As great as the progress has been in PKI tooling, there are still some situations which require a hands-on approach to deploying and establishing certificates and storing their associated private keys. Sometimes involving tasks that must be performed by system administrators rather than developers so having to edit Java programs might not be the best choice.

The following how-to guides provide examples for creating certificates using the Bouncy Castle APIs and EJBCA and creating certification requests and saving and encrypting private keys using the Bouncy Castle APIs for Java and Kotlin.

Audience and Prerequisites

To take full advantage of the guides, you need a background in Java development. The guides suit developers who are beginners up to intermediate in terms of their experience with PKI and cryptography.  

We recommend having a machine set up that can compile and run both Java and Kotlin programs. ​Optionally, it is also a good idea to have access and experience with an IDE such as Eclipse or IntelliJ with a Kotlin plugin installed for good measure. 

Training - PKI at the Edge

The guides can be used separately or to complement the training PKI at the Edge which introduces useful concepts and provides additional context.

The PKI at the Edge training shows how to use the Bouncy Castle APIs for generating certificates and certification requests, including for EJBCA. The training also looks at Kotlin DSL as a scripting language to enable people who do not typically regard themselves as programmers to perform some of the basic tasks as well.  


After completing the training, you will be able to:  

  • Determine the right key strengths for the security level you need  
  • Have a basic understanding of standard certificate request protocols and the relative security of some asymmetric algorithms 
  • Determine what type of certification request is appropriate for your key pair 
  • Create certification requests using the Bouncy Castle APIs for Java and Kotlin 
  • Create certificates using the Bouncy Castle APIs and EJBCA 
  • Save and encrypt private keys using the Bouncy Castle APIs for Java and Kotlin 
  • Use KeyStores and understand their limitations in certified environments

Try out EJBCA

EJBCA Community Edition Docker Container

EJBCA Community is available for immediate deployment from Docker Hub, allowing you to get a test PKI up and running quickly.

To learn how to get started with EJBCA Community as a Docker container, see Quick Start Guide - Start EJBCA Container.

Free Trial Version of EJBCA on AWS

This video tutorial walks you through the steps of setting up a free trial version of EJBCA on AWS and demonstrates how to subscribe and get started in the Amazon Web Services (AWS) Marketplace.


AWS FREE TRIAL Try one unit of this product for 30 days. There will be no software charges for that unit, but AWS infrastructure charges still apply. Free Trials will automatically convert to a paid subscription upon expiration and you will be charged for additional usage above the free units provided.

The tutorial is the first part of the EJBCA DevSecOps with Ansible pre-workshop preparations Connecting an Ansible Controller to EJBCA Cloud in AWS. For more information and to sign up for the workshop, refer to EJBCA DevSecOps with Ansible – a PrimeKey Tech Days 2021 workshop.