Create an End Entity Profile for SSL Servers

The following describes how to create an end entity profile suitable for SSL/TLS servers, such as web servers.

End Entity Profiles let you restrict, and automatically fill in, some of the values used in the certificate.

The End Entity Profile is used together with the Certificate Profile to create the certificates signed by the CA. The Certificate Profile defines the constraints of the certificate, for example what keys it can use and what the extensions will be, while the End Entity Profile defines the information in the certificate, for example country and organization.

For conceptual information on End Entity Profiles, see End Entity Profiles Overview, which also lists the available End Entity Profile fields.


Create End Entity Profile for Server Certificates

Before you begin, you should have created the certificate profile for SSL servers according to Create a Certificate Profile for SSL Servers.

To create an end entity profile suitable for SSL/TLS servers, such as web servers, do the following:

  1. Click Edit End Entity Profiles under RA Functions.

  2. In the Add Profile field, specify a name for your end entity profile, for example SSLServerEndEntityProfile, and click Add.

  3. Find the new SSLServerEndEntityProfile in the List of End Entity Profiles, and click Edit.

  4. Edit the settings according to the following:

  5. Under Subject DN Fields select O, Organization and click Add.

    • For O, Organization enter EJBCA Edu, select Required and clear Modifiable.

  6. Under Subject DN Fields, select C, Country and click Add.

    • For C, Country enter SE, select Required and clear Modifiable.

  7. Under Subject Alternative Fields, select DNS Name and click Add.

  8. Clear Use at Email Domain.

  9. Default Certificate Profile: Select a previously created Server Certificate Profile, see Create a Certificate Profile.

  10. Available Certificate Profiles: Select SSLServerEndEntityCertificateProfile.

  11. Default CA: Select the CA you use to issue server certificates (see Managing CAs).

  12. Available CAs: Select the same CA as above.

  13. Default Token: Select User Generated.

  14. Available Tokens: Select all options, for convenience during evaluation (Ctrl-click to select multiple options).

    • User Generated: User will provide a CSR for a certificate request.

    • P12: The certificate and key will be generated by EJBCA.

    • JKS: Generally used for Tomcat Application servers.

    • PEM: Certificate only in PEM format.

  15. Click Save to save the End Entity Profile.
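
The effect of selecting Required and clearing Modifiable is that every request enrolled through this profile must carry exactly the preset O and C values. The following Python sketch is an added example, not EJBCA code: it models the settings from the steps above and checks a requested subject before submission. The function names, the sample requests and the one-value-per-DNS-Name-field limit are assumptions of this example, and DN attributes the steps do not configure (such as CN) are passed through unchecked.

```python
# Model of steps 5-6 (not EJBCA code): preset value, Required, Modifiable cleared.
FIXED_DN = {"O": "EJBCA Edu", "C": "SE"}
# Step 7 adds one DNS Name field; assumed to permit at most one DNS name.
MAX_DNS_NAMES = 1
# Step 14: tokens made available in the profile.
TOKENS = {"User Generated", "P12", "JKS", "PEM"}


def parse_dn(dn):
    """Split 'CN=a,O=b,C=c' into {attr: [values]}; escaped commas unsupported."""
    fields = {}
    for part in dn.split(","):
        key, sep, value = part.strip().partition("=")
        if not sep or not key.strip():
            raise ValueError(f"malformed DN component: {part!r}")
        fields.setdefault(key.strip().upper(), []).append(value.strip())
    return fields


def check_request(subject_dn, dns_names, token="User Generated"):
    """Return the reasons a request does not fit the modelled profile."""
    try:
        dn = parse_dn(subject_dn)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    for attr, preset in FIXED_DN.items():
        values = dn.get(attr, [])
        if not values:
            problems.append(f"{attr} is Required but missing")
        elif values != [preset]:
            problems.append(f"{attr} is not Modifiable: expected {preset!r}")
    if len(dns_names) > MAX_DNS_NAMES:
        problems.append(f"{len(dns_names)} DNS names exceed {MAX_DNS_NAMES} field")
    if token not in TOKENS:
        problems.append(f"token {token!r} is not an Available Token")
    return problems


# Constructed sample requests (not from the page).
SAMPLES = [
    ("CN=www.example.test,O=EJBCA Edu,C=SE", ["www.example.test"]),
    ("CN=www.example.test,O=Other Org,C=SE", ["www.example.test"]),
    ("CN=www.example.test,O=EJBCA Edu", ["a.example.test", "b.example.test"]),
]

if __name__ == "__main__":
    for dn, sans in SAMPLES:
        print(dn, sans, "->", check_request(dn, sans) or "OK")
```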