Part 1: EJBCA Administration
This section will cover:
Creation of a 3-tier CA using soft keystores
Creating the custom extension for Microsoft template information
Creating user and computer profiles for auto enrollment
Creating the Web Services API keystore
Creating the server certificate for Apache Tomcat web server
Administrator roles for the Web Services Client
In the examples below, the Certificate Services hostname is csserver.primekey.com. The placeholder values highlighted in red, such as <RootCASubjectDN> and <PASSWORD>, should be replaced with names from your environment.
1. Create the 3-tier CA hierarchy
1.1 Create the Root CA
Create Root CA Crypto Token
Click Crypto Tokens under CA Functions
Select Create New
Enter a name for the Crypto Token: Root CA Token
Select Type as Soft
Enter an authentication code for the token.
Auto-activation: Not selected
Click Save
Generate a signKey of size 4096
Generate a defaultKey of size 4096
Generate a testKey of size 1024
Create Root CA Certificate Profile
Clone the ROOTCA profile for the Root CA and label it as "Root CA Certificate Profile." Select the following values:
Available key algorithms: RSA
Available bit lengths: 4096
Validity: 25y
LDAP DN order: Unchecked
Available CA: Any CA
Create the Root CA certificate
Click Certificate Authorities. In the Add CA field, enter the name "Root CA" and click "Create…".
In the Create CA screen populate the following fields:
Signing Algorithm: SHA256WithRSA
Crypto Token: Root CA Token
Subject DN: <RootCASubjectDN>
Signed By: Self Signed
Certificate Profile: Root CA Certificate Profile
Validity: 25y
CRL Distribution Point: http://crl.company.com/Root_CA.crl
OCSP Service Locator URI: http://ocsp.company.com
1.2 Create Intermediate CA
Create Intermediate CA Crypto Token
Click Crypto Tokens under CA Functions
Select Create New
Enter a name for the Crypto Token: Intermediate CA Token
Select Type as Soft
Enter an authentication code for the token.
Auto-activation: Not selected
Click Save
Generate a signKey of size 4096
Generate a defaultKey of size 4096
Generate a testKey of size 1024
Create Intermediate CA Certificate Profile
Clone the SUBCA profile for the Intermediate CA and label it as "Intermediate CA Certificate Profile." Select the following values:
Available key algorithms: RSA
Available bit lengths: 4096
Validity: 25y
LDAP DN order: Unchecked
Available CA: Any CA
Create Intermediate CA certificate
Click Certificate Authorities. In the Add CA field, enter the name "Intermediate CA" and click "Create…".
In the Create CA screen populate the following fields:
Signing Algorithm: SHA256WithRSA
Crypto Token: Intermediate CA Token
Subject DN: <IntermediateCASubjectDN>
Signed By: Root CA
Certificate Profile: Intermediate CA Certificate Profile
Validity: 20y
CRL Distribution Point: http://crl.company.com/Intermediate_CA.crl
OCSP Service Locator URI: http://ocsp.company.com
1.3 Create Issuing CA
Create Issuing CA Crypto Token
Click Crypto Tokens under CA Functions
Select Create New
Enter a name for the Crypto Token: Issuing CA Token
Select Type as Soft
Enter an authentication code for the token.
Auto-activation: Not selected
Click Save
Generate a signKey of size 4096
Generate a defaultKey of size 4096
Generate a testKey of size 1024
Create Issuing CA Certificate Profile
Clone the SUBCA profile for the Issuing CA and label it as "Issuing CA Certificate Profile." Select the following values:
Available key algorithms: RSA
Available bit lengths: 4096
Validity: 25y
LDAP DN order: Unchecked
Available CA: Any CA
Create Issuing CA certificate
Click Certificate Authorities. In the Add CA field, enter the name "Issuing CA" and click "Create…".
In the Create CA screen populate the following fields:
Signing Algorithm: SHA256WithRSA
Crypto Token: Issuing CA Token
Subject DN: <IssuingCASubjectDN>
Signed By: Intermediate CA
Certificate Profile: Issuing CA Certificate Profile
Validity: 15y
CRL Distribution Point: http://crl.company.com/Issuing_CA.crl
OCSP Service Locator URI: http://ocsp.company.com
2. Create Custom Certificate Extensions
On the EJBCA Administration Interface, click System Configuration
Select the Custom Certificate Extensions tab
Enter the Object Identifier (OID) as "1.3.6.1.4.1.311.21.7".
Enter "Certificate Template Information" as the Label.
Click Add.
Click Edit on the object previously added.
Set the Encoding to DEROBJECT.
Set Dynamic to true.
Click Save.
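As an added example that is not part of this guide: the Python below encodes and decodes the DER value carried by this extension (per MS-WCCE, a SEQUENCE of the template OID, the major version and an optional minor version), so a practitioner can check that an issued auto-enrollment certificate names the expected template. The template OIDs in the code and its test are constructed samples, not values from this guide.

```python
# Added example, not from the EJBCA guide: DER encode/decode of the Microsoft
# Certificate Template Information value (1.3.6.1.4.1.311.21.7) used by the "Dynamic"
# extension above: SEQUENCE { templateID OID, major INTEGER, minor INTEGER OPTIONAL }.

def _tlv(tag, body):
    # Short-form DER length only: this extension's value is far below 128 bytes.
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:  # base-128, continuation bit on all but the last byte
        chunk = [arc & 0x7F]
        while arc := arc >> 7:
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def _encode_int(v):  # minimal two's complement; a leading 0x00 keeps it positive
    return _tlv(0x02, v.to_bytes(max(1, (v.bit_length() + 8) // 8), "big", signed=True))

def encode_template_info(template_oid, major, minor=None):
    body = _encode_oid(template_oid) + _encode_int(major)
    return _tlv(0x30, body + (_encode_int(minor) if minor is not None else b""))

def _read_tlv(buf, pos):
    tag, ln = buf[pos], buf[pos + 1]
    if ln & 0x80:  # long-form length never occurs in this small value
        raise ValueError("unexpected long-form DER length")
    return tag, buf[pos + 2:pos + 2 + ln], pos + 2 + ln

def _decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return ".".join(map(str, arcs))

def decode_template_info(der):
    # Returns (templateID, major, minor or None); raises on a malformed value.
    tag, seq, _ = _read_tlv(der, 0)
    t1, oid, pos = _read_tlv(seq, 0)
    t2, maj, pos = _read_tlv(seq, pos)
    if (tag, t1, t2) != (0x30, 0x06, 0x02):
        raise ValueError("not a CertificateTemplate SEQUENCE")
    minor = (int.from_bytes(_read_tlv(seq, pos)[1], "big", signed=True)
             if pos < len(seq) else None)
    return _decode_oid(oid), int.from_bytes(maj, "big", signed=True), minor
```

To inspect a real certificate, pass it the raw value of extension 1.3.6.1.4.1.311.21.7 as extracted by your X.509 parser and compare the returned OID with the template you expect.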
3. Create User and Computer Auto Enrollment Certificate Profiles
3.1 Create a certificate profile for User Auto Enrollment
Click Certificate Profiles under CA Functions
Clone from ENDUSER named User_Certificate_Profile
Edit the User_Certificate_Profile
Key Usage: Digital Signature, Non-repudiation, and Key encipherment
Extended Key Usage: Client Authentication, Email Protection, and MS Encrypted File System (EFS)
Used Custom Certificate Extensions: Certificate Template Information
Available CAs: Issuing CA
3.2 Create a certificate profile for Computer Auto Enrollment
Click Certificate Profiles under CA Functions
Clone from ENDUSER named Computer_Certificate_Profile
Edit the Computer_Certificate_Profile
Key Usage: Digital Signature and Key encipherment
Extended Key Usage: Client Authentication and Server Authentication
Used Custom Certificate Extensions: Certificate Template Information
Available CAs: Issuing CA
4. Create Tomcat Server and Web Services API Certificate Profiles
4.1 Create a certificate profile for Tomcat server
Click Certificate Profiles under CA Functions
Clone from SERVER named Tomcat_Server_Certificate_Profile
Edit the Tomcat_Server_Certificate_Profile
Available key algorithms: RSA
Change Validity to 5y
Available bit lengths: 2048
CRL Distribution Point: Use
Use CA defined CRL Dist. Point: Use
Authority Information Access: Use
Use CA defined OCSP locator: Use
Available CAs: Issuing CA
4.2 Create a certificate profile for Web Services API client
Click Certificate Profiles under CA Functions
Clone from ENDUSER named WebService_Client_Certificate_Profile
Edit WebService_Client_Certificate_Profile
Available key algorithms: RSA
Change Validity to 5y
Available bit lengths: 2048
Available CAs: ManagementCA
5. Create User and Computer Auto Enrollment End Entity Profiles
All attributes that may occur in a request should be added and marked as modifiable.
5.1 Create End Entity Profile for User Auto Enrollment
Add End Entity profile named "User_End_Entity_Profile"
Click User_End_Entity_Profile and click Edit End Entity Profile
Subject DN Attributes: CN
Other subject attributes: MS UPN
Default Certificate Profile: User_Certificate_Profile
Available Certificate Profiles: User_Certificate_Profile
Default CA: Issuing CA
Available CAs: Issuing CA
Default Token: User Generated
Available Tokens: User Generated
5.2 Create End Entity Profile for Computer Auto Enrollment
Add End Entity profile named "Computer_End_Entity_Profile"
Click Computer_End_Entity_Profile and click Edit End Entity Profile
Subject DN Attributes: CN
Other subject attributes: DNS Name
Default Certificate Profile: Computer_Certificate_Profile
Available Certificate Profiles: Computer_Certificate_Profile
Default CA: Issuing CA
Available CAs: Issuing CA
Default Token: User Generated
Available Tokens: User Generated
6. Create Tomcat Server and Web Services API End Entity Profiles
6.1 Create End Entity Profile for the SSL server certificate
Click End Entity Profiles under RA Functions
Add End Entity profile named "TomcatServerEEProfile"
Click TomcatServerEEProfile and click Edit End Entity Profile
Uncheck End Entity E-mail
Subject DN Attributes: CN
Default Certificate Profile: Tomcat_Server_Certificate_Profile
Available Certificate Profiles: Tomcat_Server_Certificate_Profile
Default CA: Issuing CA
Available CAs: Issuing CA
Default Token: JKS
Available Tokens: JKS
6.2 Create End Entity Profile for the Web Services Client
Click End Entity Profiles under RA Functions
Add End Entity profile named "WebServiceClientEEProfile"
Click WebServiceClientEEProfile and click Edit End Entity Profile
Uncheck End Entity E-mail
Subject DN Attributes: CN
Default Certificate Profile: WebService_Client_Certificate_Profile
Available Certificate Profiles: WebService_Client_Certificate_Profile
Default CA: ManagementCA
Available CAs: ManagementCA
Default Token: JKS
Available Tokens: JKS
7. Create Tomcat and Web Services End Entities
7.1 Creating and downloading the Tomcat JKS keystore
Add the Tomcat server End Entity
Click Add End Entity
End Entity Profile: TomcatServerEEProfile
Username: tomcat_server
Password: <PASSWORD>
Confirm Password: <PASSWORD>
CN: csserver.primekey.com
Click Add
Download the Tomcat server certificate as a JKS keystore with Firefox
Click Public Web
Click Create Keystore
Username: tomcat_server
Password: <PASSWORD>
Save this keystore as tomcat_server.jks
7.2 Creating and downloading the Web Services JKS keystore
Add the Web Services Client End Entity
Click Add End Entity
End Entity Profile: WebServiceClientEEProfile
Username: aewsclient
Password: <PASSWORD>
Confirm Password: <PASSWORD>
CN: aewsclient
Click Add
Download the Web Services Client certificate as a JKS keystore with Firefox
Click Public Web
Click Create Keystore
Username: aewsclient
Password: <PASSWORD>
Save this keystore as aewsclient.jks
8. Create Administrator Roles for Web Services Client
Create Administrator Role for Web Services Client
Click Administrator Roles
Click Add
Enter name for role: AutoEnrollment Web Services
Click on Administrators for AutoEnrollment Web Services
Select the following:
CA: ManagementCA
Match with: X509: CN, Common Name
Match type: Equal, case sens.
Match value: aewsclient
Click Add
Click Edit Access Rules for AutoEnrollment Web Services
Role Template: RA Administrators
Authorized CA: Issuing CA
End Entity Rules: View End Entity, Create End Entity, and Edit End Entity
End Entity Profiles: User_End_Entity_Profile and Computer_End_Entity_Profile (select all End Entity Profiles that will be used with Auto Enrollment)
Other Rules: View Audit Log
Click Save