Setup for Enrolment over Secure Transport

[siilitman]

We already run a Microsoft Enterprise PKI stack consisting of an offline Root CA and two Issuing CA's for our users, PC's, and servers which has been running for many years. Unfortunately, the microsoft PKI setup for handling non-windows devices and devices other than PC's/servers is pretty dire and hasn't improved with time. We are now in a position where we need to setup EST profiles from a management application for a significant number of IoT and network devices and this application was recommended.

After throwing up a docker container and having a look at the software, I have a number of questions that I'm hoping someone can either advise me on or direct me to the answers.

I've worked out how to setup an CA in our EJBCA authenticated by an external CA. As our Root CA is offline, would it be better to have one of our ICA's process the EJBCA request as they have ocsp setup. Both our RCA and ICA publish CRL's to a web folder in our organization.

How can we change the "management ca" certificate to one that is authorised by our Root CA

Once I've setup the end entity for the application, I take it I use the RA url to make the certificate requests from within the app?

Thanks in advance for your answers on this.

[primetomas]

Hi, I'll start from the bottom :-).

1. External Management CA. You import the external CA into EJBCA, so you can add a role member issued from that CA. You then have to add that CA certificate to the TLS truststore. I "think" that when restarting the container the TLS truststore is populated with the found Root CAs in the database. If I am wrong about that, It is described in the dockerhub doc how to mount a custom trust store when starting the container. This enables client certs issued by that CA to be used to authentication to EJBCA/Container.
2. ICA in EJBCA. You can do however you like here, any CA hierarchy is possible. I tend to recommend as shallow as possible, i.e. the EJBCA ICA signed by your off-line Root CA. The CDP in the issued ICA certificate of course then points to the Root CA CRL. Having an intermediate just makes the hierarchy longer, and I don't recommend an intermediate CA that also issues other end entity certificates, and intermediate should just be an intermediate (and I'd say it's rare with intermediate CAs today).

I hope I understood the questions correctly. Otherwise just back back with clarifications.