Replacing a Microsoft CA with EJBCA

Export the MS CA key and import it into EJBCA

We use the built-in functionality to back up a MS CA. This gives us a PKCS#12 file that we can import into EJBCA.

  • Start a new "mmc" and add the "Certificate Authority" snap-in. Right-click the CA to export → All Tasks → Back up CA...
  • Follow the wizard: select "Private key and CA certificate", choose where to store the p12 file, and set a password.
  • Copy the p12 file to the EJBCA machine.
  • Run:
$EJBCA_HOME/bin/ejbca.sh ca importca "MS CA v1" /path/mscakey.p12

The CA should now appear in the EJBCA Admin GUI.

Import existing certificates into EJBCA

Importing certificates one at a time

  • Certificates can be exported from the CA snap-in by opening each certificate and clicking "Copy to File...".
  • Convert the certificate to PEM format with openssl:
openssl x509 -in certificate.crt -inform DER -out certificate.pem -outform PEM
  • Import it into EJBCA with:
$EJBCA_HOME/bin/ejbca.sh ca importcert username password "MS CA v1" status certificate.pem EndEntityProfile CertProfile

However, this is only suitable if you have a few certificates.

Importing the entire certificate database

The entire certificate database is stored in \Windows\system32\CertLog\CA-name.edb. Certutil.exe, which ships with Windows Server, can be used to dump the different records from the database.

certutil -schema
shows the names of all columns that can be dumped.

To dump all certificates with their UPN, TemplateName, Disposition (Issued, Revoked) and the PEM-encoded certificate, type

certutil -view -restrict "GeneralFlags>0" /out "UPN,CertificateTemplate,Disposition,RawCertificate" > certdump.txt

All we need to do now to pwn the MS CA is to use a script that:

  • Locates the next line that starts with "Row"
  • Parses the UPN
  • Parses the TemplateName
  • Parses the certificate status from the Disposition field
  • Writes the PEM certificate to a temporary file
  • Runs the import CLI with
    • Username: UPN-TemplateName
    • Password: foo123
    • CA name: taken from the script's command line; this should be the name of the imported MS CA
    • Status: ACTIVE if issued, REVOKED if revoked
    • Filename: the temporary file
    • EndEntityProfile: TemplateName (this of course has to exist; it may be easily importable from this page)
    • CertificateProfile: TemplateName (this of course has to exist; it may be easily importable from this page)
  • Starts over until there are no more "Row"s

EJBCA comes with such a script. After compiling EJBCA with ant:

cd $EJBCA_HOME/tmp/bin/classes/
java org.ejbca.ui.cli.ImportMSCACertificates /path/certdump.txt "MS CA v1"
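The row-by-row parsing loop described in the script outline above, as an added Python example that is not EJBCA's own ImportMSCACertificates. It assumes the field labels, the "EMPTY" marker and the disposition codes (20 = Issued, 21 = Revoked) of certutil's English output; the sample dump and its PEM bodies are constructed dummies, and the resulting argv is built but not executed.

```python
# Constructed certutil -view dump; labels, the "EMPTY" marker and the PEM bodies are dummies/assumptions.
SAMPLE_DUMP = """\
Row 1:
  User Principal Name: "alice@corp.example"
  Certificate Template: "User"
  Request Disposition: 0x14 (20) -- Issued
  Binary Certificate:
-----BEGIN CERTIFICATE-----
QUxJQ0U=
-----END CERTIFICATE-----
Row 2:
  User Principal Name: EMPTY
  Certificate Template: "DomainController"
  Request Disposition: 0x15 (21) -- Revoked
  Binary Certificate:
-----BEGIN CERTIFICATE-----
Qk9C
-----END CERTIFICATE-----
"""
# certutil disposition code -> importcert status (20 = Issued, 21 = Revoked assumed; anything else is skipped)
STATUS = {20: "ACTIVE", 21: "REVOKED"}

def parse_dump(text):
    # Walk the dump row by row, as the script outline above describes.
    rows, cur, pem = [], None, None
    for line in text.splitlines():
        if line.startswith("Row "):
            rows.append(cur := {"row": int(line[4:].rstrip(":")), "pem": None})
        elif line.startswith("-----BEGIN CERTIFICATE-----"):
            pem = [line]
        elif pem is not None:
            pem.append(line)
            if line.startswith("-----END CERTIFICATE-----"):
                cur["pem"], pem = "\n".join(pem) + "\n", None
        elif cur is not None and ":" in line:
            name, value = (s.strip() for s in line.split(":", 1))
            if name == "Request Disposition":  # e.g. "0x14 (20) -- Issued": take the decimal code
                cur["status"] = STATUS.get(int(value.split()[1].strip("()")))
            else:
                cur[name] = None if value == "EMPTY" else value.strip('"')
    return rows

def importcert_argv(rec, ca_name, pem_path, password="foo123"):
    # Arguments for `ejbca.sh ca importcert`; None when the row has no certificate or an unmapped disposition.
    if not rec.get("pem") or not rec.get("status"):
        return None
    template = rec["Certificate Template"]
    username = f"{rec.get('User Principal Name') or 'row' + str(rec['row'])}-{template}"  # UPN-TemplateName
    return ["$EJBCA_HOME/bin/ejbca.sh", "ca", "importcert", username, password, ca_name, rec["status"], pem_path, template, template]
```

Rows without a UPN (machine certificates such as DCs) get a row-number based username here, which is an assumption of this example rather than something the page specifies.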

Issue certificates for SmartCard Logon, DCs, EFS etc.

  • EJBCA and SmartCard Logon are described here and here
  • Autoenroll is described here
  • An index of sample MS certificates can be used for configuring new certificate profiles.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-ShareAlike 3.0 License