Example: Creating a custom EJBCA connector

Below is an example of a custom CA connector created for EJBCA. Use it to learn how to create an EJBCA connector, and as a reference for connecting to other CAs.

Before you begin

Before you try to set up a CA connector in TLS Protect Cloud, you'll need to do the following:

Create the custom CA connector in TLS Protect Cloud

Here are the steps you'll take in TLS Protect Cloud to configure an EJBCA CA connector. Before you complete these steps, be sure to read the entire Create custom CA connector topic, including the prerequisites and Notes.

  1. In the Venafi TLS Protect Cloud menu, click Settings > Certificate Authorities.
  2. Click the New button, then click Add Certificate Authority connector.
  3. Enter a Name that will be used as the display name for the EJBCA CA connector you are creating.
  4. Select the VSatellite that can resolve the hostname to the IP address of your EJBCA server.
  5. Select the EJBCA Certificate Authority Type.
  6. Click Next.
  7. Enter the fully-qualified URL for the CA server.

    For example: https://your-custom-ca.example.com

  8. Click Choose a file to upload the unencrypted Client Authentication certificate and private key in PEM format.

  9. Click Choose a file to upload the Root Certificate.
  10. Click the Test Connection button.

    If successful, continue. If the connection isn't successful, resolve all issues and ensure you have a successful connection before continuing.

  11. Click Next.

  12. In Product Options, select the checkbox for Default Product.

    What is this field for?

    For EJBCA, this field isn't used. Other CAs may have multiple products (or issuing templates) that you would select here.

  13. Click Next.

    The remaining steps set up certificate import, which is optional. If you don't want to set up import, click Create.

  14. In the Import options section, specify if you want to include revoked or expired certificates.

  15. To schedule importing new certificates from this EJBCA server, enable the Scheduled import option, then select the scheduling options.
  16. Click Create.

You will see your new EJBCA CA in the Certificate Authority list.
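
Step 8 asks for an unencrypted client certificate and private key in PEM format. The following added example (not part of the product or its documentation) is a local pre-upload check that flags passphrase-protected keys and malformed PEM blocks. It assumes the certificate and key are in a single file; `check_client_bundle` and `pem_block` are hypothetical names.

```python
import base64
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
PLAIN_KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY", "EC PRIVATE KEY"}


def check_client_bundle(pem_text):
    """Return a list of problems; an empty list means the structure is fine."""
    problems, certs, keys = [], 0, 0
    for label, body in PEM_BLOCK.findall(pem_text):
        # PKCS#8 encrypted keys use their own label; legacy OpenSSL keys
        # keep the plain label and add a Proc-Type header instead.
        if label == "ENCRYPTED PRIVATE KEY" or "Proc-Type: 4,ENCRYPTED" in body:
            problems.append("private key is passphrase-protected")
            keys += 1
            continue
        if label == "CERTIFICATE":
            certs += 1
        elif label in PLAIN_KEY_LABELS:
            keys += 1
        else:
            problems.append(f"unexpected PEM block: {label}")
            continue
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label} block is not valid base64")
            continue
        if not der.startswith(b"\x30"):  # certs and keys are DER SEQUENCEs
            problems.append(f"{label} block is not a DER SEQUENCE")
    if certs == 0:
        problems.append("no CERTIFICATE block found")
    if keys != 1:
        problems.append(f"expected exactly one private key, found {keys}")
    return problems


def pem_block(label, der, header=""):
    b64 = base64.b64encode(der).decode()
    return f"-----BEGIN {label}-----\n{header}{b64}\n-----END {label}-----\n"


# Constructed sample input: placeholder DER bytes, not real key material.
CERT = pem_block("CERTIFICATE", b"\x30\x03\x02\x01\x00")
SAMPLE_OK = CERT + pem_block("PRIVATE KEY", b"\x30\x03\x02\x01\x01")
SAMPLE_ENCRYPTED = CERT + pem_block(
    "RSA PRIVATE KEY", b"\x00" * 16,
    header="Proc-Type: 4,ENCRYPTED\nDEK-Info: AES-256-CBC,00\n\n")
```

The check is structural only: it does not confirm that the key matches the certificate or that the certificate is valid for client authentication.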

What's next?

Now that you have created a new CA connector, you need to create an issuing template that uses this new CA connector. Pay attention to the section that gives specific instructions on extra fields that are required for custom connectors.

Once you have an issuing template for your new CA connector, you need to add the issuing template to an application.