Creating an EJBCA connector

This topic explains how to set up an EJBCA certificate authority (CA) connector in TLS Protect Cloud using the Venafi CA Connector Framework. If you need to configure a different type of CA connector, use these steps as a guide. The process is similar, but the terminology may vary.

Before you begin

Before you set up the CA connector, you'll need:

  • A deployed VSatellite that resolves the hostname to the IP address of your CA server.
  • The downloaded root certificate that validates the certificate used by your site.
  • A single file that contains the client authentication certificate and private key in PKCS#12 or PEM format.

PKCS#12 recommended

CyberArk recommends PKCS#12 for enhanced security, as this format uses an encrypted private key. In the coming months, PEM format will be deprecated.
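The following pre-upload check is an added example, not part of the Venafi or CyberArk documentation or tooling. It reports whether a credential file is PEM or PKCS#12, whether a PEM file holds both a certificate and a private key, and whether that key is encrypted. The function names and sample inputs are constructed for illustration; PKCS#12 detection is a header heuristic, since reading the contents requires the file password.

```python
import base64
import re

# Matches any PEM block and captures its label and body.
PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)

def inspect_credential_file(data: bytes) -> dict:
    """Report the format and contents of a client-credential file before upload."""
    report = {"format": "unknown", "certificates": 0, "private_keys": 0,
              "key_encrypted": None, "complete": None}
    if b"-----BEGIN " not in data:
        # Heuristic: a PKCS#12 PFX is a DER/BER SEQUENCE (0x30) whose first
        # element is INTEGER 3 (02 01 03). Contents need the password to read.
        if data[:1] == b"\x30" and b"\x02\x01\x03" in data[:9]:
            report["format"] = "PKCS#12"
        return report
    report["format"] = "PEM"
    encrypted = []
    for label, body in PEM_BLOCK.findall(data.decode("ascii", "replace")):
        if label == "CERTIFICATE":
            report["certificates"] += 1
        elif label.endswith("PRIVATE KEY"):
            report["private_keys"] += 1
            # PKCS#8 encrypted keys have their own label; traditional
            # encrypted keys carry a Proc-Type header inside the block.
            encrypted.append(label == "ENCRYPTED PRIVATE KEY"
                             or "Proc-Type: 4,ENCRYPTED" in body)
    if encrypted:
        report["key_encrypted"] = all(encrypted)
    # The connector expects one file holding both the certificate and its key.
    report["complete"] = report["certificates"] >= 1 and report["private_keys"] == 1
    return report

def pem_block(label: str, header: str = "") -> bytes:
    """Build a constructed PEM block with a placeholder body (not real key material)."""
    body = base64.b64encode(b"constructed sample, not real key material").decode()
    return f"-----BEGIN {label}-----\n{header}{body}\n-----END {label}-----\n".encode()

# Constructed sample inputs (assumptions for this example only).
PLAIN_PEM = pem_block("CERTIFICATE") + pem_block("PRIVATE KEY")
ENCRYPTED_PEM = pem_block("CERTIFICATE") + pem_block("ENCRYPTED PRIVATE KEY")
LEGACY_PEM = pem_block("CERTIFICATE") + pem_block("RSA PRIVATE KEY", "Proc-Type: 4,ENCRYPTED\n\n")
CERT_ONLY_PEM = pem_block("CERTIFICATE")
P12_HEADER = bytes.fromhex("308209a1020103308209673082")  # first bytes of a PFX

if __name__ == "__main__":
    for name in ("PLAIN_PEM", "ENCRYPTED_PEM", "LEGACY_PEM", "CERT_ONLY_PEM", "P12_HEADER"):
        print(name, inspect_credential_file(globals()[name]))
```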

Create an EJBCA CA connector in TLS Protect Cloud

Before you complete these steps, review "Create a custom CA connector", including the prerequisites and notes.

  1. Sign in to Venafi Control Plane.

  2. Click Settings > Certificate Authorities.

  3. Click New > Add Certificate Authority connector.
  4. Under Connection, add the following.

    1. Enter a Name for the CA connector to use as its display name.
    2. Select the VSatellite that can resolve the hostname to the IP address of your CA server.
    3. (Optional) If no VSatellite is available, click Deploy VSatellite.
    4. Select a Certificate Authority Type, for example EJBCA.
    5. Click Next.
  5. Under Information, add connection details for the CA server.

    1. Enter the fully qualified URL for the CA server, for example https://your-custom-ca.example.com.
    2. Click Choose a file and upload the certificate and private key in PKCS#12 or PEM format.
    3. For the PKCS#12 format, enter the Password of the file.
    4. Click Choose a file and upload the Root Certificate.
    5. Click Test Connection.

      If successful, continue. If the connection isn't successful, resolve all issues and ensure you have a successful connection before continuing.

    6. Click Next.

  6. Under Issuance, set the following options.

    1. In Product Options, select Default Product.

      What is this field for?

      For EJBCA, this field isn't used. Other CAs may have multiple products or issuing templates to select.

    2. Click Next.

  7. (Optional) Under Import, set the following options to configure certificate import.

    1. In Import options, specify if you want to include revoked or expired certificates.
    2. To schedule certificate import, enable Scheduled import and choose a schedule.
  8. Click Create. The new EJBCA CA appears on the Certificate Authorities page.

What's next?

Now that you have created a new CA connector, you need to create an issuing template that uses the CA connector.

Once you have an issuing template, add the issuing template to an application.