Certificate Lifecycle Management

EJBCA provides full capabilities for managing your certificate lifecycles, from powerful profiles to advanced administrative workflows to ensure that your organization retains control and oversight of your certificates. PrimeKey tools allow administrators to easily revoke and renew certificates, ensuring that lost keys are immediately contained and that your organization suffers no downtime.

The following provides an overview of the different types of certificate credentials that require lifecycle management in the integration between SignServer and Jenkins.

Code Signing Certificate

The worker keys and certificate can be automatically lifecycle managed (issued and/or renewed) using the Peer System integration between EJBCA and SignServer. For more information, see Peer Systems.

Jenkins Access Certificate for Authentication to SignServer

Jenkins credentials can be managed using the Jenkins credentials plugin. For details, see the GitHub Credentials API User Guide.

  • The REST API and CLI can be used for automation of credential creation and updating.
  • A standardized protocol like EST or CMP can be used to automate renewal of TLS client credentials from EJBCA.

TLS Certificates for the Hosts

In addition to manually configuring TLS certificates as described in this guide, ACME can be used to automatically generate TLS certificates for the Apache server using the EJBCA and SignServer hosts.

Administrator Client Certificate

The SuperAdmin administrator client certificate can expire and then needs to be renewed. The renewal method depends on how the credentials were issued:

  • Expiration notifications can be used to notify administrators about expiring certificates for manual updates, which can be self-service.
  • If credentials are stored on a hardware token (like a smart card or USB token), the token management system handles renewal, which can be self-service.
  • If the credentials are received using MS Autoenrollment, autoenrollment can perform credential renewal.

Certificate Expiration Check and Reporting

The EJBCA features Expiration Notification and Certificate Management allow you to get notified about certificates that are about to expire.
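
As an independent cross-check on the host that holds the certificate files, the following added example (not part of EJBCA, SignServer or this guide) classifies PEM certificates by remaining validity using the openssl command line tool. The 30-day and 7-day thresholds, the function names and the demo file names are assumptions, and the sample certificates are throwaway self-signed ones constructed by the script itself.

```shell
#!/bin/sh
# Added example: report how close PEM certificates are to expiry.
# WARN_DAYS and CRIT_DAYS are assumed thresholds, not EJBCA defaults.
WARN_DAYS=${WARN_DAYS:-30}
CRIT_DAYS=${CRIT_DAYS:-7}

# expires_within FILE SECONDS: true if notAfter falls inside the window.
# "openssl x509 -checkend N" exits non-zero when the cert expires within N s.
expires_within() {
  ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# cert_status FILE: prints UNREADABLE, EXPIRED, CRITICAL, WARNING or OK.
cert_status() {
  local pem="$1"
  # A file openssl cannot parse must not be reported as healthy.
  if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then echo UNREADABLE
  elif expires_within "$pem" 0; then echo EXPIRED
  elif expires_within "$pem" $((CRIT_DAYS * 86400)); then echo CRITICAL
  elif expires_within "$pem" $((WARN_DAYS * 86400)); then echo WARNING
  else echo OK
  fi
}

# expiry_report FILE...: one line per certificate; returns 1 if any is not OK,
# so the function can gate a cron job or a pipeline stage.
expiry_report() {
  local rc=0 pem status end
  for pem in "$@"; do
    status=$(cert_status "$pem")
    end=$(openssl x509 -in "$pem" -noout -enddate 2>/dev/null | cut -d= -f2)
    printf '%-10s %-26s %s\n' "$status" "${end:-n/a}" "$pem"
    [ "$status" = OK ] || rc=1
  done
  return "$rc"
}

# make_demo_cert CN DAYS OUT: constructed self-signed sample; key is discarded.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -keyout /dev/null \
    -subj "/CN=$1" -days "$2" -out "$3" 2>/dev/null
}

# Demo on constructed input (hypothetical file names).
demo_dir=$(mktemp -d)
make_demo_cert jenkins-client 20 "$demo_dir/jenkins-client.pem"
make_demo_cert codesign-worker 365 "$demo_dir/codesign-worker.pem"
expiry_report "$demo_dir"/*.pem || echo "renewal needed for at least one certificate"
```

Point expiry_report at the exported Jenkins client certificate, the Apache TLS certificates and the administrator certificate to cover the credential types listed above in one run.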