External RA config

  • Oleksander Petrov

    Hello everybody!

    I installed two EJBCAs and want to use them as a certification authority and a registration authority.
    I have read the manual for configuring this, http://ejbca.org/externalra.html, five times, but it is not clear to me.

    What I need:
    Classic polling model. Users are registered in the external RA. The CA gets and approves the user data (subject DN) from the external RA and then issues the certificate. The external RA gets this certificate and brings it back to the user.

    If I am thinking right, I must do the following steps:
    1. Configure the external RA service worker on the CA, which will poll data from the external database. Should I configure user data sources in the admin GUI? Or should I just configure EJBCA_HOME/conf/externalra.properties?
    2. Configure the External RA GUI on the registration authority with the following steps:

    1. Create a "messages" database on the External RA GUI host that can be accessed from both the EJBCA installation and locally.
    2. Issue a new JKS keystore with EJBCA to enable SSL (HTTPS) on the External RA GUI host.
    3. Issue a PKCS#12 keystore with EJBCA for signing and encrypting messages to the CA and copy it to the host. Don't forget to add the right administrator privileges to this certificate as described above in 'Security'.
    4. Download the certificate of the CA service's PKCS#12 keystore and copy it to the host.
    5. Download the issuing certificate of the host's PKCS#12 keystore and copy it to the host (should be the same as the issuer for the CA service's PKCS#12).
    6. Configure conf/externalra-gui.properties to use the keystores, the certificates, the local database and the local application server.
    7. Make sure a database JDBC connector JAR is installed in the local application server for your database.
    8. Run 'ant externalra-gui-deploy' to deploy the DataSource and External RA GUI application.
    9. Start JBoss and verify that the application is available at http://hostname:8080/externalra-gui/ (and https://hostname:8442/externalra-gui/).

    Tell me if I am thinking wrong.

    Do I need External RA API Clients or the SCEP RA Server for my polling model? And if I need them, where should I install the External RA API Clients (external RA or CA)?

  • Tomas Gustavsson

    In general you are completely right.

    1. No External Data Sources needed in EJBCA, this is something completely different.
    2. No API client or SCEP RA Server needed.


    PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact info@primekey.se for more information. 

  • Oleksander Petrov

    Tomas, thanks for the reply!
    Anyway, I have a question about configuring the service worker:

    externalra-caservice.keystore.path: Full pathname to the PKCS#12 keystore used to decrypt and sign messages. This file must be available on all EJBCA nodes. Only required if encryption or signing is used. (Default for historic reasons: keystore/extrakeystore.p12)

    What does it mean? Do "all EJBCA nodes" mean the CA server and the RA server? Do they use the same keystore, or do they work with a copy of the keystore? How do I make it visible if the CA and RA are located on different computers?

  • Oleksander Petrov

    Issue a new JKS keystore with EJBCA to enable SSL (HTTPS) on the External RA GUI host.

    I only need to issue a new keystore, copy it to the external RA host and then edit externalra-gui.properties to set the path of the keystore copy, right? Do I need to do anything with the keystore on the CA host?

    Issue a PKCS#12 keystore with EJBCA for signing and encrypting messages to the CA and copy it to the host.

    If I am not mistaken, this deals with externalra-caservice.keystore.path. So I only need to copy the keystore and set the paths in externalra-gui.properties (path to the copy) on the RA and in the service worker (path to the original keystore) on the CA, right?

    Download the certificate of the CA service's PKCS#12 keystore and copy it to the host.
    Download the issuing certificate of the host's PKCS#12 keystore and copy it to the host (should be the same as the issuer for the CA service's PKCS#12).

    What kind of certificates are involved here? Can you explain to me where I should get those certificates? Do I just need to create two new end entities and issue certificates, in PEM format for the CA's External RA API service keystore and in P12 format for the External RA GUI keystore? Then I should download these certificates and set the paths in externalra-gui.properties, right?
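    One way to confirm the relationship steps 4 and 5 describe (the RA GUI keystore and the CA service keystore share one issuer, and the issuer certificate copied to the RA host is that issuer) before touching externalra-gui.properties. This is an added example, not EJBCA code or anything from the thread; it assumes openssl is on the path, and make_test_pki builds a throwaway, constructed PKI in place of EJBCA-issued keystores so the check can be tried offline.

    ```shell
    #!/bin/sh
    # Added example (not from EJBCA or this thread). Checks that two PKCS#12 keystores were
    # issued by the same CA and that a given PEM certificate is that CA. Needs openssl.

    # Print the RFC2253 subject or issuer DN of the end-entity certificate inside a PKCS#12.
    p12_dn() {  # p12_dn <file.p12> <password> <-subject|-issuer>
        openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null \
            | openssl x509 -noout "$3" -nameopt RFC2253 | sed 's/^[a-z]*= *//'
    }

    # Returns 0 when both keystores share an issuer DN and issuer.pem's subject equals that DN,
    # 1 on a mismatch, 2 if a keystore cannot be opened (wrong path or password).
    check_ra_keystores() {  # check_ra_keystores <gui.p12> <caservice.p12> <issuer.pem> <password>
        gui_issuer=$(p12_dn "$1" "$4" -issuer) || return 2
        svc_issuer=$(p12_dn "$2" "$4" -issuer) || return 2
        issuer_subj=$(openssl x509 -in "$3" -noout -subject -nameopt RFC2253 | sed 's/^[a-z]*= *//')
        [ -n "$gui_issuer" ] && [ -n "$svc_issuer" ] || return 2
        [ "$gui_issuer" = "$svc_issuer" ] || { echo "issuer mismatch: '$gui_issuer' vs '$svc_issuer'"; return 1; }
        [ "$issuer_subj" = "$gui_issuer" ] || { echo "$3 is not the issuer of these keystores"; return 1; }
        echo "ok: both keystores issued by $gui_issuer"
    }

    # Constructed test PKI, standing in for what EJBCA would issue: two throwaway CAs ("ca" and
    # "other"), with gui.p12 and svc.p12 signed by "ca" and foreign.p12 signed by "other".
    make_test_pki() {  # make_test_pki <dir> <password>
        d=$1; pw=$2
        for ca in ca other; do
            openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=$ca" -days 1 \
                -keyout "$d/$ca.key" -out "$d/$ca.pem" 2>/dev/null
        done
        for ee in gui:ca svc:ca foreign:other; do
            n=${ee%%:*}; s=${ee##*:}
            openssl req -newkey rsa:2048 -nodes -subj "/CN=$n" \
                -keyout "$d/$n.key" -out "$d/$n.csr" 2>/dev/null
            openssl x509 -req -in "$d/$n.csr" -CA "$d/$s.pem" -CAkey "$d/$s.key" \
                -CAcreateserial -days 1 -out "$d/$n-ee.pem" 2>/dev/null
            openssl pkcs12 -export -in "$d/$n-ee.pem" -inkey "$d/$n.key" \
                -out "$d/$n.p12" -passout "pass:$pw"
        done
    }
    ```

    Against real keystores, run check_ra_keystores with the GUI host's P12, the CA service's P12 (copied over, as the thread discusses) and the issuer PEM you placed on the RA host.
    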

  • Oleksander Petrov

    And the last question: what certificate profile should I choose for those certificates (server or end user)?

  • Oleksander Petrov

    Well, I suppose that I am right and will try to configure it as I wrote above.
    A new table "message" was created in the messages database automatically.
    I added a new end entity on the external RA and went to http://localhost:8080/externalra-gui/facelet/enroll.xhtml . When I try to issue a certificate I get the error "CA could not create certificate with given credentials".
    If I create the new end entity on the CA, certificate enrollment works.
    But the main idea of the external RA is that all entities should be registered on the external RA.
    By the way, there is no data in the message table.

  • Tomas Gustavsson

    CA nodes means that you are running a cluster with several CA machines using the same database. Not CA and RA.


  • Mahabub Akram - 2013-09-17

    I have installed EJBCA successfully, and when I tried to install the RA some problems occurred.

    I have done the following steps to set up my RA:

    1. I have only one CA, which is AdminCA1. I have exported the JKS, P12 and PEM files of that AdminCA1, where the password of the P12 file is foo123.
    2. Then I opened an End Entity Profile; the username of that End Entity is CEP1 and the password is foo123.
    3. I have exported all the P12, PEM and JKS files of that End Entity.

    4. Then I created a Custom Worker with the following properties in the Services option of the Admin GUI.
      Custom Worker ClassPath:

    Custom Worker Properties:

    Select Interval:Periodical Interval
    Period: 5 seconds
    Select Action:No Action

    5. I have also opened and changed some properties in externalra.properties. These are:

    Last edit: Mahabub Akram 2013-09-17
  • Mahabub Akram - 2013-09-17

    6. Then I opened and changed some properties in externalra-gui.properties.
    These are:
    7. Then I deployed using
    ant deploy
    ant externalra-gui-deploy
    8. Then I opened the link https://localhost:8442/externalra-gui/facelet/enroll.xhtml
    9. Then I tried to create a Keystore or Browser Certificate with the
    Entity identifier (username): CEP1 (username of the End Entity)
    Shared secret (password): foo123

    BUT after some time it shows "CA did not respond".
    Please guide me through solving this problem and installing the RA in EJBCA.

  • Tomas Gustavsson

    A keystore for signing and encryption is an end user certificate.

  • Tomas Gustavsson

    You have to check the server log files; obviously your CA service did not pick up the message and process it.

  • Mahabub Akram - 2013-09-17

    So after that, when I checked the JBoss log, it showed the following errors:
    1.ERROR [org.ejbca.extra.db.ExtRAMsgHelper] (http- Error Encryptin Keys::
    2.ERROR [org.ejbca.extra.db.SubMessages] (http- Error writing persistent SubMessages.
    3.ERROR [org.ejbca.extra.db.SubMessages] (EJB-Timer-1379306296481[target=jboss.j2ee:ear=ejbca.ear,jar=ejbca-ejb.jar,name=ServiceSessionBean,service=EJB3]) Error reading persistent SubMessages.
    4.ERROR [org.ejbca.externalra.gui.EnrollInterfaceBean] (http- KeyStore request for 'CEP1' failed. No response from CA.

    I need some guidance to get me through it.

  • Mahabub Akram - 2013-09-17

    Hello Tomas,
    Are all my configurations correct?

    Last edit: Mahabub Akram 2013-09-17
  • Tomas Gustavsson

    I believe there is a lot more information than this in the log?
    It seems you have a misconfiguration somewhere. I would skip signing and encryption of messages and use unprotected messages as a first step.
    If you get that working, you can move on to try using encryption and signing.

  • Mahabub Akram - 2013-09-17

    I have used false for both encryption and signing, and I mentioned it in bullet 4.
    I am pasting here what I have done in the Custom Worker:
    I have been using no encryption and no signing from the very start of setting up the Custom Worker.

    I am also attaching the JBoss server log where the detailed ERROR is shown.

