The following introduces EJBCA RA Management tasks and functions you can perform in the EJBCA RA GUI. For more information, refer to the EJBCA documentation on RA Operations.

Overview

The EJBCA RA UI is the portal for all end entity related operations, from enrolling certificates to administrating access for other RA administrators. The RA can either exist locally on the same instance as the CA, or be proxied to the CA via peers

The RA can be configured to both use certificate authentication or to allow for public access. In either case, the menu items described on this page and its sub-pages will only appear in accordance to the rights set up for that user. Additionally, both the user and the peer connector itself (if using) have their access rights limited to only permitted CAs and role namespaces.

Enrolling Certificates, Creating Key Stores and Retrieving Generated Certificates

The heart of any RA is the ability to enroll for certificates and key stores. The EJBCA RA allows for both having the server generate key stores or simply sign a supplied CSR, and can also be used to pre-configure end entities for the end user to enroll against at a later date. 

Certificate and End Entity Lifecycle Management

Managing certificates is an essential day-to-day task of RA administration. The EJBCA provides a full interface for searching among certificates and end entities in order to find certificates needing renewal, or responding from requests from users to suspend and revoke certificates.

Manage Requests

EJBCA's powerful approvals mechanism is naturally used in the RA as well, though it's limited to enrollment, renewal and revocation operations. The EJBCA RA provides an interface to manage approvals, view other pending approval requests and audit past operations.

CA Certificates and CRLs

The CA Certificates and CRLs screen allows downloading CA certificates and CRLs for CAs that you have access to.

The CAs you can access to are listed in a table displaying the following:

Column

Description

Certificate Authority

Name of Certificate Authority.

CRL

  • Full: Download a full CRL.
  • Delta: Download a deltaCRL if one is available.

Certificate

  • PEM: Download certificate in PEM format.
  • DER: Download certificate in binary format.

Certificate chain

Downloads a certificate chain for a sub CA, the sub CA certificate(s) and root CA certificate:

  • PEM: Download certificate chain in PEM format.
  • JKS: Download certificate chain in a Java Keystore format.
  • PKCS#7: Download certificate chain as a certificate-only binary PKCS#7 (CMS) file.

Browser import

Downloads the CA certificate with headers to trigger a browser import.

Download CA Certificate Fingerprint Sheet

To download a YAML text document with the CA Certificate fingerprints of all CAs you have access to, click Download Fingerprints. This is useful during a key ceremony and eliminates the need for downloading CA certificates and computing the fingerprints manually using a third-party tool such as OpenSSL. The fingerprint is computed using SHA-256.

Download CA Certificate Bundle

To download a compressed zip file containing the CA certificates of all CAs you have access to, click Download Certificate Bundle. The certificates in the bundle are provided in binary format (DER).

Role Management

In order to allow for Managed PKI setups using the EJBCA RA, the RA makes full use of access rights and role namespaces. This allows an RA administrator with sufficient access rights to create duplicate or further constrained RA administrators within the same namespace in order to handle local user administration without needing to interact with the CA.