- EJBCA Introduction
- EJBCA Installation
-
EJBCA Operations
-
EJBCA CA Concept Guide
- Certificate Authority Overview
- Crypto Tokens Overview
- End Entities Overview
- Publishers Overview
- Validators Overview
- Certificate Profiles Overview
- Approval Profiles
-
Services
- Certificate and CRL Reader Service
- Certificate Expiration Check Service
- CRL Download and CRL Update Service
- CRL Updater Service
- HSM Keepalive Service
- Publisher Queue Process Service
- Remote Internal Key Binding Updater
- Renew CA Service
- User Password Expire Service
- OCSP Response Pre-Signer
- Rollover Service
- Peer Systems
- Internal Key Bindings Overview
- Roles and Access Rules
- Protocols
- Logging
- Character Limitations
- User Data Sources
- Approvals
- EJBCA RA Concept Guide
-
EJBCA Operations Guide
-
CA Operations Guide
- Approving Actions
- Configure EJBCA for Public Access
- CRL Generation
- EJBCA Configuration Checker
- EJBCA Maintenance
- End Entities
- End Entity Profile Operations
- Exporting and Importing Profiles
- Importing Certificates
- Key Recovery
- Managing CAs
- Managing Certificate Profiles
- Managing Crypto Tokens
- Managing Internal Keybindings
- Modular Protocol Configuration
- OCSP Management
- Peer Systems Operations
- Enrollment Protocol Configuration
- Roles and Access Rules Operations
- Managing CVC CAs
- RA Operations Guide
- Command Line Interfaces
- EJBCA Batch Enrollment GUI
- ConfigDump Tool
-
CA Operations Guide
-
EJBCA CA Concept Guide
-
EJBCA Integration
-
Integrating with Third-Party Applications
- Access EJBCA using USB Tokens and Smart Cards
-
Auto Enrollment Configuration Guide
- Auto Enrollment Requirements
- Part 1: Active Directory Domain Services
- Part 2: MS Certification Authority and Group Policies
- Part 3: EJBCA Administration
- Part 4: EJBCA Certificate Chain Deployment to Clients
- Part 5a: Configure Microsoft Auto Enrollment Servlet on Windows
- Part 5b: Configure Microsoft Auto Enrollment Servlet on Linux
- Part 6: Prevent Duplicate Certificates
- Auto Enrollment Troubleshooting
- Microsoft Intune Device Certificate Enrollment
- Script based Autoenrollment for Windows clients with EJBCA
- Subordinate HashiCorp Vault CA to EJBCA Root
- Integrating EJBCA with Graylog
- Issuing Certificates to Kubernetes Services using cert-manager
- Using CertBot to Issue Certificates with ACME to an Apache Web Server
- Versasec Card Management System Integration
- Ciphermail Email Gateway and EJBCA Integration
- Microsoft Smart Card Logon
- 3Key DMR Add-on to EJBCA
- 3Key RA Profiles Add-on to EJBCA
- EJBCA and Cisco ISE
- EJBCA and Cisco IOS
- OpenSSH and X509 Authentication
- Configure EJBCA with OpenSSO
- Setting up an Apache Web Server as a Proxy
- Setting up an Apache Web Server with mod_jk
- Setting up a HA Proxy in front of EJBCA
- EJBCA with GemSAFE Toolbox
- SensorNet PKI
-
Hardware Security Modules (HSM)
- Generic PKCS#11 Provider
- AEP Keyper
- ARX CoSign
- AWS CloudHSM
- AWS KMS
- Azure Key Vault
- Bull Trustway PCI Crypto Card
- Bull Trustway Proteccio
- Google KMS
- nCipher nShield/netHSM
- Nitrokey HSM
- SafeNet AT Luna
- SafeNet Luna
- SafeNet ProtectServer
- SmartCard-HSM
- SoftHSM
- Unbound Key Control
- Utimaco CryptoServer
- Utimaco CryptoServer CP5
- YubiHSM 2
-
Integrating with Third-Party Applications
- Troubleshooting Guide
-
Tutorials and Guides
- Quick Install Guide
- Migrating from other CAs to EJBCA
- Modifying EJBCA
- Enabling Debug Logging
- Creating a custom RA application using EJBCA Web Services and Java
- Using EJBCA as a Certificate Management System (CMS)
- Batch Creating Certificates
- Making an ASN.1 Dump of a Certificate
- Using the Demo Servlet
- Setting up Peer Connectors and OCSP
- Uncommon CA Workflows
-
EJBCA Release Information
-
EJBCA Release Notes
- EJBCA 7.4 Release Notes
- EJBCA 7.3.1.4 Release Notes
- EJBCA 7.3.1.3 Release Notes
- EJBCA 7.3.1.2 Release Notes
- EJBCA 7.3.1.1 Release Notes
- EJBCA 7.3.1 Release Notes
- EJBCA 7.3 Release Notes
- EJBCA 7.2.1.1 Release Notes
- EJBCA 7.2.1 Release Notes
- EJBCA 7.2 Release Notes
- EJBCA 7.1 Release Notes
- EJBCA 7.0.1 Release Notes
- EJBCA 7.0.0 Release Notes
- EJBCA 6.15.2.5 Release Notes
- EJBCA 6.15.2 Release Notes
- EJBCA 6.15.1 Release Notes
- EJBCA 6.15 Release Notes
- EJBCA 6.14.1 Release Notes
- EJBCA 6.14 Release Notes
- EJBCA 6.13 Release Notes
- EJBCA 6.12 Release Notes
- EJBCA 6.11 Release Notes
- EJBCA 6.10 Release Notes
- EJBCA 6.9 Release Notes
- EJBCA 6.8 Release Notes
- EJBCA 6.7 Release Notes
- EJBCA 6.6 Release Notes
- EJBCA 6.5 Release Notes
- EJBCA 6.4 Release Notes
- EJBCA 6.3 Release Notes
- EJBCA 6.2 Release Notes
- EJBCA 6.1 Release Notes
- EJBCA 6.0 Release Notes
- EJBCA Release Notes Summary
- EJBCA Change Log Summary
-
EJBCA Upgrade Notes
- EJBCA 7.4 Upgrade Notes
- EJBCA 7.3.1.4 Upgrade Notes
- EJBCA 7.3.1.2 Upgrade Notes
- EJBCA 7.3.1.1 Upgrade Notes
- EJBCA 7.3.1 Upgrade Notes
- EJBCA 7.3 Upgrade Notes
- EJBCA 7.2.1 Upgrade Notes
- EJBCA 7.2 Upgrade Notes
- EJBCA 7.1 Upgrade Notes
- EJBCA 7.0.1 Upgrade Notes
- EJBCA 7.0 Upgrade Notes
- EJBCA 6.15.2.5 Upgrade Notes
- EJBCA 6.15 Upgrade Notes
- EJBCA 6.14 Upgrade Notes
- EJBCA 6.13 Upgrade Notes
- EJBCA 6.12 Upgrade Notes
- EJBCA 6.11 Upgrade Notes
- EJBCA 6.10 Upgrade Notes
- EJBCA 6.9 Upgrade Notes
- EJBCA 6.8 Upgrade Notes
- EJBCA 6.7 Upgrade Notes
- EJBCA 6.6 Upgrade Notes
- EJBCA 6.5 Upgrade Notes
- EJBCA 6.4 Upgrade Notes
- EJBCA 6.3 Upgrade Notes
- EJBCA 6.2 Upgrade Notes
- EJBCA 6.1 Upgrade Notes
- EJBCA 6.0 Upgrade Notes
- EJBCA Upgrade Notes Summary
-
EJBCA Release Notes
E-mail Notifications
EJBCA uses a mail service in the application server to send emails. Mail settings in JBoss/WildFly are created during installation or configured afterward.
Approving End Entity E-mail Notifications
Email notification can be sent when the status changes for an end entity, for example when a new user is added (status changes to new).
To configure email notifications in EJBCA:
- Create a new end entity profile to be able to issue certificates to end users using email notifications. Under the RA functions, select Edit End Entity Profiles and add a new profile. Select the profile and go to Edit End Entity profile to Enable Send Notifications and create the notification message. Make sure the option Use Send Notification is enabled.
- Add a new end entity. Select the new end entity profile created above and make sure the option Send Notification is enabled. Enter the from-address, subject, and specify a message using the variables defined for dynamic substitution in the next section. Use ${NL} for newline in the mail message.
The Notification Recipient can have a few different values:
- USER: send notification to the email registered for the end entity.
- foo@bar.com: send notification to the specified email address. Multiple email addresses can be entered comma separated.
- CUSTOM: plug-in mechanism to retrieve addresses your own way. See interface org.ejbca.core.model.ra.raadmin.ICustomNotificationRecipient for implementation details. Enter a string like "CUSTOM:org.ejbca.MyCustomPluginClass" to use.
You can also use the substitution variable in the notification sender and recipie/nt fields. See samples below.
The Notification Events specify which status changes for a user that will trigger a notification. The default values are suitable to send an email to a user when he/she should go and pick up a certificate. You can also select for example STATUSGENERATED to send email notifications to an administrator when the user picks up the certificate.
When STATUSREVOKED is selected, the notification will be triggered either if the entire user is revoked or if an individual certificate is revoked or re-activated (even though the End Entity's status will not change by the individual certificate revocation or re-activation).
If you configure an autogenerated password in end entity profile you don't need to enter one in the adduser page. A generated one will automatically be sent with the email.
If you want to re-send a notification for a user, reset the status to NEW.
Dynamic Substitution Variables
Parameters can be used with different usages of email notification and mandatory parameters depend on the input data.
The following parameters can be set:
- ${NL} = New Line in message
- ${DATE} or ${current.DATE} = The current date
Variables used with userdata:
- ${USERNAME} or ${user.USERNAME} = The user's username.
- ${PASSWORD} or ${user.PASSWORD} = The user's password, or "enrollment code" as it is called in most pages in the public web.
- ${UID} or ${user.UID} = The user's unique identifier.
- ${CN} or ${user.CN} = The common name of the user.
- ${SN} or ${user.SN} = The serial number (in DN) of the user.
- ${O} or ${user.O} = The user's organization.
- ${OU} or ${user.OU} = The user's organizational unit.
- ${C} or ${user.C} = The user's country.
- ${user.E} = The user's email address from Subject DN.
- ${user.EE.EMAIL} = Ther user's email address from the End Entity data.
- ${user.SAN.EMAIL} = The user's email address from Subject Alternative Name, RFC822Name field.
- ${user.TIMECREATED} = The time the user was created.
- ${user.TIMEMODIFIED} = The time the user was modified.
- ${requestAdmin.CN} = The common name of the requesting administrator.
- ${requestAdmin.EE.EMAIL} = The email address of the administrator adding the end entity according to the administrator's End Entity data.
- ${requestAdmin.SAN.EMAIL} = The email address of the administrator adding the end entity according to the administrator's Subject Alternative Name, RFC822Name field.
- ${approvalAdmin.XX} variables from below can be used to get the administrator who adds an end entity.
Variables used with approvals:
- ${approvalAdmin.USERNAME} = The last approving administrator's username.
- ${approvalAdmin.CN} = The common name of the last approving administrator.
- ${approvalAdmin.SN} = The last approving administrator's DN serialNumber.
- ${approvalAdmin.O} = The last approving administrator's organization.
- ${approvalAdmin.OU} = The last approving administrator's organization unit.
- ${approvalAdmin.C} = The last approving administrator's country.
- ${approvalAdmin.E} = The last approving administrator's email address from Subject DN.
- ${approvalRequestID} = The ID of the approval request that was created.
Variables used with expiring certificates:
- ${expiringCert.CERTSERIAL} = The serial number of the certificate about to expire.
- ${expiringCert.EXPIREDATE} = The date the certificate will expire.
- ${expiringCert.CERTSUBJECTDN} = The certificate subject DN.
- ${expiringCert.CERTISSUERDN} = The certificate issuer DN.
Variables used with revocation or re-activation of individual End Entity certificates:
- ${revokedCertificate.CERTSERIAL} = The serial number of the revoked certificate.
- ${revokedCertificate.EXPIREDATE} = The date the revoked certificate will expire.
- ${revokedCertificate.CERTSUBJECTDN} = The certificate subject DN.
- ${revokedCertificate.CERTISSUERDN} = The certificate issuer DN.
- ${revokedCertificate.REVOCATIONSTATUS} = The new revocation status of the certificate (Active/Revoked).
- ${revokedCertificate.REVOCATIONREASON} = The new revocation reason of the certificate (unspecified, keyCompromise, ...).
Examples
If you need to comply with PCI or the lighter levels of FIPS-140/160, it may be required to configure a two-step issuance process.
Set up notifications by creating three email notifications according to the following:
- To: USER
Email notification to just the user with the URL to pick up the cert and the username. Make clear in the message that he or she will be contacted by the approving admin with the password. - To: ${approvalAdmin.E}
Email notification to the approving admin with the password (but not the username) and a message which makes clear that this password is to be passed to the user, by phone or f2f (but not by email). - To: ca-team@foo... **
Email notification of the issuing to the auditor mailing lists, without above username/password.