Deploy EJBCA and SignServer with Ansible playbooks

The EJBCA and SignServer Ansible playbook supports Community, Enterprise Cloud, and software stack versions.

Using Keyfactor’s Ansible playbook and roles, you can easily get EJBCA and SignServer up and running, including integrations and a complete technology stack.

The open-source Ansible playbook for EJBCA and SignServer is available on GitHub. It is capable of performing the following high-level tasks:

  • Install and upgrade EJBCA Community and Cloud editions

  • Configure external RAs and VAs or a standalone CA (EJBCA Enterprise Cloud only)

  • Deploy and configure SignServer Community and Cloud

Supported deployment options are Community and Enterprise Cloud versions, with a variety of roles developed specifically for both EJBCA and SignServer.

About Ansible playbooks

Ansible helps ensure that your PKI and signing deployments are consistent and repeatable across different environments, including test environments and systems, thereby reducing the risk of errors or inconsistencies. 

The EJBCA and SignServer Ansible playbook has been developed as open source to make it easier for you to get started with EJBCA and SignServer. We encourage everyone to share and contribute any improvements or alternative solutions so that we all have the best and most secure deployment possible.

Video

In this video, you will learn how to automate the wizard installation and configuration of EJBCA Enterprise Cloud using the open-source Ansible playbook for a zero-touch PKI experience.

Prerequisites

For this guide, EJBCA Enterprise Cloud version 8.2.0 was used.

Before you begin, you need:

  • AWS or Azure account with permission to deploy EJBCA from the marketplace

  • Network access to GitHub to download the Keyfactor Ansible repository

  • Network access to the EJBCA Cloud instance; this could be a host in the cloud, if you run Ansible there

  • Ansible controller that can access the EJBCA Cloud instance using SSH

  • Familiarity with Ansible playbooks, roles, and the YAML format

Overview: Install and Configure EJBCA Cloud

The installation and configuration of EJBCA Cloud include these steps:

  • Launch the EJBCA Enterprise Cloud AMI/VM from the AWS or Azure marketplace. Make sure the private key you select is configured on your Ansible controller to connect using SSH to the EJBCA instance in the cloud.

  • Download the Keyfactor Ansible repository to your Ansible controller. Once the repository is downloaded, you can update the ecloud_inventory file with the IP address or fully qualified domain name to connect to the remote EJBCA instance.

  • Review the host_vars and group_vars to update variables for your deployment. If you are unsure about what to update, you can try deploying with the defaults.

  • At this point, you should be able to run the Ansible playbook and review the output of the tasks as EJBCA is configured. 

Overview: Running the Ansible playbook

Running the Ansible playbook to configure EJBCA automates the following steps:

  • Provide configuration to the installation wizard for a zero-touch experience with the EJBCA setup

  • Create a crypto token for the Root and Sub CA

  • Generate keys on the crypto token for the Root CA and Sub CA

  • Use the EJBCA Enterprise configdump utility to complete the following:

    • Import certificate profiles for the Root CA and Sub CA

    • Initialize the Root CA and Sub CA

    • Import certificate profiles for end entities

    • Import end entity profiles used to create and issue certificates for end entities

    • Configure EJBCA services such as the CRL update service

    • Configure EJBCA enrollment protocols such as ACME, EST, SCEP, and REST API endpoints

    • Configure roles that can be used for testing various permissions in the PKI 

Once the Ansible playbook has completed, open the EJBCA RA web in your internet browser and create your P12 credential to access EJBCA. Install the P12 credential into either the OS truststore or browser truststore, depending on which browser you use. Then you can access the EJBCA adminweb UI in your web browser and review the EJBCA settings or begin testing certificate enrollment.

Next steps

In this guide, you learned how to automate the installation and configuration of EJBCA Enterprise Cloud using the open-source Ansible playbook.

Here are some next steps we recommend:

Contact us

Request a live demo with one of our experts — whether you want to explore workflows hands-on or discuss your specific needs.
