Install EJBCA enterprise class PKI Certificate Authority on CentOS, RHEL, Fedora, Debian, Ubuntu

Overview

EJBCA is an enterprise class PKI Certificate Authority built on JEE technology. It is a robust, high performance, platform independent, flexible, and component based CA to be used stand-alone or integrated in other JEE applications.

You can use EJBCA to build a complete PKI infrastructure for your organization (source: www.ejbca.org).

I could not find a good installation guide on the web, so this post is my effort to reduce someone else's ordeal.


Install the MySQL database server and OpenJDK. You can also use the JDK from Sun/Oracle, but I would recommend OpenJDK, as does the official EJBCA website.

On Ubuntu, Debian


# apt-get install openjdk-6-jre mysql-server mysql-client

On CentOS, RHEL, Fedora


# yum install java-1.6.0-openjdk java-1.6.0-openjdk-devel mysql-server

Start the database and create a database and a user for EJBCA.


# /etc/init.d/mysqld start
# mysql -uroot -p
mysql> create database ejbcadb;
mysql> grant all on ejbcadb.* to 'ejbcauser'@'localhost' identified by 'ejbca@123';

Make sure the server's hostname resolves via DNS, or add an entry to the hosts file.


# vi /etc/hosts

Append a line with the server's IP address followed by its hostname so that it is resolvable.


192.168.209.146 ejbca.linuxdrops.com

Verify the Java version. Sample output from my machine:


[root@localhost ~]# java -version
java version "1.6.0_24"
OpenJDK Runtime Environment (IcedTea6 1.11.5) (rhel-1.50.1.11.5.el6_3-x86_64)
OpenJDK 64-Bit Server VM (build 20.0-b12, mixed mode)

If you see some other version, use alternatives (or update-alternatives on Debian/Ubuntu) to select Java 1.6.

Create the user ejbca and set its password.


# useradd ejbca
# passwd ejbca

Download the following packages: Apache Ant, JBoss, EJBCA and the MySQL Connector/J JDBC driver.


# cd /home/ejbca
# wget http://apache.techartifact.com/mirror//ant/binaries/apache-ant-1.8.4-bin.zip
# wget http://sourceforge.net/projects/jboss/files/JBoss/JBoss-5.1.0.GA/jboss-5.1.0.GA-jdk6.zip
# wget http://sourceforge.net/projects/ejbca/files/ejbca4/ejbca_4_0_16/ejbca_4_0_16.zip
# wget -O mysql-connector-java-5.1.22.zip http://dev.mysql.com/get/Downloads/Connector-J/mysql-connector-java-5.1.22.zip/from/http://cdn.mysql.com/

Unzip them all.


# unzip apache-ant-1.8.4-bin.zip
# unzip jboss-5.1.0.GA-jdk6.zip
# unzip mysql-connector-java-5.1.22.zip
# unzip ejbca_4_0_16.zip

Create symlinks for Apache Ant, JBoss and EJBCA.


# cd /usr/local
# ln -s /home/ejbca/jboss-5.1.0.GA jboss
# ln -s /home/ejbca/ejbca_4_0_16 ejbca
# ln -s /home/ejbca/apache-ant-1.8.4 ant

Copy the MySQL Connector/J jar file to the JBoss lib directory.


# cp /home/ejbca/mysql-connector-java-5.1.22/mysql-connector-java-5.1.22-bin.jar /usr/local/jboss/server/default/lib/

Change the ownership of the jboss and ejbca directories to the ejbca user.


# chown -R ejbca jboss/
# chown -R ejbca ejbca

Open the .bash_profile file in the ejbca user's home directory and set the following variables.


# vi /home/ejbca/.bash_profile

Append these variables to it.


APPSRV_HOME=/usr/local/jboss
JAVA_OPTS="-Xmx512M"
EJBCA_HOME=/usr/local/ejbca
ANT_HOME=/usr/local/ant
ANT_OPTS="-Xmx512M"
PATH=${APPSRV_HOME}/bin:${EJBCA_HOME}/bin:${ANT_HOME}/bin:$PATH
export PATH APPSRV_HOME JAVA_OPTS EJBCA_HOME ANT_HOME ANT_OPTS

Log in as the ejbca user and move to the conf directory.


$ cd /usr/local/ejbca/conf/

Now you have to set some properties such as the Certificate Authority's Distinguished Name and the validity of the CA; these values vary between installations. The table below explains some of the important ones and shows the values I used for my setup. You can take a cue from these and customize your own setup.

First create the properties files from the sample files.


$ cp web.properties.sample web.properties
$ cp database.properties.sample database.properties
$ cp ejbca.properties.sample ejbca.properties
$ cp install.properties.sample install.properties

Open the database.properties file in your favourite editor.


$ vi database.properties

Uncomment and set the following properties.


database.name=mysql
database.url=jdbc:mysql://127.0.0.1:3306/ejbcadb
database.driver=com.mysql.jdbc.Driver
database.username=ejbcauser
database.password=ejbca@123

Open install.properties, web.properties and ejbca.properties and set the values shown in the table below.

EJBCA important properties (remarks and the value I used for each)

ca.dn
  Remarks: CN is the common name (the name of the subscriber or the domain name the certificate is issued for), O is the organization name, C is the two-letter ISO country code (or omitted).
  What I used: ca.dn=CN=LinuxDrops Root Certificate Authority,O=LinuxDrops Pvt Ltd,C=US

ca.name
  Remarks: short name for the administrative CA.
  What I used: LinuxDropsCA01

ca.keytype
  Remarks: the key type for the administrative CA; can be RSA, ECDSA or DSA.
  What I used: RSA

ca.validity
  Remarks: the validity in days for the administrative CA (digits only).
  What I used: 3650

ca.keystorepass
  Remarks: this password is used internally to protect CA keystores in the database (i.e. the CA's private key).
  What I used: Secret@123#

java.trustpassword
  Remarks: password for the Java trust keystore (p12/truststore.jks).
  What I used: Secret@123

ca.keystorepass
  Remarks: the password used for the keystore in the HTTP server.
  What I used: HTTPSecret

superadmin.password
  Remarks: the password used to protect the generated super administrator P12 keystore.
  What I used: 123@abc

httpsserver.password
  Remarks: the password used to protect the web server's SSL keystore.
  What I used: abc@123

httpsserver.hostname
  Remarks: this entry will be placed in the certificate that the JBoss web server application will use.
  What I used: ejbca.linuxdrops.com

httpsserver.dn
  Remarks: the DN of the SSL server certificate.
  What I used: CN=${httpsserver.hostname},O=LinuxDrops Pvt Ltd,C=US

Note: I am not using strong passwords as this installation is in a test environment; you should always use unique and strong passwords when installing for a production environment.
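A small sanity check for the edited properties files, added here as an example and not part of the original post or of EJBCA itself: it parses the Java .properties format, flags password properties that are still equal to the shipped .sample default or shorter than 12 characters, and verifies that ca.dn and httpsserver.dn use comma-separated RDNs, that ca.validity is digits only and that ca.keytype is one of the values the table allows. The sample-file contents and the 12-character minimum are constructed assumptions.

```python
import re
# Password properties this guide sets; compared against the shipped .sample copies.
PASSWORD_KEYS = {"ca.keystorepass", "java.trustpassword", "superadmin.password",
                 "httpsserver.password", "database.password"}
KEY_TYPES = {"RSA", "ECDSA", "DSA"}  # allowed ca.keytype values from the table

def parse_properties(text):
    # Java .properties: skip blanks and comments, split each line on the first '='.
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith(("#", "!")) and "=" in line:
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def check_dn(dn):
    # A DN is comma-separated attr=value pairs; spaces inside a value are fine.
    return all(re.fullmatch(r"\s*[A-Za-z]+=[^,=]+", p) for p in dn.split(","))

def audit(props, sample, min_len=12):
    # Flag passwords left at the sample default or too short, DNs without comma
    # separators, a non-numeric ca.validity and an unsupported ca.keytype.
    findings = []
    for key, value in props.items():
        if key in PASSWORD_KEYS and value == sample.get(key):
            findings.append(f"{key}: still the sample default")
        elif key in PASSWORD_KEYS and len(value) < min_len:
            findings.append(f"{key}: shorter than {min_len} characters")
    for key in ("ca.dn", "httpsserver.dn"):
        if key in props and not check_dn(props[key]):
            findings.append(f"{key}: not a comma-separated DN")
    if "ca.validity" in props and not props["ca.validity"].isdigit():
        findings.append("ca.validity: must be digits only (days)")
    if "ca.keytype" in props and props["ca.keytype"] not in KEY_TYPES:
        findings.append("ca.keytype: must be RSA, ECDSA or DSA")
    return findings

# Constructed stand-ins: placeholder sample defaults, and edited values from this guide
# (httpsserver.dn deliberately left without commas to show that check firing).
SAMPLE = parse_properties("superadmin.password=sampledefault\nhttpsserver.password=sampledefault\n")
EDITED = parse_properties("""
ca.dn=CN=LinuxDrops Root Certificate Authority,O=LinuxDrops Pvt Ltd,C=US
ca.keytype=RSA
ca.validity=3650
superadmin.password=123@abc
httpsserver.password=sampledefault
httpsserver.dn=CN=${httpsserver.hostname} O=LinuxDrops Pvt Ltd C=US
""")
def audit_guide_config():
    return audit(EDITED, SAMPLE)
```

Run it against the real files by reading each edited file and its .sample counterpart, merging the dictionaries, and passing them to audit() before running ant bootstrap.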

Next we will compile all source files and bundle the binary code and the configuration into an "ear file" (think of it as a zip file with a standardized structure) that will be copied into the JBoss directory and executed as an application on the JBoss platform. We will use Ant to perform the bootstrap (installation) of EJBCA.


$ cd /usr/local/ejbca
$ ant bootstrap

Wait for a line saying the build was successful:

BUILD SUCCESSFUL
Total time: 36 seconds

Check that the files have been installed in the JBoss deploy directory.


[ejbca@ejbca conf]$ ls -l /usr/local/jboss/server/default/deploy/ejbca*
-rw------- 1 ejbca ejbca 3344 Nov 7 06:27 /usr/local/jboss/server/default/deploy/ejbca-ds.xml
-rw-rw-r-- 1 ejbca ejbca 29215987 Nov 7 06:27 /usr/local/jboss/server/default/deploy/ejbca.ear
-rw------- 1 ejbca ejbca 2092 Nov 7 06:27 /usr/local/jboss/server/default/deploy/ejbca-mail-service.xml

Change to the JBoss directory and execute the JBoss startup script, run.sh.


$ cd /usr/local/jboss
$ ./bin/run.sh

Open a new terminal and log in to the MySQL database using the ejbcauser account.


$ mysql ejbcadb -u ejbcauser -p
mysql> use ejbcadb
mysql> show tables;

Note: If you don't see any tables in your MySQL database, do NOT proceed: the bootstrap process has not been successful, and you need it to continue.

Now that you have confirmed that the JBoss application server is running correctly and the database tables have been created, we will run the final installation steps to create the first CA and the superadmin user.

Change to the EJBCA installation directory and run ant install.


$ cd /usr/local/ejbca
$ ant install

Before we continue, stop JBoss so it can pick up the changes you are about to make in the next step. If JBoss is running (it should be), press Ctrl-C in the console where you started it, or run:


$ cd /usr/local/jboss
$ ./bin/shutdown.sh -S

Change to the ejbca directory and execute ant deploy.


$ cd /usr/local/ejbca
$ ant deploy

Start JBoss.


$ cd /usr/local/jboss
$ ./bin/run.sh

Now you can access the public web interface straight away.

http://ip-address-or-dnsname:8080/ejbca

To access the administration web interface you need to import the superadmin certificate (superadmin.p12) into your browser. Copy the file to your workstation and import it. In Firefox go to Edit -> Preferences -> Advanced -> Encryption -> View Certificates -> Import. You will be prompted for a password; enter the superadmin.password.


$ cd /usr/local/ejbca/p12/
$ ls
-rw-rw-r-- 1 ejbca ejbca 3006 Nov 7 06:25 superadmin.p12

Once done, access the admin console.

https://ipaddress-or-dnsname:8443/ejbca/adminweb
