Skip to main content
Skip table of contents

Deploy CA in Kubernetes

The following provides an example of deploying EJBCA to a Kubernetes cluster, integrating it with an external MariaDB database, and utilizing Ingress or LoadBalancer to expose HTTPS routes from outside the cluster to the EJBCA service.

Prerequisites

Before you begin, you need a functioning Kubernetes cluster with the tools Helm and kubectl installed. For details, see the Prerequisites section.

Step 1 - Prepare database

To create a quick-start test database, follow the instructions Deploy MariaDB in Kubernetes.

Optionally, you can use an existing database. Note that you need to adjust the connection settings used in the following steps accordingly.

Step 2 - Deploy EJBCA

Cluster external access for EJBCA can be set up with Ingress or a LoadBalancer service. Here we explain both. Most of the steps are common to both. We clearly point out in the title of the section when the steps differ i.e. with Ingress or LoadBalancer.

Please use the steps relevant for your installation.

To deploy EJBCA, first prepare the deployment parameters by creating a YAML configuration file, and then use the Helm Chart with your values file to install EJBCA to a Kubernetes cluster.

Prepare deployment parameters

With Ingress

Create an ejbca.yaml configuration file with the following content:

YAML
ejbca:
  env:
    DATABASE_JDBC_URL: "jdbc:mariadb://mariadb:3306/ejbca?characterEncoding=utf8"
    LOG_AUDIT_TO_DB: true
    DATABASE_USER: ejbca
  envRaw:
    - name: DATABASE_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mariadb-passwords
          key: mariadb-password

ingress:
  enabled: true
  hosts:
    - host: "ejbca.example.com"
      paths:
        - path: /
          pathType: Prefix

#imagePullSecrets:
#  - name: keyfactor-registry

With LoadBalancer

YAML
ejbca:
  env:
    DATABASE_JDBC_URL: "jdbc:mariadb://mariadb:3306/ejbca?characterEncoding=utf8"
    LOG_AUDIT_TO_DB: true
    DATABASE_USER: ejbca
  envRaw:
    - name: DATABASE_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mariadb-passwords
          key: mariadb-password
nginx:
  enabled: true
  initializeWithSelfSignedTls: true
  host: "ejbca.example.com"
  service:
    type: LoadBalancer

#imagePullSecrets:
#  - name: keyfactor-registry

Parameter details

Parameter

Value

Details

ejbca.env.DATABASE_JDBC_URL

jdbc:mariadb://mariadb:3306/ejbca?characterEncoding=utf8

Database connection string

ejbca.env.DATABASE_USER

ejbca

Database username

ejbca.envRaw.DATABASE_PASSWORD

mariadb-password secret key value

Database password reference to a key in a Kubernetes secret.

ingress.enabled

true

Flag that enables usage of Ingress

ingress.hosts

ejbca.example.com

Ingress host configuration

Tip: When deploying to a local dev cluster, you can use ejbca.localhost as the host or add an entry for, e.g. ejbca.example.com to your hosts file.

nginx.enabled

true

Deploys NGINX as sidecar along with a Kubernetes service

nginx.service.type

LoadBalancer

Set the type of associated service

nginx.initializeWithSelfSignedTls

true

A temporary setting before the TLS setup is finalized

nginx.host

ejbca.example.com

Domain to access EJBCA

imagePullSecrets.name

keyfactor-registry

Reference to an image pull secret.

Uncomment and adjust this parameter if you're using the Keyfactor Container Registry or a private registry.

For a list of all supported parameters, seeEJBCA Helm Deployment Parameters.

Install EJBCA

Use the Enterprise or Community Helm Chart with your values file to install EJBCA to a Kubernetes cluster.

Enterprise

CODE
helm install ejbca -f ejbca.yaml oci://repo.keyfactor.com/charts/ejbca --version <version>

Community

CODE
helm install ejbca -f ejbca.yaml oci://repo.keyfactor.com/charts/ejbca-ce --version <version>

Wait for the installation to finish. You can use the following command to monitor the pod creation process:

CODE
kubectl get pods -w -l app.kubernetes.io/instance=ejbca

Proceed once all pods are ready (1/1).

CODE
NAME       READY   STATUS              RESTARTS   AGE
ejbca...   0/1     Pending             0          0s
ejbca...   0/1     ContainerCreating   0          0s
ejbca...   0/1     Running             0          20s
ejbca...   1/1     Running             0          40s

Step 3 - Configure EJBCA

The following sections demonstrate how to create an initial Management CA and issue certificates for secure access to EJBCA.

Initialize CA

Access EJBCA Admin Web by navigating your browser to the host configured in ejbca.yaml. The following uses https://ejbca.example.com as an example.

init-pki-ee.png

Next, follow the steps in the EJBCA setup wizard:

  1. Select Create a New CA and click Next.

  2. For Create Management CA, select Create New Crypto Token.

  3. On the New Crypto Token page, specify the following:

    • Name: Specify a name for the crypto token, such as ManagementCaToken.

    • Type: Select SOFT.

    • Auto-activation: Select Use to allow EJBCA to save the password and reapply it after a restart so that the CA is always available.

    • Authentication Code: Enter a password to be used to activate the crypto token.

    • Repeat Authentication Code: Re-enter the password.

  4. Click Save to create the crypto token.

  5. On the Crypto Token: ManagementCaToken page, click Generate new key pair. A new signKey key pair is generated and displayed in the list of key pairs.

    generate-new-key-pair-done.png
  6. Click Back to PKI Installation.

  7. On the Create Management CA page, click Next.

    create-management-ca.png
  8. On the Create Super Administrator page, specify the following:

    • For Super Administrator DN, specify CN=SuperAdmin.

    • For Super Administrator Password, enter your password.

    • For Repeat Super Administrator Password, re-enter your password.

  9. Click Next to create the super administrator.

  10. Review the information on the Summary page and click Install to create the Management CA.

    installation-summary.png
  11. Click Enroll to retrieve the Super Administrator key store (SuperAdmin.p12) file.

  12. Click Download CA Certificate.

  13. On the CA Structure & CRLs page, click Download PEM file to download the ManagementCA.cacert.pem file.

    ca-certificate-download.png

Enroll server TLS certificate

Use the EJBCA RA Web to enroll a server TLS certificate for Ingress.

  1. In EJBCA, click RA Web to access the EJBCA RA user interface.

  2. Select Enroll > Make New Request and specify the following:

    • For Certificate Type, select EMPTY.

    • For Certificate subtype, select SERVER.

    • For CA (if prompted), select ManagementCA.

    • For Key-pair generation, select By the CA.

    • For Key algorithm, select for example, RSA-2048, or P-256.

    • For the Required Subject DN Attributes, specify CN, Common Name=ejbca.example.com.

    • For Optional Subject Alternative Name Attributes, specify DNS Name=ejbca.example.com

    • For Provide User Credentials, enter a username and password.

  3. Click Download PEM to download the server certificate in PEM format.

    ra-enroll.png
  4. Save the server certificate file.

Step 4 - Configure Server TLS Credentials

To configure client certificate authentication and TLS termination at the Ingress level, you need to create two secrets: one secret containing the full Certificate Authority chain, and another with the TLS certificate.

Prepare secrets

First, extract the certificate and private key components from the previously generated PEM file. Open the PEM formatted server certificate file in your favorite text editor, or use the provided AWK commands to extract the components into dedicated files.

Private key

Copy the content starting from -----BEGIN PRIVATE KEY----- till -----END PRIVATE KEY----- to a file named server_tls.key.

BASH
awk '/-----BEGIN PRIVATE KEY-----/,/-----END PRIVATE KEY-----/' \
    ejbca.example.com.pem > server_tls.key

Certificate

The downloaded PEM file contains two certificates: the server TLS certificate, and the issuer CA certificate.

Copy the content of the server TLS certificate (first entry) starting from -----BEGIN CERTIFICATE----- till -----END CERTIFICATE----- to a file named server_tls.pem.

BASH
awk '/-----BEGIN CERTIFICATE-----/ {found=1} found && !printed; \
    /-----END CERTIFICATE-----/ {printed=1}' \
    ejbca.example.com.pem > server_tls.pem

Create secrets for Ingress

Create a secret for the TLS certificate using the server_tls.key and server_tls.pem files:

BASH
kubectl create secret generic ingress-nginx-credential-secret-ca \
    --from-file=tls.crt=server_tls.pem \
    --from-file=tls.key=server_tls.key

Create a secret containing the full Certificate Authority chain using the previously downloaded Management CA PEM file:

BASH
kubectl create secret generic ejbca-ingress-trust-secret \
    --from-file=ca.crt=ManagementCA.cacert.pem

Create secrets for LoadBalancer

Create a secret for the TLS certificate using the server_tls.key , server_tls.pem and ManagementCA.cacert.pem files:

BASH
kubectl create secret generic internal-nginx-credential-secret \
    --from-file=ejbca.example.com.pem=server_tls.pem \
    --from-file=ejbca.example.com-Key.pem=server_tls.key \
    --from-file=ejbca.example.com-CA.pem=ManagementCA.cacert.pem

Upgrade to enable TLS

Next, use your secrets to enable TLS and client certificate authentication by upgrading the EJBCA deployment.

Finalize configuration with Ingress

Modify the ingress section of your ejbca.yaml according to the following example:

YAML
ingress:
  enabled: true
  annotations:
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/ejbca-ingress-trust-secret"
  hosts:
    - host: "ejbca.example.com"
      paths:
        - path: /
          pathType: Prefix
  tls:
    - hosts:
        - "ejbca.example.com"
      secretName: ingress-nginx-credential-secret-ca

When using a dedicated namespace, replace default/ with the relevant namespace name.

The following displays an example of the full content of ejbca.yaml file:

YAML
ejbca:
  env:
    DATABASE_JDBC_URL: "jdbc:mariadb://mariadb:3306/ejbca?characterEncoding=utf8"
    LOG_AUDIT_TO_DB: true
    DATABASE_USER: ejbca
  envRaw:
    - name: DATABASE_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mariadb-passwords
          key: mariadb-password

ingress:
  enabled: true
  annotations:
    nginx.ingress.kubernetes.io/auth-tls-secret: "default/ejbca-ingress-trust-secret"
  hosts:
    - host: "ejbca.example.com"
      paths:
        - path: /
          pathType: Prefix
  tls:
    - hosts:
        - "ejbca.example.com"
      secretName: ingress-nginx-credential-secret-ca

#imagePullSecrets:
#  - name: keyfactor-registry

Finalize configuration with LoadBalancer

Modify the nginx section of your ejbca.yaml according to the following example:

YAML
nginx:
  enabled: true
  host: "ejbca.example.com"
  mountInternalNginxCert: true
  secretInternalNginxCert: "internal-nginx-credential-secret"
  service:
    type: LoadBalancer

Notice that we also removed the initializeWithSelfSignedTls as it is no longer needed.

The complete configuration:

YAML
ejbca:
  env:
    DATABASE_JDBC_URL: "jdbc:mariadb://mariadb:3306/ejbca?characterEncoding=utf8"
    DATABASE_USER: ejbca
  envRaw:
    - name: DATABASE_PASSWORD
      valueFrom:
        secretKeyRef:
          name: mariadb-passwords
          key: mariadb-password
nginx:
  enabled: true
  host: "ejbca.example.com"
  mountInternalNginxCert: true
  secretInternalNginxCert: "internal-nginx-credential-secret"
  service:
    type: LoadBalancer

Upgrade the EJBCA deployment

Enterprise

BASH
helm upgrade ejbca -f ejbca.yaml oci://repo.keyfactor.com/charts/ejbca --version <version>

Community

BASH
helm upgrade ejbca -f ejbca.yaml oci://repo.keyfactor.com/charts/ejbca-ce --version <version>

Step 5 - Finalize installation

Finalize the installation by importing the administrator certificate into your browser and then accessing EJBCA using the installed certificate.

Import the administrator certificate

The process of importing a certificate may vary depending on the web browser you are using. The following example outlines how to import a certificate into Mozilla Firefox.

To import the downloaded super administrator P12 keystore:

  1. Open the Firefox application menu and click Settings.

  2. Go to Privacy & Security and in the Security section, click View Certificates.

  3. On the Your Certificates tab, select Import.

  4. Browse to the downloaded P12 file, select the file, and click OK.

  5. Enter the password you specified as the Super Administrator Password in a previous step, and click Sign in.

  6. Click OK to close the Firefox Certificate Manager.

Access EJBCA

To access EJBCA using the certificate you just installed:

  1. Navigate your browser to https://<hostname>/ejbca/adminweb/.

  2. When prompted for the SuperAdmin certificate, select the one you just imported and click OK.

  3. Verify that you are logged in as SuperAdmin which is shown in the text as highlighted in green rectangle in the picture below.

    admin-web-super-admin-check.png
  4. (Relevant only when Ingress is used) In the text highlighted in green rectangle, you might not see SuperAdmin or the Common Name(CN) of your administrator certificate. Instead it might show the text 'Welcome to EJBCA Administration'. This may happen if Ingress has not forwarded the client certificate to EJBCA. Please see the Prerequisites page for more details.

  5. To remove public access and restrict access to EJBCA to only the Super Administrator, click Remove next to “Public access with Super Administrator Role exists”.

EJBCA is now successfully deployed.

admin-web-without-public-access-role.png

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.