Restore and Upgrade Procedure

Follow the instructions below to upgrade the version of EJBCA from 7.0.1.2 to 7.1.0 in the following steps (the same steps apply for restoring a backup).

Currently used EJBCA version

The version of EJBCA is visible in the top-right corner of the EJBCA Administration home screen.

Step 1: Backup Existing Instance anchor

  1. If you selected ssh key access when procuring your instance, use the SSH key you selected when procuring the instance. If you chose username and password, use the combination you chose at launch time to SSH into the EJBCA Cloud instance. For example, for azure-user with an IP address of 40.78.9.87 use the following:

    # ssh azure-user@40.78.9.87

  2. Run the command sudo su to get elevated privileges:

    # sudo su
  3. Change to the /opt/PrimeKey/support directory.

  4. Run the script system_backup.sh to create a backup of your system.
  5. Press Y to proceed and enter a password to protect the backup once prompted:


  6. Make a note of the name of the backup file created.

  7. Copy the backup file to a directory that is accessible by the azure-user, for example /home/azure-user/.
    In this case, the file "/opt/PrimeKey/support/backup_files/ejbca_db-40.78.9.87-1556732870.tar.gz" is copied to /home/azure-user/:

    # cp /opt/PrimeKey/support/backup_files/ejbca_db-40.78.9.87-1556732870.tar.gz /home/azure-user/

Step 2: Copy Backup to New Instance

Using either the command line interface (CLI) or a Secure Copy Protocol (SCP) utility, copy the file to your local system. You can copy the file directly from one instance to another if your VPC allows it. In this example, the file is brought down locally and then SCP it to the new instance.

  1. Copy the file to your local system, using either CLI or a SCP utility:
    • Using the CLI:

      # scp azure-user@40.78.9.87:/home/azure-user/ejbca_db-40.78.9.87-1556732870.tar.gz ~/Downloads/ejbca_db-40.78.9.87-1556732870.tar.gz

    • Using a SCP utility (in this case Cyberduck)

      1. Specify details to connect to your instance, for example hostname, username, and SSH key):
      2. Connect to the instance and download the file to the local system:
      3. Wait for the download to complete.
  2. Start a new instance from the Azure Marketplace. Select the correct version in the Version list menu (the most recent version is by default selected). For more information, refer to the Launch Guide.
  3. Wait for the new instance to start and retrieve the superadmin certificate for the new version. For more information, refer to the Launch Guide.
  4. Access the administration interface for the new instance.
  5. Note the version of the new instance in the top-right corner of the EJBCA Administration home screen, in this example Version: EJBCA 7.1.0 Enterprise (r26978).
  6. SCP the backup file created in section Backup Existing Instance and copied to the new instance using the instructions in step 1 above.If using the CLI, the command will be a bit different since you are copying local to remote.

    # scp ~/Downloads/ejbca_db-40.78.9.87-1556732870.tar.gz azure-user@52.246.249.239:/home/azure-user/

  7. Once copied, SSH into the new host.

  8. Change to the /opt/PrimeKey/support directory.

Step 3: Restore Backup on New Instance

  1. Run the script system_restore.sh by pointing it to the backup file location after the script. In this example, the backup file is located in /home/azure-user/ and the file name is ejbca_db-40.78.9.87-1556732870.tar.gz

    # /opt/PrimeKey/support/system_restore.sh /home/ec2_user/ejbca_db-40.78.9.87-1556732870.tar.gz
  2. Confirm the script once prompted to continue.

  3. If you would like to encrypt the existing backup of the database for the new node, press Y. To skip encryption press N.  A backup of the existing database will be located at /opt/PrimeKey/support/backup_files and SSL files will be backed up to /etc/httpd/ssl_backup.
  4. Enter the password for the backup file you are restoring.  
  5. Generate new TLS certificates for your new instance. Since you likely have a new public and internal IP on this node, new certificates are needed to match the new instance. Run the following script to generate new certs. Refer to the TLS Certificate Generation Guide for more details if custom IP and DNS names are needed.
    # /opt/PrimeKey/support/new_tls_cert.sh -p
  6. Access your new instance and verify your existing data appears in the new instance.

NOTE Depending on the version you are moving from, you may see a link to perform "post-upgrade" in the admin UI.  Click this link and perform post-upgrade once all of the EJBCA servers in your cluster are upgraded.