NOTE: This guide is not updated with the frequency of the official User Guide, so please go there first. This HOWTO was originally made for EJBCA 3.0.x, but has been updated and tested with EJBCA 3.6.x.

Setting up EJBCA with multiple CAs
==================================

This guide will install EJBCA from scratch, setting up one initial administrative CA and one production CA. The administrative CA is only used for the super administrator, who can create other CAs. This CA is not exposed to users or other administrators.

Installing EJBCA
----------------

Installation of EJBCA is done with the regular installation instructions. This will create an initial RootCA; you can call this AdminCA. The certificates for the super administrator and for the Tomcat server are issued by this CA. Follow the regular installation instructions to the point where you can access the admin GUI as superadmin.

Creating the production CA (ProdCA)
-----------------------------------

If you want the certificates from the production CA published in LDAP, start by creating a new publisher with 'Edit publishers'. Consult HOWTO-LDAP.txt for help with this.

Create your production CA with the admin GUI. This is done with 'Edit Certificate Authorities'. If the CA will use a publisher, select your publisher under 'Publishers'. The ProdCA can for example have the DN 'CN=ProdCA,O=Foo,DC=bigcorp,dc=com'.

Creating an administrator for ProdCA
------------------------------------

If the default certificate profile does not fulfill your requirements, start by creating new certificate profiles and end entity profiles for use by ProdCA.

Add a new end entity with the administrator's DN etc. The CA should be ProdCA, and don't forget to check the 'Administrator' checkbox. Issue the certificate for the administrator.

Create a new role for the CA and edit its access rules as you like, for example 'CA Administrators'. Add the new administrator to the role by selecting for example 'CN' in the drop-down list and giving the administrator's CN. You can also use other attributes such as the certificate serial number etc. When you create the role, do not forget to select ProdCA from the drop-down.

In order for JBoss to accept certificates issued by ProdCA for SSL connections, you must add the ProdCA certificate to the SSL truststore. This can be done with a utility command in EJBCA:

    ant -Dca.name=ProdCA javatruststore

This will add the ProdCA certificate to p12/truststore.jks, which is then copied to $JBOSS_HOME/server/default/conf/keystore/truststore.jks. Restart JBoss for the new settings to take effect.

Now you can connect to the admin GUI using the newly created administrator certificate from ProdCA. However, the site certificate presented to your admins (and to other users using the SSL connection on port 8442 without a client certificate) still exposes the AdminCA certificate, since the Tomcat SSL certificate is signed by the AdminCA.

Creating a new SSL cert for Tomcat
----------------------------------

Being logged in as superadmin, find the user 'tomcat' by searching by username on the 'List/Edit End Entities' page. Click on 'Edit End Entity'.

Look in the file $JBOSS_HOME/server/default/deploy/jboss-web.deployer/server.xml and find the current password in the attribute 'keystorePass' in the SSL sections. Alternatively, you can set your own password for the user tomcat and change the passwords in server.xml.

Change the user tomcat to use ProdCA as CA so that the SSL certificate is generated by this CA. Set status to NEW, save and close.

Batch generate a new keystore for tomcat using 'bin/ejbca.sh batch'. Copy the file $EJBCA_HOME/p12/tomcat.jks to $JBOSS_HOME/server/default/keystore/keystore.jks, replacing the old file there. Restart JBoss.

Now the SSL pages expose the ProdCA certificate, and you can connect to the admin GUI as either the newly generated ProdCA administrator or the original SuperAdmin.
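After the 'ant -Dca.name=ProdCA javatruststore' step and the Tomcat keystore replacement above, these shell helpers verify that the JBoss truststore now holds the ProdCA certificate and that port 8442 presents a certificate issued by ProdCA. This is an added example, not part of the EJBCA distribution or of this HOWTO; the truststore alias 'prodca', the store password, the host:port and the paths are assumptions to adjust for your install, and the sample tool output is constructed.

```sh
#!/bin/sh
# Added verification helpers for the multi-CA setup; not part of EJBCA or this HOWTO.
# Assumed/placeholder values: alias "prodca", CN "ProdCA", store password, host:port.
# Usage in a shell: . ./verify_prodca.sh; check_truststore && check_server_cert

TRUSTSTORE="${TRUSTSTORE:-$JBOSS_HOME/server/default/conf/keystore/truststore.jks}"
TRUSTPASS="${TRUSTPASS:-changeit}"   # placeholder; use the keystorePass from server.xml
CA_ALIAS="${CA_ALIAS:-prodca}"       # alias used by the javatruststore target (assumption)
CA_CN="${CA_CN:-ProdCA}"
HOST_PORT="${HOST_PORT:-localhost:8442}"

# Succeeds if `keytool -list` output ($1) has a trustedCertEntry under alias $2 (case-insensitive).
truststore_has_alias() {
    printf '%s\n' "$1" | grep -i "^$2," | grep -q 'trustedCertEntry'
}

# Succeeds if the first 'issuer=' line of `openssl s_client` output ($1) names CN $2 exactly
# (handles both "CN = ProdCA, O = Foo" and the older "/CN=ProdCA/O=Foo" form).
issuer_is_ca() {
    printf '%s\n' "$1" | grep '^issuer=' | head -n 1 \
        | grep -q -e "CN *= *$2[,/]" -e "CN *= *$2\$"
}

# Live checks against the running install (require keytool and openssl on PATH).
check_truststore() {
    out=$(keytool -list -keystore "$TRUSTSTORE" -storepass "$TRUSTPASS") || return 1
    truststore_has_alias "$out" "$CA_ALIAS"
}
check_server_cert() {
    out=$(printf '' | openssl s_client -connect "$HOST_PORT" 2>/dev/null) || return 1
    issuer_is_ca "$out" "$CA_CN"
}

# Constructed sample tool output (not captured from a real system) for an offline self-check.
SAMPLE_KEYTOOL='Keystore type: JKS
Your keystore contains 2 entries

adminca, Jan 1, 2009, trustedCertEntry,
Certificate fingerprint (SHA1): 00:11:22
prodca, Jan 1, 2009, trustedCertEntry,
Certificate fingerprint (SHA1): 33:44:55'
SAMPLE_SCLIENT='subject=CN = tomcat, O = Foo
issuer=CN = ProdCA, O = Foo, DC = bigcorp, DC = com'
SAMPLE_SCLIENT_OLD='subject=/CN=tomcat/O=Foo
issuer=/CN=AdminCA/O=Foo'

# Exercises the parsers on the samples; a server still signed by AdminCA must fail the issuer check.
self_check() {
    truststore_has_alias "$SAMPLE_KEYTOOL" prodca \
      && issuer_is_ca "$SAMPLE_SCLIENT" ProdCA \
      && ! issuer_is_ca "$SAMPLE_SCLIENT_OLD" ProdCA
}
```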