Achieving E2E Certificate Management with Keyfactor and EJBCA

The concept of machine identity management has exploded over the last year — and for a good reason. Organizations now have more elements like cryptographic keys, X.509 certificates, and other credentials that they need to manage to establish digital trust between identities and machines, including IoT devices, virtual machines, containers, etc.

In fact, machine identity management has become so important that it made Gartner’s list of the Top Security and Risk trends for 2021. Specifically, Gartner has advised that machine identity management needs to be a focus as organizations continue to scale their digital certificates, noting that organizations using X.509 certificate management tools can reduce certificate-related outages by 90% and cut time spent managing these issues in half.

Recognizing this importance, what steps can your organization take in response? We sat down with Eric Mizell, VP of Engineering at Keyfactor, and Alex Gregory, VP of Marketplace Products at Keyfactor, to determine what it takes to achieve end-to-end certificate management with Keyfactor Command and PrimeKey EJBCA.

Here are the highlights of our discussion.

Before we dig into how exactly Keyfactor and PrimeKey can support end-to-end certificate management, it’s essential to understand why this combination is uniquely poised to solve this problem. The answer to this question comes down to a combination of platform capabilities and subject matter expertise.

Keyfactor and PrimeKey merged in the summer of 2021, bringing together comprehensive and highly scalable solutions for machine identity management (covering everything from SSH keys to SSL and TLS certificates) and enterprise PKI. This combination creates an end-to-end platform with best-in-class management and automation capabilities that can issue certificates at scale.

At the same time, the combined Keyfactor and PrimeKey teams bring over 20 years of experience in the space. Keyfactor has spent more than two decades leading PKI consulting initiatives, while PrimeKey has had the market-leading open-source PKI and CA since 2001. This experience positions the joint team to support enterprise security teams and IoT teams handling security during the manufacturing and production processes.

EJBCA is a high horsepower, scalable certificate authority. It supports unlimited PKI hierarchies per server, meaning the only reason you need to add more servers is to increase the footprint of your PKI. 

And doing so is easy: All it takes is adding EJBCA nodes behind a load balancer on a highly available database with a good HSM configuration to achieve some truly incredible scale when it comes to certificate issuance.

Equally important, EJBCA is easy to consume, with three different options depending on your needs: 

• • EJBCA SaaS: The PrimeKey and Keyfactor team hosts, manages, and operates everything for you. This approach gives you the full horsepower of EJBCA, allowing you to configure everything from the keys and CAs to the names and profiles and everything else within EJBCA — all without having to worry about any of the infrastructure.
  • EJBCA Cloud: Offered as a subscription through the AWS or Microsoft Azure marketplace that runs EJBCA through a virtual machine in your environment. This approach gives you all of the pre-configured knowledge of what it takes to package EJBCA so you can scale, architect, build and patch it as needed to control every aspect of your PKI.
  • Software client: Prepackages EJBCA onto a virtual machine that you can run on premise or a hardware appliance that has a built-in HSM pre-configured by PrimeKey.

Once you start creating certificates, you need to manage them throughout their lifecycle, which is where Keyfactor Command comes into play.

Keyfactor Command supports certificate lifecycle automation, providing the necessary visibility to identify all the certificates in your environment and keep an inventory of CAs, certificate stores, application servers, and so on. This visibility can support risk assessments, such as understanding which certificates are about to expire and the potential weaknesses that exist around self-signed certificates. Keyfactor Command also allows you to create alerts for certain risk points, like when certificates are about to expire and need to be renewed to avoid an outage.

Keyfactor Command supports everything from auto-enrollment for certificates to auto-provisioning for application servers, load balancers, firewalls and more.  Keyfactor’s automation avoids error-prone processes and the all too common situation in which security teams miss a server when renewing these certificates.

Importantly, Keyfactor Command also has strong API integration points into any CA. These integrations provide a real-time inventory of all the certificates that exist in an environment and support functionality like enrolling, revoking, and provisioning certificates automatically. Notably, it does so all through one interface to create a single point of visibility and management.

Integrating Keyfactor Command and EJBCA delivers numerous benefits. It helps simplify PKI by making programs highly scalable and automates the entire management process to support crypto agility. It also provides unprecedented levels of visibility by allowing you to tie into any number of public and private CAs and reduces risk by helping your entire organization (including DevOps teams) move fast in a secure way.

Let’s take a look at exactly how this all comes together.

To start, let’s say you have multiple PKI hierarchies within EJBCA and that your root CA, including its crypto token, is offline. This means those keys will be stored in your HSM. You can access those keys to use them for signing by entering your password into the HSM. 

Once you get access to the keys, you can use them for signing. In this case, let’s add a CA called “Keyfactor Webinar Issuing CA.” We have many different ways to sign that CA: We can create a self-signed CA (which is typically not something you want to do), use an external CA (which is usually best for offline root CAs), or you can use a root CA for your PKI (which we will do for this example).

Before we sign the CA, we have to set some parameters. First, let’s make it “active” as an issuing CA for 15 years. Next, we need to set up a CRL. In this case, we’ll do a three-day CRL with a one-day overlap, which allows us to have a few different CRLs in flight while still controlling exactly how many are live.

Once those parameters are set, clicking “create” in the platform will get the root CA to sign the new issuing CA, giving us a new PKI hierarchy. 

This process only takes a few seconds, and once the new issuing CA is created, we no longer need the root CA online. As a best practice, you should always keep the root CA offline unless it’s needed to create a new issuing CA.

Once we have our issuing CA, we can think through protocols and APIs. EJBCA offers significant protocol support: From ACME to auto-enrollment configuration, it can integrate with your Active Directory domain and issue certificates to users with computers through native auto-enrollment protocols. The great thing about this setup is the flexibility to enable and disable protocols on the fly.

Now we can start to issue new certificates. The integration with Keyfactor Command means that Keyfactor will see any new certificate and key created through EJBCA.

Let’s use a web server profile to issue a key pair called “Keyfactor Webinar.” We can configure all the DN attributes we want, like OU, organization, qualit, etc. We can also give it a username and enrollment code.

Visibility is king in the world of PKI, and that’s where Keyfactor Command’s dashboard that displays high-level information becomes so important. It shows details like which certificates are active, which are expiring soon, where certificates are located, and which ones might need revocation.

Additionally, you can click on each certificate to drill down on more details.

Keyfactor Command can also group certificates into collections, allowing different groups to customize their dashboard so they only see their certificates and the information they care about. We can also group certificates by CA, for example to see all the certificates issued through EJBCA.

We can actually use any search parameters, including certificate attributes, metadata or key length, to build collections. Perhaps best of all, the search works in plain English so that no one has to worry about writing a query.

Keyfactor is CA agnostic, meaning it can pull in all of this data from any public or private CA. As a result, this should be an ongoing process so that we always have the latest and greatest inventory of the certificates that exist in our environment and the pertinent details on each one. The best way to do this is to set rules for incremental scans to capture new certificates and updates on information to existing ones.

This incremental inventory is important as we continue issuing certificates. With the combination of Keyfactor Command and EJBCA, we can even automate that process to a certain extent by giving different groups of users permissions to issue certificates from an issuing CA or we can add an issuing CA to a certificate store for an even more automated process.

Along the way, the combined power of Keyfactor Command and EJBCA will simplify the entire process by automating critical efforts and providing deep visibility into the entire PKI program.

Are you interested in learning more about the combined power of Keyfactor Command and PrimeKey EJBCA? Click here to watch the entire webinar, including a demo, on how the two solutions integrate to support end-to-end certificate management.