CA handler for EJBCA

grindsa edited this page Aug 6, 2024 · 4 revisions

Connecting to Keyfactor's EJBCA

This handler can be used to enroll certificates from the Open Source version of Keyfactor's EJBCA as ACME support is only available in the Enterprise version.

Prerequisites

Configuration

  • modify the server configuration (acme_srv.cfg) and add the following parameters:
[CAhandler]
handler_file: examples/ca_handler/ejbca_ca_handler.py
api_host: <url>
cert_file: <filename>
cert_passphrase: <passphrase>
ca_bundle: <filename>
cert_profile_name: <name>
ee_profile_name: <name>
username: <name>
enrollment_code: <value>
ca_name: <name>
request_timeout: <seconds>
eab_profiling: <True|False>
  • api_host - URL of the EJBCA-Rest service
  • cert_file - certificate and key in pkcs#12 format to authenticate towards the EJBCA-Rest service
  • cert_passphrase - passphrase to access the pkcs#12 container
  • cert_passphrase_variable - optional - name of the environment variable containing the cert_passphrase (a configured cert_passphrase parameter in acme_srv.cfg takes precedence)
  • ca_bundle - optional - ca certificate chain in pem format needed to validate the ejbca-server certificate - can be True/False or a filename (default: True)
  • username - PKI username
  • username_variable - optional - name of the environment variable containing the EJBCA username (a configured username parameter in acme_srv.cfg takes precedence)
  • enrollment_code - enrollment code
  • enrollment_code_variable - optional - name of the environment variable containing the enrollment_code for the EJBCA user (a configured enrollment_code parameter in acme_srv.cfg takes precedence)
  • cert_profile_name - name of the certificate profile
  • ee_profile_name - name of the end entity profile
  • ca_name - name of the CA used to enroll certificates
  • request_timeout - optional - timeout in seconds for requests towards the EJBCA-Rest service (default: 5s)
  • eab_profiling - optional - activate eab profiling (default: False)

You can test the connection by running the following curl command against your EJBCA server.

root@rlh:~#  curl https://<api-host>/ejbca/ejbca-rest-api/v1/certificate/status --cert-type P12 --cert <cert_file>:<cert_passphrase> --cacert <ca_bundle>

The response to this call will show a dictionary containing status and version number of the server.

{
  "status":"OK",
  "version":"1.0",
  "revision":"EJBCA 7.11.0 Community (8d14e27cda0b32eba35a1fd1423f8e6a31d1ed8e)"
}

Use your favorite acme client for certificate enrollment. A list of clients used in our regression can be found in the disclaimer section of our README file.

Passing a profile_id from client to server

The handler makes use of the header_info_list feature allowing an acme-client to specify a certificate profile to be used during certificate enrollment. This feature is disabled by default and must be activated in acme_srv.cfg as shown below

[Order]
...
header_info_list: ["HTTP_USER_AGENT"]

The acme-client can then specify the profileID as part of its user-agent string.

Example for acme.sh:

docker exec -i acme-sh acme.sh --server http://<acme-srv> --issue -d <fqdn> --standalone --useragent cert_profile_name=acme_clt --debug 3 --output-insecure

Example for lego:

docker run -i -v $PWD/lego:/.lego/ --rm --name lego goacme/lego -s http://<acme-srv> -a --email "[email protected]" --user-agent cert_profile_name=acme_clt -d <fqdn> --http run

eab profiling

This handler can use the eab profiling feature to allow individual enrollment configuration per acme-account as well as restriction of the CN and SANs that may be submitted within the CSR. The feature is disabled by default and must be activated in acme_srv.cfg

[EABhandler]
eab_handler_file: examples/eab_handler/kid_profile_handler.py
key_file: <profile_file>

[CAhandler]
eab_profiling: True

Below is an example key file used during regression testing:

{
  "keyid_00": {
    "hmac": "V2VfbmVlZF9hbm90aGVyX3ZlcnkfX2xvbmdfaG1hY190b19jaGVja19lYWJfZm9yX2tleWlkXzAwX2FzX2xlZ29fZW5mb3JjZXNfYW5faG1hY19sb25nZXJfdGhhbl8yNTZfYml0cw",
    "cahandler": {
      "cert_profile_name": ["acmeca2", "acmeca1"],
      "allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"]
    }
  },
  "keyid_01": {
    "hmac": "YW5vdXRoZXJfdmVyeV9sb25nX2htYWNfZm9yX2tleWlkXzAxX3doaWNoIHdpbGxfYmUgdXNlZF9kdXJpbmcgcmVncmVzc2lvbg",
    "cahandler": {
      "cert_profile_name": "acmeca2",
      "allowed_domainlist": ["www.example.com", "www.example.org", "*.acme"],
      "ca_name": "acmeca"
    }
  },
  "keyid_02": {
    "hmac": "dGhpc19pc19hX3ZlcnlfbG9uZ19obWFjX3RvX21ha2Vfc3VyZV90aGF0X2l0c19tb3JlX3RoYW5fMjU2X2JpdHM",
    "cahandler": {
      "allowed_domainlist": ["www.example.com", "www.example.org"]
    }
  },
  "keyid_03": {
    "hmac": "YW5kX2ZpbmFsbHlfdGhlX2xhc3RfaG1hY19rZXlfd2hpY2hfaXNfbG9uZ2VyX3RoYW5fMjU2X2JpdHNfYW5kX3Nob3VsZF93b3Jr"
  }
}
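To show how the user-agent profile passing and the eab profiling key file above combine, here is an added illustration (not code from acme2certifier or the EJBCA handler). It assumes that a list under cert_profile_name means "these are permitted, the first is the default", that allowed_domainlist entries are fnmatch-style patterns, and that the [CAhandler] defaults in CAHANDLER_DEFAULTS are the operator's own values; the key file is a constructed, shortened copy of the one shown above.

```python
import fnmatch
import json

# Constructed, shortened copy of the key file above (hmac values left out for brevity).
KEY_FILE_JSON = """{
  "keyid_00": {"cahandler": {"cert_profile_name": ["acmeca2", "acmeca1"],
                             "allowed_domainlist": ["www.example.com", "*.acme"]}},
  "keyid_01": {"cahandler": {"cert_profile_name": "acmeca2",
                             "allowed_domainlist": ["www.example.com"], "ca_name": "acmeca"}},
  "keyid_03": {}
}"""

# Assumed defaults from the [CAhandler] section of acme_srv.cfg.
CAHANDLER_DEFAULTS = {"cert_profile_name": "acme_default", "ca_name": "ManagementCA"}


def profile_from_user_agent(user_agent):
    """Return the value of cert_profile_name=<value> in the User-Agent string, or None."""
    for token in user_agent.split():
        if token.startswith("cert_profile_name="):
            return token.split("=", 1)[1]
    return None


def resolve_enrollment(key_file, kid, user_agent, names):
    """Return (cert_profile_name, ca_name) to use for the account identified by kid.

    Assumptions: a list of profiles means 'these are permitted, the first is the default';
    allowed_domainlist entries are fnmatch-style patterns (so '*.acme' covers 'host.acme').
    Raises ValueError when the client asks for a profile or name outside its restrictions.
    """
    cfg = json.loads(key_file).get(kid, {}).get("cahandler", {})
    requested = profile_from_user_agent(user_agent)

    restriction = cfg.get("cert_profile_name")
    if restriction is None:                      # no per-account restriction
        profile = requested or CAHANDLER_DEFAULTS["cert_profile_name"]
    else:
        allowed = restriction if isinstance(restriction, list) else [restriction]
        if requested is not None and requested not in allowed:
            raise ValueError(f"profile {requested!r} not permitted for {kid}")
        profile = requested or allowed[0]

    for name in names:                           # CN and SANs from the CSR
        if "allowed_domainlist" in cfg and not any(
                fnmatch.fnmatchcase(name, pat) for pat in cfg["allowed_domainlist"]):
            raise ValueError(f"name {name!r} not in allowed_domainlist of {kid}")

    return profile, cfg.get("ca_name", CAHANDLER_DEFAULTS["ca_name"])
```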