Skip to main content
Skip table of contents

Connect EJBCA to a database over TLS

This guide outlines how to connect EJBCA to a database over TLS.

You can secure connections between EJBCA and an external database by using TLS. Two authentication methods are supported:

  • Username and password, which is the standard method.

  • Mutual TLS (mTLS), where the database validates EJBCA based on a client certificate.

Regardless of the method, EJBCA must trust the private CA that issued the certificate to the database server. You can provide additional trusted CA certificates to the EJBCA container when deploying it.

Provide Additional Trusted CA Certificates

EJBCA allows you to provide additional trusted CA certificates to the EJBCA container:

  1. Obtain the private CA certificate(s) in PEM format.

  2. Create a Kubernetes secret in the namespace where EJBCA will run. For example:

    BASH 
    kubectl create secret generic trusted-cas-secret -n cadeployment \
                    --from-file=SubCa002-chain.crt="SubCa002-chain.pem" \
                    --from-file=Ca001.cacert.crt="Ca001.cacert.pem"

    (info) Each file inside the container must have the suffix .crt. A file may contain multiple CA certificates.

  3. Configure the Helm values to import the certificates into the JVM truststore:

    YAML 
    ejbca:
  importJvmTruststore: true
  jvmTruststoreSecret: trusted-cas-secret

EJBCA imports the certificates into the JVM truststore during startup.

PostgreSQL

The following examples use PostgreSQL.

The examples are based on the Bitnami Helm chart, which is now deprecated. These configurations are suitable for testing only. Use a maintained PostgreSQL deployment for production.

TLS configuration of the PostgreSQL server itself is out of scope, but the examples below assume a TLS-enabled PostgreSQL instance with the following relevant settings:

YAML 
auth:
  username: "postgrejbca"
  database: "ejbca"
  postgresPassword: "ejbcapass"
  replicationPassword: "ejbcapass"
primary:
  persistence:
    size: 250Mi
  pgHbaConfiguration: |
    hostssl all all 0.0.0.0/0 cert clientcert=verify-full
readReplicas:
  replicaCount: 0	
tls:
  enabled: true
  certificatesSecret: postgres-certs-secret
  certFilename: postgres-cert.pem
  certKeyFilename: postgres-key.pem
  certCAFilename: Ca001.cacert.pem

  • The pg_hba.conf entry enforces TLS and client certificate verification:

CODE 
hostssl all all 0.0.0.0/0 cert clientcert=verify-full

A Kubernetes secret (postgres-certs-secret) provides the server certificate, private key, and issuing CA certificate (Ca001.cacert.pem). The same CA is used to issue the client certificate for EJBCA when mTLS is used.

Authenticate with username and password

To use password-based authentication over TLS:

  1. Ensure EJBCA trusts the CA that issued the database server’s certificate.

  2. Configure the JDBC URL with the required TLS parameters:
    ssl=true
    sslmode=verify-ca
    sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory

Example:

YAML 
ejbca:
  importJvmTruststore: true
  jvmTruststoreSecret: trusted-cas-secret
  env:
    DATABASE_JDBC_URL: "jdbc:postgresql://ejbca-postgres-postgresql:5432/ejbca?ssl=true&sslmode=verify-ca&sslfactory=org.postgresql.ssl.DefaultJavaSSLFactory"
    DATABASE_USER: ejbca
  envRaw:
  - name: DATABASE_PASSWORD
    valueFrom:
     secretKeyRef:
       name: ejbca-credentials
       key: database_password

For configuration details, see Connect EJBCA to external database.

Authenticate with Mutual TLS (mTLS)

Configure EJBCA to import the private CA certificate that issued the certificate to the database server as described above.

Follow the steps below to configure EJBCA to use a specific TLS credential, thus a certificate and private key to authenticate to the database.

Requirements

  • The client certificate is typically issued by the same private CA that issued the certificate to the database server.

  • The database username must match the client certificate’s Common Name (CN).

  • When you supply the client certificate to EJBCA in a PKCS#12 file, the PKCS#12 must use the alias user. Refer to the PostgreSQL documentation on Initializing the Driver for details on the sslkey attribute.

Step 1 - Validate the client credential in PKCS12 file

Validate the PKCS12 file with TLS credential with the following command and the password when prompted.

  • Validate the PKCS#12 bundle:

    CODE 
    openssl pkcs12 -in <your-ejbca-postgres-client>.p12 -nodes

  • Confirm the following:

    • The friendlyName is user.

    • The certificate subject contains the expected database username (postgrejbca), for example:

      BASH 
      friendlyName: user
subject=CN = postgrejbca
issuer=CN = Ca001

Step 2 - Create Kubernetes secrets

Create two secrets: one to mount the PKCS12 file and the private CA certificate file in EJBCA, and another to configure the JDBC URL.

Secret 1: PKCS#12 file and private CA Certificate

BASH 
kubectl create secret generic postgres-tls-secrets -n cadeployment \
              --from-file=clientkey.p12="postgrejbca.p12" \
              --from-file=rootca.pem="Ca001.cacert.pem"

These files will be mounted into the EJBCA container.

Secret 2: JDBC URL

Because the JDBC URL contains the PKCS#12 password in plaintext, store it in a secret:

BASH 
kubectl create secret generic ejbca-db-credentials \
    --from-literal=DATABASE_JDBC_URL='jdbc:postgresql://ejbca-postgres-postgresql:5432/ejbca?ssl=true&sslmode=verify-ca&sslkey=/mnt/postgres/clientkey.p12&sslpassword=foo123&sslrootcert=/mnt/postgres/rootca.pem'

Notes:

  • The PKCS#12 file password must match the value in sslpassword.

  • The PKCS#12 and the private CA certificate files are mounted under /mnt/postgres.

  • Use sslmode=verify-ca or sslmode=verify-full depending on whether hostname validation is required. For details, refer to the PostgreSQL documentation on Using SSL.

Step 3 - Configure the Helm chart

Configure the values.yaml to:

  • Read the database username postgrejbca as an environment variable

  • Read the JDBC URL from the Kubernetes secret as an environment variable

  • Mount the PKCS12 and the private CA certificate file to /mnt/postgres

Example configuration:

YAML 
ejbca:
  importJvmTruststore: true
  jvmTruststoreSecret: trusted-cas-secret
  env:
    DATABASE_USER: postgrejbca
  envRaw:
  - name: DATABASE_JDBC_URL
    valueFrom:
     secretKeyRef:
       name: ejbca-db-credentials
       key: DATABASE_JDBC_URL
  volumes:
    - name: postgres-tls-secrets
      secret:
        secretName: postgres-tls-secrets
  volumeMounts:
    - name: postgres-tls-secrets
      mountPath: /mnt/postgres

Once applied, EJBCA will connect to PostgreSQL using TLS with mutual certificate authentication.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close