Use this procedure to install your first instance of EJBCA. This installation creates the Management CA, which serves as the administrative root for your Public Key Infrastructure (PKI).
Configure the Installation
Create an install.properties file in ejbca/conf (or ../ejbca-custom/conf for a custom installation) and configure the installation parameters.
The following example shows the default values for an installation:
#install.properties
ca.name=ManagementCA
ca.dn=CN=ManagementCA,O=EJBCA Sample,C=SE
ca.tokentype=soft
ca.tokenpassword=null
ca.keytype=RSA
ca.keyspec=2048
ca.signaturealgorithm=SHA256WithRSA
ca.validity=3650
ca.policy=null
httpsserver.hostname=localhost
httpsserver.dn=CN=${httpsserver.hostname},O=EJBCA Sample,C=SE
httpsserver.password=serverpwd
httpsserver.tokentype=P12
superadmin.cn=SuperAdmin
superadmin.dn=CN=${superadmin.cn}
superadmin.password=ejbca
superadmin.batch=true
java.trustpassword=changeit
For descriptions of all available properties and additional configuration examples, see the install.properties.sample file.
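Before running the installer it is worth checking that none of the sample passwords above survive into the real install.properties, since they end up protecting the Super Administrator keystore, the HTTPS server keystore and the Java truststore. The following script is an added example and is not part of EJBCA; it parses the key=value format, expands the ${name} references used by httpsserver.dn and superadmin.dn, and reports settings a practitioner should change. The embedded SAMPLE is a constructed copy of the defaults shown above, and the thresholds (2048-bit RSA, no SHA-1, non-localhost hostname) are the script's own assumptions, not EJBCA requirements.

```python
"""Pre-install sanity check for an EJBCA install.properties file.

Added example, not EJBCA project code. Parses key=value lines, expands
${name} references, and flags sample defaults left in place.
"""
import re

# Passwords shipped in the sample file; leaving them in place means the
# installed PKI is protected by publicly known values.
DEFAULT_PASSWORDS = {
    "superadmin.password": "ejbca",
    "httpsserver.password": "serverpwd",
    "java.trustpassword": "changeit",
}

# Constructed sample mirroring the defaults shown in the documentation.
SAMPLE = """\
#install.properties
ca.name=ManagementCA
ca.dn=CN=ManagementCA,O=EJBCA Sample,C=SE
ca.tokentype=soft
ca.tokenpassword=null
ca.keytype=RSA
ca.keyspec=2048
ca.signaturealgorithm=SHA256WithRSA
ca.validity=3650
ca.policy=null
httpsserver.hostname=localhost
httpsserver.dn=CN=${httpsserver.hostname},O=EJBCA Sample,C=SE
httpsserver.password=serverpwd
httpsserver.tokentype=P12
superadmin.cn=SuperAdmin
superadmin.dn=CN=${superadmin.cn}
superadmin.password=ejbca
superadmin.batch=true
java.trustpassword=changeit
"""

_REF = re.compile(r"\$\{([^}]+)\}")


def parse_properties(text):
    """Parse key=value lines; '#' comments and blank lines are skipped."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        props[key.strip()] = value.strip()
    return props


def expand(props):
    """Resolve ${name} references; repeated passes handle chained references.

    Unknown names are left as-is so audit() can report them."""
    out = dict(props)
    for _ in range(10):
        changed = False
        for key, value in out.items():
            new = _REF.sub(lambda m: out.get(m.group(1), m.group(0)), value)
            if new != value:
                out[key] = new
                changed = True
        if not changed:
            break
    return out


def audit(props):
    """Return a list of (key, message) findings; an empty list means clean."""
    findings = []
    for key, default in DEFAULT_PASSWORDS.items():
        if props.get(key) == default:
            findings.append((key, "uses the sample default password"))
    try:
        if props.get("ca.keytype", "").upper() == "RSA" and int(props.get("ca.keyspec", "0")) < 2048:
            findings.append(("ca.keyspec", "RSA key shorter than 2048 bits"))
    except ValueError:
        findings.append(("ca.keyspec", "not an integer"))
    if "SHA1" in props.get("ca.signaturealgorithm", "").upper():
        findings.append(("ca.signaturealgorithm", "SHA-1 signatures are deprecated"))
    if props.get("httpsserver.hostname") == "localhost":
        findings.append(("httpsserver.hostname", "TLS certificate will only be valid for localhost"))
    for key, value in props.items():
        if _REF.search(value):
            findings.append((key, "unresolved ${...} reference"))
    return findings


def check(text):
    """Parse, expand and audit a properties file's contents."""
    return audit(expand(parse_properties(text)))


if __name__ == "__main__":
    for key, msg in check(SAMPLE):
        print(f"{key}: {msg}")
```

Run it against the real file with `check(open("conf/install.properties").read())`; an empty result is the goal before `./gradlew runinstall` is executed, since the passwords are baked into the generated keystores.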
Run the Installation Command
The installation command initializes the EJBCA environment and performs the following actions:
- Creates the Management CA, used for internal administration of your PKI and certificate signing.
- Generates TLS keystores for HTTPS, signed by the Management CA.
- Creates a keystore for the initial Super Administrator.
- Adds initial access control values to the database and role information for the Super Administrator.
To perform the installation, run the following command:
$ ./gradlew runinstall
If you are migrating an existing EJBCA installation and already have the required TLS keystores, you can skip this step.
Deploy TLS Keystores to WildFly
After the installation completes, deploy the generated TLS keystores to WildFly:
$ ./gradlew deployKeystore
This command copies the generated keystores to:
WILDFLY_HOME/standalone/configuration/keystore/
Verify File Ownership
If WildFly runs as a different operating system user than the user who executed the deployment command, update the ownership of the keystore files (keystore.p12 and truststore.p12) accordingly. For example:
$ chown wildfly:wildfly /opt/wildfly/standalone/configuration/keystore/*
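A quick way to confirm the deployment before restarting WildFly is to check that both files exist and are owned by the WildFly service user; the following script is an added example, not part of EJBCA or WildFly. The directory and user name are parameters (the documentation's example uses /opt/wildfly and the user wildfly). It also warns if keystore.p12, which holds the server's private key, is readable by other users, a check the manual chown step does not cover; that permission check is the script's own addition.

```python
"""Post-deploy check for WildFly keystore files.

Added example, not EJBCA project code. Verifies that keystore.p12 and
truststore.p12 exist in the given directory, are owned by the expected
user, and that the private-key keystore is not group/world readable.
"""
import os
import pwd
import stat
import tempfile

EXPECTED_FILES = ("keystore.p12", "truststore.p12")


def _owner_name(uid):
    """Map a uid to a user name; fall back to the numeric id if unknown."""
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:
        return str(uid)


def current_user():
    """Name of the user running this script."""
    return _owner_name(os.getuid())


def check_keystore_ownership(keystore_dir, expected_user):
    """Return a list of problems; an empty list means the deployment looks right."""
    problems = []
    for name in EXPECTED_FILES:
        path = os.path.join(keystore_dir, name)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f"{path}: missing (was deployKeystore run?)")
            continue
        owner = _owner_name(st.st_uid)
        if owner != expected_user:
            problems.append(f"{path}: owned by {owner}, expected {expected_user}")
        # keystore.p12 contains the TLS private key; only its owner should read it.
        if name == "keystore.p12" and st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{path}: readable by group/others (mode {stat.filemode(st.st_mode)})")
    return problems


def make_sample_dir(files=EXPECTED_FILES):
    """Create a constructed keystore directory for demonstration (empty files)."""
    d = tempfile.mkdtemp(prefix="keystore-demo-")
    for name in files:
        open(os.path.join(d, name), "wb").close()
    if "keystore.p12" in files:
        os.chmod(os.path.join(d, "keystore.p12"), 0o600)
    return d


if __name__ == "__main__":
    # Real usage: check_keystore_ownership("/opt/wildfly/standalone/configuration/keystore", "wildfly")
    demo = make_sample_dir()
    print(check_keystore_ownership(demo, current_user()) or "ok")
```

On a real host run `check_keystore_ownership("/opt/wildfly/standalone/configuration/keystore", "wildfly")` (substituting your WILDFLY_HOME and service user) and restart WildFly only once it returns an empty list.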
Optional: Add Additional Management CAs
If you create additional CAs that you want to add as acceptable CAs in the server TLS configuration, or if you renew the CA certificate, you can install any CA certificate in the server TLS configuration using:
$ ant -Dca.name="My CA Name" javatruststore
This procedure currently uses an Ant task and has not yet been migrated to Gradle.
This command:
- Adds the specified CA certificate to p12/truststore.jks.
- Copies the updated trust store to APPSRV_HOME/standalone/configuration/keystore.
After updating the truststore, restart the application server.
For more information about roles and access management, see Roles and Access Rules Operations.
Next Step: Finalizing the Installation
Continue by reviewing information on Finalize the Installation.