Administrators Issued by External CAs

Administrator certificates in EJBCA can be issued by a CA other than one in the same installation. This can be useful, for example, if you want to use a national ID for administration of an organizational PKI.

To use a certificate issued by an external CA as Administrator, do the following:

  1. Add the CA certificate to p12/truststore.jks with:

    keytool -import -trustcacerts -file externalca.pem -keystore p12/truststore.jks -storepass changeit -alias externalca

  2. Redeploy the EJBCA truststore using ant deploy-keystore and restart the application server to make sure the new truststore is in use.

  3. Import the CA certificate under Admin GUI > Certificate Authorities > Import CA Certificate, or use the CLI.

  4. Add the Administrator to the desired role under Admin GUI > Administrator Roles.

  5. To allow administrators to log in when their certificates are not present in the EJBCA database, set web.reqcertindb=false in conf/web.properties.
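As an added example (not part of EJBCA or of this page), a POSIX shell helper covering steps 1, 2 and 5 above: it checks that the file really is a PEM certificate before calling keytool, confirms the alias landed in the truststore, and sets web.reqcertindb idempotently in conf/web.properties. The helper names, the file paths and the default store password changeit are assumptions taken from the commands above.

```shell
#!/bin/sh
# Added helper (not part of EJBCA): steps 1, 2 and 5 of the procedure above.
# Assumed inputs: a PEM file for the external CA, p12/truststore.jks,
# conf/web.properties and the page's default store password "changeit".
set -eu
# Sanity check before touching the truststore: is this a PEM certificate?
is_pem_cert() {
  grep -q -- '-----BEGIN CERTIFICATE-----' "$1" &&
    grep -q -- '-----END CERTIFICATE-----' "$1"
}

# Step 1: import the external CA into the truststore, then confirm the alias
# is really there before step 2 (ant deploy-keystore + server restart).
import_external_ca() {
  pem="$1"; keystore="$2"; ks_alias="$3"; storepass="${4:-changeit}"
  is_pem_cert "$pem" || { echo "not a PEM certificate: $pem" >&2; return 1; }
  keytool -import -trustcacerts -noprompt -file "$pem" -keystore "$keystore" \
    -storepass "$storepass" -alias "$ks_alias"
  keytool -list -keystore "$keystore" -storepass "$storepass" \
    -alias "$ks_alias" >/dev/null
}

# Step 5: set web.reqcertindb idempotently. An existing line, even one that
# is commented out, is replaced; duplicates are dropped; else it is appended.
set_reqcertindb() {
  props="$1"; value="$2"
  [ -f "$props" ] || : > "$props"
  awk -v v="$value" '
    /^[# \t]*web\.reqcertindb[ \t]*=/ {
      if (!done) { print "web.reqcertindb=" v; done = 1 }
      next
    }
    { print }
    END { if (!done) print "web.reqcertindb=" v }
  ' "$props" > "$props.tmp" && mv "$props.tmp" "$props"
}

# Effective value of web.reqcertindb: last uncommented assignment, else the
# default "true" (certificate must be present in the EJBCA database).
get_reqcertindb() {
  v=$(sed -n 's/^[[:space:]]*web\.reqcertindb[[:space:]]*=[[:space:]]*//p' "$1" | tail -n 1)
  printf '%s\n' "${v:-true}"
}

# Usage from EJBCA_HOME (steps 1, 2 and 5):
#   import_external_ca externalca.pem p12/truststore.jks externalca
#   ant deploy-keystore   # then restart the application server
#   set_reqcertindb conf/web.properties false
```

With web.reqcertindb=false, EJBCA no longer requires the client certificate to exist in its database, so who can authenticate as an administrator is decided by the CAs in the truststore and the match rules of the roles in step 4; keep the truststore limited to the CAs that are meant to issue administrators.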

Installing EJBCA with External Administrators

You can install an EJBCA instance from scratch, with a certificate from an external CA as the initial SuperAdmin certificate.

Start by deploying EJBCA as usual with ant deploy, but instead of running ant install, run the following to import the certificate of the external administration CA and initialize the EJBCA authorization system:

bin/ejbca.sh ca importcacert ManagementCA ManagementCA.cacert.pem -initauthorization -superadmincn SuperAdmin

You need to configure TLS and the truststore of the application server yourself. If you have a p12/tomcat.jks and a p12/truststore.jks, ant deploy-keystore can do this for you on JBoss, in the same way as the TLS configuration described in Installation Instructions.

The initial administrator that is set up has DN CN=SuperAdmin, but you can change this with the -superadmincn option (run bin/ejbca.sh ca importcacert for documentation). You can also run the bin/ejbca.sh admins command for information on how to configure other admins.

After this command is run and TLS is correctly configured, you can log in to EJBCA and create your CAs in the Admin GUI. No initial CA is created for you.