Migrating an OpenSSL CA to EJBCA
An OpenSSL based CA has the CA keys and certificate as PEM files (or the CA private key on an HSM), and issued subscriber certificates as PEM files.
You can convert a PEM-style Root CA key to a PKCS12 file that can be imported in EJBCA:
$ openssl pkcs12 -export -out server1.p12 -inkey cakey.pem -in ca.pem -name privateKey
The following EJBCA CA UI menu options and CLI commands allow you to import these and continue operations transparently:
- To import a PKCS#12 file with CA private key and certificate, select the EJBCA CA UI menu option Edit Certificate Authorities > Import CA keystore.
- To import CA keys from a PKCS#12 file or an HSM, use the CLI command
bin/ejbca.sh ca importca
. - To import user certificates, use the CLI command
bin/ejbca.sh ca importcert
. - To import CRLs (revocation information), use the CLI command bin/ejbca.sh ca importcrl.