
Enable Peer Connector

Key bindings and Peer Connectors

Slide Deck: Key bindings and Peer Connectors

Overview: The second step is to connect to the Peer system.

  1. Identify the system you wish to establish the mTLS connection with.

  2. Import the CA certificates on the VA instance (these certificates are required for subsequent modules).

  3. Capture the CA information using a PING request, and create/modify the VA role.

  4. Verify the connection to the VA.

Steps required to add an external Validation Authority (VA)

  • Key bindings and Peer connectors establish two things: a TRUSTED and ENCRYPTED connection

  • Configure the certificate used to authenticate to the CA instance

  • Create a role for the VA

  • Decide which CA’s data will be available on the VA

Reminder: you can visit the Accessing Your Environment page for details on how to connect to your Admin Web portal.

Setup Peer Connector

  1. Open a browser and access your Admin Web Portal on the CA instance

  2. Select System Functions >> Peer Systems

  3. Ensure that only the Allow Outgoing connections option is selected

  4. Click Add

  5. In the Name field, enter PeerConnector

  6. In the URL field, change the IP address to the OCSP server hostname: https://va.keyfactor.training/ejbca/peer/v1

If no DNS is available, ensure that the VA is reachable by adding a host record to the CA's /etc/hosts file.
This has already been done for you.

  7. In the Authentication Key Binding drop-down list, select SubCAAuthKeyBinding

  8. Click Create

Export the Sub CA and Root CA

  1. Open a browser and access your Admin Web Portal on the CA instance

  2. Under CA Functions >> CA Structure & CRLs

  3. Under the section Details of Certificate Chain for CA: Sub CA, click Download PEM file under Subordinate CA, level 1

Be sure to download the file for the Sub CA, not its root certificate.

  4. Under the section Details of Certificate Chain for CA: Root CA, click Download PEM file
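Before importing the two PEM files on the VA, it is worth confirming that the "Sub CA" file really is the subordinate certificate and that it chains to the Root CA you downloaded with it. The script below is an added example, not part of the lab or of EJBCA; it assumes the openssl CLI (1.1.1 or later) and builds a constructed demo root/sub chain to run the check against, but `check_subca` works on the lab's own SubCA.cacert.pem and RootCA.cacert.pem files as well.

```shell
#!/bin/sh
# Added example (not part of the lab): sanity-check the two PEM files exported
# from the CA before importing them on the VA. It rejects a root certificate
# handed in as the "Sub CA" (the mix-up the lab warns about) and confirms the
# Sub CA actually chains to the Root CA. Assumes the openssl CLI (1.1.1+).
set -eu

# check_subca SUBCA_PEM ROOT_PEM
# Returns 0 when SUBCA_PEM is a CA certificate that is not self-signed and
# verifies against ROOT_PEM; prints the reason and returns 1 otherwise.
check_subca() {
    sub="$1"; root="$2"
    subject=$(openssl x509 -in "$sub" -noout -subject | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$sub" -noout -issuer | sed 's/^issuer=//')
    # A self-signed certificate (subject equals issuer) is a root, not a Sub CA.
    if [ "$subject" = "$issuer" ]; then
        echo "rejected: $sub is self-signed, so it is a root certificate"; return 1
    fi
    # Without basicConstraints CA:TRUE this is an end-entity cert, not a CA.
    if ! openssl x509 -in "$sub" -noout -ext basicConstraints | grep -q 'CA:TRUE'; then
        echo "rejected: $sub is not a CA certificate"; return 1
    fi
    # The Sub CA must validate against the Root CA you import alongside it.
    if ! openssl verify -CAfile "$root" "$sub" >/dev/null 2>&1; then
        echo "rejected: $sub does not chain to $root"; return 1
    fi
    echo "ok: $sub is a subordinate CA issued under $root"
}

# make_demo_chain DIR: constructed demo material (not the lab's certificates),
# a self-signed root and a Sub CA signed by it, written to DIR.
make_demo_chain() {
    dir="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$dir/root.key" -out "$dir/RootCA.cacert.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Sub CA" \
        -keyout "$dir/sub.key" -out "$dir/sub.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/sub.ext"
    openssl x509 -req -in "$dir/sub.csr" -CA "$dir/RootCA.cacert.pem" \
        -CAkey "$dir/root.key" -CAcreateserial -days 1 -extfile "$dir/sub.ext" \
        -out "$dir/SubCA.cacert.pem" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_chain "$demo"
check_subca "$demo/SubCA.cacert.pem" "$demo/RootCA.cacert.pem"          # ok
check_subca "$demo/RootCA.cacert.pem" "$demo/RootCA.cacert.pem" || true  # rejected
```

Run it against the real downloads as `check_subca ~/Downloads/SubCA.cacert.pem ~/Downloads/RootCA.cacert.pem`; a "rejected: ... self-signed" result means the wrong Download PEM file link was used.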

Import the Sub CA and Root CA to the VA

Reminder: you can visit the Accessing Your Environment page for details on how to connect to the Admin Web portal of your VA instance.

You will be prompted to choose a certificate when logging into the VA for the first time. Select the superadmin certificate, then choose one of three options for the session duration (once, permanently, or for this session):

  • Once means you will be prompted for a certificate every time you access the VA,

  • Permanently means your choice will be remembered and you will not be prompted again, and

  • For this session means you will not be prompted again as long as this browser window is open.


  1. Open a browser and access your Admin Web Portal on the VA instance

  2. Click CA Functions >> Certification Authorities

  3. Click Import CA certificate...

  4. In the The name this CA will be given field, enter Sub CA

  5. Click Browse, click Downloads to locate the Sub CA certificate (it should be named SubCA.cacert.pem), then click Select

  6. Click Import CA certificate

  7. Click Import CA certificate...

  8. In the The name this CA will be given field, enter Root CA

  9. Click Browse, click Downloads to locate the Root CA certificate (it should be named RootCA.cacert(1).pem), then click Select.
    NOTE: The Root CA file was already downloaded in a previous lab, so the browser appends (1) to the filename of this second copy. If this were the first download, the filename would not have the (1).

  10. Click Import CA certificate

Enable the Peer connectors

  1. Click System Functions >> Peer Systems

  2. Enable the Allow incoming connections option

  3. Clear the Allow outgoing connections option

Make a ping from the CA

  1. Open a browser and access your Admin Web Portal on the CA instance

  2. Click System Functions >> Peer Systems

  3. Click Ping next to the PeerConnector peer connector

  4. Confirm the text "Unable to connect to peer. status code: 401, reason phrase: Unauthorized" is displayed (this is expected at this point: the VA has not yet authorized the CA's certificate)

Authorizing User on the VA

  1. Open a browser and access your Admin Web Portal on the VA instance

  2. Click System Functions >> Peer Systems

  3. Under Incoming connections, confirm there is an attempted connection from the CA

  4. Click Create Role

  5. In the Role list, select Create new role

  6. Click Select

  7. Select the following options:

    1. CAs: Check the box for:

      1. "Access ManagementCA"

      2. "Access Root CA", and

      3. "Access Sub CA"

    2. Publishing: Check the box for:

      1. Publish certificate,

      2. Compare certificate synchronization status and

      3. Publish CRL

  8. Click Create New Role

Check the Connection on the CA

  1. Open a browser and access your Admin Web Portal on the CA instance

  2. Click System Functions >> Peer Systems

  3. Click Ping next to the PeerConnector peer connector again

  4. Confirm there is a response similar to Responded to ping request within 33 ms; this proves the peer connector is working
