SCP Publisher

CA to Sign Published Certificate

If the published certificate/CRL should be individually signed by CA before being copied to the destination.

Publish Without Identifying Information

If identifying information (such as the contents of the Subject DN, SAN, etc) should be redacted, in compliance with GDPR and other privacy regulations.

Username for SSH Connection

The username used to establish the SSH connection.

Port for SSH Connection

The port for establishing the SSH connection. By default, port 22 is used.

Destination URL for Certificates/CRLs

URL for the end destination of the certificate/CRL files, including directory, in the format: domain.name:/path/to/folder/

If a fixed CRL file name is added to the destination location, it will publish a single file of the CA with the specified name. Existing CRLs will be overwritten. Example: download.widgetcorp.com:tmp/SubCA.crl. Note that this is not suitable if both regular and DeltaCRL are used at the same time, and it also requires a dedicated Publisher for each CA.

CRL file name pattern

By default, EJBCA uses the fingerprint of the CRL as its filename. While this works well with the CertificateCrlReader, it can cause confusion when integrating with external systems that expect predictable filenames. To address this, you can specify a constant or template-based filename pattern, see CRL File Name Templates.

It is recommended to schedule the CertificateCrlReader to run at half the validity interval of the CRL or delta CRL when the CRL filename remains constant for a given CA. For example, if a CRL or delta CRL is generated every hour, configure the CertificateCrlReader to run every 30 minutes to ensure timely synchronization.

Introduced in EJBCA 9.4.

Use SFTP

Recommended for better compatibility and security. Uses a key pair from an EJBCA crypto token for authentication. Introduced in EJBCA 9.4.

Cryptotoken and Keypair for authentication

Specifies the crypto token and corresponding key pair for authentication while using SFTP.

Supports RSA, ED25519, and EC keys (with curve P-256, P-384, P-521).

Introduced in EJBCA 9.4.

Only RSA, ED25519 and EC keys with curve P-256,P-384 and P-521 can be used.

The key pair needs must be added as an authorized SSH public key on the remote host. When Save and Test Connection is clicked, the corresponding public key is displayed under SSH Public Key used for authentication.

SSH Known hosts

Add known host entries here (one per line).

When the host is unknown, EJBCA displays the entry as an error during connection testing. Both plain and hashed hostnames are supported.

Introduced in EJBCA 9.4.

If you click Save and Test Connection and the host is unknown, EJBCA displays the entry as an error during connection testing.

Both plain and hashed host names are supported. Example:

|1|EVYZxRoGULxkdbjUiDnMN98KVp0=|MH0ocE6Fh+wVCSymtQhRfUbeBj0= ssh-rsa AAAAB3NzaC1yc2EAA.....
[178.122.22.124]:2222 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBMbPA....

Export Format

Choose the export format: Java Serialized Object or YAML.

Existing publishers will continue to use the Java format and are not automatically updated. YAML is the new default format for new publishers.

Introduced in EJBCA 9.4.

If you use a CA to sign the message containing a published certificate and want to validate the signature, see Signature Validation for Published Certificates as YAML.

Path to Private Key File

Path to a local private key used to establish the connection. A corresponding public key should exist in the same directory with the same name and the .pub suffix.

The private key file must be in PKCS#8 PEM or OpenSSH PEM format. If you generate the key using the ssh-keygen command, you must use the "-f PEM" option to generate the private key in OpenSSH PEM format (otherwise it will use RFC4716 format which is currently not supported).

Deprecated since EJBCA 9.4. Used only when SCP (not SFTP) is configured.

Password to Private Key File

Password to the private key. The field may be left blank if the private key is not password protected. The password is encrypted in the database using the passphrase defined by password.encryption.key in cesecore.properties to prohibit it from being read in clear text from a database dump.

Always change the password.encryption.key in cesecore.properties from the default value.

Deprecated since EJBCA 9.4. Used only when SCP (not SFTP) is configured.

Path to Known Hosts File

Path to the file of known hosts.

EJBCA enforces host key checking for security. The known hosts file must contain the fingerprint of the server's public RSA key. Be wary of copying an existing known hosts file since they typically only contain an EdDSA or ECDSA key fingerprint. To create a working known hosts file, use the following command:

ssh-keyscan -H -t rsa,ecdsa my.server >> known_hosts

Deprecated since EJBCA 9.4. Used only when SCP (not SFTP) is configured.

${CA_NAME}

Use the name of the CA in EJBCA in template

${CA_NAME}.crl → IssuerCA.crl

${CA_COMMON_NAME}

Use the Common Name or CN of the CA’s subjectDN. Recommended when the CA uses special or non-latin characters in the name.

${CA_COMMON_NAME}.crl → MyIssuer.crl

${CA_SUBJECTDN}

Use the CA’s subjectDN. Useful when the same common name is used across multiple CAs.

${CA_SUBJECTDN}.crl → CN=MyIssuer,OU=MyOrg.crl

${CRL_NUMBER}

Use the CRL number.

${CA_NAME}_${CRL_NUMBER}.crl → IssuerCA_120.crl when CRL number is 120.

${DELTA}

Puts _delta in the file name when the delta CRL is published. Otherwise ignored.

${CA_NAME}${DELTA}.crl → IssuerCA_delta.crl for delta CRL or IssuerCA.crl otherwise

${PARTITION}

Puts _partitionX in the file name when the partition CRL is published. Otherwise ignored.

${CA_NAME}${DELTA}${PARTITION}.crl → IssuerCA_delta_partition2.crl for delta CRL or IssuerCA_partition2.crl for base CRL when it comes to partition 2