Using EJBCA with an existing Samba Active Directory + PKI setup

[oliviermartin]

Hello all,
I have a lab setup in which I have created my own PKI using openssl. It is a simple PKI with a root CA, two intermediates CA (User CA and Service CA).
In this lab setup, I also have a Samba Active Directory.
Now, I would like to use ECBJA to manage my user certificates.
I managed to deploy EJBCA (v8.3.2) into WildFly (26).

My understanding for my setup is I should go for 'Install EJBCA as a CA without a Management CA' as my management CA is in my case "User CA".
To access the ECJBA website, I would also have to have a HTTPS certificate.

I have created my P12 keystore such as:

openssl pkcs12 -export -name https -in /etc/pki/codeur.org/ca/service-ca/https.crt -inkey /etc/pki/codeur.org/ca/service-ca/private/https.key -out truststore.jks
keytool -import -alias RootCA -trustcacerts -file /etc/pki/ca/root-ca.crt -keystore truststore.jks
keytool -import -alias UserCA -trustcacerts -file /etc/pki/ca/user-signing-ca.crt -keystore truststore.jks
keytool -import -alias ServiceCA -trustcacerts -file /etc/pki/ca/service-ca.crt -keystore truststore.jks

I copied it to /opt/ejbca/p12/truststore.jks. Keystore password matches java.trustpassword.

When I wanted to deploy my keystore:

sudo ant deploy-keystore
Buildfile: /opt/ejbca-ce-r8.3.2/build.xml

customejbca.message:
     [echo] No custom changes to merge.

deprecated:check:

customejbca.message:

deprecated:notify:

deploy-keystore:

customejbca.message:

set-paths-jboss7:

set-paths:

jee:check:
     [echo] Using appserver.home : /opt/wildfly

jee:keystore:
     [echo] Using JBoss deploy directory /opt/wildfly/standalone/deployments

BUILD FAILED
/opt/ejbca-ce-r8.3.2/build.xml:842: The following error occurred while executing this line:
/opt/ejbca-ce-r8.3.2/bin/jboss.xml:88: Missing JKS keystore file in '/opt/ejbca-ce-r8.3.2/p12/tomcat.p12'

Total time: 0 seconds

I cannot see any mention of tomcat.p12 in my configuration files or EJBCA documentation.

BTW, I guess in my 'truststore.jks' I must also have at least two certificates: one that matches superadmin.dn and one that matches httpsserver.dn if I want to start the web GUI?

[primetomas]

toimcat.p12 is the TLS server certificate itself. It's usually issued from the same Management CA, but can be from any other CA as long as it can issue TLS server certificates for the correct DNS name.
Typically truststore.jks only need to contain the Root as the issuing CA is typically part of the TLS handshake.

[primetomas]

Did you import the CA certificate as described here

[oliviermartin]

In this page, I only called ant deploy-keystore from the section Deploy TLS Keystores to WildFly.
The reason I did not call the two other commands is:

• Adding in Other Management CAs to the Key Store: I understood it such as I should call this command in case I wanted to add other management CA in addition to my root management CA (in my case Root CA and User CA from my original PKI)
• Import the Management CA Certificate: It is mentioned RA UI and I do not have access to the UI yet.

As mentioned in my previous message, my certificates seem to be present in WildFly:

$ sudo keytool -list -keystore /opt/wildfly/standalone/configuration/keystore/truststore.p12
Enter keystore password:
Keystore type: PKCS12
Keystore provider: SUN

Your keystore contains 5 entries

https, Nov 20, 2024, PrivateKeyEntry,
Certificate fingerprint (SHA-256): F9:AF:F0:60:06:05:2C:CE:0A:73:0D:0C:64:FB:E0:BD:CA:9E:9C:C7:B7:B0:C1:2A:82:03:10:12:95:58:2A:D1
rootca, Nov 20, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 54:50:1A:FB:34:6F:03:66:18:15:6C:8B:07:DA:61:60:11:B2:C6:4D:E4:A3:0C:D4:9D:D4:17:7B:30:99:44:C9
serviceca, Nov 20, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 5E:6B:CD:93:B4:61:A8:FB:AD:7B:4A:70:44:0B:FF:12:FE:DB:DE:67:5B:00:B3:A2:C5:21:AD:28:E2:31:A2:87
test_user, Nov 20, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): E6:62:01:22:77:F8:DC:E8:B5:FC:08:80:E3:EC:EA:10:9D:22:63:31:75:11:86:97:B1:0D:EC:16:81:D7:93:FB
userca, Nov 20, 2024, trustedCertEntry,
Certificate fingerprint (SHA-256): 54:F6:D3:DA:28:42:DC:C4:0B:9A:08:62:59:D2:93:A4:A4:33:7C:71:03:D5:BE:5E:17:9E:5C:A2:60:6A:38:E7

And the WildFly logs I can see this message (... with 0 certificates):

2024-11-21 07:34:33,880 INFO  [org.cesecore.certificates.certificate.CertificateStoreSessionBean] (EJB default - 2) Reloaded CA certificate cache with 0 certificates

[primetomas]

Just run the command printed and you will be fine.
bin/ejbca.sh ca importcacert ManagementCA YourExternalManagementCA.cacert.pem -initauthorization -superadmincn CommonNameOfYourAdminClientCertificate

[oliviermartin]

Thanks a lot @primetomas , it works! At least I can access the web UI.

I guess what I need for my Samba AD is to configure the Active Directory Publisher.

In my "Manage Certification Authorities", I can see my ManagementCA mentioned as "External CA". What does it mean for EJBCA? Is it because I have not imported its private key? Or it only means I cannot edit it?
I guess I would need to import its private key (aka "Crypto Tokens") if I want to provision new Samba AD users.

[primetomas]

(just for reference: External CA was settled in a separate issue)

[Babacar98]

@oliviermartin
Hello [Name of person],

I came across this discussion with your project on PKI and I find it particularly interesting, especially in relation to my field. I would love to discuss your work and possibly exchange ideas. Could you please let me know if I might have your contact details to discuss this further?

Thank you in advance for your response!

[oliviermartin]

Feel free to contact me at olivier [AT] keypme.com