Step 4: Import RootCA as External CA in Node A
The PKI infrastructure described in this guide consists of one online and one offline EJBCA Hardware Appliance. Now that the RootCA is set up, it can be imported as an External CA into the appliance that is online. The reasons for doing so are:
- The logical hierarchy is easy to understand when you navigate to Certification Authorities. There you can see that the SubCAs are installed locally and that the RootCA which signed them carries the indication External CA, meaning that it is installed in the offline EJBCA Hardware Appliance.
- When CSRs are created and have to be signed by the RootCA, no further import (of the RootCA's certificate) is needed. The chain is generated automatically.
- When you enroll a certificate from a CSR, you only need to set PEM - Certificate only as Result type.
To import RootCA’s certificate in the EJBCA Hardware Appliance that is online, proceed as follows:
- In Public Web of node B, where the RootCA is installed, open Retrieve > Fetch CA Certificates.
In the section CA:RootCA, you will find the options for downloading the CA certificate or the CA certificate chain.
- Select the option Download as PEM for CA certificate chain.
Save the file.
- Navigate to Certification Authorities in EJBCA Hardware Appliance node A where the pem file will be imported.
- Click Import CA certificate...
- Enter RootCA in the field The name this CA will be given
- Browse for the file RootCA-chain.pem.
Click Import CA certificate.
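
Because the imported file becomes the trust anchor for the SubCAs on node A, it is worth checking RootCA-chain.pem on the workstation before importing it in the steps above. The following script is an added example, not part of the original guide or of EJBCA. It assumes OpenSSL is installed and that the RootCA's SHA-256 fingerprint was recorded out of band at node B; the function names check_root_pem and norm_fp are hypothetical.

```shell
#!/bin/sh
# Added example: check the downloaded RootCA chain before importing it on node A.
# Assumption: EXPECTED_SHA256 was recorded out of band at the offline node B.
# Usage: sh check_root_pem.sh RootCA-chain.pem EXPECTED_SHA256

norm_fp() {  # strip colons and whitespace, upper-case the hex digits
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

check_root_pem() {
    pem=$1
    expected=$(norm_fp "$2")

    # The "chain" of a root CA is the root alone: exactly one certificate.
    count=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$pem") || true
    if [ "$count" != 1 ]; then
        echo "FAIL: expected 1 certificate in $pem, found $count" >&2; return 1
    fi

    # Self-signed: the signature must verify under the certificate's own key.
    # (openssl verify also fails if the certificate is expired.)
    if ! openssl verify -CAfile "$pem" "$pem" >/dev/null 2>&1; then
        echo "FAIL: $pem does not verify as a self-signed certificate" >&2; return 1
    fi

    # It must be a CA certificate (basicConstraints CA:TRUE).
    if ! openssl x509 -in "$pem" -noout -text | grep -q 'CA:TRUE'; then
        echo "FAIL: basicConstraints CA:TRUE missing" >&2; return 1
    fi

    # Compare the SHA-256 fingerprint with the value recorded at node B.
    actual=$(norm_fp "$(openssl x509 -in "$pem" -noout -fingerprint -sha256 | sed 's/^.*=//')")
    if [ "$actual" != "$expected" ]; then
        echo "FAIL: fingerprint $actual does not match the expected value" >&2; return 1
    fi
    echo "OK: $(openssl x509 -in "$pem" -noout -subject) sha256=$actual"
}

# Run the check only when a file and a fingerprint are given on the command line.
if [ "$#" -ge 2 ]; then check_root_pem "$1" "$2"; fi
```

The expected fingerprint may be given with or without colons and in either case.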