Skip to content

Client authentication certificate and root certificate chain for CA connectors

Introduction

When setting up a certificate authority (CA) connector, you need to provide the following to TLS Protect Cloud:

  • The root certificate that validates the certificate used by your site.
  • A single PEM file that contains the client authentication certificate and private key in PEM format.

This topic will help you understand where to get these files.

To export the root certificate (an example for EJBCA)

This will give you the root certificate that shows your CA's certificate can be trusted.

Browser-specific steps

These steps are based on using Firefox, a supported browser for TLS Protect Cloud. Your steps may vary depending on your browser and operating system.

  1. Open the administration site for EJBCA in a browser such as Firefox.
  2. In the address bar, click the security icon (lock icon).
  3. Click Connection Secure.
  4. Click More Information.
  5. Click View Certificate. The site's certificate and the certificate it chains to are displayed from left to right order. You don't need the CA's certificate; you need the next level up in the chain. There may be several levels of chaining. For example, at the time of publishing, Google.com has four levels, and Venafi.com has three. There will be at least two, likely more.
  6. Click the second tab (from the left).

    If there are only two tabs, then this will also be the last tab.

  7. Scroll down to the Miscellaneous section, then click to Download in PEM (cert) format.

  8. Make note of where the certificate is downloaded, as you'll need it when you set up the EJBCA's CA connector settings in TLS Protect Cloud.

About the client authentication certificate and private key in PEM format

When using EJBCA, you were required to generate a client authentication certificate when you installed the EJBCA software on your server. Without this client authentication certificate, you can't log in to the admin console.

You will upload the PEM file containing the client authentication certificate (which needs to include the unencrypted private key) to TLS Protect Cloud during the configuration of the custom certificate authority settings.

If you don't have the certificate in PEM format (but it is in a format like P12), you can convert the P12 certificate to PEM format.

You can also create additional authentication credentials for each of the CAs listed in the EJBCA server's list of CAs on the CA Activation page. This may be helpful in a case where you don't want to use the super admin client authentication certificate in TLS Protect Cloud.

For specific details on this process, we recommend searching the EJBCA documentation (or YouTube) for how to issue TLS client certificates with EJBCA.

What's next?

With the client authentication certificate and the root certificate saved to your device, you're ready to create a CA connector.