Renewal of certificate with status "GENERATED"

[twardy103]

Hi,
I am writing a service which is using EJBCA as a CA. We have a certificate which is working as expected till expiration time.
I know right now how to set automatic renewal of certificate, but wondering about one needed step which I am doing right now:

• setting certificate from GENERATED to NEW. This is according to your documentation:
  https://doc.primekey.com/ejbca/ejbca-operations/ejbca-operations-guide/ca-operations-guide/end-entities/certificate-renewal

On above page you have description:
Since the CA has all public keys of the end entities, as they are in the certificates that the CA stores, this process can be automated. How to automate the process is more advanced and can be done in many ways, suitable for different workflows, and is not described here.

I am wondering how we can automate this I mean we would like to have a scenario:
1). We are configuring EJBCA
2). We are starting our service for which will be new certificate generated
3). Everything is working as expected, we have renewal of certificate for next period.
4). Scenario should continuously working (currently first renewal is working when I changes status from GENERATED to NEW, but after renewal certificate is again in GENERATED state and next renewal will not work automatically.

Options we can see:

• no need to change certificate from GENERATED to NEW
• automate procedure to switch certificate from GENERATED to NEW (I have checked all EJBCA GUI but unfortunately I did not find such option).

We do not want to monitor certificate expiration and then send a config to change statuses for certificates. We would like to make it working automatically (hopefully it is possible).

BR,
Aleksander

[primetomas]

What is your service using? I would expect a service to use one of the APIs of EJBCA. Most APIs have built in renewal support, i.e. CMP have key update, SCEP has renewal, EST have renewal. Using REST or WS, manual status swapping is not needed, but then renewal is performed by an RA so not the same use case.

Status "generated" is there in order to make the enrollment code a one-time code. Otherwise enrollment/renewal depends on the secrecy of the enrollment code, which is not the most secure way. You can configure EJBCA to not change NEW->GENERATED in several ways. One is "number of allowed request" in the EE profile, and the other is to uncheck "finish user" in the CA setting. In the last case status will always remain new.

My generic recommendation is to use an API that has built in (standardized) renewal support.

[twardy103]

Hi,
Thanks for your answer.
I am using CMP server, let me show you some examples of my configuration on the pictures:
1). Certificate hierarchy:
ENM_PKI_Root_CA -> NE_OAM_CA -> CTS
ENM_PKI_Root_CA -> NE_OAM_CA -> MSRBS

Above two needs automatic renewal (CTS and MSRBS).

2). Commands used for EJBCA configuration:
echo -e "\n\nGenerating ENM_PKI_Root_CA certificate"
cmd=ejbca.sh ca init --caname ENM_PKI_Root_CA --dn 'OU=RANI,O=KI,C=SE,CN=ENM_PKI_Root_CA' --keyspec 2048 --keytype RSA -v 365 --policy null -s SHA256WithRSA --tokenType soft
echo $cmd

echo -e "\nGenerating NE_OAM_CA certificate"
cmd=ejbca.sh ca init --caname NE_OAM_CA --dn 'OU=RANI,O=KI,C=SE,CN=NE_OAM_CA' --keyspec 2048 --keytype RSA -v 7 --policy null -s SHA256WithRSA --tokenType soft --signedby 881047250
echo $cmd

echo -e "\nImporting profiles"
cmd=ejbca.sh ca importprofiles -d /tmp
echo $cmd

echo -e "\nLinking certificate profile with NE_OAM_CA"
cmd=ejbca.sh ca changecertprofile --caname NE_OAM_CA --certprofile CtsServerCertProfile
echo $cmd

echo -e "\nSeting up CMP enrollment"
ejbca.sh config cmp addalias --alias CtsCmp
ejbca.sh config cmp updatealias --alias CtsCmp operationmode ra
ejbca.sh config cmp updatealias --alias CtsCmp authenticationmodule "EndEntityCertificate;HMAC"
ejbca.sh config cmp updatealias --alias CtsCmp authenticationparameters "NE_OAM_CA;123456"
ejbca.sh config cmp updatealias --alias CtsCmp ra.endentityprofileid 1790013311
ejbca.sh config cmp updatealias --alias CtsCmp ra.certificateprofile CtsServerCertProfile
ejbca.sh config cmp updatealias --alias CtsCmp ra.caname NE_OAM_CA
ejbca.sh config cmp updatealias --alias CtsCmp response.extracertsca 881047250
ejbca.sh config cmp updatealias --alias CtsCmp response.capubsca 881047250
ejbca.sh roles addrole Allow_Renewal
ejbca.sh roles addrolemember --role Allow_Renewal --with WITH_ORGANIZATIONALUNIT --caname NE_OAM_CA --value RANI
ejbca.sh roles changerule --name Allow_Renewal --rule /ra_functionality/edit_end_entity/ --state ACCEPT

echo -e "\nGetting CA cert locally"
ejbca.sh ca listcas
ejbca.sh ca getcacert ENM_PKI_Root_CA /tmp/ENM_PKI_Root_CA.pem

In this command I need to extend parameters somehow to be able to choose Authorized CAs and EndEntityProfiles:
ejbca.sh roles changerule --name Allow_Renewal --rule /ra_functionality/edit_end_entity/ --state ACCEPT
If you know how to set it -> please let me know also.

Currently after issuing such command I have such config:

Blue arrow are expected to be set.

3). CMP configuration:

4). I found something like:
ejbca.sh ra setendentitystatus CTS 10
ejbca.sh ra setclearpwd CTS r00tme

But it is "working" -> setting status of CTS EndEntity to NEW instead of GENERATED only once.
I believe it is a simple way to just "enable automatic renewal without any complicated configuration".
Is FinishUser good example for me?
How it needs to be configured?

If you need more input about configuration - please let me know also.

BR,
Aleksander

[twardy103]

Update:
I am able to have NEW in EE continuously (also after renewal of certificate).
To make it working I unset FinishUser:

Now I need only last two things, seems so (how to set it from ejbca.sh CLI):
1). How to extend the command to set blue arrow from CLI:
ejbca.sh roles changerule --name Allow_Renewal --rule /ra_functionality/edit_end_entity/ --state ACCEPT

2). How to unset FinishUser option for NE_OAM_CA:
cmd=ejbca.sh ca init --caname NE_OAM_CA --dn 'OU=RANI,O=KI,C=SE,CN=NE_OAM_CA' --keyspec 2048 --keytype RSA -v 7 --policy null -s SHA256WithRSA --tokenType soft --signedby 881047250

BR,
Aleksander

[twardy103]

Sorry for spamming, for second one I have already solution :)
ejbca.sh ca editca --caname NE_OAM_CA --field finishUser --value false

[primetomas]

I'm a bit confused though. If you use CMP in RA mode you do not have to bother about end entities at all. That is all handled in the background. No need to create an end entity, no need to reset status. Just use CMP commands for enrollment and renewal, as documented here. You can find example commands using "openssl cmp" for various example use cases.
https://doc.primekey.com/ejbca/ejbca-operations/ejbca-ca-concept-guide/protocols/cmp

[twardy103]

Hm, good question. We are using some internal service for certificates (CertM) which is sending kur messages as far as I know.

But back to my question (if we would like to keep current config which is almost working for us :)).
How to extend the command to set blue arrow from CLI:
ejbca.sh roles changerule --name Allow_Renewal --rule /ra_functionality/edit_end_entity/ --state ACCEPT

This is last thing which is not working for me.

[primetomas]

The easiest thing is to switch to Advanced mode in the access rule window. Select whatever you want in the Basic view, switch to Advanced view and then you will see the full rule string as you can use it in the CLI.

[twardy103]

Working perfectly! Thanks for your support! Now I am able to enable automatic renewal of my two certificates using only CLI - which was my goal.
BR,
Aleksander