Crypto Tokens Overview
This overview provides information on what crypto tokens are, what they do and also lists crypto token fields.
For more information about how to manage crypto tokens, see Crypto Tokens Operations.
Historically, the term crypto token comes from the distinction between a smart card and the slot it is read from: the card can be moved, so the binding between card and slot is not permanent.
Now that HSMs are in common use this model is dated, but the terminology remains. A modern crypto token normally stays in the same storage area of the HSM (the token and the slot being effectively one and the same), and while crypto token labels and slot indexes are expected to stay constant, slot numbering may vary. In EJBCA, the term crypto token simply means an area of memory containing keys, whether that is an HSM slot or a soft keystore created locally.
Common to all EJBCA crypto tokens is that:
- A crypto token may exist on one and only one slot.
- A crypto token may contain any number of key pairs and aliases.
Crypto tokens accordingly have several different uses in EJBCA:
- Contained within a CA, for signing certificates and CRLs. For more information, see Certificate Authority Overview.
- Referred to by OCSP responders, for signing OCSP responses. For more information, see OCSP KeyBindings.
- Used to authenticate TLS communication between EJBCA nodes. For more information, see Authentication Keybinding.
Crypto Token Fields
Common fields for all crypto tokens:

| Field | Description |
|---|---|
| Name | A user-friendly name for the crypto token. |
| Type | PKCS#11 HSM slot mapping, or a soft PKCS#12 keystore stored in the database. |
| Authentication Code | The PKCS#11 slot PIN, or the password that protects the soft keystore. |
| Repeat Authentication Code | Must match the Authentication Code value. |
| Auto-activation | Whether the authentication code is stored (encrypted) in the database and used to keep the crypto token permanently active. |
| Allow export of private keys | If selected, EJBCA will not try to prevent export of the soft crypto token keystore, and with it the private keys. Applies to soft crypto tokens only; leave it cleared unless key export is an explicit requirement. |
| Use explicit ECC parameters (ICAO CSCA and DS certificates) | Select to use explicit ECC parameters; if cleared, they are ignored. Only applicable to ePassport ICAO CSCA and DS certificates. |
In addition to the common fields, the following fields are available when creating a PKCS#11 crypto token:

| Field | Description |
|---|---|
| PKCS#11 Library | The PKCS#11 shared library, chosen from those configured as available in conf/web.properties. |
| PKCS#11 Reference Type | How the PKCS#11 Reference identifies the slot: Id, Index or Label. |
| PKCS#11 Reference | The PKCS#11 slot number, slot index or token label, according to the chosen reference type. |
| PKCS#11 Attribute File | An optional PKCS#11 attribute file, chosen from those configured as available in conf/web.properties. This is normally only needed for less common HSMs. |

For more information on PKCS#11 properties, see Hardware Security Modules (HSM). A unique crypto token identifier is generated when the token is created.
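The statement above that slot numbering may vary while labels and indexes stay constant, together with the three reference types in the table, can be made concrete with a small resolver. The following is an added example and not EJBCA code: the slot lists are constructed sample data standing in for what a PKCS#11 library reports through C_GetSlotList and C_GetTokenInfo, and the names Slot, SlotReferenceError, resolve_slot and reference_drift are this example's own. It resolves a reference the way each EJBCA reference type describes, refuses ambiguous labels rather than picking the first match, and shows which references still point at the same token after the HSM is re-enumerated with different slot IDs.

```python
"""Added example (not EJBCA code): resolve a PKCS#11 slot reference by Id,
Index or Label, and show what happens to each kind of reference when the
HSM's slot numbering changes.

The slot lists below are constructed sample data; a real deployment would
obtain them from the PKCS#11 library via C_GetSlotList and C_GetTokenInfo.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Slot:
    slot_id: int                 # CK_SLOT_ID as reported by the library (vendor-assigned)
    token_label: Optional[str]   # CK_TOKEN_INFO.label, or None if the slot holds no token


class SlotReferenceError(ValueError):
    """The reference does not identify exactly one slot."""


def resolve_slot(slots: List[Slot], ref_type: str, ref: str) -> Slot:
    """Return the single slot identified by (ref_type, ref).

    ref_type mirrors the three EJBCA reference types:
      "Id"    - numeric CK_SLOT_ID
      "Index" - 0-based position in the slot list returned by the library
      "Label" - token label, which must match exactly one slot
    """
    if ref_type == "Index":
        idx = int(ref)
        if not 0 <= idx < len(slots):
            raise SlotReferenceError(f"slot index {idx} out of range (0..{len(slots) - 1})")
        return slots[idx]
    if ref_type == "Id":
        wanted = int(ref)
        matches = [s for s in slots if s.slot_id == wanted]
    elif ref_type == "Label":
        matches = [s for s in slots if s.token_label == ref]
    else:
        raise SlotReferenceError(f"unknown reference type {ref_type!r}")
    if not matches:
        raise SlotReferenceError(f"no slot matches {ref_type}={ref!r}")
    if len(matches) > 1:
        # Labels are operator-assigned and PKCS#11 does not require them to be
        # unique, so refuse rather than silently bind to the first match.
        raise SlotReferenceError(f"{ref_type}={ref!r} is ambiguous ({len(matches)} slots match)")
    return matches[0]


def reference_drift(before: List[Slot], after: List[Slot],
                    ref_type: str, ref: str) -> Tuple[Optional[str], Optional[str], bool]:
    """Resolve the same reference against two slot enumerations.

    Returns (label_before, label_after, drifted). A label of None means the
    reference no longer resolves; drifted is True if the reference now points
    at a different token or at none, i.e. the crypto token would bind to the
    wrong keys or fail to activate.
    """
    def label_of(slots: List[Slot]) -> Optional[str]:
        try:
            return resolve_slot(slots, ref_type, ref).token_label
        except SlotReferenceError:
            return None

    label_before, label_after = label_of(before), label_of(after)
    return label_before, label_after, label_before != label_after


# Constructed sample data: the slot enumeration when the crypto tokens were created ...
SLOTS_BEFORE = [Slot(0, "CA-Root"), Slot(1, "CA-Issuing"), Slot(2, "OCSP")]
# ... and after the HSM was re-enumerated with an empty slot in front and new
# vendor-assigned slot IDs (a constructed scenario, not any specific HSM).
SLOTS_AFTER = [Slot(0, None), Slot(5, "CA-Root"), Slot(6, "CA-Issuing"), Slot(7, "OCSP")]


if __name__ == "__main__":
    for ref_type, ref in (("Id", "1"), ("Index", "1"), ("Label", "CA-Issuing")):
        lb, la, drifted = reference_drift(SLOTS_BEFORE, SLOTS_AFTER, ref_type, ref)
        status = "DRIFTED" if drifted else "stable"
        print(f"{ref_type:5} {ref:<11} before={lb!s:<11} after={la!s:<11} {status}")
```

Run directly, the script prints the three cases: the Id reference stops resolving, the Index reference silently lands on the root CA's token, and only the Label reference survives the renumbering. That is the practical reason to prefer a label-based PKCS#11 Reference Type where the HSM supports distinct token labels, and to treat a label that matches more than one slot as a configuration error rather than a tie to break.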
Crypto Token Authorization
For all authorized CA operations, authorization for the underlying crypto token operations is implied. The minimum authorization required to create a CA is authorization to view and use (or modify) a crypto token. Since modifying a PKCS#11 crypto token can change its slot mapping, the same authorization is required for creation and for modification.
The following authorization rules exist, each required for the operation it describes:
- Required for displaying the Crypto Token management in the Admin GUI.
- Required for viewing crypto token information and listing key pairs.
- Required for binding a crypto token to a CA.
- Required for creating or modifying a crypto token.
- Required for deleting a crypto token.
- Required for activating a crypto token.
- Required for deactivating a crypto token.
- Required for key pair generation.
- Required for key pair removal.
- Required for key pair testing.