Install EJBCA as a CA with a Management CA

Use this procedure to install your first instance of EJBCA. This installation creates the Management CA, which serves as the administrative root for your Public Key Infrastructure (PKI).

Configure the Installation

Create an install.properties file in ejbca/conf (or ../ejbca-custom/conf for a custom installation) and configure the installation parameters.

The following example shows the default values for an installation:

#install.properties
ca.name=ManagementCA
ca.dn=CN=ManagementCA,O=EJBCA Sample,C=SE
ca.tokentype=soft
ca.tokenpassword=null
ca.keytype=RSA
ca.keyspec=2048
ca.signaturealgorithm=SHA256WithRSA
ca.validity=3650
ca.policy=null

httpsserver.hostname=localhost
httpsserver.dn=CN=${httpsserver.hostname},O=EJBCA Sample,C=SE
httpsserver.password=serverpwd
httpsserver.tokentype=P12

superadmin.cn=SuperAdmin
superadmin.dn=CN=${superadmin.cn}
superadmin.password=ejbca
superadmin.batch=true

java.trustpassword=changeit

For descriptions of all available properties and additional configuration examples, see the install.properties.sample file.
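The sample values above (superadmin.password=ejbca, httpsserver.password=serverpwd, java.trustpassword=changeit) are publicly known and should never reach a real installation. The following pre-flight check is an added example, not part of EJBCA's own tooling: it reads an install.properties file and fails if any of those keys is missing or still carries its sample default. The file path and the list of keys are the only inputs it assumes.

```shell
#!/bin/sh
# Added example (not EJBCA code): refuse to proceed with "./gradlew runinstall"
# while install.properties still carries a sample credential from the defaults.

check_install_properties() {
    file="$1"
    rc=0
    # key=sample-default pairs taken from the default install.properties shown above
    for pair in \
        'superadmin.password=ejbca' \
        'httpsserver.password=serverpwd' \
        'java.trustpassword=changeit'
    do
        key=${pair%%=*}
        default=${pair#*=}
        # ignore comment lines, take the last assignment of the key, strip whitespace
        value=$(grep -v '^[[:space:]]*#' "$file" \
                | grep "^[[:space:]]*$key=" \
                | tail -n 1 | cut -d= -f2- | tr -d '[:space:]')
        if [ -z "$value" ]; then
            echo "FAIL: $key is not set explicitly in $file"
            rc=1
        elif [ "$value" = "$default" ]; then
            echo "FAIL: $key still uses the sample default '$default'"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_install_properties conf/install.properties && ./gradlew runinstall
```

Run it from the ejbca directory before the installation command; a non-zero exit means at least one sample credential is still in place. Extend the list with any other property whose sample value you consider sensitive.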

Run the Installation Command

The installation command initializes the EJBCA environment and performs the following actions:

  • Creates the Management CA, used for internal administration of your PKI and certificate signing.

  • Generates TLS keystores for HTTPS, signed by the Management CA.

  • Creates a keystore for the initial Super Administrator.

  • Adds initial access control values to the database and role information for the Super Administrator.

To perform the installation, run the following command:

$ ./gradlew runinstall

If you are migrating an existing EJBCA installation and already have the required TLS keystores, you can skip this step.

Deploy TLS Keystores to WildFly

After the installation completes, deploy the generated TLS keystores to WildFly:

$ ./gradlew deployKeystore

This command copies the generated keystores to:

WILDFLY_HOME/standalone/configuration/keystore/

Verify File Ownership

If WildFly runs as a different operating system user than the user who executed the deployment command, update the ownership of the keystore files (keystore.p12 and truststore.p12) accordingly. For example:

chown wildfly:wildfly /opt/wildfly/standalone/configuration/keystore/*
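Ownership is only half of the check: keystore.p12 contains the server's private TLS key, so it should also not be readable by other users. The following function is an added example, not part of EJBCA or WildFly; it takes the keystore directory and the WildFly service user as arguments (both assumed to match your layout) and reports any file that is missing, owned by someone else, or world-readable.

```shell
#!/bin/sh
# Added example (not EJBCA code): verify the deployed TLS keystores after
# "./gradlew deployKeystore" and any chown, before starting WildFly.

check_keystore_ownership() {
    dir="$1"      # e.g. /opt/wildfly/standalone/configuration/keystore
    owner="$2"    # OS user WildFly runs as, e.g. wildfly
    rc=0
    for f in keystore.p12 truststore.p12; do
        path="$dir/$f"
        if [ ! -f "$path" ]; then
            echo "FAIL: $path is missing (run ./gradlew deployKeystore)"
            rc=1
            continue
        fi
        # "find -user" prints the path only when the owner matches;
        # an empty result (or an unknown user) means the ownership is wrong
        if [ -z "$(find "$path" -user "$owner" 2>/dev/null)" ]; then
            echo "FAIL: $path is not owned by $owner"
            rc=1
        fi
        # -perm -004: the "other read" bit is set
        if [ -n "$(find "$path" -perm -004)" ]; then
            echo "FAIL: $path is world-readable"
            rc=1
        fi
    done
    return $rc
}

# Usage: check_keystore_ownership /opt/wildfly/standalone/configuration/keystore wildfly
```

A clean run exits 0 and prints nothing; otherwise fix the reported file with chown or chmod 600 and run the check again.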

Optional: Add Additional Management CAs

If you create additional CAs whose certificates should be accepted in the server TLS configuration, or if you renew the CA certificate, install the CA certificate into the server TLS truststore using:

$ ant -Dca.name="My CA Name" javatruststore

This procedure currently uses an Ant task and has not yet been migrated to Gradle.

This command:

  • Adds the specified CA certificate to p12/truststore.jks.

  • Copies the updated trust store to: APPSRV_HOME/standalone/configuration/keystore.

After updating the truststore, restart the application server.

For more information about roles and access management, see Roles and Access Rules Operations.

Next Step: Finalizing the Installation

Continue by reviewing information on Finalize the Installation.