Guide to modern PKI: Setting up the EJBCA

A certification authority (CA) is the heart of a PKI: it issues, renews, and revokes certificates. In a modern infrastructure you will probably need several certification authorities for different purposes, such as certificates for web servers, clients, or code signing.

In this part of the guide to modern PKI we will look at how to install and set up EJBCA. We will use EJBCA as one of the PKI software components that will host the certification authorities and issue certificates.

Prerequisites

The following is assumed to be already available before installing EJBCA:

If you would like to expose EJBCA to the outside world through an Ingress, you should also install an Ingress Controller if none is available. In this guide we will use a NodePort service instead of an Ingress to access the EJBCA deployment.

Deployment of EJBCA

For a successful deployment of EJBCA we need to execute the following steps, which are described in detail below:

  • Create database and database user
  • Prepare namespace and Helm chart repository
  • Deploy EJBCA
  • Access EJBCA Admin Web

Create database and database user

Connect to your PostgreSQL database server and execute the following commands to create the user and database that EJBCA will use:

postgres=# CREATE USER ejbcauser WITH PASSWORD 'your-strong-password';
postgres=# CREATE DATABASE ejbca ENCODING 'UTF8' LC_COLLATE='en_US.UTF-8' LC_CTYPE='en_US.UTF-8' TEMPLATE=template0;
postgres=# GRANT ALL PRIVILEGES ON DATABASE ejbca to ejbcauser;

The database name is ejbca and the user with access to it is ejbcauser. We will use these values during deployment.

Prepare namespace

We need to define a Kubernetes namespace in which the resources created by the chart will be installed. The namespace will be named ejbca:

% kubectl create namespace ejbca

Add Helm chart repository

Use the helm repo add command to add the Helm chart repository that contains the chart for installing EJBCA:

% helm repo add ejbca https://harbor.3key.company/chartrepo/ejbca-ce

Deploy EJBCA

Everything should now be prepared for the deployment of EJBCA. We need to specify the database properties used to access the ejbca database, and a few other properties that allow us to manage trusted certificates:

  • database.type – database technology, in our case postgresql
  • database.host – hostname of the database server
  • database.port – database port number
  • database.name – name of the database (ejbca)
  • database.username – user that accesses the database
  • database.password – password of that user
  • database.properties – connection properties appended to the JDBC URL
  • ejbca.ui.enabled – creates the objects needed to access the EJBCA web interfaces
  • ejbca.reverseProxy.caFinderImage.repository – repository of the CA finder image, deployed as the ca-cert-locator init container. The certificate found by this container is used by the reverse proxy for client certificate authentication
  • ejbca.reverseProxy.caFinderImage.tag – CA finder image pull tag
  • ejbca.ejbcaImage.tag – EJBCA image pull tag

We can install it through the Helm command:

% helm install --namespace ejbca \
  --set database.type=postgresql \
  --set database.host=host.docker.internal \
  --set database.port=30107 \
  --set database.name=ejbca \
  --set database.username=ejbcauser \
  --set database.password=your-strong-password \
  --set database.properties='?sslmode=disable' \
  --set ejbca.ui.enabled=true \
  --set ejbca.reverseProxy.caFinderImage.repository=harbor.3key.company/ejbca-ce/ejbca-management-ca-locator \
  --set ejbca.reverseProxy.caFinderImage.tag=1.0.0 \
  --set ejbca.ejbcaImage.tag=7.10.0.1 \
  ejbca ejbca/ejbca-ce

Now wait a few minutes for Kubernetes to pull all required container images (if they are not already present locally) and create all resources required for the EJBCA deployment. When EJBCA is deployed, you should see that the pod is ready and running:

% kubectl get all -n ejbca
NAME                                  READY   STATUS    RESTARTS   AGE
pod/ejbca-ejbca-ce-6d8cbd7458-zggd6   2/2     Running   0          3m2s

NAME                   TYPE        CLUSTER-IP      EXTERNAL-IP   PORT(S)                      AGE
service/ejbca-lb-svc   NodePort    10.102.33.255   <none>        443:32713/TCP,80:32513/TCP   3m2s
service/ejbca-ui       ClusterIP   10.109.34.82    <none>        8443/TCP                     3m2s

NAME                             READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/ejbca-ejbca-ce   1/1     1            1           3m2s

NAME                                        DESIRED   CURRENT   READY   AGE
replicaset.apps/ejbca-ejbca-ce-6d8cbd7458   1         1         1       3m2s
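The steps above (namespace, chart repository, helm install, waiting for the pod) can be driven from one script. The following is an added example written for this guide, not code from the article or from the EJBCA or 3Key projects. It uses the chart keys, image repository and tags listed above, but the function names and the EJBCA_* environment variable names are assumptions of the example. It renders a Helm values file instead of passing `--set database.password=...` on the command line, so the database password does not end up in shell history, `ps` output or CI job logs, and it warns when the database connection is configured without TLS.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article or from the EJBCA / 3Key projects.
# Wraps the deployment steps of the guide in one script driven by environment variables.
# Chart keys, image repository and default tags are the ones the article uses; the
# function names and the EJBCA_* variable names are assumptions of this example.
set -euo pipefail

NAMESPACE="${EJBCA_NAMESPACE:-ejbca}"
RELEASE="${EJBCA_RELEASE:-ejbca}"
CHART_REPO_URL="https://harbor.3key.company/chartrepo/ejbca-ce"

# Quote a value as a YAML double-quoted scalar (escapes backslash and double quote),
# so a password containing those characters does not corrupt the values file.
yaml_dq() {
  printf '"%s"' "$(printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')"
}

# Render a Helm values file on stdout. A values file instead of --set keeps the
# database password out of shell history, `ps` output and CI job logs.
# Required: EJBCA_DB_HOST, EJBCA_DB_PASSWORD. Everything else has a default.
ejbca_values_yaml() {
  : "${EJBCA_DB_HOST:?set EJBCA_DB_HOST to the PostgreSQL host}"
  : "${EJBCA_DB_PASSWORD:?set EJBCA_DB_PASSWORD to the ejbcauser password}"
  local sslmode="${EJBCA_DB_SSLMODE:-require}"
  # The article's lab uses ?sslmode=disable; outside a lab the CA database traffic
  # (issued certificates, audit records) should not cross the network in clear text.
  if [ "$sslmode" = "disable" ]; then
    echo "warning: sslmode=disable sends CA database traffic in clear text" >&2
  fi
  cat <<EOF
database:
  type: postgresql
  host: ${EJBCA_DB_HOST}
  port: ${EJBCA_DB_PORT:-5432}
  name: ${EJBCA_DB_NAME:-ejbca}
  username: ${EJBCA_DB_USER:-ejbcauser}
  password: $(yaml_dq "$EJBCA_DB_PASSWORD")
  properties: "?sslmode=${sslmode}"
ejbca:
  ui:
    enabled: true
  reverseProxy:
    caFinderImage:
      repository: harbor.3key.company/ejbca-ce/ejbca-management-ca-locator
      tag: "${EJBCA_CA_FINDER_TAG:-1.0.0}"
  ejbcaImage:
    tag: "${EJBCA_IMAGE_TAG:-7.10.0.1}"
EOF
}

# Run the deployment steps of the article. Re-running upgrades the existing release.
ejbca_deploy() {
  local values
  values="$(mktemp)"
  chmod 600 "$values"                 # the file holds the database password
  trap 'rm -f "$values"' EXIT
  ejbca_values_yaml > "$values"
  kubectl get namespace "$NAMESPACE" >/dev/null 2>&1 || kubectl create namespace "$NAMESPACE"
  helm repo add --force-update ejbca "$CHART_REPO_URL"
  helm repo update
  helm upgrade --install --namespace "$NAMESPACE" -f "$values" "$RELEASE" ejbca/ejbca-ce
  # The chart names the deployment <release>-ejbca-ce (see the article's
  # kubectl get all output); rollout status returns once the pod reports READY.
  kubectl rollout status --namespace "$NAMESPACE" "deployment/${RELEASE}-ejbca-ce" --timeout=10m
}

# Only deploy when invoked as: ./deploy-ejbca.sh deploy
if [ "${1:-}" = "deploy" ]; then
  ejbca_deploy
fi
```

Run it as `EJBCA_DB_HOST=host.docker.internal EJBCA_DB_PORT=30107 EJBCA_DB_PASSWORD=... ./deploy-ejbca.sh deploy` to reproduce the article's lab setup; set `EJBCA_DB_SSLMODE=disable` only when the database really is reachable without TLS, as in the article's local environment. Note that `helm get values` will still show the password to anyone with access to the release secrets in the namespace, so namespace RBAC remains the control that protects it.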

Access EJBCA Admin Web

During the initial deployment the database is bootstrapped, the ManagementCA is generated, and the initial superadmin end entity is prepared. Information on how to issue the certificate for superadmin can be found in the log of the ejbca-ce-init container. Look for output similar to the following:

% kubectl logs -c ejbca-ce-init -n ejbca ejbca-ejbca-ce-6d8cbd7458-zggd6

**************************************************************************************
* A fresh installation was detected and a ManagementCA was created for your initial  *
* administaration of the system.                                                     *
*                                                                                    *
* Initial SuperAdmin client certificate enrollment URL (adapt port to your mapping): *
*                                                                                    *
*   URL:      https://ejbca-ejbca-ce-6d8cbd7458-zggd6:443/ejbca/enrol/keystore.jsp
*   Username: superadmin                                                             *
*   Password: hAEjPmy9JudNosM+VGfItGYu                                               *
*                                                                                    *
* Once the P12 is downloaded, use "hAEjPmy9JudNosM+VGfItGYu" to import it.           *
**************************************************************************************

Now you can open the web enrollment page to enrol the superadmin certificate:

  • https://localhost:32713/ejbca/enrol/keystore.jsp (change your host accordingly)

and enrol with superadmin as the username and the uniquely generated password from the ejbca-ce-init container log above:

  • Set key specification to RSA 2048 bits
  • Set certificate profile to ENDUSER

Once your certificate has been downloaded as a PKCS#12 file, import it into your browser and access the Admin Web, authenticating with the superadmin certificate:

  • https://localhost:32713/ejbca/adminweb (change your host accordingly)
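Copying a one-time password out of a terminal by hand is error-prone, and the banner's URL uses the pod name and container port rather than the NodePort you actually reach from a browser. The following added example (written for this guide, not code from the article or from the EJBCA or 3Key projects) reads the ejbca-ce-init banner shown above, extracts the username, password and enrollment path, rewrites the URL for the NodePort mapping, and checks that the P12 import password printed at the bottom of the banner matches the enrollment password. The function names are assumptions of the example; the banner layout is the one the article prints, and the embedded sample is a constructed copy with a placeholder secret.

```shell
#!/usr/bin/env bash
# Added example, not code from the original article or from the EJBCA / 3Key projects.
# Extracts the initial superadmin enrollment data from the ejbca-ce-init banner and
# rewrites the URL for the NodePort mapping. Function names are assumptions of this
# example; the banner layout is the one printed in the article.
set -euo pipefail

# Reads the init-container log on stdin and prints one line: "<username> <password> <url>".
# $1 = host reachable from the browser, $2 = NodePort mapped to the container's port 443.
ejbca_superadmin_creds() {
  local host="${1:-localhost}" port="${2:-443}"
  awk -v host="$host" -v port="$port" '
    /Username:/    { u = $0; sub(/.*Username: */, "", u); sub(/[ *]*$/, "", u) }
    /Password:/    { p = $0; sub(/.*Password: */, "", p); sub(/[ *]*$/, "", p) }
    /URL: /        { x = $0; sub(/.*URL: */, "", x);      sub(/[ *]*$/, "", x)
                     sub("^https?://[^/]*", "", x); path = x }   # keep only the path
    /to import it/ { q = $0; sub(/.*use "/, "", q); sub(/".*/, "", q); import_pw = q }
    END {
      if (u == "" || p == "" || path == "") {
        print "error: superadmin banner not found (container already bootstrapped?)" > "/dev/stderr"
        exit 1
      }
      # The banner states that the same password unlocks the downloaded P12; flag any drift.
      if (import_pw != "" && import_pw != p)
        print "warning: enrollment password and P12 import password mismatch" > "/dev/stderr"
      printf "%s %s https://%s:%s%s\n", u, p, host, port, path
    }'
}

# Pull the banner from the running deployment and resolve the NodePort for port 443
# (the article's service is ejbca-lb-svc, 443:32713/TCP in its example output).
ejbca_superadmin_from_cluster() {
  local ns="${1:-ejbca}" host="${2:-localhost}" port
  port="$(kubectl get svc ejbca-lb-svc -n "$ns" \
          -o jsonpath='{.spec.ports[?(@.port==443)].nodePort}')"
  kubectl logs deployment/ejbca-ejbca-ce -c ejbca-ce-init -n "$ns" \
    | ejbca_superadmin_creds "$host" "$port"
}

# Constructed sample of the banner (same layout as the article's log, placeholder secret).
SAMPLE_INIT_LOG="$(cat <<'EOF'
**************************************************************************************
* A fresh installation was detected and a ManagementCA was created for your initial  *
* administration of the system.                                                      *
*                                                                                    *
* Initial SuperAdmin client certificate enrollment URL (adapt port to your mapping): *
*                                                                                    *
*   URL:      https://ejbca-ejbca-ce-6d8cbd7458-zggd6:443/ejbca/enrol/keystore.jsp   *
*   Username: superadmin                                                             *
*   Password: EXAMPLE-not-a-real-secret                                              *
*                                                                                    *
* Once the P12 is downloaded, use "EXAMPLE-not-a-real-secret" to import it.          *
**************************************************************************************
EOF
)"

# Usage: ./superadmin-creds.sh demo              (parse the embedded sample)
#        ./superadmin-creds.sh cluster ejbca HOST (read the live init-container log)
if [ "${1:-demo}" = "cluster" ]; then
  ejbca_superadmin_from_cluster "${2:-ejbca}" "${3:-localhost}"
else
  printf '%s\n' "$SAMPLE_INIT_LOG" | ejbca_superadmin_creds localhost 32713
fi
```

The password is valid only for this initial enrollment; once the superadmin certificate has been issued, the keystore.jsp URL no longer accepts it, so the output of this script should go straight into the enrollment form (or a password manager) rather than into a file or a shared log. If the banner is absent, the container had already been bootstrapped on an earlier run and the script exits with an error instead of printing empty fields.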

And that’s it! Your EJBCA instance is successfully deployed, and you can start building certification authorities. Easy, right?

Next steps

Once you have successfully deployed EJBCA, you can start experimenting with the various configuration options and fine-tune your PKI. The list and description of all Helm chart values can be found in the GitHub repository.

You can change the behaviour and state of your deployment over time using Helm. Such changes may include:

  • Database migration
  • Change of web certificates
  • Configure Ingress Controller
  • Replication setup to achieve high availability and failover

In the next articles we will prepare a new hierarchy of certification authorities to start managing web server certificates.

Get more information about CZERTAINLY

CZERTAINLY is an open-source platform for effective and efficient certificate lifecycle management for companies of any size and for individuals. One of its goals is to provide an easy and affordable way to secure digital communication and support information security in an ever more connected world.

Need Help

Do not hesitate to get in touch with us!