The PKI implementation described in this guide includes one online and one offline EJBCA Hardware Appliance. Now that RootCA is set up, you can optionally install its certificate on the online appliance. The reasons for doing so are:

  • The logical hierarchy shown under Certification Authorities is easy to understand. You can see that the SubCAs are installed locally and that the RootCA that signed them is listed as an External CA, which means that it is installed on the offline EJBCA Hardware Appliance.
  • When CSRs are created and have to be signed by RootCA, no other import (of RootCA's certificate) is needed. The chain is generated automatically.
  • When you enroll a certificate from a CSR, you only need to set PEM - Certificate only as the Result type.

To import RootCA's certificate into the online EJBCA Hardware Appliance, proceed as follows:

  1. Go to the EJBCA Enterprise Administration.
  2. From the sidebar, select RA Web (Node B), where the RootCA is installed. (RA Web is listed near the bottom of the list.)
  3. In the RA Web, locate CA Certificates and CRLs in the top menu.
  4. Click CA Certificates and CRLs to open it.
  5. In the table CA Certificates and CRLs, go to the row for RootCA. There you find the option for downloading PEM in the column Certificate chain.
  6. Click PEM.
  7. After the download is complete, save the file.
  8. Go back to the EJBCA Enterprise Administration main page.
  9. From the sidebar, in the CA Functions section, select Certification Authorities (Node A), where the PEM file will be imported.
  10. Click Import CA certificate...
  11. Enter RootCA in the field The name this CA will be given.
  12. Browse for the file RootCA-chain.pem.
  13. Click Import CA certificate.
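
Between saving the file in step 7 and importing it in step 10, you can confirm that the downloaded file really is the RootCA certificate, because after the import it sits at the top of the chain for the SubCAs. The following script is an added example, not part of the original guide or of EJBCA. It assumes the openssl command-line tool is available on the administrator workstation, that the chain file for a root holds exactly one certificate, and that you recorded RootCA's SHA-256 fingerprint at the offline appliance; the function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the guide): sanity-check the downloaded RootCA PEM
# before importing it. Function names are hypothetical; needs the openssl CLI.

# Normalise a fingerprint: strip colons and whitespace, upper-case the hex.
norm_fp() { printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'; }

# SHA-256 fingerprint of the first certificate in a PEM file.
cert_fp() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# check_root_pem FILE EXPECTED_FP
# EXPECTED_FP is the fingerprint read at the offline appliance and carried
# over a separate channel (assumption: you recorded it when RootCA was created).
check_root_pem() {
  pem=$1; want=$(norm_fp "$2")

  # Assumption: a root's chain file holds exactly one certificate.
  count=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$pem" 2>/dev/null || true)
  if [ "${count:-0}" -ne 1 ]; then
    echo "FAIL: expected 1 certificate, found ${count:-0}" >&2; return 1
  fi

  # A root is self-issued: subject and issuer names hash to the same value.
  if [ "$(openssl x509 -in "$pem" -noout -subject_hash)" != \
       "$(openssl x509 -in "$pem" -noout -issuer_hash)" ]; then
    echo "FAIL: subject and issuer differ, not a root certificate" >&2; return 1
  fi

  # Refuse a certificate that has already expired.
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null; then
    echo "FAIL: certificate has expired" >&2; return 1
  fi

  # The decisive check: fingerprint equals the out-of-band value.
  got=$(norm_fp "$(cert_fp "$pem")")
  if [ "$got" != "$want" ]; then
    echo "FAIL: fingerprint $got does not match expected value" >&2; return 1
  fi
  echo "OK: $pem matches the expected RootCA fingerprint"
}

# Usage: check_root_pem RootCA-chain.pem "<fingerprint from offline appliance>"
```

The fingerprint comparison only has value if the expected value was obtained independently of the download, for example read from the offline appliance's own display of the certificate.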