Installing EJBCA as a CA with a Management CA
Congratulations, dear traveler. If you've made it to this point it probably means you're in your first steps of setting up your PKI, and if that's the case we would like to thank you for making it this far, and would like to ask you to hold on to your hat for the rest of the trip!
Running the Install Command
Running the installation command will do three things:
- It will create the Management CA. This is an administrative CA which will be both used for internal administration of your PKI by signing user certificates, and be used for signing the following points
- Create TLS keystores for handling HTTPS, signed by the Management CA
- Create the key store for the initial super administrator
It will also add some initial access control values to the database, and role information for the super administrator user
If you are moving an existing installation that already has TLS keystores available, this step is not needed.
$ ant runinstall
Deploy TLS Keystores to WildFly
After the install, TLS keystores have been created. Run this command to copy them to wildfly_home/standalone/configuration/keystore
:
$ ant deploy-keystore
Adding in Other Management CAs to the Key Store
For more information, see Roles and Access Rules Operations.
If you create other CAs that you want to add as acceptable CAs in the server TLS configuration, or if you renew the CA certificate, you can install any CA certificate in the server TLS configuration afterwards with the following command:
$ ant -Dca.name="My CA Name" javatruststore
What this does in the background is that it adds the CA certificate to p12/truststore.jks and copies this file to APPSRV_HOME/standalone/configuration/keystore, where the TLS keystores are located. This step will require a restart of the application server.
Next Step: Finalizing the Installation
Continue by reviewing information on Finalizing the installation.