Backup and Restore

The EJBCA Enterprise software designed to operate in a high availability and high performance environment.

Backup of EJBCA is essential for most organizations, and EJBCA is designed to make backup easy.

Backing up of EJBCA consists of Dynamic and Static data. Dynamic data is data changed during daily operations. All dynamic data is stored in the database. Static data does not change during normal operations, and only needs to be backed up when changed.

  • Dynamic data that needs to be backed up regularly:
    • Database contents.
  • Static data that only needs to be backed up when changed:
    • EJBCA program files.
    • EJBCA configuration (ejbca/conf).
    • Admin and SSL keystores (ejbca/p12).

Back up an EJBCA installation

To backup an EJBCA installation, do the following:

  • Backup the database
  • Backup all $EJBCA_HOME/conf/**
  • Backup all $EJBCA_HOME/p12/**

If using soft keystores for the CAs, this is all that is needed. If you are using an HSM you need to backup your keys in the HSM as well. How this backup and restore is done depends on the HSM you are using. Consult the documentation for your HSM.

Restore

To restore, do the following:

  • Restore database
  • Unzip new EJBCA
  • Restore conf and p12
  • Run the following to configure JBoss and deploy EJBCA.
    If you are using another application server, consult the Installation documentation for deployment.

    ant deploy
    ant deploy-keystore
    ant web-configure


Export Certificates

The certificates produced by EJBCA are saved in the CertificateData table in the database if certificate storage is enabled. The CertificateData table contains a column called "base64Cert" containing the base64 encoded certificate. You can grab all certificates directly from the database using an SQL select query. If you use MariaDB or MySQL it could look something like:

mysql -u root -p -B ejbca -e "SELECT subjectDN,base64Cert FROM CertificateData" > /tmp/certs

This will give you a file with a header and two columns, where the first column contains the subject DN of the certificate and the second column contains the certificate itself.

Or, if you just want the certificates and no header, add the -N flag and select only the base64Cert column:

mysql -u root -p -BN ejbca -e "SELECT base64Cert FROM CertificateData" > /tmp/certs

You will now have a file containing all certificates present on your EJBCA installation, with one certificate per line. If you want the certificates in separate files, use split:

split -d --lines=1 /tmp/certs

Export CRLs

Similarly, the CRLs are stored base64 encoded in the CRLData table.

mysql -u root -p -B ejbca -e "SELECT crlNumber,issuerDN,base64CRL FROM CRLData ORDER BY crlNumber" > /tmp/crls