Step 4: Import RootCA as External CA in Node A

The PKI described in this guide consists of one online and one offline EJBCA Hardware Appliance. Now that RootCA is set up, you can also import it into the appliance that is online. The reasons for doing so are:

  • It is easy to understand the logical hierarchy when navigating to Certification Authorities. There you can see that the SubCAs are installed locally and that the RootCA which signed them is marked External CA, meaning that it is installed in the offline EJBCA Hardware Appliance.
  • When CSRs are created and have to be signed by RootCA, no further import (of RootCA's certificate) is needed. The chain is generated automatically.
  • When you enroll a certificate from a CSR, you only need to set Result type to PEM - Certificate only.

To import RootCA’s certificate in the EJBCA Hardware Appliance that is online, proceed as follows:

  1. In Public Web of node B, where the RootCA is installed, open Retrieve > Fetch CA Certificates.
  2. In the section CA:RootCA, you will find the options for downloading the CA certificate or the CA certificate chain:

    Fetch RootCA certificate


  3. Select the option Download as PEM for CA certificate chain.
  4. Save the file:

    Save RootCA pem file


  5. Navigate to Certification Authorities in EJBCA Hardware Appliance node A where the pem file will be imported.
  6. Click Import CA certificate...
  7. Enter RootCA in the field The name this CA will be given.
  8. Browse for the file RootCA-chain.pem.
  9. Click Import CA certificate.

    Import RootCA as External CA
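
Before clicking Import CA certificate in step 9, the saved RootCA-chain.pem can be checked on the administrator's workstation. The script below is an added example, not part of the EJBCA documentation: it assumes the `openssl` command-line tool is available and that a SHA-256 fingerprint of the RootCA certificate was recorded separately on node B; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: pre-import checks for the PEM file saved in step 4.
# Assumption: the expected fingerprint was recorded out-of-band on node B.

# Print the SHA-256 fingerprint of the first certificate in a PEM file
# as upper-case hex without colons.
ca_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 |
        sed -e 's/^.*=//' -e 's/://g' | tr 'a-f' 'A-F'
}

# verify_root_pem FILE EXPECTED_FP
# Returns 0 only if FILE holds exactly one self-signed CA certificate
# whose SHA-256 fingerprint equals EXPECTED_FP (colons optional).
verify_root_pem() {
    pem=$1
    expected=$(printf '%s' "$2" | tr -d ': ' | tr 'a-f' 'A-F')

    # The chain of a root CA is the root alone; anything else is unexpected.
    count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem")
    [ "$count" -eq 1 ] ||
        { echo "expected 1 certificate, found $count" >&2; return 1; }

    # Self-signed: subject equals issuer and the signature verifies
    # against the certificate's own public key.
    subject=$(openssl x509 -in "$pem" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
    issuer=$(openssl x509 -in "$pem" -noout -issuer -nameopt RFC2253 | sed 's/^issuer=//')
    [ "$subject" = "$issuer" ] || { echo "not self-issued" >&2; return 1; }
    openssl verify -CAfile "$pem" "$pem" >/dev/null 2>&1 ||
        { echo "self-signature does not verify" >&2; return 1; }

    # The certificate must be marked as a CA in basicConstraints.
    openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE' ||
        { echo "basicConstraints CA:TRUE missing" >&2; return 1; }

    # Compare with the value recorded on the offline node.
    actual=$(ca_fingerprint "$pem")
    [ "$actual" = "$expected" ] ||
        { echo "fingerprint mismatch: $actual" >&2; return 1; }
    echo "OK: $subject ($actual)"
}

# Usage: sh verify_root.sh RootCA-chain.pem <sha256-fingerprint>
if [ "$#" -eq 2 ]; then verify_root_pem "$1" "$2"; fi
```

A non-zero exit status means the file should not be imported until the mismatch is explained.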