Reference manual

All configuration options, JNDI names etc is configured through the use of properties files in conf/*.properties file. You can copy the .sample files to respective .properties files and configures. Most options are documented in the .samples files.

Other Configuration

To change ports (default public http=8080, public https=8442, private https=8443) you must edit conf/ Change the properties httpserver.pubhttp, httpserver.pubhttps and httpserver.privhttps. After making the change, run ant deploy, ant web-configure, and re-start the application server.


You can make an asn1 dump of a certificate in order to study the asn1 produced:

bin/ asn1dump <filename-of-pem-encoded-certs or filename-of-der-encoded-asn1>
Ex: bin/ asn1dump managementca.pem

Batch creation of certificates

Certificates can be created batch-wise with EJBCA. The class org.ejbca.ui.cli.batch.BatchMakeP12 creates keystore files for all users designated as NEW or FAILED in the local RA database. To be able to batch generate certificates, the users must be registered with clear text passwords. To set a clear text password for a user use

bin/ ra setclearpwd username password
bin/ ra setendentitystatus username 10

The same is accomplished in the Admin-GUI by checking the checkbox Batch generation when adding the user.

To generate keystore files for all users with status NEW or FAILED, run

bin/ batch

This will generate files for users if their clear text passwords are NOT null.

Without arguments 'batch' generates keystore files for all NEW or FAILED users. To generate a keystore file for a specific user, enter command

bin/ batch username

Generated keystore files are stored in a subdirectory (to the current directory) called 'p12'. If the directory does not exist, it will be created. Make sure this directory is WELL protected, since the information contained in keystore files are secret (private keys). The format of keystores generated, PKCS12, JKS or PEM, is defined when adding the user in the database (using 'bin/ ra addendentity' or the admin-GUI).

Fetching certificates and CRLs

Certificates and CRLs can be fetched through the public web-interface. They can also be fetched directly from the CertificateStoreSession session bean or using the command 'bin/ ca getcrl'

Other deployment scenarios

EJBCA can be run with servlets and EJBs or only with EJBs. The servlets are only a publicly available front-end to the beans. If the CA is deployed integrated in another JEE application, this front-end may not be needed.