Skip to main content
Skip table of contents

Quick Start Guide - Issue Client Authentication Certificate using EJBCA

Learn how to issue a client authentication certificate using the EJBCA Community container. 

In this guide, you will learn to:

  • Create basic profiles​

  • Issue client authentication certificate​ (PKCS#12 keystore​)

  • Download CA certificate

  • Import client certificate into browser

The EJBCA Community container is started as an ephemeral instance which means that when you stop the container, it will automatically be removed and all data will be destroyed. This setup is suitable for testing EJBCA or for evaluating added functionality in an updated version. For information on running the container with more production-like settings with persistent data, refer to EJBCA on Docker Hub.


Before you begin, you need a started EJBCA container and access to the EJBCA CA UI. To learn how, you can follow the Quick Start Guide - Start EJBCA Container with Client Certificate Authenticated Access.

Step 1 - Create profiles

Follow these steps to create a certificate profile, end entity profile, and add an end entity.

Create certificate profile 

To create a certificate profile, follow these steps:

  1. In EJBCA, under CA Functions, click Certificate Profiles.

  2. Click Clone next to the ENDUSER template to use that as a basis for creating your new profile.

  3. Name the new certificate profile ClientAuth and click Create from template.

  4. To edit the profile values to fit your needs, find the newly created ClientAuth in the list and click Edit.

  5. On the Edit page, verify that the type is End Entity and update the following:

    • For Validity or end date of the certificate, specify 1y.

    • For Key Usage, clear Non-repudiation and verify that Digital Signature and Key encipherment are selected.

    • For Extended Key Usage, select Client Authentication.

  6. Click Save to store the certificate profile.

The newly created ClientAuth profile is displayed in the list of certificate profiles.

Create end entity profile

To create an end entity profile, follow these steps:

  1. In EJBCA, under RA Functions, click End Entity Profiles.

  2. In the Add End Entity Profile field, specify ClientAuth, and click Add profile.
    The newly created ClientAuth profile is displayed in the list of end entity profiles.

  3. Select the profile, and click Edit End Entity Profile.

  4. Edit the profile and update the following:

    • Verify that End Entity E-mail is selected, not Required and Modifiable. This allows you to optionally add an email address to this user account in EJBCA to later enable notifications about expiring certificates and renewals, for example. For more information, see End Entity E-Mail.

    • Under Other Subject Attributes, you can specify options for Subject Alternative Name (SAN). In the Subject Alternative Name list, select RFC 822 Name (e-mail address) and click Add.

    • Under Main Certificate Data, map the certificate profile, and type of key pair the profile can be used together with:

      • For Default Certificate Profile, select the ClientAuth profile you created in Create certificate profile).

      • Specify the Default Token option P12 file format to define how the key pair generation should be implemented for the certificates:

  5. Click Save to store the end entity profile.

Add end entity

To create an end entity, follow these steps::

  1. In EJBCA, under RA Functions, click Add End Entity and specify the following:

    • In End Entity Profile, verify that ClientAuth is selected.

    • In Username, specify a name for the user.

    • Password, specify a one-time enrollment code.

    • Confirm Password: As above

    • For E-mail address, enter an e-mail address for the user.

    • For CN, Common Name under Subject DN Attributes, enter the name of the user.

    • For Subject Alternative Name list, select to use the data from the E-mail address field RFC 822 Name (e-mmail address).

  2. To add the end entity, click Add.

The end entity is added and your PKI is aware of your first user.

Step 2 - Issue client authentication certificate​

To issue a client authentication certificate in EJBCA, do the following:

  1. In EJBCA, click RA Web to access the EJBCA RA user interface.

  2. To enroll, select Enroll > Use Username and specify the following:

    • Username: Enter the username as specified earlier in the step Add end entity.

    • Enrollment code: Enter the password specified earlier in the step Add end entity.

    • Click Check.

    • For Key algorithm, you can limit the type of keys to be used, such as only RSA 2048 bits.

    • Click Download PKCS#12 to download and save the keystore.

You now have downloaded the keystore.

Step 3 - Download CA certificate

To download the certificate for the CA, follow these steps:

  1. In RA Web, click CA Certificates and CRLs in the menu bar.

  2. On the CA Certificates and CRLs page, for the Management CA, click PEM in the Certificate column.

  3. The PEM file for the CA certificate is downloaded as a ManagementCA.pem file.

The CA certificate ManagementCA.pem file is now downloaded.

Step 4 - Import certificate into browser

The following describes how to import the client certificate into your web browser.

The procedure for importing a certificate may vary. This example describes how to import a certificate to Mozilla Firefox.

To import the client certificate in Mozilla Firefox:

  1. On the Firefox menu, select Preferences.

  2. Click Privacy & Security.

  3. In the Security section, click View Certificates.

  4. On the Your Certificates tab, select Import.

  5. Browse to the downloaded P12 keystore file to import and select the file.

  6. Enter the password you specified as the one-time enrollment code, and click Sign in.

  7. On the Mozilla Firefox tab Your Certificates, verify that the certificate was imported, and then click OK.

The client certificate is now imported and installed in your browser.

Next steps

In this guide, you learned how to create basic profiles and issue a client authentication certificate in EJBCA.

To learn how to get started with the SignServer container, you can follow Quick Start Guide - Start SignServer Container with Client Certificate Authenticated Access.

Next, you can review our other Tutorials and Guides or browse our video tutorials on the Keyfactor Community YouTube channel.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.