AWS KMS Configuration Guide
The following describes how to integrate the EJBCA AWS instance with the AWS Key Management Service (KMS) and create keys in AWS KMS for use with an EJBCA CA.
AWS User Creation
To create an IAM user that can access KMS from the EJBCA host, do the following:
- Sign in to the AWS console, select the Services drop-down and search for "IAM".
- Select Users and then Add user.
- Specify the following to add a user:
- Add a user with the name "ejbca_kms", or any name that describes its purpose.
- Select Programmatic access so that the user can call the KMS API but cannot sign in to the AWS console.
- Select Attach existing policies directly under Set permissions and then click Create policy.
- In the Create policy tab that opens, search for KMS in the service search field and select KMS.
- Select the following permissions from the Access level selection:
- Under Resources, select Any for both alias and key resources. Note that this grants the user access to every KMS key in the account; once the EJBCA keys exist, the policy can be narrowed to their key ARNs.
- Click Review policy.
- In the Create policy screen, specify a Name and Description for the policy and click Create policy.
- A confirmation message confirms the successful creation of the policy.
- Go back to the Add user tab and click the refresh button.
- Search for the policy created above and select it.
- Click Next to add tags if desired, and continue through step 5 to Create user. A success message displays the Access key ID and the Secret access key. Note these credentials down or download the .csv file with the credentials, since the Access key ID and the Secret access key are later entered in the EJBCA Crypto Token to access KMS. The secret access key is a long-lived credential and the only thing authenticating EJBCA to the KMS API, so store it accordingly.
Note that AWS KMS Crypto Tokens are supported as of EJBCA 7.4.0.
To configure EJBCA, do the following:
Edit the /opt/ejbca/conf/web.properties file and uncomment the following property (on EJBCA Enterprise Cloud from the AWS Marketplace this is already done for you):
If you are running your own EJBCA Enterprise installation, redeploy after changing the property:
ant clean deployear
In the EJBCA Admin Web, open the Crypto Tokens page, click Create new and select AWS KMS as the Type.
- Enter the IAM user's credentials and the region the KMS keys reside in, using the following attributes:
- Authentication code: the IAM user's Secret access key
- Region: the region in which the KMS keys will reside
- Access KeyID: the IAM user's Access key ID
- Enable Auto-activation to allow the Crypto Token to activate on system restart (for an issuing CA, for example). Note that auto-activation stores the authentication code in the EJBCA database.
- When EJBCA successfully connects to KMS, the notification Crypto Token created successfully is displayed at the top of the page.
- Generate the following keys for an EJBCA CA:
- Go to the KMS console and confirm that the keys created in EJBCA are listed.
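To confirm the last step from the command line rather than the console, and to check that the credentials and region entered in the Crypto Token reach keys EJBCA can actually sign with, the following Python script is an added example; it is not EJBCA's code or AWS's. It goes a little beyond listing: it filters the keys by usage, state and region, which is what matters for a CA signing key. The sample key records are constructed (placeholder key IDs and account number, in the shape of KMS DescribeKey output); the live path assumes boto3 is installed and takes the IAM user's Access key ID and Secret access key from the standard AWS environment variables.

```python
"""Verify the AWS KMS keys an EJBCA Crypto Token created.

Added example, not part of the EJBCA documentation or product. It assumes the
IAM user created above (access key ID, secret access key) and the region
entered in the Crypto Token. Field names follow KMS DescribeKey output; the
checks themselves are ours.
"""
from typing import Dict, List, Optional, Tuple

# Constructed sample of kms.describe_key()["KeyMetadata"] records, trimmed to
# the fields the check needs. Key IDs and the account number are placeholders.
SAMPLE_KEYS: List[dict] = [
    {"KeyId": "rsa-ca-key", "Arn": "arn:aws:kms:eu-west-1:123456789012:key/rsa-ca-key",
     "KeySpec": "RSA_2048", "KeyUsage": "SIGN_VERIFY", "KeyState": "Enabled"},
    {"KeyId": "default-sym", "Arn": "arn:aws:kms:eu-west-1:123456789012:key/default-sym",
     "KeySpec": "SYMMETRIC_DEFAULT", "KeyUsage": "ENCRYPT_DECRYPT", "KeyState": "Enabled"},
    {"KeyId": "old-ec-key", "Arn": "arn:aws:kms:eu-west-1:123456789012:key/old-ec-key",
     "KeySpec": "ECC_NIST_P256", "KeyUsage": "SIGN_VERIFY", "KeyState": "PendingDeletion"},
    {"KeyId": "wrong-region", "Arn": "arn:aws:kms:us-east-1:123456789012:key/wrong-region",
     "KeySpec": "ECC_NIST_P384", "KeyUsage": "SIGN_VERIFY", "KeyState": "Enabled"},
]


def ca_signing_problem(meta: dict, region: str) -> Optional[str]:
    """Return None if this key can back an EJBCA CA signing key, else why not.

    EJBCA signs certificates and CRLs with the key, so it must be an asymmetric
    SIGN_VERIFY key, enabled, and in the region configured on the Crypto Token.
    """
    spec = meta.get("KeySpec") or meta.get("CustomerMasterKeySpec", "")
    if meta.get("KeyUsage") != "SIGN_VERIFY":
        return "KeyUsage is %s, EJBCA needs SIGN_VERIFY" % meta.get("KeyUsage")
    if not spec.startswith(("RSA_", "ECC_")):
        return "KeySpec %s is not an asymmetric signing key" % spec
    if meta.get("KeyState") != "Enabled":
        return "KeyState is %s, the Crypto Token cannot use it" % meta.get("KeyState")
    # ARN layout: arn:aws:kms:<region>:<account>:key/<id>
    arn_region = meta["Arn"].split(":")[3] if meta.get("Arn") else region
    if arn_region != region:
        return "key lives in %s but the Crypto Token is configured for %s" % (arn_region, region)
    return None


def classify(keys: List[dict], region: str) -> Tuple[List[str], Dict[str, str]]:
    """Split key metadata into usable key IDs and {key_id: problem} for the rest."""
    usable, problems = [], {}
    for meta in keys:
        problem = ca_signing_problem(meta, region)
        if problem is None:
            usable.append(meta["KeyId"])
        else:
            problems[meta["KeyId"]] = problem
    return usable, problems


def live_keys(region: str, access_key_id: str, secret_access_key: str) -> List[dict]:
    """Fetch metadata for every key visible to the IAM user (needs boto3 and network)."""
    import boto3  # imported here so the offline checks above do not need it

    kms = boto3.client("kms", region_name=region,
                       aws_access_key_id=access_key_id,
                       aws_secret_access_key=secret_access_key)
    keys = []
    for page in kms.get_paginator("list_keys").paginate():
        for entry in page["Keys"]:
            keys.append(kms.describe_key(KeyId=entry["KeyId"])["KeyMetadata"])
    return keys


if __name__ == "__main__":
    import os
    import sys

    region = os.environ.get("AWS_REGION", "eu-west-1")
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        # Same values as entered in the EJBCA Crypto Token; never hard-code them.
        keys = live_keys(region, os.environ["AWS_ACCESS_KEY_ID"],
                         os.environ["AWS_SECRET_ACCESS_KEY"])
    else:
        keys = SAMPLE_KEYS
    usable, problems = classify(keys, region)
    print("usable for an EJBCA CA:", usable)
    for key_id, why in problems.items():
        print("skip %s: %s" % (key_id, why))
```

Run it without arguments to see the classification on the constructed sample; run it with --live and the three environment variables set to query the account. A key the Crypto Token created but that does not appear in the usable list points at a region mismatch or at a key that has been disabled or scheduled for deletion outside EJBCA, both of which will surface as a Crypto Token that fails to activate.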