Versasec Card Management System Integration
To illustrate an example integration between the Certificate Authority EJBCA and a Card Management System (CMS), the Versasec vSEC:CMS has been deployed in combination with EJBCA. Versasec has native integration with EJBCA, enabling a straightforward and robust integration.
This guide describes how to integrate EJBCA with the Versasec vSEC:CMS Card Management System.
Versasec vSEC:CMS S-Series is a card management system that runs on a Windows Server. The vSEC:CMS software uses the Web Service API in EJBCA to integrate the PKI seamlessly with the CMS. During card issuance and revocation, vSEC:CMS makes web service calls to EJBCA to issue and revoke certificates.
The following are required for the integration:
- EJBCA version 6.15.0 or later
- Versasec vSEC:CMS S-Series version: 5.3
Integrating vSEC:CMS with EJBCA
The EJBCA Web Service API is available over TLS with mutual certificate authentication. This means that an administrator certificate has to be issued for vSEC:CMS in order for the CMS to access EJBCA. The issued certificate also needs to be linked to a role with privileges to issue and revoke the desired certificates in EJBCA. Role-based access provides detailed control of which CAs and profiles are available for vSEC:CMS to issue certificates from. Thus, different CMSs can have access to different CAs if needed, so that different departments or customers can issue their cards using their own CMS.
Integrating vSEC:CMS with EJBCA includes the following steps:
- Step 1: Create Certificate for vSEC:CMS
- Step 2: Create a Role for vSEC:CMS
- Step 3: Add Certificate to Role
- Step 4: Install vSEC:CMS
- Step 5: Add connection to EJBCA in vSEC:CMS
Step 1: Create Certificate for vSEC:CMS
Issuing a certificate for vSEC:CMS is done using the EJBCA RA Web. Note that profiles are required to exist and be properly configured in EJBCA. For more information, see Certificate Profiles Overview.
To issue a certificate for vSEC:CMS, log in as a suitable Administrator with permission to issue other RA Admin certificates, and do the following:
- Go to the RA Web and select Make New Request.
- Specify the fields to issue a PKCS#12 keystore.
The following example uses server-side generated keys, but client generated keys work just as well.
Step 2: Create a Role for vSEC:CMS
In order for the vSEC:CMS to be able to issue and revoke certificates, it must be added to a role to provide necessary privileges.
To create an RA Administrator role with privileges to issue and revoke the desired certificates, do the following:
- In EJBCA Admin Web, select System Functions > Administrator Roles.
- Click Add, specify a Role name, in this example Versasec CMS, and click Save.
- When the Versasec CMS group is created, click Access Rules.
- Select the RA Administrator role template, specify the settings according to the following example, and click Save.
Step 3: Add Certificate to Role
With the role created, add the certificate created for the vSEC:CMS to the newly created role by editing the members of the role and clicking Add.
Step 4: Install vSEC:CMS
Install Versasec vSEC:CMS according to the installation instructions in the Administration Guide provided with the S-Series installer.
Note that an Active Directory must be available in order for vSEC:CMS to manage the users who are to be issued cards.
Step 5: Add connection to EJBCA in vSEC:CMS
Finally, create a connection to EJBCA in vSEC:CMS:
- Install the issued certificate in the Windows server where vSEC:CMS is running.
- Create a new connection to a CA, entering the web service URL of the EJBCA instance to connect to EJBCA and list the available profiles.
Note that vSEC:CMS has native support for EJBCA and allows you to select EJBCA from the CA types list.
For more information on adding connections, refer to the Versasec documentation on vSEC:CMS S-Series Documentation - Connections.
The URL for the EJBCA Web Service API is: https://<ejbca-server-hostname>/ejbca/ejbcaws/ejbcaws?wsdl.
The integration is now completed, and you can start using Versasec vSEC:CMS to issue cards with certificates from your EJBCA Certificate Authority.
Multiple CA connections can be added to issue different cards and certificates from different CAs.
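Before creating the connection in Step 5, the keystore from Step 1 can be checked against the Web Service URL above from the vSEC:CMS server. The following PowerShell script is an added example, not part of the EJBCA or Versasec documentation; the parameter names are illustrative, and it assumes the EJBCA server's TLS certificate chain is already trusted on the Windows server.

```powershell
# Added example, not from the EJBCA or Versasec documentation.
# Assumes the EJBCA server's TLS chain is already trusted on this Windows server.
param(
    [Parameter(Mandatory)] [string] $P12Path,    # PKCS#12 keystore issued in Step 1
    [Parameter(Mandatory)] [string] $EjbcaHost   # value for <ejbca-server-hostname>
)
$ErrorActionPreference = 'Stop'

# Load the keystore directly from file; nothing is imported into a certificate store.
$password = Read-Host -AsSecureString -Prompt 'PKCS#12 password'
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($P12Path, $password)

# Local checks: problems found here would otherwise show up as an opaque TLS error.
$problems = @()
if (-not $cert.HasPrivateKey) { $problems += 'keystore has no private key' }
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "certificate not valid now ($($cert.NotBefore) .. $($cert.NotAfter))"
}
# If an Extended Key Usage extension is present, it must permit TLS client authentication.
$eku = $cert.Extensions['2.5.29.37']
if ($eku) {
    $oids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value }
    $clientAuth = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth
    $anyUsage   = '2.5.29.37.0'         # anyExtendedKeyUsage
    if ($oids -notcontains $clientAuth -and $oids -notcontains $anyUsage) {
        $problems += 'Extended Key Usage does not include clientAuth'
    }
}
if ($problems) { throw ('Client certificate unusable: ' + ($problems -join '; ')) }

# Identifying fields, useful when adding the certificate to the role in Step 3.
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Serial  : $($cert.SerialNumber)"

# Remote check: fetch the WSDL over TLS while presenting the client certificate.
# Windows PowerShell 5.1 may default to older protocol versions, so request TLS 1.2.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$wsdl = "https://$EjbcaHost/ejbca/ejbcaws/ejbcaws?wsdl"
$resp = Invoke-WebRequest -Uri $wsdl -Certificate $cert -UseBasicParsing
if ($resp.StatusCode -ne 200 -or $resp.Content -notmatch 'definitions') {
    throw "Unexpected response from $wsdl (HTTP $($resp.StatusCode))"
}
"OK: $wsdl returned a WSDL document with the client certificate presented"
```

A successful run shows that the keystore is usable and the endpoint is reachable with it; whether the role from Steps 2 and 3 grants the required access is only exercised when vSEC:CMS lists the available profiles.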
CMS Demo Workflow
A basic CMS workflow consists of:
- Issue a card
- Revoke the card
- Unregister the card, making it available to be issued again
A brief process with two card readers includes:
- Start vSEC:CMS using an operator card.
- Put a blank smart card in the card reader.
- In the Life Cycle view, click the Issue bubble.
- A workflow is started with a choice of Card Template to use and which user in AD the card is issued for.
- Once the workflow is completed, the card is issued.
For a video tutorial showing the complete workflow, refer to https://youtu.be/el5_o-HhvOc.
Documentation on the life cycle process is available at vSEC:CMS S-Series Documentation - Lifecycle Processes.