不错的,完全java实现。
如果不用ejb多好啊!
据说由于模型太过复杂。
很多人望而却步。
--------------------------------
想翻译ejbca的使用说明manual.xml。
不知能否完成。
现在完成10%!
---------------------------
User guide
EJBCA is a fully functional Certificate Authority built in Java. Based on J2EE technology it constitutes a robust, high performance and component based CA. Both flexible and platform independent, EJBCA can be used standalone or integrated in any J2EE application.
EJBCA 是java实现的全功能的CA。它具有的特点是:基于J2EE、功能强大、高性能、组建化、简单、不依赖平台等特点。EJBCA可以单独使用,也可以和任何J2EE应用整合在一起。
The EJBCA Homepage can be found at http://ejbca.sourceforge.net/. Information about contacting the EJBCA team, contributing to EJBCA, etc can be found through the Homepage.
关于EJBCA的信息可以在主页http://ejbca.sourceforge.net/看到。
More documentation can also be found on the homepage and on the documentation site http://docs.primekey.se/.
可以通过http://docs.primekey.se/获得更多的文档信息。.
EJBCA is completely written in Java and should as such run on any platform where a J2EE server runs. Development and testing is performed on Linux and Windows platforms.
EJBCA完全用Java编写。可以在所有J2EE平台上运行. 开发和测试是在 Linux 和 Windows 平台上进行的。
Security is discussed below in the chapter about configuration and in Security。
在下面的章节中讨论配置及安全的问题。
Please take a minute to thorougly consider the security implications and make sure you know what you are doing when you are setting up a CA.
请用几分钟时间彻底的了解安全方面的内容。以能确保您在安装CA时知道自己应该怎样做。
If running on Linux, you should consider using the sample firewall script provided in 'ejbcafirewall.sh'. If running on Windows, a similar aproach should be taken with firewall software/hardware.
如果运行在Linux,您可以考虑使用EJBC提供的样例脚本。如果在Windows平台运行,应当在软件或硬件上执行相似的操作。
See doc/RELEASE_NOTES and UPGRADE for information about upgrading from an earlier version of EJBCA.
请参考doc/RELEASE_NOTES和UPGRADE以获得如何更新到最新版本的方法。
Note: EJBCA makes use of strong crypto and keystore passwords longer than 7 characters. For this to work you must install the 'Unlimited Strength Jurisdiction Policy Files' for JDK. The policy files can be found at the same place as the JDK download at java.sun.com. Further information on this can be found in the Sun documentation on the JCE.
注意:EJBCA使用强密码,并且keystore密码大于7个字符。由于这个原因,请在JDK中安装'非受限密码策略文件'('Unlimited Strength Jurisdiction Policy Files'). 策略文件可以在java.sun.com 下载。更多的信息请参SUN的JCE文档。
Needed to build and run are:
需要的软件及版本如下:
JDK 1.4.x or 1.5.x
JDK 1.4.x或1.5.x
Unlimited Strength Jurisdiction Policy Files for your JDK
JDK的非受限的密码策略文件
JBOSS >=4.0.3 (最新的版本是JBoss 4.0.4)
Ant >= 1.6.5 to build (http://jakarta.apache.org/ant/)
Apache Myfaces 1.1 JSF libraries (included in JBoss >=4.0.3), without this you can still run EJBCA but with limited functionality in the adminGUI.
Apache Myfaces 1.1 JSF libraries (被包含在JBoss 4.0.3以上的版本), 没有JSF,您仍然可以使用EJBCA,但是在使用adminGUI时会受到限制.
EJBCA can also run on other application servers, see doc/howto/HOWTO-Appserver.txt for details.
EJBCA 也可以运行在其他应用服务中,详细信息请参考doc/howto/HOWTO-Appserver.txt。
Set the environment variable JBOSS_HOME to the directory where JBoss's root is (/jboss-version). This is done so the deploy script will know where files are to be copied, they are copied to the directory $JBOSS_HOME/server/default/deploy.
为了让部署脚本知道把文件拷贝到什么地方,请设置环境变量JBOSS_HOME为JBoss's的根目录(如/jboss-version)。那些文件将被拷贝到$JBOSS_HOME/server/default/deploy.
Windows/Unix: When we describe command line commands below we use unix notation, e.g. 'ejbca.sh' for the executable command files. The same command files are available for windows as cmd-files, e.g. 'ejbca.cmd.'
Windows/Unix: 下面描述的命令行是以unix为例,比如 'ejbca.sh'. 相似的命令行文件在windows下如'ejbca.cmd.'
Java 1.5.0
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 5.0
Java Cryptography Extension (JCE) 非受限的密码策略文件5.0
http://java.sun.com/j2se/1.5.0/download.jsp
Java 1.4.2
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 1.4.2
Java Cryptography Extension (JCE) 非受限的密码策略文件1.4.2
http://java.sun.com/j2se/1.4.2/download.html
If you are only testing EJBCA at this stage and is not setting up a production environment, you can skip this step.
如果您仅仅是测试EJBCA,并且不是作为生产环境安装,可以跳过这一步骤。
Now when everything is prepared, there are a few things to configure before starting JBOSS and running everything in a production environment.
如果上面的都准备好了,在运行JBOSS和运行生产环境前还需要进行一些配置。
In a production environment you should use something like the following structure:
在生产环境应该使用象下面列出的结构:
Go through the install process creating an AdminCA. Use a simple DN. This CA is only used to issue the initial superadmin certificate. Not published in LDAP.
在安装过程中建立一个AdminCA. 使用一个简单的 DN. 这个 CA 仅仅是在初始化时用来发行超级管理员证书. 不会在LDAP中发行.
Once installed, create all your REAL CAs using the admin-GUI. Now you can use the certificate profiles etc that you like. These certificates can be published in LDAP. See HOWTO-multiplecas.txt for a detailed configuration guide.
安装结束后,可以使用 admin-GUI创建真实的CA. 现在您就可以使用证书的各项好处了。证书可以发布到LDAP中. 请参考 HOWTO-multiplecas.txt 以获得更多的配置向导。
In a production environment you should use something else than the default Hypersonic database that comes with JBoss for the reasons:
在生产环境中您应该使用其他的数据库(默认的是JBoss自带的Hypersonic database),原因如下:
Hypersonic does not support full SQL, in particular ALTER statements. When a new version of EJBCA is released we can not create scripts that updates the database if some tables changed. This will make upgrades much much harder.
Hypersonic database是运行在内存中,那意味着运行时消耗更多的内存。一旦成为CA后,会有大量的证书数据。
For information about installing JDBC drivers for other databases, see the document
如何为其他数据库安装JDBC驱动,请参考 'doc/howto/HOWTO-database.txt'。
The memory parameters for Java is by default configured very low, for JBoss it is set by default to allow a maximum memory usage of 128mb, which is way too low. We recomend that you configure your java memory arguments to at least '-Xms128m -Xmx512m'. For JBoss this is done in JBOSS_HOME/bin/run.conf where the line:
Java内存参数的默认值非常小,Jboss的默认允许的最大内存是128mb, 这个也太小。强烈建议您配置Java的内存参数为'-Xms128m -Xmx512m'. 要配置JBoss请修改JBOSS_HOME/bin/run.conf中的行:
JAVA_OPTS="-server -Xms128m -Xmx128m"
改变为下面的:
JAVA_OPTS="-server -Xms128m -Xmx512m"
Note that the installation must be done with a user with privileges to write to JBOSS_HOME and subdirs.
注意:安装者必须拥有JBOSS_HOME及其子目录的读写权限。
1)Set the environment variable JBOSS_HOME to where your JBoss is installed, example /opt/jboss-4.0.2 or C:\jboss-4.0.3SP1.
1)设置环境变量JBOSS_HOME到JBoss安装目录, 例如 /opt/jboss-4.0.2 or C:\jboss-4.0.3SP1.
2) Copy conf/ejbca.properties.sample to conf/ejbca.properties and customize if needed. The default values works fine for a test installaton.
2)如果需要改变,请重命名conf/ejbca.properties.sample为conf/ejbca.properties并修改之。里面的默认值是会很好的工作在测试安装中。
If you are using JBoss < 4.0.3 you must configure the property web.jsfimpl in conf/web.properties.
如果使用的JBoss版本小于4.0.3,您必须在conf/web.properties中配置 web.jsfimpl。
Customize the CA properties if you need to do so. For production use you need to do this, don't forget to edit passwords to be secure and secret. Keep conf/ejbca.properties as secret as possible. DO NOT forget the passwords, if you need to re-install the software sometime.
如果需要的话,请修改CA的属性文件。 在生产环境您需要这样做,但请不要忘记编辑密码,并且保证密码是安全的和秘密的。尽可能的使conf/ejbca.properties安全。如果您以后需要再次安装软件,请不要忘记密码。
Customize the database if needed but easiest thing is to keep the default as it is, it will use the JBoss embedded HSQLDB and everything will be easier for you. For production use you should use a real database instead of the embedded one.
数据库的配置值会很好的工作,但是也可以根据需要进行改变。默认是使用JBoss的嵌入式数据库HSQLDB。在生产环境中应当改变那些值,用好的数据库代替嵌入式数据库。
Small note, in the ca.dn you can not use DC components for the initial CA, you can create CAs using DC components later on once the admin GUI is up and running.
小提示:不必为初始化时的CA设置DC components(在ca.dn中)。以后可以admin GUI创建CA,并设置DC components。
3) Open a console and type 'ant bootstrap' it will compile, jar, war, ear everything and deploy it to JBoss.
3) 打开控制台,并且键入'ant bootstrap',将会编译 jar, war, ear等其他内容,并且部署到JBoss。
4) Open a console (terminal) and start JBoss. You can start JBoss with 'ant j2ee:run' from EJBCA_HOME or the normal command 'run.sh/cmd' from JBOSS_HOME/bin. You should see JBoss picking up everything and deploying the ear without errors.
4) 打开控制台(终端),并且运行JBoss。可以在EJBCA_HOME使用'ant j2ee:run'启动 JBoss。也可以在JBOSS_HOME/bin中运行'run.sh/cmd'来启动JBoss。这时可以看到JBoss的启动信息,并且部署ear(没有输出错误信息)。
5) Type 'ant install' it will generate all certificates, keys, etc needed to run with an initial CA. You will find admin keys in ${ejbca.home}/p12. (do not delete those files!)
5) 键入'ant install' 可以生成初始CA需要的所有证书、密钥等。生成的文件保存在${ejbca.home}/p12中。(不要删除那些文件!)
tomcat.jks is for the servlet container (don't bother with it)
tomcat.jks是供servlet容器使用的,不要修改它。
superadmin.p12 should be imported in your browser, that's your administration certificate.
superadmin.p12是超级管理员的证书,需要导入到浏览器中。
You will need administrative privileges (e.g. root) for the CA-certificate to be installed in Javas trust-keystore ($JAVA_HOME/jre/lib/security/cacerts, default pwd 'changeit'). If you don't have root permission now, you can do it manually later after step 9. It's important so don't forget!
您需要CA-certificate 的管理权限,比如root。在Javas trust-keystore ($JAVA_HOME/jre/lib/security/cacerts,默认密码是'changeit')中设置了这种权限。如果没有root权限,可以按照第九部手工设置。这是很重要,千万不要忘记!
6) Stop JBoss (ctrl+c or whatever)
6) 停止JBoss (使用ctrl+c 或者其他方法)
7) type 'ant deploy', this will deploy everything again and configure the servlet container with the keystore file (this is why we needed to stop the container). If you want to use jboss specific service for automatic creation of the CRL:s you should enable this option in ejbca.properties.
7)执行'ant deploy',可以重新进行部署,并且为servlet容器配置keystore文件(这就是为什么要停止容器的原因).如果需要JBoss的功能进行自动生成CRL,需要在ejbca.properties中打开这个选项.
8) Import the certificate from EJBCA_HOME/p12/superadmin.p12 in your web browser. This is the super administrators certificate used to access the admin GUI. Other administrators with specific privileges can be created later on. The default password for superadmin.p12 is ejbca, and is configured in ejbca.properties.
8)将EJBCA_HOME/p12/superadmin.p12导入浏览器。它是admin GUI 的超级管理员证书。其他管理员的权限可以在以后创建。默认超级管理员证书(superadmin.p12)密码是ejbca,这个密码是在ejbca.properties中配置的。
9) Start JBoss again and go to https://localhost:8443/ejbca/ to access the admin-GUI, or http://localhost:8080/ejbca for the public pages.
9)再次启动JBoss,并且访问https://localhost:8443/ejbca/进入admin-GUI,或者访问http://localhost:8080/ejbca进入公共页面。
If you did not have root permission and get an error during installation step 5, you can install the root certificate afterwards with the following commands, WITH the right permissions:
如果没有root权限,并且在第五部安装过程中出现问题。请按照下面的步骤安装root权限(需要相关的权限):
ant javatruststore
For example on Ubuntu you can run:
For example on Ubuntu you can run:
sudo ant javatruststore
sudo ant javatruststore
What this does in the background are the following commands. You do not have to run these command manually.
下面的命令是在后台运行的,不必手工运行他们。
bin/ejbca.sh ca getrootcert AdminCA1 ca.crt -der keytool -import -trustcacerts -alias AdminCA1 -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file ca.crt
where AdminCA1 is the CA name as configured in conf/ejbca.properties (default is AdminCA1). You must stop and start JBoss after doing this.
AdminCA1是配置在conf/ejbca.properties中的默认CA名。在改变那些值后必须从新启动JBoss。
You can use this command to install the certificate of any CA in the java truststore by giving an argument:
通过给定参数,可以安装任何CA证书到java truststore中:
ant javatruststore -Dca.name=MyCaName
In the directory doc/howto in the distribution there are additional howtos for some specific plattforms and configurations.
在doc/howto目录中记录了如何在特定的平台上进行配置的方法。
If you want to run a thorough test of your new CA, run the automated tests with 'ant test:run'. To run the tests you must copy the file lib/ext/junti-1.5.8 to ANT_HOME/lib.
通过运行'ant test:run'可以对新的CA进行完全彻底的测试。在这之前需拷贝lib/ext/junti-1.5.8到ANT_HOME/lib目录下。
NOTE: After running tests with 'ant test:run', you might consider deleting the database since some leftovers are left in the database. The tests will create and revoke some test certificates, so afterwards your CRLs will be populated with a few entries. 'ant test:run' should not be run on a production system, only to test the installation.
注意:在运行测试程序'ant test:run'之后,需要考虑删除数据库中的遗留数据。测试程序会建立并且废弃一些证书,在CRL中也会包含一些证书实体。'ant test:run'不是运行在生产环境,仅仅测试安装。
NOTE! Don't forget to configure JBoss for security! See security. Security is CRITICAL for a CA.
注意!不要忘记进行JBoss的安全配置! 请参考security。对于CA来说安全是一个很重要的问题。
There are additional documentation and administrative tutorial movies at http://docs.primekey.se/
其他的文档和管理教程可以在http://docs.primekey.se/上得到。
You can administrate EJBCA using a web browser and the admin-GUI, this is the easiest way. The admin-GUI requires SSL with authentication using client certificate, i.e. strong authentication.
可以使用admin-GUI 对EJBCA进行管理,这是很简单的。admin-GU需要和客户端进行SSL认证,也就是strong authentication.
You can also use the command line interface (cli) which is called by 'bin/ejbca.sh'. If you call ejbca.sh you get a list of available commands, and you can get help for all commands by calling them without arguments, i.e:
您可以使用命令行脚本(cli)'bin/ejbca.sh'.如果运行ejbca.sh脚本可以获得一个可用的命令列表。如果不用参数,可以获得所有的命令帮助。比如:
bin/ejbca.sh ca bin/ejbca.sh ra adduser etc etc
The SSL certificate used for SSL in JBoss (SSL is used for the admin-GUI) is stored in JBOSS_HOME/server/default/conf/keystore.jks. The default validity time for the SSL certificate is two years. When this expire, you must generate a new one.
JBoss (在admin-GUI中使用SSL) 中使用的证书信息保存在JBOSS_HOME/server/default/conf/keystore.jks。默认的有效期是两年。失效后,必须产生一个新的。
You can do this throught the admin-GUI by:
这些可以通过admin-GUI完全作到,请按照下述步骤:
Go to 'List/Edit End Entities' and search for user 'tomcat'.
进入 'List/Edit End Entities',并且查找'tomcat'用户.
'Edit_End_Entity' and set the 'Password' to the same as httpsserver.password in your conf/ejbca.properties and 'Status' to 'New'.
在'Edit_End_Entity'中设置'Password'为和conf/ejbca.properties中一样,并且设置'Status'为'New'.
Open up a command line in EJBCA_HOME and run 'bin/ejbca.sh batch'.
在EJBCA_HOME中打开命令行,并且运行'bin/ejbca.sh batch'.
Copy EJBCA_HOME/p12/tomcat.jks to JBOSS_HOME/server/default/conf/keystore.jks, or run 'ant deploy'. Ant deploy will do some other things as well, so if you are not sure, just copy the file.
拷贝 EJBCA_HOME/p12/tomcat.jks到JBOSS_HOME/server/default/conf/keystore.jks, 或者运行'ant deploy'. Ant将会很好的部署剩余部分。如果你不能确定,就需要简单的拷贝文件。
重启JBoss.
You can also do everything using the CLI:
使用命令行可以做许多事情:
bin/ejbca.sh ra setuserstatus tomcat 10
bin/ejbca.sh ra setclearpwd tomcat <password from httpsserver.password>
bin/ejbca.sh batch
cp p12/tomcat.jks $JBOSS_HOME/server/default/conf/keystore.jks
Restart JBoss.
After installation, that creates a default admin CA you can create more CAs using the admin GUI.
在安装后会建立一个默认的admin CA,您可以使用admin GUI建立更多的CA。
Your CAs can be either root CAs, subordinate CAs to another CA in EJBCA or subordinate CAs to an external CA. The initial admin CA is a RootCA.、
Your CAs can be either root CAs, subordinate CAs to another CA in EJBCA or subordinate CAs to an external CA. The initial admin CA is a RootCA.
You can also use the command line interface (cli) 'bin/ejbca.sh ca init' to create new CAs, although a better idea is to do it from the Admin GUI. Ex: 'bin/ejbca.sh ca init TestRoot "C=SE,O=PrimeKey,CN=EJBCA" 2048 365 2.5.29.32.0' will create a root CA with the DN 'C=SE,O=PrimeKey,CN=EJBCA'. The keylength is 2048 bit (RSA) and the validity of the root certificate is 365 days. Quote the DN so it is treated as one argument.
可以使用命令行'bin/ejbca.sh ca init'脚本创建新的CA,虽然通过Admin GUI是一个更好的办法。这不包括: 'bin/ejbca.sh ca init TestRoot "C=SE,O=PrimeKey,CN=EJBCA" 2048 365 2.5.29.32.0',这行命令将会创建一个DN为'C=SE,O=PrimeKey,CN=EJBCA'的根root,密钥的 为2048位 bit (RSA),有效期是365天。使用引号可以使DN作为一个参数进行处理。
PKIX requires that a CRL always is available even if it is empty. When creating a new CA the CA certificate is stored and published (if any Publishers are configured), and the initial CRL is created and stored/published.
PKIX需要一个CRL,虽然他可以是空的。创建一个新的CA后,CA证书会被存储并且发布(如果Publishers被配置),初始的 CRL也被创建,并且被存储在stored/published.
使用admin GUI可以创建子CA,不能使用命令行创建。
待续.....................
如果不用ejb多好啊!
据说由于模型太过复杂。
很多人望而却步。
--------------------------------
想翻译ejbca的使用说明manual.xml。
不知能否完成。
现在完成10%!
---------------------------
User guide
EJBCA is a fully functional Certificate Authority built in Java. Based on J2EE technology it constitutes a robust, high performance and component based CA. Both flexible and platform independent, EJBCA can be used standalone or integrated in any J2EE application.
EJBCA 是java实现的全功能的CA。它具有的特点是:基于J2EE、功能强大、高性能、组建化、简单、不依赖平台等特点。EJBCA可以单独使用,也可以和任何J2EE应用整合在一起。
The EJBCA Homepage can be found at http://ejbca.sourceforge.net/. Information about contacting the EJBCA team, contributing to EJBCA, etc can be found through the Homepage.
关于EJBCA的信息可以在主页http://ejbca.sourceforge.net/看到。
More documentation can also be found on the homepage and on the documentation site http://docs.primekey.se/.
可以通过http://docs.primekey.se/获得更多的文档信息。.
EJBCA is completely written in Java and should as such run on any platform where a J2EE server runs. Development and testing is performed on Linux and Windows platforms.
EJBCA完全用Java编写。可以在所有J2EE平台上运行. 开发和测试是在 Linux 和 Windows 平台上进行的。
Security is discussed below in the chapter about configuration and in Security。
在下面的章节中讨论配置及安全的问题。
Please take a minute to thorougly consider the security implications and make sure you know what you are doing when you are setting up a CA.
请用几分钟时间彻底的了解安全方面的内容。以能确保您在安装CA时知道自己应该怎样做。
If running on Linux, you should consider using the sample firewall script provided in 'ejbcafirewall.sh'. If running on Windows, a similar aproach should be taken with firewall software/hardware.
如果运行在Linux,您可以考虑使用EJBC提供的样例脚本。如果在Windows平台运行,应当在软件或硬件上执行相似的操作。
See doc/RELEASE_NOTES and UPGRADE for information about upgrading from an earlier version of EJBCA.
请参考doc/RELEASE_NOTES和UPGRADE以获得如何更新到最新版本的方法。
Note: EJBCA makes use of strong crypto and keystore passwords longer than 7 characters. For this to work you must install the 'Unlimited Strength Jurisdiction Policy Files' for JDK. The policy files can be found at the same place as the JDK download at java.sun.com. Further information on this can be found in the Sun documentation on the JCE.
注意:EJBCA使用强密码,并且keystore密码大于7个字符。由于这个原因,请在JDK中安装'非受限密码策略文件'('Unlimited Strength Jurisdiction Policy Files'). 策略文件可以在java.sun.com 下载。更多的信息请参SUN的JCE文档。
Needed to build and run are:
需要的软件及版本如下:
JDK 1.4.x or 1.5.x
JDK 1.4.x或1.5.x
Unlimited Strength Jurisdiction Policy Files for your JDK
JDK的非受限的密码策略文件
JBOSS >=4.0.3 (最新的版本是JBoss 4.0.4)
Ant >= 1.6.5 to build (http://jakarta.apache.org/ant/)
Apache Myfaces 1.1 JSF libraries (included in JBoss >=4.0.3), without this you can still run EJBCA but with limited functionality in the adminGUI.
Apache Myfaces 1.1 JSF libraries (被包含在JBoss 4.0.3以上的版本), 没有JSF,您仍然可以使用EJBCA,但是在使用adminGUI时会受到限制.
EJBCA can also run on other application servers, see doc/howto/HOWTO-Appserver.txt for details.
EJBCA 也可以运行在其他应用服务中,详细信息请参考doc/howto/HOWTO-Appserver.txt。
Set the environment variable JBOSS_HOME to the directory where JBoss's root is (/jboss-version). This is done so the deploy script will know where files are to be copied, they are copied to the directory $JBOSS_HOME/server/default/deploy.
为了让部署脚本知道把文件拷贝到什么地方,请设置环境变量JBOSS_HOME为JBoss's的根目录(如/jboss-version)。那些文件将被拷贝到$JBOSS_HOME/server/default/deploy.
Windows/Unix: When we describe command line commands below we use unix notation, e.g. 'ejbca.sh' for the executable command files. The same command files are available for windows as cmd-files, e.g. 'ejbca.cmd.'
Windows/Unix: 下面描述的命令行是以unix为例,比如 'ejbca.sh'. 相似的命令行文件在windows下如'ejbca.cmd.'
Java 1.5.0
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 5.0
Java Cryptography Extension (JCE) 非受限的密码策略文件5.0
http://java.sun.com/j2se/1.5.0/download.jsp
Java 1.4.2
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 1.4.2
Java Cryptography Extension (JCE) 非受限的密码策略文件1.4.2
http://java.sun.com/j2se/1.4.2/download.html
If you are only testing EJBCA at this stage and is not setting up a production environment, you can skip this step.
如果您仅仅是测试EJBCA,并且不是作为生产环境安装,可以跳过这一步骤。
Now when everything is prepared, there are a few things to configure before starting JBOSS and running everything in a production environment.
如果上面的都准备好了,在运行JBOSS和运行生产环境前还需要进行一些配置。
In a production environment you should use something like the following structure:
在生产环境应该使用象下面列出的结构:
Go through the install process creating an AdminCA. Use a simple DN. This CA is only used to issue the initial superadmin certificate. Not published in LDAP.
在安装过程中建立一个AdminCA. 使用一个简单的 DN. 这个 CA 仅仅是在初始化时用来发行超级管理员证书. 不会在LDAP中发行.
Once installed, create all your REAL CAs using the admin-GUI. Now you can use the certificate profiles etc that you like. These certificates can be published in LDAP. See HOWTO-multiplecas.txt for a detailed configuration guide.
安装结束后,可以使用 admin-GUI创建真实的CA. 现在您就可以使用证书的各项好处了。证书可以发布到LDAP中. 请参考 HOWTO-multiplecas.txt 以获得更多的配置向导。
In a production environment you should use something else than the default Hypersonic database that comes with JBoss for the reasons:
在生产环境中您应该使用其他的数据库(默认的是JBoss自带的Hypersonic database),原因如下:
Hypersonic does not support full SQL, in particular ALTER statements. When a new version of EJBCA is released we can not create scripts that updates the database if some tables changed. This will make upgrades much much harder.
Hypersonic database是运行在内存中,那意味着运行时消耗更多的内存。一旦成为CA后,会有大量的证书数据。
For information about installing JDBC drivers for other databases, see the document
如何为其他数据库安装JDBC驱动,请参考 'doc/howto/HOWTO-database.txt'。
The memory parameters for Java is by default configured very low, for JBoss it is set by default to allow a maximum memory usage of 128mb, which is way too low. We recomend that you configure your java memory arguments to at least '-Xms128m -Xmx512m'. For JBoss this is done in JBOSS_HOME/bin/run.conf where the line:
Java内存参数的默认值非常小,Jboss的默认允许的最大内存是128mb, 这个也太小。强烈建议您配置Java的内存参数为'-Xms128m -Xmx512m'. 要配置JBoss请修改JBOSS_HOME/bin/run.conf中的行:
JAVA_OPTS="-server -Xms128m -Xmx128m"
改变为下面的:
JAVA_OPTS="-server -Xms128m -Xmx512m"
Note that the installation must be done with a user with privileges to write to JBOSS_HOME and subdirs.
注意:安装者必须拥有JBOSS_HOME及其子目录的读写权限。
1)Set the environment variable JBOSS_HOME to where your JBoss is installed, example /opt/jboss-4.0.2 or C:\jboss-4.0.3SP1.
1)设置环境变量JBOSS_HOME到JBoss安装目录, 例如 /opt/jboss-4.0.2 or C:\jboss-4.0.3SP1.
2) Copy conf/ejbca.properties.sample to conf/ejbca.properties and customize if needed. The default values works fine for a test installaton.
2)如果需要改变,请重命名conf/ejbca.properties.sample为conf/ejbca.properties并修改之。里面的默认值是会很好的工作在测试安装中。
If you are using JBoss < 4.0.3 you must configure the property web.jsfimpl in conf/web.properties.
如果使用的JBoss版本小于4.0.3,您必须在conf/web.properties中配置 web.jsfimpl。
Customize the CA properties if you need to do so. For production use you need to do this, don't forget to edit passwords to be secure and secret. Keep conf/ejbca.properties as secret as possible. DO NOT forget the passwords, if you need to re-install the software sometime.
如果需要的话,请修改CA的属性文件。 在生产环境您需要这样做,但请不要忘记编辑密码,并且保证密码是安全的和秘密的。尽可能的使conf/ejbca.properties安全。如果您以后需要再次安装软件,请不要忘记密码。
Customize the database if needed but easiest thing is to keep the default as it is, it will use the JBoss embedded HSQLDB and everything will be easier for you. For production use you should use a real database instead of the embedded one.
数据库的配置值会很好的工作,但是也可以根据需要进行改变。默认是使用JBoss的嵌入式数据库HSQLDB。在生产环境中应当改变那些值,用好的数据库代替嵌入式数据库。
Small note, in the ca.dn you can not use DC components for the initial CA, you can create CAs using DC components later on once the admin GUI is up and running.
小提示:不必为初始化时的CA设置DC components(在ca.dn中)。以后可以admin GUI创建CA,并设置DC components。
3) Open a console and type 'ant bootstrap' it will compile, jar, war, ear everything and deploy it to JBoss.
3) 打开控制台,并且键入'ant bootstrap',将会编译 jar, war, ear等其他内容,并且部署到JBoss。
4) Open a console (terminal) and start JBoss. You can start JBoss with 'ant j2ee:run' from EJBCA_HOME or the normal command 'run.sh/cmd' from JBOSS_HOME/bin. You should see JBoss picking up everything and deploying the ear without errors.
4) 打开控制台(终端),并且运行JBoss。可以在EJBCA_HOME使用'ant j2ee:run'启动 JBoss。也可以在JBOSS_HOME/bin中运行'run.sh/cmd'来启动JBoss。这时可以看到JBoss的启动信息,并且部署ear(没有输出错误信息)。
5) Type 'ant install' it will generate all certificates, keys, etc needed to run with an initial CA. You will find admin keys in ${ejbca.home}/p12. (do not delete those files!)
5) 键入'ant install' 可以生成初始CA需要的所有证书、密钥等。生成的文件保存在${ejbca.home}/p12中。(不要删除那些文件!)
tomcat.jks is for the servlet container (don't bother with it)
tomcat.jks是供servlet容器使用的,不要修改它。
superadmin.p12 should be imported in your browser, that's your administration certificate.
superadmin.p12是超级管理员的证书,需要导入到浏览器中。
You will need administrative privileges (e.g. root) for the CA-certificate to be installed in Javas trust-keystore ($JAVA_HOME/jre/lib/security/cacerts, default pwd 'changeit'). If you don't have root permission now, you can do it manually later after step 9. It's important so don't forget!
您需要CA-certificate 的管理权限,比如root。在Javas trust-keystore ($JAVA_HOME/jre/lib/security/cacerts,默认密码是'changeit')中设置了这种权限。如果没有root权限,可以按照第九部手工设置。这是很重要,千万不要忘记!
6) Stop JBoss (ctrl+c or whatever)
6) 停止JBoss (使用ctrl+c 或者其他方法)
7) type 'ant deploy', this will deploy everything again and configure the servlet container with the keystore file (this is why we needed to stop the container). If you want to use jboss specific service for automatic creation of the CRL:s you should enable this option in ejbca.properties.
7)执行'ant deploy',可以重新进行部署,并且为servlet容器配置keystore文件(这就是为什么要停止容器的原因).如果需要JBoss的功能进行自动生成CRL,需要在ejbca.properties中打开这个选项.
8) Import the certificate from EJBCA_HOME/p12/superadmin.p12 in your web browser. This is the super administrators certificate used to access the admin GUI. Other administrators with specific privileges can be created later on. The default password for superadmin.p12 is ejbca, and is configured in ejbca.properties.
8)将EJBCA_HOME/p12/superadmin.p12导入浏览器。它是admin GUI 的超级管理员证书。其他管理员的权限可以在以后创建。默认超级管理员证书(superadmin.p12)密码是ejbca,这个密码是在ejbca.properties中配置的。
9) Start JBoss again and go to https://localhost:8443/ejbca/ to access the admin-GUI, or http://localhost:8080/ejbca for the public pages.
9)再次启动JBoss,并且访问https://localhost:8443/ejbca/进入admin-GUI,或者访问http://localhost:8080/ejbca进入公共页面。
If you did not have root permission and get an error during installation step 5, you can install the root certificate afterwards with the following commands, WITH the right permissions:
如果没有root权限,并且在第五部安装过程中出现问题。请按照下面的步骤安装root权限(需要相关的权限):
ant javatruststore
For example on Ubuntu you can run:
For example on Ubuntu you can run:
sudo ant javatruststore
sudo ant javatruststore
What this does in the background are the following commands. You do not have to run these command manually.
下面的命令是在后台运行的,不必手工运行他们。
bin/ejbca.sh ca getrootcert AdminCA1 ca.crt -der keytool -import -trustcacerts -alias AdminCA1 -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit -file ca.crt
where AdminCA1 is the CA name as configured in conf/ejbca.properties (default is AdminCA1). You must stop and start JBoss after doing this.
AdminCA1是配置在conf/ejbca.properties中的默认CA名。在改变那些值后必须从新启动JBoss。
You can use this command to install the certificate of any CA in the java truststore by giving an argument:
通过给定参数,可以安装任何CA证书到java truststore中:
ant javatruststore -Dca.name=MyCaName
In the directory doc/howto in the distribution there are additional howtos for some specific plattforms and configurations.
在doc/howto目录中记录了如何在特定的平台上进行配置的方法。
If you want to run a thorough test of your new CA, run the automated tests with 'ant test:run'. To run the tests you must copy the file lib/ext/junti-1.5.8 to ANT_HOME/lib.
通过运行'ant test:run'可以对新的CA进行完全彻底的测试。在这之前需拷贝lib/ext/junti-1.5.8到ANT_HOME/lib目录下。
NOTE: After running tests with 'ant test:run', you might consider deleting the database since some leftovers are left in the database. The tests will create and revoke some test certificates, so afterwards your CRLs will be populated with a few entries. 'ant test:run' should not be run on a production system, only to test the installation.
注意:在运行测试程序'ant test:run'之后,需要考虑删除数据库中的遗留数据。测试程序会建立并且废弃一些证书,在CRL中也会包含一些证书实体。'ant test:run'不是运行在生产环境,仅仅测试安装。
NOTE! Don't forget to configure JBoss for security! See security. Security is CRITICAL for a CA.
注意!不要忘记进行JBoss的安全配置! 请参考security。对于CA来说安全是一个很重要的问题。
There are additional documentation and administrative tutorial movies at http://docs.primekey.se/
其他的文档和管理教程可以在http://docs.primekey.se/上得到。
You can administrate EJBCA using a web browser and the admin-GUI, this is the easiest way. The admin-GUI requires SSL with authentication using client certificate, i.e. strong authentication.
可以使用admin-GUI 对EJBCA进行管理,这是很简单的。admin-GU需要和客户端进行SSL认证,也就是strong authentication.
You can also use the command line interface (cli) which is called by 'bin/ejbca.sh'. If you call ejbca.sh you get a list of available commands, and you can get help for all commands by calling them without arguments, i.e:
您可以使用命令行脚本(cli)'bin/ejbca.sh'.如果运行ejbca.sh脚本可以获得一个可用的命令列表。如果不用参数,可以获得所有的命令帮助。比如:
bin/ejbca.sh ca bin/ejbca.sh ra adduser etc etc
The SSL certificate used for SSL in JBoss (SSL is used for the admin-GUI) is stored in JBOSS_HOME/server/default/conf/keystore.jks. The default validity time for the SSL certificate is two years. When this expire, you must generate a new one.
JBoss (在admin-GUI中使用SSL) 中使用的证书信息保存在JBOSS_HOME/server/default/conf/keystore.jks。默认的有效期是两年。失效后,必须产生一个新的。
You can do this throught the admin-GUI by:
这些可以通过admin-GUI完全作到,请按照下述步骤:
Go to 'List/Edit End Entities' and search for user 'tomcat'.
进入 'List/Edit End Entities',并且查找'tomcat'用户.
'Edit_End_Entity' and set the 'Password' to the same as httpsserver.password in your conf/ejbca.properties and 'Status' to 'New'.
在'Edit_End_Entity'中设置'Password'为和conf/ejbca.properties中一样,并且设置'Status'为'New'.
Open up a command line in EJBCA_HOME and run 'bin/ejbca.sh batch'.
在EJBCA_HOME中打开命令行,并且运行'bin/ejbca.sh batch'.
Copy EJBCA_HOME/p12/tomcat.jks to JBOSS_HOME/server/default/conf/keystore.jks, or run 'ant deploy'. Ant deploy will do some other things as well, so if you are not sure, just copy the file.
拷贝 EJBCA_HOME/p12/tomcat.jks到JBOSS_HOME/server/default/conf/keystore.jks, 或者运行'ant deploy'. Ant将会很好的部署剩余部分。如果你不能确定,就需要简单的拷贝文件。
重启JBoss.
You can also do everything using the CLI:
使用命令行可以做许多事情:
bin/ejbca.sh ra setuserstatus tomcat 10
bin/ejbca.sh ra setclearpwd tomcat <password from httpsserver.password>
bin/ejbca.sh batch
cp p12/tomcat.jks $JBOSS_HOME/server/default/conf/keystore.jks
Restart JBoss.
After installation, that creates a default admin CA you can create more CAs using the admin GUI.
在安装后会建立一个默认的admin CA,您可以使用admin GUI建立更多的CA。
Your CAs can be either root CAs, subordinate CAs to another CA in EJBCA or subordinate CAs to an external CA. The initial admin CA is a RootCA.、
Your CAs can be either root CAs, subordinate CAs to another CA in EJBCA or subordinate CAs to an external CA. The initial admin CA is a RootCA.
You can also use the command line interface (cli) 'bin/ejbca.sh ca init' to create new CAs, although a better idea is to do it from the Admin GUI. Ex: 'bin/ejbca.sh ca init TestRoot "C=SE,O=PrimeKey,CN=EJBCA" 2048 365 2.5.29.32.0' will create a root CA with the DN 'C=SE,O=PrimeKey,CN=EJBCA'. The keylength is 2048 bit (RSA) and the validity of the root certificate is 365 days. Quote the DN so it is treated as one argument.
可以使用命令行'bin/ejbca.sh ca init'脚本创建新的CA,虽然通过Admin GUI是一个更好的办法。这不包括: 'bin/ejbca.sh ca init TestRoot "C=SE,O=PrimeKey,CN=EJBCA" 2048 365 2.5.29.32.0',这行命令将会创建一个DN为'C=SE,O=PrimeKey,CN=EJBCA'的根root,密钥的 为2048位 bit (RSA),有效期是365天。使用引号可以使DN作为一个参数进行处理。
PKIX requires that a CRL always is available even if it is empty. When creating a new CA the CA certificate is stored and published (if any Publishers are configured), and the initial CRL is created and stored/published.
PKIX需要一个CRL,虽然他可以是空的。创建一个新的CA后,CA证书会被存储并且发布(如果Publishers被配置),初始的 CRL也被创建,并且被存储在stored/published.
使用admin GUI可以创建子CA,不能使用命令行创建。
待续.....................
1074
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
