EJBCA Software Appliance
EJBCA® Software Appliance is a packaged solution that allows you to deploy and maintain your PKI solution utilizing your existing virtualization environment. The software appliance enables you to reuse your Hardware Security Module (HSM) infrastructure and control the technology stack for the complete PKI solution.
EJBCA Software Appliance is for customers that need an easy to deploy PKI solution. The software appliance includes all the required software and is distributed as an Open Virtual Appliance (OVA) package, making it easy to install and maintain. Different models are available to allow you to choose the most cost-efficient deployment solution for your needs, see Model Specifications.
The software appliance supports the leading virtualization platform VMware and the hypervisor solution VMware ESXi. The EJBCA Software Appliance supports high availability based on VMware Hypervisor HA and the OVA includes:
- EJBCA Enterprise
- MariaDB Galera Cluster
- Support for network-attached HSMs
Before you install the software appliance, ensure that the system requirements are met.
The following minimum hardware specifications are recommended for the guest virtual machine (VM).
- RAM: 12 GiB
- Disk space: 30 GB
- CPU cores: Minimum 4 cores allocated
The following is recommended for the host.
- The hypervisor runs on VMware-certified hardware. For more information, refer to the VMware Compatibility Guide.
- The system must be able to provide reasonably high I/O throughput.
EJBCA Software Appliance Installation
The following installation instructions cover how to create the VM using VMware ESXi and access EJBCA to enroll and install the SuperAdmin certificate.
- Step 1 - Create VM
- Step 2 - Enroll SuperAdmin Certificate
- Step 3 - Install SuperAdmin Certificate
- Step 4 - Change OS Root Password
- Optional Step 5 - Change VM Hostname
- Optional Step 6 - Generate New TLS Server Certificate
The following lists prerequisites for the installation instructions.
- An installation of VMware ESXi.
- An EJBCA® Software Appliance package (downloaded from your PrimeKey download area).
- A Mozilla Firefox browser.
Step 1 - Create VM
Perform the steps below to create a virtual machine from OVF and VMDK files, using the VMware ESXi New Virtual Machine wizard.
- Download the software appliance package EJBCA_Software_Appliance_1.0.0.zip from your PrimeKey download area and extract it.
- Open VMware ESXi in Firefox, select Virtual Machines in the Navigator pane and then click Create / Register VM.
- Select Deploy a virtual machine from an OVF or OVA file and click Next.
- Specify a name for the virtual machine, drag and drop the OVF and VMDK files from the software appliance package (for example ejbca-node-01-1.vmdk), and click Next.
- On the Select storage page, select a storage device and click Next.
- On the Deployment options page, select a VM Network and click Next.
- Review the settings and click Finish to create the virtual machine.
- The files, including ejbca-node-01-1.vmdk, are uploaded to ESXi and you can monitor the progress in the Result column of the Recent tasks list.
- Wait for the software appliance to boot. Once the appliance is booting, Power On VM is displayed in the Recent tasks list.
- Click Refresh to refresh the list of virtual machines and then select the software appliance in the list.
- Click the IP address assigned to the software appliance to open EJBCA Public Web.
Step 2 - Enroll SuperAdmin Certificate
To enroll for a SuperAdmin certificate, do the following.
- Click Fetch CA Certificates in the EJBCA Public Web.
- On the Fetch CA certificates page, click the link Download to Firefox to download the CA certificate chain.
- Select Trust this CA to identify websites and click OK.
- In the EJBCA Public Web, click the menu option Create Keystore.
- On the Keystore Enrollment page, specify the following and then click OK:
- On the EJBCA Token Certificate Enrollment page, click Enroll to create a keystore and save the file as superadmin.p12.
Step 3 - Install SuperAdmin Certificate
The following describes how to install the SuperAdmin certificate in Firefox.
- On the Firefox menu, select Preferences.
- Click Privacy & Security.
- Scroll down to the Security section and click View Certificates to open the Certificate Manager.
- On the tab Your Certificates, click Import and select the file superadmin.p12.
- When Firefox asks for a password to decrypt the P12 file, enter the password PrimeKey.
- Click OK to close the Certificate Manager and close the Preferences page.
- With the credentials installed, click Administration in the EJBCA Public Web to access the EJBCA CA UI.
- Firefox will ask you for a certificate, select SuperAdmin and click OK to proceed.
Firefox will recognize your new certificate and open the EJBCA CA UI displaying the Administration page.
Step 4 - Change OS Root Password
To change the OS root password from the default password, do the following:
- Select the appliance in VMware ESXi and click Console > Open browser console to open a console for the appliance.
- Log in as root using the default password primekey.
- Change the password using the passwd command and then enter your new password when requested.
The following displays an example output after the password has been updated.
- To log out, type
Optional Step 5 - Change VM Hostname
The following describes how to change the VM hostname if required.
Open a VMware ESXi console window and log in as
Change the hostname, making sure to replace <NEW_HOSTNAME> in the example code below with the new hostname, for example:
hostnamectl set-hostname <NEW_HOSTNAME>
Update the hostname in the hosts file:
Verify that the new hostname has been updated:
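The hosts-file update and the verification described in this step, as an added POSIX shell example that is not part of the PrimeKey appliance documentation or its tooling. The hosts file content, the old name ejbca-node-01, the new name pkihost and the addresses are constructed sample values; the apply_new_hostname wrapper, which would be run as root on the appliance, is an assumption about how the pieces fit together and is not executed by the demo.

```shell
#!/bin/sh
# Added example: replace the old hostname with the new one in a hosts file,
# keeping the domain suffix, and verify the mapping afterwards.

# update_hosts_entry HOSTS_FILE OLD_HOSTNAME NEW_HOSTNAME
# Rewrites every non-comment line: a field equal to OLD_HOSTNAME becomes
# NEW_HOSTNAME, and a field starting with "OLD_HOSTNAME." keeps its domain
# suffix (ejbca-node-01.domain.com -> pkihost.domain.com). Similar names such
# as ejbca-node-011 are left alone. A backup with suffix .bak is written first.
# Note: rewritten lines come back with single-space field separators.
update_hosts_entry() {
    hosts_file="$1"; old="$2"; new="$3"
    tmp="$hosts_file.tmp.$$"
    cp "$hosts_file" "$hosts_file.bak" || return 1
    awk -v old="$old" -v new="$new" '
        /^[ \t]*#/ { print; next }                   # comments untouched
        {
            for (i = 2; i <= NF; i++) {              # field 1 is the address
                if ($i == old) $i = new
                else if (index($i, old ".") == 1) $i = new substr($i, length(old) + 1)
            }
            print
        }' "$hosts_file" > "$tmp" && mv "$tmp" "$hosts_file"
}

# hosts_maps HOSTS_FILE HOSTNAME ADDRESS
# Succeeds only if a non-comment line maps ADDRESS to HOSTNAME.
hosts_maps() {
    awk -v name="$2" -v addr="$3" '
        /^[ \t]*#/ { next }
        $1 == addr { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# apply_new_hostname OLD NEW (assumed wrapper, run as root on the appliance):
# set the hostname, fix /etc/hosts and check that the kernel reports NEW.
apply_new_hostname() {
    hostnamectl set-hostname "$2" || return 1
    update_hosts_entry /etc/hosts "$1" "$2" || return 1
    [ "$(hostname)" = "$2" ]
}

# Constructed sample hosts file for the demo (not the appliance's real file).
SAMPLE_HOSTS="$(mktemp)"
trap 'rm -f "$SAMPLE_HOSTS" "$SAMPLE_HOSTS.bak"' EXIT
cat > "$SAMPLE_HOSTS" <<'EOF'
# constructed sample /etc/hosts for the example
127.0.0.1       localhost
10.10.10.100    ejbca-node-01.domain.com ejbca-node-01
10.10.10.101    ejbca-node-011
EOF

update_hosts_entry "$SAMPLE_HOSTS" ejbca-node-01 pkihost
hosts_maps "$SAMPLE_HOSTS" pkihost.domain.com 10.10.10.100 && echo "hosts file updated:"
cat "$SAMPLE_HOSTS"
```

On the appliance the real call would be `apply_new_hostname ejbca-node-01 pkihost` after which `hostname -f` should report the new fully qualified name; the demo above only touches the temporary sample file.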
Optional Step 6 - Generate New TLS Server Certificate
The following describes how to generate a new TLS server certificate if required.
Open a VMware ESXi console window.
To generate a new TLS server certificate, run the following:
/opt/PrimeKey/support/new_tls_cert.sh -d $(hostname -f)
Specify additional names to be added to the SAN of the TLS server certificate using -d and the domain name. Specify IP addresses using -i. For example:
/opt/PrimeKey/support/new_tls_cert.sh -d pkihost.domain.com -i 10.10.10.100
Press Y to restart Apache.
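Before restarting Apache it is worth confirming that the new certificate actually carries every -d name and -i address in its subjectAltName, since a browser or a peer system will reject a server certificate whose SAN does not match the name it connected to. The following is an added POSIX shell example, not part of new_tls_cert.sh or the PrimeKey documentation; it needs the openssl command line (1.1.1 or later), and the self-signed sample certificate it generates with pkihost.domain.com and 10.10.10.100 is a constructed stand-in for the certificate the appliance script would produce. check_server_cert takes the same -d and -i options as the page's script.

```shell
#!/bin/sh
# Added example: verify the SAN of a TLS server certificate against the names
# and addresses it was requested for.

# cert_san CERT_PEM: print the subjectAltName entries, one per line, e.g.
# "DNS:pkihost.domain.com" and "IP Address:10.10.10.100".
cert_san() {
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        sed -n '2,$p' | tr ',' '\n' | sed 's/^[ \t]*//'
}

# cert_san_has CERT_PEM KIND VALUE: succeed if the SAN contains KIND:VALUE,
# where KIND is DNS or IP. Exact match, so wildcards are not treated specially.
cert_san_has() {
    case "$2" in
        DNS) entry="DNS:$3" ;;
        IP)  entry="IP Address:$3" ;;
        *)   echo "unknown SAN kind: $2" >&2; return 2 ;;
    esac
    cert_san "$1" | grep -qxF "$entry"
}

# check_server_cert CERT_PEM [-d name]... [-i address]...
# Same option letters as new_tls_cert.sh; fails on the first missing entry.
check_server_cert() {
    cert="$1"; shift
    OPTIND=1
    while getopts "d:i:" opt; do
        case "$opt" in
            d) cert_san_has "$cert" DNS "$OPTARG" ||
                   { echo "missing DNS:$OPTARG in $cert" >&2; return 1; } ;;
            i) cert_san_has "$cert" IP "$OPTARG" ||
                   { echo "missing IP:$OPTARG in $cert" >&2; return 1; } ;;
            *) return 2 ;;
        esac
    done
    return 0
}

# make_sample_cert OUT_PEM: constructed self-signed certificate standing in for
# the output of new_tls_cert.sh -d pkihost.domain.com -i 10.10.10.100.
make_sample_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1" \
        -days 1 -subj "/CN=pkihost.domain.com" \
        -addext "subjectAltName=DNS:pkihost.domain.com,IP:10.10.10.100" 2>/dev/null
}

SAMPLE_CERT="$(mktemp)"
trap 'rm -f "$SAMPLE_CERT" "$SAMPLE_CERT.key"' EXIT
if command -v openssl >/dev/null 2>&1; then
    make_sample_cert "$SAMPLE_CERT"
    check_server_cert "$SAMPLE_CERT" -d pkihost.domain.com -i 10.10.10.100 &&
        echo "SAN check passed for $(cert_san "$SAMPLE_CERT" | tr '\n' ' ')"
    check_server_cert "$SAMPLE_CERT" -d other.domain.com 2>/dev/null ||
        echo "SAN check failed for other.domain.com, as expected"
fi
```

On the appliance, point check_server_cert at the certificate file that new_tls_cert.sh wrote (its location is not given on this page) with the same -d and -i arguments you passed to the script, and only answer Y to the Apache restart when it succeeds.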