PRINT DATE: 2019-05-22 EJBCA Cloud AWS Launch Guide


Copyright ©2019 PrimeKey Solutions

Published by PrimeKey Solutions AB

Solna Access, Sundbybergsvägen 1

SE-171 73 Solna, Sweden

To report errors, please send a note to [email protected].

Notice of Rights

All rights reserved. No part of this guide may be reproduced or transmitted in any form by any means, electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the publisher. For more information on getting permission for reprints and excerpts, contact [email protected].

Notice of Liability

The information in this guide is distributed on an “As Is” basis without warranty. While every precaution has been taken in the preparation of the guide, neither the authors nor PrimeKey shall have any liability to any person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by the instructions contained in the guide or by computer software and hardware products described in it.

Trademarks

Many of the designations used by manufacturers and sellers to distinguish their products are claimed as trademarks. Where those designations appear in this guide, and PrimeKey was aware of a trademark claim, the designations appear as requested by the owner of the trademark. All other product names and services identified throughout this guide are used in editorial fashion only and for the benefit of such companies with no intention of infringement of the trademark. No such use, or the use of any trade name, is intended to convey endorsement or other affiliation with this guide.


Table of Contents

Introduction
    Documentation

Launch EJBCA Cloud AWS
    Locate EJBCA ECE in the AWS Marketplace
    Launch the instance
    Confirm running EJBCA ECE instance

Log in to EJBCA Cloud AWS
    Step 1: Get the Instance ID
    Step 2: Download p12 file from EJBCA Public Web
    Optional Step: Obtain the Management CA Certificate
    Step 3: Install p12
    Step 4: Browse to EJBCA Admin Web

Troubleshooting EJBCA Cloud AWS
    Issues accessing Public or Admin Web


Introduction

This guide is intended to help customers deploy EJBCA Cloud from Amazon Web Services (AWS) and log in to the EJBCA Admin Web for the first time.

Documentation

EJBCA Cloud documentation is available on: https://download.primekey.com/docs/EJBCA-Enterprise-Cloud/latest/

EJBCA Enterprise documentation is available on: https://download.primekey.com/docs/EJBCA-Enterprise/latest/

Additional information on EJBCA Community is available on: www.ejbca.org


Launch EJBCA Cloud AWS

This section describes how to launch EJBCA Cloud from AWS Marketplace.

The EC2 Console is a web interface that allows you to configure the EJBCA Cloud instance details from a web browser before you launch it. Follow the instructions below to launch an EJBCA Cloud instance.

Locate EJBCA ECE in the AWS Marketplace

Browse to the AWS Marketplace and search for "primekey" to display the following two results: one for Standard 8x5 support and the other for Premium 24x7 support. Select the instance type to use and click Continue to Subscribe.


Launch the instance

In the 1-Click Launch tab, the options will be unavailable and a warning is displayed about certain instance types being available only in VPCs.

To select a VPC and display the details, scroll down and expand the VPC Settings. EC2 Classic is selected by default in the Select a VPC field.

Select a VPC configured in your organization and all of the instance options will become available.

Review and specify the pricing model, Annual or Hourly. Then select a Version, the Region to run your instance in, and if needed a Security Group. For details, see VPC and Security Group. Choose a Key Pair to associate with this EJBCA Cloud EC2 instance (see Key Pair). Then click the Accept Software Terms & Launch with 1-click button to launch the instance.


VPC and Security Group

If you have an existing security group and Virtual Private Cloud (VPC) created, you can select them. Otherwise, choose which of these items you would like to be created. Ports 22, 80, and 443 are needed for access to the image and for it to perform its functions.

For more information on getting started with Amazon Virtual Private Cloud (Amazon VPC), refer to AWS Documentation on VPCs and Subnets.
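The ports named above, together with the troubleshooting advice that they be allowed from your IP, can be checked against a security group definition before you try to reach the Public or Admin Web. The following is an added example, not part of the PrimeKey guide: it reads JSON in the shape returned by aws ec2 describe-security-groups and reports, per port, whether the administrator's address is allowed in and whether the port is open to any address. The group ID, the addresses and the function names are constructed for illustration.

```python
import ipaddress
import json

REQUIRED_PORTS = (22, 80, 443)  # TCP ports the guide names for the instance

# Constructed sample shaped like `aws ec2 describe-security-groups` output;
# the group ID and addresses are placeholders (RFC 5737 documentation range).
SAMPLE = json.loads("""
{"SecurityGroups": [{
  "GroupId": "sg-EXAMPLE",
  "IpPermissions": [
    {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
     "IpRanges": [{"CidrIp": "203.0.113.10/32"}], "Ipv6Ranges": []},
    {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
     "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []}
  ]}]}
""")


def rule_covers(perm, port):
    """True if an inbound rule applies to the given TCP port."""
    proto = perm.get("IpProtocol")
    if proto == "-1":  # "-1" means all protocols and all ports
        return True
    if proto != "tcp":
        return False
    return perm.get("FromPort", 0) <= port <= perm.get("ToPort", 65535)


def audit_group(group, admin_ip, ports=REQUIRED_PORTS):
    """Per port: is admin_ip allowed in, and is the port open to any address?"""
    ip = ipaddress.ip_address(admin_ip)
    report = {}
    for port in ports:
        allowed = open_to_any = False
        for perm in group.get("IpPermissions", []):
            if not rule_covers(perm, port):
                continue
            cidrs = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            cidrs += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in cidrs:
                net = ipaddress.ip_network(cidr, strict=False)
                open_to_any = open_to_any or net.prefixlen == 0
                allowed = allowed or ip in net
        report[port] = {"allowed": allowed, "open_to_any": open_to_any}
    return report


if __name__ == "__main__":
    for port, result in audit_group(SAMPLE["SecurityGroups"][0], "203.0.113.10").items():
        print(port, result)
```

Rules that reference another security group or a prefix list instead of a CIDR range are not evaluated by this check.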


Key Pair

Specify the name of the key pair you plan to use to access the command line of the EJBCA instance. When you later connect to the instance, you must specify the private key that corresponds to the key pair you specify now when launching the instance. For information on creating a key pair using Amazon EC2, refer to AWS Documentation on Amazon EC2 Key Pairs.

Software Installation Details

After launching, the installation details are displayed and the status of the deployment is available in the EC2 Dashboard.

Confirm running EJBCA ECE instance

It may take several minutes for your instance to launch. After the Instance State changes from pending to running, the EJBCA Cloud instance is started.


Log in to EJBCA Cloud AWS

This section describes how to log in to EJBCA Cloud for the first time, following these steps:

• Step 1: Get the Instance ID 

• Step 2: Download p12 file from EJBCA Public Web

• Optional Step: Obtain the Management CA Certificate

• Step 3: Install p12

• Step 4: Browse to EJBCA Admin Web

To access the Admin Web of the deployed EJBCA Cloud instance, the superadmin credentials need to be retrieved from the server and installed on a system and/or browser.

PrimeKey recommends using Mozilla Firefox since it currently has self-enrollment capabilities and its own keystore separate from the operating system. Note that if you are using Google Chrome, you will need to import the key file to the local machine keystore.

Step 1: Get the Instance ID

You must use the Instance ID of your running instance to download and install the p12 file in the steps described below. To get the instance ID of your instance, do the following:

1. In the Amazon EC2 Console, go to Instance details.

2. In the lower pane, click the Description tab. The Instance ID is the ID for the instance. 

3. Click the icon next to the instance ID to copy the instance ID to your clipboard.

Step 2: Download p12 file from EJBCA Public Web

To obtain the credentials:

1. Browse to EJBCA Public Web at the URL: http://<AWS Public DNS Name or AWS Public IP Address>
   If you are not able to access the Public Web, refer to the Troubleshooting EJBCA Enterprise Cloud on AWS section.

2. In the Public Web, click Create Keystore under Enroll. A browser warning is shown as the certificate is not yet trusted in your web browser.


3. Click Advanced > Add Exception > Confirm Security Exception to add a browser exception to continue to the secure session.

4. On the Keystore Enrollment page, enter the default username superadmin, paste the Instance ID copied in Step 1: Get the Instance ID as your password, and click OK.

Note that these credentials can only be used once; after you have authenticated, they expire.

5. On the Token Certificate Enrollment page, click Enroll to download your p12 file certificate.

Optional Step: Obtain the Management CA Certificate

As an optional step, the Management CA certificate created during provisioning can be imported to the Trusted Root Certificate store of a machine that will be administering EJBCA. By importing the Management CA certificate to your system/browser, you ensure that administrators are presented with a green lock in their browsers upon accessing the EJBCA Admin Web for the first time, which indicates a trusted website and avoids untrusted website warnings.

To obtain the Management CA Certificate:

• Browse to EJBCA Public Web at the URL: http://<AWS Public DNS Name or AWS Public IP Address>

• Select Fetch CA Certificates.

• Download the CA certificate chain in the format of your choosing and import it to your system/browser.

Step 3: Install p12

With the p12 file downloaded, install the bundle on your system and/or browser's trust store.


To import the certificate in Mozilla Firefox:

1. On the Firefox menu, select Preferences.

2. Click Privacy & Security.

3. Scroll down to the Security section and click View Certificates.

4. On the Your Certificates tab, select Import.

5. Browse to the p12 file to import and, as the password, enter the Instance ID of the instance (copied in Step 1: Get the Instance ID).

Step 4: Browse to EJBCA Admin Web

With the credentials installed, click Administration in the Public Web to access the EJBCA Admin Web at the URL: https://<AWS Public DNS Name or AWS Public IP Address>/ejbca/adminweb

Your browser should now recognize your new certificate and open the EJBCA Admin Web displaying the Administration page.

If you are not able to access the Admin Web, refer to the Troubleshooting EJBCA Enterprise Cloud on AWS section.


Troubleshooting EJBCA Cloud AWS

Issues accessing Public or Admin Web

If you are not able to access the Public Web or Admin Web, ensure the Security Group associated with this instance has the following ports allowed from your IP:

Allow Inbound: