Appendix - Configuring an EJBCA Enrollment Proxy CA for EST

EJBCA supports the enrollment over secure transport (EST) protocol to allow end entities to enroll for certificates by using a URL and TLS authentication. For more information, see:

The Keyfactor Enrollment Proxy CA feature in EJBCA allows you to make EST requests to additional CAs outside the EJBCA instance in which EST is configured. EST requests to external CAs are made via Keyfactor Command; both Microsoft and EJBCA CAs are supported. Configuration to support this is done both on the EJBCA instance where EST is enabled and in Keyfactor Command.

Important:  EJBCA enrollment proxying via Keyfactor Command is only supported when using Active Directory as an identity provider (see Selecting an Identity Provider for Keyfactor Command).

Make the configurations as follows:

  1. In Keyfactor Command, enable CSR enrollment for the CA and template you will use for the EST request (see HTTPS CAs - The Basic Tab and Templates - Details Tab).

  2. In Keyfactor Command, grant the service account user who will broker the EST request using Basic authentication the following permissions in Keyfactor Command (see Security Roles and Claims):

    Certificates > Enrollment > Csr
  3. In the EJBCA instance in which EST will be configured for the external CA, browse to System Configuration > Protocol Configuration and enable EST if it is not already enabled.

    Figure 482: Enable EST Protocol

  4. In EJBCA, browse to CA Functions > Certificate Authorities and choose Import CA certificate...

  5. In EJBCA, in the Import CA certificate dialog, enter a reference name for the external CA in The name this CA will be given. This is for reference only and does not need to match the actual logical name of the CA. Toggle the Disabled button for Onboard Keyfactor Enrollment Proxy CA to enable this feature. Additional fields will appear. Populate the fields as per Table 103: EJBCA Certificate Import Settings.

    Figure 483: Configure Imported CA

    Table 103: EJBCA Certificate Import Settings

    Upstream URL
      Example: https://keyfactor.keyexample.com/KeyfactorAPI/
      Description: The URL to the Keyfactor API. Typically, this is the Keyfactor Command server name followed by the KeyfactorAPI virtual directory name, but this virtual directory name is user configurable when Keyfactor Command is installed, so your URL may vary. The trailing slash is important.

    Username
      Description: The username of the service account in whose context the certificate will be requested through Keyfactor Command.

    Password
      Description: The password of the service account in whose context the certificate will be requested through Keyfactor Command.

    HTTP Headers
      Example:
        x-keyfactor-api-version: 1
        x-keyfactor-requested-with: APIClient
        x-certificateformat: PEM
      Description: HTTP headers to submit to the Keyfactor API with the request. For more information regarding the headers required for the Keyfactor API, see Endpoint Common Features.

    Certificate Authority
      Example (Microsoft): corpca01.keyexample.com\CorpIssuingCA2
      Example (EJBCA): https://ejbca3.keyexample.com:8443\\CorpIssuingCA1
      Description: The host name and logical name of the CA as defined in Keyfactor Command.

    Template
      Example (Microsoft): EnterpriseESTEnrollment
      Example (EJBCA): Corporate_ESTEnrollment
      Description: The short name of the certificate template to be used for EST certificate requests as defined in Keyfactor Command.

    SANs
      Example:
        {
           "dns": [
              "dnssan1.keyexample.com",
              "dnssan2.keyexample.com",
              "dnssan3.keyexample.com"
           ],
           "ip4": [
              "192.168.2.73"
           ]
        }
      Description: Optionally, configure one or more SANs to be included in the request.

      Note:  SANs submitted outside the CSR may be ignored, appended to SANs in the CSR, or overwrite the SANs in the CSR request depending on the type and configuration of the issuing CA. Please be sure to check that the certificate has the correct SANs after issuance. Any SAN added automatically as a result of the RFC 2818 compliance settings will still be added alongside anything you add here. For a Microsoft CA, review the SAN Attribute Policy Handler for the Keyfactor CA Policy Module (see Installing the Keyfactor CA Policy Module Handlers) for more information.

    File containing full CA certificate chain in PEM format or its CA certificate in DER format
      Description: The public key certificate of the CA to which the certificate requests will be directed in PEM or DER format.
  6. In EJBCA, browse to System Configuration > EST Configuration and Edit the new EST alias that has been automatically created upon importing an external CA and enabling the Keyfactor enrollment proxy feature. The EST alias is given the name that you gave your imported CA with “Est” appended. Configure the EST settings appropriately for the type of requests you wish to make. For more information, see:

    Note:  The RA Name Generation Prefix and RA Name Generation Postfix are not relevant for proxied requests.
  7. To test the setup, see:
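Two of the settings in Table 103 are easy to get wrong silently: the Upstream URL must carry its trailing slash, and the SANs configured on the proxy CA may be ignored or altered by the issuing CA, so the note above asks you to check the issued certificate's SANs. The following Go program is an added example, not code from the Keyfactor or EJBCA documentation; it validates the upstream URL, parses the Table 103 SANs JSON, and reports which configured DNS names and IPv4 addresses are absent from an issued certificate. The type and function names (ProxySANs, CheckUpstreamURL, MissingSANs, IssueSampleCert) are assumptions of this example, and the self-signed certificate it builds stands in for a certificate returned through the proxy so that the check runs offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"sort"
	"strings"
	"time"
)

// ProxySANs mirrors the shape of the SANs JSON in Table 103 (assumed type name).
type ProxySANs struct {
	DNS []string `json:"dns"`
	IP4 []string `json:"ip4"`
}

// Constructed copy of the Table 103 example, not taken from a live system.
const sampleSANsJSON = `{"dns":["dnssan1.keyexample.com","dnssan2.keyexample.com","dnssan3.keyexample.com"],"ip4":["192.168.2.73"]}`

// CheckUpstreamURL enforces the two properties the Upstream URL field needs:
// HTTPS transport and the trailing slash the table calls important.
func CheckUpstreamURL(u string) error {
	if !strings.HasPrefix(u, "https://") {
		return fmt.Errorf("upstream URL must use https: %q", u)
	}
	if !strings.HasSuffix(u, "/") {
		return fmt.Errorf("upstream URL must end with a trailing slash: %q", u)
	}
	return nil
}

// MissingSANs parses the configured SANs JSON and an issued certificate (PEM) and
// returns the configured entries the certificate does not carry, sorted, as
// "dns:<name>" or "ip:<address>". An empty result means every configured SAN was issued.
func MissingSANs(sansJSON string, certPEM []byte) ([]string, error) {
	var want ProxySANs
	if err := json.Unmarshal([]byte(sansJSON), &want); err != nil {
		return nil, fmt.Errorf("SANs JSON: %w", err)
	}
	block, _ := pem.Decode(certPEM)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no PEM CERTIFICATE block found")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	have := map[string]bool{}
	for _, d := range cert.DNSNames {
		have["dns:"+strings.ToLower(d)] = true // DNS names compare case-insensitively
	}
	for _, ip := range cert.IPAddresses {
		have["ip:"+ip.String()] = true
	}
	missing := []string{}
	for _, d := range want.DNS {
		if !have["dns:"+strings.ToLower(d)] {
			missing = append(missing, "dns:"+d)
		}
	}
	for _, ip := range want.IP4 {
		parsed := net.ParseIP(ip) // normalises the textual form before comparing
		if parsed == nil || !have["ip:"+parsed.String()] {
			missing = append(missing, "ip:"+ip)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

// IssueSampleCert builds a constructed, self-signed certificate carrying the given SANs.
// It only stands in for the certificate the upstream CA would return, so the example runs offline.
func IssueSampleCert(dns []string, ips []string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "est-test.keyexample.com"},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     dns,
	}
	for _, ip := range ips {
		tmpl.IPAddresses = append(tmpl.IPAddresses, net.ParseIP(ip))
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	if err := CheckUpstreamURL("https://keyfactor.keyexample.com/KeyfactorAPI/"); err != nil {
		fmt.Println("config error:", err)
		return
	}
	// Constructed scenario: the issuing CA dropped one of the three configured DNS SANs.
	certPEM, err := IssueSampleCert([]string{"dnssan1.keyexample.com", "dnssan2.keyexample.com"}, []string{"192.168.2.73"})
	if err != nil {
		panic(err)
	}
	missing, err := MissingSANs(sampleSANsJSON, certPEM)
	if err != nil {
		panic(err)
	}
	fmt.Println("configured SANs missing from issued certificate:", missing)
}
```

In practice you would feed MissingSANs the PEM returned from the EST enrollment instead of the constructed certificate; a non-empty result tells you the issuing CA ignored or rewrote the proxy-configured SANs, which is exactly the condition the note in Table 103 warns about.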