Creating an EJBCA connector
This topic explains how to set up an EJBCA certificate authority (CA) connector in Certificate Manager - SaaS using the Venafi CA Connector Framework. If you need to configure a different type of CA connector, use these steps as a guide. The process is similar, but the terminology may vary.
Before you begin
Before you set up the CA connector, you'll need:
- A deployed VSatellite that resolves the hostname to the IP address of your CA server.
- The downloaded root certificate that validates the certificate used by your site.
- A single file that contains the client authentication certificate and private key in PKCS#12 or PEM format.
PKCS#12 recommended
CyberArk recommends PKCS#12 for enhanced security, as this format uses an encrypted private key. In the coming months, PEM format will be deprecated.
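If your client credential currently exists only as a combined PEM file, you can convert it to PKCS#12 before uploading it. The function below is an added example, not part of the product documentation: it assumes OpenSSL is installed and that the PEM private key is unencrypted, and the function name, file names, friendly name and the `P12_PASS` variable are hypothetical.

```shell
#!/bin/sh
# Added example: convert a combined PEM bundle (client certificate plus
# unencrypted private key) to PKCS#12 and verify the result before upload.
# Usage (names are assumptions): export P12_PASS, then run
#   pem_to_p12 client-bundle.pem client-bundle.p12

# pem_to_p12 <bundle.pem> <out.p12>
# The PKCS#12 password is read from the exported environment variable
# P12_PASS so it never appears in the process list or shell history.
pem_to_p12() {
    bundle=$1
    out=$2

    [ -n "${P12_PASS:-}" ] || { echo "P12_PASS is not set" >&2; return 2; }

    # Extract the public key from the certificate and from the private key.
    cert_pub=$(openssl x509 -in "$bundle" -noout -pubkey 2>/dev/null) \
        || { echo "no certificate found in $bundle" >&2; return 3; }
    key_pub=$(openssl pkey -in "$bundle" -pubout 2>/dev/null) \
        || { echo "no usable private key found in $bundle" >&2; return 4; }

    # The connector authenticates with this pair, so the two must match.
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "private key does not match certificate" >&2; return 5; }

    # Write the PKCS#12 file with owner-only permissions.
    ( umask 077 && openssl pkcs12 -export -in "$bundle" -out "$out" \
        -name "ejbca-connector-client" -passout env:P12_PASS ) || return 6

    # Read the file back to confirm the password and the integrity check (MAC).
    openssl pkcs12 -in "$out" -passin env:P12_PASS -noout 2>/dev/null || return 7
}
```

After a successful conversion, remove the unencrypted PEM copy from any location that does not need it.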
Create an EJBCA CA connector in Certificate Manager - SaaS
Before you complete these steps, review Create a custom CA connector, including the prerequisites and notes.
- Sign in to Venafi Control Plane.
- Click Settings > Certificate Authorities.
- Click New > Add Certificate Authority connector.
- Under Connection, add the following.
  - Enter a Name for the CA connector to use as its display name.
  - Select the VSatellite that can resolve the hostname to the IP address of your CA server.
  - (Optional) If no VSatellite is available, click Deploy VSatellite.
  - Select a Certificate Authority Type, for example EJBCA.
  - Click Next.
- Under Information, add connection details for the CA server.
  - Enter the fully qualified URL for the CA server, for example https://your-custom-ca.example.com.
  - Click Choose a file and upload the certificate and private key in PKCS#12 or PEM format.
  - For the PKCS#12 format, enter the Password of the file.
  - Click Choose a file and upload the Root Certificate.
  - Click Test Connection.
    If successful, continue. If the connection isn't successful, resolve all issues and ensure you have a successful connection before continuing.
  - Click Next.
- Under Issuance, set the following options.
  - In Product Options, select Default Product.
    What is this field for?
    For EJBCA, this field isn't used. Other CAs may have multiple products or issuing templates to select.
  - Click Next.
- (Optional) Under Import, set the following options to configure certificate import.
  - In Import options, specify if you want to include revoked or expired certificates.
  - To schedule certificate import, enable Scheduled import and choose a schedule.
- Click Create. The new EJBCA CA appears on the Certificate Authorities page.
What's next?
Now that you have created a new CA connector, you need to create an issuing template that uses the CA connector.
Once you have an issuing template, add the issuing template to an application.