Ciphermail Email Gateway and EJBCA Integration

Ciphermail Email Encryption Gateway is a standard based centrally managed email server (MTA) that encrypts and decrypts your incoming and outgoing email at the gateway level.

By using the Ciphermail-EJBCA integration, Ciphermail can automatically request certificates from EJBCA for a transparent email encryption experience.


The following covers steps included to set up Ciphermail to work with EJBCA. For more information on how to configure the Ciphermail gateway to request certificates from an external EJBCA server, refer to the Ciphermail Gateway EJBCA Integration Guide.

Create Certificate for Ciphermail

Ciphermail communicates with EJBCA using the WebService interface. This means that Ciphermail needs an administrator certificate from EJBCA before is can connect to EJBCA.

To create a new administrator keystore for Ciphermail in EJBCA:

  • Create a P12 keystore for administrator.
  • Add the administrator certificate to an role in EJBCA with RA privileges, i.e. privileges to add/edit end entities.

Configure Ciphermail

  • Configure the EJBCA certificate request handler.
  • Configure properties as described in the Ciphermail-EJBCA Setup Guide.

Configure EJBCA

  • Create a Certificate Profile with the following:
    • Key Usage: Digital Signature and Key encipherment.
    • Extended Key Usage: Any Extended Key Usage or Email Protection (but not both).
  • Create an End Entity Profile with:
    • RFC 822 Name as Subject Alternative Name.

When the setup is done, select the EJBCA Certificate Request Handler in the CA configuration of Ciphermail.