Setting up an Authentication Key Binding

The following covers how to set up an Authentication Key Binding. For more information about the concepts of Remote Authenticators, see Remote Authenticators Overview.

Remote Authenticators are used to establish mutual TLS from the upstream node to the downstream node: the upstream node opens the outgoing peer connection and presents the key binding's certificate as its TLS client certificate. The Remote Authenticator therefore has to be created on the upstream node (commonly the CA), and the CA that signs its certificate (commonly the Management CA) must be trusted by the downstream node (commonly a VA or RA).

images/inline/5c484e8463d21d46eae9b518a8fd7c858817cb5163278b4bbbd6ca00933b41b1.png

Step 1 - Create the Remote Authenticator on the Upstream node

  1. On the upstream node, select Remote Authenticators under System Functions.
    images/download/attachments/143744998/remote_auth_start.png

  2. Click Create new to display the edit page.
    images/download/attachments/143744998/remote_auth_create.png

  3. Specify values for the key binding and optionally choose a Crypto Token to hold the key pair used for the TLS connection. A dedicated crypto token for this purpose is strongly recommended, so that the TLS client key is kept apart from the CA signing keys.

  4. Click Create to generate the authenticator object.
    images/download/attachments/143744998/remote_auth_waiting_csr.png

  5. The new key binding is created disabled and inactive, because its key pair has not yet been certified. Click CSR in the Actions column to download a PEM file containing the certificate signing request.

Step 2 - Signing the Key Pair

Return to the Management CA and enroll through the RA UI: the Management CA treats the Remote Authenticator like any other end entity.

This step assumes that a suitable end entity profile and certificate profile already exist on the instance hosting the Management CA. Since the key binding authenticates as a TLS client, the certificate profile must allow the Client Authentication extended key usage; a certificate issued without it will be rejected by the downstream node's TLS handshake.

  1. Click RA Web, and then select Enroll and Make new request.

  2. Pick the appropriate profiles and CA as needed, then paste or upload the CSR and click Upload CSR.
    images/download/attachments/143744998/Screenshot_2020-12-18_at_14.35.41.png

  3. Complete the enrollment by filling in any other fields the profiles require, entering a username, and verifying the information.
    images/download/attachments/143744998/Screenshot_2020-12-18_at_14.40.57.png

  4. Click Download PEM (or another certificate format) to download the issued certificate and save the file.

Step 3 - Activating the Authentication Key Binding

To import the certificate and enable the key binding:

  1. Return to the Remote Authenticators page on the upstream instance (System Functions > Remote Authenticators).

  2. Under Import Client Certificate, select the target authenticator from the list and upload the certificate you just enrolled for.
    images/download/attachments/143744998/import_csr.png

  3. Click Import to attach the certificate to the key binding. Notice that the key binding now has a certificate associated with it, but it is still disabled.
    images/download/attachments/143744998/after_import.png

  4. Finally, click Enable to activate the key binding.
    images/download/attachments/143744998/enable.png
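Before importing in Step 3, it is worth checking the files exchanged in Steps 1 and 2 with OpenSSL: that the CSR is intact, that the issued certificate carries the same public key as the CSR (otherwise Import cannot match it to the key binding), that it has the Client Authentication extended key usage, and that it chains to the CA the downstream node trusts. The script below is an added example and is not part of the EJBCA documentation or product. It assumes `openssl` is on the PATH; the Management CA, an unrelated CA, the key pairs, subject names and the two extension files standing in for certificate profiles are all constructed inside the script so it runs offline. In a real setup only the four check functions apply, run against the CSR downloaded from the Remote Authenticators page and the certificate downloaded from RA Web.

```shell
#!/bin/sh
# Added example, not EJBCA code: offline checks on the CSR and certificate
# exchanged in Steps 1 and 2, run before "Import Client Certificate".
# Everything under $WORK is constructed here so the script runs stand-alone.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal request config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions = v3_ca
[ dn ]
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# Stand-ins for certificate profiles: one granting Client Authentication,
# one granting Server Authentication only (the wrong profile for a key binding).
cat > "$WORK/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature
extendedKeyUsage = clientAuth
authorityKeyIdentifier = keyid
EOF
sed 's/clientAuth/serverAuth/' "$WORK/client.ext" > "$WORK/server.ext"

# Constructed fixtures: a stand-in Management CA, an unrelated CA, and key pairs.
gen_ca() {  # $1 = CA name
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
gen_csr() { # $1 = file name, $2 = CN; stands in for the "CSR" action in Step 1
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}
sign() {    # $1 = CSR, $2 = CA name, $3 = ext file, $4 = output; stands in for RA Web
  openssl x509 -req -in "$1" -CA "$WORK/$2.pem" -CAkey "$WORK/$2.key" -CAcreateserial \
    -days 1 -sha256 -extfile "$3" -out "$4" 2>/dev/null
}
gen_ca ManagementCA
gen_ca UnrelatedCA
gen_csr kb "peer-client-ca01"
gen_csr other "peer-client-va02"
sign "$WORK/kb.csr" ManagementCA "$WORK/client.ext" "$WORK/kb.pem"          # correct
sign "$WORK/kb.csr" ManagementCA "$WORK/server.ext" "$WORK/kb-noclient.pem" # wrong profile
sign "$WORK/kb.csr" UnrelatedCA  "$WORK/client.ext" "$WORK/kb-wrongca.pem"  # wrong CA

# 1. The downloaded CSR is intact and signed by the key binding's own key.
csr_ok() { openssl req -in "$1" -noout -verify >/dev/null 2>&1; }

# 2. The certificate carries the CSR's public key; otherwise Import cannot
#    attach it to this key binding.
key_matches() { # $1 = CSR, $2 = certificate
  a=$(openssl req  -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  b=$(openssl x509 -in "$2" -noout -pubkey | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  [ "$a" = "$b" ]
}

# 3. The key binding authenticates as a TLS client, so the certificate must
#    carry the Client Authentication extended key usage.
has_client_auth() { # $1 = certificate
  openssl x509 -in "$1" -noout -text | sed -n '/Extended Key Usage/{n;p;}' \
    | grep -q 'TLS Web Client Authentication'
}

# 4. The downstream node accepts the peer only if the issuing CA is in its
#    trust store; this is the same check its TLS handshake performs.
chain_ok() { openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; } # $1 = CA, $2 = cert

# Stand-alone run: report each check, including the deliberately wrong files.
report() { if "$@"; then echo "PASS: $*"; else echo "FAIL: $*"; fi; }
report csr_ok "$WORK/kb.csr"
report key_matches "$WORK/kb.csr"    "$WORK/kb.pem"
report key_matches "$WORK/other.csr" "$WORK/kb.pem"
report has_client_auth "$WORK/kb.pem"
report has_client_auth "$WORK/kb-noclient.pem"
report chain_ok "$WORK/ManagementCA.pem" "$WORK/kb.pem"
report chain_ok "$WORK/ManagementCA.pem" "$WORK/kb-wrongca.pem"
```

Only the first of each pair of `key_matches`, `has_client_auth` and `chain_ok` calls passes; the others reproduce the three common mistakes in Step 2 (pasting a CSR from a different key binding, picking a certificate profile without Client Authentication, and enrolling from a CA the downstream node does not trust). Run the same four functions against your real CSR and certificate, with `-CAfile` pointing at the Management CA certificate that is installed on the downstream node.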

Next Steps

You can now use this key binding to establish an outgoing peer connection to another EJBCA node; see Peer Systems Operations.