Skip to main content
Skip table of contents

Fresh Installation

The following provides some example steps for the initial setup that are recommended for setting up the Next Generation Hardware Appliance.

After logging into the Appliance for the first time, we recommend the following setup steps.

Step 1 - Add a New User Account

Create a user account, by adding either a client certificate user account or an OAuth user account.

Step 2 - Remove the OTP User

As the Next Generation Hardware Appliance is often managed by different people, the Initial OTP User should be removed to avoid security issues.
After the new User Account has been added, log in again with the new User Account.
You can now delete the Initial OTP User.

To remove the OTP user, see the following guide.

Step 3 - Configure a Hardware Security Module (HSM)

You can configure a Hardware Security Module (HSM) to store and protect your cryptographic keys.

For instructions on how to configure the HSM, see:

Step 4 - Configure the Application

Configure the EJBCA Application

Create a Certificate Authority (CA) and Crypto Token in EJBCA. Within EJBCA, Crypto Tokens store the keys that the CA uses to perform its duties. For more information, refer to the EJBCA Documentation Crypto Tokens Overview and Managing CAs. The following provides some example steps for creating a Crypto Token and CA in EJBCA.

Create Crypto Token and Keys

Follow the example steps below to create a Crypto Token and keys in EJBCA. For more information, refer to the EJBCA Documentation Crypto Tokens Overview and Managing Crypto Tokens.

To create a Crypto Token and keys in EJBCA, do the following.

  1. On the Next Generation Hardware Appliance Overview page, click Admin Web for EJBCA listed in the Application Overview.

  2. In EJBCA, click Crypto Tokens under CA Functions.

  3. On the Manage Crypto Tokens page, click Create new.

  4. On the New Crypto Token page, specify the following:

    • Name: Specify a name for the new crypto token.

    • Authentication Code: Specify the password to be used to activate the slot.

    • Type: Select PKCS#11.

    • PKCS#11: Reference Type: How to reference your PKCS#11 slot, by number, index or label.

    • PKCS#11: Reference: The slot number, index or label of the slot you want to connect to.

    • Click Save to create the crypto token.
      The new Crypto Token is displayed on the Crypto Token page. Next, create keys for the crypto token.

  5. Create two key pairs within the Crypto Token according to the following example:

    • Specify an alias, for example, otherKey, select key specification RSA 3072 bit.
      Click Generate new key pair. This key is used for everything, but cannot sign.

    • Specify an alias, for example, signKey, select key specification RSA 3072 bit.
      Click Generate new key pair. This key will be used for certificate signing.

The new keys are available and listed on the page.

Create CA

Follow the example steps below to create a Certificate Authority (CA) in EJBCA. For more information on Certificate Authorities (CAs) and available fields, refer to the EJBCA Documentation Certificate Authority Overview and for information on adding an external Management CA, refer to Importing an External CA.

To create a CA in EJBCA, do the following.

  1. Click Certification Authorities under CA Functions.

  2. In the Add CA field, enter a name for the CA.
    Click Create.

  3. On the Create CA page, specify the following:

    • Crypto Token: Select the Crypto Token created in the earlier step.

    • Signing Algorithm: SHA256WithRSA.

    • The keys previously created and named otherKey and signKey (in section Create Crypto Token and Keys) should be populated automatically with the rest as "- Default key".

      • defaultKey: Verify that the key pair created earlier is selected, in this example: otherkey.

      • certSignKey: Verify that the key pair created earlier is selected, in this example: signkey.

      • keyEncrypKey: Select -Default key.

      • testKey: Select -Default key.

    • Signed By: Self Signed.

    • Certificate Profile: Root CA.

    • Validity: 5y.

  4. Click Create to list the newly created CA on the Manage Certification Authorities page.

You have now created a CA and Crypto Token and keys.

Step 5 - Renew the TLS Certificate

This may be necessary to comply with your company's security regulations, for example, to remove the security warning in the browser address bar. For instructions on how to renew the TLS certificate, see Managing TLS Certificates.

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.

Contact Support Close