EJBCA RA Introduction

EJBCA Registration Authority (RA)

Note that this documentation describes the new Peer Connector based External RA.

The new EJBCA RA includes a graphical user interface for administrators and users and is actually a generic RA, but with capabilities to operate in an external polling mode.

RA Concepts

Approving Actions: The mechanism for requiring Administrators to approve actions before they are executed.
Certificate Authority (CA): A CA issues certificates to entities and vouches for their authenticity. The level of trust you can assign to a CA is individual, per CA, and depends on the CA's Policy (CP) and CA Practices Statement (CPS).
EJBCA: PKI software suite that includes CA, VA and RA.
Peer Systems: A mechanism for connections initiated from the CA to the RA (or VA), where messages for control and operations are passed.
Registration Authority (RA): A Registration Authority can be run as part of the CA or as a separate service.
RA User: A User that makes a certificate request on the RA. The user may have to wait for an RA Admin to approve the request.
RA Admin: An Administrator that approves requests made by RA Users.
Validation Authority (VA): A VA is responsible for providing information on whether certificates are valid or not. There can be one or more VAs connected to each CA in the PKI.

Security Features

Note the following security features of the Peer Connector based External RA:

  • In polling mode:
    • A TLS connection is established from the CA to the RA, using only firewall-friendly outgoing connections from the CA.
    • The CA never fetches and processes more requests than a configured upper limit, which prevents a DDoS of the RA nodes from taking down the CA nodes.
  • Mutually authenticated TLS connection.

  • JSF 2.0 based Web UI, including Content Security Policy, protection against XSS, CSRF and other attacks.

  • Filtered error messages from the CA: only non-sensitive information is shown in the RA UI.

  • Secure object transfer between RA and CA.

  • Location aware authorization. The authorization towards the CA is a combination of the user's authorization and the RA server's, so you can limit what RAs in different groups can be used for.
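
A small model of the location aware authorization item above, added here as an illustration and not EJBCA code. It assumes "combination" means that both the user and the RA server must be allowed; every rule path, user name and RA name is constructed for the example.

```python
# Added illustration of location aware authorization. Rule paths, user names
# and RA names are constructed for this example, not EJBCA's real access rules.

def covers(rules, resource):
    """True if an allow rule equals the resource or is a parent path of it."""
    return any(resource == rule or resource.startswith(rule.rstrip("/") + "/")
               for rule in rules)

def authorized(user_rules, ra_rules, resource):
    """Assumed semantics: the user AND the RA server must both be allowed."""
    return covers(user_rules, resource) and covers(ra_rules, resource)

USER_RULES = {
    "ra_admin": {"/ca"},                    # may do anything on any CA
    "ra_user": {"/ca/PublicCA/enroll"},     # may only request certificates
}
RA_RULES = {
    "office-ra": {"/ca/PublicCA", "/ca/InternalCA"},  # RA on a trusted network
    "dmz-ra": {"/ca/PublicCA/enroll"},                # internet-facing RA
}
RESOURCES = [
    "/ca/PublicCA/enroll", "/ca/PublicCA/approve",
    "/ca/InternalCA/enroll", "/ca/InternalCA/approve",
]

def effective(user, ra):
    """Resources the CA would accept for this user when reached via this RA."""
    return [r for r in RESOURCES
            if authorized(USER_RULES[user], RA_RULES[ra], r)]

if __name__ == "__main__":
    for user in USER_RULES:
        for ra in RA_RULES:
            print(f"{user:9} via {ra:10} -> {effective(user, ra)}")
```

The same `ra_admin` account can approve requests through `office-ra` but is reduced to enrollment on one CA when it connects through `dmz-ra`, which is the limiting effect the item describes.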

External Polling Mode

For security reasons, it is often preferred to deny all inbound traffic to the CA installation and instead let the CA fetch and process information from an external RA. The EJBCA RA does this using Peer Connectors. For more information, see Peer Systems.

Also note that the EJBCA RA works equally well locally, directly on the CA.