
PrimeKey PKI appliance operations manual


PKI Appliance
Operations Manual

Public Key Infrastructure by PrimeKey
Ver: 3.0.0

2018-04-30


Copyright ©2018 PrimeKey Solutions
Published by PrimeKey Solutions AB
Lundagatan 16
171 63 Solna
Sweden

To report errors, please send a note to

Notice of Rights
All rights reserved. No part of this book may be reproduced or transmitted in any form by any means,
electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the
publisher. For more information on getting permission for reprints and excerpts, contact

Notice of Liability
The information in this book is distributed on an “As Is” basis without warranty. While every precaution has
been taken in the preparation of the book, neither the authors nor PrimeKey shall have any liability to any
person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by
the instructions contained in the book or by computer software and hardware products described in it.

Trademarks
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as
trademarks. Where those designations appear in this book, and PrimeKey was aware of a trademark claim,


the designations appear as requested by the owner of the trademark. All other product names and services
identified throughout this book are used in editorial fashion only and for the benefit of such companies with
no intention of infringement of the trademark. No such use, or the use of any trade name, is intended to
convey endorsement or other affiliation with this book.


Contents

Part I: Preamble .... 1

1 Release Notes .... 2

2 Introduction .... 4
  2.1 Audience .... 4
    2.1.1 Styling Conventions .... 4
    2.1.2 Daily operations .... 5

3 PKI Appliance Overview .... 6
  3.1 Description .... 6

Part II: Advanced Installation .... 7

4 Using External CA for Installation .... 8
  4.1 Smart Card Setup .... 11
    Use-Case: Smart Card Installation in Firefox .... 11
    Use-Case: Install the first PKI Appliance .... 14
    Use-Case: Install a PKI Appliance with an existing Management CA .... 22

Part III: Appliance Operations .... 23

5 WebConf .... 24
  Use-Case: Create a new TLS server side certificate for Application Interface .... 24
  Use-Case: Upload a new trusted CA for TLS authentication and new superadmin certificate for Management Interface .... 32
  Use-Case: Configure a new trusted CA for TLS authentication and new superadmin certificate for Application Interface .... 36

6 Maintenance .... 39
  6.1 PKI Appliance State .... 39
  6.2 Reasons for Maintenance .... 40
  6.3 Effects .... 42

7 Support Package .... 44

Part IV: EJBCA GUI Operations .... 46

8 Certificate Life Cycle Management .... 47
  8.1 Introduction to Certificate Life Cycle Management .... 47
    8.1.1 Entity Issuance and Maintenance .... 47
    8.1.2 Creation of Entity and Certificates .... 47
    8.1.3 Verification .... 48
    8.1.4 Revocation, Re-issuance, Un-Revoke .... 48
    8.1.5 Deletion of an End Entity .... 48
  8.2 Certification Authorities .... 48
    8.2.1 Types of Certification Authorities .... 49

9 Creating a CA Hierarchy .... 51
  9.1 Use-Case: Creation of the RootCA .... 52
    Creating a Certificate Profile for the RootCA .... 52
    Create Crypto Token for RootCA .... 54
    Creating a RootCA .... 56
  9.2 Use-Case: Create Certificate Profile for SubCAs .... 59
  9.3 Use-Case: Create End Entity Profile for SubCAs .... 63
  9.4 Use-Case: Import RootCA as External CA in node A .... 65
  9.5 Use-Case: Create SignCA as SubCA in node A .... 67
    Create Crypto Token for SignCA .... 67
    Creating SignCA .... 68
  9.6 Use-Case: Create AuthCA as SubCA in node A .... 75
    Create Crypto Token for AuthCA .... 75
    Creating AuthCA .... 76
  9.7 Use-Case: Create SSLCA as SubCA in node A .... 85
    Create Crypto Token for SSLCA .... 85
    Creating SSLCA .... 87
  9.8 Use-Case: Create Certificate Profiles for End Entities that will use the SubCAs .... 95
    Create Certificate Profile for End Entities that will use AuthCA .... 95
    Create Certificate Profile for End Entities that will use SignCA .... 96
    Create Certificate Profile for End Entities that will use SSLCA .... 98
  9.9 Use-Case: Create End Entity Profiles for SubCAs .... 100
    Create End Entity Profile for AuthCA .... 100
    Create End Entity Profile for SignCA .... 101
    Create End Entity Profile for SSLCA .... 104
  9.10 Use-Case: Create End Entities that will use the SubCAs .... 106
    Create an End Entity that will use SSLCA .... 106
    Create an End Entity that will use AuthCA .... 108
    Create an End Entity that will use SignCA .... 110

10 Managing End Entities .... 112
  10.1 Use-Case: Searching for end entities .... 112
  10.2 Certificate Revocation .... 112
    10.2.1 Use-Case: Revoking a Certificate using EJBCA .... 113
    10.2.2 Use-Case: Re-issuing a Certificate using EJBCA .... 113

Part V: VA Setup .... 114

11 Setting up a VA .... 115
  11.1 Online Certificate Revocation Protocol .... 115
  11.2 CRL Distribution Point .... 115
  11.3 VA setup scenarios .... 115
  11.4 Use-Case: Install PKI Appliance as dedicated VA .... 118
  11.5 Use-Case: Create OCSP Keys in VA-Appliance .... 133
  11.6 Use-Case: Create OCSP Key Binding in VA and publisher in CA-Appliance .... 134
  11.7 Use-Case: Set up a VA-Appliance which fetches CRLs from external server .... 145

Part VI: EJBCA Advanced Administration .... 149

12 Separation of privileges .... 150
  12.1 EJBCA Access Management .... 150
    12.1.1 Managing EJBCA Roles .... 150
      Use-Case: Create an End Entity Certificate Profile for the Administrator CA .... 151
      Use-Case: Issue New Administrator Credentials .... 152
      Use-Case: Create a CA Administrator Group .... 153
      Use-Case: Adding New Administrators to the CA Administrator Group .... 153
      Use-Case: Creating a New RA Administrator Group .... 154
      Use-Case: Adding New Administrators to the RA Administrator Group .... 155
      Use-Case: Creating a New Supervisor Group .... 155
      Use-Case: Adding New Administrators to the Supervisor Group .... 156
      Use-Case: Adding New Administrators to the Super Administrator Group .... 156
      Use-Case: Test the Different Administrators .... 157
    12.1.2 CWA Roles .... 157

13 Key Recovery .... 159
  13.1 Profile Requirement .... 159
    Use-Case: Configure EJBCA for Recovery .... 160
    Use-Case: Configure Profiles to Enable Recovery .... 160
    Use-Case: Add a User and Issue an Entity .... 160
    Use-Case: Recovering the Lost Entity .... 161

14 Approval Process .... 163
  Use-Case: Configure CA for Approvals .... 163
  Use-Case: Approve Issuing of the End Entity .... 164
  Use-Case: Remove Approvals From CA .... 165

15 Timed Services .... 166
  15.1 CRL Updater .... 166
    Use-Case: Configure a CRL Updater .... 166
  15.2 HSM Keep Alive Service .... 167
  15.3 Custom Service .... 167

16 Customising the Web GUI .... 168
  16.1 Changing the language .... 168
    Use-Case: Change the default language .... 168
  16.2 Hiding Menu Options .... 169
    Use-Case: Access the public GUI without the menu options .... 169

17 Key Management .... 170
  Use-Case: Create Crypto Tokens .... 170
  Use-Case: Create the CA .... 171
  Use-Case: Renew superadmin certificate .... 171

18 Logging and Monitoring .... 176
  18.1 Logging .... 176
    18.1.1 Security Audit log vs System log .... 176
  18.2 Monitoring and Health-Check .... 176
    18.2.1 snmp .... 178

Part VII: Appliance in High Availability Setup .... 181

19 HA Setup .... 182
  19.1 Scope of availability .... 182
    19.1.1 How it works .... 182
    19.1.2 Synchronization of key material .... 182
      19.1.2.1 Pre-cluster setup generation of keys .... 182
      19.1.2.2 Post-cluster setup generation of keys .... 183
      Use-Case: Synchronize key material .... 183
    19.1.3 Network topology .... 183
    19.1.4 Cluster traffic security considerations .... 184
  19.2 Continuous service availability .... 184
  19.3 Levels of availability .... 184
    19.3.1 Stand alone instance .... 184
    19.3.2 Hot stand-by with manual fail-over .... 184
    19.3.3 High availability with automatic fail-over .... 185
  19.4 High Availability .... 185
    Use-Case: Setting up a 2 node cluster from scratch .... 185
    Use-Case: Setting up a 3 node cluster from scratch .... 186
    Use-Case: Extending a cluster from n to n+1 nodes .... 186
  19.5 Backup, Restore and Update .... 187
    19.5.1 Backing up a cluster .... 187
    19.5.2 Restoring a cluster from backup .... 187
    19.5.3 Updating the software (firmware/applications) on a cluster .... 188
      Use-Case: Software update on a three node cluster from 2.2.0 to 2.3.0 .... 188
  19.6 Controlled full cluster shutdown and startup .... 189
    19.6.1 Shutting down the cluster in a controlled manner .... 189
    19.6.2 Starting a fully shut down cluster .... 189
  19.7 Operational Caution .... 190
    Use-Case: Changing the IP Address of the Application Interface of a node in a three node cluster .... 190
    Replacing a failed cluster node .... 191

20 PKCS#11 Slot Smart Card Activation .... 192
  20.1 Introduction .... 192
  20.2 Installation/Configuration .... 192
    20.2.1 "Number of users required" .... 193
    20.2.2 "Number/copies of user smart cards" .... 193
    20.2.3 "Require smart cards to activate system after boot" .... 193
    20.2.4 Procedure .... 193
      20.2.4.1 Example with default values .... 194
      20.2.4.2 Slots 0 and 1 .... 194
  20.3 Application/Activation of a slot .... 194
    20.3.1 Activation on boot/slot 0 .... 195

Part VIII: SignServer GUI Operations .... 196

21 Managing Workers with Admin Web .... 197
  21.1 Use-Case: Setting up a PDF Signer .... 197
    21.1.1 Adding a PDF Signer .... 197
    21.1.2 Generate keys for PDF Signer .... 198
    21.1.3 Create CSR for the Signer .... 199
    21.1.4 Configure EJBCA for CSR signing from SignServer Workers .... 202
    21.1.5 Install the certificates in SignServer .... 207
  21.2 Use-Case: Signing and verifying a PDF document .... 207
    21.2.1 Sign a PDF document using the PDF Signer .... 207
    21.2.2 Verify the signed PDF with Adobe Reader .... 208
  21.3 Use-Case: Rekeying signers .... 214
    21.3.1 Generate a new key .... 214
    21.3.2 Create a certificate signing request .... 214
    21.3.3 Install the certificates .... 215

22 Managing Workers with Admin GUI .... 217
  22.1 Use-Case: Setting up a PDF Signer .... 217
    22.1.1 Adding a PDF Signer .... 217
    22.1.2 Generate keys for PDF Signer .... 219
    22.1.3 Create CSR for the Signer .... 221
    22.1.4 Configure EJBCA for CSR signing from SignServer Workers .... 223
    22.1.5 Install the certificates in SignServer .... 228
  22.2 Use-Case: Signing and verifying a PDF document .... 229
    22.2.1 Sign a PDF document using the PDF Signer .... 229
    22.2.2 Verify the signed PDF with Adobe Reader .... 229
  22.3 Use-Case: Rekeying signers .... 235
    22.3.1 Generate a new key .... 235
    22.3.2 Create a certificate signing request .... 236
    22.3.3 Install the certificates .... 236


PKI Appliance
Operations Manual – Public Key Infrastructure by PrimeKey
Ver: 3.0.0

List of Figures

4.1 Logical hierarchy .... 9
4.2 Node A - Physical Infrastructure with online PKI Appliance .... 9
4.3 Node B - Physical Infrastructure with offline PKI Appliance .... 10
4.4 Security Devices in Firefox .... 11
4.5 Device Manager in Firefox .... 12
4.6 Load module in Firefox .... 12
4.7 Device Manager in Firefox .... 13
4.8 Device Manager in Firefox .... 13
4.9 First login to the PKI Appliance .... 14
4.10 Notification for untrusted network .... 14
4.11 Checking TLS fingerprint .... 15
4.12 Confirm TLS fingerprint .... 15
4.13 Provide OTP password .... 16
4.14 Choose installation .... 16
4.15 Configure Network Settings .... 16
4.16 Configure date and timezone .... 17
4.17 Configure Management CA .... 17
4.18 Pre-installation Summary .... 17
4.19 Enroll process .... 18
4.20 Provide smart card password .... 18
4.21 Key generation in the smart card .... 19
4.22 Successful enrollment .... 19
4.23 Authentication to the system .... 19
4.24 Confirmation of connection to the system .... 20
4.25 EJBCA Public Pages .... 20
4.26 WebConf Access tab .... 21
4.27 Management CA Setting .... 22
4.28 EJBCA Administration in first PKI Appliance .... 22
4.29 EJBCA Administration in first PKI Appliance .... 22

5.1 EJBCA TLS check .... 25
5.2 EJBCA TLS check certificate .... 25
5.3 EJBCA CN value for TLS .... 26
5.4 WebConf Access tab .... 26
5.5 WebConf Create CSR .... 27
5.6 WebConf Download CSR .... 27
5.7 EJBCA Search End Entities .... 28
5.8 EJBCA Edit End Entity .... 28
5.9 EJBCA Edit End Entity, cont. .... 29
5.10 EJBCA Create Certificate from CSR .... 29
5.11 EJBCA Enroll .... 30
5.12 EJBCA Save certificate chain .... 30
5.13 WebConf: Activate certificate chain .... 31
5.14 WebConf: Upload certificate chain .... 31
5.15 EJBCA login .... 31
5.16 EJBCA TLS cert CN .... 32
5.17 WebConf Access .... 33
5.18 WebConf Access add a new client certificate for TLS authorization .... 34
5.19 WebConf Upload the new trusted CA chain .... 35
5.20 WebConf TLS is updated .... 35
5.21 WebConf New configuration for Management Interface is in use .... 36
5.22 Import new trusted CAs as External ones in EJBCA .... 37
5.23 Add a new trusted client certificate as superadmin in EJBCA .... 37
5.24 Configure the serial number of the trusted certificate in EJBCA .... 38

9.1 Node B with RootCA installed .... 51
9.2 Node A with SubCAs and ManagementCA installed .... 52
9.3 Certificate Profiles .... 52
9.4 Clone a certificate profile .... 53
9.5 Certificate Profiles .... 53
9.6 Crypto Tokens .... 54
9.7 Crypto Tokens settings .... 55
9.8 Key pair creation .... 56
9.9 Certification Authorities .... 56
9.10 Create CA .... 57
9.11 CA certificate data .... 57
9.12 CA CRL data settings .... 58
9.13 Clone SUBCA .... 59
9.14 Create from template .... 60
9.15 Edit Certificate Profile .... 60
9.16 Edit Certificate Profile 2 .... 61
9.17 Edit Certificate Profile 3 .... 61
9.18 Edit Certificate Profile 4 .... 62
9.19 Create End Entity profile for SUBCAs .... 63
9.20 Edit End Entity Profile for SubCAs .... 64
9.21 Edit End Entity Profile for SubCAs 2 .... 64
9.22 Fetch RootCA certificate .... 65
9.23 Save RootCA pem file .... 66
9.24 Import RootCA as External CA .... 66
9.25 Crypto Token creation for SignCA .... 68
9.26 Create keys for SignCA .... 68
9.27 Create SignCA in Certification Authorities .... 69
9.28 SignCA settings .... 69
9.29 SignCA will be signed by 'External CA' .... 70
9.30 CA CRL data settings for SignCA .... 70
9.31 Create CSR for SignCA .... 71
9.32 Generation of CSR .... 71
9.33 Create an End Entity for SignCA in the PKI Appliance where RootCA is installed .... 72
9.34 Sign CSR request for SignCA .... 73
9.35 Download signed .pem for SignCA .... 73
9.36 Upload signed CSR for SignCA .... 74
9.37 Activated SignCA .... 74
9.38 Crypto Token creation for AuthCA .... 76
9.39 Create keys for AuthCA .... 76
9.40 Create AuthCA in Certification Authorities .... 77
9.41 AuthCA settings .... 77
9.42 AuthCA Signed by 'External CA' .... 78
9.43 CA CRL data settings for AuthCA .... 78
9.44 Create CSR for AuthCA .... 79
9.45 Generation of CSR .... 79
9.46 Certification Authorities status .... 80
9.47 Create an End Entity for AuthCA in the PKI Appliance where RootCA is installed .... 81
9.48 Sign CSR request for AuthCA .... 82
9.49 Download signed .pem for AuthCA .... 82
9.50 Edit AuthCA .... 83
9.51 Upload signed CSR for AuthCA .... 83
9.52 Activated AuthCA .... 84
9.53 Crypto Token creation for SSLCA .... 86
9.54 Create keys for SSLCA .... 87
9.55 Create SSLCA in Certification Authorities .... 87
9.56 SSLCA settings .... 88
9.57 SSLCA Signed by 'External CA' .... 88
9.58 CA CRL data settings for SSLCA .... 89
9.59 Create CSR for SSLCA .... 89
9.60 Generation of CSR .... 90
9.61 Create an End Entity for SSLCA in the PKI Appliance where RootCA is installed .... 91
9.62 Sign CSR request for SSLCA .... 92
9.63 Download signed .pem for SSLCA .... 92
9.64 Edit SSLCA .... 93
9.65 Upload signed CSR for SSLCA .... 93
9.66 Activated SSLCA .... 94
9.67 Create Certificate Profile for AuthCA .... 95
9.68 Certificate Profile Settings for AuthCA .... 96
9.69 Certificate Profile Settings for AuthCA 2 .... 96
9.70 Create Certificate Profile for SignCA .... 97
9.71 Certificate Profile Settings for SignCA .... 97
9.72 Certificate Profile X.509 extensions Settings for SignCA .... 98
9.73 Certificate Profile Settings for SignCA cont. .... 98
9.74 Clone Certificate Profile for SSLCA .... 99
9.75 Certificate Profile Settings for SSLCA .... 99
9.76 Certificate Profile X.509 extensions Settings for SSLCA .... 99
9.77 Create End Entity Profile for AuthCA .... 100
9.78 Subject DN Attributes for AuthCA End Entity Profile .... 101
9.79 Main certificate data for AuthCA End Entity Profile .... 101
9.80 Create End Entity Profile for SignCA .... 102
9.81 Subject DN Attributes for SignCA End Entity Profile .... 103
9.82 Main certificate data for SignCA End Entity Profile .... 103
9.83 Clone End Entity Profile for SSLCA .... 104
9.84 Subject DN Attributes for SSLCA End Entity Profile .... 105
9.85 Main certificate data for SSLCA End Entity Profile .... 105
9.86 Create End Entity for SSLCA .... 107
9.87 Keystore Enrollment for testsrv.course .... 107
9.88 Enrollment for testsrv.course .... 108
9.89 Save testsrv.course.p12 file .... 108
9.90 Create End Entity for AuthCA .... 109
9.91 Browser Certificate for Auth_User_1 .... 110

11.1 Peer Connector CA-VA setup .... 116
11.2 VA setup for CRL Downloader service .... 117
11.3 Rename ManagementCA to PeerMgmtCA .... 118
11.4 Fetch PeerMgmtCA certificate .... 119
11.5 Download PeerMgmtCA certificate .... 120
11.6 VA network settings .... 120
11.7 Install VA with existing ManagementCA .... 121
11.8 Upload external CA .... 121
11.9 Copy issuer value from VA-WebConf .... 122
11.10 Create End Entity in CA-Appliance for VA TLS connections .... 123
11.11 Create End Entity in CA-Appliance for VA TLS connections cont. .... 123
11.12 Create CSR for Application Interface in VA .... 124
11.13 Download CSR for Application Interface in VA .... 124
11.14 Create certificate in CA for VA Application Interface from CSR .... 125
11.15 Sign certificate for VA Application Interface from CSR
11.16 Download signed certificate for VA Application Interface
11.17 Activate new certificate for VA Application Interface
11.18 Updating Application Interface access in VA
11.19 Rename ManagementCA to PeerMgmtCA in VA
11.20 Configure connections in VA
11.21 Configure connections in CA
11.22 Create a Peer Connector in CA
11.23 Ping to test the connection
11.24 Peer systems request in VA
11.25 Authorize connection request from CA
11.26 Create a new role for incoming request
11.27 Modify Authorization for incoming connections in VA
11.28 Manage peer connector in CA
11.29 Manage Peer Connector in CA
11.30 Check status of data synchronization in CA
11.31 Crypto Token for OCSP
11.32 Create new OCSP key binding
11.33 Configure OCSP Key Binding
11.34 Created OCSP key binding
11.35 Download the CSR for OCSP key binding
11.36 Edit OCSPEndEntityProfile
11.37 Edit OCSPEndEntityProfile cont.
11.38 Edit OCSPEndEntityProfile cont.
11.39 Add OCSP End Entity in CA-Appliance
11.40
11.41 OCSP CSR is signed successfully
11.42 Upload the signed OCSP CSR in VA
11.43 Enable OCSP key binding
11.44 Set default responder
11.45 Add a publisher in the CA-Appliance
11.46 Configure the publisher in CA-Appliance
11.47 Import external CA in VA-Appliance
11.48 Configure the CDP of the CA
11.49 Add CRL Downloader service
11.50 Configure CRL Downloader service
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

125
126
126
126
127
127
128
128
129
129
130
130
131
131
132
132
133
134
135
136
136

137
137
138
139
139
140
140
141
141
142
143
145
146
146
147

17.1
17.2
17.3
17.4
17.5

.
.
.
.
.

.
.

.
.
.

.
.
.
.
.

.
.
.
.
.

.
.
.
.
.

.
.
.
.
.

.
.

.
.
.

.
.
.
.
.

.
.
.
.
.

.
.
.
.
.

.
.
.
.
.

172
172

174
174
175

EJBCA
EJBCA
EJBCA
EJBCA
EJBCA

Search End Entity . . . . . . . . .
superadmin certificate . . . . . .
Certificate enrollment . . . . . . .
Choose certificate to authenticate
Renewed superadmin certificate .

.
.
.
.
.

.
.
.
.
.

.
.

.
.
.

.
.
.
.
.

.
.
.
.
.

.
.
.
.
.

.
.
.
.
.

.
.

.
.
.

21.1 Add new worker. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
13 (237)


PKI Appliance
Operations Manual – Public Key Infrastructure by PrimeKey
LIST OF FIGURES

Ver: 3.0.0

21.2 Generate key. . . . . . . . . . . .
21.3 Configure key. . . . . . . . . . . .
21.4 Generate key. . . . . . . . . . . .
21.5 Provide CSR. . . . . . . . . . . .
21.6 Save CSR. . . . . . . . . . . . . .
21.7 Manage Certificate Profiles. . . . .
21.8 Clone EndUser certificate profile. .
21.9 Edit SignerCertificateProfile. . . .
21.10Provide CRL distribution point. . .
21.11Create SignerEndEntityProfile. . .
21.12Add end entity. . . . . . . . . . .
21.13Sign CSR. . . . . . . . . . . . . .
21.14CSR created. . . . . . . . . . . . .
21.15Add certificates. . . . . . . . . . .
21.16Sign PDF. . . . . . . . . . . . . .
21.17Fetch RootCA certificate. . . . . .

21.18Adobe Reader Preferences. . . . .
21.19Import trusted certificates. . . . .
21.20Browse for the trusted certificate. .
21.21Edit trust of the certificate. . . . .
21.22Enable trust options. . . . . . . .
21.23Validate signature. . . . . . . . . .
21.24Signature details. . . . . . . . . .
21.25Revocation details. . . . . . . . .
21.26Generate key. . . . . . . . . . . .
21.27Provide CSR. . . . . . . . . . . .
21.28Choose certificates. . . . . . . . .

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.


.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.


.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

198
199
199
200

201
202
202
203
203
204
205
206
206
207
208
208
209
210
210
211
211
212
212
213
214
215
215

22.1 Add new worker. . . . . . . . . .
22.2 Choose property file. . . . . . . .
22.3 Apply Configuration. . . . . . . .
22.4 Generate key. . . . . . . . . . .
22.5 Configure key. . . . . . . . . . .
22.6 Generate key. . . . . . . . . . .

22.7 Provide CSR. . . . . . . . . . .
22.8 Save CSR. . . . . . . . . . . . .
22.9 Manage Certificate Profiles. . . .
22.10Clone EndUser certificate profile.
22.11Edit SignerCertificateProfile. . .
22.12Provide CRL distribution point. .
22.13Create SignerEndEntityProfile. .
22.14Add end entity. . . . . . . . . .
22.15Sign CSR. . . . . . . . . . . . .

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.


.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.

.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.


.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.

.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

217
218
218
219
220
220
221
222
223
223
224
224

225
226
227

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

14 (237)


PKI Appliance
Operations Manual – Public Key Infrastructure by PrimeKey
LIST OF FIGURES
22.16CSR created. . . . . . . . . . . . .
22.17Certificate installed. . . . . . . . .
22.18Worker is active. . . . . . . . . . .
22.19Sign PDF. . . . . . . . . . . . . .

22.20Fetch RootCA certificate. . . . . .
22.21Adobe Reader Preferences. . . . .
22.22Import trusted certificates. . . . .
22.23Browse for the trusted certificate. .
22.24Edit trust of the certificate. . . . .
22.25Enable trust options. . . . . . . .
22.26Validate signature. . . . . . . . . .
22.27Signature details. . . . . . . . . .
22.28Revocation details. . . . . . . . .
22.29Generate key. . . . . . . . . . . .
22.30Provide CSR. . . . . . . . . . . .
22.31Choose certificates. . . . . . . . .

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.


.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.

15 (237)

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.


.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.


.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.

.
.
.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

.
.
.
.
.

.
.
.
.
.
.
.
.
.
.
.

Ver: 3.0.0
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.


.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.

227
228
228
229
230
230
231
231
232
232
233
233
234

235
236
237



Part I

Preamble




Chapter 1

Release Notes
PKI Appliance 3.0.0 Release Notes
This major release brings an overhauled technology stack for the PKI Appliance
platform. Besides the updates of EJBCA and SignServer, the majority of components
and services have been updated.
New Features:

* Support for hardware version 2
* EJBCA Enterprise 6.11.1.1 - Please check out the EJBCA release notes for more
detailed information
* SignServer 4.2.2 - Please check out the SignServer release notes for more details
Improvements:
* PrimeLFS is now based on LFS 7.9 with updated components and services:
- MariaDB to 10.2.13 and Galera provider 25.3.23
- OpenSSL 1.0.2.n
- Apache 2.4.29
* Adjusted quorum weights (127,126,125) for cluster nodes for graceful degradation
of service
* Improved "Force into Active" handling of cluster nodes
* Improved database scalability by using database.useSeparateCertificateTable=true
* Newly structured security/secrets page in the installation wizard
Security Patches:
* Mitigation for the Meltdown, Spectre and zombie Dirty COW vulnerabilities
* OpenSSL has been updated to 1.0.2
* Apr-Util to 1.6.1
* curl to 7.58.0


Known Issues and Limitations:

* Only two of the four available ethernet ports are usable at the moment.
Support for the disabled ethernet ports will be added in future versions.
* Due to a firmware limitation the appliance only becomes reachable when both
ethernet ports are successfully connected to a switched network.
* Ethernet ports might not establish the link if the network cables have not been
connected before booting the device.
* PKI Appliance 3.0.0 firmware can only be installed on appliances of the latest
generation (hardware version >= 2.0 required). Support for older hardware will
be added in a future version.
* Backups taken on version < 3.0 cannot be restored. Support to restore backups
taken on previous versions will be added in future releases.
* "FIPS restrictions applied" mode is not available for CryptoServer Se52.
Operation in FIPS mode will be added in a future version.
* It is not possible to set up a cluster with nodes running a mix of firmware
version 2 and version 3.


Chapter 2

Introduction
This manual provides an in-depth understanding of the public key infrastructure (PKI) products and services provided by PrimeKey and is intended to serve as a guide to understanding
and implementing PKI as a product and service within the PKI Appliance.


2.1 Audience

This guide is intended for use by Information Technology (IT) professionals with an interest
in implementing the PKI products provided by PrimeKey in their environment using the
PKI Appliance. The guide is presented in a structured manner so that it begins with an
introduction to the subject and progressively moves into deeper technical topics. This
allows the guide to be useful for a wide variety of personnel, from managers to integrators.
The lowest common denominator between the various groups of audiences is the shared
interest in implementing PKI using PrimeKey products.

2.1.1 Styling Conventions

The following items explain the styling conventions that are used throughout this document,
together with an example below each description:
• Buttons on the GUI are represented like Create.
• Options from popup menus or values that can be chosen are represented like RSA 2048.
• Links in the GUI that need to be selected/clicked upon are displayed in blue like:
Search End Entities.
• Values that have to be provided in text fields are presented as: a new value.
• Group titles or GUI text that is not selectable are represented as: RA Functions.
• Informative messages provide additional explanation of the steps being performed, or
the configuration being applied. For example:



This is an informative message containing extra information.
• Warning messages are used to draw attention to a critical or sensitive step that
has to be performed, or to a critical piece of information that has to be provided. For
example:
This is a warning message.
• Shell listings are used to specify commands that should be run on a server in a terminal,
by a specific operating system user. For example:
Run as user
df -h

2.1.2 Daily operations

Exercises are indicated by the "Use-Case" prefix as illustrated below. Exercises provide a step
by step approach to perform an activity and require the practical environment:
Use-Case: Install PKI Appliance
While following the exercises outlined in this document, the following guidelines apply:
Unless the instructions explicitly state so, do not deviate from the instruction order. All steps should be performed in the sequence in which they are
outlined. Do not jump back and forth between different exercises, unless
the instructions explicitly state so.


Chapter 3

PKI Appliance Overview
3.1 Description

EJBCA Enterprise Appliance is a PKI-in-a-box and combines the flexibility, reliability and
feature set of EJBCA Enterprise software with a secure technology stack and enterprise-grade hardware including a FIPS 140-2 Level 3 certified HSM. Through the combination of
built-in CA, RA and VA functionality and a variety of interfaces like OCSP, CMP, SCEP and
WebServices, EJBCA Enterprise Appliance provides a unique turn-key PKI solution.
EJBCA Enterprise Appliance is based on a unified and controlled technology stack which
reduces technical risks for the entire PKI project and reduces patch management efforts
during operation. Simplified management and maintenance workflows lower the setup time
and operational costs and reduce the TCO.
High flexibility, performance, and support for high-availability and load-balancing make the EJBCA
Enterprise Appliance suitable for critical infrastructure setups within commercial and governmental organizations of all sizes.
As of version 2.4.0 the EJBCA Enterprise Appliance (or PKI Appliance) exists in three
different product sizes, designated as S, M or L. Previous unlabeled versions are equivalent
to the M size. While the L version takes advantage of recently available bigger hard disks
to provide for more database space, the S version is a highly reduced version with smaller
database size and also a reduced speed HSM.


Part II

Advanced Installation


Chapter 4

Using External CA for Installation
In this chapter we will implement the scenario where two different PKI Appliances will be
installed using the same ManagementCA certificate, which is installed on a Smart Card.
The following instructions will guide the administrator to:

• configure the MARX CrypToken smart card with Firefox,
• install the first PKI Appliance and install the SuperAdmin certificate on the smart card,
• install the second PKI Appliance by using an ExternalCA certificate.
General installation instructions can be found in ??.
The use-case is that we have ManagementCA as the super-administrator for operating both PKI Appliances (node A, node B), and a logical hierarchy with ROOTCA as the
root certification authority which signs 3 different subCAs (SignCA, AuthCA and SSLCA,
see figure 4.1).


Figure 4.1: Logical hierarchy
Because in many cases the ROOTCA is required to be offline, the physical
infrastructure differs from the logical hierarchy. In one PKI Appliance (node A), we install
ManagementCA together with the 3 subCAs (see figure 4.2).

Figure 4.2: Node A - Physical Infrastructure with online PKI Appliance
The second box will host the ROOTCA, which will be taken offline as soon as it has signed the
SubCAs (see figure 4.3).


Figure 4.3: Node B - Physical Infrastructure with offline PKI Appliance
