Add an EJBCA Sub CA to a Microsoft Standalone Root CA
This integration guide provides instructions for adding an EJBCA Subordinate CA to a Microsoft standalone (Non-Active Directory joined server) Root CA.
The following provides the steps required to configure a Microsoft Certificate Services server running as a Standalone Root CA to sign an EJBCA Subordinate CA certificate signing request.
Introduction
Microsoft Windows Servers have the capability to run a Certification Authority service. This Microsoft Windows server role is called Active Directory Certificate Services. The Certification Authority (CA) can be run as an Enterprise CA (integrated with Microsoft Active Directory) or as a Standalone CA (not integrated with Microsoft Active Directory). The CA service can also be configured as a Root CA, the trust anchor for a PKI, or as a Subordinate CA.
A key difference between the Microsoft Enterprise CA and Standalone CA configuration is that the Enterprise CA can use certificate templates. Using Microsoft Certificate Services certificate templates to configure non Microsoft Subordinate CAs is well documented. This is not the case for the Microsoft Standalone Root CA.
When attempting to enroll a non Microsoft Subordinate CA with a Microsoft Root Standalone CA, the CA certificate typically created has the following issues with the x509 fields:
Validity period uses the default of one year
CRL Distribution Point (CDP) is not applied to the certificate
AIA which contains the OCSP URL or CA certificate point for path building is not applied to the certificate
Key Usage for a CA is not applied to the certificate
Basic Constraints Subject Type is configured as End Entity instead of CA
The following procedure applies to a Microsoft Server configured as a Standalone Root CA which will sign the EJBCA Certification Authority certificate request.
Requirements
The following lists prerequisites or assumptions for the integration.
A Subordinate CA configured as an External CA in EJBCA and a certificate signing request (CSR) generated that includes the Root CA Certificate Chain in PKCS7 format (P7B or P7C) using the instructions on Signing an External CA.
An existing Microsoft Server 2019 with Certificate Services configured as a Standalone Offline Root CA.
A CRL Distribution Point (CDP) will be used for the Root CA on a separate server and is out-of-scope for this procedure.
An Authority Information Access (AIA) OCSP service locator will be used for the Root CA on a separate server and is out-of-scope for this procedure.
Deploy an Online EJBCA Subordinate CA under a Microsoft Standalone Root CA Server
The following covers how to
deploy an online EJBCA Subordinate CA under a Microsoft Standalone Root CA Server in the following steps:
Step 1 - Configure Certificate Distribution Point and Authority Information Access for OCSP
Step 7 - Confirm the CDP and AIA URLs for the Pending Request
All configurations are performed on the Microsoft Windows Standalone Offline Root CA Server.
Step 1 - Configure Certificate Distribution Point and Authority Information Access for OCSP
Configure the Certificate Distribution Point and Authority Information Access for OCSP in the following steps.
Configure CDP for the Root CA
To configure CDP for the Root CA:
Open the Microsoft Windows Server Manager.
Click the Tools menu option and select Certification Authority.
Right-click the Server name and select Properties.
Select the Extensions tab.
In the Select extension field, select CRL Distribution Point (CDP).
Remove all locations except C:\Windows\*
In the section Specify locations from which users can obtain a certificate revocation list (CRL), click Add.
In the Location field, enter the URL location of the CDP (i.e. http://hostname.domain/path/>) and click OK.
Select Include in the CDP extension of issued certificates.
Click Apply and then click No when asked to restart the service.
Configure AIA with OCSP for the Root CA
To configure Authority Information Access (AIA) with OCSP for the Root CA:
In the Select extension field, select Authority Information Access (AIA).
Remove all locations except C:\Windows\*
In the section Specify locations from which users can obtain the certificate for this CA, click Add.
In the Location field, enter the URL location of the OCSP Locator (i.e. http://hostname.domain/path/>) and click OK.
Select Include in the online certificate status protocol (OCSP) extension.
Click Apply then click Yes when asked to restart the service.
Step 2 - Configure Policy Module
To ensure the Policy Module is set so certificate requests are set to pending, do the following:
Continue working on the properties window of the Certificate Authority tool.
Click the Policy Module tab, and then click Properties.
Select the option Set the certificate request status to pending. The administrator must explicitly issue the certificate and then click OK.
Click Apply then click Yes when asked to restart the service.
Step 3 - Set Validity Period
To change the validity of all certificates issued by Microsoft Standalone Offline Root CA:
Open a command prompt as an Administrator.
Enter the following commands to set the Validity Period for all certificates issued by the RootCA and to restart the service:
certutil -setreg CA\ValidityPeriodUnits
10
certutil -setreg CA\ValidityPeriod Years
Restart-Service certsvc
Step 4 - Submit Certificate Enrollment Request
Sign the EJBCA Subordinate CA certificate signing request (CSR):
In the Certification Authority management tool window, right-click the Certificate Authority name and select All Tasks>Submit new request.
In the bottom right-hand corner, change the file type to All Files (*.*).
Select the EJBCA Subordinate CA csr file and click Open.
Select the Pending Requests folder and note the Request ID for the new request.
Step 5 - Configure x509 Key Usage for Pending Request
Using the Microsoft Windows Server certutil.exe utility, modify the Key Usage for the pending request.
Open a command prompt and perform the following steps:
# Change to the C:\Users\Administrator\Documents directory
cd C:\Users\Administrator\Documents directory
#Create hex file to set key usage
for
SubCAs
echo
03
02
01
86
> key_usage.txt
#certutil -setextension <pending_request_id> <key_usage_oid> <critical_flag> @<path_to_hex_file>
# Remember to change the request id to the one noted in the previous step
certutil -setextension <pending_request_id>
2.5
.
29.15
1
@C
:\Users\Administrator\Documents\key_usage.txt
Confirm the changes in the Certification Authority management tool window.
Select the Pending Requests folder and right-click the pending certificate request.
Select All Tasks...View Attributes/Extensions.
Click the Extension tab.
Select the Key Usage extension and confirm the following:
The Critical and Enabled columns are set to Yes.
The Key Usage is set to Digital Signature, Certificate Signing, Off-line CRL Signing, CRL Signing (86).
Click OK.
Step 6 - Modify x509 Basic Constraint for Pending Request
Using the Microsoft Windows Server certutil.exe utility, modify the Basic Constraints for the pending request.
Open a command prompt and perform the following steps:
# Change to the C:\Users\Administrator\Documents directory
cd C:\Users\Administrator\Documents directory
# Create hex file to set basic constraint to Subject Type=CA and No path constraint echo
30
03
01
01
FF > basic.txt
# If you want Type=CA and Path Length Constraint=
0
echo
30
06
01
01
FF
02
01
00
> basic.txt
# certutil -setextension <pending_request_id> <key_usage_oid> <critical_flag> @<path_to_hex_file>
# Remember to change the request id to the one noted in the previous step
certutil -setextension <pending_request_id>
2.5
.
29.19
1
@C
:\Users\Administrator\Documents\basic.txt
Confirm the changes in the Certification Authority management tool window.
Select the Pending Requests folder and right-click the pending certificate request.
Select All Tasks>View Attributes/Extensions.
Click the Extension tab.
Select the Basic Constraints extension and confirm the following:
The Critical and Enabled columns are set to Yes.
The Basic Constraints is set to:
Subject Type=CA
Path Length Constraint=None
Click OK.
Step 7 - Confirm the CDP and AIA URLs for the Pending Request
To confirm the previous CDP and OCSP settings are present in the pending certificate request.
In the Certification Authority management tool window, select the Pending Requests folder and right-click the pending certificate request.
Select All Tasks>View Attributes/Extensions.
Click the Extension tab.
Select the CRL Distribution Points extension and confirm that the previously set CDP is present.
Select the Authority Information Access extension and confirm that the previously set AIA is present.
Click OK.
Step 8 - Issue Certificate
To issue the EJBCA Subordinate CA certificate.
In the Certification Authority management tool window, select the Pending Requests folder and right-click the pending certificate request.
Select All Tasks>Issue.
Step 9 - Save Certificate
To save the EJBCA Subordinate CA certificate:
In the Certification Authority management tool window, select the Issued Certificates folder and double-click the issued certificate.
Click the Details tab.
Click Copy to File and then click Next.
Select the Cryptographic Message Syntax Standard - PKCS #7 Certificates (.P7b) option.
Select the Include all certificates in the certification path if possible option.
Click Next.
Select the file path and name and click Next, and then click Finish.
In the The export was successful confirmation panel, click OK.
Click Finish.
Next, use this certificate to complete the EJBCA External CA procedure described in Signing an External CA.