Install EJBCA as a CA without a Management CA
These steps apply when you are either migrating your initial CA from another installation, or creating a sub CA.
In this case, the Management CA has already been created elsewhere, and you already have the TLS key stores signed by that Management CA.
Copy Your Existing Key Store
If you have already created a key store as part of the initial installation of EJBCA on another instance, copy it to the p12 directory in EJBCA. If the p12 directory does not exist, create it.
Deploy TLS Keystores to WildFly
To copy the existing key stores from p12 to wildfly_home/standalone/configuration/keystore, run the following:
$ ant deploy-keystore
Add Additional Management CAs to the Key Store
If you create other CAs that you want to add as acceptable CAs in the server TLS configuration, or if you renew the CA certificate, you can install any CA certificate in the server TLS configuration afterwards with the following command:
$ ant -Dca.name="My CA Name" javatruststore
This command adds the CA certificate to p12/truststore.jks and copies this file to APPSRV_HOME/standalone/configuration/keystore, where the TLS keystores are located. This step requires a restart of the application server.
For more information about roles and access management, see Roles and Access Rules Operations.
Import the Management CA Certificate
Ensure that web.reqcertindb=false is set in conf/web.properties. If you change this value, redeploy EJBCA by running:
$ ant deploy deployear
Download the Management CA certificate from the RA UI on the instance hosting the Management CA.
From the EJBCA CLI on the RA, import the Management CA certificate on the RA with:
$ bin/ejbca.sh ca importcacert ManagementCA ManagementCA.cacert.pem -initauthorization -superadmincn SuperAdmin
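The two prerequisites of the import step can be checked before running importcacert. The following is an added example, not part of EJBCA or its documentation; the function names prop_value and preflight_importcacert are hypothetical, and the demo files are constructed.

```sh
#!/bin/sh
# Added pre-flight example, not part of EJBCA; function names are hypothetical.

# Print the effective value of key $1 in Java .properties file $2: skips
# comment lines (# or !), accepts '=' or ':', last definition wins.
# Exit status 1 if the key is never set.
prop_value() {
  awk -v k="$1" '
    /^[ \t]*[#!]/ { next }
    {
      line = $0; sub(/^[ \t]+/, "", line)
      if (index(line, k) != 1) next
      rest = substr(line, length(k) + 1)
      if (rest !~ /^[ \t]*[=:]/) next   # longer key sharing the prefix
      sub(/^[ \t]*[=:][ \t]*/, "", rest)
      sub(/\r$/, "", rest)              # tolerate CRLF files
      val = rest; found = 1
    }
    END { if (!found) exit 1; print val }
  ' "$2"
}

# Succeed only if web.reqcertindb is explicitly "false" in $1 and $2 looks
# like a PEM certificate (not an HTML error page or a private key).
preflight_importcacert() {
  if ! pf_val=$(prop_value web.reqcertindb "$1"); then
    echo "web.reqcertindb is not set in $1" >&2; return 1
  fi
  if [ "$pf_val" != "false" ]; then
    echo "web.reqcertindb=$pf_val in $1, expected false" >&2; return 1
  fi
  pf_begin=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$2" 2>/dev/null) || pf_begin=0
  pf_end=$(grep -c -- '-----END CERTIFICATE-----' "$2" 2>/dev/null) || pf_end=0
  if [ "$pf_begin" -lt 1 ] || [ "$pf_begin" -ne "$pf_end" ]; then
    echo "$2 does not contain a complete PEM certificate" >&2; return 1
  fi
  if grep -q 'PRIVATE KEY-----' "$2"; then
    echo "$2 contains a private key; import only the CA certificate" >&2; return 1
  fi
  return 0
}

# Demo on constructed files (not real EJBCA data): the active line wins over
# the commented one, so the check refuses to proceed.
demo_dir=$(mktemp -d)
printf '%s\n' '#web.reqcertindb=false' 'web.reqcertindb = true' > "$demo_dir/web.properties"
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'AAAA' '-----END CERTIFICATE-----' > "$demo_dir/ca.pem"
preflight_importcacert "$demo_dir/web.properties" "$demo_dir/ca.pem" || echo "pre-flight refused the import"
rm -rf "$demo_dir"
```

On the RA, call it as preflight_importcacert conf/web.properties ManagementCA.cacert.pem and run the import command only when it returns success.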
Next Step: Finalizing the Installation
Proceed to Finalizing the Installation to complete setup and verify that the CA instance is operational.