EJBCA RA Introduction
EJBCA Registration Authority (RA)
Note that this documentation describes the new Peer Connector based External RA.
The new EJBCA RA includes a graphical user interface for administrators and users. It is a generic RA that can also operate in an external polling mode.
|Term|Description|
|---|---|
|Approving Actions|The mechanism for requiring Administrators to approve actions before they are executed.|
|Certificate Authority (CA)|A CA issues certificates to, and vouches for the authenticity of, entities. The level of trust you can assign to a CA is individual, per CA, and depends on the CA's Policy (CP) and CA Practices Statement (CPS).|
|EJBCA|PKI software suite that includes CA, VA and RA.|
|Peer Systems|A mechanism for connections initiated from the CA to the RA (or VA), where messages for control and operations are passed.|
|Registration Authority (RA)|Registration Authority; can be run as part of the CA or as a separate service.|
|RA User|A User that makes a certificate request on the RA. The user may have to wait for an RA Admin to approve the request.|
|RA Admin|An Administrator that approves requests made by RA Users.|
|Validation Authority (VA)|A VA is responsible for providing information on whether certificates are valid or not. There can be one or more VAs connected to each CA in the PKI.|
Note the following security features of the Peer Connector based External RA:
- In polling mode:
  - The TLS connection is established from the CA to the RA, using only firewall-friendly outgoing connections from the CA.
  - The CA will never fetch and process more requests than a configured upper limit, which prevents a DDoS of the RA nodes from taking down the CA nodes.
- Mutually authenticated TLS connection.
- JSF 2.0 based Web UI, including Content Security Policy and protection against XSS, CSRF and other attacks.
- Filtered error messages from the CA: only non-sensitive information is shown in the RA UI.
- Secure object transfer between RA and CA.
- Location-aware authorization. The authorization towards the CA is a combination of the user's authorization and the RA server's, so you can limit what RAs in different groups can be used for.
External Polling Mode
For security reasons, it is often preferred to deny all inbound traffic to the CA installation and instead let the CA fetch and process information from an external RA. The EJBCA RA does this using Peer Connectors. For more information, see Peer Systems.
Also note that the EJBCA RA works equally well locally, directly on the CA.
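A conceptual model of three of the properties listed above (bounded fetch per poll, location-aware authorization, filtered errors), added here as an illustration. It is not EJBCA code; the class names, the limit value, and the user, RA and profile names are all assumptions.

```python
from collections import deque
from dataclasses import dataclass

MAX_PER_POLL = 3  # assumed value for the CA's configured upper limit

@dataclass
class Request:
    user: str
    profile: str  # certificate profile the user asks for (constructed names)

class RAQueue:
    """Stands in for an external RA: it only queues and never calls the CA."""
    def __init__(self, name):
        self.name, self.pending = name, deque()
    def submit(self, req):
        self.pending.append(req)
    def fetch(self, limit):
        # Invoked by the CA over its outgoing connection; hands over at most `limit`.
        return [self.pending.popleft() for _ in range(min(limit, len(self.pending)))]

class CA:
    def __init__(self, user_rights, ra_rights):
        self.user_rights, self.ra_rights = user_rights, ra_rights
    def authorized(self, ra_name, req):
        # Location-aware: the user AND the RA must both be allowed the profile.
        allowed = self.user_rights.get(req.user, set()) & self.ra_rights.get(ra_name, set())
        return req.profile in allowed
    def poll(self, ra):
        results = []
        for req in ra.fetch(MAX_PER_POLL):  # work per cycle is capped by the CA
            if self.authorized(ra.name, req):
                results.append((req.user, "issued"))
            else:
                # Filtered error: no detail about which rule failed goes back to the RA.
                results.append((req.user, "request denied"))
        return results

def demo():
    ca = CA(user_rights={"alice": {"tls-server", "sub-ca"}, "bob": {"tls-server"}},
            ra_rights={"dmz-ra": {"tls-server"}})
    ra = RAQueue("dmz-ra")
    ra.submit(Request("alice", "sub-ca"))    # user may, this RA may not
    ra.submit(Request("bob", "tls-server"))  # both may
    for _ in range(10):                      # burst of requests queued at the RA
        ra.submit(Request("guest", "tls-server"))
    return ca.poll(ra), len(ra.pending)

if __name__ == "__main__":
    print(demo())
```

The burst stays queued on the RA side: one poll cycle processes three requests regardless of how many are pending, and alice's broader rights do not carry over to an RA that is only allowed the `tls-server` profile.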