Replacing a Microsoft CA with EJBCA

Article moved: this article has moved into the standard documentation at EJBCA Guides.

Export the MS CA key and import it into EJBCA

We use the built-in functionality to back up a MS CA. This gives us a PKCS#12 file that we can import into EJBCA.

  • Start a new "mmc" and add the "Certification Authority" snap-in. Right-click the CA to export → All tasks → Back up CA...
  • Follow the wizard: select "Private key and CA certificate", choose where to store the p12 file and set a password.
  • Copy the p12-file to the EJBCA machine.
  • Run
 $EJBCA_HOME/bin/ ca importca "MS CA v1" /path/mscakey.p12

The CA should now appear in the EJBCA Admin GUI.

Import existing certificates into EJBCA

Importing certificates one at a time

  • Certificates can be exported from the CA snap-in by opening each certificate and clicking "Copy to File...".
  • Convert the certificate to PEM format with openssl
 openssl x509 -in certificate.crt -inform DER -out certificate.pem -outform PEM
  • Import to EJBCA with
 $EJBCA_HOME/bin/ ca importcert username password "MS CA v1" status certificate.pem EndEntityProfile CertProfile

However, this is only suitable if you have a few certificates.

Importing the entire certificate database

The entire certificate database is stored in \Windows\System32\CertLog\CA-name.edb. Certutil.exe, which comes with Windows Server, can be used to dump the different records from the database.

 certutil -schema
shows the names of all the columns that can be dumped.

To dump all certificates with their UPN, TemplateName, Disposition (Issued, Revoked) and the PEM-encoded certificate, type

 certutil -view -restrict "GeneralFlags>0" /out "UPN,CertificateTemplate,Disposition,RawCertificate" > certdump.txt

All that we need to do now to pwn the MS CA is to use a script that

  • Locates the next line that starts with "Row"
  • Parses the UPN
  • Parses the TemplateName
  • Parses the certificate status from the Disposition field
  • Writes the PEM certificate to a temporary file
  • Runs the import CLI with
    • Username: UPN-TemplateName
    • Password: foo123
    • CA name: taken from the command line of the script; this should be the name of the imported MS CA
    • Status: ACTIVE if issued and REVOKED if revoked
    • Filename: the temporary file
    • EndEntityProfile: TemplateName (this of course has to exist; maybe easily importable from this page)
    • CertificateProfile: TemplateName (this of course has to exist; maybe easily importable from this page)
  • Starts over until there are no more "Row"s

EJBCA comes with such a script. After compiling EJBCA with ant:

 cd $EJBCA_HOME/tmp/bin/classes/
 java org.ejbca.ui.cli.ImportMSCACertificates /path/certdump.txt "MS CA v1"
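The steps listed above, as an added worked example in Python; this is not EJBCA's own ImportMSCACertificates class and not code from this page. It parses a certutil -view dump into rows, maps the MS CA disposition to the EJBCA status (ACTIVE for issued, REVOKED for revoked, everything else skipped because a pending or denied request carries no certificate to import) and builds the importcert command line exactly as described above. The sample dump is constructed (the English certutil labels "User Principal Name", "Certificate Template", "Request Disposition" and "Binary Certificate" and the "-- Issued" suffix are assumed from certutil's default output; the PEM bodies are placeholders, not real certificates), and the CLI launcher name ejbca.sh is an assumption: substitute whatever this page's "$EJBCA_HOME/bin/ ca importcert" resolves to in your installation.

```python
"""Turn a `certutil -view ... -out "UPN,CertificateTemplate,Disposition,RawCertificate"`
dump into EJBCA `ca importcert` invocations (added example, not EJBCA code)."""
import os
import re
import subprocess
import sys
import tempfile
from dataclasses import dataclass
from typing import Optional

# Constructed sample of certutil's row-oriented text output. Labels assumed from
# certutil's English output; the PEM bodies are placeholders, not real certs.
SAMPLE_DUMP = """\
Row 1:
  User Principal Name: "alice@corp.example"
  Certificate Template: "User"
  Request Disposition: 0x14 (20) -- Issued
  Binary Certificate:
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItQUxJQ0U=
-----END CERTIFICATE-----

Row 2:
  User Principal Name: "bob@corp.example"
  Certificate Template: "SmartcardLogon"
  Request Disposition: 0x15 (21) -- Revoked
  Binary Certificate:
-----BEGIN CERTIFICATE-----
Q09OU1RSVUNURUQtUExBQ0VIT0xERVItQk9C
-----END CERTIFICATE-----

Row 3:
  User Principal Name: "carol@corp.example"
  Certificate Template: "WebServer"
  Request Disposition: 0x09 (9) -- Pending
  Binary Certificate: EMPTY
"""

ROW_RE = re.compile(r"^Row \d+:[ \t]*$", re.MULTILINE)
FIELD_RE = re.compile(r"^\s*([^:]+?):\s*(.*)$")
PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----.*?-----END CERTIFICATE-----", re.DOTALL)


@dataclass
class CaRecord:
    upn: str
    template: str
    disposition: str     # the word certutil prints after "--", e.g. "Issued"
    pem: Optional[str]   # None when the row carries no certificate


def parse_certutil_dump(text: str) -> list:
    """Split the dump at each "Row N:" line and pull out the four columns."""
    records = []
    for chunk in ROW_RE.split(text)[1:]:          # anything before the first Row is not a row
        m = PEM_RE.search(chunk)
        pem = m.group(0) + "\n" if m else None
        head = chunk[: m.start()] if m else chunk  # key/value lines precede the PEM block
        fields = {}
        for line in head.splitlines():
            fm = FIELD_RE.match(line)
            if fm:
                fields[fm.group(1).strip()] = fm.group(2).strip().strip('"')
        disposition = fields.get("Request Disposition", "").split("--")[-1].strip()
        records.append(CaRecord(fields.get("User Principal Name", ""),
                                fields.get("Certificate Template", ""), disposition, pem))
    return records


def ejbca_status(disposition: str) -> Optional[str]:
    """Map the MS CA disposition to the EJBCA import status; None means skip the row."""
    d = disposition.lower()
    if d.startswith("issued"):
        return "ACTIVE"
    if d.startswith("revoked"):
        return "REVOKED"
    return None  # Pending, Denied, Failed: no certificate was ever issued


def build_import_command(rec: CaRecord, ca_name: str, cert_path: str,
                         ejbca_home: str = "$EJBCA_HOME", cli: str = "ejbca.sh",
                         password: str = "foo123") -> Optional[list]:
    """Argument vector for `ca importcert`, in the order the page gives."""
    status = ejbca_status(rec.disposition)
    if status is None or rec.pem is None:
        return None
    username = f"{rec.upn}-{rec.template}"     # UPN-TemplateName, as the page prescribes
    return [f"{ejbca_home}/bin/{cli}", "ca", "importcert", username, password,
            ca_name, status, cert_path, rec.template, rec.template]


def plan_imports(text: str, ca_name: str, ejbca_home: str = "$EJBCA_HOME") -> list:
    """Dry run: (record, command) pairs for importable rows, touching nothing on disk."""
    plan = []
    for i, rec in enumerate(parse_certutil_dump(text), 1):
        cmd = build_import_command(rec, ca_name, f"<row{i}.pem>", ejbca_home)
        if cmd:
            plan.append((rec, cmd))
    return plan


def run_imports(text: str, ca_name: str, ejbca_home: str) -> int:
    """Write each PEM to a temporary file and run the CLI; returns rows imported."""
    done = 0
    for rec in parse_certutil_dump(text):
        with tempfile.NamedTemporaryFile("w", suffix=".pem") as tmp:
            cmd = build_import_command(rec, ca_name, tmp.name, ejbca_home)
            if cmd is None:
                continue
            tmp.write(rec.pem)
            tmp.flush()
            subprocess.run(cmd, check=True)
            done += 1
    return done


if __name__ == "__main__":
    # usage: python import_ms_ca.py /path/certdump.txt "MS CA v1"   (dry run; prints the plan)
    dump = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_DUMP
    ca = sys.argv[2] if len(sys.argv) > 2 else "MS CA v1"
    for rec, cmd in plan_imports(dump, ca, os.environ.get("EJBCA_HOME", "$EJBCA_HOME")):
        print(rec.disposition.ljust(8), " ".join(cmd))
```

The dry-run plan is worth reading before run_imports is ever called: every row whose template name does not already exist as an end entity profile and a certificate profile in EJBCA will fail at import time, so the list of distinct templates in the plan is the checklist of profiles to create first. Certutil writes its dump in the console code page, hence the tolerant decoding when reading the file.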

Issue certificates for SmartCard Logon, DCs, EFS etc.

  • EJBCA and SmartCard Logon is described here and here
  • Autoenroll is described here
  • An index of sample MS certificates can be used for configuring new certificate profiles.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License