
Client Certificate Profile (TLS Sample)

Introduction

EJBCA Profiles, Creating certificate & end-entity profiles

Slide Deck: EJBCA Profiles

Overview: This section creates a TLS client certificate profile and a TLS end entity profile with three usages: the key usages Digital Signature and Key Encipherment, and the extended key usage Client Authentication. A certificate of this type can be used for digital signing, for encrypting data, and for authenticating, for instance to a VPN.

Slide Reference

Certificate profile properties

End entity profile properties

Both profiles are needed to issue a certificate

Reminder: you can visit the Accessing Your Environment page for details on how to connect to your Admin Web Portal.

Creating a Certificate Profile for TLS Client Certificates

  1. Open a browser and access your Admin Web Portal

  2. Click CA Functions >> Certificate Profiles

  3. On ENDUSER click Clone

  4. Enter TLSClientCertificateProfile and click Create from template

  5. Click Edit on the profile TLSClientCertificateProfile

  6. In the Available key algorithms list, select RSA

  7. In the Available bit lengths list, select 2048 bits

  8. In the Signature Algorithm list, select SHA256WithRSA

  9. In the Validity field, enter 2y

  10. For Key Usage, make sure that only Digital Signature and Key Encipherment are selected

  11. For Extended Key Usage select Client Authentication

  12. In the Available CAs list, select ManagementCA and Sub CA

  13. Click Save

Creating an End Entity Profile for TLS Client Certificates

  1. Open a browser and access your Admin Web Portal

  2. Click RA Functions >> End Entity Profiles

  3. In the Add End Entity Profile field, enter TLSClientEndEntityProfile and click Add Profile

  4. Select TLSClientEndEntityProfile and click Edit End Entity Profile

  5. For End Entity E-mail deselect the check box

  6. In the Subject DN Attributes list, select O, Organization and click Add

  7. In the O, Organization field:

    • Enter the text PrimeKey Solutions AB

    • Select Required

    • Deselect Modifiable

  8. In the Subject DN Attributes list, select C, Country (ISO 3166) and click Add

  9. In the C, Country (ISO 3166) field:

    • Enter the text SE

    • Select Required

    • Deselect Modifiable

  10. In the Default Certificate Profile list, select TLSClientCertificateProfile

  11. In the Available Certificate Profiles list, select TLSClientCertificateProfile

  12. In the Default CA list, select Sub CA

  13. In the Available CAs list, select ManagementCA and Sub CA

  14. In the Default Token list, select P12 file

  15. In the Available Tokens list, select User Generated, P12 file, BCKFS file, JKS file, and PEM file

  16. Click Save
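
Once a certificate has been issued using the two profiles, its contents can be compared with the values entered above. The script below is an added example, not part of the original lab or of EJBCA: it uses the OpenSSL command line (assumed to be version 1.1.1 or later), and the function names and the self-signed sample certificate are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example: compare a certificate with the settings chosen in
# TLSClientCertificateProfile and TLSClientEndEntityProfile.

# Print the value line that follows an extension header in `openssl x509 -text`.
ext_value() {  # $1 = text dump, $2 = extension header
  printf '%s\n' "$1" |
    awk -v h="$2" 'index($0, h) { getline; gsub(/^ +| +$/, ""); print; exit }'
}

has() { printf '%s\n' "$1" | grep -qF -- "$2"; }  # true if $1 contains $2

check_tls_client_cert() {  # $1 = PEM certificate; returns 0 only if all checks pass
  local text subject failures=0
  text=$(openssl x509 -in "$1" -noout -text) || return 2
  # RFC 2253 form, wrapped in commas so each attribute can be matched whole.
  subject=",$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'),"

  expect() {  # $1 = description, remaining arguments = command that must succeed
    local what=$1; shift
    if "$@"; then echo "ok    $what"; else echo "FAIL  $what"; failures=$((failures + 1)); fi
  }
  expect "key algorithm RSA"       has "$text" "Public Key Algorithm: rsaEncryption"
  expect "key length 2048 bits"    has "$text" "Public-Key: (2048 bit)"
  expect "signature SHA256WithRSA" has "$text" "Signature Algorithm: sha256WithRSAEncryption"
  expect "key usage is only Digital Signature and Key Encipherment" \
    [ "$(ext_value "$text" "X509v3 Key Usage")" = "Digital Signature, Key Encipherment" ]
  expect "extended key usage includes Client Authentication" \
    has "$(ext_value "$text" "X509v3 Extended Key Usage")" "TLS Web Client Authentication"
  expect "O fixed by the end entity profile" has "$subject" ",O=PrimeKey Solutions AB,"
  expect "C fixed by the end entity profile" has "$subject" ",C=SE,"
  [ "$failures" -eq 0 ]
}

# Constructed sample input: a self-signed stand-in for a certificate issued by the CA.
make_sample_cert() {  # $1 = output PEM, $2 = keyUsage list, $3 = extendedKeyUsage list
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 -keyout "$1.key" \
    -subj "/C=SE/O=PrimeKey Solutions AB/CN=sample-client" \
    -addext "keyUsage=critical,$2" -addext "extendedKeyUsage=$3" -out "$1" 2>/dev/null
}

# Check the certificate named on the command line, if one was given.
if [ "$#" -ge 1 ]; then check_tls_client_cert "$1"; fi
```

The validity period (2y) is not checked here; it can be read with `openssl x509 -noout -dates`.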

