The EJBCA Enterprise software designed to operate in a high availability and high performance environment.
Backup of EJBCA is essential for most organizations, and EJBCA is designed to make backup easy.
Backing up of EJBCA consists of Dynamic and Static data. Dynamic data is data changed during daily operations. All dynamic data is stored in the database. Static data does not change during normal operations, and only needs to be backed up when changed.
- Dynamic data that needs to be backed up regularly:
- Static data that only needs to be backed up when changed:
- EJBCA program files.
- EJBCA configuration (ejbca/conf).
- Admin and SSL keystores (ejbca/p12).
Back up an EJBCA installation
To backup an EJBCA installation, do the following:
- Backup the database
- Backup all $EJBCA_HOME/conf/**
- Backup all $EJBCA_HOME/p12/**
If using soft keystores for the CAs, this is all that is needed. If you are using an HSM you need to backup your keys in the HSM as well. How this backup and restore is done depends on the HSM you are using. Consult the documentation for your HSM.
Restore
To restore, do the following:
Export Certificates
The certificates produced by EJBCA are saved in the CertificateData table in the database if certificate storage is enabled. The CertificateData table contains a column called "base64Cert" containing the base64 encoded certificate. You can grab all certificates directly from the database using an SQL select query. If you use MariaDB or MySQL it could look something like:
mysql -u root -p -B ejbca -e "SELECT subjectDN,base64Cert FROM CertificateData" > /tmp/certs
CODE
This will give you a file with a header and two columns, where the first column contains the subject DN of the certificate and the second column contains the certificate itself.
Or, if you just want the certificates and no header, add the -N
flag and select only the base64Cert column:
mysql -u root -p -BN ejbca -e "SELECT base64Cert FROM CertificateData" > /tmp/certs
CODE
You will now have a file containing all certificates present on your EJBCA installation, with one certificate per line. If you want the certificates in separate files, use split:
split -d --lines=1 /tmp/certs
CODE
Export CRLs
Similarly, the CRLs are stored base64 encoded in the CRLData table.
mysql -u root -p -B ejbca -e "SELECT crlNumber,issuerDN,base64CRL FROM CRLData ORDER BY crlNumber" > /tmp/crls
CODE