Add an EJBCA Sub CA to a Microsoft Standalone Root CA

This integration guide provides instructions for adding an EJBCA Subordinate CA to a Microsoft standalone (Non-Active Directory joined server) Root CA.

The following provides the steps required to configure a Microsoft Certificate Services server running as a Standalone Root CA to sign an EJBCA Subordinate CA certificate signing request.

Introduction

Microsoft Windows Servers have the capability to run a Certification Authority service. This Microsoft Windows server role is called Active Directory Certificate Services. The Certification Authority (CA) can be run as an Enterprise CA (integrated with Microsoft Active Directory) or as a Standalone CA (not integrated with Microsoft Active Directory). The CA service can also be configured as a Root CA, the trust anchor for a PKI, or as a Subordinate CA.

A key difference between the Microsoft Enterprise CA and Standalone CA configuration is that the Enterprise CA can use certificate templates. Using Microsoft Certificate Services certificate templates to configure non-Microsoft Subordinate CAs is well documented. The same is not true for the Microsoft Standalone Root CA, which cannot use templates.

When a non-Microsoft Subordinate CA is enrolled with a Microsoft Standalone Root CA without further configuration, the issued CA certificate typically has the following problems in its X.509 fields:

  • Validity period uses the default of one year

  • CRL Distribution Point (CDP) is not applied to the certificate

  • Authority Information Access (AIA), which carries the OCSP URL or the CA certificate location used for path building, is not applied to the certificate

  • Key Usage for a CA is not applied to the certificate

  • Basic Constraints Subject Type is configured as End Entity instead of CA

The following procedure applies to a Microsoft Server configured as a Standalone Root CA which will sign the EJBCA Certification Authority certificate request.

Requirements

The following lists prerequisites or assumptions for the integration.

  • A Subordinate CA configured as an External CA in EJBCA and a certificate signing request (CSR) generated that includes the Root CA Certificate Chain in PKCS7 format (P7B or P7C) using the instructions on Signing an External CA.

  • An existing Microsoft Server 2019 with Certificate Services configured as a Standalone Offline Root CA.

  • A CRL Distribution Point (CDP) will be used for the Root CA on a separate server and is out-of-scope for this procedure.

  • An Authority Information Access (AIA) OCSP service locator will be used for the Root CA on a separate server and is out-of-scope for this procedure.

Deploy an Online EJBCA Subordinate CA under a Microsoft Standalone Root CA Server

The following covers how to deploy an online EJBCA Subordinate CA under a Microsoft Standalone Root CA Server in the steps below.

All configurations are performed on the Microsoft Windows Standalone Offline Root CA Server.

Step 1 - Configure CRL Distribution Point and Authority Information Access for OCSP

Configure the CRL Distribution Point (CDP) and Authority Information Access (AIA) for OCSP in the following steps.

Configure CDP for the Root CA

To configure CDP for the Root CA:

  1. Open the Microsoft Windows Server Manager.

  2. Click the Tools menu option and select Certification Authority.

  3. Right-click the Server name and select Properties.

  4. Select the Extensions tab.

  5. In the Select extension field, select CRL Distribution Point (CDP).

  6. Remove all locations except C:\Windows\*.

  7. In the section Specify locations from which users can obtain a certificate revocation list (CRL), click Add.

  8. In the Location field, enter the URL of the CDP (for example http://hostname.domain/path/) and click OK.

  9. Select Include in the CDP extension of issued certificates.

  10. Click Apply and then click No when asked to restart the service.

Configure AIA with OCSP for the Root CA

To configure Authority Information Access (AIA) with OCSP for the Root CA:

  1. In the Select extension field, select Authority Information Access (AIA).

  2. Remove all locations except C:\Windows\*.

  3. In the section Specify locations from which users can obtain the certificate for this CA, click Add.

  4. In the Location field, enter the URL of the OCSP responder (for example http://hostname.domain/path/) and click OK.

  5. Select Include in the online certificate status protocol (OCSP) extension.

  6. Click Apply then click Yes when asked to restart the service.

Step 2 - Configure Policy Module

To ensure the Policy Module is set so certificate requests are set to pending, do the following:

  1. Continue working on the properties window of the Certificate Authority tool.

  2. Click the Policy Module tab, and then click Properties.

  3. Select the option "Set the certificate request status to pending. The administrator must explicitly issue the certificate." and then click OK.

  4. Click Apply then click Yes when asked to restart the service.

Step 3 - Set Validity Period

To change the validity of all certificates issued by Microsoft Standalone Offline Root CA:

  1. Open a Windows PowerShell prompt as an Administrator (Restart-Service is a PowerShell cmdlet; certutil runs from either shell).

  2. Enter the following commands to set the Validity Period for all certificates issued by the Root CA and to restart the service so the new registry values take effect:

    certutil -setreg CA\ValidityPeriodUnits 10
    certutil -setreg CA\ValidityPeriod Years

    Restart-Service certsvc

Step 4 - Submit Certificate Enrollment Request

Sign the EJBCA Subordinate CA certificate signing request (CSR):

  1. In the Certification Authority management tool window, right-click the Certificate Authority name and select All Tasks>Submit new request.

  2. In the bottom right-hand corner, change the file type to All Files (*.*).

  3. Select the EJBCA Subordinate CA csr file and click Open.

  4. Select the Pending Requests folder and note the Request ID for the new request.

Step 5 - Configure X.509 Key Usage for Pending Request

Using the Microsoft Windows Server certutil.exe utility, modify the Key Usage for the pending request.

  1. Open a command prompt (cmd.exe) and run the following commands:

    REM Change to the C:\Users\Administrator\Documents directory
    cd C:\Users\Administrator\Documents

    REM Create a hex file holding the DER-encoded Key Usage for a Sub CA:
    REM BIT STRING (03), length 2, 1 unused bit, 0x86 = Digital Signature + Certificate Signing + CRL Signing
    echo 03 02 01 86 > key_usage.txt

    REM Syntax: certutil -setextension <pending_request_id> <extension_oid> <critical_flag> @<path_to_hex_file>
    REM Replace <pending_request_id> with the Request ID noted in the previous step.
    REM 2.5.29.15 is the Key Usage OID; critical flag 1 marks the extension critical.
    certutil -setextension <pending_request_id> 2.5.29.15 1 @C:\Users\Administrator\Documents\key_usage.txt

  2. Confirm the changes in the Certification Authority management tool window.

  3. Select the Pending Requests folder and right-click the pending certificate request.

  4. Select All Tasks>View Attributes/Extensions.

  5. Click the Extension tab.

  6. Select the Key Usage extension and confirm the following:

    • The Critical and Enabled columns are set to Yes.

    • The Key Usage is set to Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86).

  7. Click OK.

Step 6 - Modify X.509 Basic Constraints for Pending Request

Using the Microsoft Windows Server certutil.exe utility, modify the Basic Constraints for the pending request.

  1. Open a command prompt (cmd.exe) and run the following commands:

    REM Change to the C:\Users\Administrator\Documents directory
    cd C:\Users\Administrator\Documents

    REM Create a hex file holding the DER-encoded Basic Constraints:
    REM SEQUENCE (30), length 3, BOOLEAN TRUE (01 01 FF) = Subject Type=CA, no path length constraint
    echo 30 03 01 01 FF > basic.txt

    REM For Subject Type=CA with Path Length Constraint=0 (adds INTEGER 0, 02 01 00) use this instead:
    REM echo 30 06 01 01 FF 02 01 00 > basic.txt

    REM Syntax: certutil -setextension <pending_request_id> <extension_oid> <critical_flag> @<path_to_hex_file>
    REM Replace <pending_request_id> with the Request ID noted in the previous step.
    REM 2.5.29.19 is the Basic Constraints OID; critical flag 1 marks the extension critical.
    certutil -setextension <pending_request_id> 2.5.29.19 1 @C:\Users\Administrator\Documents\basic.txt

  2. Confirm the changes in the Certification Authority management tool window.

  3. Select the Pending Requests folder and right-click the pending certificate request.

  4. Select All Tasks>View Attributes/Extensions.

  5. Click the Extension tab.

  6. Select the Basic Constraints extension and confirm the following:

    • The Critical and Enabled columns are set to Yes.

    • The Basic Constraints is set to:

      • Subject Type=CA

      • Path Length Constraint=None

  7. Click OK.
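The hex files in Steps 5 and 6 are hand-written DER. As an added example (not part of the original guide and not a certutil feature), the following Python builds those encodings for any set of Key Usage flags or any path length constraint, and decodes a Key Usage value back to flag names so a hex file can be checked before it is applied with certutil -setextension; it generalises the two values the guide uses.

```python
# Added example (not from the original guide): build the hex that
# certutil -setextension reads from @<file> for Key Usage (2.5.29.15) and
# Basic Constraints (2.5.29.19), and decode a Key Usage value back to names.

# KeyUsage bit positions from RFC 5280 section 4.2.1.3; bit 0 is the MSB.
KEY_USAGE_BITS = {
    "digitalSignature": 0, "nonRepudiation": 1, "keyEncipherment": 2,
    "dataEncipherment": 3, "keyAgreement": 4, "keyCertSign": 5,
    "cRLSign": 6, "encipherOnly": 7, "decipherOnly": 8,
}

def der_key_usage(*usages):
    """DER BIT STRING for the named KeyUsage bits (trailing zero bits trimmed)."""
    bits = [KEY_USAGE_BITS[u] for u in usages]
    highest = max(bits)
    nbytes = highest // 8 + 1
    value = 0
    for b in bits:
        value |= 1 << (nbytes * 8 - 1 - b)
    unused = nbytes * 8 - 1 - highest          # first content octet: unused bit count
    body = bytes([unused]) + value.to_bytes(nbytes, "big")
    return bytes([0x03, len(body)]) + body

def der_basic_constraints(ca=True, path_len=None):
    """DER SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }."""
    body = bytes([0x01, 0x01, 0xFF]) if ca else b""   # DER omits a DEFAULT FALSE value
    if path_len is not None:
        if not 0 <= path_len <= 127:
            raise ValueError("path_len must fit a single-octet INTEGER")
        body += bytes([0x02, 0x01, path_len])
    return bytes([0x30, len(body)]) + body

def to_certutil_hex(der):
    """Space-separated upper-case hex, the form the guide writes with echo."""
    return " ".join(f"{b:02X}" for b in der)

def decode_key_usage(der):
    """Names of the bits set in a DER KeyUsage BIT STRING (inverse of der_key_usage)."""
    if der[0] != 0x03 or der[1] != len(der) - 2:
        raise ValueError("not a short-form DER BIT STRING")
    unused, payload = der[2], der[3:]
    nbits = len(payload) * 8 - unused
    value = int.from_bytes(payload, "big") >> unused
    return [n for n, i in KEY_USAGE_BITS.items()
            if i < nbits and (value >> (nbits - 1 - i)) & 1]

if __name__ == "__main__":
    # The two values the guide writes to key_usage.txt and basic.txt
    print(to_certutil_hex(der_key_usage("digitalSignature", "keyCertSign", "cRLSign")))
    print(to_certutil_hex(der_basic_constraints()), decode_key_usage(bytes.fromhex("03020186")))
```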

Step 7 - Confirm the CDP and AIA URLs for the Pending Request

To confirm that the previously configured CDP and OCSP settings are present in the pending certificate request:

  1. In the Certification Authority management tool window, select the Pending Requests folder and right-click the pending certificate request.

  2. Select All Tasks>View Attributes/Extensions.

  3. Click the Extension tab.

  4. Select the CRL Distribution Points extension and confirm that the previously set CDP is present.

  5. Select the Authority Information Access extension and confirm that the previously set AIA is present.

  6. Click OK.

Step 8 - Issue Certificate

To issue the EJBCA Subordinate CA certificate:

  1. In the Certification Authority management tool window, select the Pending Requests folder and right-click the pending certificate request.

  2. Select All Tasks>Issue.

Step 9 - Save Certificate

To save the EJBCA Subordinate CA certificate:

  1. In the Certification Authority management tool window, select the Issued Certificates folder and double-click the issued certificate.

  2. Click the Details tab.

  3. Click Copy to File and then click Next.

  4. Select the Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7b) option.

  5. Select the Include all certificates in the certification path if possible option.

  6. Click Next.

  7. Select the file path and name and click Next, and then click Finish.

  8. In the "The export was successful" confirmation panel, click OK.

  9. Click Finish.

Next, use this certificate to complete the EJBCA External CA procedure described in Signing an External CA.