Migration from manual PKI - general advice and help needed

[pandel]

Hi!

I am on my way of migrating a PKI based on the XCA tool (https://hohnstaedt.de/xca/) to EJBCA. At the moment I have my CA (root and intermediate) certs/keys and a whole lot of server certs with their private keys as PEM files, no user certs atm.

The steps which succeeded so far:

• setting up a basic docker-based EJBCA instance
• importing my old root/interm. CA and their keys as PKCS#12 file
• setting up cert/entity profiles
• test generation of end entity certs

So far, so good.

Now, I'd like to import the bunch of server certs I already have with their private keys. From my understanding this should be end entities. But I am not sure how to do that. Everything I find in the documentation is about importing certs, but nothing has been written about importing the private keys accordingly. But a server cert is useless without its associated private key. And I find no information if the PEM files used for the import should contain the private key beside the certificate. And, btw., where can I download a private key separate from the certificate of an end entity?

I admit, perhaps it is no technical problem but me not understanding conceptual things... please, if someone can help, tell me what am I doing or understanding wrong here.

Regards,
Holger

[pandel]

Question:
I went through all the documentation again and found one interesting paragraph about key recovery. Is it possible that I have to use ejbca.sh ra keyrecoveryimport for importing my old cert/key combinations?

[primetomas]

Are you sure you want the private keys stored by the CA? Typically you don't want to store you server private keys on the CA. I can understand how this happens if you generate server side keys and then they are just kep. You can generate keys by the CA in EJBCA as well, but as standard they are not stored. This because they are not needed by the CA, and if the server needs a new cert is should generate a new private key as well.
You basically never have to store server TLS private keys for key recovery.

If you don't really need those private keys, just use "importcerts".

If you are really really sure you need those private keys stored for key recovery purposes, yes you can use keyrecoveryimport.

[pandel]

@primetomas
I absolutely understand what you are trying to say, but in this case I needed the keys for a first start. In the meantime I found out how to import keys via keyrecoveryimport. I am still learning though. After EJBCA is deployed, I will issue new certs for all of my servers and will respect the no-keys-on-CA principle 😁

[primetomas]

Great to hear that you got it working with keyrecoveryimport,