- EJBCA Introduction
- Installation Prerequisites
- Managing EJBCA Configurations
- Creating the Database
- Application Servers
- Deploying EJBCA
- Installing EJBCA
- Finalizing the Installation
- High Availability and Clustering
- Maximizing Performance
- EJBCA Security
- Deployment Reference
- Upgrading EJBCA
- EJBCA Software Appliance
EJBCA CA Concept Guide
- Certificate Authority Overview
- Crypto Tokens Overview
- End Entities Overview
- Active Directory Publisher
- Custom Publishers
- LDAP Publisher/LDAP Search Publisher
- Multi Group Publisher
- SCP Publisher
- Validation Authority Peer Publisher
- Validation Authority Publisher (Legacy)
- AWS S3 Publisher
- Validators Overview
- Certificate Profiles Overview
- Approval Profiles
- Certificate and CRL Reader Service
- Certificate Expiration Check Service
- CRL Download and CRL Update Service
- CRL Updater Service
- HSM Keepalive Service
- Publisher Queue Process Service
- Remote Internal Key Binding Updater
- Renew CA Service
- User Password Expire Service
- OCSP Response Pre-Signer
- Rollover Service
- Peer Systems
- Internal Key Bindings Overview
- Roles and Access Rules
- Character Limitations
- User Data Sources
- EJBCA RA Concept Guide
EJBCA Operations Guide
CA Operations Guide
- Approving Actions
- Configure EJBCA for Public Access
- CRL Generation
- EJBCA Configuration Checker
- EJBCA Maintenance
- End Entities
- End Entity Profile Operations
- Exporting and Importing Profiles
- Importing Certificates
- Key Recovery
- Managing CAs
- Managing Certificate Profiles
- Managing Crypto Tokens
- Managing Internal Keybindings
- Modular Protocol Configuration
- OCSP Management
- Peer Systems Operations
- Enrollment Protocol Configuration
- Roles and Access Rules Operations
- Managing CVC CAs
- RA Operations Guide
- Command Line Interfaces
- EJBCA Batch Enrollment GUI
- ConfigDump Tool
- CA Operations Guide
- EJBCA CA Concept Guide
Integrating with Third-Party Applications
- Access EJBCA using USB Tokens and Smart Cards
Auto Enrollment Configuration Guide
- Auto Enrollment Requirements
- Part 1: Active Directory Domain Services
- Part 2: MS Certification Authority and Group Policies
- Part 3: EJBCA Administration
- Part 4: EJBCA Certificate Chain Deployment to Clients
- Part 5a: Configure Microsoft Auto Enrollment Servlet on Windows
- Part 5b: Configure Microsoft Auto Enrollment Servlet on Linux
- Part 6: Prevent Duplicate Certificates
- Auto Enrollment Troubleshooting
- Microsoft Intune Device Certificate Enrollment
- Script based Autoenrollment for Windows clients with EJBCA
- Subordinate HashiCorp Vault CA to EJBCA Root
- Integrating EJBCA with Graylog
- Issuing Certificates to Kubernetes Services using cert-manager
- Using CertBot to Issue Certificates with ACME to an Apache Web Server
- Versasec Card Management System Integration
- Ciphermail Email Gateway and EJBCA Integration
- Microsoft Smart Card Logon
- 3Key Dashboarding, Monitoring and Reporting Add-on
- 3Key RA Profiles Add-on
- EJBCA and Cisco ISE
- EJBCA and Cisco IOS
- OpenSSH and X509 Authentication
- Configure EJBCA with OpenSSO
- Setting up an Apache Web Server as a Proxy
- Setting up an Apache Web Server with mod_jk
- Setting up a HA Proxy in front of EJBCA
- EJBCA with GemSAFE Toolbox
- SensorNet PKI
Hardware Security Modules (HSM)
- Generic PKCS#11 Provider
- AEP Keyper
- ARX CoSign
- AWS CloudHSM
- AWS KMS
- Azure Key Vault
- Bull Trustway PCI Crypto Card
- Bull Trustway Proteccio
- Google KMS
- nCipher nShield/netHSM
- Nitrokey HSM
- SafeNet AT Luna
- SafeNet Luna
- SafeNet ProtectServer
- Unbound Key Control
- Utimaco CryptoServer
- Utimaco CryptoServer CP5
- YubiHSM 2
- Integrating with Third-Party Applications
- Troubleshooting Guide
Tutorials and Guides
- Quick Install Guide
- Migrating from other CAs to EJBCA
- Modifying EJBCA
- Enabling Debug Logging
- Creating a custom RA application using EJBCA Web Services and Java
- Using EJBCA as a Certificate Management System (CMS)
- Batch Creating Certificates
- Making an ASN.1 Dump of a Certificate
- Using the Demo Servlet
- Setting up Peer Connectors and OCSP
- Uncommon CA Workflows
EJBCA Release Information
EJBCA Release Notes
- EJBCA 7.4.1 Release Notes
- EJBCA 7.4 Release Notes
- EJBCA 22.214.171.124 Release Notes
- EJBCA 126.96.36.199 Release Notes
- EJBCA 188.8.131.52 Release Notes
- EJBCA 184.108.40.206 Release Notes
- EJBCA 7.3.1 Release Notes
- EJBCA 7.3 Release Notes
- EJBCA 220.127.116.11 Release Notes
- EJBCA 7.2.1 Release Notes
- EJBCA 7.2 Release Notes
- EJBCA 7.1 Release Notes
- EJBCA 7.0.1 Release Notes
- EJBCA 7.0.0 Release Notes
- EJBCA 18.104.22.168 Release Notes
- EJBCA 6.15.2 Release Notes
- EJBCA 6.15.1 Release Notes
- EJBCA 6.15 Release Notes
- EJBCA 6.14.1 Release Notes
- EJBCA 6.14 Release Notes
- EJBCA 6.13 Release Notes
- EJBCA 6.12 Release Notes
- EJBCA 6.11 Release Notes
- EJBCA 6.10 Release Notes
- EJBCA 6.9 Release Notes
- EJBCA 6.8 Release Notes
- EJBCA 6.7 Release Notes
- EJBCA 6.6 Release Notes
- EJBCA 6.5 Release Notes
- EJBCA 6.4 Release Notes
- EJBCA 6.3 Release Notes
- EJBCA 6.2 Release Notes
- EJBCA 6.1 Release Notes
- EJBCA 6.0 Release Notes
- EJBCA Release Notes Summary
- EJBCA Change Log Summary
EJBCA Upgrade Notes
- EJBCA 7.4.1 Upgrade Notes
- EJBCA 7.4 Upgrade Notes
- EJBCA 22.214.171.124 Upgrade Notes
- EJBCA 126.96.36.199 Upgrade Notes
- EJBCA 188.8.131.52 Upgrade Notes
- EJBCA 7.3.1 Upgrade Notes
- EJBCA 7.3 Upgrade Notes
- EJBCA 7.2.1 Upgrade Notes
- EJBCA 7.2 Upgrade Notes
- EJBCA 7.1 Upgrade Notes
- EJBCA 7.0.1 Upgrade Notes
- EJBCA 7.0 Upgrade Notes
- EJBCA 184.108.40.206 Upgrade Notes
- EJBCA 6.15 Upgrade Notes
- EJBCA 6.14 Upgrade Notes
- EJBCA 6.13 Upgrade Notes
- EJBCA 6.12 Upgrade Notes
- EJBCA 6.11 Upgrade Notes
- EJBCA 6.10 Upgrade Notes
- EJBCA 6.9 Upgrade Notes
- EJBCA 6.8 Upgrade Notes
- EJBCA 6.7 Upgrade Notes
- EJBCA 6.6 Upgrade Notes
- EJBCA 6.5 Upgrade Notes
- EJBCA 6.4 Upgrade Notes
- EJBCA 6.3 Upgrade Notes
- EJBCA 6.2 Upgrade Notes
- EJBCA 6.1 Upgrade Notes
- EJBCA 6.0 Upgrade Notes
- EJBCA Upgrade Notes Summary
- EJBCA Release Notes
OCSP Response Pre-Production
ENTERPRISE This is an EJBCA Enterprise feature.
Pre-produced OCSP responses (as described in RFC 6960 section 2.5) allow responses to be pre-produced and persisted before they are requested. This allows for increased throughput on the OCSP responders since signing responses commonly becomes a bottleneck during peak loads.
The following covers all aspects of setting up and managing pre-production of OCSP responses. For more conceptual information, see Pre-Produced OCSP Responses in OCSP.
Enabling OCSP Pre-Production
OCSP pre-production is enabled per CA level. Unless enabled, EJBCA will never serve or persist pre-produced responses for this CA.
To enable OCSP pre-production:
- Go to CA UI → Certification Authorities.
- Select CA and click Edit.
- Select Pre-produce OCSP Responses and click Save.
Store responses on-demand
Enabling Store Responses on-demand will persist a copy of OCSP Responses generated while requesting the status of certificates issued by this CA. The persisted response will be used to serve future requests for the same certificate until the response validity expires or a newer response is generated. If the persisted response nextUpdate field has passed the current date while requesting the certificate status, the responder will generate and store a new response in parallel with answering the request.
The response to an OCSP Request containing status requests for multiple certificates will not be persisted for future use since the number of possible permutations makes it unlikely to ever be reused.
There are two ways of generating pre-produced OCSP Responses. Either by allowing on-demand response generation (see Store responses on-demand) or by setting up an OCSP Response Pre-Signer service. Both approaches may be used at the same time.
- On-demand: Responses are persisted, upon request and used for future requests until it expires.
- OCSP Response Presigner: Generates, persists and updates responses for all certificates issued by the configured CAs.
For more information on the service worker, see OCSP Response Pre-Signer.
Cleaning up Responses
This functionality enables the periodical removal of old/expired responses stored by the OCSP Response Pre-signer. It removes all responses except the ones with the latest "
producedAt" for each response to the corresponding certificate.
When enabled, it runs on an interval schedule defined by every X days/hours/minutes.
To enable response cleanup:
- Click System Configuration → Basic Configuration.
- Select Activate for Enable OCSP Responses Cleanup in the OCSP Options section.
- Select an interval. Valid schedule interval values are:
- Days: [1-31]
- Hours: [1-23]
- Minutes: [1-59]
It is recommended to keep Enable OCSP Responses Cleanup enabled in environments where new responses are generated continuously with short expiration times (i.e. short nextUpdate times).
Publishing of OCSP Responses
Two types of publishers support publishing of OCSP responses, the Validation Authority Peer Publisher and the Validation Authority Publisher.
Like the Validation Authority Publisher, the Validation Authority Peer Publisher publishes issued certificates from an EJBCA CA to a VA, but over TLS using EJBCA Peer Systems. For more information about the publishers, see Validation Authority Peer Publisher and the Validation Authority Publisher.
Validation Authority Peer Publisher
To allow publishing OCSP responses on a VA, create a Validation Authority Peer Publisher configured according to the following example.
Note that the option Store OCSP Responses at the Validation Authority must be enabled in order for the responses to get published.
The Publisher Queue configuration works similarly to CRLs and certificates. If the option Use queue for OCSP responses is enabled, then if something goes wrong while publishing the responses to the VA, the responses will get queued waiting for the next round of queue processing.
Validation Authority Publisher
To use the Validation Authority Publisher, create a Validation Authority Publisher configured according to the following example.
Enabling Store OCSP Responses at the Validation Authority results in publishing the OCSP responses using the Data Source set in the Validation Authority Publisher configuration. For more information on VA Publisher settings, see Validation Authority Publisher.
Note that according to the implementation, publishing of OCSP responses occurs asynchronously and right after creating the OCSP response, signing it and returning the response to the client.
Generally, EJBCA will not persist responses containing extensions with the exceptions of the extensions below. However, such requests will still be server as usual when no stored response exists. That is, a new response will be generated for those requests.
Having "pre-produced" responses enabled will still allow the client to send a request with the nonce extension. However, the responder will ignore that and send a response back without the nonce extension. This is because each nonce is only valid for that specific request and it cannot be served to other clients. Hence it does not make sense to persist the response for future use.
If Archive Cutoff is configured for the responder, it will also be used while pre-producing responses for it. That is, the behavior is unchanged compared to not using pre-produced responses. For more information, see Archive Cutoff.
Issuing Final OCSP Responses
According to ETSI EN 319 411-2 (CSS-6.3.10-09), Trust Service Providers (TSPs) may compute a last OCSP answer for each and every issued certificate when the CAs certificate is about to expire. This is in practice done by generating responses with 'nextUpdate' set to '99991231235959Z', sign and persist them before the CA expires. The OCSP Response Pre-Signer service can be used to perform such an operation.
Since signing responses for every certificate issued by a CA may be very time consuming and cause high HSM load, this should be done well in advance of the CA expiration date. The time interval can be configured using the Time Before CA Expires input field. Once a final OCSP response has been issued for a certificate, no new responses will be persisted for that certificate. For more information on the service settings, see OCSP Response Pre-Signer.