RA User Management
The following introduces EJBCA RA Management tasks and functions you can perform in the EJBCA RA GUI. For more information, refer to the EJBCA documentation on RA Operations.
The EJBCA RA UI is the portal for all end entity related operations, from enrolling certificates to administering access for other RA administrators. The RA can either exist locally on the same instance as the CA, or be proxied to the CA via peers.
The RA can be configured either to use certificate authentication or to allow public access. In either case, the menu items described on this page and its sub-pages only appear in accordance with the rights set up for that user. Additionally, both the user and the peer connector itself (if used) have their access rights limited to only permitted CAs and role namespaces.
Enrolling Certificates, Creating Key Stores and Retrieving Generated Certificates
The heart of any RA is the ability to enroll for certificates and key stores. The EJBCA RA can either have the server generate key stores or simply sign a supplied CSR, and can also be used to pre-configure end entities for the end user to enroll against at a later date.
Certificate and End Entity Lifecycle Management
Managing certificates is an essential day-to-day task of RA administration. EJBCA provides a full interface for searching among certificates and end entities in order to find certificates needing renewal, or to respond to requests from users to suspend and revoke certificates.
EJBCA's powerful approvals mechanism is naturally used in the RA as well, though it's limited to enrollment, renewal and revocation operations. The EJBCA RA provides an interface to manage approvals, view other pending approval requests and audit past operations.
CA Certificates and CRLs
The CA Certificates and CRLs screen allows downloading CA certificates and CRLs for CAs that you have access to.
The CAs you have access to are listed in a table displaying the following:
Name of Certificate Authority.
Downloads a certificate chain for a sub CA, the sub CA certificate(s) and root CA certificate:
Downloads the CA certificate with headers to trigger a browser import.
Download CA Certificate Fingerprint Sheet
To download a YAML text document with the CA Certificate fingerprints of all CAs you have access to, click Download Fingerprints. This is useful during a key ceremony and eliminates the need for downloading CA certificates and computing the fingerprints manually using a third-party tool such as OpenSSL. The fingerprint is computed using SHA-256.
Download CA Certificate Bundle
To download a compressed zip file containing the CA certificates of all CAs you have access to, click Download Certificate Bundle. The certificates in the bundle are provided in binary format (DER).
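The following added example (not part of the EJBCA documentation) checks the DER files in a downloaded certificate bundle against SHA-256 fingerprints recorded from the fingerprint sheet, using the usual convention that a certificate fingerprint is the hash of its DER encoding. The file names, the name-to-fingerprint mapping and the placeholder bytes standing in for certificates are assumptions; the layout of the YAML sheet is not reproduced here.

```python
import hashlib
import io
import zipfile


def normalize(fp: str) -> str:
    """Lower-case a hex fingerprint and drop ':' or space separators."""
    return fp.replace(":", "").replace(" ", "").lower()


def check_bundle(bundle: bytes, expected: dict) -> dict:
    """Compare SHA-256 of each DER file in the zip with the expected sheet.

    `expected` maps a bundle file name to a hex fingerprint (assumed layout;
    adapt the keys to the downloaded sheet). Returns file name -> status.
    """
    results = {}
    with zipfile.ZipFile(io.BytesIO(bundle)) as zf:
        for name in zf.namelist():
            if name.endswith("/"):
                continue                          # skip directory entries
            actual = hashlib.sha256(zf.read(name)).hexdigest()
            if name not in expected:
                results[name] = "unexpected"      # in bundle, not on sheet
            elif actual == normalize(expected[name]):
                results[name] = "ok"
            else:
                results[name] = "mismatch"
    for name in expected:
        results.setdefault(name, "missing")       # on sheet, not in bundle
    return results


def build_sample():
    """Constructed sample: placeholder bytes stand in for DER certificates."""
    files = {"RootCA.cer": b"constructed-root-der",
             "IssuingCA.cer": b"constructed-issuing-der",
             "Extra.cer": b"constructed-extra-der"}
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    root_fp = hashlib.sha256(files["RootCA.cer"]).hexdigest().upper()
    sheet = {
        "RootCA.cer": ":".join(root_fp[i:i + 2] for i in range(0, 64, 2)),
        "IssuingCA.cer": "00" * 32,               # deliberately wrong value
        "OldCA.cer": "11" * 32,                   # absent from the bundle
    }
    return buf.getvalue(), sheet


if __name__ == "__main__":
    bundle, sheet = build_sample()
    for name, status in sorted(check_bundle(bundle, sheet).items()):
        print(f"{status:10} {name}")
```

Any status other than "ok" means the bundle and the sheet disagree and the certificate should not be installed as a trust anchor until the difference is explained.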
In order to allow for Managed PKI setups using the EJBCA RA, the RA makes full use of access rights and role namespaces. This allows an RA administrator with sufficient access rights to create duplicate or further constrained RA administrators within the same namespace in order to handle local user administration without needing to interact with the CA.