Đang tải... (xem toàn văn)
Tài liệu mô tả các thực hiện cài đặt 2 máy ảo bằng EJBCA để cấp chứng chỉ Link hướng dẫn: https:youtube.complaylist?list=PLEjCMuUMVuekxK5wpB6ABV_ss30wHh_m5Tài liệu mô tả các thực hiện cài đặt 2 máy ảo bằng EJBCA để cấp chứng chỉ Link hướng dẫn: https:youtube.complaylist?list=PLEjCMuUMVuekxK5wpB6ABV_ss30wHh_m5Tài liệu mô tả các thực hiện cài đặt 2 máy ảo bằng EJBCA để cấp chứng chỉ Link hướng dẫn: https:youtube.complaylist?list=PLEjCMuUMVuekxK5wpB6ABV_ss30wHh_m5Tài liệu mô tả các thực hiện cài đặt 2 máy ảo bằng EJBCA để cấp chứng chỉ Link hướng dẫn: https:youtube.complaylist?list=PLEjCMuUMVuekxK5wpB6ABV_ss30wHh_m5Tài liệu mô tả các thực hiện cài đặt 2 máy ảo bằng EJBCA để cấp chứng chỉ Link hướng dẫn: https:youtube.complaylist?list=PLEjCMuUMVuekxK5wpB6ABV_ss30wHh_m5Tài liệu mô tả các thực hiện cài đặt 2 máy ảo bằng EJBCA để cấp chứng chỉ Link hướng dẫn: https:youtube.complaylist?list=PLEjCMuUMVuekxK5wpB6ABV_ss30wHh_m5Tài liệu mô tả các thực hiện cài đặt 2 máy ảo bằng EJBCA để cấp chứng chỉ Link hướng dẫn: https:youtube.complaylist?list=PLEjCMuUMVuekxK5wpB6ABV_ss30wHh_m5Tài liệu mô tả các thực hiện cài đặt 2 máy ảo bằng EJBCA để cấp chứng chỉ Link hướng dẫn: https:youtube.complaylist?list=PLEjCMuUMVuekxK5wpB6ABV_ss30wHh_m5Tài liệu mô tả các thực hiện cài đặt 2 máy ảo bằng EJBCA để cấp chứng chỉ Link hướng dẫn: https:youtube.complaylist?list=PLEjCMuUMVuekxK5wpB6ABV_ss30wHh_m5Tài liệu mô tả các thực hiện cài đặt 2 máy ảo bằng EJBCA để cấp chứng chỉ Link hướng dẫn: https:youtube.complaylist?list=PLEjCMuUMVuekxK5wpB6ABV_ss30wHh_m5Tài liệu mô tả các thực hiện cài đặt 2 máy ảo bằng EJBCA để cấp chứng chỉ Link hướng dẫn: https:youtube.complaylist?list=PLEjCMuUMVuekxK5wpB6ABV_ss30wHh_m5Tài liệu mô tả các thực hiện cài đặt 2 máy ảo bằng EJBCA để cấp chứng chỉ Link hướng dẫn: https:youtube.complaylist?list=PLEjCMuUMVuekxK5wpB6ABV_ss30wHh_m5
Firewalld Install sudo yum install firewalld sudo systemctl enable firewalld sudo reboot sudo firewall-cmd - -state Open port sudo firewall-cmd zone=public add-port=8443/tcp - -permanent sudo firewall-cmd - -reload sudo iptables-save | grep 8443 EJBCA web Connect to ejbca Get file P12 (in Centos virtual machine) and import certificate on Windows with password: 123456, after that be able to connect https://ipadress:8443/ejbca on Browser If it don’t work, open port 8443 by firewall Create CA for Server In AdminWeb, choose Certificate Profiles, clone ROOTCA then edit: Name: ServerCACertificateProfile with 2048 bits or others and set all default Choose Crypto Tokens, Create new with new ServerCA: Name: ServerCA CryptoToken Generate new key pair Alias encryptKey & signKey with size 2048 then test them Add CA (in Certificate Authorities) ServerCA then Edit CA: Select ServerCA CryptoToken, set Subject DN: CN=ServerCA,OU=CMC,O=CMC company,L=ha noi,ST=cau giay,C=VN, Certificate Profile: ServerCACertificateProfile Validity: 10y and all of rest is setup default Create CA for Client Create Request Certificate for Client Next to Client web, in adminWeb, choose Certificate Profiles, clone SUBCA then edit: Name: ClientCACertificateProfiles with 2048 bits or others and set all default Choose Crypto Tokens, Create new with new ClientCA: Name: ClientCA CryptoToken Generate new key pair Alias encryptKey & signKey with size 2048 then test them Add CA: ClientCA then Edit CA (in Certification Authorities): Select ClientCA Crypto Tokens, set Subject DN: CN=ClientCA,OU=CMC,O=CMC company,L=ha noi,ST=cau giay,C=VN, In Signed By, choose External CA Go to publicWeb Server get file ServerCA PEM chain in Fetch CA Certificates Turn back, insert that file in ServerCA PEM chain Then get a file pem (this is csr - request certificate file) (1) After that, we get ClientCA, (Waiting for Certificate Response) Create Respond file from ServerCA In ServerWeb, choose admin web, choose End Entity Profiles, Add Profile: ClientCAEndEntityProfile then Edit If we want to set: CN=ngmduc2012, OU=CMC, O=CMC company, L=ha noi, ST=cau giay, C=VN, in Subject DN Attributes choose: CN, OU, O, L, ST, C then add them In Main certificate Profile choose: ENDUSER, ServerCA, User Generated All of rest is default, then save Choose Add End Entity, select ClientCAEndEntityProfile Fulfil Username, password, CN: ClientCA, OU: CMC, …, C: VN All of rest set default or don’t fulfil Then save In PublicWebServer, choose Create Certificate from CSR Fill Username and code just create above Insert file Request (1) After that, we get a file respond (2) Insert file Respond In ClientWeb, choose Admin Web, choose Certification Authorities, then Edit ClientCA In Step – Import Certificate: choose file (2), click Receive Certificate Response, then save After that, we get ClientCA, (Active) Keytool – ejbca.sh Create CA for Server Generate keypair In Virtual machine server (Use PKCS12 is instead of default JKS.) keytool -genkeypair -alias signKey -keyalg RSA -keysize 2048 -dname "CN=ngmduc1, OU=CMC, O=CMC company, L=ha noi, ST=cau giay, C=VN" -keypass 123456 -validity 100 -storetype PKCS12 -keystore serverCA.p12 -storepass 123456 Export Certificate keytool -exportcert -alias signKey -keypass 123456 -storetype PKCS12 -keystore serverCA.p12 -file serverCACert.cer -rfc -storepass 123456 Create CA for Client Create Request Certificate for Client In virtual machine client, get file serverCACert.cer Import Server Certificate: keytool -importcert -alias signKey -keypass 123456 -storetype PKCS12 -keystore clientCA.p12 -file serverCACert.cer -rfc -storepass 123456 Generate Keypair: keytool -genkeypair -alias signKey -keyalg RSA -keysize 2048 -dname "CN=ngmduc2, OU=CMC, O=CMC company, L=ha noi, ST=cau giay, C=VN" -keypass 123456 -validity 100 -storetype PKCS12 -keystore ngmduc2.p12 -storepass 123456 keytool -genkeypair -alias nmduc3 -keyalg RSA -keysize 2048 -dname "CN=ngmduc3, OU=CMC, O=CMC company, L=ha noi, ST=cau giay, C=VN" -keypass 123456 -validity 100 -storetype PKCS12 -keystore ngmduc3.p12 -storepass 123456 keytool -genkeypair -alias nmduc4 -keyalg RSA -keysize 2048 -dname "CN=ngmduc4, OU=CMC, O=CMC company, L=ha noi, ST=cau giay, C=VN" -keypass 123456 -validity 100 -storetype PKCS12 -keystore ngmduc4.p12 -storepass 123456 keytool -genkeypair -alias nmduc5 -keyalg RSA -keysize 2048 -dname "CN=ngmduc5, OU=CMC, O=CMC company, L=ha noi, ST=cau giay, C=VN" -keypass 123456 -validity 100 -storetype PKCS12 -keystore ngmduc5.p12 -storepass 123456 Generate a Certificate Request: keytool -certreq -alias signKey -keypass 123456 -storetype PKCS12 -keystore ngmduc2.p12 -storepass 123456 -file ngmduc2.csr keytool -certreq -alias nmduc3 -keypass 123456 -storetype PKCS12 -keystore ngmduc3.p12 -storepass 123456 -file ngmduc3.csr keytool -certreq -alias nmduc4 -keypass 123456 -storetype PKCS12 -keystore ngmduc4.p12 -storepass 123456 -file ngmduc4.csr keytool -certreq -alias nmduc5 -keypass 123456 -storetype PKCS12 -keystore ngmduc5.p12 -storepass 123456 -file ngmduc5.csr Create Respond file from ServerCA Case 1: In web admin server: Choose RA Web, in Request new certificate, Make New Request, ClientCAEndEntityProfile, Provided by user, upload file CSR, then download file pem chain (ngmduc2.pem) Case 2: In virtual machine server, use ejbca.sh /opt/ejbca/bin/ejbca.sh Add End Entity ejbca.sh addendentity username ngmduc3 dn "CN=ngmduc3, OU=CMC, O=CMC company, L=ha noi, ST=cau giay, C=VN" token PEM caname ServerCA type ejbca.sh addendentity username ngmduc4 dn "CN=ngmduc4, OU=CMC, O=CMC company, L=ha noi, ST=cau giay, C=VN" token PEM caname ServerCA type Create Certificate ejbca.sh createcert username ngmduc3 password 123456 -c ngmduc3.csr -f ngmduc3.pem ejbca.sh createcert username ngmduc4 password 123456 -c ngmduc4.csr -f ngmduc4.pem Case 3: In virtual machine server, use clientToolBox Setting clientToolBox Change content in file /opt/ejbca/dist/clientToolBox/ejbcaClientToolBox.sh EjbcaWsRaCli with # Property file for the web service client Used to specify # URL to web service and path to keystore # Web Service URL Important the hostname MUST match the CN of the server certificate # The wsdl schema location is the URL below with '?wsdl' in the end # For example: https://localhost:8443/ejbca/ejbcaws/ejbcaws?wsdl # # default: https://localhost:8443/ejbca/ejbcaws/ejbcaws # for standalone ejbcaws.war deployment use: https://localhost:8443/ejbcaws/ejbcaws ejbcawsracli.url = https://caadmin.cmc.vn:8443/ejbca/ejbcaws/ejbcaws # Path to the keystore used to authenticate the client to the Web Service # The keystore can be: # a java keystore (.jks) If ejbcawsracli.truststore.path is not set the CA certificate of the tomcat server certificate must be in in its truststore, and the server certificate is validated against this # a PKCS12 keystore (.p12) If ejbcawsracli.truststore.path is not set an acceptAll truststore policy will then be used so the servers certificate is not verified against a truststore #default : keystore.jks ejbcawsracli.keystore.path = / /p12/superadmin.p12 # A shared library path to a PKCS#11 so a HSM or smartcard could be used If ejbcawsracli.truststore.path is not set an acceptAll truststore policy will then be used so the servers certificate is not verified against a truststore #ejbcawsracli.p11.sharedlibrary = /usr/lib/libaetpkss.so # The slot number/index/label to be used #ejbcawsracli.p11.slot = #ejbcawsracli.p11.slot = slotlabel # The type of the above label #ejbcawsracli.p11.slotlabeltype = SLOT_NUMBER #ejbcawsracli.p11.slotlabeltype = SLOT_INDEX #ejbcawsracli.p11.slotlabeltype = SLOT_LABEL #Password to unlock the keystore # Comment out this to prompt for every time the client starts #ejbcawsracli.keystore.password ='123456' # Path to the truststore used to authenticate the Web Services server certificate # If not set settings from the keystore is used, see ejbcawsracli.keystore.path #default: not set ejbcawsracli.truststore.path = / /p12/truststore.jks Change content /ect/hosts by sudo: #127.0.0.1 localhost localhost.localdomain localhost4 localhost4.localdomain4 #::1 localhost localhost.localdomain localhost6 localhost6.localdomain6 #127.0.0.1 localhost localhost.localdomain 192.168.1.10 caadmin.cmc.vn caadmin #::1 localhost localhost.localdomain (Example: sudo cp /home/cmc/hosts /etc) Then restart: sudo reboot Run: cd /opt/ejbca/dist/clientToolBox/ export PATH=/opt/ejbca/dist/clientToolBox:$PATH echo $PATH ejbcaClientToolBox.sh EjbcaWsRaCli getClientToolBoxVersion Add End Entity Create New End Entity On web admin server, choose Certificate Profiles, fill: EndEntityCertificateProfile then click Add, next to Edit it Set 2048 bits & Available Cas ServerCA, all of rest set default Choose End Entity Profiles, fill, add, edit: EndEntityProfile Subject DN Attributes: CN, OU, O, L, ST, C Main certificate data: EndEntityCertificateProfile, ServerCA, User Generated ejbcaClientToolBox.sh EjbcaWsRaCli edituser ngmduc5 false "CN=ngmduc5, OU=CMC, O=CMC company, L=ha noi,ST=cau giay,C=VN" NULL NULL ServerCA USERGENERATED NEW EndEntityProfile EndEntityCertificateProfile NULL ejbcaClientToolBox.sh EjbcaWsRaCli edituser ngmduc7 false "CN=ngmduc7, OU=CMC, O=CMC company, L=ha noi,ST=cau giay,C=VN" NULL NULL ServerCA USERGENERATED NEW EndEntityProfile EndEntityCertificateProfile NULL ejbcaClientToolBox.sh EjbcaWsRaCli edituser Create Certificate ejbcaClientToolBox.sh EjbcaWsRaCli certreq ngmduc5 "CN=ngmduc5, OU=CMC, O=CMC company, L=ha noi, ST=cau giay, C=VN" NULL ServerCA EndEntityProfile EndEntityCertificateProfile /home/cmc/ngmduc5.csr PKCS10 PEM ~ Insert file Respond keytool -importcert -alias signKey -file ngmduc2.pem -keystore ngmduc2.p12 -trustcacerts keytool -importcert -alias signKey -file ngmduc3.pem -keystore ngmduc3.p12 -trustcacerts keytool -importcert -alias signKey -file ngmduc4.pem -keystore ngmduc4.p12 -trustcacerts keytool -importcert -alias signKey -file ngmduc5.pem -keystore ngmduc5.p12 -trustcacerts Remote everywhere Linux/CentOS Create a visual machine as same as EJBCA server Setting clientToolBox the Same Change file host with ip adress Server visual machine that want to connect Now, we can everything about EJBCA as usual Windows Setting file host on Windows 10 Open path c:\Windows\System32\Drivers\etc\hosts on Notepad as Administrator Example: Set 192.168.43.28 caadmin.cmc.vn (Maybe we need a certificate from visual machine Server) Tools Wildfly run: sudo systemctl start wildfly.service check: systemctl status wildfly.service Remote SSH PuTTY - Use for command line WinSCP - Use for file in virtual machine Visual Code - EXTENTON: Marketplace Search “ssh” & install Remote – SSH - All done, select Remote explorer Ful name@ipadress - Choose connect to host in New Windows Select Linux & ful password Run code Translate: Javac name.java Run: Java name Check version: java -version Code Linux/CentOS Using Visual Studio for code Follow here, to find EJBCA libraries Import library of EJBCA in Visual machine: /usr/lib/jvm/java-1.8.0-openjdk-1.8.0.265.b01-4.el8.x86_64/jre/lib/ext Don’t using library RAAdmin.jar Windows Using Intel IJ for code Bug No such provider: BC follow Document Class & functions of EJBCA: https://download.primekey.com/docs/EJBCAEnterprise/6_8_0/ws/org/ejbca/core/protocol/ws/client/gen/UserDataVOWS.html Everything about EJBCA: https://download.primekey.com/docs/EJBCAEnterprise/6_15_0/Web_Service_Interface.html ... https://localhost:8443 /ejbca/ ejbcaws/ejbcaws?wsdl # # default: https://localhost:8443 /ejbca/ ejbcaws/ejbcaws # for standalone ejbcaws.war deployment use: https://localhost:8443/ejbcaws/ejbcaws ejbcawsracli.url... used #ejbcawsracli.p11.slot = #ejbcawsracli.p11.slot = slotlabel # The type of the above label #ejbcawsracli.p11.slotlabeltype = SLOT_NUMBER #ejbcawsracli.p11.slotlabeltype = SLOT_INDEX #ejbcawsracli.p11.slotlabeltype... functions of EJBCA: https://download.primekey.com/docs/EJBCAEnterprise/6_8_0/ws/org /ejbca/ core/protocol/ws/client/gen/UserDataVOWS.html Everything about EJBCA: https://download.primekey.com/docs/EJBCAEnterprise/6_15_0/Web_Service_Interface.html