Client authentication certificate and root certificate chain for CA connectors
When setting up a certificate authority (CA) connector, you need to provide the following:
- The root certificate, which validates the certificate used by your site.
- A file containing the client authentication certificate and private key in PKCS#12 or PEM format.
This topic provides general guidelines for obtaining the client credential files.
To export the root certificate
The following explains how to export the root certificate that proves your CA's certificate can be trusted. The root certificate is required when configuring an EJBCA connector.
Browser-specific steps
These steps are based on using Firefox, a supported browser for TLS Protect Cloud. Your steps may vary depending on your browser and operating system.
- Open the administration site for EJBCA in a browser such as Firefox.
- In the address bar, click the security icon (lock icon).
- Click Connection Secure.
- Click More Information.
- Click View Certificate. The site's certificate and the certificates it chains to are displayed as tabs, in order from left to right. You don't need the CA's certificate; you need the next level up in the chain. There may be several levels of chaining. For example, at the time of publishing, Google.com has four levels and Venafi.com has three. There will be at least two, and likely more.
- Click the second tab (from the left). If there are only two tabs, this will also be the last tab.
- Scroll down to the Miscellaneous section, then click Download in PEM (cert) format.
- Make note of where the certificate is downloaded, as you'll need it when you set up the EJBCA CA connector settings in TLS Protect Cloud.
About the client authentication certificate and private key
When using EJBCA, you generated a client authentication certificate when you installed the EJBCA software on your server. Without this client authentication certificate, you can't log in to the admin console.
You will upload the PKCS#12 or PEM file containing the client authentication certificate to TLS Protect Cloud during the configuration of the custom certificate authority settings. A PKCS#12 file includes an encrypted private key in the container, while a PEM file must provide the private key in unencrypted text form.
You can also create additional authentication credentials for each of the CAs listed in the EJBCA server's list of CAs on the CA Activation page. This may be helpful in a case where you don't want to use the super admin client authentication certificate in TLS Protect Cloud.
For more information on how to issue TLS client certificates with EJBCA, see the EJBCA documentation.
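As an added example (not part of the Venafi or EJBCA documentation), the following POSIX shell functions use the openssl CLI to check the two files described above before you upload them: that the certificate exported from the browser is a self-signed trust anchor against which the admin site's chain verifies, and that a PKCS#12 client credential converts cleanly into the PEM form with an unencrypted private key. All certificates are constructed throwaway test material; the file names, CN values and the password changeit are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Venafi or EJBCA documentation. Needs the
# openssl CLI; all certificates are constructed throwaway test material.
set -eu

# A root (trust anchor) certificate is self-signed: subject equals issuer.
# Succeeds for a root, fails for an intermediate or the site's own certificate.
is_root_cert() {
  subj=$(openssl x509 -in "$1" -noout -subject)
  iss=$(openssl x509 -in "$1" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

# Succeeds if certificate $2 verifies against root $1, i.e. the file exported
# from the browser really anchors the chain presented by the admin site.
chains_to_root() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Convert a PKCS#12 credential ($1, password $2) into the PEM form the connector
# accepts: certificate plus UNENCRYPTED private key in one file $3 (mode 0600).
p12_to_pem() {
  ( umask 077 && openssl pkcs12 -in "$1" -passin "pass:$2" -nodes -clcerts -out "$3" )
}

# Succeeds if the key and certificate in a PEM bundle share the same public key.
pem_key_matches_cert() {
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
  key_pub=$(openssl pkey -in "$1" -pubout)
  [ "$cert_pub" = "$key_pub" ]
}

# Constructed test material in a temp dir: a self-signed root, a client
# certificate it signs, and a password-protected PKCS#12. Prints the dir.
make_test_material() {
  d=$(mktemp -d)
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >"$d/ca.ext"
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -subj "/CN=Constructed Test Root" -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 1 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes \
    -subj "/CN=connector-client" -keyout "$d/client.key" -out "$d/client.csr" 2>/dev/null
  openssl x509 -req -in "$d/client.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -set_serial 1 -days 1 -out "$d/client.crt" 2>/dev/null
  openssl pkcs12 -export -in "$d/client.crt" -inkey "$d/client.key" \
    -passout pass:changeit -out "$d/client.p12"
  echo "$d"
}
```

To check real files, call is_root_cert and chains_to_root on the downloaded root and the admin site's certificate, and p12_to_pem followed by pem_key_matches_cert on the client credential.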
What's next?
With the client authentication certificate and the root certificate saved to your device, you're ready to create a CA connector.