Install EJBCA as a CA without a Management CA

If you're at this step you're either migrating your initial CA from another installation, or creating a sub CA. In other words, the Management CA has already been created somewhere else, and you are already in possession of TLS key stores signed by that Management CA.

Copy Your Existing Key Store

If you've already created a key store as the part of the initial installation of EJBCA on another instance, copy it to the p12 directory in EJBCA. If no such directory exists, feel free to create one.

Deploy TLS Keystores to WildFly

Run this command to copy the existing key stores from p12 to to wildfly_home/standalone/configuration/keystore:

$ ant deploy-keystore

Adding in Other Management CAs to the Key Store

For more information, see Roles and Access Rules Operations.

If you create other CAs that you want to add as acceptable CAs in the server TLS configuration, or if you renew the CA certificate, you can install any CA certificate in the server TLS configuration afterwards with the following command:

$ ant -Dca.name="My CA Name" javatruststore

What this does in the background is that it adds the CA certificate to p12/truststore.jks and copies this file to APPSRV_HOME/standalone/configuration/keystore, where the TLS keystores are located.This step will require a restart of the application server.

Import the Management CA Certificate

  1. Verify that web.reqcertindb=false has been set in conf/web.properties (otherwise: do so and run ant deployear again).

  2. Download the Management CA certificate from the RA UI on the instance hosting the Management CA

  3. From the EJBCA CLI on the RA, run the following command to import the Management CA certificate on the RA:

    $ bin/ejbca.sh ca importcacert ManagementCA ManagementCA.cacert.pem -initauthorization -superadmincn SuperAdmin

Next Step: Finalizing the Installation

Continue by reviewing information on Finalizing the Installation.