Guide to modern PKI: Integration and configuration

After successful deployment of the CZERTAINLY platform, we are ready to integrate it with various technologies and prepare the necessary configuration. This allows us to automate the trust services lifecycle for current and future use cases.

In this part of the guide to modern PKI, we are going to integrate the EJBCA we deployed and prepared in Setting up the EJBCA and Preparing the certification authority.

Once this step is done, we are ready to discover certificates issued by certification authorities, manage the certificate lifecycle, use standardized protocols like ACME, automate certificate distribution, and more.

Configure EJBCA protocols

CZERTAINLY works with the EJBCA through the Web Services and REST API. The following protocols should therefore be enabled and allowed in the EJBCA:

  • Web Service
  • REST Certificate Management V2

The Web Service interface is mandatory, as it serves as the primary entry point for certificate management operations. The REST Certificate Management V2 interface is optional; it must be available only if you want to run the certificate discovery process on the EJBCA.

Firewall configuration

To access the EJBCA protocols, the firewall needs to allow inbound connections from the connector to the TCP port the EJBCA listens on, which is 8443 by default. Make sure the network connection is established successfully before proceeding to the next steps.

Enroll administrator

The certificate of the administrator is used to authenticate and authorize requests coming from CZERTAINLY. Enroll a new administrator using the AdministratorEndEntityProfile:

  • Key-pair generation: By the CA
  • Common Name: Modern PKI Administrator
  • Username: modern-pki-administrator
  • Enrollment code: your-strong-password

Download the PKCS#12 file containing the administrator certificate and private key. We will use it later to authenticate to the EJBCA interfaces.

Configure CZERTAINLY role

The CZERTAINLY role in the EJBCA represents the access rules and permissions that are allowed for a given user within the EJBCA.

The following access rules should be allowed for the CZERTAINLY role:


Once the role is created, assign the Modern PKI Administrator to the CZERTAINLY role as a member.

Create SoftKeyStore credential

The SoftKeyStore kind of credential represents the administrator credential used to access the EJBCA interfaces. Create a new credential in CZERTAINLY:

  • Credential Name: Modern PKI Administrator
  • Credential Provider: Common-Credential-Connector (if you have a different name, select it)
  • Kind: SoftKeyStore
  • Key Store Type: PKCS#12
  • Upload your PKCS#12 administrator certificate
  • Key Store Password: your-strong-password
  • Trust Store: configure it with your trusted certificates of the Management CA and the EJBCA server certificate

Once the credential is successfully created, you should be able to see its details, including the UUID of the credential.
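Before uploading the PKCS#12 file downloaded after enrolling the administrator as the key store of the SoftKeyStore credential, it is worth confirming that the bundle opens with the enrollment code, that the certificate carries the expected subject, that the private key actually belongs to that certificate, and that the credential is not about to expire. The script below is an added example, not part of the original guide or of the CZERTAINLY or EJBCA projects; it uses only the openssl CLI. The file paths and the self-signed demo certificate it generates are constructed for this example, so the checks can run offline; on a real deployment you would point the functions at the bundle downloaded from the EJBCA.

```shell
#!/bin/sh
# Added example, not part of the original guide or of CZERTAINLY/EJBCA:
# sanity-check the administrator's PKCS#12 bundle before uploading it as the
# SoftKeyStore credential. Needs only the openssl CLI.
# Paths and the self-signed demo certificate are constructed for this example;
# in practice the bundle is the file downloaded from the EJBCA after enrollment.
set -eu

# Extract the end-entity certificate (PEM) from the bundle.
# Fails if the password is wrong or the file is not a PKCS#12 bundle.
p12_cert() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null
}

# Print the certificate subject in RFC 2253 form, e.g. CN=Modern PKI Administrator,
# so the name can be matched against the role membership configured in the EJBCA.
p12_subject() {
    cert=$(p12_cert "$1" "$2") || return 1
    printf '%s\n' "$cert" | openssl x509 -noout -subject -nameopt RFC2253 | sed 's/^subject=//'
}

# Report whether the private key in the bundle belongs to the certificate by
# comparing SHA-256 digests of the two public keys; prints "match" or "mismatch".
p12_key_matches_cert() {
    cert=$(p12_cert "$1" "$2") || return 1
    key=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null) || return 1
    cert_pub=$(printf '%s\n' "$cert" | openssl x509 -noout -pubkey | openssl sha256)
    key_pub=$(printf '%s\n' "$key" | openssl pkey -pubout | openssl sha256)
    if [ "$cert_pub" = "$key_pub" ]; then echo match; else echo mismatch; fi
}

# Succeed only if the certificate stays valid for at least $3 more days, so an
# expiring administrator credential is caught before the integration breaks.
p12_valid_for_days() {
    cert=$(p12_cert "$1" "$2") || return 1
    printf '%s\n' "$cert" | openssl x509 -noout -checkend "$(( $3 * 86400 ))" >/dev/null
}

# Constructed demo bundle (self-signed, one year) so the checks can run offline.
# Prints the path of the generated .p12 file.
make_demo_p12() {
    dir=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Modern PKI Administrator" \
        -keyout "$dir/admin.key" -out "$dir/admin.crt" 2>/dev/null
    openssl pkcs12 -export -in "$dir/admin.crt" -inkey "$dir/admin.key" \
        -name modern-pki-administrator -passout "pass:your-strong-password" \
        -out "$dir/admin.p12"
    echo "$dir/admin.p12"
}

# Usage: sh check_p12.sh <bundle.p12> <password>   (no arguments: use the demo bundle)
if [ $# -eq 2 ]; then P12="$1"; PASS="$2"; else P12=$(make_demo_p12); PASS=your-strong-password; fi
echo "subject:  $(p12_subject "$P12" "$PASS")"
echo "key/cert: $(p12_key_matches_cert "$P12" "$PASS")"
if p12_valid_for_days "$P12" "$PASS" 30; then
    echo "validity: more than 30 days left"
else
    echo "validity: expires within 30 days, re-enroll the administrator"
fi
```

Each function returns a non-zero status when the bundle cannot be opened, so a wrong enrollment code is reported as a failure rather than as an empty subject. The same three checks (subject, key-to-certificate match, remaining validity) are what you would schedule as a periodic health check on the credential once it is in use.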

Create authority instance

We will establish an authorized connection with the EJBCA using the Modern PKI Administrator and the Web Services. Create a new authority in CZERTAINLY:

  • Certification Authority Name: Modern EJBCA
  • Authority Provider: EJBCA-NG-Connector (if you have a different name, select it)
  • Kind: EJBCA
  • EJBCA WS URL: the URL of your EJBCA Web Services endpoint (https://[host]:[port]/ejbca/ejbcaws/ejbcaws?wsdl)
  • Credential: Modern PKI Administrator

Once the authority is successfully created, you should be able to see its details, including the UUID of the authority.
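The firewall rule, the trust store of the credential, and the EJBCA WS URL entered above all have to be right at the same time before CZERTAINLY can talk to the EJBCA, and a failure in the platform UI does not say which one is wrong. The script below is an added example, not part of the original guide or of the CZERTAINLY or EJBCA projects: run from the connector host, it fetches the WSDL at the EJBCA WS URL over mutually authenticated TLS with the administrator's PKCS#12 file and maps curl's exit code to the configuration step that most likely failed. It assumes curl built with an OpenSSL backend (needed for --cert-type P12); the host name, port, and file paths are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original guide or of CZERTAINLY/EJBCA:
# check from the connector host that the EJBCA Web Services endpoint is reachable
# through the firewall, that its server certificate chains to the trust store, and
# that the administrator's PKCS#12 credential is accepted for client authentication.
# Requires curl built with an OpenSSL backend (for --cert-type P12). Host name,
# port and file paths are placeholders to replace with your own.
set -eu

# Build the WS URL in the form CZERTAINLY expects in the EJBCA WS URL field.
ejbca_ws_url() {
    printf 'https://%s:%s/ejbca/ejbcaws/ejbcaws?wsdl\n' "$1" "$2"
}

# Fetch the WSDL over mutually authenticated TLS and map curl's exit code to the
# configuration step that most likely failed. Returns 0 only when the WSDL loads.
#   $1 host  $2 port  $3 admin.p12  $4 key store password  $5 trust store (PEM bundle)
ejbca_ws_check() {
    host="$1"; port="$2"; p12="$3"; pass="$4"; cacert="$5"
    url=$(ejbca_ws_url "$host" "$port")
    rc=0
    body=$(curl --silent --fail --connect-timeout 5 --max-time 20 \
        --cacert "$cacert" --cert-type P12 --cert "$p12:$pass" "$url" 2>/dev/null) || rc=$?
    case "$rc" in
        0)  ;;
        7)  echo "cannot connect to $host:$port: firewall rule missing or EJBCA not listening"; return 1 ;;
        22) echo "HTTP error from $url: check that the Web Service protocol is enabled in the EJBCA"; return 1 ;;
        35) echo "TLS handshake with $host:$port failed: client certificate rejected or TLS settings mismatch"; return 1 ;;
        58) echo "cannot load client certificate from $p12: wrong file or key store password"; return 1 ;;
        60) echo "server certificate of $host not trusted by $cacert: fix the trust store"; return 1 ;;
        *)  echo "curl exited with code $rc"; return 1 ;;
    esac
    # A WSDL document always contains a <definitions> element; anything else
    # (an error page, a login redirect) means the endpoint is not serving WS.
    case "$body" in
        *definitions*) echo "EJBCA Web Services reachable at $url"; return 0 ;;
        *) echo "unexpected response from $url (not a WSDL)"; return 1 ;;
    esac
}

# Usage: sh check_ejbca_ws.sh ejbca.example.internal 8443 admin.p12 your-strong-password truststore.pem
if [ $# -eq 5 ]; then ejbca_ws_check "$@"; fi
```

The trust store passed as the fifth argument should be the same set of certificates you configured in the SoftKeyStore credential (Management CA plus the server certificate chain); if curl reports exit code 60 here, CZERTAINLY will reject the server certificate for the same reason. Exit code 7 points at the firewall or a wrong port, 58 at the PKCS#12 file or its password, and an HTTP error at the protocol configuration in the EJBCA.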

Test the integration

When your integration is configured, you can test whether everything works as expected by trying to load EJBCA resources while creating a new RA Profile.

Create a new RA Profile and select Modern EJBCA as the Authority. If the integration is configured properly, the allowed end entity profiles, certificate profiles, and certification authorities will be loaded.

Get more information about the CZERTAINLY

CZERTAINLY is an open-source platform for effective and efficient certificate lifecycle management for companies of any size and for individuals. One of its goals is to provide an easy and affordable way to secure digital communication and support information security in an increasingly connected world.

Need Help

Do not hesitate to get in touch with us!