EJBCA provides full capabilities for managing your certificate lifecycles, from powerful profiles to advanced administrative workflows to ensure that your organization retains control and oversight of your certificates. PrimeKey tools allow administrators to easily revoke and renew certificates, ensuring that lost keys are immediately contained and that your organization suffers no downtime.
The following provides an overview of the different types of certificate credentials that require lifecycle management in the integration between SignServer and Jenkins.
Code Signing Certificate
Jenkins Access Certificate for Authentication to SignServer
Jenkins credentials can be managed using the Jenkins credentials plugin; see the GitHub Credentials API User Guide.
- The REST API and CLI can be used for automation of credential creation and updating.
- A standardized protocol like EST or CMP can be used to automate renewal of TLS client credentials from EJBCA.
TLS Certificates for the Hosts
In addition to manually configuring TLS certificates as described in this guide, ACME can be used to automatically generate TLS certificates for the Apache server using the EJBCA and SignServer hosts.
Administrator Client Certificate
The SuperAdmin administrator client certificate can expire and then needs to be renewed. The renewal method depends on how the credentials were issued:
- Expiration notifications can be used to notify administrators about expiring certificates for manual updates, which can be self-service.
- If credentials are stored on a hardware token (like a smart card or USB token), the token management system handles renewal, which can be self-service.
- If the credentials are received using MS Autoenrollment, autoenrollment can perform credential renewal.