When it comes to integrating different use cases with EJBCA, we have several options: standard protocols like SCEP, EST, ACME and CMP, the REST API currently under development (at present only for CA management), or the XML-based SOAP web services.
A typical setup of the trusted environment contains the certification authority (CA) placed in a secure zone with restricted access, and the registration authority (RA) together with the validation authority (VA) in a DMZ to which the CA can establish a connection. Integration is done through the RA and VA.
One of the important tasks of the RA is to manage the status of the end entities. It should have control over the registration process and over all information changes to the entities involved in the PKI. This is basically the valid identity which is used to enroll and manage certificate status.
When we would like to start using the interfaces and protocols, we need to have several profiles configured, which then identify the type of service we would like to use.
Of course, from the integration point of view we would like to know the service; however, it should be transparent to us how the service is configured and who is managing it.
Introducing RA Profiles
We introduced RA Profiles in order to provide easy integration of different use cases with the EJBCA. The goals of the RA Profiles are:
- provide a higher level abstraction on top of EJBCA configuration
- introduce agility – change the service configuration on the fly, without impact on integrated clients
- streamline integration procedure and reduce time and costs needed
The RA Profiles sit in front of the RA, or can be part of it. Based on the definition of the RA Profiles and the configured authorization of clients, the RA Profiles handle the communication with EJBCA.
The following diagram shows the setup:
Through the RA Profiles, you can manage the integration through the definition of the profiles and of which clients are authorized to which profiles, and allow different administrators to take care of the solution, including management of different roles and access rules.
Within the basic functionality you can have the following:
Abstraction of EJBCA configuration
RA Profiles provide a configuration of the integration point based on the following attributes:
- End Entity Profile
- Certificate Profile
- Certification Authority Name
- Initial Status of End Entities
- Token Type
- RA Profile Name
- RA Keystore
- Keystore Credentials
Based on this configuration, clients which would like to integrate with the service only need to be aware of:
- the RA Profile Name, which is used to provide the service
- the RA Profiles end point
- definition of the services provided (typically REST API with JSON payload)
Agility of the integration
The abstraction of the EJBCA attributes gives us control over what is changing on the EJBCA side, as well as control over the integrated services and authorized clients.
Without interrupting the operation of the public key infrastructure we can change the service behaviour (change of the issuing CA, change of certificate or end entity attributes, signing algorithms, etc.).
With this approach we have all the benefits of an agile PKI to work with. What is also important, we do not need to put many requirements on the client side in order to make all of these changes happen.
Our customers usually do not want to be specialists and experts in the PKI domain; they have us!
Integration can sometimes be a very complex task, but not with the RA Profiles. We believe that all complex tasks regarding the PKI setup should be the responsibility of people who hold the knowledge and experience. Therefore it makes sense to split these two worlds: the PKI services on one side and the integration of the final use case on the other.
From the integrator's point of view, the process is simple, because we need to know only the RA Profile Name; all other attributes are not relevant for us, we simply do not need them. All we require is to have:
- REST API end point URL
- RA Profile Name
- Client certificate for authentication and authorization
Nothing more, nothing less. And typically it goes through the following simple steps:
- prepare the service and RA Profile
- register and authorize client to consume RA Profile service
- implement client REST API calls to the RA Profiles
- start consuming service
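To make the abstraction concrete, here is a small model of what an RA Profile layer has to hold and check: the attribute list above (End Entity Profile, Certificate Profile, CA name, initial status, token type, keystore and its credentials) keyed by RA Profile Name, the client-to-profile authorization, and a resolve step that maps an authorized client's request onto EJBCA-side parameters while keeping the keystore credentials on the RA side. It also shows the agility point: the issuing CA is swapped in the profile and the client keeps sending the same profile name. This is an added illustration written for this page, not code from 3Key's RA Profiles or from EJBCA; the class names, the fingerprint-based client authorization, the `resolve`/`update` methods and all sample values (profile names, fingerprint, keystore path, secret) are assumptions constructed for the example.

```python
from dataclasses import dataclass, replace
from typing import Dict, Set

# Constructed fingerprint standing in for the client's mTLS certificate (not a real value).
CLIENT_FP = "sha256:0123456789abcdef0123456789abcdef"


@dataclass(frozen=True)
class RAProfile:
    """One RA Profile: the EJBCA-side attributes listed on the page, keyed by name."""
    name: str                   # RA Profile Name, the only attribute a client must know
    end_entity_profile: str
    certificate_profile: str
    ca_name: str                # Certification Authority Name
    initial_status: str         # Initial Status of End Entities, e.g. "NEW" as in EJBCA
    token_type: str             # Token Type, e.g. "USERGENERATED" (client supplies a CSR)
    ra_keystore: str            # RA Keystore path (placeholder value in the demo)
    keystore_credentials: str   # Keystore Credentials: secret, never exposed to clients


class RAProfileRegistry:
    """Holds profiles plus which client certificates may consume which profile (assumed design)."""

    def __init__(self) -> None:
        self._profiles: Dict[str, RAProfile] = {}
        # client certificate fingerprint -> set of RA Profile Names it may use
        self._authorizations: Dict[str, Set[str]] = {}

    def register(self, profile: RAProfile) -> None:
        self._profiles[profile.name] = profile

    def authorize(self, client_fingerprint: str, profile_name: str) -> None:
        if profile_name not in self._profiles:
            raise KeyError(f"unknown RA Profile {profile_name!r}")
        self._authorizations.setdefault(client_fingerprint, set()).add(profile_name)

    def update(self, profile_name: str, **changes) -> None:
        """Change EJBCA-side attributes in place; clients keep using the same profile name."""
        self._profiles[profile_name] = replace(self._profiles[profile_name], **changes)

    def resolve(self, client_fingerprint: str, profile_name: str) -> Dict[str, str]:
        """Authorization check, then the EJBCA parameters the RA will use for this request.

        Keystore path and credentials are deliberately omitted: the RA uses them when it
        talks to EJBCA, and they must not appear in anything derived for or returned to a client.
        """
        allowed = self._authorizations.get(client_fingerprint, set())
        if profile_name not in allowed:
            raise PermissionError(
                f"client {client_fingerprint} is not authorized for RA Profile {profile_name!r}")
        p = self._profiles[profile_name]
        return {
            "end_entity_profile": p.end_entity_profile,
            "certificate_profile": p.certificate_profile,
            "ca_name": p.ca_name,
            "initial_status": p.initial_status,
            "token_type": p.token_type,
        }


def build_demo_registry() -> RAProfileRegistry:
    """Constructed sample data: one profile and one authorized client."""
    reg = RAProfileRegistry()
    reg.register(RAProfile(
        name="tls-server",
        end_entity_profile="TLS Server EE Profile",
        certificate_profile="TLS Server Cert Profile",
        ca_name="Issuing CA 1",
        initial_status="NEW",
        token_type="USERGENERATED",
        ra_keystore="/etc/ra/ra-keystore.p12",           # placeholder path
        keystore_credentials="example-secret-do-not-use",  # placeholder secret
    ))
    reg.authorize(CLIENT_FP, "tls-server")
    return reg


if __name__ == "__main__":
    reg = build_demo_registry()
    print("before CA change:", reg.resolve(CLIENT_FP, "tls-server"))
    reg.update("tls-server", ca_name="Issuing CA 2")     # agility: swap the issuing CA
    print("after CA change: ", reg.resolve(CLIENT_FP, "tls-server"))
    try:
        reg.resolve("sha256:unknown-client", "tls-server")
    except PermissionError as exc:
        print("rejected:", exc)
```

The two properties worth keeping when building something like this for real are the ones the demo asserts: an unauthorized client certificate is refused before any profile attribute is touched, and nothing the RA returns or logs for a client contains the keystore or its credentials.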
Typically, the time to integrate a PKI service in this case can be as short as a few days.
RA Profiles are everything you need in order to easily integrate EJBCA PKI within your environment and digital services. What is more, they give you the necessary flexibility and agility to prove out your future use cases.
They can be your single point of integration, a one-stop shop for your use cases, with the possibility to monitor and report activities. They will quickly become part of your favourite tools!
Basic features of RA Profiles can be extended to include integrations to other solutions or systems.
If you are interested in the solution, come back to us and we will be happy to schedule a demonstration for you.
Get in touch with us to know more!
We can help you streamline operations and build more effective procedures. If you are struggling with your PKI or would like to build a best-in-class solution, do not hesitate and contact us!
Our experience and knowledge can be a benefit for your business.
Follow us on LinkedIn!