The EJBCA SaaS portal allows navigation of the EJBCA SaaS application and getting information regarding the EJBCA SaaS installation. 

Access the portal at any time by navigating to https://aws.saas.primekey.com and logging in with the appropriate credentials.

The portal displays information relating to the customer installation and the EJBCA Dashboard shows essential information about the overall health of the EJBCA cluster.

Information is displayed pertaining to the installation and the Dashboard graphs and indicators include:

  • System Health: Displays the system health status of EJBCA for the issuing CA cluster.
  • Total Certificates: Overall certificates generated by the system during its lifetime.
  • Today: Certificates generated in the last 24 hours displaying trends every two hours to detect when spikes in generation happen.
  • Certificates By Profile: Shows the top three profiles that have generated certificates all time by percentage.
  • Certificate Expiration Quantity: Shows the quantity of expiring certificates over the next 30, 60, and 90 days.

The EJBCA Links page provides access to links to the EJBCA application resources. Below you will find links to the Issuing CA cluster, EJBCA Root CA, and shows the CRL and OCSP URLs for the Issuing CA and Root CA nodes.

Access the EJBCA cluster at any time by bookmarking the link to the Issuing CA cluster in your web browser. The EJBCA Links page can also be used to access the EJBCA Issuing CA cluster and list relevant links. When running, the EJBCA Root CA link allows access the Root CA that can be used to sign the Issuing CA created by administrators. 

The CRLs and OCSP section shows what the CRL URL is for the Issuing CA and Root CA clusters. Click the respective link to get the cached URL for your CRL Distribution Point (CDP) after a certificate authority is created. Once a CA is created, a hash of the DN or Subject Key Identifier will be generated and shown on the provided link.  

The example above shows the iHash (the ASN1 encoded DN of the issuer in a certificate) and the sKIDHash (the ASN1 encoded hash of the CA subjectKeyIdentifier). Links to both the full CRL and the delta CRL are displayed and can be used as a CDP for CAs. This URL will hold the cached URL to the CRL for better performance. For more information, refer to the EJBCA Documentation on CRL Distribution Points.

The Source IPs page allows control over what IPs can access the EJBCA Clusters. IP addresses here will be added to the inbound access to the EJBCA Clusters directly, and need to be added in the CIDR notation. For more information on CIDR notation, refer to the IETF.org page on RFC4632 or Wikipedia page on CIDR.  This page will be disabled during the provisioning process.

Note that adding a single IP without a CIDR notation will result in it being added with /32 (single IP).

Click the get current IP button to populate the current IP address that the EJBCA SaaS Portal sees you coming from.   This button will also populate your name in the Description field.
At least one IP must be added to the access list.  A description can be added to the IP so that it can be referenced by something meaningful.

The Root CA page allows for controlling the Root CA. Click Start Root CA to start the EJBCA Root CA node for 24 hours. This allows ample time to perform actions such as Signing a Sub CA, Updating a CRL, or other PKI functions.  This page will be disabled during the provisioning process.

When running, the status will display when the 24-hour automatic shutdown of the Root CA will occur as well as a link to access the Root CA. The Superadmin credential issued from the ManagmentCA on the issuing CA cluster is used to access the Root CA Administrative interface. To change who can access the Root CA, navigate to the Root CA Admin Web and configure the Super Administrator Role as needed. For more information, refer to the EJBCA Documentation on EJBCA Roles and Access Rules. The Root CA is provisioned in a running state for the initial deployment and will shut itself down within 24 hours after the initial launch.

To shut down the Root CA before the planned shutdown time, click Stop Root CA.

Certificates and/or keys are supplied here to update the truststore or keystore of the EJBCA SaaS Deployment. These certificates and keys are used to communicate with other systems or devices. Use the truststore feature if you would like this EJBCA deployment to trust an additional CA such as an Issuing CA. This is common in cases of EST, where an End Entity might need to renew the certificate that was originally issued from an Issuing CA. Use the TLS keystore feature if you would like to replace or renew the TLS certificate used by EJBCA. TLS updates are applied immediately.

The truststore contains the certificate authority certificates trusted by EJBCA. Updating the truststore here adds to the truststore in the deployment and does not replace the existing truststore that was provisioned with the system.  Note: the full chain is required.

A keystore is used to store private keys and identity certificates that EJBCA SaaS should present for verification. This can be a CA certificate, key and issued certificate bundle. Please have the CA and issued certificate in a single chain file.

The Compliance page includes the necessary information to complete internal compliance questionnaires.

The FAQ tab provides some of the necessary information that internal compliance teams may need to perform compliance audits.

The CP and CPS tabs provide links to download a Certificate Policy (CP) and Certificate Practice Statement (CPS) template pack that can be used for writing company-specific versions of these documents. For assistance in writing these documents, please contact us at sales@keyfactor.com to start a Professional Services engagement.

The Logging page allows users to configure external syslog destinations for getting the EJBCA and Apache logs from the Root and Issuing CA deployments. External logging can be beneficial when troubleshooting things like certificate enrollments.


The following types of syslog streaming methods are allowed: Authenticated, Unauthenticated, and Unencrypted. For more information, see Enable Syslog Log Streaming.

The User Management page allows for the management of users that have access to and can perform actions in the EJBCA SaaS Portal.  Permissions can be granted to view, edit or restrict access to the Source IP, Root, and Logging pages. For more information, see Manage Users.


The Support page provides resources for users to gain help while using EJBCA SaaS.

For directions on how to retrieve the Superadmin certificate from EJBCA for the first time, expand the Superadmin Credentials section.

For helpful links to EJBCA and EJBCA SaaS documentation, expand the Documentation section.

To contact support, expand the Contact Support section and use the links provided to access support.


Please let us know how we can improve EJBCA SaaS. Whether it is something not behaving as expected, or a feature request, please let us know. To send feedback, click the Feedback button at the bottom right of the portal page. The feedback category should be aware of the current page, but an alternate page can also be selected from the Feedback Category list.

Next, for information on configuring EJBCA SaaS and setting up Certificate Authorities, see EJBCA SaaS Configuration Guide.