Configure EJBCA for Public Access

An RA or CA can be configured for public access using a PublicAccessAuthenticationToken. This allows anyone to navigate to /ejbca/ra and /ejbca/adminweb respectively without having to present a certificate.

You can configure EJBCA for public access either using the Admin Web or the EJBCA CLI.

To configure EJBCA public access, go to /ejbca/adminweb/administratorprivileges/roles.xhtml and add a new member to any role. The member should have Match with set to one of the following:

    • PublicAccessAuthenticationToken : Any transport (HTTP or HTTPS)
    • PublicAccessAuthenticationToken: Non-confidential transport (HTTP)
    • PublicAccessAuthenticationToken: Confidential transport (HTTPS)

To configure EJBCA for public access using the CLI, run the following:

./ejbca.sh roles addrolemember --caname "" --role "Super Administrator Role" --value "" --with PublicAccessAuthenticationToken:TRANSPORT_ANY

This will disable client certificate authentication in EJBCA for the RA. The CA Web (/ejbca/adminweb) will still require a certificate unless you compile EJBCA with web.reqcert=false in conf/web.properties.

Disabling client certificate checks for the CA web is a really good way to get completely pwnd/hacked/compromised and render any support contract invalid. Make sure you know what you're doing before you disabling the web.reqcert property.