Installing EJBCA as a CA with a Management CA

Congratulations, dear traveler. If you've made it to this point it probably means you're in your first steps of setting up your PKI, and if that's the case we would like to thank you for making it this far, and would like to ask you to hold on to your hat for the rest of the trip!

Running the Install Command

Running the installation command will do three things:

  • It will create the Management CA. This is an administrative CA which will be both used for internal administration of your PKI by signing user certificates, and be used for signing the following points
  • Create TLS keystores for handling HTTPS, signed by the Management CA
  • Create the key store for the initial super administrator

It will also add some initial access control values to the database, and role information for the super administrator user

If you are moving an existing installation that already has TLS keystores available, this step is not needed.

$ ant runinstall

Deploy TLS Keystores to WildFly

After the install, TLS keystores have been created. Run this command to copy them to wildfly_home/standalone/configuration/keystore:

$ ant deploy-keystore

Adding in Other Management CAs to the Key Store

For more information, see Roles and Access Rules Operations

If you create other CAs that you want to add as acceptable CAs in the server TLS configuration, or if you renew the CA certificate, you can install any CA certificate in the server TLS configuration afterwards with the following command:

$ ant -Dca.name="My CA Name" javatruststore

What this does in the background is that it adds the CA certificate to p12/truststore.jks and copies this file to APPSRV_HOME/standalone/configuration/keystore, where the TLS keystores are located. This step will require a restart of the application server.

Next Step: Finalizing the Installation

Continue by reviewing information on Finalizing the installation.