Online Help
Ver: 3.4.0
2019-08-13
Copyright ©2019 PrimeKey Solutions
Published by PrimeKey Solutions AB
Lundagatan 16
171 63 Solna
Sweden
Notice of Rights
All rights reserved. No part of this book may be reproduced or transmitted in any form by any means,
electronic, mechanical, photocopying, recording, or otherwise, without the prior written permission of the
publisher. For more information on getting permission for reprints and excerpts, contact sales@primekey.com
Notice of Liability
The information in this book is distributed on an “As Is” basis without warranty. While every precaution has
been taken in the preparation of the book, neither the authors nor PrimeKey shall have any liability to any
person or entity with respect to any loss or damage caused or alleged to be caused directly or indirectly by
the instructions contained in the book or by computer software and hardware products described in it.
Trademarks
Many of the designations used by manufacturers and sellers to distinguish their products are claimed as
trademarks. Where those designations appear in this book, and PrimeKey was aware of a trademark claim,
the designations appear as requested by the owner of the trademark. All other product names and services
identified throughout this book are used in editorial fashion only and for the benefit of such companies with
no intention of infringement of the trademark. No such use, or the use of any trade name, is intended to
convey endorsement or other affiliation with this book.
Contents
I Preamble 1
1 Release Notes 2
2 Introduction 4
2.1 Audience 4
2.1.1 Styling Conventions 4
2.1.2 Daily operations 5
II Appliance Installation 7
5 Initial Set-up 14
5.1 External Erase and Factory Reset 15
5.2 One Time Password and SSL Fingerprint 16
5.3 Changing the IP Address of the PKI Appliance 17
5.4 Connecting to the PKI Appliance 18
5.5 Logging in for the first time 23
5.6 Fresh Installation 23
5.7 Network Settings 23
5.8 Date and Time Settings (NTP) 24
5.9 Management CA Settings 25
5.10 Security Settings 26
5.10.1 Domain Master Secret 26
5.10.2 Appliance Security Level 26
5.10.3 PKCS#11 Slot Configuration 27
5.10.4 Audit Log Storage 28
5.10.5 HSM FIPS Mode 28
5.11 Confirm 28
5.12 Installation 29
5.12.1 Get PKCS#12 key store 32
5.12.2 Using legacy browser enrollment 35
5.12.3 Get certificate from CSR 37
5.13 Finalize Installation 41
7 Connect to cluster 44
III WebConf 45
8 WebConf 46
8.1 Status 46
8.2 Network 46
8.2.1 NTP 47
8.2.2 DNS 47
8.2.2.1 Fully Qualified Domain Name (FQDN) 48
8.3 Access 48
8.3.1 TLS certificates 48
8.3.1.1 Server side TLS certificates 48
8.3.1.2 Client side TLS certificates 49
8.3.1.3 Trust CA certificates for client authentication 49
8.3.2 PKI Appliance Management Accounts 49
Use-Case: Create a new TLS server side certificate for Application Interface 50
Use-Case: Upload a new trusted CA for TLS authentication and new superadmin certificate for Management Interface 58
Use-Case: Configure a new trusted CA for TLS authentication and new superadmin certificate for Application Interface 62
8.4 HSM 64
8.4.1 Changing HSM PKCS#11 slot authentication codes 65
8.4.1.1 Switching from generated to manually entered authentication code 65
8.4.1.2 Changing a manually entered authentication code 65
8.4.1.3 Switching to auto-generated authentication code 65
8.4.2 Backup Key Share Smart Card Handling 67
8.4.2.1 Make a one-to-one copy of a smart card 67
8.4.2.2 Change the PIN of the backup key share on a smart card 67
8.4.3 Download protected HSM export 67
8.4.4 Cluster Key Synchronization Packages 67
8.5 Backup 68
8.6 Cluster 70
8.7 Monitoring 70
8.7.1 Syslog shipping 70
8.7.2 SNMP 71
8.8 Platform 73
8.8.1 Applications 73
8.8.2 Updates 73
8.8.3 Troubleshooting 75
8.8.4 Platform Access 75
8.8.4.1 SSH public key 75
8.8.4.2 Password authentication 75
8.8.5 Support 76
IV Advanced 77
9 HA Setup 78
9.1 Scope of availability 78
9.1.1 How it works 78
9.1.2 Synchronization of key material 78
9.1.2.1 Pre-cluster setup generation of keys 78
9.1.2.2 Post-cluster setup generation of keys 79
Use-Case: Synchronize key material 79
9.1.3 Network topology 79
9.1.4 Cluster traffic security considerations 80
9.2 Continuous service availability 80
9.3 Levels of availability 80
9.3.1 Stand alone instance 80
9.3.2 Hot stand-by with manual fail-over 80
9.3.3 High availability with automatic fail-over 81
9.4 High Availability 81
Use-Case: Setting up a 2 node cluster from scratch 81
Use-Case: Setting up a 3 node cluster from scratch 82
Use-Case: Extending a cluster from n to n+1 nodes 82
9.5 Backup, Restore and Update 83
9.5.1 Backing up a cluster 83
9.5.2 Restoring a cluster from backup 83
9.5.3 Updating the software (firmware/applications) on a cluster 84
Use-Case: Software update on a three node cluster from 2.2.0 to 2.3.0 84
9.6 Controlled full cluster shutdown and startup 85
9.6.1 Shutting down the cluster in controlled manner 85
9.6.2 Starting a fully shutdown cluster 85
9.7 Operational Caution 86
Use-Case: Changing the IP Address of the Application Interface of a node in a three node cluster 86
Replacing a failed cluster node 87
Part I
Preamble
1 (105)
PKI Appliance
Online Help – Public Key Infrastructure by PrimeKey
1. RELEASE NOTES Ver: 3.4.0
Chapter 1
Release Notes
The PrimeKey Appliance team is proud to announce the 3.4.0 release. This
release brings major updates for EJBCA and SignServer. Besides that, another
round of improvements under the hood of the PKI Appliance has been introduced.
Furthermore, with this release we are introducing basic IPv6 connectivity:
services running on the Appliance can now be reached over IPv6.
New features:
* EJBCA Enterprise 7.2.1: Please check out the EJBCA release notes:
https://download.primekey.se/docs/EJBCA-Enterprise/7_2_1/
EJBCA_7.2.1_Release_Notes.html
* SignServer 5.1.0.Final: Find more information at
https://download.primekey.com/docs/SignServer-Enterprise/5.1.0.Final/
SignServer_5.1_Release_Notes.html
* IPv6 can be configured on the management and application interfaces through
WebConf. After that, WebConf, EJBCA and SignServer will be available via
IPv6.
Please note that the following constraints apply to IPv6 connectivity:
* IPv6 connectivity is optional and disabled by default.
* Outgoing PeerConnectors cannot use IPv6.
* Cluster connections over IPv6 are not implemented at the moment.
* The initial installation of the Appliance has to be performed using IPv4,
IPv6 addresses cannot be configured using the front display.
* If SSH access is enabled and IPv6 is configured on the management
interface, SSH access via IPv6 is possible (even using link local
addressing).
* HTTP connections through link local addresses are blocked by the firewall.
Changes:
* After upgrading to 3.4.0 (or higher) it is not possible to downgrade to
versions lower than 3.4.0. If a downgrade is required, please contact
support.
* WebConf sessions are now tracked using a cookie, not using a URL parameter.
* Feedback for smart card operations (e.g. change PIN) has been improved.
2. INTRODUCTION Ver: 3.4.0
Chapter 2
Introduction
This manual provides an in-depth understanding of the public key infrastructure (PKI) products
and services provided by PrimeKey and is intended to serve as a guide to understanding
and implementing PKI as a product and service within the PKI Appliance.
2.1 Audience
This guide is intended for use by Information Technology (IT) professionals with an interest
in implementing the PKI products provided by PrimeKey in their environment using the
PKI Appliance. The guide is structured so that it begins with an
introduction to the subject and progressively moves into deeper technical topics. This
makes the guide useful for a wide variety of personnel, from managers to integrators.
The lowest common denominator between the various audience groups is the shared
interest in implementing PKI using PrimeKey products.
• Options from popup menus or values that can be chosen like RSA 2048
• Links in the GUI that need to be selected/clicked upon are displayed in blue like:
Search End Entities.
• Values that have to be provided in text fields are presented as: a new value.
• Group titles or GUI text that is not selectable is represented as: RA Functions.
• Informative messages provide additional explanation of the steps being performed, or
the configuration being applied. For example:
• Warning messages are used to draw attention to a critical or sensitive step that
has to be performed, or to a critical piece of information that has to be provided. For
example:
• Shell listings are used to specify commands that should be run on a server in a terminal,
by a specific operating system user. For example:
Run as user
df -h
i Unless the instructions explicitly state otherwise, do not deviate from the instruction
order. All steps should be performed in the sequence in which they are
outlined. Do not jump back and forth between different exercises unless
the instructions explicitly say so.
3. PKI APPLIANCE OVERVIEW Ver: 3.4.0
Chapter 3
3.1 Description
EJBCA Enterprise Appliance is a PKI-in-a-box and combines the flexibility, reliability and
feature set of EJBCA Enterprise software with a secure technology stack and enterprise-grade
hardware including a FIPS 140-2 Level 3 certified HSM. Through the combination of
built-in CA, RA and VA functionality and a variety of interfaces like OCSP, CMP, SCEP and
WebServices, EJBCA Enterprise Appliance provides a unique turn-key PKI solution.
EJBCA Enterprise Appliance is based on a unified and controlled technology stack which
reduces technical risks for the entire PKI project and reduces patch management efforts
during operation. Simplified management and maintenance workflows lower the setup time
and operational costs and reduce the TCO.
High flexibility, performance, and support for high availability and load balancing make the EJBCA
Enterprise Appliance suitable for critical infrastructure setups within commercial and governmental
organizations of all sizes.
As of version 2.4.0 the EJBCA Enterprise Appliance (or PKI Appliance) exists in three
different product sizes, designated as S, M or L. Previous unlabeled versions are equivalent
to the M size. While the L version takes advantage of recently available bigger hard disks
to provide for more database space, the S version is a highly reduced version with smaller
database size and also a reduced speed HSM.
Part II
Appliance Installation
4. PKI APPLIANCE UNBOXING Ver: 3.4.0
Chapter 4
Congratulations! You have obtained the PKI Appliance from PrimeKey Solutions AB.
Illustrated below are the items that can be found while unboxing the PKI Appliance package.
• Four mains cables, one pair each for the European and American standards.
• A Packing List
You will find 4 cables and rack mount sliding rails (see fig. 4.2).
Also there is a PIN pad with 10 smart cards (see fig. 4.3).
Finally the second layer reveals the packed PKI Appliance as shown in figure 4.4.
4.3 Overview
4.3.1 Front View
1. Four bays for customer serviceable hard disks (Solid State Disks, SSD) for database,
RAID1, two disks are provided
2. SSD Slot 0
3. SSD Slot 1
7. Status LED row: Power (green), Hard Disk (red), Info (yellow)
8. Front display for status information and IP address configuration with menu buttons:
Up, Down, Enter, Cancel
7. Hardware Security Module (HSM). The USB and serial interfaces are not to be used.
2. Make sure the serviceable hard disks are sitting properly in their bay
5. INITIAL SET-UP Ver: 3.4.0
Chapter 5
Initial Set-up
The initial setup of the PKI Appliance transfers the device from the delivery state to a
production setup by configuring all components of the system. The initial setup routine
requires four steps:
• Setting the initial management IP address using the control panel at the front
• Obtaining the One Time Password (OTP) from the display to access WebConf
We recommend not connecting the network cables yet. As a general precaution,
we suggest that you first configure the IP addresses before connecting the PKI Appliance to
your network. Any previously configured IP address or the default IP addresses could already
be assigned to another network device in your network and thus disrupt service.
The network interfaces are:
• To the very left, next to a pair of USB connections, you will find a single network
socket which is not in service. It must never be used.
• Of the two network ports next to each other, the left one is the
Application Interface. Its default IP address is 192.168.5.161.
• The right one of the two network ports is the Management Interface, which defaults
to 192.168.5.160.
• you need to make sure that possibly secret data needs to be erased or
The following steps describe the procedure to perform a Factory Reset with the PKI
Appliance:
! The next step is a definite action. All sensitive data will immediately be
erased from the HSM. The only possibility to restore the data is from a
backup (if one exists) and Backup Key Share smart cards, where required.
1. On the back of the PKI Appliance there is a hole underneath the integrated Hardware
Security Module (HSM) with a hidden button (see figure 5.1). This is the button
for External Erase. Press that button for one second using a pen while the machine
is powered, switched on and has finished booting, and make sure you hear a confirmation
sound, which should be played within 15 seconds (but might take up to ten minutes
under certain circumstances, e.g. if you slipped off the button and pressed it a second
time).
i It is ensured that the HSM deletes the data as soon as the button is pressed.
Under certain circumstances (as described above), the feedback (audible
and PKI Appliance front display) might take longer.
2. If the machine acknowledged that you pressed the button either by the audible feedback
or by the message on the front panel display, you will have to reboot the PKI Appliance
to actually execute the Factory Reset by briefly pressing the power button on the front
panel and then confirming the reboot via the display buttons. The machine will reboot
and clear all configuration files. It should be clearly stated that a clean shutdown and
boot is required for the configuration to be deleted. A hard power fail will not do.
3. After rebooting, the PKI Appliance display should show a cycle of the current Management
Interface IP address, the initial TLS fingerprint, some additional information
like software version and the One Time Password. Seeing the One Time Password is
proof that the Factory Reset was successful.
The shortened TLS fingerprint indicated on the display shows the first characters of the
fingerprint of the TLS certificate used to secure the connection from your web browser to
the PKI Appliance WebConf (see figure 5.3). The WebConf will ask you to compare this
fingerprint with the fingerprint of the TLS certificate presented to you by the browser to
make sure that you are accessing the right machine.
If the default IP address of the Management Interface of the PKI Appliance does not
match your network configuration, you can easily change it according to your needs. However,
it is preset to have a network prefix of /24 (resulting in a subnet mask of 255.255.255.0).
Pressing the "OK" button when the IP address is shown will allow you to change the IP
address (see figure 5.5). The IP address will be presented with leading zeroes. The cursor
will start at the first digit of the first byte of the IP address. You can abort this operation
at any time by pressing the x button.
1. use the up and down buttons to adjust the digit to your target IP address.
5. when confirming the last digit with the v button, the display will ask you to confirm
the IP address. This time, the IP address will be shown without leading zeroes.
The chosen IP address will be committed. Please note that this operation can take up to
10 seconds. After that time, it is safe to connect the first network cable to the Management
Interface (the right one, as seen from behind).
i The WebConf is designed and tested to work with Firefox 26.0+. Other
browsers like Chrome or Safari are working but are not officially supported
and you may observe minor incompatibilities. Internet Explorer is currently
not officially supported and depending on the version you might not be able
to finish the configuration process successfully.
1. Navigate your browser to the IP address of the Management Interface of the PKI
Appliance. A simple web page will instruct you to connect through TLS (see figure
5.6).
2. Follow that link and your browser will respond with a TLS warning because the server's
TLS certificate is not signed by any CA your browser already knows (see figure 5.7).
5. Untick Permanently store this exception if you plan to install the machine now. The
certificate will be regenerated during installation and the permanently stored certificate
would be obsolete. Confirm the Security Exception by clicking Confirm Security Exception
(see figure 5.8).
Figure 5.9: Instruction to compare and confirm the TLS certificate fingerprint
7. Check the fingerprint of the TLS certificate and compare the first characters to the
fingerprint shown on the display of the PKI Appliance.
(a) Click the little padlock icon in the address bar of your browser (see figure 5.10).
(c) Click on View Certificate. You will be shown the SHA1 fingerprint. The
fingerprint should match the part that was visible on the display (see figures
5.12 and 5.3).
8. If the two fingerprints match, then you can be sure to be connected to the correct
machine. Click The fingerprints are the same as in 5.9.
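The fingerprint comparison in steps 7 and 8, as an added example (not part of the PrimeKey manual): it computes the SHA-1 fingerprint of the certificate the server presents and checks that it starts with the characters read from the front display. The function names, the 8-character minimum and the sample bytes are assumptions.

```python
import hashlib
import socket
import ssl

# Assumption of this example: refuse to decide on fewer characters than this.
MIN_DISPLAY_CHARS = 8

# Constructed bytes standing in for a DER-encoded certificate (not a real one).
SAMPLE_DER = b"constructed bytes standing in for a DER certificate"


def sha1_fingerprint(der_cert: bytes) -> str:
    """SHA-1 over the DER encoding, the value a browser shows as 'SHA1 fingerprint'."""
    return hashlib.sha1(der_cert).hexdigest().upper()


def normalise(fingerprint_text: str) -> str:
    """Drop the separators people type (colon, space, dash) and validate the rest as hex."""
    cleaned = "".join(ch for ch in fingerprint_text if ch not in ": -").upper()
    if not cleaned or any(ch not in "0123456789ABCDEF" for ch in cleaned):
        raise ValueError(f"not a hex fingerprint: {fingerprint_text!r}")
    return cleaned


def display_matches(der_cert: bytes, display_text: str) -> bool:
    """True if the certificate's fingerprint starts with what the display showed."""
    shown = normalise(display_text)
    if len(shown) < MIN_DISPLAY_CHARS:
        raise ValueError("too few characters read from the display to compare")
    return sha1_fingerprint(der_cert).startswith(shown)


def fetch_server_cert(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch the certificate the server presents without trusting it yet.

    Chain validation is off on purpose: before installation the certificate is
    not signed by a known CA, so the fingerprint comparison is the actual check.
    """
    context = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    context.check_hostname = False       # must be cleared before CERT_NONE is set
    context.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


if __name__ == "__main__":
    full = sha1_fingerprint(SAMPLE_DER)
    print("fingerprint of sample bytes:", full)
    print("display prefix matches:", display_matches(SAMPLE_DER, full[:10]))
```

Against a real appliance, pass the bytes returned by `fetch_server_cert("<management IP>")` together with the characters read from the front display.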
1. Fresh install
3. Connect to cluster
For now we will do a fresh install, so click the Next button below Fresh install (see
figure 5.14)
to be the Application Interface, through which the operational payload will be routed. It’s
perfectly fine to set up two separate networks if you want to separate those tasks. For the
time being, the Management Interface IP address has been configured at the front panel
display and is preset to have a network prefix of /24 (subnet mask 255.255.255.0). On the
application network however, you are free to choose the IP address, network prefix and
default gateway. You will also be asked to enter the designated hostnames, if you plan to
make the PKI Appliance available through DNS name resolution.
After the installation, you will be given the possibility to change the IP address of the
Management Interface.
To confirm the configuration and proceed to the next step, click on Next: Time (see
figure 5.15).
time source. If you plan to build a cluster, you have to use NTP.
! If you are going to use NTP, this is the right time to configure it! If you configure
it later and there is a difference between the NTP server and current system
time, the synchronization will not happen directly. It can take up to several
hours.
If you already have a TLS PKI somewhere, you can opt not to generate a new Management
CA but use an existing Management CA. You will be prompted to upload the
PEM-encoded CA certificate. If you need the Management CA to be created now, you
will be asked to configure it:
– SHA1withRSA
– SHA256withRSA
– SHA256withECDSA
– RSA 1024
– RSA 2048
– RSA 4096
This option defines if and how many smart cards shall be used to protect the HSM key
material. As an example, if 2 out of 3 Backup key share cards is chosen, you will be
asked to insert 3 smart cards during installation where on each a share of a symmetric key
(the Backup Key) will be stored. The symmetric key will be used to encrypt the backups.
As the Backup Key is also securely stored on the HSM you will not need to provide the
smart cards for every backup operation. Should it be necessary to restore the PKI Appliance
from a backup you will need to provide 2 of the initially created 3 smart cards to import
the Backup Key into the HSM to decrypt and import the backup data. Likewise for the
3 out of 5 Backup key share smart cards scenario.
For low security or testing scenarios it is also possible to operate the PKI Appliance without
smart cards and use software-based keys which are stored on the PKI Appliance instead.
In this case, any backup of cryptographic keys (from the HSM) will not be additionally secured
by the Backup Key Share smart cards, but only by the Domain Master Secret, which
encrypts all data in a backup file.
activation for PKCS#11 slots is not available with HSM FIPS Mode, see below.)
5.11 Confirm
It is highly recommended that you double check everything on this summary page. You
might even want to print this page. If you spot an error, you can easily navigate backwards
with the Previous buttons or use the breadcrumbs at the top of the screen.
i If you have decided to use smart cards for your setup, please make sure
that the PIN pad included in the delivery is connected to one of the USB
ports in the front of the PKI Appliance and that you have a sufficient number
of smart cards at hand. The smart cards are delivered with the default PIN
"123456". You will be given an opportunity to change the PIN of a smart
card after installation has finished, see chapter 8.4.2.2 on page 67.
When you are ready to continue the installation click on Begin installation . The
installation will take a few minutes (see figure 5.19).
5.12 Installation
The installation process will take a few minutes. During this time you can follow the installation
and configuration steps shown below the progress bar which will include the configuration
of the HSM, the database and the applications, like EJBCA.
i If you have decided to use smart cards, please watch the output
from the PIN pad during the installation process, which will ask you to
insert the smart cards and enter the PIN. You will be asked to insert the
smart cards in two steps using the k out of n scheme:
1. Key generation: Insert all (n) smart cards you have chosen to use,
always providing the PIN.
2. Key import (to HSM): Insert again the number of smart cards that
is needed to restore the Backup Key (k).
At the end of the installation, you will find the following screen (see figure 5.20).
To manage the PKI Appliance you need to get a client side SuperAdmin TLS certificate
issued by the Management CA that can be used from your browser. This certificate will be
your one and only authentication to the system, unless you configure other access methods.
Configuration of further users and other authentication methods is described in the
WebConf chapter (see page 48).
Select the option that suits your current client environment.
1. Get PKCS#12 key store: The SuperAdmin certificate and corresponding key pair are
generated on the PKI Appliance and manually imported into the browser.
2. Using legacy browser enrollment: The SuperAdmin key pair is generated in the
browser and the SuperAdmin certificate is automatically imported into the browser.
3. Get certificate from CSR: The SuperAdmin key pair is generated outside the browser
context and the SuperAdmin certificate will be created from a Certificate Signing
Request.
The certificate and corresponding key pair are a vital component of your system. You
need to protect them and back them up with the same care that you apply to the backups and data
of the PKI Appliance itself: Anyone in possession of this certificate can manipulate your
installation. Without this certificate, you have no access whatsoever to the PKI Appliance.
Next, press Get SuperAdmin PKCS#12 key store (see figure 5.22). A new tab
will open.
In the newly opened tab, select a Key Specification matching your organization’s security
requirements and click Enroll (see figure 5.23). You will be prompted to save a .p12 file.
Download it to the local machine.
Close the newly opened tab. Back in the installation wizard tab (see figure 5.22), make
a note of the PKCS#12 protection password. Use your browser’s proprietary mechanism for
importing the .p12-file using the PKCS#12 protection password before proceeding.
Once the P12 has been successfully imported, click Finalize installation .
Click the link labeled Get SuperAdmin certificate (see figure 5.25). A new tab will
open.
In the newly opened tab, click Enroll . Your browser will then generate a key pair,
request the certificate from the Management CA and automatically install the certificate in
your browser (see figure 5.26). Confirm the popup and close the tab.
Back in the installation wizard tab (see figure 5.25), click Finalize installation .
Make a note of Enrollment username and Enrollment code. Click the link labeled
Go to SuperAdmin enrollment page (see figure 5.28). A new tab will open.
In the newly opened tab, enter Enrollment username and Enrollment code from the
previous page. Select or paste the certificate signing request you want to use to issue the
initial SuperAdmin certificate. Click OK . (See figure 5.29.)
Download the certificate (see figure 5.30) and install it (using some proprietary method).
Close the tab when done.
Back in the installation wizard tab (see figure 5.25), click Finalize installation .
Due to the inner workings of the PKI Appliance, configuration changes only
get persisted after approximately one hour (or when the machine is properly shut
down/rebooted), leading to lost configuration in case of a power outage right
after installation. This might be relevant if you are running a test installation on
your desk or in a test lab.
Chapter 6
Restore from Backup
A backup file can only be restored to a fresh and unprovisioned machine. You will need the
backup file on a Network File System (NFS) share, the Domain Master Secret that you specified
when installing the first machine of your environment, and the smart cards, depending
on your chosen Appliance Security Level (please refer to chapter 5.10.1 on page 26 and
the following chapter for more information about the Domain Master Secret, the Appliance
Security Level and the smart cards).
Note: Relating to the S-M-L product size variations, please be aware that you
can only restore a backup to a matching or bigger product size version.
Example: A backup from a model M product size can only be restored to
hardware of M or L product size.
Note: With version 2.4.0 and newer, the PKI Appliance will not be able to restore
from backup data created on a PKI Appliance with versions older than 2.2.0.
• Unless the PKI Appliance has been configured with a low Appliance Security Level (for
demo and testing), you will need the PIN pad and the persons holding the smart cards,
who will need to know their PINs.
1. Switch on the PKI Appliance and wait for it to finish booting. This will take about
5 minutes.
3. Take note of the One Time Password (OTP) and the TLS Fingerprint.
5. Navigate your Firefox browser to the configured IP address and log in using the One
Time Password.
6. In the installation menu choose "restore from backup" and enter the connection details
of the NFS server where your backup is stored.
7. The restoration of the backup can take up to several hours depending on the size of your
backup. The restore procedure might request you to connect a PIN pad and provide
the backup protection smart cards in case your initial system had been configured to
use those.
8. After finishing the restore procedure you will be asked to reboot the system. This is
the moment where you can safely connect the second network cable to the Application
Interface if you have not yet. Keep in mind that after the system has been rebooted it
will have the restored configuration including IP address, SuperAdmin certificates etc.
Chapter 7
Connect to cluster
A fresh and unprovisioned PKI Appliance can be added to a cluster or can be connected
to another standalone PKI Appliance to start your cluster. You have to start the procedure
either on any node that is already part of the cluster or on the standalone machine that
is already installed respectively. When starting the procedure on that node, you’ll be given
instructions to download a so called cluster bundle. This cluster bundle will then be needed
when going through this part of the wizard. You will also need the Domain Master Secret
that you specified when installing the first machine of your environment and a copy of the
Backup key share smart cards that were created when installing the first machine of your
environment (please refer to the chapter 5.10.1 on page 26 and the following chapter for
more information about the Domain Master Secret, the Appliance Security Level and the
smart cards).
Note: Relating to the S-M-L product size variations, please be aware that you
should not mix product size variants in a cluster. Since a filled hard disk
makes the database stop working, the smallest node of your setup will stop
working (and thus reduce redundancy) first.
It is recommended to read the chapter 9 (page 78) in this document if you are changing
a standalone setup to a multi-node cluster or extending an existing cluster with additional
nodes.
After logging in to the PKI Appliance using the One Time Password from the front panel
display and choosing to connect to a cluster, you will be guided through a short wizard.
Part III
WebConf
Chapter 8
WebConf
The WebConf is the web based user interface for managing the base functionality of the PKI
Appliance. The functions are sorted under different tabs (described below) and by selecting
a tab, contextual help for the selected functionality is shown to the right.
8.1 Status
This view shows you information about the overall status of your installation (see figure 8.1).
From the status page you can expect to get a rough overview of the health status of
your PKI Appliance.
8.2 Network
In this view you can configure networking for the PKI Appliance (see figure 8.2). The
PKI Appliance has two network interfaces: one for administration (the one you are currently
connected to) and one for exposing the running applications as a service.
The network address range for each interface is configured using the IP prefix, but is
shown as both Netmask and Network for convenience. Gateway is the default gateway for
traffic to hosts that are not included in any of the interfaces’ network address ranges. Only
IPv4 is currently supported.
After applying the settings there will be a short delay before the UI is reachable again.
If you have changed the management IP address, make sure that you reconnect to the
specified address after the change.
8.2.1 NTP
Network Time Protocol (NTP) can be configured to always keep the clock of the PKI Appliance
in sync with a well-known time source. It is recommended to use multiple trusted
time sources whenever possible. NTP servers are accessed through the Management Interface.
An example could be the NIST NTP server: 129.6.15.29. NTP is required for cluster
operation. Please note: Enabling NTP by adding NTP servers will not change/correct the
time instantly. The PKI Appliance clock will be migrated to the time of the NTP source
very gently so as not to disturb operations. Depending on how far off the clock is, a reboot of the
PKI Appliance might or might not speed up the clock migration.
8.2.2 DNS
Domain Name System (DNS) servers can be configured to enable host lookup by hostname
instead of IP address. This should only point to trusted name servers, so that the
PKI Appliance does not communicate with malicious hosts. DNS servers are accessed through the
Application Interface. An example of an untrusted DNS server (OpenDNS) you can use for
testing is: 208.67.222.222
8.3 Access
In this view you can manage how the PKI Appliance can be accessed (see figure 8.3).
3. Send the CSR to your CA together with the information you would like to have in the
certificate. Note that some implementations (e.g. Java) require a matching IP address
or DNS entry in the certificate.
4. Upload the issued certificate in PEM format with full certificate chain.
Note that the information in the CSR isn’t set to anything useful. This is the normal
EJBCA way of doing things, where the information inside the CSR is not trusted and is
overridden by whatever values the RA officer finds acceptable.
The match value in the case of client TLS certificates is the entire Subject Distinguished
Name (e.g. "CN=SuperAdmin,O=PrimeKey Labs C,C=DE") of the certificate.
For shared secret authentication, the value is the shared secret. We would strongly
discourage the use of shared secret authentication and this option might disappear in future
releases of the PKI Appliance.
Use-Case: Create a new TLS server side certificate for Application Interface
In this exercise we will create a new server TLS certificate for the Application Interface using
WebConf.
First we will check which TLS certificate is currently in use.
2. Click on the icon located before the URL (see figure 8.4) and press More information.
4. Various pieces of information about the certificate are displayed. Among them is the CN with
the value node1-tls-app (see figure 8.6).
Now we will create a new TLS server certificate for the Application Interface.
1. Navigate to the tab ACCESS in WebConf
3. New options will appear (see figure 8.8) and we will create a CSR with Create CSR
4. At that point we can download the CSR with Download CSR (see figure 8.9).
5. Now we’ll use the EJBCA Admin pages. In RA Functions press Search End Entities.
In Search end entity with username write tls_app. The result is shown in figure 8.10.
6. Click Edit End Entity. A popup window will appear.
10. and at last set Token to User Generated (see figure 8.12).
12. Under Enroll open Create Certificate from CSR (see figure 8.13).
16. and as Result type choose PEM - full certificate chain (see figure 8.14)
17. Press OK .
18. At that point we’ll save the PEM file with the name node1tlsappnew.pem (see figure 8.15).
19. Navigate to the Access tab in WebConf. As you see in fig. 8.9, we can Browse... for
Next chain: and upload node1tlsappnew.pem.
20. It is now time to activate the certificate chain on the server with Activate new cert
(see figure 8.16). It will take a while until the new TLS certificate is
active (see figure 8.17).
21. We can verify that the server is using the new certificate by refreshing application
pages. We will be asked to confirm the new connection (see figure 8.18). Once this is
done, we can see the new certificate as shown on fig. 8.4.
22. When we verify the certificate that is used for the TLS connection, we can see that it
is the one we created, with the new CN node1-tls-app-new as in fig 8.19.
From now on, each time we log in to the Application Interface the new TLS certificate
will be used.
Use-Case: Upload a new trusted CA for TLS authentication and new super-admin certificate for Management Interface
In this exercise we will change the client certificate and update the trusted CA for the
Management Interface using WebConf.
The new superuser certificate has to be issued by the same CA (MyCustomCA) that we will
install for TLS authentication. First we have to provide the information about the certificate
(MyUsername.pem) that will be used as superuser.
1. Open the WebConf and navigate to Access tab (see fig. 8.20)
Run as <user>
Note: In the subject value, slashes (/) have to be replaced with commas (,).
Figure 8.21: WebConf Access add a new client certificate for TLS authorization
4. Under Trusted CAs for TLS client authentication section we will Browse.. for
the MyCustomCA-chain.pem file (see fig. 8.22).
Important: It has to be the whole chain from the issuer CA of the client certificate up
to the trusted RootCA.
7. When update is done, the new trusted configuration is used for authentication in the
Management Interface (see fig. 8.24).
1. Open the EJBCA admin web, navigate to the Certification Authorities tab and use
Import CA certificate... (see fig. 8.25) to upload all CA certificates that belong to
the new trust chain. In our example these are MyTrustedRootCA and MyTrustedSubCA.
2. Open Administrator Roles link and click Administrators next to Super Adminis-
trator Role as shown in fig. 8.26
3. Check the Subject DN of the client certificate which will be used to authenticate using
openssl
Run as <user>
serial=2b4306acbf69224
4. Use the following values (see fig. 8.27) and press Add :
• CA: MyTrustedSubCA
• Match with: X.509: Certificate serial number (Recommended)
• Match type: Equal, case sens.
• Match value: 2b4306acbf69224
Figure 8.27: Configure the serial number of the trusted certificate in EJBCA
Now EJBCA is configured to use this certificate. The last step is to configure
WebConf so that the Application Interface will also authenticate MyTrustedSubCA-chain.pem.
5. Follow the same process for the Application Interface, analogous to what is
described in Use-Case: Upload a new trusted CA for TLS authentication and new super-admin
certificate for Management Interface.
8.4 HSM
The Hardware Security Module (HSM) configuration allows you to change the authentication
codes of the PKCS#11 slots, change the PIN of Backup Key Share Smart Cards, make one-
to-one copies of backup protection cards, change the PIN of user credentials on smart cards
(for slot activation), download a full (protected) backup of the HSM’s key material or handle
HSM key synchronization across a cluster.
Please note that the figure 8.28 shows some functionality that might not be available,
according to your setup.
Pros: Highly available. Authentication code is very hard to brute force. Authentication code
cannot be disclosed by administrators.
Cons: Possible to extract given physical access to the machine (if the PKI Appliance is stolen,
it cannot be ruled out that the key material of the slot can be freely accessed).
8.4.2.2 Change the PIN of the backup key share on a smart card
This allows you to change the PIN of the backup key share on a smart card. This should
absolutely be done with each of the Backup Key Share smart cards. It is the easiest
way to prevent a mix-up or accidental overwriting of the contents of a smart card. This
function can also be used if the card is being assigned to another person in the company,
or on a smart card that originally comes from another PKI
Appliance.
A similar function is offered to change the PIN of a PKCS#11 Slot User
on a smart card, given that you have chosen to additionally secure your PKCS#11 slots
with smart card authentication.
not synchronize automatically. Hence, you will have to manually distribute this new key data
by downloading a Key Synchronization Package on the Node where you created the new
CA and uploading it to each of the other nodes. The applications (EJBCA, SignServer) will
automatically be restarted, so that the key material can be used. See also Chapter 9 on page
79 for a more detailed description of the workflow.
8.5 Backup
Backups are entire snapshots of the system at a specific point in time. This will guarantee
that you can go back to a stable state in case of disaster.
Deleting backup
Important: Reload the list of backups and press the Delete button for the backup
you want to remove.
Note: Backups can be automated to run once per day, once per week or once
per month. Taking a backup will put some load on the system, so it is
recommended to pick a time where you expect little usage. Be sure to save
your settings.
8.6 Cluster
This view gives you an overview of the cluster, or rather this node’s view of it. You can also
configure cluster settings (see figure 8.34).
Please refer to the chapter 9 HA Setup (see page 78) for further information on how to
extend your system to a cluster with multiple nodes.
8.7 Monitoring
In this view you can configure monitoring (SNMP and remote syslog) for the PKI Appliance
(see figure 8.35).
8.7.2 SNMP
You can activate SNMP access to the PKI Appliance by checking this button. All SNMP
requests are combined in the "public" community. The PKI Appliance will then answer to the
two standard MIBs SNMPv2-MIB and HOST-RESOURCES-MIB. Additionally, the following
parameters can be accessed with the following OIDs:
| OID | Value | Example Value |
|---|---|---|
| .1.3.6.1.4.1.22408.1.1.2.1.2.118.109.1 | Status of all VMs, 0 if all are running, 1 otherwise | 0 |
| .1.3.6.1.4.1.22408.1.1.2.1.3.99.112.117.1 | Temperature of the CPU | 27 |
| .1.3.6.1.4.1.22408.1.1.2.1.4.118.100.98.49.1 | Database usage in % | 2 |
| .1.3.6.1.4.1.22408.1.1.2.1.4.118.100.98.50.1 | 1 if space for db exceeds 80% usage, 0 otherwise | 0 |
| .1.3.6.1.4.1.22408.1.1.2.1.4.102.97.110.49.1 | rpm of cpu fan | 1025 |
| .1.3.6.1.4.1.22408.1.1.2.1.4.102.97.110.50.1 | rpm of system fan 1 | 1126 |
| .1.3.6.1.4.1.22408.1.1.2.1.4.102.97.110.51.1 | rpm of system fan 2 | 1028 |
| .1.3.6.1.4.1.22408.1.1.2.1.4.102.97.110.52.1 | rpm of system fan 3 | 982 |
| .1.3.6.1.4.1.22408.1.1.2.1.4.102.97.110.53.1 | 0 if cpu fan ok, 1 otherwise | 0 |
| .1.3.6.1.4.1.22408.1.1.2.1.4.102.97.110.54.1 | 0 if system fans are ok, 1 otherwise | 0 |
| .1.3.6.1.4.1.22408.1.1.2.1.5.108.111.97.100.49.1 | Load average of the system. Intervals are 1 min, 5 min, 15 min | 0.19 0.10 0.06 |
| .1.3.6.1.4.1.22408.1.1.2.1.5.108.111.97.100.50.1 | Load average of the system. Intervals is 1 min | 0.19 |
| .1.3.6.1.4.1.22408.1.1.2.1.5.108.111.97.100.51.1 | Load average of the system. Intervals is 5 min | 0.10 |
| .1.3.6.1.4.1.22408.1.1.2.1.5.108.111.97.100.52.1 | Load average of the system. Intervals is 15 min | 0.06 |
| .1.3.6.1.4.1.22408.1.1.2.1.5.114.97.105.100.49.1 | Status of RAID, 0 if clean or active, 1 otherwise | 0 |
| .1.3.6.1.4.1.22408.1.1.2.1.5.114.97.105.100.50.1 | Status of RAID as string | clean |
| .1.3.6.1.4.1.22408.1.1.2.1.5.114.97.105.100.51.1 | Devices in RAID | Total Devices : 2 |
| .1.3.6.1.4.1.22408.1.1.2.1.5.114.97.105.100.52.1 | Devices in RAID as int | 2 |
| .1.3.6.1.4.1.22408.1.1.2.1.5.114.97.105.100.53.1 | Devices active in RAID | Raid Devices : 2 |
| .1.3.6.1.4.1.22408.1.1.2.1.5.114.97.105.100.54.1 | Devices active in RAID as int | 2 |
| .1.3.6.1.4.1.22408.1.1.2.1.7.118.101.114.115.105.111.110.1 | Version of PKI Appliance | PrimeKeyAppliance.2.3.0 |
| .1.3.6.1.4.1.22408.1.1.2.1.8.99.108.117.115.116.101.114.49.1 | Local node ID | 1 |
| .1.3.6.1.4.1.22408.1.1.2.1.8.99.108.117.115.116.101.114.50.1 | Db cluster size | 3 |
| .1.3.6.1.4.1.22408.1.1.2.1.8.99.108.117.115.116.101.114.51.1 | Currently active nodes in db cluster | 3 |
| .1.3.6.1.4.1.22408.1.1.2.1.8.99.108.117.115.116.101.114.52.1 | Local db cluster (galera) state | 4 |
| .1.3.6.1.4.1.22408.1.1.2.1.8.99.108.117.115.116.101.114.53.1 | Local db cluster (galera) state as string | Synced |
| .1.3.6.1.4.1.22408.1.1.2.1.8.99.108.117.115.116.101.114.54.1 | Last transaction ID | 208 |
| .1.3.6.1.4.1.22408.1.1.2.1.8.104.101.97.108.116.104.101.49.1 | EJBCA healthcheck as raw string | ALLOK |
| .1.3.6.1.4.1.22408.1.1.2.1.8.104.101.97.108.116.104.101.50.1 | EJBCA healthcheck returns 0 for "ALLOK", 1 otherwise | 0 |
| .1.3.6.1.4.1.22408.1.1.2.1.8.104.101.97.108.116.104.115.49.1 | Signserver healthcheck as raw string | ALLOK |
| .1.3.6.1.4.1.22408.1.1.2.1.8.104.101.97.108.116.104.115.50.1 | Signserver healthcheck returns 0 for "ALLOK", 1 otherwise | 0 |
| .1.3.6.1.4.1.22408.1.1.2.2.4.104.115.109.49.1 | Status of HSM as string | STATUS_is_OPER |
| .1.3.6.1.4.1.22408.1.1.2.2.4.104.115.109.50.1 | Enum of Status of HSM | 0 |
| .1.3.6.1.4.1.22408.1.1.2.2.4.104.115.109.51.1 | Status of HSM, 0 if operational, 1 otherwise | 0 |
| .1.3.6.1.4.1.22408.1.1.2.2.4.104.115.109.52.1 | Battery voltage of HSM | 3.100 V |
| .1.3.6.1.4.1.22408.1.1.2.2.4.104.115.109.53.1 | Battery state, 0 if ok, 1 otherwise (eg. low voltage) | 0 |
| .1.3.6.1.4.1.22408.1.1.2.2.4.104.115.109.55.1 | Battery voltage of external HSM battery | 3.272 V |
| .1.3.6.1.4.1.22408.1.1.2.2.4.104.115.109.56.1 | Battery state, 0 if ok or absent, 1 otherwise (eg. low voltage) | 0 |
| .1.3.6.1.4.1.22408.1.1.2.2.4.104.115.109.54.1 | Serial Number of HSM | CS445661 |
| .1.3.6.1.4.1.22408.1.1.2.1.6.109.97.105.110.116.49.1 | Maintenance State as int, 0 if operational, 1 if offline or 2 if maintenance | 0 |
| .1.3.6.1.4.1.22408.1.1.2.1.6.109.97.105.110.116.50.1 | Maintenance State as string | Operational |
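In the OIDs listed above, the arcs after the common prefix read as a branch number, a length-prefixed ASCII name and a row index (for example 2.118.109.1 is the two-character name "vm", row 1). The following Python sketch is an added example, not PrimeKey code: it decodes those names from numeric walk output and turns the 0/1 status flags from the table into alarms. The sample walk lines and their value types are constructed, and the check that compares active nodes against cluster size is an assumption drawn from the table's descriptions.

```python
"""Decode the PKI Appliance's string-indexed OIDs and evaluate its 0/1 status flags."""

BASE = (1, 3, 6, 1, 4, 1, 22408, 1, 1, 2)  # common prefix of every OID in the table

# Decoded name -> meaning of a non-zero value, per the table's descriptions.
FLAGS = {
    "vm": "not all VMs are running",
    "vdb2": "database space exceeds 80% usage",
    "fan5": "CPU fan not ok",
    "fan6": "system fans not ok",
    "raid1": "RAID not clean or active",
    "healthe2": "EJBCA healthcheck is not ALLOK",
    "healths2": "SignServer healthcheck is not ALLOK",
    "hsm3": "HSM not operational",
    "hsm5": "HSM battery not ok",
    "hsm8": "external HSM battery not ok",
    "maint1": "appliance offline or in maintenance",
}


def decode_name(oid):
    """Return (name, row) for an OID shaped BASE.<branch>.<len>.<chars...>.<row>."""
    arcs = tuple(int(a) for a in oid.strip().strip(".").split("."))
    if arcs[:len(BASE)] != BASE:
        raise ValueError(f"not under the appliance subtree: {oid}")
    rest = arcs[len(BASE):]
    if len(rest) < 4:
        raise ValueError(f"too short to carry a name: {oid}")
    length, chars, row = rest[1], rest[2:-1], rest[-1]
    # The length arc must match the number of character arcs, all printable ASCII.
    if length != len(chars) or not all(32 < c < 127 for c in chars):
        raise ValueError(f"malformed name encoding: {oid}")
    return "".join(map(chr, chars)), row


def parse_walk(text):
    """Map decoded names to raw string values from 'OID = TYPE: value' lines."""
    values = {}
    for line in text.splitlines():
        if " = " not in line:
            continue
        oid, raw = line.split(" = ", 1)
        try:
            name, _row = decode_name(oid)
        except ValueError:
            continue  # other MIBs (SNMPv2-MIB, HOST-RESOURCES-MIB) are ignored here
        values[name] = raw.split(": ", 1)[-1].strip().strip('"')
    return values


def evaluate(values):
    """Return alarm strings; a flag that is missing from the walk is also an alarm."""
    alarms = []
    for name, meaning in FLAGS.items():
        value = values.get(name)
        if value is None:
            alarms.append(f"{name}: no data returned")
        elif value != "0":
            alarms.append(f"{name}={value}: {meaning}")
    # Assumption: fewer active database nodes than the cluster size means lost redundancy.
    size, active = values.get("cluster2", ""), values.get("cluster3", "")
    if size.isdigit() and active.isdigit() and int(active) < int(size):
        alarms.append(f"cluster: only {active} of {size} database nodes active")
    return alarms


# Constructed sample input (not captured from a real appliance): RAID degraded,
# SignServer health flag missing, one of three database nodes inactive.
P = ".1.3.6.1.4.1.22408.1.1.2"
SAMPLE_WALK = f"""\
.1.3.6.1.2.1.1.5.0 = STRING: node1
{P}.1.2.118.109.1 = STRING: 0
{P}.1.4.118.100.98.50.1 = STRING: 0
{P}.1.4.102.97.110.53.1 = STRING: 0
{P}.1.4.102.97.110.54.1 = STRING: 0
{P}.1.5.114.97.105.100.49.1 = STRING: 1
{P}.1.8.104.101.97.108.116.104.101.50.1 = STRING: 0
{P}.2.4.104.115.109.51.1 = STRING: 0
{P}.2.4.104.115.109.53.1 = STRING: 0
{P}.2.4.104.115.109.56.1 = STRING: 0
{P}.1.6.109.97.105.110.116.49.1 = STRING: 0
{P}.1.8.99.108.117.115.116.101.114.50.1 = STRING: 3
{P}.1.8.99.108.117.115.116.101.114.51.1 = STRING: 2
"""

if __name__ == "__main__":
    for alarm in evaluate(parse_walk(SAMPLE_WALK)):
        print("ALARM", alarm)
```

Treating a missing flag as an alarm keeps the check from passing silently when SNMP is disabled or the appliance stops answering.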
Alternatively all OIDs can be reached by the following three snmpwalk commands (replace
the ip address with the one of your system):
8.8 Platform
In this view you can see the applications running on the PKI Appliance, update the firmware
and perform basic troubleshooting.
8.8.1 Applications
This gives you an overview of the applications that are installed on your platform, along with
their access URLs.
8.8.2 Updates
The WebConf allows you to update the software of the PKI Appliance over the network.
Special care needs to be applied if a cluster or one of its nodes is supposed to be upgraded
to a newer version. Please refer to chapter 9 HA Setup (page 78) for general information
about Clustering/High Availability Setup and 9.5.3 (page 84) for very detailed information
on how to update a cluster.
Starting with version 2.2.0, the PKI Appliance firmware is to be updated separately from
the applications installed on the platform of the PKI Appliance. You are supposed to upgrade
both the firmware and the application, starting with the firmware.
Versions older than 2.2.0 cannot be updated to anything newer through this WebConf
function. Please contact PrimeKey Support or your local PrimeKey Partner to obtain help
with upgrading your PKI Appliance to 2.2.0 and beyond.
Update Firmware
Select the desired firmware update file by pressing the Install Firmware button next to
the file name. This will trigger a background job of the update process. It will take a while,
so return to this view later to check if the update has finished. During the update the PKI
Appliance will stay fully operational. The updated firmware will not be used until the system
is rebooted.
Update Application
To update a COS application select the desired update file by pressing the Install Application
button next to the file name. This will trigger a background job of the update process. It
will take a while, so return to this view later to check if the update has finished. During
the update the PKI Appliance will be set into maintenance and the application will not be
available. The update will be used when the update process is finished.
8.8.3 Troubleshooting
The Troubleshooting section provides basic power-cycle functionality and shows the PKI
Appliance state including a list of reasons for maintenance and the functionality to set the
PKI Appliance Offline.
Starting with version 2.4.0, the PKI Appliance no longer has a default password configured
for access. This implies that you will have to set up your own means of authentication if
you need to access the platform. Please be aware that your SSH client will still ask you for a
password (and thus make it look like there is *some* password set up) if there is no cleartext
password defined. Defining either an SSH public key or a root password for SSH access will only
be possible after you have enabled SSH.
8.8.5 Support
The Support section provides access to already created ’Support Packages’ and the ability
to create new ’Support Packages’ manually. In addition an e-mail address is provided if you
need to get in contact with professional support for the PKI Appliance.
Part IV
Advanced
Chapter 9
HA Setup
complete key material on installation and no additional manual key synchronization will be
necessary.
2. On Node 1: Go to the HSM tab of the PKI Appliance WebConf and download a "Cluster
Key Synchronization Package" by clicking Download protected HSM backup.
3. On Node n: Go to the HSM tab of the PKI Appliance WebConf and upload the
package.
Since node 1 has higher database quorum vote weight, it is generally advised to generate
the keys there to avoid a reboot and potential downtime in a two node setup.
A cluster node will never forward traffic between two other nodes to avoid networking
loops. Compared to using the spanning tree protocol (STP), this means that a broken
network connection between two nodes will not trigger any downtime of other connections.
If you prefer the dynamic loop prevention behaviour, you could add managed switches in
front of the Application Interfaces of the PKI Appliances. Please note that if the network
topology change prevents network traffic between the nodes for too long, your cluster nodes
might stop operation and require manual interaction. Rapid Spanning Tree Protocol (RSTP)
might be an interesting alternative to STP in this case.
To avoid data loss, the manual interaction is required and the second node should only
be Forced into Active if the first node really is dead and will be replaced.
2. If possible, generate all keys in the HSM that will be used during the installation’s
lifetime to avoid manual key synchronization later.
3. Go to the Cluster subtab Configuration on the initial node in the PKI Appliance
WebConf and add a connection to where the next node’s Application Interface will be.
4. From the same subtab, download the setup bundle for the second node.
5. Factory reset the second node and connect to the web based installer
7. At this point, both network cables need to be connected to the second node. Start
the installation procedure.
8. After installation completes, you should be able to manage the new node using the
same credentials as the first one.
If the first node has been used for a while before the second node was connected, you
might need to wait until the data is fully synchronized, even after the cluster connection has
completed. When the Local node state in the WebConf’s Status tab shows Active, the
node is ready for use.
2. If possible, generate all keys in the HSM that will be used during the installation’s
lifetime to avoid manual key synchronization later.
3. Go to the Cluster subtab Configuration on the initial node in the PKI Appliance
WebConf and add the two connections to where the next nodes’ Application Interface
will be.
4. From the same subtab, download the setup bundle for the two new nodes.
5. Factory reset the second node and connect to the web based installer
6. Select Connect to cluster and upload the setup bundle for node 2.
7. At this point, both network cables need to be connected to node 2. Start the
installation procedure.
8. After installation completes, you should be able to manage the new node using the
same credentials as the first one.
9. Even if a full synchronization between the first and second node is still running at this
point, you can proceed with the cluster connection of the third node.
10. Factory reset the third node and connect to the web based installer
11. Select Connect to cluster and upload the setup bundle for node 3.
12. After installation completes, you should be able to manage the new node using the
same credentials as the first one.
If the first node has been used for a while before the two new nodes were connected, you
might need to wait until the data is fully synchronized, even after the cluster connection has
completed. When the Local node state in the WebConf’s Status tab shows Active, a node
is ready for use.
2. From the same subtab on one of the nodes, download the setup bundle for the new
node (n+1).
3. Factory reset the new node (n+1) and connect to the web based installer
When the Local node state in the WebConf’s Status tab shows Active, the new node is
ready for use.
After reboot, the WebConf will be reachable and operational, but the database will refuse
to start up in this situation, hence the applications will not yet be operational. The button
Force into Active that the WebConf offers should be used in this scenario to force the
cluster to continue operations from the restored data set.
5. After the cluster node has been rebooted, check that the node is operating correctly.
6. After you have confirmed that this node is up and running, verify that the entire cluster is in
good shape, i.e. that all of the nodes of your cluster confirm that the cluster
is back up and running with redundancy.
7. Announce this cluster node as operational again, or undo whatever else you did
in step 3.
8. Continue with updating your cluster by applying the same steps on the next cluster
node, restarting at step 1.
2. Wait a minute after all nodes have started to see if the cluster automatically becomes
Active.
3. If manual intervention is needed, select the node with the highest Last Transaction ID
and use Force into Active on this node (and only this node).
4. Wait until all N nodes are fully started and database status is Active on each node.
2. You might also want to make a last manual backup of the PKI Appliance.
3. We’ll assume here that you have announced this cluster node as being not operational
(e.g. disabled in a frontend load balancer) for the time of the change.
4. Now start the actual change by changing the Application Interface IP address on the
cluster node in WebConf, see chapter 8.2 Network on page 46.
5. Navigate your browser to the Cluster Configuration subtab of the WebConf on all of
the other cluster nodes.
6. Wait for the cluster node to appear offline/not connected in the cluster connections
table; the IP address should now be in an editable input field.
7. On each of the other cluster nodes, correct the application IP address of the cluster
node in the cluster table.
8. Confirm the operation by hitting Apply. You might have to wait a couple
of seconds before you are allowed to click that button.
9. After the cluster reconfiguration has finished, all cluster nodes should be connected to
all of the other cluster nodes.
10. When everything works as expected, remember to bring the node back into
the load balancer.
Chapter 10
Smart Card Handling
10.1 Introduction
Smart cards are, essentially, Hardware Security Modules (HSM). They might also be called
’chip cards’ or ’integrated circuit cards’. SIM cards in cellular mobile phones are also smart
cards. The smart cards that come with the PKI Appliance are preprogrammed cards with the
TCOS operating system (TeleSec Chipcard Operating System) and are, as can easily be seen,
branded by the manufacturer of the HSM that we incorporate in the PKI Appliance. Smart
cards can store some amount of information, organized in sets of so-called ’slots’. The data
sets can be configured to be protected with a Personal Identification Number (PIN) or not.
Also, the slots can have different PINs. This principle of different data across different slots
is the foundation of the PKCS#11 standard. The principle of having the card (ownership)
and the PIN (knowledge) is the foundation of Two-Factor Authorization.
this case, since all of the functions that we want to use of these smart cards always require
a PIN to be entered). The vendor of the HSM that we incorporate recommends the Model
"cyberJack e-com" from "Reiner SCT". The PIN Pad needs to be connected to one of the
USB ports of the PKI Appliance. The PKI Appliance itself has two USB ports on the front
and two on the back that can be used. Additionally, the HSM that we integrate into the PKI
Appliance has a USB port of its own on the back. This USB port cannot be used for the
PIN Pad. It is currently not possible to use this PIN Pad for PKI Appliance purposes
while it is connected to your workstation/web browser.
is encrypted with this Backup Key. This is why you need to have these smart cards at hand
if you want to restore a backup: The Backup Key that encrypts the backup files needs to
be uploaded to the HSM first. If you configure a PKI Appliance to be a node of a cluster,
you also need to have the smart cards at hand, since we initially load the HSM. The Backup
Key is spread across these smart cards using a quorum, see next section.
Please be aware that a Backup Key share cannot be restored if it has been
overwritten by mistake. This is a good reason to change the PIN of a smart card
right after a successful installation to prevent any mixup or mistake. Another
good practice might be to create copies of backup key share smart cards to be
stored in a safe place. Also it might be worth noting that the Backup Key cannot
be changed after installation; this would invalidate all existing backup files.
It shall be stated that the user credentials on a user smart card used for
PKCS#11 slot activation can not be copied one-to-one, unlike the backup key
share on a smart card.
In the case of the PrimeKey PKI Appliance, the software generates a 32-byte AES
key (symmetric cryptography) and offers the choices of ’2 out of 3’ and ’3 out of 5’. While
the latter obviously represents a higher level of security, please bear in mind that it implies
that you strictly need to have three of those 5 smart card owners available for a disaster
recovery, even if service availability agreements force you to bring the system back to life at
5 o’clock on a Sunday morning. This is often called the "Person Is There Always" scenario.
• Preamble
1. After plugging in the PIN Pad, the display will read something like the following:
REINER SCT
cyberJack e-com
This text will vanish with any PIN Pad operation. Therefore, if you have multiple
PIN Pad operations in one session, the display screen might be entirely blank when
you start this operation.
• Key generation: At first, a new Backup Key needs to be generated and the Backup
Key Shares need to be written to the smart cards.
2. Shortly after starting the installation (as in 5.12 on page 29), the PIN Pad will
read:
Write New Key
press OK/Cancel
This is only the notification that we are now going to write a new key / key
shares to the smart cards. Any former Backup Key Share on these smart cards
will be overwritten. A smart card cannot store more than one Backup Key Share.
A smart card cannot be used to save two different Backup Key Shares for two
different PKI Appliance environments. Every node in a cluster uses the same
Backup Key, thus any set of Backup Key Share smart cards will work with every
node in a cluster.
3. As soon as you acknowledge this by hitting the green OK button, the procedure will
continue with:
Insert 1. card
press OK/Cancel
This is the instruction that the first of the smart cards should be inserted.
4. You should proceed by inserting the first smart card of the set and pressing the
green OK button again. The next message of the display will be:
Enter PIN
******
Those asterisks appear for every digit of the PIN you enter. The PIN of a fresh
and unused smart card delivered with the PKI Appliance is ’123456’ until it has
been manually changed (see chapter 8.4.2.2 on page 67). The fact that you have
to enter the PIN only once is an indication that you are not defining the PIN
(setting the PIN or changing the PIN), but only authenticating (proving you are
the legitimate owner of the smart card). You can restart the entry of the PIN
by pressing the yellow Clear button or you can abort the entire operation with
the red Cancel button. If you confirm with the green OK button, there will be a
short screen indicating some ongoing operation. Do not remove the smart card
while this operation is in progress.
5. After the short screen indicating the ongoing operation, you’ll see this:
Insert 2. card
press OK/Cancel
This is the instruction that the second smart card of the set should be inserted.
A smart card should not be removed from the PIN Pad before the display clearly
shows that it is asking for the next smart card.
6. First, remove the smart card that is in the PIN Pad and insert the second of the
smart cards, then continue by pressing the green OK button:
Enter PIN
******
This is where you enter the PIN of the second smart card.
7. After the short screen indicating the ongoing operation, you’ll see this:
Insert 3. card
press OK/Cancel
This is the instruction that the third smart card of the set should be inserted.
8. Insert the third of the smart cards and continue by pressing the green OK button:
Enter PIN
******
This is where you enter the PIN of the third smart card.
• Key Reading:
9. After the Backup Key has been generated and the shares have been written onto
the smart cards, the Backup Key needs to be loaded into the HSM, therefore the
Backup Key needs to be reconstructed by reading it from the smart cards. Since
the Backup Key is based on the quorum of ’3 out of 5’ or in this example ’2 out
of 3’ (see 10.4), the complete Backup Key can be reconstructed by reading only
2 smart cards (or 3 smart cards in the scenario of ’3 out of 5’). In consequence,
it does not matter in which order the cards are read.
Read New Key
press OK/Cancel
This is the notification that we are now going to read the new key / key shares
from the smart cards.
10. If you acknowledge this by hitting the green OK button, the procedure will continue
with:
Insert 1. card
press OK/Cancel
This is the instruction that the first of the smart cards should be inserted. When
reading back in the key in the ’2 out of 3’ scenario, any two Backup Key Share
smart cards will do (as long as you insert two different smart cards rather than
inserting the same smart card twice), although the display will ask for the ’1.’ and
’2.’. In consequence, the first smart card to read the key can be the third smart
card that was written to. So, for convenience, you can leave the smart card in the
device and enter its appropriate PIN.
11. You should proceed by pressing the green OK button again. The next message
of the display will be:
Enter PIN
******
This is where you enter the PIN. If you confirm with the green OK button, there
will be a short screen indicating some ongoing operation.
12. After the short screen indicating the ongoing operation, you’ll see this:
Insert 2. card
press OK/Cancel
This is the instruction that the second smart card of the set should be inserted,
which again can be any other of the smart cards.
13. Insert the next smart card and continue by pressing the green OK button:
Enter PIN
******
This is where you enter the PIN. After confirming this with the green OK button,
this operation is completed.
• running into a timeout (a timeout message will not be visible on the PIN Pad
display, only in WebConf)
• entering a wrong PIN for one smart card three times in a row (the smart card will
be blocked)
• failing to enter two different smart cards for the "Key Reading" part of the sequence
(3 cards in case of the ’3 out of 5’ scenario)
• inserting a smart card different than the smart cards delivered by PrimeKey
Any reason that causes the installation sequence to abort will leave the machine
in an inconsistent state. You will have to do a full Factory Reset as described
in chapter 5.1 on page 15 and restart the installation process.
recovery site, for example. You should create a backup set of the Backup Key share smart
cards. Please keep in mind that the Backup Key share smart cards should never be kept
close to the backup of the PKI Appliance. Since each card is unique, this function cannot
be used to recover lost cards in a card set. However, if for whatever reason you need a ’2 out
of 2’ scenario, this function allows you to copy the data from the second smart card to the
third smart card, effectively overwriting the Backup Key share on the third smart card.
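The quorum behaviour described in this chapter (’2 out of 3’ or ’3 out of 5’, any distinct cards in any order, and the ’2 out of 2’ effect of copying one share over another) can be reproduced with a threshold secret-sharing scheme. The following is an added example, not PrimeKey's code: the manual does not name the scheme the appliance uses, so Shamir's secret sharing over a prime field is assumed here, and the names split_key, combine_shares, demo and P are hypothetical.

```python
import secrets
from itertools import permutations

# Assumption: Shamir's scheme over the prime field GF(P); the manual does not
# name the appliance's actual scheme. 2**521 - 1 is a Mersenne prime > 2**256.
P = 2**521 - 1
KEY_LEN = 32  # the manual states a 32-byte AES Backup Key


def split_key(key: bytes, k: int, n: int) -> list:
    """Return n shares (card_number, value); any k distinct ones rebuild key."""
    if len(key) != KEY_LEN or not 2 <= k <= n:
        raise ValueError("need a 32-byte key and 2 <= k <= n")
    # Random polynomial of degree k-1 with the key as its constant term.
    coeffs = [int.from_bytes(key, "big")]
    coeffs += [secrets.randbelow(P) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner evaluation of the polynomial mod P
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def combine_shares(cards: list, k: int) -> bytes:
    """Rebuild the key from the cards read; the reading order does not matter."""
    points = dict(cards)  # reading the same share twice collapses to one point
    if len(points) < k:
        raise ValueError(f"quorum not met: {len(points)} distinct share(s), need {k}")
    chosen = list(points.items())[:k]
    secret = 0
    for xi, yi in chosen:  # Lagrange interpolation evaluated at x = 0
        num = den = 1
        for xj, _ in chosen:
            if xj != xi:
                num = num * -xj % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret.to_bytes(KEY_LEN, "big")


def demo() -> dict:
    key = secrets.token_bytes(KEY_LEN)  # constructed sample key
    cards = split_key(key, k=2, n=3)
    # '2 out of 3': every ordered pair of distinct cards rebuilds the key.
    any_two = all(combine_shares(list(p), 2) == key for p in permutations(cards, 2))
    # Copy function: card 3 is overwritten with card 2's share ('2 out of 2').
    copied = [cards[0], cards[1], cards[1]]
    try:
        combine_shares([copied[1], copied[2]], 2)
        copy_pair_ok = True
    except ValueError:
        copy_pair_ok = False  # cards 2 and 3 now count as one share
    card1_plus_copy = combine_shares([copied[2], copied[0]], 2) == key
    return {"any_two": any_two, "copy_pair_ok": copy_pair_ok,
            "card1_plus_copy": card1_plus_copy}


if __name__ == "__main__":
    print(demo())
```

After the copy, card 1 becomes mandatory for every restore, which is why the copy function reduces the set to ’2 out of 2’ rather than adding redundancy.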
10.6.2 Change the PIN of the backup key share on a smart card
This allows you to change the PIN of the backup key share on a smart card. This should
absolutely be done with each of the Backup Key Share smart cards. This is the easiest
way to prevent a mix-up or accidental overwriting of the contents of a smart card. This
function can also be used if the card is being assigned to another person of the company.
This function can also be used on a smart card that comes originally from another PKI
Appliance.
Chapter 11
PKCS#11 Slot Smart Card Activation
11.1 Introduction
All sensitive cryptographic material of the PKI Appliance is stored on a Hardware Security
Module (HSM). This HSM protects your key material against physical attacks. The
keys required by the PKI Appliance and your infrastructure are organized in so-called slots,
commonly used with the cryptographic API PKCS#11. To operate on these keys, these
slots must be activated with some authentication code. Depending on your requirements
for availability, usability and security, you can select whether those authentication codes
should be stored on the PKI Appliance or not. This can be chosen per slot. Slots with
stored authentication codes can be auto-activated for immediate availability. The generated
and automatically stored authentication codes are of very high quality. This choice can be
changed even later during the operation of the PKI Appliance.
If even manually entered authentication codes do not meet the security requirements, there
is an option for a two-factor authorization: It is possible to additionally require an activation
with smart cards for one or more slots. This choice has to be made during installation.
11.2 Installation/Configuration
PKCS#11 slot smart card activation can be enabled per slot but only during the installation
of the PKI Appliance. To do so, untick (Automatically generated) Authentication
Code for the slot you want to give more security. You will then be given the possibility to tick
Smart card activated for that slot. Then you will see some more options available for the
general slot smart card activation settings. You still have to define an authentication code
per slot. You can either choose something trivial like 1234 since you are relying on external
secrets anyway, or you can make it even more secure by defining a real secret authentication
code which will be required additionally upon activation.
! Unlike the backup key share on the smart cards, the user credentials can not
be copied from card to card. A lost, broken or blocked smart card can not
be replaced. Therefore the PKI Appliance offers to create sufficient copies,
once and for all.
The default setting of the PKI Appliance is to create 2 smart cards with the same user
credential.
11.2.4 Procedure
For every slot activation user that has been chosen, the following procedure will first run
during the installation:
• For every copy that has been chosen, the user credentials will be written to a smart
card. It is required to enter the PIN (default PIN on delivery: 123456) and acknowledge
with "OK".
• The user credentials (only public key) are read into the HSM; it is only required
to press the OK button.
After the installation, it is strongly advised to change the PINs of the smart cards through
the WebConf.
! The user cards will always be required in ascending order, always starting
with User 1.
Whenever a PKCS#11 slot activation with smart card goes wrong, the internal PKI
Appliance mechanism will restart all applications, which in turn requires all slots
to be activated again.
Chapter 12
Audible Feedback
For an improved feedback, the PrimeKey PKI Appliance has the functionality of issuing some
status sound tunes in situations where we found it helpful in our own testing.
The following is a list of the sounds that the machine might make:
• BIOS startup sound: The BIOS (Basic Input Output System, an archaic bootloader of
the x86 architecture) of the PKI Appliance also tries to give some status information
through a series of short high and low-pitched beeps very soon after switching on the
machine.
• Booting Done: The PKI Appliance has an overall boot time of about 5 minutes before
any configuration can take place, during which a boot progress is shown to the front
panel display as well as the WebConf. The PKI Appliance announces the end of this
boot period with a 3-tone sound similar to a short fanfare; ta-ta-taaa.
• Factory Reset: If the concealed Factory Reset button has been pressed (see chapter 5.1
on page 15), the machine will acknowledge this with a 4-tone sound similar to an alarm
sound; low-high-low-high. Usually, you should be able to hear this acknowledgement within
5 to 15 seconds after hitting the concealed button. Under certain circumstances, such
as if you press that button twice in a very short timespan of only a few seconds, it may
take up to several minutes for the system to detect this condition. You should not try
to reboot the system before having gotten any acknowledgement about the pressed
Factory Reset button.
• PIN Pad Interaction: Ever since version 2.2.0 of the PKI Appliance, there is a small
sound to raise your attention to the PIN pad. For some operations, you have only
about 15 seconds to insert the correct smart card and enter the right PIN to it. The
PKI Appliance will also try to give you a hint on which smart card operation is required
by a short message on the PKI Appliance physical front display. The message will be
visible only shortly though. During Wizard operations like installation, restoring of a
backup or adding this PKI Appliance to an existing cluster, there will be more ample
explanations in your browser. This sound is a short double; bee-beep.
• The machine has more audible feedback for internal uses of manufacturing and testing.
Chapter 13
Appendix Documents
PKI Appliance by PrimeKey
Model Specification

PrimeKey PKI Appliance is the easiest and most efficient way to deploy and manage an
enterprise PKI system. With a pre-packaged solution you are quickly up and running without
the hassles of complex installation and integration procedures.

PrimeKey PKI Appliance offers a complete feature set needed to operate a full blown, highly
available PKI. It is based on PrimeKey EJBCA Enterprise, with easy to use management
functions, high-performance hardware and a built-in FIPS 140-2 Level 3 certified Hardware
Security Module (HSM).

Depending on the requirements PrimeKey offers four different PKI appliance models to
address different needs.

Small
PKI Appliance Small includes EJBCA Enterprise with a core library for Certificate Authority
(CA) functionality for an unlimited number of CAs. EJBCA Enterprise is certified with
Common Criteria EAL 4+. The Small model supports operating multiple, independent PKI
hierarchies within one installation and a Registration Authority (RA) with role based access
control and approval mechanisms. PKI Appliance Small is ideal for an offline Root CA in a
PKI deployment.

Medium
In addition to the functionality of PKI Appliance Small, the Medium model also includes
highly flexible integration interfaces based on web services, REST API and support for
CMP v2 RFC 4210, SCEP, EST. Certificate data is synchronized in real-time between CA and
VA, and between CA and RA instances via dedicated secure channels called Peer Systems.

Large
The largest model of PKI Appliance includes all functionality you find in the two previous
models and an extended capacity when it comes to certificate storage. PKI Appliance Large
supports 20 million certificates.

Validation Authority (VA)
The PKI Appliance VA model includes support for CRL distribution and OCSP. Revocation
information is synchronized in real-time between CA and VA via dedicated secure channels
called Peer Connectors. Utilizing dedicated VA Appliances can massively increase security
of an infrastructure as it is best placed in the DMZ and isolated from the CA Appliances
allowing only one way secure connections from CA to VA instances.

Model Specification
Enterprise & Prime Enterprise & Prime Enterprise & Prime Enterprise & Prime
LFS* LFS* LFS* LFS*

Protocols & API’s
OCSP - - -
SCEP - -
CMP - -
EST - -
WebServices API -
REST API - -
CLI

Key Features
Certificate Capacity <100 8M 20 M N/A
Secure & Automated Backup Mechanism
2 Factor Authentication
FIPS 140/2 Level 3 validated HSM inside
Dedicated Mng & App Interfaces
Clustering -
Dual power supply
SNMP, Syslog, Audit Log

Accessories
SmartCards 10 10 10 -
PinPad Reader - 1 1 -
External Battery adapter Optional Optional Optional

Performance (opp/sec) Cert. issuance Responses
Audit log on/off Audit log off
RSA 1024 SHA 1 with RSA 5/30 28/101 28/101 450
RSA 2048 SHA 256 with RSA 1/10 26/79 26/79 80
RSA 4096 SHA 512 with RSA 0,5/0,5 9/11 9/11 11
EC secp256r1 SHA256withECDSA 5/43 25/98 25/98 490
EC secp384r1 SHA384withECDSA 4/21 24/95 24/95 380
EC secp521r1 SHA512withECDSA 3/9 23/88 23/88 190

Technical specifications
Form Factor 2U
Dimensions 88,4 x 430 x 633mm (3 1/2 x 17 x 25 inch)
Weight 12,5kg (27.5lb)
Operational Environment +10°C - +50°C (+50°F - 122°F)
Storage Environment -10°C - +55°C (+14°F - 131°F)
Safety Agency Approval CE, RoHS, FCC
Power Supply Dual 500W
AC Power 110/240V, 50/60Hz
Power Consumption typ. 80W, max 135W

For testing purposes, it is possible to run CA, VA and RA on one single instance of the appliance.
© PrimeKey Solutions AB
All rights reserved
sales@primekey.com
+46 873 561 01
www.primekey.com