Add CN/first SAN suffix to EJBCA username

[mwllgr]

Hi,

when working with EJBCA, one often uses the Admin UI to search for certificates.
There, EJBCA groups issued certificate using the username ("end entity"). Usually, one would create one end entity per host, for example. This is exactly what the official EJBCA EE implementation does when enabling EJBCA - it creates one End Entity per enrollment if the Common Name/first SAN differs.

When using acme2certifier as bridge, the page would look like this:

As you can see, there's no information about the certificate's hostname or what it might belong to. One has to click through all issued certificates of this end entity to find a specific host certificate.

I circumvented this by modifying the existing EJCBA handler to add the first SAN to a hardcoded username in the _sign-method:

        data_dic = {
            "certificate_request": csr,
            "certificate_profile_name": self.cert_profile_name,
            "end_entity_profile_name": self.ee_profile_name,
            "certificate_authority_name": self.ca_name,
            "username": "usr_issuing-acme_" + self._csr_cn_get(csr_raw), # Changed 2025-06-15
            "password": self.enrollment_code, 
            "include_chain": True,
        }

I took the _csr_cn_get method from the asa_ca_handler:

acme2certifier/examples/ca_handler/asa_ca_handler.py

Line 224 in 4bd861c

def _csr_cn_get(self, csr: str) -> str:

... and don't forget to import the CSR helper method from acme_srv.helper :)

After the change, the list looks like this - neatly grouped:

Now, to my question: Is there any more official way to achieve something like that? Maybe by using a variable in the username or something? Thanks :)

[mwllgr]

... also: Is there any way to donate? Your project is awesome!

[grindsa]

Let me think about it :-). I had multiple people asking for it but I avoided the effort looking for a micropayment partner fitting my needs.

[grindsa]

Hi,

thank you for the feedback. I am not really an EJBCA expert but what you are proposing makes sense.

I am thinking about a configuration option in the handler allowing to add the CN to the "username" used for enrollment (I assume that "usr_issuing-acme" is your username usually configured in acme_srv.cfg).

So something like

[CAhandler]
handler_file: examples/ca_handler/ejbca_ca_handler.py
...
username: usr_issuing-acme
username_append_cn: True

which would then lead to the modified enrollment configuration you described above. Would this fit your needs?

[grindsa]

Hi again,

I pushed a modified ejbca handler to the development branch. This handler adds the the CN (or first SAN) from the CSR to the user-name used in the enrollment request.

It should be enough to replace your current ejbca-handler with the modified one and enable the feature via acme_srv.cfg

[CAhandler]
handler_file: examples/ca_handler/ejbca_ca_handler.py
...
username: usr_issuing-acme
username_append_cn: True

The handler works well in my environment. Hence, feel free to test and to provide feedback.

/G.

[mwllgr]

Is there a Docker image available for the development branch, @grindsa?

[grindsa]

I created one for testing: docker pull grindsa/acme2certifier:devel. Feel free to try it....

[mwllgr]

Works! Although I think it would be better if you'd change

username = f"{self.username}-{self._csr_cn_get(csr)}"

to

username = f"{self.username}{self._csr_cn_get(csr)}"

i. e. removing the "forced" separator - to let the user freely choose one.
I'd like to use an underscore here, so my generated end entity username looks a bit weird now ;-)

Thanks so much for the quick implementation!

[grindsa]

ok. Your proposal makes sense. I will change as you suggested and release the feature with v0.38. So thank you for your help and validation.

[mwllgr]

Tested with new docker image 0.38 - all good too. I'll change the title of the discussion and issue to reflect the real changes and close both of them. Thanks again!

Edit: Can't close the issue and cannot change title either.