Managing CAs

This Certificate Authority Operations page provides information on how to manage CAs.

For more conceptual information on CAs, see Certificate Authority Overview.

Export and Import CAs

Under certain circumstances, it can be wise to back up the CA's signature and encryption keys. Remember to protect the backup in the same way as the CA itself.

  • Soft token CAs can be exported and backed up. CAs with the keys on an HSM cannot be exported through EJBCA; use the HSM's own methods to back up such keys.

  • Soft token CAs can be imported using both the CLI and Admin GUI, while HSM CAs can only be imported using the CLI.

Using Command Line Interface

To export a CA named TestCA to the PKCS#12-file /path/TestCA.p12 with password foo123, enter the following from the $EJBCA_HOME directory:

$ bin/ejbca.sh ca exportca TestCA ./TestCA.p12
Using JBoss JNDI provider...
Enter keystore password: foo123
$

To import the backup keys for TestCA later, enter the following from the $EJBCA_HOME directory:

$ bin/ejbca.sh ca importca TestCA /path/TestCA.p12 SignatureKeyAlias EncryptionKeyAlias
Using JBoss JNDI provider...
Enter keystore password: foo123
$

To view usage instructions on how to import HSM CAs, run the following command:

$ bin/ejbca.sh ca importca --help
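As an added example (not EJBCA's own code), the following wrapper runs the `ca exportca` command above and applies the advice from the top of this page, that a backup must be protected like the CA itself: it makes the file owner-readable only before EJBCA writes it, and refuses an empty or non-DER result. It assumes EJBCA_HOME points at the EJBCA installation; the keystore password is still entered at the CLI prompt exactly as in the session shown.

```shell
#!/bin/sh
# Added example, not part of EJBCA: back up a soft-token CA's keys with
# `bin/ejbca.sh ca exportca` and sanity-check the PKCS#12 file produced.
# Assumption: EJBCA_HOME is the EJBCA installation directory.

# backup_ca_keystore <CA name> <backup directory>
# Prints the path of the new backup on success, returns non-zero otherwise.
backup_ca_keystore() {
    ca_name="$1"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)

    # The backup holds the CA's private keys: owner-readable only, created
    # that way before EJBCA writes a single byte.
    umask 077
    mkdir -p "$2" || return 1
    backup_dir=$(cd "$2" && pwd) || return 1   # absolute, since we cd below
    out="$backup_dir/$ca_name-$stamp.p12"

    # exportca takes the CA name and the output file, relative paths resolve
    # against the current directory, so the command is run from EJBCA_HOME.
    (cd "$EJBCA_HOME" && bin/ejbca.sh ca exportca "$ca_name" "$out") || return 1

    # Refuse an empty file or one that is not DER: a PKCS#12 file is an ASN.1
    # SEQUENCE whose first byte is 0x30. Anything else is not a usable backup.
    [ -s "$out" ] || return 1
    first=$(dd if="$out" bs=1 count=1 2>/dev/null | od -An -tx1 | tr -d ' \n')
    [ "$first" = "30" ] || { rm -f "$out"; return 1; }

    printf '%s\n' "$out"
}
```

The check on the first byte catches the common failure where a mistyped keystore password leaves a non-PKCS#12 file behind, so the restore step on this page is never attempted against a useless backup.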

Using the CA UI

To export and import the CA's keys using the Admin GUI, you need superadministrator access. Before you perform an export, make sure that your browser does not automatically save .p12 files to an unsuitable location.

To export the CA's keys, do the following:

  1. Select the Certificate Authorities menu option.

  2. Select the CA to export and click Edit.

  3. Next to CA export requires the keystore password, enter the keystore password.

  4. Click Export CA keystore.

  5. The PKCS#12-file will be downloaded by your browser to the location you specify.

To import the CA's keys, do the following:

  1. Select the Certificate Authorities menu option.

  2. Click Import CA keystore.

  3. Specify the CA's name, full pathname to the PKCS#12-file, and keystore password.

  4. If you exported the CA's keys using EJBCA, do not edit the two Alias field default values.

  5. Click Import CA keystore.

Remove and Restore a CA Soft Key Store

Soft token CAs can have their keystore removed from the database. When the keystore is removed, the CA cannot issue certificates and its CA token status is set to offline.

Before removing the keystore, export it so that it can be restored later (see Export and Import CAs above).

To remove the catoken keys for TestCA, enter the following from the $EJBCA_HOME directory:

$ bin/ejbca.sh ca removekeystore TestCA
Using JBoss JNDI provider...
$

To restore the catoken keys again for TestCA with the keystore exported as TestCA-exported.p12, enter the following from the $EJBCA_HOME directory:

$ bin/ejbca.sh ca restorekeystore TestCA /path/TestCA-exported.p12 -s SignatureKeyAlias -e EncryptionKeyAlias
Using JBoss JNDI provider...
Enter keystore password: foo123
$

Renewing CAs

You can renew CAs in different ways:

  • Renew only CA certificate, using the same keys.

  • Renew CA keys and certificate.

To renew only the CA certificate using the same keys, click Renew CA. Note that your CA must be online to be able to sign the new certificate (if a self-signed CA), or the certificate request (if a subCA). Additionally, if using a subCA with the rootCA in the same EJBCA instance, the root CA is also required to be online.

To renew the CA keys, set Next CA key to Generate new key using KeySequence and click Renew CA. Note that not all HSMs support renewal of CA keys.

When using an HSM, keys can also be renewed manually: generate new keys on the HSM (for example with the EJBCA CLI tools), select the generated keys in the Next CA key field, and click Renew CA.

Revoking CAs

To revoke a CA, select Certificate Authorities and click Revoke CA.

  • If you revoke a Root CA, all certificates in the database issued by that root CA are revoked and a CRL is created.

  • If you revoke a Sub CA, all certificates in the database issued by and to the sub CA are revoked and a CRL is created. This works automatically if the sub CA and root CA are handled by the same EJBCA instance. If the sub CA is signed by an external CA, the sub CA's certificate must be revoked by the external CA.

  • If you revoke an external CA (a sub CA to a CA in EJBCA), the external CA's certificate is revoked and placed on the CRL of the issuing CA in EJBCA.