Roles and Access Rules Operations
The following describes how to work with roles and access rules. For more information on the general concepts, see Roles and Access Rules Overview.
Managing Role Namespaces
See main page: Managing Role Namespaces
Creating a New Administrator
Follow the steps below to create a new Administrator certificate, add this Administrator to a role, and test the access.
Creating a Certificate Profile for the Administrator
Follow the steps below to create a new Certificate Profile for administrators. The administrators' certificates will be issued by a CA called ManagementCA.
- Under CA Functions, click Certificate Profiles.
- Click Clone for the profile named ENDUSER.
- Enter AdministratorEndEntityCertificateProfile as the new name and click Create from Template.
- Click Edit for the new profile.
- Under Validity, enter 365d (1 year validity).
- Under Key usage, choose Digital Signature and Key encipherment (Ctrl+Click to select multiple).
- Clear Allow Key Usage Override.
- Select Use Extended Key Usage.
- Under Extended Key Usage, choose Client Authentication.
- Under Available bit lengths, choose "1024 bit", "2048 bit" and "4096 bit".
- Under Available CAs, choose ManagementCA (the CA you use to issue Administrator certificates).
- Click Save.
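As an added example (not part of the EJBCA documentation), the following Python script checks an issued administrator certificate against the profile settings above by reading the text that `openssl x509 -noout -text` prints; the sample excerpt is constructed and the helper names are my own.

```python
import re
from datetime import datetime

# Constructed excerpt of `openssl x509 -noout -text -in admin.pem` output for a
# certificate issued under the profile above (names, key size and dates are made up).
SAMPLE_CERT_TEXT = """\
        Issuer: CN=ManagementCA,O=Example,C=SE
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Dec 31 00:00:00 2024 GMT
        Subject: UID=admin1,CN=SoftCard RA Admin1,O=Example,C=SE
                Public-Key: (2048 bit)
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Client Authentication
"""
PROFILE_KEY_USAGE = {"Digital Signature", "Key Encipherment"}
PROFILE_BITS = {1024, 2048, 4096}
PROFILE_MAX_DAYS = 365   # the profile's 365d validity

def _field(text, label):
    # value on the same line as "label:" (used for Not Before / Not After)
    m = re.search(re.escape(label) + r"\s*:\s*([^\n]+)", text)
    return m.group(1).strip() if m else ""

def _ext(text, name):
    # comma-separated values on the line following an extension header
    m = re.search(re.escape(name) + r":[^\n]*\n[ \t]*([^\n]+)", text)
    return {p.strip() for p in m.group(1).split(",")} if m else set()

def check_admin_cert(text):
    """Return deviations from the administrator profile; an empty list means it conforms."""
    findings = []
    ku = _ext(text, "X509v3 Key Usage")
    if ku != PROFILE_KEY_USAGE:
        findings.append(f"key usage {sorted(ku)} differs from the profile")
    if "TLS Web Client Authentication" not in _ext(text, "X509v3 Extended Key Usage"):
        findings.append("Client Authentication extended key usage is missing")
    bits = int(m.group(1)) if (m := re.search(r"Public-Key: \((\d+) bit\)", text)) else 0
    if bits not in PROFILE_BITS:
        findings.append(f"key size {bits} is not allowed by the profile")
    elif bits == 1024:
        findings.append("1024-bit key is allowed by the profile but weak for an administrator")
    fmt = "%b %d %H:%M:%S %Y GMT"
    days = (datetime.strptime(_field(text, "Not After"), fmt)
            - datetime.strptime(_field(text, "Not Before"), fmt)).days
    if days > PROFILE_MAX_DAYS:
        findings.append(f"validity of {days} days exceeds the profile's {PROFILE_MAX_DAYS}d")
    return findings
```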
Creating an End Entity Profile for the Administrator
Follow the steps below to create a new End Entity Profile for Administrators. The profile will be connected to the Certificate Profile created above.
- Under RA Functions, click Edit End Entity Profiles.
- Enter a name for your end entity profile, AdministratorEndEntityProfile.
- Click Create.
- Select AdministratorEndEntityProfile and click Edit End Entity Profile.
- Under the Subject DN Fields, add DN fields for the Admin DN, for example O, UID and C.
- Under Default Certificate Profile, choose AdministratorEndEntityCertificateProfile.
- Under Available Certificate Profiles, choose AdministratorEndEntityCertificateProfile.
- Under Default CA, choose ManagementCA.
- Under Available CAs, choose ManagementCA.
- Click Save.
Issue the following new end entity based on the new end entity profile:
CN: SoftCard RA Admin1.
Creating a new RA Role
Follow the steps below to create an RA Administrator role with access to add/list/edit end entities:
- Under System Functions, click Administrator Roles.
- Click Add.
- Choose a name for your new administrator group, RAAdministratorRole.
- When the group is created, click Access Rules.
- Choose the RA Administrator role template.
- Under Authorized CAs, choose which CAs the role should have access to and select ManagementCA.
- Under Edit End Entity Profiles, select AdministratorEndEntityProfile.
- Click Save.
Adding new Administrators to the RA Role
Follow the steps below to add new administrators to the RA role:
- Choose Search > Edit End Entities, select your newly created end entity, and choose View Certificates.
- Copy the value of Certificate Serial Number, e.g. 5F003A0113F507F9.
- Go to Administrator Roles, click Administrators under RAAdministratorRole.
- Choose the CA that the administrator belongs to, ManagementCA.
- Paste the serial number copied above into the Match value field.
- Click Add.
In EJBCA Enterprise Edition, it is also possible to add a new administrator to an existing role by using the WS API call addSubjectToRole in your application or with the Web Services CLI.
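As an added example (not from the EJBCA documentation), this Python snippet normalizes serial numbers as different tools print them so that the Match value compares equal to the certificate's serial, and lists role members that match no currently active certificate; the role members, certificates and function names are constructed.

```python
import re

# Constructed role members as entered under Administrator Roles > Administrators
# (CA plus the certificate serial number used as Match value); values are made up.
ROLE_MEMBERS = [
    {"ca": "ManagementCA", "match_value": "5F003A0113F507F9"},
    {"ca": "ManagementCA", "match_value": "00C4FE"},   # certificate since renewed
]
# Constructed list of certificates currently active under ManagementCA, with the
# serial as different tools print it (openssl -serial, colon-separated, 0x-prefixed).
ACTIVE_CERTS = [
    {"issuer_ca": "ManagementCA", "serial": "serial=5f003a0113f507f9"},
    {"issuer_ca": "ManagementCA", "serial": "0x1a:2b:3c"},
]

def normalize_serial(value):
    """Canonical form of a serial number: uppercase hex without prefix, separators or
    leading zeros, so that values copied from different tools compare equal."""
    s = re.sub(r"^\s*serial\s*=\s*", "", value.strip(), flags=re.IGNORECASE)
    s = re.sub(r"^0x", "", s, flags=re.IGNORECASE).replace(":", "").replace(" ", "")
    if not re.fullmatch(r"[0-9A-Fa-f]+", s):
        raise ValueError(f"not a hexadecimal serial number: {value!r}")
    return format(int(s, 16), "X")

def member_matches(member, cert):
    """A role member applies to a certificate only if both the issuing CA and the
    serial number agree (serial numbers are unique per CA, not across CAs)."""
    return (member["ca"] == cert["issuer_ca"]
            and normalize_serial(member["match_value"]) == normalize_serial(cert["serial"]))

def stale_members(members=ROLE_MEMBERS, certs=ACTIVE_CERTS):
    """Role members that match no currently active certificate; such entries should be
    removed or updated (a renewed certificate has a new serial number)."""
    return [m for m in members if not any(member_matches(m, c) for c in certs)]

if __name__ == "__main__":
    for m in stale_members():
        print("stale role member:", m["ca"], m["match_value"])
```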
Test the new Administrator
Log in as the new administrator to view the differences between that administrator and the super administrator. Additionally, try the different roles and privileges to see the differences between them.
The authorization privileges are cached, so there will be a slight delay before a rule change takes effect.
Renewing the Super Administrator
Renewing the SuperAdmin certificate is done in the same way as for any client certificate. You can reset your SuperAdmin credentials when expired using either the Admin GUI or the CLI.
The SuperAdmin certificate is normally issued as a PKCS#12 keystore, unless it is issued as a browser certificate for smart card enrollment.
Renewing SuperAdmin Using the Admin GUI
To renew SuperAdmin using the Admin GUI, do the following:
- Go to Search/Edit End Entities and search for user superadmin.
- Click Edit End Entity.
- Set a new password, set the status to NEW, and click Save.
- Go to EJBCA Public Web and click Create Keystore.
- Enter the username superadmin, and the password set in step 3.
- In the next screen, select key length 2048 and click OK.
Your new superadmin keystore is downloaded and you can install it in your browser.
Renewing SuperAdmin Using the CLI
To renew SuperAdmin using the CLI, do the following:
- Access your EJBCA server CLI.
- Run the following to reset the status of the SuperAdmin End Entity:
bin/ejbca.sh ra setendentitystatus superadmin 10
- Run the following to reset the password. This password is used to protect the superadmin.p12 file and is set to password in the following example:
bin/ejbca.sh ra setclearpwd superadmin password
- Run the batch command to process the request from the CLI. The batch command outputs the file to the directory /ejbca/p12.
Your new SuperAdmin keystore is generated and stored in the subdirectory /ejbca/p12. The password is set according to what you specified using the setclearpwd command in step 3 above.
Using Client Certificates Issued by External CAs
Administrator certificates in EJBCA can be issued by a CA other than a CA in the same installation. This can for example be useful if you want to use a national ID for administration of an organizational PKI.
To use a certificate issued by an external CA as Administrator, do the following:
- Add the CA certificate to p12/truststore.jks with:
keytool -import -trustcacerts -file externalca.pem -keystore p12/truststore.jks -storepass changeit -alias externalca
- Redeploy the EJBCA truststore using ant deploy-keystore and restart the application server to make sure the new truststore is in use.
- Import the CA-certificate under CA UI > Certificate Authorities > Import CA Certificate or use the CLI.
- Add the Administrator to the desired role under CA UI > Administrator Roles.
- To allow administrators to log in when their certificates are not present in the EJBCA database, set web.reqcertindb=false in conf/web.properties.
Installing EJBCA with External Administrators
You can install an EJBCA instance from scratch, with a certificate from an external CA as the initial SuperAdmin certificate.
Start with deploying EJBCA as usual with ant deploy, but instead of running ant install, run the following to import the certificate of the external Administration CA and initialize the authorization system of EJBCA:
bin/ejbca.sh ca importcacert ManagementCA ManagementCA.cacert.pem -initauthorization -superadmincn SuperAdmin
You need to configure TLS and the truststore of the application server yourself, or if you have a p12/tomcat.jks and p12/truststore.jks this can be done for you on JBoss by ant deploy-keystore, in the same way as configuring TLS as described in Application Servers.
The initial administrator that is set up has DN CN=SuperAdmin, but you can change this using the -superadmincn option (run bin/ejbca.sh ca importcacert for documentation). You can also run the bin/ejbca.sh admins command for information on how to configure other admins.
After this command is run and TLS is correctly configured, you can log in to EJBCA and create your CAs in the CA UI. No initial CA is created for you.