Creating an EJBCA connector

This is an example of how to specify the CA connector settings in TLS Protect Cloud for EJBCA. The connector was created using the Venafi CA Connector Framework.

You can use this topic to configure an EJBCA connector (if you have access to one), or you can use it as a reference for designing other CA connectors.

Before you begin

Before you try to set up a CA connector in TLS Protect Cloud, you'll need to do the following:

Create the EJBCA CA connector in TLS Protect Cloud

Here are the steps you'll take in TLS Protect Cloud to configure an EJBCA CA connector. Before you complete these steps, be sure to read the entire Create custom CA connector topic, including the prerequisites and Notes.

If you are creating a custom connector that is not EJBCA, use these steps as a guide. Remember that your CA may use different terminology from what is documented in this example.

  1. In the Venafi TLS Protect Cloud menu, click Settings > Certificate Authorities.
  2. Click the New button, then click Add Certificate Authority connector.
  3. Specify the Connection information.

    1. Enter a Name that will be used as the display name for the CA connector you are creating.
    2. Select the VSatellite that can resolve the hostname to the IP address of your CA server.
    3. Select the Certificate Authority Type. (For this example, we are selecting EJBCA.)
    4. Click Next.
  4. Provide the Information needed to connect to the CA server.

    1. Enter the fully-qualified URL for the CA server.

      For example: https://your-custom-ca.example.com

    2. Click Choose a file to upload the unencrypted Client Authentication certificate and private key in PEM format.

    3. Click Choose a file to upload the Root Certificate.
    4. Click the Test Connection button.

      If successful, continue. If the connection isn't successful, resolve all issues and ensure you have a successful connection before continuing.

    5. Click Next.

  5. Specify the Issuance options.

    1. In Product Options, select the checkbox for Default Product.

      What is this field for?

      For EJBCA, this field isn't used. Other CAs may have multiple products (or issuing templates) that you would select here.

    2. Click Next.

  6. (Optional) Specify the Import settings.

    The rest of these steps are to set up the import of certificates, which is optional. If you don't want to set up import steps, click Create.

    1. In the Import options section, specify if you want to include revoked or expired certificates.
    2. To schedule importing new certificates from this EJBCA server, enable the Scheduled import option, then select the scheduling options.
    3. Click Create.

You will see your new EJBCA CA in the Certificate Authority list.
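
Step 4 asks for an unencrypted Client Authentication certificate and private key in PEM format, and a rejected upload is often a key that is still passphrase-protected or a file that is not PEM at all. The following pre-flight check is an added example, not part of the Venafi documentation or the CA Connector Framework; it assumes the certificate and key are in a single PEM file, and the function name `check_client_bundle` and the sample data are constructed for illustration.

```python
import re

# One PEM block: captures the label and everything between the markers.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL
)
PLAIN_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}

# Constructed samples: bodies are placeholder text, not real key material.
CERT = "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQ=\n-----END CERTIFICATE-----\n"
PLAIN_KEY = "-----BEGIN PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n-----END PRIVATE KEY-----\n"
PKCS8_ENC_KEY = (
    "-----BEGIN ENCRYPTED PRIVATE KEY-----\nQ09OU1RSVUNURUQ=\n"
    "-----END ENCRYPTED PRIVATE KEY-----\n"
)
LEGACY_ENC_KEY = (
    "-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
    "DEK-Info: AES-256-CBC,00000000000000000000000000000000\n\n"
    "Q09OU1RSVUNURUQ=\n-----END RSA PRIVATE KEY-----\n"
)


def check_client_bundle(pem_text):
    """Return a list of problems found in a client cert + key PEM bundle."""
    blocks = PEM_BLOCK.findall(pem_text)
    if not blocks:
        return ["no PEM blocks found (file may be DER or PKCS#12)"]
    problems = []
    if not any(label == "CERTIFICATE" for label, _ in blocks):
        problems.append("no CERTIFICATE block")
    keys = [(label, body) for label, body in blocks if label.endswith("PRIVATE KEY")]
    if not keys:
        problems.append("no private key block")
    if len(keys) > 1:
        problems.append("more than one private key block")
    for label, body in keys:
        # PKCS#8 encrypted keys have their own label; legacy OpenSSL keys keep
        # the plain label and mark encryption with a Proc-Type header.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is encrypted")
        elif label not in PLAIN_KEY_LABELS:
            problems.append("unrecognized private key type: " + label)
    return problems


if __name__ == "__main__":
    for name, text in [("plain", CERT + PLAIN_KEY), ("pkcs8-enc", CERT + PKCS8_ENC_KEY),
                       ("legacy-enc", CERT + LEGACY_ENC_KEY), ("key only", PLAIN_KEY)]:
        print(name, "->", check_client_bundle(text) or "ok")
```

The check is structural only: it does not confirm that the key matches the certificate or that the certificate is valid for client authentication, which the Test Connection button exercises against the CA server.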

What's next?

Now that you have created a new CA connector, you need to create an issuing template that uses this new CA connector. Pay attention to the section that gives specific instructions on extra fields that are required for custom connectors.

Once you have an issuing template for your new CA connector, you need to add the issuing template to an application.