- EJBCA Introduction
- EJBCA Installation
-
EJBCA Operations
-
EJBCA CA Concept Guide
- Certificate Authority Overview
- Crypto Tokens Overview
- End Entities Overview
- Publishers Overview
- Validators Overview
- Certificate Profiles Overview
- Approval Profiles
-
Services
- Certificate and CRL Reader Service
- Certificate Expiration Check Service
- CRL Download and CRL Update Service
- CRL Updater Service
- HSM Keepalive Service
- Publisher Queue Process Service
- Remote Internal Key Binding Updater
- Renew CA Service
- User Password Expire Service
- OCSP Response Pre-Signer
- Rollover Service
- Peer Systems
- Internal Key Bindings Overview
- Roles and Access Rules
- Protocols
- Logging
- Character Limitations
- User Data Sources
- Approvals
- EJBCA RA Concept Guide
-
EJBCA Operations Guide
-
CA Operations Guide
- Approving Actions
- Configure EJBCA for Public Access
- CRL Generation
- EJBCA Configuration Checker
- EJBCA Maintenance
- End Entities
- End Entity Profile Operations
- Exporting and Importing Profiles
- Importing Certificates
- Key Recovery
- Managing CAs
- Managing Certificate Profiles
- Managing Crypto Tokens
- Managing Internal Keybindings
- Modular Protocol Configuration
- OCSP Management
- Peer Systems Operations
- Enrollment Protocol Configuration
- Roles and Access Rules Operations
- Managing CVC CAs
- RA Operations Guide
- Command Line Interfaces
- EJBCA Batch Enrollment GUI
- ConfigDump Tool
-
CA Operations Guide
-
EJBCA CA Concept Guide
-
EJBCA Integration
-
Integrating with Third-Party Applications
- Access EJBCA using USB Tokens and Smart Cards
-
Auto Enrollment Configuration Guide
- Auto Enrollment Requirements
- Part 1: Active Directory Domain Services
- Part 2: MS Certification Authority and Group Policies
- Part 3: EJBCA Administration
- Part 4: EJBCA Certificate Chain Deployment to Clients
- Part 5a: Configure Microsoft Auto Enrollment Servlet on Windows
- Part 5b: Configure Microsoft Auto Enrollment Servlet on Linux
- Part 6: Prevent Duplicate Certificates
- Auto Enrollment Troubleshooting
- Microsoft Intune Device Certificate Enrollment
- Script based Autoenrollment for Windows clients with EJBCA
- Subordinate HashiCorp Vault CA to EJBCA Root
- Integrating EJBCA with Graylog
- Issuing Certificates to Kubernetes Services using cert-manager
- Using CertBot to Issue Certificates with ACME to an Apache Web Server
- Versasec Card Management System Integration
- Ciphermail Email Gateway and EJBCA Integration
- Microsoft Smart Card Logon
- 3Key Dashboarding, Monitoring and Reporting Add-on
- 3Key RA Profiles Add-on
- EJBCA and Cisco ISE
- EJBCA and Cisco IOS
- OpenSSH and X509 Authentication
- Configure EJBCA with OpenSSO
- Setting up an Apache Web Server as a Proxy
- Setting up an Apache Web Server with mod_jk
- Setting up a HA Proxy in front of EJBCA
- EJBCA with GemSAFE Toolbox
- SensorNet PKI
-
Hardware Security Modules (HSM)
- Generic PKCS#11 Provider
- AEP Keyper
- ARX CoSign
- AWS CloudHSM
- AWS KMS
- Azure Key Vault
- Bull Trustway PCI Crypto Card
- Bull Trustway Proteccio
- Google KMS
- nCipher nShield/netHSM
- Nitrokey HSM
- SafeNet AT Luna
- SafeNet Luna
- SafeNet ProtectServer
- SmartCard-HSM
- SoftHSM
- Unbound Key Control
- Utimaco CryptoServer
- Utimaco CryptoServer CP5
- YubiHSM 2
-
Integrating with Third-Party Applications
- Troubleshooting Guide
-
Tutorials and Guides
- Quick Install Guide
- Migrating from other CAs to EJBCA
- Modifying EJBCA
- Enabling Debug Logging
- Creating a custom RA application using EJBCA Web Services and Java
- Using EJBCA as a Certificate Management System (CMS)
- Batch Creating Certificates
- Making an ASN.1 Dump of a Certificate
- Using the Demo Servlet
- Setting up Peer Connectors and OCSP
- Uncommon CA Workflows
-
EJBCA Release Information
-
EJBCA Release Notes
- EJBCA 7.4.2 Release Notes
- EJBCA 7.4.1 Release Notes
- EJBCA 7.4 Release Notes
- EJBCA 7.3.1.4 Release Notes
- EJBCA 7.3.1.3 Release Notes
- EJBCA 7.3.1.2 Release Notes
- EJBCA 7.3.1.1 Release Notes
- EJBCA 7.3.1 Release Notes
- EJBCA 7.3 Release Notes
- EJBCA 7.2.1.1 Release Notes
- EJBCA 7.2.1 Release Notes
- EJBCA 7.2 Release Notes
- EJBCA 7.1 Release Notes
- EJBCA 7.0.1 Release Notes
- EJBCA 7.0.0 Release Notes
- EJBCA 6.15.2.5 Release Notes
- EJBCA 6.15.2 Release Notes
- EJBCA 6.15.1 Release Notes
- EJBCA 6.15 Release Notes
- EJBCA 6.14.1 Release Notes
- EJBCA 6.14 Release Notes
- EJBCA 6.13 Release Notes
- EJBCA 6.12 Release Notes
- EJBCA 6.11 Release Notes
- EJBCA 6.10 Release Notes
- EJBCA 6.9 Release Notes
- EJBCA 6.8 Release Notes
- EJBCA 6.7 Release Notes
- EJBCA 6.6 Release Notes
- EJBCA 6.5 Release Notes
- EJBCA 6.4 Release Notes
- EJBCA 6.3 Release Notes
- EJBCA 6.2 Release Notes
- EJBCA 6.1 Release Notes
- EJBCA 6.0 Release Notes
- EJBCA Release Notes Summary
- EJBCA Change Log Summary
-
EJBCA Upgrade Notes
- EJBCA 7.4.2 Upgrade Notes
- EJBCA 7.4.1 Upgrade Notes
- EJBCA 7.4 Upgrade Notes
- EJBCA 7.3.1.4 Upgrade Notes
- EJBCA 7.3.1.2 Upgrade Notes
- EJBCA 7.3.1.1 Upgrade Notes
- EJBCA 7.3.1 Upgrade Notes
- EJBCA 7.3 Upgrade Notes
- EJBCA 7.2.1 Upgrade Notes
- EJBCA 7.2 Upgrade Notes
- EJBCA 7.1 Upgrade Notes
- EJBCA 7.0.1 Upgrade Notes
- EJBCA 7.0 Upgrade Notes
- EJBCA 6.15.2.5 Upgrade Notes
- EJBCA 6.15 Upgrade Notes
- EJBCA 6.14 Upgrade Notes
- EJBCA 6.13 Upgrade Notes
- EJBCA 6.12 Upgrade Notes
- EJBCA 6.11 Upgrade Notes
- EJBCA 6.10 Upgrade Notes
- EJBCA 6.9 Upgrade Notes
- EJBCA 6.8 Upgrade Notes
- EJBCA 6.7 Upgrade Notes
- EJBCA 6.6 Upgrade Notes
- EJBCA 6.5 Upgrade Notes
- EJBCA 6.4 Upgrade Notes
- EJBCA 6.3 Upgrade Notes
- EJBCA 6.2 Upgrade Notes
- EJBCA 6.1 Upgrade Notes
- EJBCA 6.0 Upgrade Notes
- EJBCA Upgrade Notes Summary
-
EJBCA Release Notes
Signing an External CA
In some cases, you might want to have one of your CAs signing another external CA. This is typically performed in the following steps:
Assuming both your CA and the external CA are using EJBCA, the set up is performed as described in the following steps.
It is not possible to issue CA certificates using the RA Web in EJBCA 6.x versions. To issue a CA certificate in EJBCA 6.x you need to add an end entity using the CA Web, and then issue the CA certificate through the Public Web. This is the procedure described in the steps below.
Step 1: Create Profiles on Your CA Machine
It is recommended to create a dedicated certificate profile and an end entity profile for the external CA on your CA machine, instead of using the built-in profiles. The advantage is more flexibility and better management features.
To create a certificate profile and an end entity profile on your CA machine, do the following:
- Go to the CA Web, and select the CA Functions > Certificate Profiles menu option.
- Add a new certificate profile, and use "Sub CA" as template by selecting the Type option Sub CA.
- In the Available CAs list, select the CA that is going to sign the CSR.
- Make additional adjustments as required and save the certificate profile.
- Select the End Entity Profiles menu option.
- Create a new end entity profile. Pick your recently created certificate profile, the CA that is going to sign the CSR and select User Generated as token type:
- Make additional adjustments as required and save the end entity profile.
Step 2: Add End Entity
To add an end entity on your CA machine, do the following:
- Click the RA Functions > Add End Entity menu option.
- Add a new end entity using the end entity profile you created in the previous Step 1: Create Profiles on Your CA Machine.
Step 3: Create CSR
To create a CSR on the external CA machine, do the following:
- On the external CA machine, go to the CA Web, select the menu option CA Functions > Certificate Authorities, enter Sub CA in the Add CA field, and then click Create.
- To make this CA an externally signed CA, select the Signed By option External CA.
- To save the CA and create a CSR, click Make Certificate Request.
- Save the CSR to for example a USB stick and transfer it to your CA machine.
Step 4: Sign CSR and Issue CA Certificate
To sign the CSR and issue the CA certificate using the appropriate CA on your CA machine, do the following:
- Go to the Public Web on your CA machine, and select the Create Certificate from CSR menu option.
- Enroll using the username and enrolment code you specified when adding the end entity. Then save the certificate on for example a USB stick and transfer it to the external CA machine.
Step 5: Import CA Certificate
To import the CA certificate on the external CA machine, do the following:
- On the external CA machine, go to the CA Web, select the menu option CA Functions > Certificate Authorities, and edit the CA you signed in the previous Step 4: Sign CSR and Issue CA Certificate.
- Upload the CA certificate and click Receive Certificate Response to import the externally signed CA certificate and activate the CA.
