Installation and Deployment
The following provides information for troubleshooting installation and deployment issues. To view general troubleshooting tips and search for troubleshooting topics, see EJBCA Troubleshooting.
I get timeouts and/or errors during startup of JBoss/WildFly 10
Ensure that the application server has more than one core, enough CPU (otherwise timeouts will occur) and enough memory (too little memory also slows down the system).
Ensure that the database indexes are applied; otherwise, database searches become very slow as your database grows.
The following SQL file, ready to run on your database, contains the set of recommended database indexes:
For more information, see Creating the Database.
I get an error with "Java heap space" when building EJBCA (during ant deploy)?
This error occurs because the default maximum memory allocation for Java is set too low in your environment.
My installation failed for some reason that is now fixed, how do I proceed?
The best way to recover is usually to start over from scratch:
- Stop JBoss
- Make sure the database is clean
- Deploy and install EJBCA
- Stop JBoss and check that it stops without problems
- Start JBoss and check that it starts without problems
- Remove the old superadmin.p12 from your browser and import the newly generated one
I get errors during 'ant deployear' or 'ant runinstall'.
This is most often caused by a database configuration error. In the server log (JBOSS_HOME/standalone/log/server.log) you will probably see SQLException errors. You should then:
- Make sure the settings in conf/database.properties are correct
- Make sure your configuration of the database in JBoss/WildFly is correct
- Follow the guidelines from "My installation failed for some reason that is now fixed, how do I proceed?"
See the configuration and troubleshooting section in doc/howto/HOWTO-database.txt for additional database related information.
I get an error with "Illegal key length" when using EJBCA?
This is because you are using Oracle JDK (instead of OpenJDK) and have not installed the "Unlimited Strength Crypto Policy Files". See the prerequisites section in the installation guide. Even if you believe you have installed them, you have not: this error has a single, unambiguous cause.
It may also be that you are enrolling for a certificate with a public key that is shorter than the minimum key length specified in the Certificate Profile.
After an upgrade I get a "java.lang.NoSuchMethodError" error accessing the UI.
JBoss is bad at cleaning up temporary files, so sometimes we have to help. Remove the directory JBOSS_HOME/standalone/tmp and restart JBoss.
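As an added example (not part of the EJBCA documentation), the following POSIX shell function scans a JBoss/WildFly server.log for the error strings the entries above describe (SQLException, "Illegal key length", java.lang.NoSuchMethodError, "Java heap space") and prints the remedy this page gives for each; the function names and output format are assumptions, and the log lines in demo_triage are constructed.

```shell
# Added example, not part of the EJBCA documentation: scan a JBoss/WildFly
# server.log for the error signatures covered on this page and print the
# remedy each one points to. Function names and output format are assumptions.

# Usage: triage_server_log /path/to/server.log
# Prints "<signature> x<count> (first at line N) -- <remedy>" per signature found.
# Returns 0 for a clean log, 1 if a known signature was found, 2 if unreadable.
triage_server_log() {
    log="$1"
    [ -r "$log" ] || { echo "cannot read $log" >&2; return 2; }
    hits=0
    # One "signature|remedy" entry per troubleshooting item above; grep -F
    # matches the signature as a fixed string, so no regex escaping is needed.
    while IFS='|' read -r sig hint; do
        [ -n "$sig" ] || continue
        n=$(grep -c -F -- "$sig" "$log" || true)
        if [ "$n" -gt 0 ]; then
            first=$(grep -n -F -- "$sig" "$log" | head -n 1 | cut -d: -f1)
            hits=$((hits + 1))
            printf '%s x%s (first at line %s) -- %s\n' "$sig" "$n" "$first" "$hint"
        fi
    done <<'EOF'
SQLException|database configuration: check conf/database.properties and the JBoss/WildFly datasource, then start over from a clean database
Illegal key length|Oracle JDK without the Unlimited Strength Crypto Policy Files, or the enrolled public key is shorter than the Certificate Profile requires
java.lang.NoSuchMethodError|stale temporary files after an upgrade: remove JBOSS_HOME/standalone/tmp and restart JBoss
Java heap space|maximum Java memory allocation too low for the build (ant deploy)
EOF
    if [ "$hits" -eq 0 ]; then return 0; else return 1; fi
}

# Demo on a constructed log (not a real EJBCA log): two SQLException lines and
# one NoSuchMethodError should give two triage lines and return status 1.
demo_triage() {
    tmp=$(mktemp)
    cat >"$tmp" <<'EOF'
2020-09-01 10:00:01,000 INFO  [org.jboss.as] (MSC service thread 1-2) WildFly starting (constructed sample)
2020-09-01 10:00:05,120 ERROR [org.jboss.as.controller] (Controller Boot Thread) java.sql.SQLException: Access denied for user 'ejbca' (constructed sample)
2020-09-01 10:00:05,121 ERROR [org.jboss.as.controller] (Controller Boot Thread) java.sql.SQLException: Could not create connection (constructed sample)
2020-09-01 10:01:00,000 ERROR [org.ejbca] (default task-1) java.lang.NoSuchMethodError: constructed.Sample.method()V
EOF
    rc=0
    triage_server_log "$tmp" || rc=$?
    rm -f "$tmp"
    return $rc
}
```

Run `demo_triage` to see the two triage lines; on a real system, point `triage_server_log` at JBOSS_HOME/standalone/log/server.log after a failed deploy or startup.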
During the build process I get errors like: BUILD FAILED /usr/ejbca/build.xml:789: java.lang.ExceptionInInitializerError
You probably have ant pre-installed as a package from Fedora or SUSE. Those pre-installed packages do not contain all the default ant modules. You need the "optional tasks" included in the official ant distribution. Either add the modules to the installed ant, or download the latest ant from http://ant.apache.org/.
A simple fix is to change /etc/ant.conf to point to your user-installed ant (in /your/ant/home). Change from:
#
# ant.conf (Ant 1.6.x)
# JPackage Project (http://www.jpackage.org/)
#
# Validate --noconfig setting in case being invoked
# from pre Ant 1.6.x environment
if [ -z "$no_config" ] ; then
  no_config=true
fi
# Setup ant configuration
if $no_config ; then
  # Disable RPM layout
  rpm_mode=false
else
  # Use RPM layout
  rpm_mode=true
  # ANT_HOME for rpm layout
  ANT_HOME=/usr/share/ant
fi
to:
#
# ant.conf (Ant 1.6.x)
# JPackage Project (http://www.jpackage.org/)
#
# Validate --noconfig setting in case being invoked
# from pre Ant 1.6.x environment
if [ -z "$no_config" ] ; then
  no_config=true
fi
# Setup ant configuration
if $no_config ; then
  # Disable RPM layout
  rpm_mode=false
else
  # Use RPM layout
  rpm_mode=false
  # ANT_HOME for rpm layout
  ANT_HOME=/your/ant/home
fi
For Ubuntu, things are much easier: just run 'sudo apt-get install ant' and 'sudo apt-get install ant-optional'.
Where is the log file stored for tracking errors and debug information?
How do I configure log level in JBoss?
You can configure logging in JBoss through the JBoss CLI so that the log level can be changed dynamically, without restarting the server.
For production systems, INFO log level is recommended:
To later enable DEBUG log level, if needed, use the following:
/subsystem=logging/logger=org.ejbca:write-attribute(name=level, value=DEBUG)
/subsystem=logging/logger=org.cesecore:write-attribute(name=level, value=DEBUG)
For more information on application server-specific instructions, see Application Servers.
How do I modify the Public Web pages?
You can add your own static pages under http://hostname:8080/ejbca/ by doing the following:
- Put your files (static HTML is easy) under
- Do a full build.
For more information, see Customizing the User Interface.
I get an error message when accessing the CA UI
Problem: Error message "Could not establish an encrypted connection because your certificate was rejected ... Error code: -12224" when accessing the CA Web.
- Make sure you have imported the correct superadmin.p12 into your browser.
- You may have to delete and import the CA certificate in your application server trust-store by running the following:
- You can also import another CA than the initial ManagementCA (My CA in the example), using the following command:
ant -Dca.name="My CA" javatruststore
Make sure you restart JBoss after making changes to the java trust store.
Perhaps the JBoss configuration was not done automatically because you are running a configuration other than 'default' in JBoss. Generally, the server configuration is located in the file
Also, the file $EJBCA_HOME/p12/tomcat.jks must be copied to
$JBOSS_HOME/standalone/configuration/keystore/keystore.jks, where 'standalone' should be replaced with the JBoss configuration you are using.
I get a blank page on the UI after start?
Either you entered a hostname during setup (httpsserver.hostname in web.properties) that does not resolve to the machine where EJBCA is running, or you changed the port that JBoss listens on. Make sure the hostname resolves to the machine EJBCA is running on.
When running 'ant runinstall' or creating JKS or PKCS12 files, you cannot use a password longer than 7 characters; anything longer gives an error?
Note that this is only relevant to Oracle JDK. OpenJDK does not have this restriction.
If you want to use strong crypto and/or keystore passwords longer than 7 characters, you must install the 'Unlimited Strength Jurisdiction Policy Files' for the JDK. The policy files can be found at the same place as the JDK download. Further information can be found in the Sun documentation on the JCE.
How do I manipulate EJBCA-keystores using JAVA's keytool?
EJBCA supports the PKCS12 format for the keystore because it is a standard, and we like standards. Normally keytool (e.g. Java's) can read PKCS12 files but not write them, so the BouncyCastle JCE provider is needed to handle PKCS12 keystores:
keytool -list -alias privateKey -keystore server.p12 -storetype PKCS12 -storepass foo123 -provider org.bouncycastle.jce.provider.BouncyCastleProvider -providerpath $EJBCA_HOME/lib/bcprov-jdk15on-159.jar
It should also be possible to import certificates and perform other operations using keytool in the same way.
How do I make a keystore using keytool with a real certificate from EJBCA?
First generate a new keystore and a key pair:
$ keytool -genkey -alias mykey -keystore myks.jks -keyalg RSA -dname c=SE,O=AnaTom,CN=Test -keypass foo123 -storepass foo123
Your Sun keystore is now in the file 'myks.jks'. Next, generate a certification request (PKCS10):
$ keytool -certreq -alias mykey -sigalg SHA1WithRSA -file myreq.p10 -keypass foo123 -keystore myks.jks -storepass foo123
You now have the certification request in the file 'myreq.p10'. Open the EJBCA request page in your favorite browser, 'http://127.0.0.1:8080/ejbca', and select the link for not having a browser. Download the Root CA certificate by clicking on the link and save it as 'ca.pem'. Enter the username and password of a valid user with status NEW (see the question 'Why do I get the exception/error:' above). Copy and paste the contents of the certification request 'myreq.p10' into the text field, and save the returned certificate as 'cert.pem'.
Next import the Root CA certificate into the keystore 'myks.jks':
$ keytool -import -alias cacert -file ca.pem -keystore myks.jks -storepass foo123
Import the certificate reply into the keystore:
$ keytool -import -alias mykey -file cert.pem -keystore myks.jks -storepass foo123 -keypass foo123
Now you can take a look at your Sun keystore with:
$ keytool -list -keystore myks.jks
In theory, you can use the same method with a BouncyCastle PKCS12 keystore by adding the following arguments to every command above:
-provider org.bouncycastle.jce.provider.BouncyCastleProvider -storetype PKCS12 -providerpath $EJBCA_HOME/lib/bcprov-jdk15on-161.jar
Unfortunately, a bug in keytool currently prevents this from working properly, so we recommend using 'bin/ejbca.sh ca' to create PKCS12 keystores. It can be used to create keystores in general, not just for CAs.