EJBCA Installation Guide

Submitted by admin on Sun, 11.12.2016 - 12:26


What is EJBCA?

EJBCA is a professional PKI solution that greatly simplifies the work of running a Public Key Infrastructure (PKI). Whether the company has only 5 employees or is a corporation with 10000 employees, the solution scales to every company size. Used as the superior CA, it also brings the problems with Windows certification authorities under control: in the Active Directory domain only the relevant root CA certificate has to be distributed.

EJBCA also provides an OCSP responder, so revocation status can be checked online instead of relying on revocation lists (CRLs) alone.

The SOAP interface allows automated operation from any consumer, whether a simple Perl script or a complex Tibco integration.

Linux

At https://gist.github.com/ip6li/9801a5ed958feb7de6136ea175572bdf there is a script that installs EJBCA on Linux.

Anyone who uses EJBCA in a commercial environment and has to run an IT security management system should buy the Enterprise version. Anyone who takes the trouble to document their private PKI and the processes around it according to the rules of the CA/Browser Forum need not expect embarrassing questions from the auditors (mandatory for banks). The PKI audit may then take less than 15 minutes.

FreeBSD/OpenBSD

EJBCA can also be installed on FreeBSD and OpenBSD. This guide shows how.

Versions

This guide is based on the following versions:

  • FreeBSD 11.0
  • OpenBSD 6.0 (for the OpenBSD-specific notes below)
  • EJBCA 6.3.1.1CE
  • JBoss EAP 6.4 GA

Packages

All required packages are available at least as ports on OpenBSD 6.0. Required are:

  • apache-ant
  • jdk-1.8.0
  • mariadb-server
  • unzip (to unpack the JBoss and EJBCA archives)
  • wget (for whatever else has to be fetched from the Internet)

OpenJDK security on OpenBSD

(not relevant for FreeBSD)

Unfortunately the ports are not as tuned for security as one is used to from OpenBSD. The OpenJDK port on OpenBSD does not support strong cryptography: it ships the limited JCE jurisdiction policy, which caps AES and most other symmetric ciphers at 128-bit keys. In the directory /usr/local/jdk-1.8.0/jre/lib/security/ the files

  • local_policy.jar
  • US_export_policy.jar

must therefore be replaced. They can simply be taken from a current Linux distribution (OpenJDK 8) or from FreeBSD and used in place of the OpenBSD versions; the OpenBSD port then supports strong cryptography too. Take them from a trusted OpenJDK 8 package, and remember that an update of the jdk-1.8.0 package overwrites them, so the check below has to be repeated afterwards.

You can test this with

jrunscript -e 'exit (javax.crypto.Cipher.getMaxAllowedKeyLength("RC5") >= 256);'
echo $?

If unlimited-strength cryptography is available the exit status is 1, otherwise 0. RC5 is only used as a probe here: under the limited policy the JVM caps it, like AES, at 128 bits, so the comparison fails.

Database

A dedicated user is created for EJBCA that is allowed to do everything in the database of the same name. The same password goes into database.properties in plain text, so generate a random one instead of reusing the sample below, and grant the account only for localhost as shown, since JBoss connects over the loopback interface.

create database ejbca default character set = utf8 default collate = utf8_general_ci;
GRANT ALL PRIVILEGES ON ejbca.* TO 'ejbca'@'localhost' IDENTIFIED BY 'AveryBadPasswordDoNotUseThis';

login.conf

The defaults in /etc/login.conf do not suit EJBCA (the JVM needs a larger data segment and a higher process limit than the default class allows), so a dedicated class is set up for it.

ejbca:\
        :datasize-cur=4096M:\
        :datasize-max=infinity:\
        :maxproc-max=512:\
        :maxproc-cur=256:\
        :ignorenologin:\
        :tc=default:

With vipw, assign the login class ejbca to the account that runs EJBCA (the class field of its master.passwd entry; login classes belong to users, not to groups). In this guide that account is the user pki described below. With these settings EJBCA runs.

Hostname

JBoss insists on resolving the hostname. For that reason the FQDN must appear in /etc/hosts so that JBoss starts cleanly. The name from /etc/myname (OpenBSD; on FreeBSD the hostname set in /etc/rc.conf) must also be found in /etc/hosts, for example:

127.0.1.1       eeepc.lan eeepc

Java links

Several symlinks must be created so that the EJBCA installer (ant) finds all the tools it needs:

cd /usr/local/bin
ln -s /usr/local/jdk-1.8.0/bin/java
ln -s /usr/local/jdk-1.8.0/bin/javac
ln -s /usr/local/jdk-1.8.0/bin/javadoc
ln -s /usr/local/jdk-1.8.0/bin/jrunscript
ln -s /usr/local/jdk-1.8.0/bin/keytool

JBoss

EJBCA runs best with JBoss EAP 6.4.0.GA. For JBoss to work with MariaDB, the JDBC driver mariadb-java-client-1.2.3.jar has to be obtained from MariaDB.

The following script wires the driver into the JBoss configuration. It expects the driver jar in /home/pki/Download and patches standalone.xml in place; since the hunks carry fixed line numbers from one specific standalone.xml, run patch in check mode (-C) against your copy first if your EAP build differs.

#!/bin/sh
# Registers the MariaDB JDBC driver as JBoss module "com.mysql" and patches
# standalone.xml. Run as the pki user.

PKI_HOME="/home/pki"
DRIVER_JAR="$PKI_HOME/Download/mariadb-java-client-1.2.3.jar"
MYSQL_JBOSS_DIR="modules/com/mysql/main"

cd "$PKI_HOME/jboss" || exit 1
mkdir -p "$MYSQL_JBOSS_DIR"
cd "$MYSQL_JBOSS_DIR" || exit 1

cp "$DRIVER_JAR" . || exit 1
# The module name "com.mysql" is the value database.properties later uses as database.driver.
cat <<'EOF' > module.xml
<?xml version="1.0" encoding="UTF-8"?>

<module xmlns="urn:jboss:module:1.1" name="com.mysql">
  <resources>
    <resource-root path="mariadb-java-client-1.2.3.jar"/>
  </resources>
  <dependencies>
    <module name="javax.api"/>
  </dependencies>
</module>
EOF

cd "$PKI_HOME/jboss/standalone/configuration" || exit 1

# Quoted here-document: the patch text is passed to patch(1) without shell expansion.
cat <<'EOF' | patch -p0
--- standalone.xml.XXX  2015-03-27 14:26:24.000000000 +0100
+++ standalone.xml      2016-02-16 10:37:55.537404590 +0100
@@ -136,6 +136,7 @@
                     </security>
                 </datasource>
                 <drivers>
+                    <driver name="com.mysql" module="com.mysql"/>
                     <driver name="h2" module="com.h2database.h2">
                         <xa-datasource-class>org.h2.jdbcx.JdbcDataSource</xa-datasource-class>
                     </driver>
@@ -289,6 +290,7 @@
             <coordinator-environment default-timeout="300"/>
         </subsystem>
         <subsystem xmlns="urn:jboss:domain:web:2.2" default-virtual-server="default-host" native="false">
+            <connector name="ajp" protocol="AJP/1.3" scheme="http" socket-binding="ajp"/>
             <connector name="http" protocol="HTTP/1.1" scheme="http" socket-binding="http"/>
             <virtual-server name="default-host" enable-welcome-root="true">
                 <alias name="localhost"/>
@@ -338,4 +340,4 @@
             <remote-destination host="localhost" port="25"/>
         </outbound-socket-binding>
     </socket-binding-group>
-</server>
\ No newline at end of file
+</server>
EOF
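Review bot: in the first hunk (@@ -136,6 +136,7 @@) the new `<driver name="com.mysql" module="com.mysql"/>` carries no `<driver-class>` or `<xa-datasource-class>` child, unlike the h2 driver right below it, so JBoss has to discover the MariaDB driver class through the jar's JDBC service registration; say so in a comment, and keep the name identical to `database.driver=com.mysql` in database.properties, which is how EJBCA's build refers to this driver. Calling a MariaDB driver `com.mysql` is also easy to misread; if it is renamed, module.xml, this element and database.properties must change together.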
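Review bot: the `<connector name="ajp" protocol="AJP/1.3" .../>` added in the second hunk (@@ -289,6 +290,7 @@) opens a port that has no authentication of its own and trusts whatever the proxy sends, so it must only ever be reachable by the reverse proxy. This guide's start.sh passes -b 127.0.0.1, which keeps the `ajp` socket-binding on loopback, but nothing in the hunk itself enforces that; add a comment such as `<!-- loopback only: JBoss is started with -b 127.0.0.1 -->` so the connector is not copied into a configuration with a different bind address.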
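Review bot: the last hunk (@@ -338,4 +340,4 @@) changes nothing except the missing newline at the end of the file, so it only applies cleanly to a standalone.xml that really ends without one (the `\ No newline at end of file` marker); on another EAP 6.4 build it is the hunk most likely to be rejected, leaving standalone.xml.rej behind after the two real hunks have already been applied. Drop it, or run the patch in check mode first and stop the script when patch reports a failure.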

Filesystem layout

A dedicated user and group are created for the PKI. In our example PKI these are the user pki and the group pki. JBoss and EJBCA are unpacked in its home directory. To simplify updates that may become necessary, create the symlinks ejbca -> ejbca_ce_6_3_1_1 and jboss -> jboss-eap-6.4; that way the configs do not have to be changed when updating.

Start/stop scripts

start.sh

The following scripts are to be run as the PKI user. For automation from init etc. they must be called via su pki -c …

#!/usr/local/bin/bash

PATH=/usr/local/bin:$PATH
export PATH

cd /home/pki || exit 1

# -b 127.0.0.1 binds the public interface (HTTP, AJP) to loopback only; the management
# interface already defaults to 127.0.0.1 in standalone.xml. External access goes through
# the reverse proxy on port 443. JBoss writes its own jboss/standalone/log/server.log,
# so console output can be discarded.
nohup jboss/bin/standalone.sh -b 127.0.0.1 > /dev/null 2>&1 &

stop.sh

#!/usr/local/bin/bash

PATH=/usr/local/bin:$PATH
export PATH

cd /home/pki || exit 1

# Graceful shutdown via the management interface (127.0.0.1:9999 by default in EAP 6).
# If the JVM no longer answers the CLI this fails and the java process has to be killed by hand.
jboss/bin/jboss-cli.sh --connect command=:shutdown
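The two scripts above keep no record of the JVM's process id and have no fallback when the management interface does not answer. The wrapper below is an added example (not the scripts from this guide, and not part of EJBCA or JBoss) that merges both: it writes a pid file on start, stops through jboss-cli.sh as above, and after a timeout escalates to SIGTERM and SIGKILL. It assumes the default behaviour of standalone.sh, which execs the JVM when LAUNCH_JBOSS_IN_BACKGROUND is unset, so the pid it records is the JVM's; the pid file path and the start and stop commands are variables so the logic can be exercised with a dummy process.

```bash
#!/bin/sh
# jboss-ctl.sh: start/stop/status for the EJBCA JBoss instance with a pid file.
# Added example, not the scripts from this guide. Assumes the default standalone.sh
# behaviour (LAUNCH_JBOSS_IN_BACKGROUND unset), where the script execs the JVM, so the
# pid recorded below is the JVM's. All paths and commands are overridable for testing.

PKI_HOME="${PKI_HOME:-/home/pki}"
PIDFILE="${PIDFILE:-$PKI_HOME/jboss.pid}"
# -b 127.0.0.1: public interface (HTTP, AJP) on loopback only, as in start.sh above
JBOSS_CMD="${JBOSS_CMD:-$PKI_HOME/jboss/bin/standalone.sh -b 127.0.0.1}"
STOP_CMD="${STOP_CMD:-$PKI_HOME/jboss/bin/jboss-cli.sh --connect command=:shutdown}"
STOP_TIMEOUT="${STOP_TIMEOUT:-60}"     # seconds to wait for the graceful shutdown

# jboss_running: 0 if the pid file names a live process; a stale pid file is removed
jboss_running() {
    [ -r "$PIDFILE" ] || return 1
    pid=$(cat "$PIDFILE")
    if [ -n "$pid" ] && kill -0 "$pid" 2>/dev/null; then
        return 0
    fi
    rm -f "$PIDFILE"
    return 1
}

jboss_start() {
    if jboss_running; then
        echo "jboss already running (pid $(cat "$PIDFILE"))" >&2
        return 1
    fi
    # JBoss keeps its own standalone/log/server.log, so console output can be discarded
    nohup $JBOSS_CMD >/dev/null 2>&1 &
    echo $! > "$PIDFILE"
}

jboss_stop() {
    jboss_running || return 0
    pid=$(cat "$PIDFILE")
    # 1. ask the management interface for a clean shutdown (fails if the JVM hangs)
    $STOP_CMD >/dev/null 2>&1 || echo "management CLI shutdown failed, falling back to signals" >&2
    # 2. wait, then escalate: SIGTERM, and SIGKILL if the JVM still does not exit
    n=0
    while kill -0 "$pid" 2>/dev/null && [ "$n" -lt "$STOP_TIMEOUT" ]; do
        sleep 1; n=$((n + 1))
    done
    if kill -0 "$pid" 2>/dev/null; then
        kill -TERM "$pid" 2>/dev/null || true
        sleep 2
        kill -0 "$pid" 2>/dev/null && kill -KILL "$pid" 2>/dev/null || true
    fi
    rm -f "$PIDFILE"
}

case "$1" in
    start)  jboss_start ;;
    stop)   jboss_stop ;;
    status) if jboss_running; then echo running; else echo stopped; fi ;;
esac
```

Invoke it as the PKI user, e.g. su pki -c "/home/pki/jboss-ctl.sh start" from the system's init or rc framework; status reads the pid file and cleans it up if the process is gone.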

ejbca-custom

The config files in the original EJBCA distribution should not be edited in place. The relevant config files should be copied into a directory ejbca-custom that sits next to the EJBCA installation directory. In ejbca-custom a subdirectory conf is created, and the config files are created there. During installation the EJBCA installer then copies and uses these config files. Since they contain the database, keystore and superadmin passwords, they should be readable by the PKI user only.
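The layout and ejbca-custom steps above, as an added example script that is not code from this guide or from EJBCA. It assumes that JBoss and EJBCA are already unpacked into the PKI home and that the user and group pki exist (creating them with pw useradd on FreeBSD or useradd on OpenBSD is left out); the release directory names are arguments, so a later update only re-points the symlinks and leaves ejbca-custom untouched. Permissions are tightened because these property files will hold passwords.

```bash
#!/bin/sh
# layout.sh: symlinks jboss/ejbca to the unpacked releases and seeds ejbca-custom/conf.
# Added example, not from this guide or EJBCA. Assumes the release directories already
# exist under PKI_HOME; usage: sh layout.sh jboss-eap-6.4 ejbca_ce_6_3_1_1

PKI_HOME="${PKI_HOME:-/home/pki}"
# Only the files this guide customises; everything else keeps the defaults compiled into ejbca.ear.
CUSTOM_FILES="ejbca.properties database.properties web.properties ocsp.properties"

# pki_link NAME TARGET: point $PKI_HOME/NAME at the release directory TARGET
pki_link() {
    name="$1"; target="$2"
    [ -d "$PKI_HOME/$target" ] || { echo "missing $PKI_HOME/$target" >&2; return 1; }
    # -n: treat an existing symlink as the link itself, not as the directory it points to
    ln -sfn "$target" "$PKI_HOME/$name"
}

# pki_custom_conf: create ejbca-custom/conf next to the ejbca symlink and seed it from
# the *.properties.sample files; an already edited config is never overwritten
pki_custom_conf() {
    conf="$PKI_HOME/ejbca-custom/conf"
    mkdir -p "$conf" || return 1
    chmod 700 "$PKI_HOME/ejbca-custom" "$conf"
    for f in $CUSTOM_FILES; do
        [ -e "$conf/$f" ] && continue
        cp "$PKI_HOME/ejbca/conf/$f.sample" "$conf/$f" || return 1
        chmod 600 "$conf/$f"                 # will contain passwords
    done
}

# pki_layout JBOSS_RELEASE EJBCA_RELEASE
pki_layout() {
    pki_link jboss "$1" && pki_link ejbca "$2" && pki_custom_conf
}

[ "$#" -eq 2 ] && pki_layout "$1" "$2"
```

Running it again with a newer release name re-points the symlinks only; the edited files in ejbca-custom/conf are kept, which is exactly why the directory sits outside the release tree.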

ejbca.properties

The base configuration for the PKI. What follows is the upstream ejbca.properties.sample with this guide's values filled in; the comments are upstream's.

#
# $Id: ejbca.properties.sample 20512 2015-01-05 14:25:14Z mikekushner $
#
# This is a sample file to override properties used
# during development (or deployment) of EJBCA. Note that some properties
# have been moved to cesecore.properties.
# 
# You should copy and rename this file to ejbca.properties
# and customize at will.
#

# Application server home directory used during development. The path can not end with a slash or backslash.
# Default: $APPSRV_HOME
appserver.home=/home/pki/jboss

# See also the section 'cluster configuration' for other JBoss options, for example
# for deploying on JBoss EAP.

# Which application server is used? Normally this is auto-detected from 'appserver.home' and should not be configured. 
# Possible values: jboss, glassfish (, weblogic)
# Default: <auto-detect>
#appserver.type=jboss

# To prevent accidental runs of tests or deploying the wrong thing in a production environment, we
# could prevent this by setting this variable to either "true" or "false".
# Setting this value to 'false' will allow system tests to alter the configuration of the running
# EJBCA instance.
# Default: true
ejbca.productionmode=true
#ejbca.productionmode=false

# Set to true to allow dynamic re-configuration using properties files in the file 
# system. Using this you can place a file /etc/ejbca/conf/ocsp.properties in the file system and
# override default values compiled into ejbca.ear.
# Currently this works for most values in ejbca.properties, web.properties, cmp.properties, externalra-caservice.properties, ocsp.properties, extendedkeyusage.properties, jaxws.properties, xkms.properties
#
# Default: false
#allow.external-dynamic.configuration=false

# ------------ Basic CA configuration ---------------------
# Most CA options are configured in cesecore.properties, but some EJBCA-
# specific ones are configured here. When upgrading, the important options are:
# - ca.keystorepass (in cesecore.properties)
# - ca.xkmskeystorepass
# - ca.cmskeystorepass

# Password used to protect XKMS keystores in the database (CAs XKMS signer/enc certificate).
# The default value is the same for convenience.
#ca.xkmskeystorepass=foo123

# Password used to protect CMS keystores in the database (CAs CMS signer/enc certificate).
# The default value is the same for convenience.
#ca.cmskeystorepass=foo123

# ------------- Approval configuration ------------------------
# Settings working as default values in the approval functionality
#
# Default request validity in seconds
# Default : 28800 (8 Hours)
#approval.defaultrequestvalidity=28800
approval.defaultrequestvalidity=86400

# Default approval validity (how long an approved request should stay valid)
# Default : 28800 (8 Hours)
#approval.defaultapprovalvalidity=28800

# Setting excluding some classes from approval. When one of the classes in this list calls a method that normally 
# required approval, the call is immediately allowed, bypassing the approval mechanism. The list is comma separated.
# Uncomment the line below to exclude extra from approvals.
#approval.excludedClasses=org.ejbca.extra.caservice.ExtRACAServiceWorker
# Uncomment the line below to exclude CMP from approval.
#approval.excludedClasses=org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean
# Uncomment the line below to exclude revocation by CMP from approval.
#approval.excludedClasses=org.ejbca.core.protocol.cmp.RevocationMessageHandler
# Default : empty 
#approval.excludedClasses=

# ----------------- cluster configuration ----------------
# The configuration. Use "all" when clustering, 
# or for example "production" when deploying on JBoss EAP.
# Default: default
#jboss.config=all

# Name of the farm directory. Use "farm" when clustering.
# Default: deploy
#jboss.farm.name=farm

#------------------- EJBCA Healthcheck settings -------------
# Specifies the basic settings of the EJBCA Healthcheck servlet
# for more detailed configuration edit the file src/publicweb/healthcheck/WEB-INF/web.xml
# URL: http://localhost:8080/ejbca/publicweb/healthcheck/ejbcahealth
#
# Parameter specifying amount of free memory (Mb) before alarming
# Default: 1
#healthcheck.amountfreemem=1

# Parameter specifying database test query string. Used to check that
# the database is operational.
# Default : Select 1 From CertificateData where fingerprint='XX'
#healthcheck.dbquery=Select 1 From CertificateData where fingerprint='XX'

# Parameter specifying IP addresses authorized to access the healthcheck
# servlet. Use ';' between multiple IPs.
# IPv6 address can be specified, for example 127.0.0.1;0:0:0:0:0:0:0:1. 
# "ANY" can be specified to allow any remote IP. 
# Default: 127.0.0.1 
#healthcheck.authorizedips=127.0.0.1

# Parameter to specify if the check of CA tokens should actually perform a signature test
# on the CA token, or it should only see if the token status is active.
# Default: false (don't perform a signature operation) 
#healthcheck.catokensigntest=false

# Parameter to specify if a connection test should be performed on each publisher.
# Default: true 
#healthcheck.publisherconnections=true

# Parameter to specify location of file containing information about maintenance
# Use this file to specify whether to include the node in the healthcheck or report it as down for maintenance, 
# which will return an error message (either the property name specified below or a custom message specified in web.xml).
# Default: empty (not used)
#healthcheck.maintenancefile=~/maintenance.properties

# Parameter to configure name of maintenance property, default = DOWN_FOR_MAINTENANCE
# The healthcheck.maintenancefile should contain a single line like this:
# DOWN_FOR_MAINTENANCE=true
# The node is reported as down for maintenance if the property is true, and not down for maintenance if it is false.
# Default: DOWN_FOR_MAINTENANCE
#healthcheck.maintenancepropertyname=DOWN_FOR_MAINTENANCE

# Text string used to say that every thing is ok with this node.
# Default=ALLOK
#healthcheck.okmessage=ALLOK
        
# Parameter saying if an error code 500 should be sent in case of error.
# Default=true
#healthcheck.sendservererror=true

# Uncomment this parameter if you want a static error message instead of one generated by the HealthChecker.
# Default=null
#healthcheck.customerrormessage=EJBCANOTOK

#------------------- CLI settings -------------
# Credentials that bin/ejbca.sh presents unless overridden on the command line.
# ejbca/ejbca is the upstream default; replace the password before installing.
ejbca.cli.defaultusername=ejbca
ejbca.cli.defaultpassword=ejbca

#------------------- Debug and special settings -------------
#
# Custom Available Access Rules. Use ';' to separate multiple access rules
# Available values are the Access Rules strings in Advanced mode of 'Access Rules' in 'Administrator Roles'
# Default: ""
#ejbca.customavailableaccessrules=

# When upgrading a 100% up-time cluster, all nodes should be deployed with the effective version
# of the oldest still running EJBCA version.
# Default: ${app.version.number}
#app.version.effective=4.0.x

# To better protect from off-line brute force attacks of passwords on a compromised database, the
# computationally expensive BCrypt algorithm can be used. Each additional log-round doubles the
# computational cost (2^log-rounds iterations). 1-31 can be used as BCrypt strength.
# 0 means simple SHA1 hashing will be used. A decent value for high security is ~8.
# Default=1
#ejbca.passwordlogrounds=1

# Parallel publishing invokes all the configured publishers for certificates in parallel instead of
# sequentially. So instead of waiting for the total time it takes to write to all publishers, you
# only have to wait for the time it takes to publish to the slowest one.
#
# This feature is non-compliant with the JEE5 specifications and could potentially have unintended
# side effects (even though none has been found so far).
# If you find any type of problem with this feature that can be mitigated by disabling it, please
# report it to the EJBCA developers or this option will disappear in a future version.
#
# Default: true
#publish.parallel.enabled=true

# ------------------- Peer Connector settings (Enterprise Edition only) -------------------
# These settings are never expected to be used and should be considered deprecated. If you do need
# to tweak this, please inform the EJBCA developers how and why this was necessary.
#
# Don't go through JCA for outgoing connections to peer systems. Applied at build time.
# Default: false
#peerconnector.rar.disabled=false
#
# Use TCP keep alive. Applied when connection pool is restarted. Default: true
#peerconnector.connection.sokeepalive=true
#
# Disable Nagle's algorithm. Applied when connection pool is restarted. Default: false
#peerconnector.connection.tcpnodelay=false
#
# Socket timeout in milliseconds. Applied when connection pool is restarted.
# Default: 20000 (default for Tomcat on the server side)
#peerconnector.connection.sotimeout=20000
#
# Connection pool size per peer connector. Applied when connection pool is restarted. Default: 100
#peerconnector.connection.maxpoolsize=100
#
# Background sync of certificate data. Batch size to compare. Default: 2000
#peerconnector.sync.batchsize=2000
#
# Background sync of certificate data. Number of entries to write in parallel. 1=sequential writes. Default: 12
#peerconnector.sync.concurrency=12
#
# Maximum allowed size for incoming messages. Default: 134217728 (128MiB)
#peerconnector.incoming.maxmessagesize=134217728
#
# How long a peer can be absent in milliseconds before (re-)authentication is triggered. Default: 60000
#peerconnector.incoming.authcachetime=60000
#
# How long to cache outgoing PeerData database objects.
# Default: 60000 (60 seconds)
# Possible values -1 (no caching) to 9223372036854775807 (2^63-1 = Long.MAX_VALUE).
#  If you want caching for an infinite time then set something high for example 157680000000 (5years).  
#peerconnector.cachetime=157680000000
#peerconnector.cachetime=-1

database.properties

# ------------- Database configuration ------------------------

# The default values in this file are good for a default install, using the built-in H2 test database, with JBoss 7/EAP 6.
# For a default install with Hypersonic database on JBoss 5, change database.name, database.url, database.driver and database.password.

# JNDI name of the DataSource used for EJBCA's database access. The prefix
# (e.g. 'java:/', '' or 'jdbc/') is automatically determined for each
# application server.
# default: EjbcaDS
#datasource.jndi-name=EjbcaDS

# The database name selected for deployment, used to copy XDoclet merge files.
# All supported databases are defined below, others can easily be added
# See the document doc/howto/HOWTO-database.txt for database specifics and tips and tricks.
# (Note that the names below are fixed for the database type, it is not the name of your database instance.)
# Default: h2
database.name=mysql

# Database connection URL.
# This is the URL used to connect to the database, used to configure a new datasource in JBoss.
# Default: jdbc:h2:~/ejbcadb;DB_CLOSE_DELAY=-1
database.url=jdbc:mysql://localhost:3306/ejbca?characterEncoding=UTF-8

# JDBC driver classname.
# The JEE server needs to be configured with the appropriate JDBC driver for the selected database
# The Default h2 works (as test database) on JBoss 7, on JBoss 5 use org.hsqldb.jdbcDriver
# Default: h2
# On JBoss 7/EAP 6 this is not a class name but the driver name registered in the datasources
# subsystem, i.e. the <driver name="com.mysql" module="com.mysql"/> added to standalone.xml above.
#database.driver=org.mariadb
database.driver=com.mysql

# Database username.
# Default: sa (works with H2 on JBoss 7)
# Set to empty for hsql on JBoss 5
database.username=ejbca

# Database password.
# Default: sa (works with H2 on JBoss 7)
# Set to empty for hsql on JBoss 5)
database.password=AveryBadPasswordDoNotUseThis

# The encoded certificate may be stored in the table Base64CertData instead of
# in a column in the CertificateData table. Using a separate table for the
# certificate data may speed up searching for certificates if there are lots of
# them (>100Million).
# Default: false
database.useSeparateCertificateTable=true

web.properties

This config is relevant for the web application.

# ------------ Web GUI configuration ---------------------
# When upgrading, the important options are:
# - httpsserver.password

# If you prefer to manually configure the web settings for your application
# server, you should uncomment this property. Enabling this option will prevent
# the 'ant web-configure' command from making any changes to the configuration
# of your application server (in terms of web settings, like paths etc).
# Can not be set to false, commented away means that web will be configured.
#web.noconfigure=true

# If you enable this option, the 'ant web-configure' command will not set-up the
# SSL access on your application server. This is normally desired for the OCSP
# responder or Validation Authority (unless you want to run them over https as
# well). Normally, in case of a CA build you should _not_ enable this option
# (otherwise you won't have access to the administration web interface). If you
# wish to use the Unid functionality on the OCSP responder, make sure to also
# have a look at the 'Configuring TLS on the Unid lookup server' how-to.
# Can not be set to false, commented away means that web will be configured.
# web.nosslconfigure=true

# Password for java trust keystore (p12/truststore.jks). Default is changeit
# This truststore will contain the CA-certificate after running 'ant javatruststore'
# Run 'ant -Dca.name=FooCA javatruststore' to install the CA-certificate for FooCA instead of the default ManagementCA
java.trustpassword=AnOtherBadPassword

# The CN and DN of the super administrator.
# Comment out if you want 'ant install' to prompt for this.
superadmin.cn=SuperAdminOpenBSD
# Note that superadmin.dn must start with the same CN as in superadmin.cn.
# example:  superadmin.dn=CN=${superadmin.cn},O=EJBCA Sample,C=SE
superadmin.dn=CN=${superadmin.cn},O=Honest Achmed PKI,OU=Used Cars,C=DE

# The password used to protect the generated super administrator P12 keystore (to be imported in browser).
# Choose a good password here.
superadmin.password=ejbca

# Set this to false if you want to fetch the certificate from the EJBCA public web pages, instead of
# importing the P12-keystore. This can be used to put the initial superadmin-certificate on a smart card.
superadmin.batch=true

# The password used to protect the web servers SSL keystore. Default is serverpwd
# Choose a good password here.
# If upgrading from EJBCA 3.1, enter here the password found in 
#   $JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/server.xml
#   under the section about 'HTTPS Connector...', the password is in attribute 'keystorePass=...'.
httpsserver.password=OneMoreBadPassword

# The CA servers DNS host name, must exist on client using the admin GUI.
httpsserver.hostname=mypki.example.com

# The Distinguished Name of the SSL server certificate used by the administrative web gui.
# The CN part should match your host's DNS name to avoid browser warnings.
httpsserver.dn=CN=${httpsserver.hostname},O=Honest Achmed PKI,OU=Used Cars,C=DE

# The Alternative Name (certificate extension) of the SSL server certificate used by the administrative web gui.
# The dnsName part should match your hosts DNS name (and the CN above) to avoid browser warnings.
# Set automatically, so no need to change this property unless you want something exotic.
httpsserver.an=dnsName=${httpsserver.hostname}

# The public port JBoss will listen to http on
# Default 8080
#httpserver.pubhttp=8080

# The public port JBoss will listen to https on, no client cert required
# Default 8442
#httpserver.pubhttps=8442

# The private port JBoss will listen to https on, client cert required
# Default 8443
#httpserver.privhttps=8443

# The private port exposed externally, i.e. if you run an Apache proxy in front of JBoss
# the port may be 443 instead.
# Default same as httpserver.privhttps
httpserver.external.privhttps=443
 
# The fully qualified domain name (FQDN) of the front-end, e.g. an Apache proxy
#   In order to build absolute URLs, the server name is taken from the web client request.
#   But with an Apache proxy, via ProxyPass directive, the server name is 'localhost'.
# Use:
#   - empty: without Apache proxy, or with Apache proxy via AJP (not with ProxyPass)
#   - ${httpsserver.hostname}: when an Apache proxy is used on the same server than EJBCA
#   - any FQDN: when an Apache proxy with a ProxyPass directive is used (on any server)
# Default: (empty)
#httpserver.external.fqdn=
#httpserver.external.fqdn=${httpsserver.hostname}
 
# The interfaces JBoss will bind to. E.g. 127.0.0.1 will only allow connections from localhost.
# You can also specify ${jboss.bind.address} to use JBoss configuration which interface to listen on.
# Default 0.0.0.0
httpsserver.bindaddress.pubhttp=127.0.0.1
httpsserver.bindaddress.pubhttps=127.0.0.1
httpsserver.bindaddress.privhttps=127.0.0.1

# Defines the available languages by ISO 639-1 language codes separated with a comma (example: en,zh).
# If you are not sure that you know how to add a new language (languagefile.xx.properties, etc.), 
# we suggest you stick with the default the first time you install if you want to add your own language.
# Otherwise you may not be able to log in to the Admin GUI.
# Default: en,bs,de,es,fr,it,ja,pt,sv,uk,zh
#web.availablelanguages=en,bs,de,es,fr,it,ja,pt,sv,uk,zh

# Default content encoding used to display JSP pages, for example ISO-8859-1, UTF-8 or GBK.
# Default: UTF-8
web.contentencoding=UTF-8

# The language configuration that should be used internally for logging, exceptions and approval
# notifications has been moved to ejbca.properties from EJBCA 3.10.

# Setting to indicate if the secret information stored on hard tokens (i.e initial PIN/PUK codes) should
# be displayed for the administrators. If false only non-sensitive information is displayed.
# Values should be "true" or "false".
# Default = true
#hardtoken.diplaysensitiveinfo=true

# Show links to the EJBCA documentation. The links can either point to internally deployed
# documentation on the server or any external location like ejbca.org.
# Default = internal
#web.docbaseuri=disabled
web.docbaseuri=internal
#web.docbaseuri=http://www.ejbca.org

# Require administrator certificates to be available in database for revocation
# checks. Set this to false, if you want to be able to use admin certificates
# issued by external CAs.
# Default: true
#web.reqcertindb=true

# Allow users to self-register on public web, by entering their information.
# This creates an approval request for the admin.
# Default = false
web.selfreg.enabled=false

# Certificate types to make available for the user
#web.selfreg.defaultcerttype=1
#web.selfreg.certtypes.1.description=User certificate
#web.selfreg.certtypes.1.eeprofile=SOMEPROFILE
#web.selfreg.certtypes.1.certprofile=ENDUSER

# Optional: Instead of asking the user for a username, EJBCA can generate
# the username from a field in the subject DN
#web.selfreg.certtypes.1.usernamemapping=CN

# Deploy the request browser certificate renewal web application and show a 
# link to it from the EJBCA public web.
# Default = false
web.renewalenabled=true

# Whether it should be possible to manually specify a custom class name in
# the admin web (e.g. for a custom Publisher or Service), or if the choice
# of class should be constrained to auto-detected classes only.
# If you are using classes made for EJBCA 5.0 or earlier you must enable
# this option, or wrap them in a "service" JAR file (see the Admin Guide).
# Default = false
#web.manualclasspathsenabled=true

# Presentation of an exception on the web error page.
#
# General error message to be presented to the user when an exception occur.
# Default: An exception has occurred
web.errorpage.notification=An exception has occurred.
#
# Print the stacktrace of the exception
# Default: true
web.errorpage.stacktrace=false

# Custom Servlet filter for emulation of client certificate authentication to the Admin GUI
# using a Tomcat Valve or similar proxy.
# Default is false.
#web.enableproxiedauth=true

# Whether the remote IP address should be logged during administrator login.
# This works as expected when using an Apache AJP proxy, but if a reverse proxy
# server is running in front of EJBCA then the address of the proxy will be logged.
# In that case the web.log.adminforwardingip can be used in addition to this.
#
# If you want this information to be included in the webservice transaction log,
# you should add ${ADMIN_FORWARDED_IP} to the "ejbcaws.trx-log-order" property instead.
# 
# Default: true
web.log.adminremoteip=true

# Whether the IP address seen at the proxy (from the HTTP header "X-Forwarded-For")
# should be logged. This information can only be trusted if the request
# is known to come from a trusted proxy server.
#
# If you want this information to be included in the webservice transaction log,
# you should add ${ADMIN_FORWARDED_IP} to the "ejbcaws.trx-log-order" property instead.
#
# Default: false
#web.log.adminforwardedip=true

# Available PKCS#11 CryptoToken libraries and their display names
# If a library file's presence is not detected it will not show up in the Admin GUI.
# Default values (see src/java/defaultvalues.properties for most up to date values):
#cryptotoken.p11.lib.10.name=SafeNet ProtectServer Gold Emulator
#cryptotoken.p11.lib.10.file=/opt/ETcpsdk/lib/linux-x86_64/libctsw.so
#cryptotoken.p11.lib.11.name=SafeNet ProtectServer Gold
#cryptotoken.p11.lib.11.file=/opt/ETcpsdk/lib/linux-x86_64/libcryptoki.so
#cryptotoken.p11.lib.20.name=SafeNet Luna SA
#cryptotoken.p11.lib.20.file=/usr/lunasa/lib/libCryptoki2_64.so
#cryptotoken.p11.lib.21.name=SafeNet Luna PCI
#cryptotoken.p11.lib.21.file=/usr/lunapci/lib/libCryptoki2_64.so
#cryptotoken.p11.lib.22.name=SafeNet Luna PCI
#cryptotoken.p11.lib.22.file=/Program Files/LunaPCI/cryptoki.dll
#cryptotoken.p11.lib.30.name=Utimaco
#cryptotoken.p11.lib.30.file=/opt/utimaco/p11/libcs2_pkcs11.so
#cryptotoken.p11.lib.31.name=Utimaco
#cryptotoken.p11.lib.31.file=/opt/Utimaco/Software/PKCS11/lib/Linux-x86-64/libcs2_pkcs11.so
#cryptotoken.p11.lib.32.name=Utimaco
#cryptotoken.p11.lib.32.file=/etc/utimaco/libcs2_pkcs11.so
#cryptotoken.p11.lib.33.name=Utimaco
#cryptotoken.p11.lib.33.file=C:/Program Files/Utimaco/SafeGuard CryptoServer/Lib/cs2_pkcs11.dll
#cryptotoken.p11.lib.40.name=nCipher
#cryptotoken.p11.lib.40.file=/opt/nfast/toolkits/pkcs11/libcknfast.so
#cryptotoken.p11.lib.50.name=ARX CoSign
#cryptotoken.p11.lib.50.file=C:/windows/system32/sadaptor.dll
#cryptotoken.p11.lib.60.name=SmartCard-HSM
#cryptotoken.p11.lib.60.file=/usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
#cryptotoken.p11.lib.61.name=OpenSC
#cryptotoken.p11.lib.61.file=/usr/lib/i386-linux-gnu/opensc-pkcs11.so
#cryptotoken.p11.lib.62.name=OpenSC
#cryptotoken.p11.lib.62.file=/usr/local/lib/opensc-pkcs11.so
#cryptotoken.p11.lib.63.name=OpenSC
#cryptotoken.p11.lib.63.file=C:/Windows/system32/opensc-pkcs11.dll
#
# You can add your own values with an available number, or override numbers from defaults...
#cryptotoken.p11.lib.255.name=P11 Proxy
#cryptotoken.p11.lib.255.file=/home/user/local/p11proxy/dist/p11proxy.so
#
# If you would like to restrict the accessible slots, you can use the following property:
# (you can use ranges, and if you omit the low or high number it means "no limit")
#cryptotoken.p11.lib.30.slotlist=1-100
#cryptotoken.p11.lib.30.slotlist=0,1,65537
#cryptotoken.p11.lib.30.slotlist=i1-i
# To change the default slot (e.g. if you have disabled access to slot 0)
#cryptotoken.p11.defaultslot=1
#cryptotoken.p11.defaultslot=i1

# Available PKCS#11 CryptoToken attribute files and their display names
# Use if the default PKCS#11 attributes are not good for the PKCS#11 module and it needs specific attributes 
#cryptotoken.p11.attr.0.name=
#cryptotoken.p11.attr.0.file=
#...
#cryptotoken.p11.attr.255.name=
#cryptotoken.p11.attr.255.file=
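Before running the installer, it pays to check ejbca-custom/conf for the placeholder values that appear in the three property files above. The script below is an added example, not part of EJBCA or of this guide; the placeholder strings it knows are the upstream sample defaults (ejbca, foo123, changeit, serverpwd) and this guide's own dummy passwords, and the property names are the ones used in the files above. The sample input in the test is constructed to mirror the values shown on this page.

```bash
#!/bin/sh
# lint-ejbca-conf.sh: pre-install check over ejbca-custom/conf for placeholder secrets and
# risky settings. Added example, not part of EJBCA or of this guide.
# Usage: sh lint-ejbca-conf.sh [/home/pki/ejbca-custom/conf]
# Exit status 1 when anything is found, so it can gate 'ant install' in a deploy script.

CONF_DIR="${CONF_DIR:-/home/pki/ejbca-custom/conf}"

# Upstream sample defaults (ejbca, foo123, changeit, serverpwd) and this guide's dummy
# passwords; none of them may reach a live installation.
PLACEHOLDERS='ejbca foo123 changeit serverpwd AveryBadPasswordDoNotUseThis AnOtherBadPassword OneMoreBadPassword'

# prop FILE KEY: effective value of KEY (last uncommented assignment wins, as in Java properties)
prop() {
    key=$(printf '%s\n' "$2" | sed 's/\./\\./g')   # dots in the key are literal
    sed -n "s/^[[:space:]]*$key[[:space:]]*=[[:space:]]*//p" "$1" 2>/dev/null | tail -n 1
}

# lint_conf DIR: one finding per line on stdout; returns 1 if there were findings
lint_conf() {
    dir="$1"; found=0
    for pair in \
        "database.properties database.password" \
        "web.properties java.trustpassword" \
        "web.properties superadmin.password" \
        "web.properties httpsserver.password" \
        "ejbca.properties ejbca.cli.defaultpassword"
    do
        set -- $pair
        v=$(prop "$dir/$1" "$2")
        if [ -z "$v" ]; then
            # unset means the upstream default applies, and those are all placeholders
            echo "$1: $2 is not set, the upstream default applies"; found=1; continue
        fi
        for p in $PLACEHOLDERS; do
            [ "$v" = "$p" ] && { echo "$1: $2 is the placeholder '$v'"; found=1; }
        done
    done
    case "$(prop "$dir/ejbca.properties" ejbca.passwordlogrounds)" in
        ""|0|1) echo "ejbca.properties: ejbca.passwordlogrounds is unset or <= 1; use ~8 (BCrypt)"; found=1 ;;
    esac
    [ "$(prop "$dir/web.properties" web.errorpage.stacktrace)" = "true" ] &&
        { echo "web.properties: web.errorpage.stacktrace=true shows stack traces to clients"; found=1; }
    [ "$(prop "$dir/web.properties" web.selfreg.enabled)" = "true" ] &&
        { echo "web.properties: web.selfreg.enabled=true accepts registration requests from anyone"; found=1; }
    [ "$(prop "$dir/ejbca.properties" ejbca.productionmode)" = "false" ] &&
        { echo "ejbca.properties: ejbca.productionmode=false lets system tests reconfigure the instance"; found=1; }
    return "$found"
}

[ "$#" -eq 0 ] || CONF_DIR="$1"
[ -d "$CONF_DIR" ] && lint_conf "$CONF_DIR"
```

Run against the files exactly as printed on this page it reports six findings (the five placeholder passwords and the commented-out ejbca.passwordlogrounds); a clean directory produces no output and exit status 0.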

ocsp.properties

One, or better several, OCSP responders are indispensable for a PKI today. Note that the upstream default for ocsp.signaturealgorithm below still lists SHA1WithRSA;SHA1WithECDSA;SHA1WithDSA; set the RSA and ECDSA entries to SHA256WithRSA and SHA256WithECDSA before going live, since SHA-1 is deprecated for signatures.

# ------------ OCSP responder configuration ---------------------
# These configurations are used both for EJBCA and the Validation Authority (VA).
#
# These values are used for OCSP responses signed by a CA and as defaults for delegated OCSP signing by OcspKeyBindings.
# Certificate Profile or URL specific configuration here will still override the configured values of an OcspKeyBinding.

# OCSP servlet enabled. If false there will be no servlet.
# Default is true.
#ocsp.enabled=false

# Context root (the path in the URL)
# Default is '/${app.name}/publicweb/status'
#ocsp.contextroot=/status

# DEPRECATED VALUE
# Deprecated since 6.2.4. The current value will be used to perform upgrade at first startup, and may be removed afterwards. 
#
# Specifies the subject of a certificate which is used to identify the 
# responder which will generate responses when no real CA can be found from the request. 
# This is used to generate 'unknown' responses when a request is received for a certificate 
# that is not signed by any CA on this server. Recommended to use same as ca.dn.
#
# For the internal OCSP responder this is the subject DN of the CA to use for signing
# For an external OCSP responder this is the issuer DN of the OCSP responders certificate to use for signing, i.e. the CAs subject DN.
ocsp.defaultresponder=CN=ManagementCA,O=Honest Achmed PKI,OU=Used Cars,C=DE

# If set to false the OCSP responses will only contain the signature certificate (if ocsp.includesignercert is set to 'true'), 
# and not the whole certificate chain of the OCSP responder.
# Default true.
#ocsp.includecertchain=true

# If set to false, the  OCSP response will not contain the signing certificate.
# Default true 
#ocsp.includesignercert=true

# Defines the ResponderID type as defined in RFC2560. Set to name for the Name type and keyhash for the KeyHash type.
# Possible values: name, keyhash
# Default: keyhash 
#ocsp.responderidtype=keyhash

# Specifies which signature algorithms should be used on OCSP responses. You can specify several algorithm
# separated by ';'. If RSA keys are used in the OCSP signing certificate, the algorithm with RSA will be used, and
# if ECDSA keys are used in the OCSP signing certificate, the algorithm with ECDSA will be used and if 
# DSA keys are used in the OCSP signing certificate, the algorithm with DSA will be used.
#
# Default: SHA1WithRSA;SHA1WithECDSA;SHA1WithDSA
#ocsp.signaturealgorithm=SHA1WithRSA;SHA1WithECDSA;SHA1WithDSA

# The interval on which the the OCSP signing certificates are updated in seconds.
# If set to 0 or negative these certificate are never updated.
# Default: 300
#ocsp.signingCertsValidTime=0

# When a signing certificate is about to expire a WARN message could be written to log4j each time the key of the certificate is used.
# This property defines when this message is started to be written.
# The property is set to the number of seconds before the expiration that the WARN message starts to be written.
# If set to 0 the warning is disabled.
# Default: 604800 (1 week)
#ocsp.warningBeforeExpirationTime=10000

# If true, a certificate that does not exist in the database but is issued by a CA the responder handles
# will be treated as not revoked. The default (when the value is false) is to treat it as "unknown". Since the OCSP responder's database normally contains all issued certificates,
# this gives sensible values (in line with RFC6960) for "ok", "revoked" and "unknown" certificates.
# Setting this value to true is useful if you want an External OCSP responder database to only contain revoked certificates, and not
# all certificates. In this case the responder will answer "ok" to requests for certificates that do not exist in the database. 
# If both 'ocsp.nonexistingisgood' and 'ocsp.nonexistingisrevoked' are set to 'true', the responder will answer "ok".
#
# Default: false
#ocsp.nonexistingisgood=false

# The value of 'ocsp.nonexistingisgood=false' may be overridden if the URL that the client used to send the request matches one of the regular expressions below.
# The regular expressions are numbered from 1 upwards; any numbers may be used. If any of them matches, 'ocsp.nonexistingisgood=false' is overridden.
# Here follows an example of 2:
#ocsp.nonexistingisgood.uri.1=.*/thisEndingIsGood$
#ocsp.nonexistingisgood.uri.2=^http://good.myhost.nu:8080/.*

# The value of 'ocsp.nonexistingisgood=true' may be overridden if the URL that the client used to send the request matches one of the regular expressions below.
# The regular expressions are numbered from 1 upwards; any numbers may be used. If any of them matches, 'ocsp.nonexistingisgood=true' is overridden.
# Here follows an example of 2:
#ocsp.nonexistingisbad.uri.1=.*/thisEndingIsBad$
#ocsp.nonexistingisbad.uri.2=^http://bad.myhost.nu:8080/.*

# If true a certificate that does not exist in the database, but is issued by a CA the responder handles,
# will be treated as revoked; the revocation reason will be "Certificate Hold" and the revocation time is January 1st, 1970 (compliant with RFC6960). 
# Default (when this value and value of "Non existing is good" are false) is to treat it as "unknown".
# If both "Non existing is good" and "Non existing is revoked" are true, the responder will answer "ok".
#
# Default: false
#ocsp.nonexistingisrevoked=false

# The value of 'ocsp.nonexistingisrevoked=false' may be overridden if the URL that the client used to send the request matches one of the regular expressions below.
# The regular expressions are numbered from 1 upwards; any numbers may be used. If any of them matches, 'ocsp.nonexistingisrevoked=false' is overridden.
# Here follows an example of 2:
#ocsp.nonexistingisrevoked.uri.1=.*/thisEndingIsRevoked$
#ocsp.nonexistingisrevoked.uri.2=^http://revoked.myhost.nu:8080/.*

# An OCSP responder MAY choose to retain revocation information beyond a certificate's expiration.  The date obtained by subtracting this
# retention interval value from the producedAt time in a response is defined as the certificate's "archive cutoff" date.
# To illustrate, if a server is operated with a 7-year retention interval policy and status was produced at time t1, then the value
# for ArchiveCutoff in the response would be (t1 - 7 years).
#
# OCSP-enabled applications would use an OCSP archive cutoff date to contribute to a proof that a digital signature was (or was not)
# reliable on the date it was produced even if the certificate needed to validate the signature has long since expired
# The value of this configuration should be set to the number of seconds of this retention interval. To disable the archive cutoff extension, 
# the value of this configuration should be set to '-1'
#
# Default: 31536000 (1 year)
#ocsp.expiredcert.retentionperiod = 31536000
#ocsp.expiredcert.retentionperiod = -1

# For HTTP get requests according to RFC5019 we can set HTTP headers in the response to allow caching proxies to cache responses.
# untilNextUpdate is the number of seconds a response will be valid. 0 = disable.
# Default: 0
#ocsp.untilNextUpdate = 0

# You can also specify different nextUpdate values depending on which certificate profiles the certificate was issued by.
# This only works when you have published using EJBCA 3.9.0 or later, where the certificateProfileId column in the CertificateData table is populated.
# You can find the certificateProfileId (999 in the example below) in the admin GUI.
# If no specific certificateProfileId is specified the default value from ocsp.untilNextUpdate is used.
#ocsp.999.untilNextUpdate = 50

# For HTTP get requests according to RFC5019 we can set HTTP headers in the response to allow caching proxies to cache responses.
# untilNextUpdate is the number of seconds a response will be valid. 0 = disable.
# If this configuration is set, its value will override the global value for certificates with revoked status.
# Default: 0
#ocsp.revoked.untilNextUpdate = 0

# You can also specify different nextUpdate values depending on which certificate profiles the certificate was issued by.
# This only works when you have published using EJBCA 3.9.0 or later, where the certificateProfileId column in the CertificateData table is populated.
# You can find the certificateProfileId (999 in the example below) in the admin GUI.
# If no specific certificateProfileId is specified the default value from ocsp.untilNextUpdate is used.
# If this configuration is set, its value will override the global value for certificates with revoked status.
#ocsp.999.revoked.untilNextUpdate = 50

# For HTTP get requests according to RFC5019 we can set HTTP headers in the response to allow caching proxies to cache responses.
# maxAge is how long a response will be cached, in seconds. Should be less than untilNextUpdate.
# Ignored if untilNextUpdate is disabled. 0 = disable.
# Note that for responses of certificates with unknown status, the HTTP response header "Cache-control" will not contain the max age, but 
# "no-cache, must-revalidate" instead. That is to prevent caching of unknown status.
# Default: 30
#ocsp.maxAge = 30

# You can also specify different maxAge values depending on which certificate profiles the certificate was issued by.
# This only works when you have published using EJBCA 3.9.0 or later, where the certificateProfileId column in the CertificateData table is populated.
# You can find the certificateProfileId (999 in the example below) in the admin GUI.
# If no specific certificateProfileId is specified the default value from ocsp.maxAge is used.
#ocsp.999.maxAge = 100

# For HTTP get requests according to RFC5019 we can set HTTP headers in the response to allow caching proxies to cache responses.
# maxAge is how long a response will be cached, in seconds. Should be less than untilNextUpdate.
# Ignored if untilNextUpdate is disabled. 0 = disable.
# Note that for responses of certificates with unknown status, the HTTP response header "Cache-control" will not contain the max age, but 
# "no-cache, must-revalidate" instead. That is to prevent caching of unknown status.
# If this configuration is set, its value will override the global value in case of certificate with a revoked status.
# Default: 30
#ocsp.revoked.maxAge = 30

# You can also specify different maxAge values depending on which certificate profiles the certificate was issued by.
# This only works when you have published using EJBCA 3.9.0 or later, where the certificateProfileId column in the CertificateData table is populated.
# You can find the certificateProfileId (999 in the example below) in the admin GUI.
# If no specific certificateProfileId is specified the default value from ocsp.maxAge is used.
# If this configuration is set, its value will override the global value in case of certificate with a revoked status.
#ocsp.999.revoked.maxAge = 100

# Specifies OCSP extension oids that will result in a call to an extension class, 
# separate multiple entries with ';'
# For any entry that should be always used, preface with '*' (e.g. *2.16.578.1.16.3.2)
# Leave out if you do not know what this is.
# Example value: 2.16.578.1.16.3.2 (Unid)
# Example value: *1.3.36.8.3.13 (CertHash)
# Default: nothing 
#ocsp.extensionoid=

# Specifies classes implementing OCSP extensions matching oids above, 
# separate multiple entries with ';'
# Leave out if you do not know what this is.
# Example value: org.ejbca.core.protocol.ocsp.OCSPUnidExtension
# Example value: org.ejbca.core.protocol.ocsp.extension.certhash.OcspCertHashExtension
# Default: nothing
#ocsp.extensionclass=

# Datasource for Unid-Fnr mapping OCSP extension. 
# Leave out if you do not know what this is.
# No default value, must be set if the extension is used
#ocsp.uniddatsource=

# Directory containing certificates of trusted entities allowed to query for Fnrs. 
# Leave out if you do not know what this is.
# No default value, must be set if the extension is used
#ocsp.unidtrustdir=

# File containing the CA-certificate, in PEM format, that signed the trusted clients. 
# Leave out if you do not know what this is.
# No default value, must be set if the extension is used
#ocsp.unidcacert=

# Specifies if the OCSP-responder should require signed requests or not.
# If signature is required, the signature certificate must be issued by a CA handled by the OCSP responder.
#
# Default: false
#ocsp.signaturerequired=false

# Timeout setting for the Global OCSP configuration cache. Once the cache has timed out it will be reread from the 
# database.
#
# Default: 30000ms 
#ocspconfigurationcache.cachetime=30000

#------------------- Re-keying used by external OCSP responder------------------------------
# When this feature is enabled a new signing key will automatically be generated a specified time before the certificate of the used key expires.
# A certificate for the new key will be fetched by WS from EJBCA.
# You also need to configure an AuthenticationKeyBinding as client SSL credential. (It will be created for you
# during upgrade to EJBCA 6.0.0 where a client SSL keystore existed previously.)

# Password for rekeying via the servlet. 
# Default: null
#ocsp.rekeying.trigging.password=

# URL to webservice from which the certificate for a newly generated OCSP responder key should be fetched.
# The automatic re-keying feature is disabled if this property is not defined.
# Default: null
#ocsp.rekeying.wsurl = https://milton:8443/ejbca/ejbcaws/ejbcaws

# Specifies how often the signing certificates should be checked. Default value is 3600 seconds, but consider lowering this value if signing certificates are expected
# to be valid less than 24h 
#ocsp.rekeying.update.time.in.seconds=

# Specifies how much safety margin a certificate should have before it's updated, i.e. when it should be considered a candidate for renewal. The effective
# validity time for a signing certificate is its actual validity minus this value. The timer will output warnings if this value is less than the update time.
#
# The default for this value is 24h 
#ocsp.rekeying.safety.margin.in.seconds=

# Limits what hosts may request a manual rekeying via web service. Multiple hosts may be separated with a semicolon. 
# Default: 127.0.0.1
#ocsp.rekeying.trigging.hosts=

#------------------- OCSP Logging settings -------------
# Transaction logging logs summary lines for all OCSP requests/responses, which can be used for charging clients if you are running a commercial OCSP service.
# Specifies whether transaction logging should be performed by the OCSP responder; the time stamp format is configured with ocsp.log-date (default yyyy-MM-dd:HH:mm:ss:z).
# Change below to true if you want transaction information to be logged
#
# See the OCSP installation guide for more details on the transaction and audit logging.
#
# Default: false
#ocsp.trx-log = true

# Configure how time of logging in auditlog will be output
# Default: yyyy-MM-dd:HH:mm:ss:z
#ocsp.log-date = yyyy-MM-dd:HH:mm:ss:z

# Configure which time zone will be used for logging
# Default: GMT
#ocsp.log-timezone = GMT

# A pattern for use with ocsp.trx-log-order to replace constants with values during logging
# Default: \\$\\{(.+?)\\}
#ocsp.trx-log-pattern = \\$\\{(.+?)\\}

# Use ocsp.trx-log-order to specify what information should be logged and in what order. You can also configure what characters you want in between
# See OCSP Installation guide for documentation of all parameters.
# Default: ${SESSION_ID};${LOG_ID};${STATUS};${REQ_NAME}"${CLIENT_IP}";"${SIGN_ISSUER_NAME_DN}";"${SIGN_SUBJECT_NAME}";${SIGN_SERIAL_NO};"${LOG_TIME}";${REPLY_TIME};${NUM_CERT_ID};0;0;0;0;0;0;0;"${ISSUER_NAME_DN}";${ISSUER_NAME_HASH};${ISSUER_KEY};${DIGEST_ALGOR};${SERIAL_NOHEX};${CERT_STATUS}
#ocsp.trx-log-order = ${SESSION_ID};${LOG_ID};${STATUS};${REQ_NAME}"${CLIENT_IP}";"${SIGN_ISSUER_NAME_DN}";"${SIGN_SUBJECT_NAME}";${SIGN_SERIAL_NO};"${LOG_TIME}";${REPLY_TIME};${PROCESS_TIME};${NUM_CERT_ID};0;0;0;0;0;0;0;"${ISSUER_NAME_DN}";${ISSUER_NAME_HASH};${ISSUER_KEY};${DIGEST_ALGOR};${SERIAL_NOHEX};${CERT_STATUS}

# Audit logging logs the complete requests and responses, which can be used to trace complete transaction afterwards.
# change ocsp.audit-log to true if you want audit logging turned on
# Default: false
#ocsp.audit-log = true

# A pattern for use with ocsp.audit-order to replace constants with values during logging
# Default: \\$\\{(.+?)\\}
#ocsp.audit-log-pattern = \\$\\{(.+?)\\}

# Use ocsp.audit-log-order to specify what information should be logged and in what order. You can also configure what characters you want in between
# See OCSP Installation guide for documentation of all parameters.
# Default: ocsp.audit-log-order = SESSION_ID:${SESSION_ID};LOG ID:${LOG_ID};"${LOG_TIME}";TIME TO PROCESS:${REPLY_TIME};\nOCSP REQUEST:\n"${OCSPREQUEST}";\nOCSP RESPONSE:\n"${OCSPRESPONSE}";\nSTATUS:${STATUS}
#ocsp.audit-log-order = SESSION_ID:${SESSION_ID};LOG ID:${LOG_ID};"${LOG_TIME}";REPLY TIME:${REPLY_TIME};\nTIME TO PROCESS:${PROCESS_TIME};\nOCSP REQUEST:\n"${OCSPREQUEST}";\nOCSP RESPONSE:\n"${OCSPRESPONSE}";\nSTATUS:${STATUS}

# Set to true if you want transactions to be aborted when logging fails
# This option needs other configuration changes as well, see  "Safer Log4j Logging" in the OCSP install guide for more information
# Default: false
#ocsp.log-safer = true

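Most lines in the file above are commented-out defaults, so it is easy to lose track of which settings are actually in force. The following script is an added example (not part of EJBCA and not one of this page's own scripts): it lists the active ocsp.* settings of an ocsp.properties file and flags the three choices from the comments above that matter most for a responder exposed to clients: SHA-1 in ocsp.signaturealgorithm (the shipped default when the key is unset), ocsp.nonexistingisgood=true, and an ocsp.maxAge that is not below ocsp.untilNextUpdate. It assumes plain Java properties syntax with one "key = value" per line.

```sh
#!/bin/sh
# Added example, not part of EJBCA or of this page's own scripts: print the
# ocsp.* settings that are really active in an ocsp.properties file (lines
# that are not commented out) and flag the ones worth a second look.
# Assumption: plain Java properties syntax, one "key = value" per line.

# Emit "key=value" for every active ocsp* line, surrounding blanks removed.
ocsp_effective() {
    sed -n '/^[[:space:]]*ocsp[A-Za-z0-9._-]*[[:space:]]*=/{
        s/^[[:space:]]*//
        s/[[:space:]]*=[[:space:]]*/=/
        s/[[:space:]]*$//
        p
    }' "$1"
}

# Value of one key, or the empty string if it is commented out or absent.
ocsp_get() {
    key=$(printf '%s' "$2" | sed 's/\./\\./g')
    ocsp_effective "$1" | sed -n "s/^$key=//p" | head -n 1
}

# Print one line per finding. Defaults assumed for unset keys are the ones
# documented in the shipped ocsp.properties (SHA-1 algorithms, maxAge 30).
ocsp_lint() {
    f=$1
    alg=$(ocsp_get "$f" ocsp.signaturealgorithm)
    case "${alg:-SHA1WithRSA;SHA1WithECDSA;SHA1WithDSA}" in
        *SHA1*) echo "WARN ocsp.signaturealgorithm still contains SHA-1: ${alg:-(default)}" ;;
    esac
    if [ "$(ocsp_get "$f" ocsp.nonexistingisgood)" = "true" ]; then
        echo "WARN ocsp.nonexistingisgood=true: serials unknown to the database are answered 'good'"
    fi
    nu=$(ocsp_get "$f" ocsp.untilNextUpdate)
    ma=$(ocsp_get "$f" ocsp.maxAge)
    if [ -n "$nu" ] && [ "$nu" -gt 0 ] && [ "${ma:-30}" -ge "$nu" ]; then
        echo "WARN ocsp.maxAge (${ma:-30}) is not below ocsp.untilNextUpdate ($nu): proxies may serve responses past nextUpdate"
    fi
    return 0
}

# Usage: sh ocsp-lint.sh /home/pki/ejbca-custom/conf/ocsp.properties (path is an assumption)
if [ -n "${1:-}" ]; then
    ocsp_effective "$1"
    ocsp_lint "$1"
fi
```

Run it against the conf/ directory of the ejbca-custom tree before ant deploy; an empty lint output is what you want to see.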
Installation

In essence, follow the EJBCA installation guide. In the end the installation comes down to the steps

  • ant deploy
  • ant install

Important: ant install must not be started until the line

13:55:00,652 INFO  [org.jboss.as.server] (DeploymentScanner-threads - 1) JBAS015859: Deployed "ejbca.ear" (runtime-name : "ejbca.ear")

appears in the JBoss log. The "success" message printed after ant deploy only means the archive was handed to JBoss, not that deployment has finished.
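
The wait for that log line is easy to automate. The script below is an added example (not from the page or from EJBCA): it records where the JBoss log currently ends, runs ant deploy, and only starts ant install once the JBAS015859 line quoted above shows up after that point, so a "Deployed" line left over from an earlier run cannot satisfy the check. The log path in the usage comment is an assumption; the message text is the one from the log excerpt above.

```sh
#!/bin/sh
# Added example, not from the page or from EJBCA: block until the JBoss log
# reports ejbca.ear as deployed, so that "ant install" is never started on a
# half-deployed application. Assumptions: the log path in the usage comment
# below, and the message text as shown in the page's log excerpt.

# wait_for_deploy LOGFILE [TIMEOUT_SECONDS] [START_LINE]
# Returns 0 once the deployment line appears at or after START_LINE, 1 on timeout.
# START_LINE lets the caller ignore "Deployed" lines left over from an earlier run.
wait_for_deploy() {
    log=$1
    timeout=${2:-600}
    start=${3:-1}
    waited=0
    while [ "$waited" -lt "$timeout" ]; do
        if [ -f "$log" ] && tail -n "+$start" "$log" | grep -q 'JBAS015859: Deployed "ejbca.ear"'; then
            return 0
        fi
        sleep 1
        waited=$((waited + 1))
    done
    return 1
}

# Line number at which new log output will start (1 for a missing or empty log).
next_log_line() {
    if [ -f "$1" ]; then
        echo $(( $(wc -l < "$1") + 1 ))
    else
        echo 1
    fi
}

# Usage, from the EJBCA source directory (log path is an assumption):
#   sh deploy-and-install.sh /home/pki/jboss/standalone/log/server.log
if [ -n "${1:-}" ]; then
    LOG=$1
    start=$(next_log_line "$LOG")
    ant deploy
    wait_for_deploy "$LOG" 600 "$start" && ant install
fi
```

If the deployment line never appears within the timeout the script returns 1 and ant install is skipped; in that case look at the JBoss log for the deployment error instead of retrying.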

Web server certificate

If a reverse proxy is to be used, the TLS server keystore (tomcat.jks, key and certificate) generated by the EJBCA installer must be converted to Base64 (PEM). This script does that:

#!/usr/local/bin/bash

set -euo pipefail

cd /home/pki/ejbca/p12 || exit 1

WEB_PROPERTIES="/home/pki/ejbca-custom/conf/web.properties"
JAVA_KEYSTORE="tomcat.jks"
PEM_KEYSTORE="tomcat.pem"

# The key ends up unencrypted in the PEM file: restrict permissions and use a
# private temporary directory instead of well-known names in /tmp.
umask 077
WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT
PKCS12_KEYSTORE="$WORKDIR/tomcat.p12"

if [ ! -f "$WEB_PROPERTIES" ]; then
  echo "$WEB_PROPERTIES not found" >&2
  exit 1
fi

# Only the active (uncommented) httpsserver.password line, and everything after
# the first '=' so that a password containing '=' survives.
PASSWORD=$(awk '/^httpsserver\.password=/ { sub(/^[^=]*=/, ""); print; exit }' "$WEB_PROPERTIES")
if [ -z "$PASSWORD" ]; then
  echo "httpsserver.password not set in $WEB_PROPERTIES" >&2
  exit 1
fi
export PASSWORD

# Alias of the private key entry in the keystore (usually "tomcat")
ALIAS=$(keytool -list -keystore "$JAVA_KEYSTORE" -storepass "$PASSWORD" \
        | awk -F, '/PrivateKeyEntry/ { print $1; exit }')

keytool -importkeystore -alias "$ALIAS" \
  -srckeystore "$JAVA_KEYSTORE" -srcstorepass "$PASSWORD" \
  -destkeystore "$PKCS12_KEYSTORE" -deststoretype PKCS12 \
  -deststorepass "$PASSWORD" -destkeypass "$PASSWORD" -noprompt

# Pass the password through the environment rather than the command line so it
# does not show up in the process list (the keytool calls above still expose it).
openssl pkcs12 -in "$PKCS12_KEYSTORE" -out "$PEM_KEYSTORE" -nodes -passin env:PASSWORD

The script obtains all the information it needs from the config file web.properties. The resulting tomcat.pem contains the unencrypted private key, so it must stay readable only by the account that runs the reverse proxy.
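
The PEM file written by openssl pkcs12 holds the private key, the certificate chain and the "Bag Attributes" text between them in a single file, while nginx and Apache expect the key and the certificate chain in separate files. The script below is an added example (not part of the page's own script): it splits such a bundle into a key file and a certificate file and, when openssl is available, checks that the key really belongs to the certificate. The file names tomcat.pem, tomcat.key and tomcat.crt are assumptions.

```sh
#!/bin/sh
# Added example, not part of the page's own script: split the PEM bundle that
# "openssl pkcs12 -nodes" writes (key, certificates, "Bag Attributes" headers)
# into the separate key and certificate files a reverse proxy expects, and
# check that the two belong together. Assumed names: tomcat.pem in,
# tomcat.key and tomcat.crt out.

# Copy every block between BEGIN/END markers whose type ends in $2 from $1 to
# stdout ("PRIVATE KEY" also catches "RSA PRIVATE KEY" and "EC PRIVATE KEY";
# "CERTIFICATE" copies the whole chain). Bag Attributes lines are dropped.
pem_extract() {
    awk -v kind="$2" '
        $0 ~ ("^-----BEGIN .*" kind "-----$") { inblock = 1 }
        inblock { print }
        $0 ~ ("^-----END .*" kind "-----$")   { inblock = 0 }
    ' "$1"
}

# split_bundle BUNDLE KEYFILE CERTFILE: writes the two files with mode 0600.
split_bundle() {
    bundle=$1
    key=$2
    crt=$3
    umask 077
    pem_extract "$bundle" "PRIVATE KEY" > "$key"
    pem_extract "$bundle" "CERTIFICATE" > "$crt"
    if [ "$(grep -c '^-----BEGIN' "$key")" -ne 1 ]; then
        echo "expected exactly one private key in $bundle" >&2
        return 1
    fi
    if [ "$(grep -c '^-----BEGIN' "$crt")" -lt 1 ]; then
        echo "no certificate found in $bundle" >&2
        return 1
    fi
    return 0
}

# key_matches_cert KEYFILE CERTFILE: compare the public key derived from the
# private key with the one inside the (first) certificate. Needs openssl.
key_matches_cert() {
    [ "$(openssl pkey -in "$1" -pubout 2>/dev/null)" = "$(openssl x509 -in "$2" -noout -pubkey 2>/dev/null)" ]
}

# Usage: sh split-pem.sh tomcat.pem tomcat.key tomcat.crt
if [ $# -eq 3 ]; then
    split_bundle "$1" "$2" "$3" && key_matches_cert "$2" "$3" && echo "key and certificate match"
fi
```

Point the proxy's key directive at tomcat.key and its certificate directive at tomcat.crt; the certificate file keeps the order of the bundle, i.e. the server certificate first.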