EJBCA Software Appliance
EJBCA® Software Appliance is a packaged solution that allows you to deploy your PKI solution on-premises, utilizing your native virtualization resources. The software appliance enables you to reuse your existing Hardware Security Module (HSM) infrastructure and control the technology stack for the complete PKI solution.
EJBCA Software Appliance is for customers that need an easy-to-deploy PKI solution. The software appliance includes all the required software and is distributed as an Open Virtual Appliance (OVA) package, making it easy to install and maintain.
The software appliance supports the leading virtualization platform VMware and the hypervisor solution VMware ESXi. The EJBCA Software Appliance package includes a pre-installed EJBCA virtual machine (VM) image containing:
- EJBCA Enterprise version 7.3 (latest feature release)
- MariaDB Galera Cluster
- CentOS image
- Hypervisor high availability (HA)
Before you install the software appliance, ensure that the system requirements are met.
The following minimum hardware specifications are recommended for the guest virtual machine (VM).
- RAM: 12 GiB
- Disk space: 30 GB
- CPU cores: Minimum 4 cores allocated
The following is recommended for the host.
- Run the hypervisor on VMware-certified hardware. For more information, refer to the VMware Compatibility Guide.
- The system must be able to provide reasonably high I/O performance.
EJBCA Software Appliance Installation
The following installation instructions cover how to create the VM using VMware ESXi and access EJBCA to enroll and install the SuperAdmin certificate.
- Step 1 - Create VM
- Step 2 - Enroll SuperAdmin Certificate
- Step 3 - Install SuperAdmin Certificate
- Step 4 - Change OS Root Password
- Optional Step 5 - Change VM Hostname
- Optional Step 6 - Generate New TLS Server Certificate
The following lists prerequisites for the installation instructions.
- An installation of VMware ESXi.
- An EJBCA® Software Appliance package (downloaded from your PrimeKey download area).
- A Mozilla Firefox browser.
Step 1 - Create VM
Perform the steps below to create a virtual machine from OVF and VMDK files, using the VMware ESXi New Virtual Machine wizard.
- Download the software appliance package ejbca-node-01.zip from your PrimeKey download area and extract it.
- Open VMware ESXi in Firefox, select Virtual Machines in the Navigator pane and then click Create / Register VM.
- Select Deploy a virtual machine from an OVF or OVA file and click Next.
- Specify a name for the virtual machine, drop the files ejbca-node-01-1.vmdk from the software appliance package, and click Next.
- On the Select storage page, select a storage device and click Next.
- On the Deployment options page, select a VM Network and click Next.
- Review the settings and click Finish to create the virtual machine.
- The files ejbca-node-01-1.vmdk are uploaded to ESXi and you can monitor the progress in the Recent tasks list Result column.
- Wait for the software appliance to boot. Once the appliance is booting, Power On VM is displayed in the Recent tasks list.
- Click Refresh to refresh the list of virtual machines and then select the software appliance in the list.
- Click the IP address assigned to the software appliance to open EJBCA Public Web.
Step 2 - Enroll SuperAdmin Certificate
To enroll for a SuperAdmin certificate, do the following.
- Click Fetch CA Certificates in the EJBCA Public Web.
- On the Fetch CA certificates page, click the link Download to Firefox to download the CA certificate chain.
- Select Trust this CA to identify websites and click OK.
- In the EJBCA Public Web, click the menu option Create Keystore.
- On the Keystore Enrollment page, specify the following and then click OK:
On the EJBCA Token Certificate Enrollment page, click Enroll to create a keystore and save the file as superadmin.p12.
Step 3 - Install SuperAdmin Certificate
The following describes how to install the SuperAdmin certificate in Firefox.
- On the Firefox menu, select Preferences.
- Click Privacy & Security.
- Scroll down to the Security section and click View Certificates to open the Certificate Manager.
- On the tab Your Certificates, click Import and select the file superadmin.p12.
- When Firefox asks for a password to decrypt the P12 file, enter the password PrimeKey.
- Click OK to close the Certificate Manager and close the Preferences page.
- With the credentials installed, click Administration in the EJBCA Public Web to access the EJBCA CA UI.
- When Firefox asks you for a certificate, select SuperAdmin and click OK to proceed.
Firefox will recognize your new certificate and open the EJBCA CA UI displaying the Administration page.
Step 4 - Change OS Root Password
To change the OS root password from the default password, do the following:
- Select the appliance in VMware ESXi and click Console > Open browser console to open a console for the appliance.
- Log in as root using the default password primekey.
- Change the password using the passwd command and then enter your new password when requested.
The following displays an example output after the password has been updated.
- To log out, type
Optional Step 5 - Change VM Hostname
The following describes how to change the VM hostname if required.
Open a VMware ESXi console window and log in as
Change the hostname, making sure to replace <NEW_HOSTNAME> in the example code below with the new hostname, for example,
hostnamectl set-hostname <NEW_HOSTNAME>
Update the hostname in the hosts file:
Verify that the new hostname has been updated:
Optional Step 6 - Generate New TLS Server Certificate
The following describes how to generate a new TLS server certificate if required.
Open a VMware ESXi console window.
To generate a new TLS server certificate, run the following:
/opt/PrimeKey/support/new_tls_cert.sh -d $(hostname -f)
Specify additional names to be added to the SAN of the TLS server certificate using -d and the domain name. Specify IP addresses using -i. For example:
/opt/PrimeKey/support/new_tls_cert.sh -d pkihost.domain.com -i 10.10.10.100
Press Y to restart Apache.
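A check worth running once the new TLS server certificate is in place: confirm that every name passed with -d and -i actually appears in the certificate's SAN, using exact matching so that a similar-looking name does not pass. This is an added example, not part of the EJBCA documentation or the appliance's scripts; the function names and the sample certificate text are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm a certificate's SAN lists every expected name.
# Input (stdin): output of `openssl x509 -noout -text`.
# Arguments: expected entries in OpenSSL's notation,
#            e.g. "DNS:host.example" or "IP Address:192.0.2.1".

# san_entries: print one SAN entry per line from x509 -text output on stdin.
san_entries() {
    awk '
        found { gsub(/^[ \t]+|[ \t]+$/, "")      # entries follow the header line
                n = split($0, a, /,[ \t]*/)
                for (i = 1; i <= n; i++) print a[i]
                exit }
        /X509v3 Subject Alternative Name/ { found = 1 }
    '
}

# san_missing: print each expected entry that is absent; return 1 if any is.
san_missing() {
    entries=$(san_entries)
    rc=0
    for want in "$@"; do
        # -x whole-line match, -F literal string (dots are not wildcards),
        # -i because DNS names are case-insensitive.
        if ! printf '%s\n' "$entries" | grep -qixF -- "$want"; then
            printf '%s\n' "$want"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample of the relevant part of `openssl x509 -noout -text` output.
sample_text() {
    cat <<'EOF'
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:pkihost.domain.com, IP Address:10.10.10.100
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
EOF
}

# Against the running appliance (host name and port 443 are assumptions):
#   openssl s_client -connect pkihost.domain.com:443 </dev/null 2>/dev/null |
#     openssl x509 -noout -text |
#     san_missing "DNS:pkihost.domain.com" "IP Address:10.10.10.100"
```

An empty result with exit status 0 means every expected name is covered; any printed entry is a name clients will fail to validate against this certificate.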