Using EJBCA CA and OCSP with the WildFly v. 10 application server

Source: Imre kasutab arvutit

Introduction

EJBCA https://www.ejbca.org/ is PKI software written in Java. It comes in a Community and an Enterprise edition; this text describes using the Community edition.

How it works

EJBCA consists of several components, which can be used together or individually

  • CA
  • OCSP
  • TODO

Preparations

Preparing the operating system and the WildFly application server is described in the text Java rakendusserver WildFly (up to and including starting bin/standalone.sh and creating the admin user). Installing EJBCA is described at https://www.ejbca.org/docs/installation.html; the prerequisites are

  • operating system Ubuntu 16.04
  • OpenJDK v. 8
  • PostgreSQL database v. 9.4 (from the PGDG repository, UTF-8 and en_US.UTF-8)
  • WildFly v. 10 Java application server with a data source for the PostgreSQL database defined

An alternative is to use a ready-made virtual machine image, https://www.ejbca.org/download.html.

Preparing the database

It is assumed that a PostgreSQL v. 9.4 database is installed on the system or otherwise available (http://www.auul.pri.ee/wiki/Paketihaldusest_paigaldatud_PostgreSQL_kasutamine_operatsioonis%C3%BCsteemiga_Debian_Squeeze#PGDG_repositoorium) and that it can be used with UTF8 encoding. Then create a user for EJBCA and the database with create database

# su - postgres
$ psql
postgres=# create role ejbca login password 'ejbca' NOSUPERUSER INHERIT NOCREATEDB NOCREATEROLE;
postgres=# create database ejbca owner = ejbca;

The Java application server accesses the database through a JDBC driver, which can be fetched from https://jdbc.postgresql.org/download.html according to the Java and PostgreSQL versions, e.g.

# cd /tmp
# wget https://jdbc.postgresql.org/download/postgresql-9.4.1208.jar

To install the driver into WildFly, the WildFly process must be running; the following command is given at the jboss-cli prompt

[standalone@localhost:9990 /] module add --name=org.postgresql --resources=/tmp/postgresql-9.4.1208.jar --dependencies=javax.api,javax.transaction.api

as a result, the following files appear in the file system

/opt/wildfly/modules/org/postgresql/main/postgresql-9.4.1208.jar
/opt/wildfly/modules/org/postgresql/main/module.xml

Then run

[standalone@localhost:9990 /] /subsystem=datasources/jdbc-driver=postgresql:add(driver-name="postgresql",driver-module-name="org.postgresql",driver-class-name=org.postgresql.Driver)

and finally register the data source

[standalone@localhost:9990 /] data-source add --name=ejbcads --driver-name="postgresql" --connection-url="jdbc:postgresql://127.0.0.1/ejbca" --jndi-name="java:/ejbcads" --use-ccm=true --user-name="ejbca" --password="ejbca" --validate-on-match=true --background-validation=false --prepared-statements-cache-size=50 --share-prepared-statements=true --min-pool-size=5 --max-pool-size=150 --pool-prefill=true --transaction-isolation=TRANSACTION_READ_COMMITTED --check-valid-connection-sql="select 1"

where

  • it seems that case matters in the name value (ejbcads vs EJBCADS)

To test

[standalone@localhost:9990 /] /subsystem=datasources/data-source=ejbcads:test-connection-in-pool
{
    "outcome" => "success",
    "result" => [true]
}

The EJBCA application initialises the database when it is started for the first time.

Installing and starting the EJBCA software

The procedure is based on the guide https://www.ejbca.org/docs/installation.html

  • general part
  • WildFly 10 section

Unpack ejbca v. 6.3.1.1

# cd /opt/wildfly-home/tarkvara
# wget http://downloads.sourceforge.net/project/ejbca/ejbca6/ejbca_6_3_1_1/ejbca_ce_6_3_1_1.zip
# cd /opt
# unzip /opt/wildfly-home/tarkvara/ejbca_ce_6_3_1_1.zip
# chown -R wildfly:wildfly /opt/ejbca_ce_6_3_1_1

create a link

# ln -s /opt/ejbca_ce_6_3_1_1 /opt/ejbca

Copy the configuration files

# su - wildfly
$ cd /opt/ejbca
$ cp conf/ejbca.properties.sample conf/ejbca.properties
$ cp conf/install.properties.sample conf/install.properties
$ cp conf/cesecore.properties.sample conf/cesecore.properties
$ cp conf/database.properties.sample conf/database.properties

Specify the location of WildFly in the file system in the configuration file; the content of conf/ejbca.properties is then

$ egrep -v "^$|^#"  conf/ejbca.properties
appserver.home=/opt/wildfly
 
ejbca.cli.defaultusername=ejbca
ejbca.cli.defaultpassword=ejbca

The content of the configuration file conf/database.properties

$ egrep -v "^$|^#" conf/database.properties
datasource.jndi-name=ejbcads
database.name=postgres
database.url=jdbc:postgresql://127.0.0.1/ejbca
database.driver=org.postgresql.Driver
database.username=ejbca
database.password=ejbca

Adjust the WildFly configuration (the commands are given at the jboss-cli prompt)

/subsystem=remoting/http-connector=http-remoting-connector:remove
/subsystem=remoting/http-connector=http-remoting-connector:add(connector-ref="remoting",security-realm="ApplicationRealm")
/socket-binding-group=standard-sockets/socket-binding=remoting:add(port="4447")
/subsystem=undertow/server=default-server/http-listener=remoting:add(socket-binding=remoting)
:reload
/subsystem=logging/logger=org.ejbca:add
/subsystem=logging/logger=org.ejbca:write-attribute(name=level, value=DEBUG)
/subsystem=logging/logger=org.cesecore:add
/subsystem=logging/logger=org.cesecore:write-attribute(name=level, value=DEBUG)
/subsystem=undertow/server=default-server/http-listener=default:remove
/socket-binding-group=standard-sockets/socket-binding=http:remove
:reload

Compile the EJBCA application and deploy it without touching the WildFly configuration

$ ant clean deployear

As a result the application is deployed

[standalone@localhost:9990 /] deployment-info
NAME      RUNTIME-NAME PERSISTENT ENABLED STATUS 
ejbca.ear ejbca.ear    false      true    OK   

and the tables have been created in the database

                  List of relations
 Schema |            Name             | Type  | Owner 
--------+-----------------------------+-------+-------
 public | accessrulesdata             | table | ejbca
 public | adminentitydata             | table | ejbca
 public | admingroupdata              | table | ejbca
 public | adminpreferencesdata        | table | ejbca
 public | approvaldata                | table | ejbca
  ...

Then run the installation script and answer its prompts

$ ant runinstall
..
   [echo] Common Name (CN) of httpsserver dn is by default taken from the httpsserver.hostname.
   [input] Please enter the server dn (default: CN=localhost,O=EJBCA Sample,C=SE) ? [CN=localhost,O=EJBCA Sample,C=SE]
   [input] Please enter the superadmin cn (default: SuperAdmin) ? [SuperAdmin]
   [input] Please enter the superadmin dn (default: CN=SuperAdmin) ? [CN=SuperAdmin]
   [input] Please enter the if superadmin keystore should be batched (default: true) ? [true]
   Please enter the superadmin password (default: ejbca) ? [ejbca]
   ejbca:deploytrustprompt:
   Please enter the password of the truststore with the CA certificate for https? [changeit]
   ejbca:deployprompt:
   Please enter the password of the keystore with the TLS key for https [serverpwd]

ejbca:init:
    [echo] 
    [echo] ------------------- CA Properties ----------------
    [echo] ca.name                : ManagementCA
    [echo] ca.dn                  : CN=ManagementCA,O=EJBCA Sample,C=SE
    [echo] ca.tokentype           : soft
    [echo] ca.keytype             : RSA
    [echo] ca.keyspec             : 2048
    [echo] ca.signaturealgorithm  : SHA256WithRSA
    [echo] ca.validity            : 3650
    [echo] ca.policy              : null
    [echo] ca.tokenproperties     : ${ca.tokenproperties}
    [echo] httpsserver.hostname   : localhost
    [echo] httpsserver.dn         : CN=localhost,O=EJBCA Sample,C=SE
    [echo] superadmin.cn          : SuperAdmin
    [echo] superadmin.dn          : CN=SuperAdmin
    [echo] superadmin.batch       : true
    [echo] appserver.home         : /opt/wildfly
    [echo]

ejbca:initCA:
    [echo] Initializing CA with 'ManagementCA' 'CN=ManagementCA,O=EJBCA Sample,C=SE' 'soft' <ca.tokenpassword hidden> '2048' 'RSA' '3650' 'null' 'SHA256WithRSA'   -superadmincn 'SuperAdmin'...
    [java] SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
    [java] SLF4J: Defaulting to no-operation (NOP) logger implementation
    [java] SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
    [java] Initializing CA
    [java] Generating rootCA keystore:
    [java] CA Type:x509
    [java] CA name: ManagementCA
    [java] SuperAdmin CN: SuperAdmin
    [java] DN: CN=ManagementCA,O=EJBCA Sample,C=SE
    [java] CA token type: soft
    [java] CA token password: hidden
    [java] Keytype: RSA
    [java] Keyspec: 2048
    [java] Validity (days): 3650
    [java] Policy ID: null
    [java] Signature alg: SHA256WithRSA
    [java] Certificate profile: ROOTCA
    [java] CA token properties: {}
    [java] Signed by: Self signed
    [java] Initalizing authorization module with caid=1652389506 and superadmin CN 'SuperAdmin'.
    [java] Creating CA...
    [java] CAId for created CA: 1652389506
    [java] Created and published initial CRL.
    [java] CA initialized
    [java] Note that any open browser sessions must be restarted to interact with this CA.

ejbca:adminweb:
    [java] SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
    [java] SLF4J: Defaulting to no-operation (NOP) logger implementation
    [java] SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
    [java] Using certificate profile: SERVER, with id: 9
    [java] Trying to add end entity:
    [java] Username: tomcat
    [java] Password: <password hidden>
    [java] DN: CN=localhost,O=EJBCA Sample,C=SE
    [java] CA Name: ManagementCA
    [java] SubjectAltName: dnsName=localhost,IPAddress=127.0.0.1
    [java] Email: null
    [java] Type: 1
    [java] Token: JKS
    [java] Certificate profile: 9
    [java] End entity profile: 1
    [java] User 'tomcat' has been added.
    [java] Note: If batch processing should be possible, also use 'ra setclearpwd tomcat <pwd>'.
    [java] SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
    [java] SLF4J: Defaulting to no-operation (NOP) logger implementation
    [java] SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
    [java] Setting clear text password for user tomcat
    [echo] batch tomcat
    [java] SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
    [java] SLF4J: Defaulting to no-operation (NOP) logger implementation
    [java] SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
    [java] Generating keys in directory /opt/ejbca_ce_6_3_1_1/p12.
    [java] Loading configuration from defaults.
    [java] Generating RSA keys of size 2048 for tomcat.
    [java] Created Keystore for 'tomcat'.
    [java] New user generated successfully - tomcat.
    [java] SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
    [java] SLF4J: Defaulting to no-operation (NOP) logger implementation
    [java] SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
    [java] Using certificate profile: ENDUSER, with id: 1
    [java] Trying to add end entity:
    [java] Username: superadmin
    [java] Password: <password hidden>
    [java] DN: CN=SuperAdmin
    [java] CA Name: ManagementCA
    [java] SubjectAltName: null
    [java] Email: null
    [java] Type: 1
    [java] Token: P12
    [java] Certificate profile: 1
    [java] End entity profile: 1
    [java] User 'superadmin' has been added.
    [java] Note: If batch processing should be possible, also use 'ra setclearpwd superadmin <pwd>'.
    [java] SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
    [java] SLF4J: Defaulting to no-operation (NOP) logger implementation
    [java] SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
    [java] Setting clear text password for user superadmin

ejbca:batchsuperadmin:
    [echo] batch superadmin
    [java] SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
    [java] SLF4J: Defaulting to no-operation (NOP) logger implementation
    [java] SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
    [java] Generating keys in directory /opt/ejbca_ce_6_3_1_1/p12.
    [java] Loading configuration from defaults.
    [java] Generating RSA keys of size 2048 for superadmin.
    [java] Created Keystore for 'superadmin'.
    [java] New user generated successfully - superadmin.

ejbca:deploytrustprompt:
   [input] skipping input as property java.trustpassword has already been set.

ejbca:javatruststore:
   [input] skipping input as property ca.name has already been set.
    [echo] Getting root certificate in DER format...
    [echo] ca getcacert "ManagementCA" /tmp/rootca.der -der
    [java] SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder".
    [java] SLF4J: Defaulting to no-operation (NOP) logger implementation
    [java] SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details.
    [java] Wrote CA certificate to '/tmp/rootca.der' using DER encoding.
    [echo] Adding to or creating keystore: /opt/ejbca_ce_6_3_1_1/p12/truststore.jks

ejbca:javatruststore-removeold:
    [exec] Certificate was added to keystore
    [exec] [Storing /opt/ejbca_ce_6_3_1_1/p12/truststore.jks]
  [delete] Deleting: /tmp/rootca.der

BUILD SUCCESSFUL
Total time: 2 minutes 59 seconds
$ ant deploy-keystore

Then, at the jboss-cli prompt
/interface=http:add(inet-address="0.0.0.0")
/interface=httpspub:add(inet-address="0.0.0.0")
/interface=httpspriv:add(inet-address="0.0.0.0")
/socket-binding-group=standard-sockets/socket-binding=http:add(port="8080",interface="http")
/subsystem=undertow/server=default-server/http-listener=http:add(socket-binding=http)
/subsystem=undertow/server=default-server/http-listener=http:write-attribute(name=redirect-socket, value="httpspriv")
:reload

After that, errors occur

..
01:07:33,088 ERROR [org.jboss.as.controller.management-operation] (Controller Boot Thread) WFLYCTL0013: Operation ("deploy") failed -  address: ([("deployment" => "ejbca.ear")]) - failure description: {"WFLYCTL0288: One or more services were unable to start due to one or  more indirect dependencies not being available." => {
   "Services that were unable to start:" => [
       "jboss.deployment.subunit.\"ejbca.ear\".\"adminweb.war\".PARSE",
       "jboss.deployment.subunit.\"ejbca.ear\".\"cesecore-ejb.jar\".PARSE",
       "jboss.deployment.subunit.\"ejbca.ear\".\"clearcache.war\".PARSE",
       "jboss.deployment.subunit.\"ejbca.ear\".\"cmp.war\".PARSE",
       "jboss.deployment.subunit.\"ejbca.ear\".\"doc.war\".PARSE",
       "jboss.deployment.subunit.\"ejbca.ear\".\"edition-specific-ejb.jar\".PARSE",
       "jboss.deployment.subunit.\"ejbca.ear\".\"ejbca-ejb.jar\".PARSE",
       "jboss.deployment.subunit.\"ejbca.ear\".\"ejbca-ws-ejb.jar\".PARSE",
       "jboss.deployment.subunit.\"ejbca.ear\".\"healthcheck.war\".PARSE",
       "jboss.deployment.subunit.\"ejbca.ear\".\"publicweb.war\".PARSE",
       "jboss.deployment.subunit.\"ejbca.ear\".\"scep.war\".PARSE",
       "jboss.deployment.subunit.\"ejbca.ear\".\"status.war\".PARSE",
       "jboss.deployment.subunit.\"ejbca.ear\".\"webdist.war\".PARSE",
       "jboss.deployment.unit.\"ejbca.ear\".PARSE"
   ],
   "Services that may be the cause:" => ["jboss.binding.httpspriv"]
}}
...

The error log names the missing httpspriv socket binding as the likely cause; the following jboss-cli commands define it together with the SSL realm, the httpspub binding and the https listeners
/core-service=management/security-realm=SSLRealm:add()
/core-service=management/security-realm=SSLRealm/server-identity=ssl:add(keystore-path="${jboss.server.config.dir}/keystore/keystore.jks", keystore-password="serverpwd", alias="localhost")
/core-service=management/security-realm=SSLRealm/authentication=truststore:add(keystore-path="${jboss.server.config.dir}/keystore/truststore.jks", keystore-password="changeit")
/socket-binding-group=standard-sockets/socket-binding=httpspriv:add(port="8443",interface="httpspriv")
/socket-binding-group=standard-sockets/socket-binding=httpspub:add(port="8442", interface="httpspub")
:reload
/subsystem=undertow/server=default-server/https-listener=httpspriv:add(socket-binding=httpspriv, security-realm="SSLRealm", verify-client=REQUIRED)
/subsystem=undertow/server=default-server/https-listener=httpspub:add(socket-binding=httpspub, security-realm="SSLRealm")
:reload
/system-property=org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH:add(value=true)
/system-property=org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH:add(value=true)
/system-property=org.apache.catalina.connector.URI_ENCODING:add(value="UTF-8")
/system-property=org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING:add(value=true)
/subsystem=webservices:write-attribute(name=wsdl-host, value=jbossws.undefined.host)
/subsystem=webservices:write-attribute(name=modify-wsdl-address, value=true)
:reload
:shutdown(restart=true)

As a result it is possible to log in to the administration interface at https://192.168.10.46:8443/ejbca/adminweb/; to use it, the client certificate /opt/ejbca/p12/superadmin.p12 must be loaded into the browser

[image: Ejbca-1.gif]

where

  • TODO

Usage

Web-based GUI

EJBCA application command line

Listing roles

$ bin/ejbca.sh roles listroles
RAAdministratorRole (0 admins)
Super Administrator Role (2 admins)

Asking for help

$ bin/ejbca.sh roles listroles --help

LISTROLES            EJBCA CLI Commands Manual            LISTROLES

NAME
    listroles - Lists admin roles

SYNOPSIS
    listroles [OPTIONAL PARAMETERS]

DESCRIPTION
    Lists admin roles

PARAMETERS
   Optional parameters:
       --clipassword <CLI_PASSWORD>
           Set the password explicitely in the command line with --clipassword=<password>
       --verbose
           Set this value for verbose output of parameter values.
       -p <User will be prompted, input will not be shown>
           Set this flag to be prompted for the username password
       -u <CLI_USERNAME>
           Username for the CLI user, if required.
  • copying the CA certificate
$ bin/ejbca.sh ca getcacert ManagementCA /tmp/failinimi.pem
Wrote CA certificate to '/tmp/m.pem' using PEM encoding.
  • creating a certificate from a request (PKCS#10, i.e. an ordinary openssl-generated request file)
$ bin/ejbca.sh createcert --username infra --password infra -c /tmp/req.pem -f /tmp/req-cert.pem
PEM certificate written to file '/tmp/req-cert.pem'
  • adding an end entity
$ bin/ejbca.sh ra addendentity --username infra6 --dn "C=EE, O=Moraal, CN=moraal6" --caname "ManagementCA" --type 1 \
  --token P12 --certprofile "AdministratorEndEntityCertificateProfile" --eeprofile "AdministratorEndEntityProfile" \
  --password infra6

Using certificate profile: AdministratorEndEntityCertificateProfile, with id: 771189990
Using entity profile: AdministratorEndEntityProfile, with id: 1686390533
Trying to add end entity:
Username: infra6
Password: <password hidden>
DN: C=EE, O=Moraal, CN=moraal6
CA Name: ManagementCA
SubjectAltName: null
Email: null
Type: 1
Token: P12
Certificate profile: 771189990
End entity profile: 1686390533
User 'infra6' has been added.
Note: If batch processing should be possible, also use 'ra setclearpwd infra6 <pwd>'.
  • adding an end entity to an admin role
$ bin/ejbca.sh roles addadmin --role "Super Administrator Role" --caname "ManagementCA" \
  --with WITH_COMMONNAME --type TYPE_EQUALCASE --value moraal7

Testing

  • OCSP query about the default-generated CA certificate itself; the certificate can be downloaded from the public web interface
https://192.168.10.46:8443/ejbca/ -> Fetch CA certificates -> CA certificate: Download as PEM

and the OCSP query is issued from the ejbca host to itself

# openssl ocsp -VAfile /var/tmp/ManagementCA.pem -issuer /var/tmp/ManagementCA.pem -cert /var/tmp/ManagementCA.pem -url http://127.0.0.1:8080/ejbca/publicweb/status/ocsp
Response verify OK
/var/tmp/ManagementCA.pem: good
       This Update: Jul 11 21:55:56 2016 GMT
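An added example, not part of the original page, that wraps the openssl ocsp query above into a check usable from a monitoring job: the status is accepted only when the response signature verified against the CA certificate, and the result is mapped to an exit code. The responder URL follows the page's http://<host>:8080/ejbca/publicweb/status/ocsp pattern; the host and file names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original page): query the EJBCA OCSP responder
# for one certificate and turn the openssl output into a monitoring result.
# Assumes openssl is installed and the responder URL follows the page's
# http://<host>:8080/ejbca/publicweb/status/ocsp pattern (host is a placeholder).

# classify_ocsp: reads raw "openssl ocsp" output on stdin and prints one of
#   good | revoked | unknown | unverified | error
# Exit code: 0 good, 1 revoked, 2 unknown or unverified, 3 no status found.
# A status is only trusted when the response signature verified, so a "good"
# without "Response verify OK" is reported as "unverified", not as good.
classify_ocsp() {
    out=$(cat)
    verified=0
    printf '%s\n' "$out" | grep -q '^Response verify OK' && verified=1
    # the status line looks like "/var/tmp/ManagementCA.pem: good"
    status=$(printf '%s\n' "$out" \
        | sed -E -n 's/^[^ ]+: (good|revoked|unknown)$/\1/p' | head -n 1)
    if [ -z "$status" ]; then
        echo error
        return 3
    fi
    if [ "$verified" -ne 1 ]; then
        echo unverified
        return 2
    fi
    echo "$status"
    case "$status" in
        good)    return 0 ;;
        revoked) return 1 ;;
        *)       return 2 ;;
    esac
}

# check_ocsp <ca.pem> <cert.pem> <responder-url>
# -VAfile is the certificate the response must be signed by: the CA itself when
# EJBCA signs OCSP responses with the CA key (the page's setup); if a separate
# OCSP signing certificate is configured, pass that file as -VAfile instead.
check_ocsp() {
    openssl ocsp -VAfile "$1" -issuer "$1" -cert "$2" -url "$3" 2>&1 | classify_ocsp
}

# usage: ./ocsp-check.sh /var/tmp/ManagementCA.pem /var/tmp/user.pem \
#            http://127.0.0.1:8080/ejbca/publicweb/status/ocsp
if [ "$#" -eq 3 ]; then
    check_ocsp "$@"
    exit $?
fi
```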

CA root certificate

  • Signature Algorithm: sha256WithRSAEncryption
  • Issuer: C=EE, O=Moraal OÜ, CN=EE Moraal Root CA/emailAddress=pki@moraal.ee
  • Validity: 20 years
  • Key length: 2048 bit

X509v3 extensions:

  • X509v3 Basic Constraints: critical - CA:TRUE
  • Key Usage: critical - Certificate Sign, CRL Sign
  • X509v3 Subject Key Identifier: XXX
  • X509v3 Extended Key Usage: non critical - TLS Web Client Authentication, TLS Web Server Authentication, Code Signing, E-mail Protection, Time Stamping, OCSP Signing

Creating EJBCA v. 4 access from the command line

It turns out that when browser access to the EJBCA service has been lost but the system itself is working, a new user can probably be created from the command line, and in the end browser access to the EJBCA administration interface can be regained as well. (For training purposes it may be worth practising the command-line usage first on a fully working EJBCA v. 6 installation.) To do this

  • get to know the system with the bin/ejbca.sh utility
$ bin/ejbca.sh
$ bin/ejbca.sh admins listadmins "Super Administrators"
$ bin/ejbca.sh ra listusers 00
$ bin/ejbca.sh ca exportprofiles /tmp/profiles
$ bin/ejbca.sh admins listgroups
  • create a new user (an End Entity in EJBCA v. 6 terms)
$ bin/ejbca.sh ra adduser imre imre "UID=imre, C=EE, O=Moraal, CN=imre" "rfc822Name=imre@moraal.ee" \
  "Fixtee55_Person_CA" "imre@moraal.ee" 1 USERGENERATED "Fixtee55_Person_Signing" "AdminMORAAL"

where the command run on its own lists the existing CAs, End Entity profiles etc. and prints the command-line help

$ bin/ejbca.sh ra adduser
  • create a certificate for yourself (based on a so-called ordinary certificate request prepared beforehand, e.g. with openssl)
$ bin/ejbca.sh createcert imre imre /var/tmp/imre-req.pem /var/tmp/imre-cert.pem
  • add your own user to the list of EJBCA administrators
$ bin/ejbca.sh admins addadmin "Super Administrators" "Fixtee55_Person_CA" WITHUID EQUALCASE imre

Then create a client certificate in .p12 format (the input is the private key and the issued certificate, not the request)

$ cat /var/tmp/imre-key.pem /var/tmp/imre-cert.pem > /var/tmp/imre-sisend-p12
$ openssl pkcs12 -export -in /var/tmp/imre-sisend-p12 -out /var/tmp/imre.p12

Load it into the browser and access the service on port 8443 in the usual way.
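An added example, not from the original page, for the .p12 step above: it refuses to export when the second file is a request rather than a certificate and checks that the certificate actually belongs to the key before calling openssl pkcs12. The file names are placeholders and the export password is read from the P12_PASSWORD environment variable (an assumption of this script, not of EJBCA).

```shell
#!/bin/sh
# Added example (not from the original page): build the browser PKCS#12 file
# from the private key and the certificate EJBCA issued for it. It refuses the
# easy mistake of using the request (CSR) instead of the certificate and checks
# that the certificate really belongs to the key before exporting.
# Assumes openssl is installed; file names are placeholders. The export
# password comes from $P12_PASSWORD (if unset, openssl prompts for it).

# pubkey_of <pem-file>: print the public key (SPKI PEM) of a certificate or of
# a private key, so the two can be compared as text.
pubkey_of() {
    if grep -q '^-----BEGIN CERTIFICATE-----$' "$1"; then
        openssl x509 -in "$1" -noout -pubkey 2>/dev/null
    else
        openssl pkey -in "$1" -pubout 2>/dev/null
    fi
}

# make_p12 <key.pem> <cert.pem> <out.p12>
# Returns 0 on success, 1 if cert.pem is not a certificate (e.g. it is the CSR),
# 2 if the certificate does not match the key, 3 if openssl pkcs12 failed.
make_p12() {
    key=$1; cert=$2; out=$3
    if ! grep -q '^-----BEGIN CERTIFICATE-----$' "$cert"; then
        echo "make_p12: $cert is not a certificate (is it the request?)" >&2
        return 1
    fi
    if [ "$(pubkey_of "$cert")" != "$(pubkey_of "$key")" ]; then
        echo "make_p12: $cert does not belong to $key" >&2
        return 2
    fi
    if [ -n "$P12_PASSWORD" ]; then
        export P12_PASSWORD
        passopt="-passout env:P12_PASSWORD"   # keeps the password out of argv
    else
        passopt=""                            # openssl prompts interactively
    fi
    # The CA chain is not bundled; the browser trusts the CA separately.
    openssl pkcs12 -export -inkey "$key" -in "$cert" -out "$out" $passopt \
        || return 3
    chmod 600 "$out"
}

# usage: P12_PASSWORD=... ./make-p12.sh /var/tmp/imre-key.pem \
#            /var/tmp/imre-cert.pem /var/tmp/imre.p12
if [ "$#" -eq 3 ]; then
    make_p12 "$@"
    exit $?
fi
```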

Backup and restore

TODO

Useful additional material