Managing CAs

Export and import CAs

Under certain circumstances it can be wise to back up the CA's signature and encryption keys. Remember to protect the backup in the same way as the CA itself.

Soft token CAs can be exported and backed up. CAs with their keys on an HSM naturally cannot be exported through EJBCA; use the HSM's own methods to back up such keys.

Soft token CAs can be imported using both the CLI and Admin GUI, while HSM CAs can only be imported using the CLI.

Using command line interface

To export a CA named TestCA to the PKCS#12 file /path/TestCA.p12 with password foo123, enter the following from the $EJBCA_HOME directory:

$ bin/ejbca.sh ca exportca TestCA ./TestCA.p12
Using JBoss JNDI provider...
Enter keystore password: foo123
$

To import the backup keys for TestCA later, enter the following from the $EJBCA_HOME directory:

$ bin/ejbca.sh ca importca TestCA /path/TestCA.p12 SignatureKeyAlias EncryptionKeyAlias
Using JBoss JNDI provider...
Enter keystore password: foo123
$

Enter the command:

$ bin/ejbca.sh ca importca --help

to get usage instructions on how to import HSM CAs.
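As an added example (not part of the EJBCA documentation or tooling), the POSIX shell functions below check an exported PKCS#12 backup such as TestCA.p12 before it is stored: they verify that the file opens with the keystore password and contains the expected key aliases (SignatureKeyAlias and EncryptionKeyAlias in a default export), restrict the file to its owner, and record a SHA-256 digest that can be checked again before the file is fed to importca or restorekeystore. It assumes the openssl command line tool is installed; the function names are hypothetical.

```shell
#!/bin/sh
# verify_ca_backup FILE PASSWORD ALIAS...
# Checks a PKCS#12 CA keystore (for example one written by "bin/ejbca.sh ca exportca")
# before it is put into storage. Returns 0 only if every check passes.
verify_ca_backup() {
    file=$1; password=$2; shift 2
    [ -f "$file" ] || { echo "missing backup: $file" >&2; return 1; }
    # The keystore password is passed via the environment (-passin env:), not as a
    # command line argument, so it does not show up in process listings.
    # Note: keystores written with the old RC2-based PKCS#12 ciphers need "-legacy" on OpenSSL 3.
    attrs=$(P12_PW="$password" openssl pkcs12 -in "$file" -nokeys -passin env:P12_PW 2>/dev/null) \
        || { echo "cannot open $file with the given keystore password" >&2; return 1; }
    # Every expected key alias must appear as a friendlyName bag attribute.
    for alias in "$@"; do
        printf '%s\n' "$attrs" | grep -q "friendlyName: $alias" \
            || { echo "alias $alias not found in $file" >&2; return 1; }
    done
    # The backup holds the CA's private keys: owner read/write only.
    chmod 0600 "$file"
    # Record a digest next to the file so a later restore can detect tampering or corruption.
    openssl dgst -sha256 "$file" | awk '{print $NF}' > "$file.sha256"
    return 0
}

# check_ca_backup_digest FILE
# Compares the current SHA-256 of FILE with the digest recorded by verify_ca_backup.
check_ca_backup_digest() {
    [ -f "$1.sha256" ] || return 1
    [ "$(openssl dgst -sha256 "$1" | awk '{print $NF}')" = "$(cat "$1.sha256")" ]
}
```

Run check_ca_backup_digest on the backup before importca or restorekeystore; a mismatch means the file is not the one that was verified at export time.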

Using admin-GUI

To export and import the CA's keys using the Admin GUI you need superadministrator access. Before you do an export, make sure that your browser does not automatically save .p12 files to an unsuitable location.

To export the CA's keys, do the following:

  • Select Certificate Authorities from the administrator menu.

  • Select the CA you want to export and press the Edit button.

  • Go to the line where the help text says CA export requires the keystore password.

  • Enter the keystore password in the box to the right of the help text.

  • Press the Export CA keystore.. button.

  • The PKCS#12 file will be downloaded by your browser to the location you select.

To import a CA's keys, do the following:

  • Select Certificate Authorities from the administrator menu.

  • Press the Import CA keystore.. button.

  • Fill out the form with the CA's name, the full path name of the PKCS#12 file and the keystore password.

  • Keep the two Alias.. fields at their default values if you used EJBCA to export the CA's keys.

  • Press the Import CA keystore button.

Remove and restore CA soft keystore

Soft token CAs can have their keystore removed from the database. When the keystore is removed, the CA cannot issue certificates and its CA token status is set to offline.

Before removing the keystore, make sure you have exported it if you want to be able to restore it later. See the section Export and import CAs.

To remove the catoken keys for TestCA, enter the following from the $EJBCA_HOME directory:

$ bin/ejbca.sh ca removekeystore TestCA
Using JBoss JNDI provider...
$

To restore the catoken keys again for TestCA with the keystore exported as TestCA-exported.p12, enter the following from the $EJBCA_HOME directory:

$ bin/ejbca.sh ca restorekeystore TestCA /path/TestCA-exported.p12 -s SignatureKeyAlias -e EncryptionKeyAlias
Using JBoss JNDI provider...
Enter keystore password: foo123
$

Renew CAs

You can renew CAs in different ways:

  • Renew only CA certificate, using the same keys.

  • Renew CA keys and certificate.

To renew only the CA certificate using the same keys, simply press the Renew CA button. Your CA has to be online for this to work, so that it can sign the new certificate if it is a self-signed CA, or the certificate request if it is a sub CA. If it is a sub CA with the root CA in the same EJBCA instance, the root CA must also be online.

To renew the CA keys, set Next CA key to - Generate new key using KeySequence - and then press Renew CA. Renewing the keys will not always work if you are using an HSM; it may work with some HSMs and not with others. You can report successes and failures to us.

When using an HSM you can also renew the keys manually: generate new keys on the HSM with whatever tools you used the first time (preferably the EJBCA CLI tools), select the newly generated keys as the Next CA key, and press Renew CA to generate your new CA certificate.

Revoke CAs

If you want to revoke a CA, go to Certificate Authorities in the Admin GUI and use the Revoke CA button.

  • If you revoke a Root CA, all certificates in the database issued by the root CA are revoked and a CRL is created.

  • If you revoke a Sub CA, all certificates in the database issued by the sub CA, as well as the sub CA's own certificate, are revoked and a CRL is created. This works automatically if the sub CA and root CA are handled by the same EJBCA instance. If the sub CA is signed by an external CA, the sub CA's certificate must be revoked by the external CA.

  • If you revoke an external CA (a sub CA to a CA in EJBCA), the external CA's certificate will be revoked and put on the CRL of the issuing CA in EJBCA.