Enigma Bridge PKI uses EJBCA as the PKI engine. The security of the PKI engine is paramount for the security and trustworthiness of your certificates. One of the strongest authentication mechanisms is client-side HTTPS (TLS) authentication, and EJBCA uses it as the default one.


Users have to install their client authentication key before they can connect to the PKI web interface. The key is generated automatically by the installation script; you have to download it and install it on your management "console" (i.e., your laptop).


Steps to complete first:

  1. Start Amazon Enigma Bridge PKI instance
  2. Connect to AMI instance via Putty SSH client software
  3. Initialize the EB PKI system

What you need:
  1. domain name of your new PKI system
  2. password for the 'ejbca-admin.p12' file - this was displayed at the end of the EB PKI initialization (the previous step)
  3. optional: fingerprint of your server to verify it when connecting to it with WinSCP

Procedure
Download A Key-File From the Enigma Bridge PKI Instance
  1. Simple but non-GUI option: the "scp" command, if available, or "pscp", which is part of the PuTTY application. We leave this option for geeks.
  2. GUI option: WinSCP, described in the following steps.
  3. Download WinSCP from https://winscp.net/eng/download.php
  4. Install it as usual on your Windows computer.
  5. Start WinSCP by selecting it from the list of installed applications.
  6. Enter the domain name <yourPKI>.pki.enigmabridge.com as "Host name".
  7. Select the path to the *.ppk private key used for AMI instance authentication.

  8. Save the connection details in WinSCP with the 'Save' button for later use.




  9. Click the 'Login' button to connect to the AMI instance.



  10. If required, verify the server's fingerprint and confirm with the 'Yes' button if the fingerprints match.


  11. Once logged in to your PKI system, find the 'ejbca-admin.p12' file in the "/root" folder and copy it to your computer.


  12. At this point, you have the authentication key file on your computer. The next step is to import it into your operating system.

Import EJBCA client certificate for management

  1. Find the downloaded 'ejbca-admin.p12' file and open it (e.g., with double-click on its name in Windows Explorer).
  2. Keep the store location 'Current User' and click the 'Next' button.



  3. Click the 'Next' button to continue with the import.


  4. Enter the password for the key import obtained during the AMI instance setup.



  5. Keep the option 'Automatically select the certificate store...' and click the 'Next' button.



  6. Complete the import of the certificate by clicking the 'Finish' button.



  7. Because you know where the key file came from, you can confirm the security warning about importing the new Certification Authority (CA) certificate by clicking "Yes".




  8. Delete the 'ejbca-admin.p12' file as it is no longer needed (remove it from the Recycle Bin as well).
  9. Your client authentication certificate is now installed in your local certificate store and usable by common browsers such as MS Internet Explorer, MS Edge, Google Chrome, etc.
  10. Mozilla Firefox uses its own certificate store. If you use Firefox, please import the certificate via
    Firefox→Preferences→Advanced→Certificates→View certificates→Import
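
For the "scp / pscp" option mentioned in the download section, the download, inspection, import and cleanup steps above can also be done from a PowerShell prompt. This is an added example, not part of the Enigma Bridge guide or its scripts; it assumes pscp.exe from PuTTY is on the PATH, that the host name and .ppk path placeholders are replaced with your own values, and that the built-in PKI module (Windows 8 / Server 2012 or later) is available.

```powershell
# Added example: command-line equivalent of the WinSCP download and the
# certificate import wizard. Host name and key path are placeholders.
param(
    [string]$PkiHost = '<yourPKI>.pki.enigmabridge.com',   # placeholder
    [string]$PpkKey  = "$env:USERPROFILE\keys\ebpki.ppk",   # placeholder .ppk path
    [string]$Local   = "$env:TEMP\ejbca-admin.p12"
)

# 1. Download /root/ejbca-admin.p12 with pscp (PuTTY's scp). On first use pscp
#    asks you to confirm the server's SSH fingerprint; compare it with the
#    fingerprint noted during initialization before answering 'y'.
& pscp.exe -i $PpkKey "root@${PkiHost}:/root/ejbca-admin.p12" $Local
if ($LASTEXITCODE -ne 0) { throw "pscp failed (exit code $LASTEXITCODE)" }

# 2. Ask for the P12 password shown at the end of EB PKI initialization.
$p12Password = Read-Host -Prompt 'Password for ejbca-admin.p12' -AsSecureString

# 3. Inspect the bundle before importing it: the admin certificate plus the CA
#    certificate(s) it carries. These are what the GUI wizard's "new
#    Certification Authority" warning refers to.
$data = Get-PfxData -FilePath $Local -Password $p12Password
$data.EndEntityCertificates | Format-List Subject, Issuer, NotAfter, Thumbprint
$data.OtherCertificates     | Format-List Subject, Thumbprint

# 4. Import into the current user's personal store. Without -Exportable the
#    private key is marked non-exportable, which a browser-only admin key
#    does not need.
$cert = Import-PfxCertificate -FilePath $Local `
            -CertStoreLocation Cert:\CurrentUser\My -Password $p12Password

# 5. Confirm the certificate landed together with its private key.
if (-not $cert.HasPrivateKey) { throw 'Imported, but no private key is attached' }
"Imported {0} (thumbprint {1})" -f $cert.Subject, $cert.Thumbprint

# 6. Remove the downloaded file. Remove-Item bypasses the Recycle Bin, so the
#    separate "empty the Recycle Bin" step of the GUI flow is not needed.
Remove-Item -Path $Local -Force
```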

Access your PKI Frontend (demonstrated with the MS Edge browser)
  1. Start the MS Edge or Google Chrome browser and type the URL obtained during the PKI initialization, e.g.
     https://bristol4.pki.enigmabridge.com:8443/ejbca/adminweb/
  2. Confirm the use of the TLS certificate for client authentication by clicking the 'OK' button.


  3. Confirm access to the private key of this TLS certificate.


  4. Finally, you should see the front end of your PKI system as the administrator.
