The following provides step-by-step instructions for configuring EJBCA and describes how to create a Crypto Token and a Certificate Authority (CA) in EJBCA.

Within EJBCA, Crypto Tokens store the keys that the CA uses to perform its duties. For more information, refer to the EJBCA Documentation Crypto Tokens Overview.

Create Crypto Token and Keys

The following provides step-by-step instructions for creating a Crypto Token and keys in EJBCA. For more information on Crypto Tokens and available fields, refer to the EJBCA Documentation Crypto Tokens Overview.

To create a Crypto Token and keys in EJBCA, do the following.

  1. On the EJBCA Software Appliance Overview page, click Admin Web for EJBCA listed in the Application Overview.
  2. In EJBCA, click Crypto Tokens under CA Functions.
  3. In the Manage Crypto Tokens page, click Create new.
  4. On the New Crypto Token page, specify the following:
    • Name: Specify a name for the new crypto token.
    • Authentication Code: Specify
    • Type: Select PKCS#11.
    • PKCS#11: Reference Type: Select Slot/Token Label.
    • PKCS#11: Reference: Allows you to select a test partition. If only one test partition is available, that partition is automatically selected.
    • Click Save to create the crypto token.
      The new Crypto Token is displayed on the Crypto Token page. Next, create keys for the crypto token.
  5. Create two key pairs within the Crypto Token according to the following example:
    • Specify an alias, for example, otherKey, select key specification RSA 3072 bit, and then click Generate new key pair. This key will be used for everything other than signing.
    • Specify an alias, for example, signKey, select key specification RSA 3072 bit, and then click Generate new key pair. This key will be used for certificate signing.

The new keys are available and listed on the page.

Create CA

The following provides basic instructions for creating a Certificate Authority (CA) in EJBCA. 

For more information on Certificate Authorities (CAs) and available fields, refer to the EJBCA Documentation Certificate Authority Overview. For information on adding an external Management CA, refer to Importing an External CA.

To create a CA in EJBCA, do the following.

  1. Click Certificate Authorities under CA Functions.
  2. In the Add CA field, enter a name for the CA and click Create.
  3. On the Create CA page, specify the following and then click Create:
    • Crypto Token: Select the Crypto Token created in the earlier step.
    • Signing Algorithm: SHA256WithRSA.
    • The keys previously created and named otherKey and signKey (in section Create Crypto Token and Keys) should be populated automatically, with the remaining keys set to "- Default key".
      • defaultKey: Verify that the key pair created earlier is selected, in this example: otherKey.
      • certSignKey: Verify that the key pair created earlier is selected, in this example: signKey.
      • keyEncryptKey: Select - Default key.
      • testKey: Select - Default key.
    • Signed By: Self Signed.
    • Certificate Profile: Root CA.
    • Validity: 5y.
  4. Click Create to list the newly created CA on the Manage Certification Authorities page.

You have now created a CA and Crypto Token and keys.
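
A check to run after these steps, given here as an added example that is not part of the EJBCA documentation or tooling: it tests an exported CA certificate against the values chosen above (SHA256WithRSA, RSA 3072 bit, Self Signed, 5y). It assumes the openssl CLI is installed and that the new CA's certificate has been saved as a PEM file; the function names and the constructed sample certificate are hypothetical, and the validity check assumes a freshly created CA.

```sh
#!/bin/sh
# Added example (not EJBCA tooling): check an exported Root CA certificate
# against the values selected in the steps above, using the openssl CLI.

# check_root_ca FILE: returns 0 when every check passes, 1 otherwise.
check_root_ca() {
  crc_cert=$1; crc_rc=0
  crc_text=$(openssl x509 -in "$crc_cert" -noout -text 2>/dev/null) \
    || { echo "FAIL: cannot parse $crc_cert"; return 1; }

  # Signing Algorithm: SHA256WithRSA
  printf '%s\n' "$crc_text" | grep -q 'Signature Algorithm: sha256WithRSAEncryption' \
    || { echo "FAIL: signature algorithm is not SHA256WithRSA"; crc_rc=1; }

  # Key specification of signKey: RSA 3072 bit
  printf '%s\n' "$crc_text" | grep -q 'Public-Key: (3072 bit)' \
    || { echo "FAIL: CA public key is not RSA 3072 bit"; crc_rc=1; }

  # Signed By: Self Signed (issuer equals subject, signature verifies with own key)
  crc_subj=$(openssl x509 -in "$crc_cert" -noout -subject | sed 's/^subject= *//')
  crc_iss=$(openssl x509 -in "$crc_cert" -noout -issuer | sed 's/^issuer= *//')
  [ "$crc_subj" = "$crc_iss" ] || { echo "FAIL: issuer differs from subject"; crc_rc=1; }
  openssl verify -CAfile "$crc_cert" "$crc_cert" >/dev/null 2>&1 \
    || { echo "FAIL: self-signature does not verify"; crc_rc=1; }

  # Validity: 5y (assumes a freshly created CA): more than 4 years must remain,
  # and the certificate must expire within 5 years plus a few days of slack.
  openssl x509 -in "$crc_cert" -noout -checkend $((4 * 365 * 86400)) >/dev/null \
    || { echo "FAIL: fewer than 4 years of validity remain"; crc_rc=1; }
  if openssl x509 -in "$crc_cert" -noout -checkend $((5 * 366 * 86400)) >/dev/null; then
    echo "FAIL: validity exceeds 5 years"; crc_rc=1
  fi
  return "$crc_rc"
}

# make_sample_ca BITS OUTFILE: constructed stand-in for an exported CA
# certificate (throwaway key, hypothetical subject), for offline testing only.
make_sample_ca() {
  openssl req -x509 -newkey "rsa:$1" -nodes -sha256 -days 1825 \
    -subj '/CN=Constructed Sample Root CA' -keyout /dev/null -out "$2" 2>/dev/null
}

# Usage: sh check_root_ca.sh exported-ca.pem   (file names are placeholders)
if [ -n "${1:-}" ]; then
  check_root_ca "$1" && echo "OK: $1 matches the configured Root CA values"
fi
```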

Next Step: Renew TLS Certificate

Next, optionally continue with renewing the TLS certificate; see Step 5 - Renew TLS Certificate. Renewing the TLS certificate might be required to meet your company's security rules, for example, to remove the security warning in the address bar of the browser.