
TL;DR: This guide shows how to enable CMP on an EJBCA Community server and how to perform certificate enrollment (Init + Confirm), renewal, and revocation from a Scala backend. Two client examples are included: one using Play's WSClient and another using Java 11 HttpClient. Production tips include using AWS S3 + KMS to back up and protect private keys.

EJBCA Community Edition (latest Community release you can get; this guide uses the HTTP CMP endpoints).
Java 11+ (server and client).
Scala 2.13+ or 3.x, and Play Framework 2.8+ if you use the Play example.
BouncyCastle (bcprov, bcpkix) for CMP and ASN.1 helpers.
build.sbt (minimal): Note: adjust versions to match your project.

2 EJBCA: enable CMP (HTTP) endpoint, quick steps

Log into the EJBCA Admin GUI.
Create or identify the CA you want to enroll certificates against.
In System Configuration -> CMP (or similar, depending on version), add/enable an alias for HTTP CMP (e.g. cmpiam) and set a shared secret for password-based MAC protection.
Ensure the CA has CMP enabled and that the alias maps to it.
You may need to trust the server certificate chain on your client.

Minimal application.conf: Production: do NOT put secrets in plaintext. Use your secret manager. In production we used AWS KMS + S3 to encrypt and back up PKCS#12 files. I removed that from the runnable example to keep the guide focused and reproducible.
Enable HTTP CMP on EJBCA Community by adding an HTTP CMP alias, mapping it to the CA, and setting a shared secret for password-based MAC (PKMAC) protection. Use Java 11+ and Scala 2.13+/3.x (Play Framework 2.8+ optional) with BouncyCastle (bcprov, bcpkix) for CMP and ASN.1 handling. Implement the CMP Init + Confirm exchange for enrollment, and support renewal and revocation flows in the backend. The two client examples use Play WSClient and Java 11 HttpClient respectively. In production, keep private keys and the shared secret out of plaintext configuration and in a secret manager; the recommended backup scheme encrypts PKCS#12 files with AWS KMS and stores them in S3.
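The Init + Confirm exchange summarised above, written out as an added example in Scala with BouncyCastle (this is not the article's code or EJBCA's). It builds a password-MAC-protected Initialization Request (ir), verifies the MAC and transaction ID on the Initialization Response (ip) before trusting the issued certificate, and then sends the Certificate Confirm (certConf) that completes enrollment. The host name, subject names and the CMP_SHARED_SECRET environment variable are placeholders; the alias name cmpiam comes from the guide, and the /ejbca/publicweb/cmp/<alias> path is EJBCA's standard HTTP CMP endpoint.

```scala
// Added example (not from the article): CMP ir -> ip -> certConf against an
// EJBCA HTTP CMP alias using BouncyCastle bcprov/bcpkix and Java 11 HttpClient.
import java.math.BigInteger
import java.net.URI
import java.net.http.{HttpClient, HttpRequest, HttpResponse}
import java.security.{KeyPairGenerator, PublicKey, SecureRandom}
import java.util.{Arrays, Date}
import org.bouncycastle.asn1.cmp.{CertRepMessage, PKIBody, PKIMessage}
import org.bouncycastle.asn1.crmf.CertReqMessages
import org.bouncycastle.asn1.x500.X500Name
import org.bouncycastle.asn1.x509.GeneralName
import org.bouncycastle.cert.X509CertificateHolder
import org.bouncycastle.cert.cmp.{CertificateConfirmationContentBuilder, GeneralPKIMessage, ProtectedPKIMessage, ProtectedPKIMessageBuilder}
import org.bouncycastle.cert.crmf.PKMACBuilder
import org.bouncycastle.cert.crmf.jcajce.{JcaCertificateRequestMessageBuilder, JcePKMACValuesCalculator}
import org.bouncycastle.operator.jcajce.JcaDigestCalculatorProviderBuilder

object CmpEnrollment {
  private val random = new SecureRandom()
  private def nonce(): Array[Byte] = { val b = new Array[Byte](16); random.nextBytes(b); b }

  // Wrap a body in a PKIHeader and protect it with the alias' shared secret (PBM).
  private def protect(subject: X500Name, ca: X500Name, secret: Array[Char],
                      body: PKIBody, txId: Array[Byte]): Array[Byte] = {
    val mac = new PKMACBuilder(new JcePKMACValuesCalculator()).build(secret)
    new ProtectedPKIMessageBuilder(new GeneralName(subject), new GeneralName(ca))
      .setBody(body)
      .setTransactionID(txId)      // ties ir, ip and certConf together
      .setSenderNonce(nonce())
      .setMessageTime(new Date())
      .build(mac)
      .toASN1Structure
      .getEncoded
  }

  // Initialization Request carrying a CRMF template for the new key.
  def buildInitRequest(subject: X500Name, ca: X500Name, secret: Array[Char],
                       pub: PublicKey, certReqId: BigInteger, txId: Array[Byte]): Array[Byte] = {
    val certReq = new JcaCertificateRequestMessageBuilder(certReqId)
      .setSubject(subject).setPublicKey(pub).build()
    protect(subject, ca, secret,
      new PKIBody(PKIBody.TYPE_INIT_REQ, new CertReqMessages(certReq.toASN1Structure)), txId)
  }

  // Verify the ip before accepting anything from it: MAC, transaction ID, body type, status.
  def parseInitResponse(encoded: Array[Byte], secret: Array[Char], txId: Array[Byte]): X509CertificateHolder = {
    val msg = new ProtectedPKIMessage(new GeneralPKIMessage(PKIMessage.getInstance(encoded)))
    require(msg.hasPasswordBasedMacProtection, "expected a PBM-protected ip")
    require(msg.verify(new PKMACBuilder(new JcePKMACValuesCalculator()), secret), "ip MAC verification failed")
    require(Arrays.equals(msg.getHeader.getTransactionID.getOctets, txId), "transactionID mismatch")
    require(msg.getBody.getType == PKIBody.TYPE_INIT_REP, s"unexpected body type ${msg.getBody.getType}")
    val resp = CertRepMessage.getInstance(msg.getBody.getContent).getResponse()(0)
    val status = resp.getStatus.getStatus.intValue()   // 0 = accepted, 1 = grantedWithMods
    require(status == 0 || status == 1, s"enrollment rejected, PKIStatus=$status")
    new X509CertificateHolder(resp.getCertifiedKeyPair.getCertOrEncCert.getCertificate.getX509v3PKCert)
  }

  // Certificate Confirm: hash of the accepted certificate, keyed by certReqId.
  def buildCertConfirm(subject: X500Name, ca: X500Name, secret: Array[Char],
                       cert: X509CertificateHolder, certReqId: BigInteger, txId: Array[Byte]): Array[Byte] = {
    val content = new CertificateConfirmationContentBuilder()
      .addAcceptedCertificate(cert, certReqId)
      .build(new JcaDigestCalculatorProviderBuilder().build())
    protect(subject, ca, secret, new PKIBody(PKIBody.TYPE_CERT_CONFIRM, content.toASN1Structure), txId)
  }

  // Java 11 HttpClient transport; CMP over HTTP uses the application/pkixcmp media type.
  def post(endpoint: String, request: Array[Byte]): Array[Byte] = {
    val req = HttpRequest.newBuilder(URI.create(endpoint))
      .header("Content-Type", "application/pkixcmp")
      .POST(HttpRequest.BodyPublishers.ofByteArray(request)).build()
    val resp = HttpClient.newHttpClient().send(req, HttpResponse.BodyHandlers.ofByteArray())
    require(resp.statusCode() == 200, s"CMP endpoint returned HTTP ${resp.statusCode()}")
    resp.body()
  }

  def main(args: Array[String]): Unit = {
    val endpoint = "https://ejbca.example.internal/ejbca/publicweb/cmp/cmpiam" // placeholder host, guide's alias
    val subject  = new X500Name("CN=backend-service-01,O=Example")            // placeholder
    val ca       = new X500Name("CN=ExampleIssuingCA,O=Example")              // placeholder
    val secret   = sys.env.getOrElse("CMP_SHARED_SECRET", sys.error("set CMP_SHARED_SECRET")).toCharArray
    val kpg = KeyPairGenerator.getInstance("RSA"); kpg.initialize(2048)
    val kp = kpg.generateKeyPair()            // private key never leaves the process here
    val txId = nonce(); val certReqId = BigInteger.ONE
    val cert = parseInitResponse(post(endpoint, buildInitRequest(subject, ca, secret, kp.getPublic, certReqId, txId)), secret, txId)
    post(endpoint, buildCertConfirm(subject, ca, secret, cert, certReqId, txId))
    println(s"issued ${cert.getSubject} serial ${cert.getSerialNumber}")
  }
}
```

The checks in parseInitResponse are the part worth copying: an ip whose MAC does not verify under the alias secret, or whose transactionID differs from the one sent, is discarded before the certificate inside it is touched, and EJBCA only treats the enrollment as complete once the certConf arrives. The private key generated here is the one the article recommends wrapping in a PKCS#12 and protecting with KMS before any backup to S3.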
Read at medium.com