Create Root CA Certificate Profile
Certificate Profiles model how our CAs look with regard to the different types of certificates, DN contents, extensions and so on.
To manage Certificate Profiles, open the Manage Certificate Profiles page (CA Functions > Certificate Profiles).
The following section describes how to create a.
Create Root CA Profile
Follow these steps to create a Root CA Profile:
- Clone the ROOTCA profile to create your own for the Root CA you are going to create:
  - Click Clone next to the ROOTCA profile.
  - In Name of new certificate profile, specify Corporate Root CA Certificate Profile and click Create from template.
- Click Edit on the Corporate Root CA Certificate Profile and specify the following:
  - Available key algorithms: Select the desired key algorithm, for example, RSA.
  - Available bit lengths: Select the desired bit lengths, for example, 2048-4096.
  - Validity or end date of the certificate: Keep the validity at the default 25y7d.
  - CRL Distribution Points: Select if desired. CRLs hold the revocation status of certificates.
    NOTE To host your CRL Distribution Point on a server internal to your network, use an internal DNS name. It is recommended to put the CRL URL behind a CNAME or load-balanced VIP. This way the URL stamped in the certificate never has to change, while the system serving the CRL behind the VIP can.
    To make your CRL Distribution Point public, use a public DNS name that points to an IP. If using EJBCA Cloud AWS, using an Elastic IP is not recommended since this IP/URL will change if the node is shut down, invalidating the CRL location.
    To allow clients to fetch the CRL from the CA directly and have Apache in front of EJBCA, remove port 8080 from the URL and change the DNS name as required. EJBCA is not aware of whether Apache is in front of it and internally responds on port 8080 in most cases.
    - From EJBCA server directly: http://ip-172-16-0-148.ec2.internal/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN=Corporate_Root_CA,O=Corporation,C=US
    - Served from Webserver: http://crl.corporate-dns-url.com/corporate_root_ca.crl (you must set up a script to fetch and copy the file to the URL you choose).
  - Clear LDAP DN order (to get X509 DN ordering) for greater compatibility with systems that use certificates.
- Click Save to save the Root CA Profile.
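
One way to write the fetch-and-copy script mentioned for the "Served from Webserver" case, as an added example that is not part of the EJBCA documentation: it downloads the CRL from the EJBCA URL shown above, refuses anything that does not parse as a DER CRL, and swaps the file into place atomically so clients never see a partial or invalid CRL. The docroot path, the function names and the assumption that the URL returns DER are not from this page.

```shell
#!/bin/sh
# Added example: publish the EJBCA CRL on a separate web server (run from cron).
# CRL_URL is the sample URL from this page; CRL_DEST is an assumed docroot path.
CRL_URL='http://ip-172-16-0-148.ec2.internal/ejbca/publicweb/webdist/certdist?cmd=crl&issuer=CN=Corporate_Root_CA,O=Corporation,C=US'
CRL_DEST='/var/www/html/corporate_root_ca.crl'

# install_crl CANDIDATE DEST
# Validate a downloaded file and atomically install it at DEST.
# On any failure the currently published CRL is left untouched.
install_crl() {
    candidate=$1
    dest=$2
    # An empty body must never replace a good CRL.
    [ -s "$candidate" ] || { echo "empty CRL download" >&2; return 1; }
    # Structural check only (assumes the URL returns DER); the signature is
    # verified by relying parties against the CA certificate.
    openssl crl -inform DER -in "$candidate" -noout 2>/dev/null \
        || { echo "download is not a DER-encoded CRL" >&2; return 1; }
    # Stage next to the destination so the final mv is a same-filesystem rename.
    tmp="$dest.new.$$"
    cp "$candidate" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$dest" \
        || { rm -f "$tmp"; return 1; }
}

# Download the CRL from EJBCA and publish it if it validates.
sync_crl() {
    work=$(mktemp) || return 1
    rc=0
    # --fail turns HTTP errors into a non-zero exit, so an error page is
    # never handed to install_crl.
    curl --fail --silent --show-error --max-time 30 -o "$work" "$CRL_URL" \
        && install_crl "$work" "$CRL_DEST" || rc=1
    rm -f "$work"
    return "$rc"
}

# Run as: crl-sync.sh sync   (crl-sync.sh is a hypothetical file name)
if [ "${1:-}" = "sync" ]; then
    sync_crl
fi
```

Schedule it more often than the CRL issue interval, and alert on a non-zero exit so a stale CRL is noticed before its nextUpdate passes.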