Quick Start Guide - Start EJBCA Container with Client Certificate Authenticated Access

Learn how to start an EJBCA Community container with client certificate authenticated access.

In this guide, you will learn to:

• Pull EJBCA Community container
• Start EJBCA Community container
• Generate administrator certificate
• Import certificate into browser
• Access EJBCA CA UI

The EJBCA Community container is started as an ephemeral instance which means that when you stop the container, it will automatically be removed and all data will be destroyed. The container will require client certificate access to the EJBCA Administration and will generate a Management CA and allow you to enroll for the initial SuperAdmin client certificate keystore used for administration.

This guide covers how to quickly get an instance of EJBCA up and running, primarily for testing or evaluation purposes. For detailed instructions on how to install a production Certificate Authority (CA), see the EJBCA Installation guide.

Prerequisites

Before you begin, you need Docker running in the background. To download and install, refer to docker.com.

Since this build is based on a self-contained Docker image, build tools such as Apache ANT or an application server such as Wildfly are not needed.

Step 1 - Pull EJBCA Community container

The EJBCA Community Docker container is available on Docker Hub  and can be pulled straight from the command line using the docker tool.

• To download and unpack the latest EJBCA Community container image from Docker Hub, use the following command:

  $ sudo docker pull keyfactor/ejbca-ce

  CODE

Step 2 - Start EJBCA Community container

Start the EJBCA Community container as an ephemeral instance, suitable for testing or evaluation purposes:

1. Start the container with the container hostname set to "localhost":
   

   $ docker run -it --rm -p 80:8080 -p 443:8443 -h localhost -e TLS_SETUP_ENABLED="true" keyfactor/ejbca-ce

   CODE

   The container starts running with "localhost" as the hostname, but feel free to use any substitute.
   

2. The end of the output is similar to the following, displaying the URL and password to use to enroll for the initial SuperAdmin client certificate:
   
   

EJBCA is now up and running and has generated a Management CA (used to manage internal PKI in EJBCA) as well as an initial super administrator with full rights.

Step 3 - Generate administrator certificate

To access the EJBCA CA UI, the SuperAdmin credentials need to be retrieved from the server and installed in your browser. We recommend using Mozilla Firefox as it has self-enrollment capabilities and its own keystore separate from the operating system.

The P12 (PKCS#12 file) referred to in the console output above is a key pair that will be generated by the EJBCA server when accessing the provided URL. The P12 format contains the private key, a certificate signed by the Management CA containing the public key, and is encrypted and password protected. It is with these credentials you will be able to generate additional administrators and users, CAs, and profiles, and therefore you mustn't lose these credentials.

To generate the super admin credentials:

1. To generate the P12, copy the URL from the console output and paste it into your browser.
2. A browser warning is shown as you have not added the Management CA to the list of trusted roots in your certificate store (nor will you need to for this example). Accept this warning by clicking Advanced and then clicking through the warning.
   
3. On the EJBCA RA Web Enrollment with Enrollment code page, enter the password from the console output and click Check.
   

4. Select a key algorithm and length from the Key algorithm list, for example RSA 2048 bits, and click Download PKCS#12 to generate a file named SuperAdmin.p12 and download the file. 
   

Step 4 - Import certificate into browser

To access the EJBCA CA UI, import the downloaded SuperAdmin certificate into your web browser.

The procedure for importing a certificate may vary. This example describes how to import a certificate to Mozilla Firefox.

To import the certificate in Mozilla Firefox:

1. On the Firefox menu, select Preferences.
2. Click Privacy & Security.
3. In the Security section, click View Certificates.
4. On the Your Certificates tab, select Import.
   
5. Browse to the downloaded P12 keystore (SuperAdmin.p12 file) to import and select the file.
6. Enter the password provided in the console output, and click Sign in.
7. On the Mozilla Firefox tab Your Certificates, verify that the certificate was imported, and then click OK.
   

Step 5 - Access EJBCA CA UI

Next, point your browser to https://localhost/ejbca/adminweb/ to access EJBCA using the imported certificate.

EJBCA CA UI opens displaying the administration page.

Next steps

In this guide, you learned how to start an EJBCA Docker container with client certificate authenticated access and download and install the administrator certificate to access EJBCA.

To learn how to create basic profiles and issue a client authentication certificate in EJBCA, you can follow the Quick Start Guide - Issue Client Authentication Certificate using EJBCA.

To find out more about EJBCA use cases, see Solution Areas.