Changing Client Certificate and Trusted CA for Application Interface

In this exercise we will change the client certificate and update the trusted CA for Application Interface using WebConf. First we will configure EJBCA and then WebConf.

The new superuser certificate has to be issued from the same CA (MyTrustedSubCA signed by MyTrustedRootCA) that we will install for TLS authentication. First we have to provide the information about the certificate (MyClientAuthenticationCertificate.pem) that will be used as superuser.

  1. In EJBCA Admin Web > Certification Authorities, click Import CA certificate and upload the CA certificates MyTrustedRootCA and MyTrustedSubCA.

    Import new trusted CAs as External ones in EJBCA
  2. Select Administrator Roles and click Administrators next to the Super Administrator Role.

    Add a new trusted client certificate as superadmin in EJBCA
  3. Check the SubjectDN of the client certificate used to authenticate using openssl.
    Run the following command as 'user':

    > openssl x509 -in MyClientAuthenticationCertificate.pem -serial -\


  4. In the Edit Administrators page, specify the following and then click Add:

    • CA: MyTrustedSubCA
    • Match with: X.509: Certificate serial number (Recommended)
    • Match type: Equal, case sens.
    • Match value: 2b4306acbf69224

    Configure the serial number of the trusted certificate in EJBCA

    EJBCA is now configured to use this certificate and the last step is to configure WebConf to allow the Application Interface to also authenticate MyTrustedSubCA-chain.pem

  5. Follow the same process but for the Application Interface as described in Changing Client Certificate and Trusted CA for Management Interface