The SaaS portal allows navigation of the EJBCA SaaS application and getting information regarding the EJBCA SaaS installation. 

Access the portal at any time by navigating to https://aws.saas.primekey.com and logging in with the appropriate credentials.

The portal displays information relating to the customer installation and the EJBCA Dashboard shows essential information about the overall health of the EJBCA cluster.

Information is displayed pertaining to the installation and the Dashboard graphs and indicators include:

  • System Health: Displays the system health status of EJBCA for the issuing CA cluster.
  • Total Certificates: Overall certificates generated by the system during its lifetime.
  • Today: Certificates generated in the last 24 hours displaying trends every two hours to detect when spikes in generation happen.
  • Certificates By Profile: Shows the top three profiles that have generated certificates all time by percentage.
  • Certificate Expiration Quantity: Shows the quantity of expiring certificates over the next 30, 60, and 90 days.

The EJBCA Links page provides access to links to the EJBCA application resources. Below you will find links to the Issuing CA cluster, EJBCA Root CA, and shows the CRL and OCSP URLs for the Issuing CA and Root CA nodes.

Access the EJBCA cluster at any time by bookmarking the link to the Issuing CA cluster in your web browser. The EJBCA Links page can also be used to access the EJBCA Issuing CA cluster and list relevant links. When running, the EJBCA Root CA link allows access to the Root CA that can be used to sign the Issuing CA created by administrators. 

The CRLs and OCSP section shows what the CRL URL is for the Issuing CA and Root CA clusters. Click the respective link to get the cached URL for your CRL Distribution Point (CDP) after a certificate authority is created. Once a CA is created, a hash of the DN or Subject Key Identifier will be generated and shown on the provided link.
 

The example above shows the iHash (the ASN1 encoded DN of the issuer in a certificate) and the sKIDHash (the ASN1 encoded hash of the CA subjectKeyIdentifier). Links to both the full CRL and the delta CRL are displayed and can be used as a CDP for CAs. This URL will hold the cached URL to the CRL for better performance. For more information, refer to the EJBCA Documentation on CRL Distribution Points.

The Source IPs page allows control over what IPs can access the EJBCA Clusters. IP addresses here will be added to the inbound access to the EJBCA Clusters directly, and need to be added in the CIDR notation. For more information on CIDR notation, refer to the IETF.org page on RFC4632 or Wikipedia page on CIDR.  This page will be disabled during the provisioning process.

Note that adding a single IP without a CIDR notation will result in it being added with /32 (single IP).

  At least one IP must be added to the access list.  A description can be added to the IP so that it can be referenced by something meaningful.


The Root CA page allows for controlling the Root CA. Click Start Root CA to start the EJBCA Root CA node for 24 hours. This allows ample time to perform actions such as Signing a Sub CA, Updating a CRL, or other PKI functions.  This page will be disabled during the provisioning process.

When running, the status will display when the 24-hour automatic shutdown of the Root CA will occur as well as a link to access the Root CA. The Superadmin credential issued from the ManagmentCA on the issuing CA cluster is used to access the Root CA Administrative interface. To change who can access the Root CA, navigate to the Root CA Admin Web and configure the Super Administrator Role as needed. For more information, refer to the EJBCA Documentation on EJBCA Roles and Access Rules. The Root CA is provisioned in a running state for the initial deployment and will shut itself down within 24 hours after the initial launch.

To shut down the Root CA before the planned shutdown time, click Stop Root CA.

The Compliance page includes the necessary information to complete internal compliance questionnaires.

The FAQ tab provides some of the necessary information that internal compliance teams may need to perform compliance audits.

The CP and CPS tabs provide links to download a Certificate Policy (CP) and Certificate Practice Statement (CPS) template pack that can be used for writing company-specific versions of these documents. For assistance in writing these documents, please contact sales at sales@primekey.com to start a Professional Services engagement.


The Logging page allows users to configure external syslog destinations for getting the EJBCA and Apache logs from the Root and Issuing CA deployments. External logging can be beneficial when troubleshooting things like certificate enrollments.

The logging page has two tabs, Credentials and Syslog. Adding credentials to the syslog section will allow you to select them for use in the Syslog tab. The following types of syslog streaming methods are allowed: Authenticated, Unauthenticated, and Unencrypted. For more information, see Enable Syslog Log Streaming.


The User Management page allows for the management of users that have access to and can perform actions in the EJBCA SaaS Portal. Permissions can be granted to view, edit or restrict access to the Source IP, Root, and Logging pages. For more information, see Manage Users.


The Support page provides resources for users to gain help while using EJBCA SaaS.

For directions on how to retrieve the Superadmin certificate from EJBCA for the first time, expand the Superadmin Credentials section.

For helpful links to EJBCA and EJBCA SaaS documentation, expand the Documentation section.

To contact support, expand the Contact Support section and use the links provided to access the support.


Please let us know how we can improve EJBCA SaaS. Whether it is something not behaving as expected, or a feature request, please let us know. To send feedback, click the Feedback button at the bottom right of the portal page. The feedback category should be aware of the current page, but an alternate page can also be selected from the Feedback Category list.


Next, for information on configuring EJBCA SaaS and setting up Certificate Authorities, see EJBCA SaaS Configuration Guide.