The first step is to find us in the AWS Marketplace. Once you've chosen the AMI size and confirmed other configuration options as required by AWS, you will have a new EC2 instance running.


The next step is configuration. At the moment, the installation is implemented for ssh connections, so you have to log in to the new EC2 instance via ssh, as described in the Amazon article "Connecting to your Linux Instance using SSH". In most cases, you just run the command:

> ssh -i <file with your private key> ec2-user@<url of the new instance>


Once logged in, you change your username and initialize the PKI with the commands:

> sudo ebaws

> init


This is an example of what you will see:

[ec2-user@ip-172-31-41-79 ec2-user]# ebaws
--------------------------------------------------------------------------------
    Enigma Bridge AWS command line interface.
    For help, type usage

    init - initializes the EJBCA instance
--------------------------------------------------------------------------------
$> init
Going to initialize the EB identity
WARNING! This is a destructive process!
WARNING! The previous installation will be overwritten.

Do you really want to proceed? (Y/n): y
Please enter your email address [empty]: dusan@enigmabridge.com
Is this email correct? "dusan@enigmabridge.com" (Y/n):y

Total memory in the system is low: 995 MB, installation requires at least 2GB
New swap file will be installed in /var
Do you really want to proceed? (Y/n): y
1024+0 záznamů přečteno
1024+0 záznamů zapsáno
1 073 741 824 bajtů (1,1 GB) zkopírováno, 77,3837 s, 13,9 MB/s

New swap file was created /var/swap_0000.bin 995 MB and activated

/usr/local/lib/python2.7/site-packages/OpenSSL/rand.py:58: UserWarning: implicit cast from 'char *' to a different pointer type: will be forbidden in the future (check that the types are as you expect; use an explicit ffi.cast() if they are correct)
  result_code = _lib.RAND_bytes(result_buffer, num_bytes)

New domains registered for this host:
  - rm1.pki.enigmabridge.com
  - romford1.pki.enigmabridge.com

New configuration was written to: /etc/enigma/config.json

SoftHSMv1 configuration has been backed up to: None
New SoftHSMv1 configuration has been written to: /etc/softhsm.conf

SoftHSMv1 initialization: The token has been initialized.

Going to install EJBCA
  This may take 5-15 minutes, please, do not interrupt the installation
  and wait until the process completes.

- Updating settings
- Restarting JBoss, please wait...
- Cleaning JBoss environment (DB backup)
........................
- Restarting JBoss, please wait...
...
- Deploying EJBCA
............................ (8 lines of dots)
- Installing EJBCA
............................. (5 lines of dots)
EJBCA installed successfully.

Going to generate EnigmaBridge keys in the crypto token:
..................
EnigmaBridge tokens generated successfully
You can use these newly generated keys for your CA or generate another ones with:
  sudo -E -H -u jboss /opt/ejbca_ce_6_3_1_1/bin/pkcs11HSM.sh generate /usr/lib64/softhsm/libsofthsm.so 2048 signKey 0
  sudo -E -H -u jboss /opt/ejbca_ce_6_3_1_1/bin/pkcs11HSM.sh generate /usr/lib64/softhsm/libsofthsm.so 2048 defaultKey 0
  sudo -E -H -u jboss /opt/ejbca_ce_6_3_1_1/bin/pkcs11HSM.sh generate /usr/lib64/softhsm/libsofthsm.so 1024 testKey 0

Adding EnigmaBridge crypto token to EJBCA:

EnigmaBridgeToken added to EJBCA

Installing LetsEncrypt certificate for: rm1.pki.enigmabridge.com
....
Certbot command failed: sudo -E -H /usr/local/bin/certbot certonly --standalone --text -n --agree-tos --email support@enigmabridge.com  -d "rm1.pki.enigmabridge.com"
For more information please refer to the log file: /tmp/certbot.log

Download p12 file /home/ec2-user/ejbca-admin.p12
e.g.: scp ec2-52-211-204-100.eu-west-1.compute.amazonaws.com:/home/ec2-user/ejbca-admin.p12 .
Export password: lX0gU8dOZAutOIjO


Once you import p12 file to your browser you can connect to the admin interface at
https://rm1.pki.enigmabridge.com:8443/ejbca/adminweb/
https://ec2-52-211-204-100.eu-west-1.compute.amazonaws.com:8443/ejbca/adminweb/



When the configuration completes, you need to install authentication keys, as the PKI system requires strong client authentication. Details of the key and how to obtain it are shown in the ssh console: see the "Download p12 file" and "Export password" lines in the output above.


The web interface of the PKI is available at your new domain, which is automatically re-assigned to the correct IP address each time you re-boot the EC2 instance. It is https://rm1.pki.enigmabridge.com:8443/ejbca/adminweb/ in this example.
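
The installer output above carries three things worth checking after a run: the registered host names, whether the Let's Encrypt step failed (as it did in the sample), and the p12 export password, which should be redacted before a transcript is stored or shared. The shell script below is an added example, not part of the Enigma Bridge tooling. Its function names and the SAMPLE_LOG variable are assumptions, and the sample transcript is constructed from lines shown above, abridged and with a placeholder password.

```shell
#!/bin/sh
# Added example: review a saved transcript of the `init` run.
# SAMPLE_LOG is constructed from lines in the sample output (abridged);
# the export password is a placeholder.
SAMPLE_LOG='New domains registered for this host:
  - rm1.pki.enigmabridge.com
  - romford1.pki.enigmabridge.com

New configuration was written to: /etc/enigma/config.json
Installing LetsEncrypt certificate for: rm1.pki.enigmabridge.com
....
Certbot command failed: sudo -E -H /usr/local/bin/certbot certonly --standalone
For more information please refer to the log file: /tmp/certbot.log

Download p12 file /home/ec2-user/ejbca-admin.p12
Export password: EXAMPLE-PLACEHOLDER'

# Host names the installer registered, one per line.
registered_domains() {
    printf '%s\n' "$1" | awk '
        /^New domains registered for this host:/ { in_list = 1; next }
        in_list && /^[ \t]*- / { sub(/^[ \t]*- /, ""); print; next }
        { in_list = 0 }'
}

# Exit status 0 when the transcript reports a failed Let's Encrypt step.
certbot_failed() {
    printf '%s\n' "$1" | grep -q '^Certbot command failed:'
}

# Path of the admin key store the installer tells you to download.
p12_path() {
    printf '%s\n' "$1" | sed -n 's/^Download p12 file *//p'
}

# Copy of the transcript with the export password removed.
redact_transcript() {
    printf '%s\n' "$1" | sed 's/^\(Export password:\).*/\1 [REDACTED]/'
}

# Short report when run directly on the constructed sample.
echo "domains: $(registered_domains "$SAMPLE_LOG" | tr '\n' ' ')"
echo "admin key store: $(p12_path "$SAMPLE_LOG")"
if certbot_failed "$SAMPLE_LOG"; then
    echo "certbot step failed, see /tmp/certbot.log"
fi
```

To use it on a real run, pass the saved console output in place of SAMPLE_LOG, for example `redact_transcript "$(cat init.log)"`, where `init.log` is a hypothetical file name.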