
Deploy EJBCA with Ansible

We provide an Ansible playbook and roles to use with EJBCA and integrations. Both Community and Enterprise versions of EJBCA are supported. Using the Ansible playbook, you can easily get EJBCA up and running, including a complete technology stack.


Ansible playbooks ensure consistent and secure EJBCA deployments

Ansible helps ensure that PKI deployments are consistent and repeatable across different environments, including test environments and systems, thereby reducing the risk of errors or inconsistencies.

The EJBCA Ansible playbook has been developed as open source to make it easier for you to get started with EJBCA. We encourage everyone to share and contribute any improvements or alternative solutions so that we all have the most optimal and secure deployment possible. 

How to get started

Our open-source Ansible playbook is available on GitHub. It is capable of performing the following high-level tasks:

  • Install and upgrade EJBCA Community and Enterprise editions
  • Configure external RAs and VAs or a standalone CA (EJBCA Enterprise only)
  • Deploy and configure SignServer

Learn step by step from this video tutorial 

In this tutorial, we will demonstrate how to automate the wizard installation and configuration of EJBCA Enterprise Cloud using our open-source Ansible playbook for a zero-touch PKI experience. The playbook uses a variety of Ansible roles developed for EJBCA to automate the deployment and configuration. 

The installation and configuration of EJBCA Cloud include these steps:

  • Launch the EJBCA Enterprise Cloud AMI/VM from the AWS or Azure marketplace. Make sure the private key you select is configured on your Ansible controller so that it can connect to the EJBCA instance in the cloud using SSH.
  • Download the Keyfactor Ansible repository to your Ansible controller. Once the repository is downloaded, update the ecloud_inventory file with the IP address or fully qualified domain name used to connect to the remote EJBCA instance.
  • Review the host_vars and group_vars to update variables for your deployment. If you are unsure about what to update, you can try deploying with the defaults, or you can ask a question on the Keyfactor Ansible repository Discussion forum.
  • At this point, you should be able to run the Ansible playbook and review the output of the tasks as EJBCA is configured. 
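
A pre-flight check for the steps above, as an added example that is not part of the Keyfactor repository: it confirms that the inventory actually names a host and that the SSH private key is not accessible to group or other before Ansible is pointed at the CA host. It assumes an INI-style inventory; the function names, host names and addresses are constructed for illustration.

```shell
#!/bin/sh
# Pre-flight checks before running the playbook against the EJBCA instance.
# Assumes an INI-style inventory; all host names below are constructed samples.

# Print a constructed sample inventory (documentation addresses only).
sample_inventory() {
  cat <<'EOF'
# constructed sample, not the repository's shipped file
[ejbca]
ejbca01.example.com ansible_user=ec2-user
192.0.2.10

[ejbca:vars]
ansible_python_interpreter=/usr/bin/python3
EOF
}

# List host entries, skipping comments, group headers and :vars/:children bodies.
inventory_hosts() {
  awk '
    /^[ \t]*([#;]|$)/ { next }
    /^[ \t]*\[/       { skip = ($0 ~ /:(vars|children)\]/); next }
    !skip             { print $1 }
  ' "$1" | sort -u
}

# Succeed only if the key file exists and group/other have no permissions,
# which is also what the OpenSSH client requires before it will use a key.
key_is_private() {
  [ -f "$1" ] || return 1
  [ "$(ls -lLd "$1" | cut -c5-10)" = "------" ]
}

# Run the checks, then confirm Ansible can reach every host over SSH.
preflight() {
  inv=$1; key=$2
  [ -n "$(inventory_hosts "$inv")" ] || { echo "no hosts in $inv" >&2; return 1; }
  key_is_private "$key" || { echo "$key: group/other access" >&2; return 1; }
  ansible -i "$inv" all -m ping --private-key "$key"
}

# Usage: sh preflight.sh ecloud_inventory /path/to/private_key
if [ "$#" -eq 2 ]; then preflight "$1" "$2"; fi
```

A successful `ping` from every listed host means the controller can authenticate over SSH, so a later playbook failure points at the variables or roles rather than at connectivity.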

Running the Ansible playbook

Running the Ansible playbook to configure EJBCA automates the following steps:

  • Provide configuration to the installation wizard for a zero-touch experience with the EJBCA setup
  • Create a crypto token for the Root and Sub CA
  • Generate keys on the crypto token for the Root CA and Sub CA
  • Use the EJBCA Enterprise configdump utility to complete the following:
    • Import certificate profiles for the Root CA and Sub CA
    • Initialize the Root CA and Sub CA
    • Import certificate profiles for end entities
    • Import end entity profiles used to create and issue certificates for end entities
    • Configure EJBCA services such as the CRL update service
    • Configure EJBCA enrollment protocols such as ACME, EST, SCEP, and REST API endpoints
    • Configure roles that can be used for testing various permissions in the PKI 

Once the Ansible playbook has completed, open the EJBCA RA web in your internet browser and create your P12 credential to access EJBCA. Install the P12 credential into either the OS truststore or browser truststore depending on which browser you use. Then you can access the EJBCA adminweb UI in your web browser and review the EJBCA settings or begin testing certificate enrollment.

Prerequisites

Before you begin, you will need: 

  • AWS or Azure account with permission to deploy EJBCA from the marketplace
  • Network access to GitHub to download the Keyfactor Ansible repository
  • Network access to the EJBCA Cloud instance; this could be a host in the cloud, if you run Ansible there
  • Ansible controller that can access the EJBCA Cloud instance using SSH
  • Familiarity with Ansible playbooks, roles, and the YAML format

Tutorials/documentation

Documentation

Using Ansible to Automate PKI Deployment and Configuration.

YouTube

Take a peek at our tutorial video on YouTube, and browse through some of our other tutorial videos as well.

Discuss

You can ask your questions and learn from PKI specialists in the EJBCA forum on GitHub Discussions.
