A change to /etc/hosts takes effect immediately; the reboot is not needed for it.)
Run:
cd /opt/ejbca/dist/clientToolBox/
export PATH=/opt/ejbca/dist/clientToolBox:$PATH
echo $PATH


ejbcaClientToolBox.sh EjbcaWsRaCli getClientToolBoxVersion
Add End Entity
Create New End Entity
On the server admin web, choose Certificate Profiles, type EndEntityCertificateProfile, click Add, then Edit it.
Set 2048 bits and Available CAs: ServerCA; leave the rest at defaults.
Choose End Entity Profiles, type EndEntityProfile, Add, then Edit:
Subject DN Attributes: CN, OU, O, L, ST, C
Main certificate data: EndEntityCertificateProfile, ServerCA, User Generated.
ejbcaClientToolBox.sh EjbcaWsRaCli edituser ngmduc5 1 false \
  "CN=ngmduc5, OU=CMC, O=CMC company, L=ha noi,ST=cau giay,C=VN" NULL NULL ServerCA 1 USERGENERATED NEW \
  EndEntityProfile EndEntityCertificateProfile NULL
ejbcaClientToolBox.sh EjbcaWsRaCli edituser ngmduc7 1 false \
  "CN=ngmduc7, OU=CMC, O=CMC company, L=ha noi,ST=cau giay,C=VN" NULL NULL ServerCA 1 USERGENERATED NEW \
  EndEntityProfile EndEntityCertificateProfile NULL

Argument order (the second argument is the end entity's password, 1 in the commands above, followed by whether it is stored in clear text):
ejbcaClientToolBox.sh EjbcaWsRaCli edituser <username> <password> <clearpwd (true|false)> <subjectdn> <subjectaltname or NULL> <email or NULL> <caname> <type> <token> <status> <endentityprofilename> <certificateprofilename> <starttime or NULL (optional)> <endtime (optional)>
Create Certificate
ejbcaClientToolBox.sh EjbcaWsRaCli certreq ngmduc5 \
  "CN=ngmduc5, OU=CMC, O=CMC company, L=ha noi, ST=cau giay, C=VN" NULL ServerCA \
  EndEntityProfile EndEntityCertificateProfile /home/cmc/ngmduc5.csr PKCS10 PEM ~


Insert the Response file
Import each reply into the keystore that holds the matching key pair, under the alias used for -genkeypair and -certreq (the original used signKey for every store, but ngmduc3/4/5 were generated under nmduc3/4/5, so those three imports would have failed with an alias mismatch):
keytool -importcert -alias signKey -file ngmduc2.pem -storetype PKCS12 -keystore ngmduc2.p12 -storepass 123456 -trustcacerts
keytool -importcert -alias nmduc3 -file ngmduc3.pem -storetype PKCS12 -keystore ngmduc3.p12 -storepass 123456 -trustcacerts
keytool -importcert -alias nmduc4 -file ngmduc4.pem -storetype PKCS12 -keystore ngmduc4.p12 -storepass 123456 -trustcacerts
keytool -importcert -alias nmduc5 -file ngmduc5.pem -storetype PKCS12 -keystore ngmduc5.p12 -storepass 123456 -trustcacerts
keytool builds the reply's chain from the trusted entries in the keystore itself plus, with -trustcacerts, the JDK's cacerts file. EJBCA's ServerCA is in neither, so if the .pem holds only the end-entity certificate the import stops with "Failed to establish chain from reply", and if it holds the whole chain keytool asks whether to trust the top-level certificate. To avoid both, first import the ServerCA certificate (from Fetch CA Certificates on the public web) into each keystore as a trusted entry under a separate alias.
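The keytool steps above, run end to end in one directory as an added example (not from the original notes). keytool -gencert signs the request locally in place of EJBCA's createcert / RA web; that is a substitution made so that the result of the reply import can be checked without a server. The aliases, subject names and the 123456 lab password come from the notes; the working directory, the file names and the trusted-certificate alias serverca are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original notes: the keytool flow above run
# end to end. keytool -gencert stands in for EJBCA's createcert. Work
# directory, file names and the alias "serverca" are assumptions.

PW=123456    # lab password from the notes; in a real deployment let keytool prompt instead
DN_BASE="OU=CMC, O=CMC company, L=ha noi, ST=cau giay, C=VN"

# keytool wrapper: quiet, non-zero status on failure.
kt() { keytool "$@" >/dev/null 2>&1; }

# $1 = work directory. Prints the certificate chain length that keytool reports
# for the signKey entry of ngmduc2.p12 once the reply is installed ("2").
keytool_issue_and_import() {
  dir=$1; mkdir -p "$dir" || return 2

  # 1. ServerCA key pair. Unlike the plain -genkeypair in the notes, the
  #    self-signed certificate is marked as a CA (basicConstraints CA:true,
  #    keyCertSign) so that relying parties accept it as an issuer.
  kt -genkeypair -alias signKey -keyalg RSA -keysize 2048 -validity 3650 \
    -dname "CN=ServerCA, $DN_BASE" -ext bc:c=ca:true -ext ku:c=keyCertSign,cRLSign \
    -storetype PKCS12 -keystore "$dir/serverCA.p12" -storepass "$PW" -keypass "$PW" || return 2
  kt -exportcert -rfc -alias signKey -storetype PKCS12 -keystore "$dir/serverCA.p12" \
    -storepass "$PW" -file "$dir/serverCACert.cer" || return 2

  # 2. End entity key pair and certificate request (the ngmduc2 steps).
  kt -genkeypair -alias signKey -keyalg RSA -keysize 2048 -validity 100 \
    -dname "CN=ngmduc2, $DN_BASE" \
    -storetype PKCS12 -keystore "$dir/ngmduc2.p12" -storepass "$PW" -keypass "$PW" || return 2
  kt -certreq -alias signKey -storetype PKCS12 -keystore "$dir/ngmduc2.p12" \
    -storepass "$PW" -keypass "$PW" -file "$dir/ngmduc2.csr" || return 2

  # 3. Sign the request with ServerCA's key: end-entity extensions, 100 days.
  kt -gencert -rfc -alias signKey -storetype PKCS12 -keystore "$dir/serverCA.p12" \
    -storepass "$PW" -keypass "$PW" -validity 100 \
    -ext bc=ca:false -ext ku:c=digitalSignature,keyEncipherment \
    -infile "$dir/ngmduc2.csr" -outfile "$dir/ngmduc2.pem" || return 2

  # 4. Put the issuer into the keystore that holds the private key, as a
  #    trusted entry under its own alias. keytool builds the reply's chain from
  #    the trusted entries here (plus cacerts with -trustcacerts); without this
  #    step the import stops with "Failed to establish chain from reply".
  kt -importcert -noprompt -alias serverca -file "$dir/serverCACert.cer" \
    -storetype PKCS12 -keystore "$dir/ngmduc2.p12" -stor epass "$PW" || return 2

  # 5. Install the reply under the key pair's alias: the self-signed certificate
  #    is replaced by the issued one and the chain up to ServerCA is stored.
  kt -importcert -noprompt -trustcacerts -alias signKey -file "$dir/ngmduc2.pem" \
    -storetype PKCS12 -keystore "$dir/ngmduc2.p12" -storepass "$PW" -keypass "$PW" || return 2

  # 6. Check: the entry now carries two certificates (ngmduc2, then ServerCA).
  keytool -list -v -alias signKey -storetype PKCS12 -keystore "$dir/ngmduc2.p12" \
    -storepass "$PW" 2>/dev/null | sed -n 's/^Certificate chain length: *//p'
}

# Usage: keytool_issue_and_import /tmp/ejbca-keytool-demo    -> 2
```

With EJBCA doing the signing, step 3 is replaced by createcert or the RA web, step 4 uses the ServerCA certificate from Fetch CA Certificates, and step 6 is the check to run after every import: a chain length of 1 means the reply was not installed and the store still holds only the self-signed certificate.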

Remote everywhere
(When we want to connect to the server virtual machine from anywhere)


Linux/CentOS
Create a virtual machine set up the same way as the EJBCA server.
Set up clientToolBox the same way.
Change the hosts file so that the server name points at the IP address of the server virtual machine to connect to.
Now everything in EJBCA can be done as usual.

Windows
Setting the hosts file on Windows 10
Open c:\Windows\System32\Drivers\etc\hosts in Notepad run as Administrator
Example: add 192.168.43.28 caadmin.cmc.vn
(The administrator certificate from the server virtual machine may also be needed in the browser; see Connect to EJBCA above.)

Tools
Wildfly
run: sudo systemctl start wildfly.service
check: systemctl status wildfly.service

Remote SSH
PuTTY
- Used for the command line

WinSCP
- Used for files on the virtual machine

Visual Studio Code
- EXTENSIONS: in the Marketplace search "ssh" and install Remote – SSH
- When done, select Remote Explorer and enter user@ipaddress
- Choose Connect to Host in New Window
- Select Linux and enter the password

Run code
Compile: javac Name.java
Run: java Name
Check version: java -version



Code
Linux/CentOS
Use Visual Studio Code for the code.
Follow the link here to find the EJBCA libraries.
Import the EJBCA libraries on the virtual machine from:

/usr/lib/jvm/java-1.8.0-openjdk-1.8.0.265.b01-4.el8.x86_64/jre/lib/ext
Do not use the RAAdmin.jar library.

Windows
Use IntelliJ IDEA for the code.

Bug
No such provider: BC: follow the linked fix. The error means the BouncyCastle provider is not registered in the JVM: put the bcprov jar on the classpath and call Security.addProvider(new org.bouncycastle.jce.provider.BouncyCastleProvider()) before using the EJBCA classes, or register the provider in the JRE's java.security file.

Documentation
Classes & functions of EJBCA: see the EJBCA API documentation
Everything about EJBCA: see the EJBCA documentation

