Before deploying EJBCA and SignServer to cloud environments, ensure the systems and tools described on this page are in place. Some prerequisites are required for any deployment, and others only apply to production environments or specific configurations.
- Kubernetes v1.32+
- Helm v3+
- External access management:
  - It is recommended that TLS connections are terminated at the EJBCA pod. The EJBCA pod includes a proxy configured with TLS credentials. This ensures that plain HTTP communication never leaves the node and enables certificate-based authentication.
  - Any Ingress that allows TLS passthrough or SNI can be used. This type of Ingress is functionally equivalent to a Network Load Balancer provided by cloud service providers. You may apply additional annotations using ingress.annotations, for example: haproxy.org/ssl-passthrough: "true".
  - A Network Load Balancer (for example, a cloud-provider-managed load balancer or MetalLB) may also be used.
  - Ingress NGINX (Deprecated). Ingress NGINX may be used but is currently deprecated. Follow the Ingress NGINX Controller Installation Guide. Enable controller snippets to allow certificate authentication by setting controller.allowSnippetAnnotations=true in your Helm chart deployment. This setting is disabled by default starting with Ingress NGINX version 1.9.0.
- Supported database (for non-ephemeral instances):
  - MariaDB
  - MySQL
  - PostgreSQL
  - Oracle Database
  - Microsoft SQL Server or Azure SQL
- Hardware Security Module (HSM):
  - One of the supported HSMs listed on HSM Integration.