Windows Desktop MFA - Validate EJBCA configuration

This guide shows how to validate or troubleshoot the Windows Desktop MFA - EJBCA configuration.

Related guide: Windows Desktop MFA - EJBCA Configuration
That guide shows how to set up and configure Windows and EJBCA for Windows Smart Card Logon. 💡Note that the screenshots in that guide were taken from EJBCA Version 7.11.0.1, v3.0.

API User for ReST API authentication

A separate EJBCA user (End Entity) with limited privileges improves the overall security posture of the EJBCA deployment. The following steps show the bare-minimum options in Roles and Access Rules in EJBCA that must be selected for the API user you create.

  • Log in to the EJBCA Administration GUI
  • Navigate to System Functions -> Roles and Access Rules
  • Add a new Role, or open an existing role you want to use
  • Select the bare-minimum Access Rules required
  • Click Save
  • Click Advanced Mode and choose the options as shown below
  • Click Save
  • Click Members
  • In the example below, ApiUser is the End Entity created and IdemeumCA is the CA from which the user certificate needs to be enrolled

Validate user enrollment

This step validates that:

  • the API keystore and password used for authentication are accepted for enrolling the user certificate,
  • a user certificate can be generated for the configured End Entity and Certificate Profiles, and
  • the End Entity used for API authentication has the right Role access.

Prerequisites:
Download and install Java (click here to download).

java -jar erce-0.0.6.jar enroll genkeys --endentityprofile=MSSmartCardLogon --certificateprofile=MSSmartCardLogon --ca= --subjectaltname="upn=testuser@" --subjectdn="CN=testuser" --username=testuser --password=testuser --keyalg=RSA --keyspec=2048 --authkeystore= --hostname= -akp

Command output:

 End entity with username testuser has succesfully been enrolled

The above command enrolls a testuser end entity (user) in EJBCA. The --ca, --authkeystore and --hostname values and the UPN domain suffix after testuser@ are left blank in the command above and must be filled in with your deployment's values.


Validate end-entity certificate in Domain Controller

This step validates that the end entity (user) certificate generated in the previous step is accepted by the domain controller when the same certificate is presented during virtual smart card logon.

  • Log in to the EJBCA Administration GUI
  • Navigate to RA Functions -> Search End Entities
  • In the Search end entity with username field, enter testuser
  • Click Search
  • Click View next to Certificates
  • Click Download to Firefox, which downloads a .cer file
  • On the domain controller, run:

certutil -urlfetch -verify -seconds <.cer file>

If the revocation check fails, confirm that the CRL distribution point URL in the certificate is reachable from the domain controller and that the CRL can be downloaded from it.

Command output:

Verified Issuance Policies: None
Verified Application Policies:
	1.3.6.1.5.5.7.3.2 Client Authentication
	1.3.6.1.4.1.311.20.2.2 Smart Card Logon
Cert is an End Entity certificate
Leaf certificate revocation check passed
CertUtil: -verify command completed successfully.

Other useful commands

  • Commands to verify that the API keystore certificate is valid by comparing its issuer and subject against the server certificate.

Command 1:

openssl s_client -connect <hostname:port> </dev/null 2>/dev/null | openssl x509 -noout -issuer -subject -purpose

(The </dev/null redirect closes s_client's input so it exits after the handshake instead of waiting for you to type.)

Command 2:

openssl pkcs12 -in <p12 file API keystore> -clcerts -nokeys -out cc.pem && openssl x509 -in cc.pem -noout -issuer -subject -purpose

(-nokeys keeps the API private key out of cc.pem; without it the extracted file would contain the key as well as the certificate.)


The issuer should match in both outputs, and the subject in the output of Command 2 should match the CN of the API end entity.

As an alternative, you can view and compare the certificates by temporarily importing them into the Windows certificate store.