Command Line Interfaces
The following EJBCA Command Line Interfaces (CLI) are available:
- EJBCA Client Toolbox: Set of tools built as a stand-alone package, which can be put on any machine and run independently of EJBCA. Includes a Web Service Interface.
- EJBCA Validation/Conformance Tool: Allows running tests on issued certificates or OCSP responses to see that they match the configured criteria.
- Local Command Line Interface (EJBCA CLI): The Local CLI can be run directly on the CA machine and contains many functions that can be used in scripts, or come to the rescue when your Admin certificate has expired, or you have accidentally revoked your Admin privileges for the Admin GUI.
- Local Database CLI: Direct database access, including export, import, copy, audit log verification and OCSP monitoring.
- CAA Lookup Tool: Providing additional verification, fallback and troubleshooting for the built-in CAA Validator.
- P11NG-CLI: PKCS#11 tool used for interaction with the p11-ng provider. Supports key generation, key authorization (Utimaco CP5 specific) and more.
Local Command Line Interface (EJBCA CLI)
The Local CLI can be run directly on the CA machine and contains many functions that can be used in scripts, or come to the rescue when your Admin certificate has expired, or you have accidentally revoked your Admin privileges for the Admin GUI.
EJBCA has command line interfaces to both the CA and RA, as well as some other operations.
To list available commands, run the CLI using for example:
To list available options for a specific command, run the command without any options, for example:
bin/ejbca.sh ra addendentity
To access usage information for certain commands that do not take parameters, provide the -? option.
Note that when providing files as input to the CLI it is advisable to use full path names, as the working directory may not be what you expect.
The local CLI uses the following return codes to facilitate scripting:
- 0 - Normal exit.
- 1 - Functional failure, command was entered correctly but failed for some other reason.
- 2 - Authentication failure.
- 3 - CLI failure, command failed due to incorrect parameter use.
Local CLI Authentication
By default, the CLI authenticates using a standard user defined in ejbca.properties. If this user is disabled on the server, all CLI operations require authentication, provided by appending the following flags to the argument list:
-u <username> -p
which causes the console to prompt for the password. If the password must instead be included on the command line, such as from a script, it can be specified using the following flags:
-u <username> --clipassword=<password>
You can also specify that the password is provided as the first line of a file, which can be useful for scripting. To do so, prefix the file name with 'file:':
-u <username> --clipassword=file:<filename>
where <filename> is a file, for example /tmp/pwd.txt, containing the password on a single line.
An example CLI command to list CAs can look like:
bin/ejbca.sh ca listcas -u ejbca --clipassword=file:/tmp/pwd.txt
Command line users are authenticated from the existing list of End Entities and are granted the same rights. You can find the default CLI user in the Super Administrator Role listed under Administrator Roles after a default install or upgrade. You can add new CLI users by adding an end entity and adding a member to a Role using the CLI:Username authentication token.
Deleting this user or revoking all its privileges makes it impossible to use the CLI for any operation that requires administrator rights including renewing the Super Administrator certificate. Make sure to renew the administrator certificates using the Admin Web before they expire!
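The following is an added example, not part of the EJBCA documentation, showing how the two pieces above fit together in a script: the password-file form of CLI authentication and the documented return codes. It assumes EJBCA is installed under EJBCA_HOME (default /opt/ejbca is an assumption) and that the CLI user is the default "ejbca" user; the password value in the usage comment is constructed. The password file is created with owner-only permissions because a file such as /tmp/pwd.txt is world-readable under the usual default umask, and the --clipassword=<password> form is avoided because a password on the command line is visible to other local users in the process list.

```shell
#!/bin/sh
# Added example (not from the EJBCA documentation): wrapper for scripting the
# local CLI with a password file and the documented return codes 0..3.
# Assumptions: EJBCA_HOME is the install directory; the CLI user is the
# default "ejbca" user. Both can be overridden in the environment.

: "${EJBCA_HOME:=/opt/ejbca}"     # assumption: install location
: "${EJBCA_CLI_USER:=ejbca}"      # default CLI user defined in ejbca.properties

# Write the CLI password as a single line to FILE with mode 600, so that no
# other local user can read it. The umask change is scoped to a subshell.
write_cli_password_file() {
    file="$1"; password="$2"
    ( umask 077; printf '%s\n' "$password" > "$file" )
    chmod 600 "$file"
}

# Translate a CLI return code into the meaning documented above.
ejbca_rc_message() {
    case "$1" in
        0) echo "ok" ;;
        1) echo "functional failure" ;;
        2) echo "authentication failure" ;;
        3) echo "incorrect parameter use" ;;
        *) echo "unknown return code $1" ;;
    esac
}

# Run one CLI command (e.g. "ca listcas") authenticating with the password
# file PWFILE. The CLI's own return code is passed through so callers can
# branch on it; a short description is logged on stderr.
run_ejbca() {
    pwfile="$1"; shift
    "$EJBCA_HOME/bin/ejbca.sh" "$@" -u "$EJBCA_CLI_USER" --clipassword="file:$pwfile"
    rc=$?
    echo "ejbca.sh $*: $(ejbca_rc_message "$rc")" >&2
    return "$rc"
}

# Usage (constructed values):
#   write_cli_password_file /root/.ejbca-cli-pw 'constructed-secret'
#   run_ejbca /root/.ejbca-cli-pw ca listcas || exit $?
```

A return code of 2 (authentication failure) from run_ejbca usually means the CLI user has been disabled, its privileges have been revoked, or Enable Command Line Interface Access has been cleared; a script should stop there rather than retry, since repeated failures only add audit-log noise.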
Disabling the Command Line Interface
You can disable the command line interface to prevent a user running operations that require authorization. Go to System Functions>System Configuration and clear the option Enable Command Line Interface Access to disable performing operations requiring authorization from the command line interface.
Unlike removing the CLI user's privileges in Administrator Roles, the Enable Command Line Interface Access option lets you switch the CLI on and off at any time, as long as you have access to the Admin GUI.
Disabling Enable Command Line Interface Access makes it impossible to use the CLI for any operation that requires administrator rights, including renewing the Super Administrator certificate. Make sure to renew the administrator certificates using the Admin Web before they expire!
After changing this property, you may need to select Clear All Caches or run the following CLI command:
$ bin/ejbca.sh clearcache -all
Local Database CLI
This is an EJBCA Enterprise feature.
You can build and run the local database CLI using the commands:
$ ant ejbca-db-cli
$ cd dist/ejbca-db-cli
$ ./run.sh
The CLI contains commands for directly accessing a database: export, import, copy, audit log verification and OCSP monitoring. Run the command to get a description of all available commands.
To verify database protection, make sure that you have conf/databaseprotection.properties configured. If you are using database protection for your CA, you can use the same file.
For verification, you can also use a verification token without the private key, so that verification can be done on a host other than the CA. The file conf/databaseprotection.properties.sample provides example configuration and documentation for the various options.
You can also use the DB tool to add database protection to an installation that was originally set up without it:
- Shut down EJBCA
- Configure databaseprotection.properties and build ejbca-db-cli (so the properties file is included in dist/ejbca-db-cli/conf)
- Export the database with db-cli
- Drop the database
- Import the database with db-cli
CAA Lookup Tool
This is an EJBCA Enterprise feature.
Full CAA support is provided for CAs through the built-in CAA Validator. For additional verification, fallback and troubleshooting, a command line tool is also provided that uses the same underlying code to perform CAA requests from the command line. To build this tool and see how it works, run:
$ ant ejbca-caa-cli
$ java -jar dist/caa-cli/caa-cli.jar --help