EJBCA® Software Appliance is a packaged solution that allows you to deploy and maintain your PKI solution utilizing your existing virtualization environment. The software appliance enables you to reuse your Hardware Security Module (HSM) infrastructure and control the technology stack for the complete PKI solution.

EJBCA Software Appliance is for customers that need an easy to deploy PKI solution. The software appliance includes all the required software and is distributed as an Open Virtual Appliance (OVA) package, making it easy to install and maintain. Different models are available to allow you to choose the most cost-efficient deployment solution for your needs, see Model Specifications.

The software appliance supports the leading virtualization platform VMware and the hypervisor solution VMware ESXi. The EJBCA Software Appliance supports high availability based on VMware Hypervisor HA and the OVA includes:

  • EJBCA Enterprise
  • OpenJDK
  • MariaDB Galera Cluster
  • Wildfly
  • CentOS
  • Support for net attached HSM

System Requirements

Before you install the software appliance, ensure that the system requirements are met.

Hardware Requirements

The following minimum hardware specifications are recommended for the guest virtual machine (VM).

  • RAM: 12 GiB
  • Disk space: 30 GB
  • CPU cores: Minimum 4 cores allocated

Host Requirements

The following is recommended for the host.

  • Hypervisor run on VMware certified hardware. For more information, refer to the VMware Compatibility Guide.
  • The system must be able to provide reasonable high I/O operations.

EJBCA Software Appliance Installation

The following installation instructions cover how to create the VM using VMware ESXi and access EJBCA to enroll and install the SuperAdmin certificate.


The following lists prerequisites for the installation instructions.

  • An installation of VMware ESXi.
  • An EJBCA® Software Appliance package (downloaded from your PrimeKey download area).
  • A Mozilla Firefox browser.

Step 1 - Create VM

Perform the steps below to create a virtual machine from OVF and VMDK files, using the VMware ESXi New Virtual Machine wizard.

  1. Download the software appliance package EJBCA_Software_Appliance_1.0.0.zip from your PrimeKey download area and extract it.
  2. Open VMware ESXi in Firefox, select Virtual Machines in the Navigator pane and then click Create / Register VM.
  3. Select Deploy a virtual machine from an OVF or OVA file and click Next. 
  4. Specify a name for the virtual machine, drop the files ejbca-node-01.ovf and ejbca-node-01-1.vmdk from the software appliance package, and click Next.
  5. On the Select storage page, select a storage device and click Next.
  6. On the Deployment options page, select a VM Network and click Next.

  7. Review the settings and click Finish to create the virtual machine.
  8. The files ejbca-node-01.ovf and ejbca-node-01-1.vmdk are uploaded to ESXi and you can monitor the progress in the Recent tasks list Result column.
  9. Wait for the software appliance to boot. Once the appliance is booting, Power On VM is displayed in the Recent tasks list.
  10. Click Refresh to refresh the list of virtual machines and then select the software appliance in the list.
  11. Click the IP address assigned to the software appliance to open EJBCA Public Web.

Step 2 - Enroll SuperAdmin Certificate

To enroll for a SuperAdmin certificate, do the following.

  1. Click Fetch CA Certificates in the EJBCA Public Web.
  2. On the Fetch CA certificates page, click the link Download to Firefox to download the CA certificate chain.
  3. Select Trust this CA to identify websites and click OK.
  4. In the EJBCA Public Web, click the menu option Create Keystore.
  5. On the Keystore Enrollment page, specify the following and then click OK:
    • Username: superadmin

    • Password: PrimeKey

  6. On the EJBCA Token Certificate Enrollment page, click Enroll to create a keystore and save the file as superadmin.p12.

Step 3 - Install SuperAdmin Certificate

The following describes how to install the SuperAdmin certificate in Firefox.

  1. On the Firefox menu, select Preferences.

  2. Click Privacy & Security.

  3. Scroll down to the Security section and click View Certificates to open the Certificate Manager.

  4. On the tab Your Certificates, click Import and select the file superadmin.p12.
  5. When Firefox asks for a password to decrypt the P12 file, enter the password PrimeKey.

  6. Click OK to close the Certificate Manager and close the Preferences page.
  7. With the credentials installed, click Administration in the EJBCA Public Web to access the EJBCA CA UI.
  8. Firefox will ask you for a certificate, select SuperAdmin and click OK to proceed.

Firefox will recognize your new certificate and open the EJBCA CA UI displaying the Administration page.

Step 4 - Change OS Root Password

To change the OS root password from the default password, do the following:

  1. Select the appliance in VMware ESXi and click Console > Open browser console to open a console for the appliance.
  2. Log in as root using the default password primekey.
  3. Change the password using the passwd command and then enter your new password when requested.

  4. The following displays an example output after the password has been updated.

  5. To log out, type exit.

Optional Step 5 - Change VM Hostname

The following describes how to change the VM hostname if required.

  1. Open a VMware ESXi console window and log in as root.

  2. Change the hostname and ensure to replace <NEW_HOSTNAME> in the example code below with the new hostname, for example, ca1.pki.mycompany.com.

    hostnamectl set-hostname <NEW_HOSTNAME>
  3. Update the hostname in the hosts file:

    vi /etc/hosts
  4. Verify that the new hostname has been updated:

    hostname -f

Optional Step 6 - Generate New TLS Server Certificate

The following describes how to generate a new TLS server certificate if required.

  1. Open a VMware ESXi console window.

  2. To generate a new TLS server certificate, run the following:

    /opt/PrimeKey/support/new_tls_cert.sh -d $(hostname -f)

    Specify additional names to be added to the SAN of the TLS server certificate using -d and the domain name. Specify IP addresses using -i. For example:

    /opt/PrimeKey/support/new_tls_cert.sh -d pkihost.domain.com -i
  3. Press Y to restart Apache.