Get started with EJBCA Community container on Azure

Learn how to get started with the EJBCA Community edition container on the Azure Marketplace.

In this guide, you will learn to:

• Subscribe to EJBCA Community edition in the Azure Marketplace

• Pull EJBCA Community container
• Start EJBCA Community container
• Generate administrator certificate
• Import certificate into browser
• Access EJBCA

Prerequisites

Before you begin, you need Docker running in the background. To download and install Docker, refer to docker.com.

To pull the container image, you will also need to have the Azure CLI installed. For instructions, refer to the Azure documentation on How to install the Azure CLI.

Step 1 - Subscribe to EJBCA Community in the Azure Marketplace 

Before you pull a container image from the Azure Marketplace, you must subscribe to the container image to the Azure Container Registry.

1. Browse to the Azure Marketplace and search for "EJBCA Community Edition". 
2. Click Get It Now to start the subscription process to the EJBCA Community container in Azure:
   
   
3. Optionally review your profile information, and click Continue.
4. Specify the following details in the subscription information:
   
   • Subscription: Subscription used to subscribe to EJBCA Community
   • Azure Container Registry: Create new registry, or use an existing one your organization may already have
   • Resource Group: The group for the subscription and registry to exist in. Create a new one or use an existing group.
   • Location: Location to deploy the above resources
   • Tag: Select a specific version or choose to automatically grab the latest version in the Azure registry. Enrolling for Auto Update will push newer tags or digest updates of the container image to your Azure Container Registry.
     
     
5. Click Subscribe. Once completed, a message notifies you that the subscription and container registry have been created.
   
6. Navigate to the resource group where the container registry was deployed. In this example, "ejbcacommunitydemo". 
   
   
7. Select the container registry ejbcacommunitydemo, and then click the menu option Access keys.
   
8. Enable Admin user and make a copy of the registry name as well as the password that was generated. You will use these credentials when logging into the container registry before pulling the EJBCA Community container in the next step.
   
   

Step 2 - Pull EJBCA Community container

To pull the EJBCA Community container, open a terminal with Azure CLI installed. For installation instructions, refer to the Azure documentation on How to install the Azure CLI.

1. Open a terminal with Azure CLI installed and login to the Container Registry that was created.
   

   az acr login -n ejbcacommunitydemo

   CODE
   • Log in with the username and password from the Access Keys section of the Container Registry (in step 8 above).
     

2. Pull the docker image using the docker pull command along with the registry name that was created previously.
   

   docker pull ejbcacommunitydemo.azurecr.io/primekey/ejbca-ce:latest

   CODE
3. Depending on your internet connection, the download could take a couple of minutes. Once complete, the output will say Pull complete.

Step 3 - Start EJBCA Community container

The following describes how to start the container with client certificate authenticated access and using parameters such as exposing ports to the localhost.

1. Start the container with the container hostname set to "localhost":
   

   docker run -it --rm -p 80:8080 -p 443:8443 -h localhost -e TLS_SETUP_ENABLED="true" ejbcacommunitydemo.azurecr.io/primekey/ejbca-ce:latest

   CODE
2. The end of the output is similar to the following, displaying the URL, username, and password to use to enroll for the initial SuperAdmin client certificate:
   
   

EJBCA is now up and running and has generated a Management CA (used to manage internal PKI in EJBCA) as well as an initial super administrator with full rights.

Step 4 - Generate administrator certificate

To access the EJBCA CA UI, the SuperAdmin credentials need to be retrieved from the server and installed in your browser. We recommend using Mozilla Firefox as it has self-enrollment capabilities and its own keystore separate from the operating system.

The P12 (PKCS#12 file) referred to in the console output above is a key pair that will be generated by the EJBCA server when accessing the provided URL. The P12 format contains the private key, a certificate signed by the Management CA containing the public key, and is encrypted and password protected. It is with these credentials you will be able to generate additional administrators and users, CAs, and profiles, and therefore you mustn't lose these credentials.

To generate the super admin credentials:

1. To generate the P12, copy the URL from the console output and paste it into your browser.
2. A browser warning is shown as you have not added the Management CA to the list of trusted roots in your certificate store (nor will you need to for this example). Accept this warning by clicking Advanced and then clicking through the warning.
   
3. On the EJBCA RA Web Enrollment page, enter the username "superadmin" (case sensitive) and the password from the console output and click OK.
   
   

4. On the Finalize Enrollment page, select a key algorithm and length in the Key algorithms list, for example, RSA 2048 bits, and click Enroll to generate a file named superadmin.p12 and download the file. 
   
   

Step 5 - Import certificate into browser

To access the EJBCA CA UI, import the downloaded SuperAdmin certificate into your web browser.

The procedure for importing a certificate may vary. This example describes how to import a certificate to Mozilla Firefox.

To import the certificate in Mozilla Firefox:

1. On the Firefox menu, select Preferences.
2. Click Privacy & Security.
3. In the Security section, click View Certificates.
4. On the Your Certificates tab, select Import.
5. Browse to the downloaded P12 keystore (superadmin.p12 file) to import and select the file.
6. Enter the password provided in the console output, and click Sign in.
7. On the Mozilla Firefox tab Your Certificates, verify that the certificate was imported, and then click OK.

Step 6 - Access EJBCA

Next, point your browser to https://localhost/ejbca/adminweb/ to access EJBCA using the imported certificate.

EJBCA CA UI opens displaying the administration page.

Next steps

In this guide, you learned how to start an EJBCA Community container on Azure and download and install the administrator certificate to access EJBCA.

To learn how to create basic profiles and issue a client authentication certificate in EJBCA, you can follow the tutorial Issue Client Authentication Certificate using EJBCA.

To find out more about EJBCA use cases, see Solution Areas.