
CA handler for EJBCA

grindsa edited this page Feb 11, 2023 · 4 revisions

Connecting to Keyfactor's EJBCA

This handler can be used to enroll certificates from the Open Source version of Keyfactor's EJBCA as ACME support is only available in the Enterprise version.

Prerequisites

Configuration

  • modify the server configuration (/acme_srv/acme_srv.cfg) and add the following parameters
[CAhandler]
handler_file: examples/ca_handler/ejbca_ca_handler.py
api_host: <url>
cert_file: <filename>
cert_passphrase: <passphrase>
ca_bundle: <filename>
cert_profile_name: <name>
ee_profile_name: <name>
username: <name>
enrollment_code: <value>
ca_name: <name>
request_timeout: <seconds>
  • api_host - URL of the EJBCA-Rest service
  • cert_file - certificate and key in PKCS#12 format used to authenticate towards the EJBCA-Rest service
  • cert_passphrase - passphrase to access the PKCS#12 container
  • ca_bundle - optional - CA certificate chain in PEM format needed to validate the EJBCA server certificate - can be True/False or a filename (default: True)
  • username - PKI username
  • enrollment_code - enrollment code
  • cert_profile_name - name of the certificate profile
  • ee_profile_name - name of the end entity profile
  • ca_name - name of the CA used to enroll certificates
  • request_timeout - optional - timeout in seconds for requests to the EJBCA-Rest service (default: 5s)
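As an added illustration (not code from acme2certifier or this wiki), a small Python helper that loads the [CAhandler] section described above, checks that every required parameter is present and normalises ca_bundle (True/False or a filename) and request_timeout (default 5) exactly as the list documents; it also reports when ca_bundle is set to False, since that disables validation of the EJBCA server certificate. The values in SAMPLE_CFG are constructed placeholders.

```python
import configparser
from typing import Any, Dict, Optional, Union
# Parameters the wiki lists for [CAhandler]; ca_bundle and request_timeout are optional.
REQUIRED = ("handler_file", "api_host", "cert_file", "cert_passphrase",
            "cert_profile_name", "ee_profile_name", "username",
            "enrollment_code", "ca_name")
# Constructed sample configuration (hypothetical host, paths and secrets).
SAMPLE_CFG = """\
[CAhandler]
handler_file: examples/ca_handler/ejbca_ca_handler.py
api_host: https://ejbca.example.internal
cert_file: /var/www/acme2certifier/volume/ejbca_client.p12
cert_passphrase: not-a-real-passphrase
ca_bundle: False
cert_profile_name: acme_profile
ee_profile_name: acme_ee
username: acme
enrollment_code: not-a-real-code
ca_name: ManagementCA
"""
def parse_ca_bundle(value: Optional[str]) -> Union[bool, str]:
    """True/False toggles server-certificate validation; any other value is a PEM chain path."""
    if value is None:
        return True                      # documented default
    lowered = value.strip().lower()
    if lowered in ("true", "yes", "1"):
        return True
    if lowered in ("false", "no", "0"):
        return False
    return value.strip()
def load_cahandler_config(cfg_text: str) -> Dict[str, Any]:
    """Return the normalised [CAhandler] settings plus a list of review findings."""
    parser = configparser.ConfigParser()
    parser.read_string(cfg_text)
    if not parser.has_section("CAhandler"):
        raise ValueError("missing [CAhandler] section")
    section = parser["CAhandler"]
    missing = [key for key in REQUIRED if not section.get(key)]
    if missing:
        raise ValueError("missing required parameters: " + ", ".join(missing))
    settings: Dict[str, Any] = {key: section[key] for key in REQUIRED}
    settings["ca_bundle"] = parse_ca_bundle(section.get("ca_bundle"))
    settings["request_timeout"] = section.getint("request_timeout", fallback=5)
    findings = []
    if settings["ca_bundle"] is False:   # TLS server certificate would go unchecked
        findings.append("ca_bundle is False: EJBCA-Rest server certificate is not validated")
    settings["findings"] = findings
    return settings
```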

You can test the connection by running the following curl command against your CA server. Note that a passphrase passed on the command line in this way is visible in the shell history and in the process list, so use a throw-away shell or clear the history afterwards.

root@rlh:~#  curl https://<api-host>/ejbca/ejbca-rest-api/v1/certificate/status --cert-type P12 --cert <cert_file>:<cert_passphrase> --cacert <ca_bundle>

The response to this call is a dictionary containing the status and version number of the EJBCA server.

{
  "status":"OK",
  "version":"1.0",
  "revision":"EJBCA 7.11.0 Community (8d14e27cda0b32eba35a1fd1423f8e6a31d1ed8e)"
}

Use your favorite ACME client for certificate enrollment. A list of clients used in our regression tests can be found in the disclaimer section of our README file.
