Migrating an OpenSSL CA to EJBCA

An OpenSSL based CA has the CA keys and certificate as PEM files (or the CA private key on an HSM), and issued subscriber certificates as PEM files.

You can convert a PEM-style Root CA key to a PKCS12 file that can be imported in EJBCA:

$ openssl pkcs12 -export -out server1.p12 -inkey cakey.pem -in ca.pem -name privateKey

The following EJBCA CA UI menu options and CLI commands allow you to import these and continue operations transparently:

  • To import a PKCS#12 file with CA private key and certificate, select the EJBCA CA UI menu option Edit Certificate Authorities > Import CA keystore.
  • To import CA keys from a PKCS#12 file or an HSM, use the CLI command bin/ejbca.sh ca importca.
  • To import user certificates, use the CLI command bin/ejbca.sh ca importcert.