Configure EJBCA for Public Access

The following covers how to enable public access to the EJBCA RA UI and to the EJBCA CA UI.

Enabling Public Access to the EJBCA RA UI

An RA or CA can be configured for public access using a PublicAccessAuthenticationToken. Public access allows anyone to navigate to the RA UI without having to present a client certificate (this would normally be port 8442 instead of 8443 if you have set up EJBCA with 3-port separation, see Use 3-Port Separation application server configuration instructions).

You can configure EJBCA for public access either using the CA UI or the EJBCA CLI.

Configure Public Access using the CA UI

To configure EJBCA public access, go to System Functions → Roles and Access Rules and add a new member to any role. The member should have Match with set to one of the following:

  • PublicAccessAuthenticationToken : Any transport (HTTP or HTTPS)

  • PublicAccessAuthenticationToken: Non-confidential transport (HTTP)

  • PublicAccessAuthenticationToken: Confidential transport (HTTPS)

images/download/attachments/143722994/Screenshot_2020-12-22_at_09.49.24.png

Next, click Access Rules for that role, go to Advanced Mode and give this role the following access rights:

  • Access to /ca_functionality/create_certificate/:

    images/download/attachments/143722994/Screenshot_2022-02-01_at_16.49.57.png
  • Access to the CAs and End Entity Profiles that you wish to be publicly accessible:
    images/download/attachments/143722994/Screenshot_2020-12-22_at_09.51.48.png

  • Optionally, to let the public user create new end entities and have access to the Make New Request page, they need to be given the access rule /ra_functionality/create_end_entity/:
    images/download/attachments/143722994/Screenshot_2020-12-22_at_15.04.42.png

  • Optionally, to let the public user access to CA Certificates and CRLs page, they need to be given the access rule /ca_functionality/view_ca: images/download/attachments/143722994/Screenshot_2022-04-06_at_10.46.36.png

This will produce a minimal enrollment interface for anybody to use.

images/download/attachments/143722994/Screenshot_2020-12-22_at_15.08.29.png

Note that public users cannot use the EMPTY End Entity Profile when choosing Key-pair generation "By the CA" since that would require the public role to have ROOT access to EJBCA.

Configure Public Access using the EJBCA CLI

To configure EJBCA for public access using the CLI, run the following:

./ejbca.sh roles addrolemember --caname "" --role "Super Administrator Role" --value "" --with PublicAccessAuthenticationToken:TRANSPORT_ANY

This will disable client certificate authentication in EJBCA for the RA. Alternatively, instead of allowing both HTTP and HTTPS using TRANSPORT_ANY it is possible to allow only HTTP using TRANSPORT_PLAIN and only HTTPS using TRANSPORT_CONFIDENTIAL.

Enabling Public Access to the EJBCA CA UI

Please note that this operation would make the CA UI publicly available to any party and would in almost all cases cause a gaping security risk. Make sure you know what you're doing before you disabling the web.reqcert property.

To disable all authentication checking to the CA UI, recompile setting web.reqcert=false in conf/web.properties.