EJBCA - Open Source PKI Certificate Authority
Search ejbca.org for:




I get an error with "Illegal key length" when using EJBCA.

This is because you have not installed the "Unlimited Strength Crypto Policy Files" in the Oracle JDK. See the prerequisites section in the the installation guide.
Even if you think you have installed them, you have not. This error is simple and unique.

I get an error with "Java heap space" when building EJBCA (during ant bootstrap).

The error should be something like:
/usr/local/ejbca_3_6_b1/compile.xmli:239: Java heap space

This error is because the default maximum allowed memory allocation for java is too low.
Do this in unixes:

      export ANT_OPTS=-Xmx=512m
      ant bootstrap

On windows set the environment variable ANT_OPTS to -Xmx=512m, and restart your shell.

That should work.

My installation failed for some reason that is now fixed, how do I proceed?

The best way to recover is usually to start over from scratch:

I get strange errors during 'ant bootstrap' or 'ant install'.

This is most usually due to a database configuration error. In the server log (JBOSS_HOME/server/default/log/server.log) you will probably see some SQLException errors. You should then:

See the configuration and troubleshooting section in doc/howto/HOWTO-database.txt for additional database related information.

During the build process I get errors like: BUILD FAILED /usr/ejbca/build.xml:789: java.lang.ExceptionInInitializerError

You probably have ant pre-installed as a package from Fedora or Suse. Those pre-installations does not contain all default ant modules. You need the "optional tasks" included in the official ant distribution. Either add modules to the installed ant, or download the latest ant from http://ant.apache.org/.

A simple fix is to change the /etc/ant.conf to point to your user installed ant (in /your/ant/home). Change from:

# ant.conf (Ant 1.6.x)
# JPackage Project (http://www.jpackage.org/)

# Validate --noconfig setting in case being invoked
# from pre Ant 1.6.x environment
if [ -z "$no_config" ] ; then

# Setup ant configuration
if $no_config ; then
  # Disable RPM layout
  # Use RPM layout

  # ANT_HOME for rpm layout

to this

# ant.conf (Ant 1.6.x)
# JPackage Project (http://www.jpackage.org/)

# Validate --noconfig setting in case being invoked
# from pre Ant 1.6.x environment
if [ -z "$no_config" ] ; then

# Setup ant configuration
if $no_config ; then
  # Disable RPM layout
  # Use RPM layout

  # ANT_HOME for rpm layout

For Ubuntu things are much easier, just 'sudo apt-get install ant' and 'sudo apt-get install ant-optional'.

SHA256 certs fails integrity check in IE

Internet Explorer (at least IE6) does not support SHA256.

You can have an AdminCA using SHA1 and CAs for other purposes using SHA256.

How can I run JBoss as a service in Windows?

There is documentation over at JBoss for several different options:

In short summary there are a couple of tools:
Java Service Wrapper

Enroll manually for a server - why are my PKCS10 DN fields Ignored?

EJBCA does not trust the DN parts the user enters when he creates the PKCS10 request. The only way to match the certificate with what you enter in the pkcs10 is to enter the same thing in the end entity in ejbca.

PKCS#10 is the standard format for sending the public key (self signed to provide proof-of-possession) to a CA.

Where is the log file stored for tracking errors and debug information?


How do I configure log level in JBoss?

JBOSS_HOME/server/default/conf/lo4j.xml. It is a good idea to limit the log level to not include debug logs. You can do this by changing the root category towards the end of log4j.xml:

  <priority value="ERROR" />
  <appender-ref ref="CONSOLE"/>
  <appender-ref ref="FILE"/>

You may also choose to remove the CONSOLE logging completely.

You can also add this to limit the EJBCA logging to INFO, this will enable the logging system to avoid formatting debug messages that will not be printed, enhancing performance some.

<category name="org.ejbca">
   <priority value="INFO"/>

You can here enable DEBUG logging for EJBCA by changing INFO to DEBUG. By doing all of the above (and playing around a little) you can get nice logging with only the things you are interested in logged to the log file.

I want to add my own static pages under http://hostname:8080/ejbca/ ?

Put your files (static html is easy) under publicweb/publicweb, do a full build and re-deploy.

I get an error message when accessing the admin-GUI, "Could not establish an encrypted connection because your certificate was rejected ... Error code: -12224"?

1) Make sure you have imported to correct superadmin.p12 in your browser.

2) You may have to delete and import the ca certificate in your java trust-store:

sudo ant javatruststore

You can also import another CA than the initial AdminCA (My CA in the example) with the command:

sudo ant -Dca.name="My CA" javatruststore

Or you can run the commands manually. You don't have to do this if you use the convenience command 'ant javatruststore'.

bin/ejbca.sh ca getrootcert caname rootca.der -der
keytool -alias EJBCA-CA -delete -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit
keytool -alias EJBCA-CA -import -trustcacerts -file rootca.der -keystore $JAVA_HOME/jre/lib/security/cacerts -storepass changeit

Make sure you restart JBoss after making changes to the java trust store.

3) Perhaps the JBoss/Tomcat configuration was not done automatically because you are running another configuration than 'default' in JBoss. the file '$JBOSS_HOME/server/default/deploy/jbossweb-tomcat55.sar/server.xml' holds the Tomcat configuration. The configuration should be like the following, where 'serverpwd' is the 'httpsserver.password' as configured in ejbca.properties.

<!-- HTTPS Connector requiring client cert on port 8443 -->
<Connector port="8443" address="${jboss.bind.address}"
    maxThreads="100" strategy="ms" maxHttpHeaderSize="8192"
    scheme="https" secure="true" clientAuth="true"
    keystorePass="serverpwd" sslProtocol = "TLS" />

Also the file '$EJBCA_HOME/p12/tomcat.jks' must be copied to '$JBOSS_HOME/server/default/conf/keystore/keystore.jks', where 'default' should be replaced with the JBoss configuration you are using.

I get a blank page on the admiweb after start?

Either you entered a hostname (in httpsserver.hostname in ejbca.properties) that does not resolve to the machine where EJBCA is running during setup, or you changed the port that JBoss listens to. Make sure the hostname resolves to the machine ejbca is running on. If you need the change to url, use the command 'bin/ejbca.sh setup setbaseurl'.

When running 'ant install' or creating JKS or PKCS12 files you can't use longer password than 7 characters. Anything longer gives an error?

If you want to use strong crypto and/or password longer than 7 characters in keystores you must install the 'Unlimited Strength Jurisdiction Policy Files' for JDK. The policy files can be found at the same place as the JDK download. Further information on this can be found in the Sun documentation on the JCE.

Java 1.6.0
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 6.0

Java 1.5.0
Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files 5.0

Installation hangs and the https server will not work.

Perhaps JBOSS_HOME/server/default/conf/keystore/tomcat.jks must be executable. All scripts in EJBCA_HOME/bin directory must be executable, run 'chmod u+x *.sh'. Make sure you run the installation of ejbca as a user with enough privileges to write in JBOSS_HOME, and to JAVA_HOME/jre/lib/security/cacerts. Preferably the same user as is used to run the JBoss server.

How do I connect to, and alter data in the built-in 'Hypersonic SQL' database.

A : Shut down JBoss. Alternative 1: If you want to simply drop a table, go into the file JBOSS_HOME\server\default\db\hypersonic\default.script and delete the lines that creates the table, for instance to delete the table GLOBALCONFIGURATIONDATA, delete the lines :


Just for fun you can also delete all lines beginning with: INSERT GLOBALCONFIGURATIONDATA...

Alternative 2: Download HsqlDb fom http://hsqldb.sourceforge.net/. Unpack and in the 'bin'-subdirectory run 'runUtil DatabaseManager'. In the window that opens connect to 'HSQL Engine Database In-Memory', select URL 'jdbc:hsqldb:$jboss.home\server\default\db\hypersonic\default' where the path-to-jboss is for example 'C:\jboss\jboss-3.0.6_tomcat-4.1.18'. Now you can enter you SQL-commands, for example 'drop table globalconfigurationdata' and press 'Execute'. Unforturnately you must now go into the file JBOSS_HOME\server\default\db\hypersonic\default.properties and set the version to the correct old one, edit the lines with 'version' to read 1.6 (for JBoss 3.0) instead of whatever is there.

When enrolling for certificates with IE, the enrollment controll (clsid) is incorrect.

Microsoft changed the enrollment controll due to secrity issues. Look in 'src/publicweb/publicweb/anrol/apply/apply_exp.jspf' for more information.

I get the error "Object Class Violation : (65)" when publishing certificates in LDAP

You LDAP object class may require some fields in the DN that you have not entered. Some schemas require the DN-attribute SN for instance.

Why do I get the exception/error: Got request with status GENERATED (40), NEW, FAILED or INPROCESS required: foo; nested exception is: javax.ejb.EJBException:null

When using the LocalAuthenticationSession (default) all users have a STATUS. The status lifecycle begins with NEW and ends with REVOKED. Only when the status is NEW, FAILED or INPROCESS is it possible to issue a certificate to a user. After a certificate has been issued, the status is set to GENERATED. This works like a one-time-password scheme. To issue a new certificate to the user his/her status must be reset to NEW, FAILED or INPROCESS. This can be done with the admin-GUI or: bin/ejbca.sh ra setuserstatus username status Status '10' is NEW. Just enter 'bin/ejbca.sh ra setuserstatus' to see a list of all status codes.

How do I manipulate EJBCA-keystores using Suns 'keytool'?

EJBCA use PKCS12 format for the keystore because it is a standard, and I like standards. Normally keytool (e.g. sun) can read PKCS12 file but not write, so the BouncyCastle JCE is needed to handle PKCS12 keystores. Put the BouncyCastle provider 'bcprov-jkd15.jar' in 'jre/lib/ext', the default classpath for extensions in java. Now it should be possible to run:

keytool -list -alias privateKey -keystore server.p12 -storetype PKCS12 -storepass foo123 -provider org.bouncycastle.jce.provider.BouncyCastleProvider

It should be possible to import etc as well using keytool.

How do I make a keystore using keytool with a real certificate from EJBCA?

# First generate a new keystore and a keypair:
keytool -genkey -alias mykey -keystore myks.jks -keyalg RSA -dname c=SE,O=AnaTom,CN=Test -keypass foo123 -storepass foo123
# You SUN keystore is now in the file 'myks.jks'. 
# Next generate a certification request (PKCS10):
keytool -certreq -alias mykey -sigalg SHA1WithRSA -file myreq.p10 -keypass foo123 -keystore myks.jks -storepass foo123

You now have the certification request in the file 'myreq.p10'. Open up EJBCA request page in your favorite browser, '', and select the link for NOT having a browser' Download the Root CA certificate by clicking on the link. Save the certificate as 'ca.pem'. Enter the username and password of a valid user with status NEW, see question 'Why do I get the exception/error:' above. Copy and paste the contents of the certification request, 'myreq.p10' into the text field. Save the returned certificate as 'cert.pem'.

# Import the Root CA certificate into the keystore 'myks.jks':
keytool -import -alias cacert -file ca.pem -keystore myks.jks -storepass foo123
# Import the certificate reply into the keystore:
keytool -import -alias mykey -file cert.pem -keystore myks.jks -storepass foo123 -keypass foo123
# Now you can take a look at your SUN keystore with:
keytool -list -keystore myks.jks

In theory, you can use the same method with a BouncyCastle PKCS12 keystore by adding the following arguments to every command above:

-provider org.bouncycastle.jce.provider.BouncyCastleProvider/ -storetype PKCS12

unforturnately a bug in keytool prevents this from functioning properly at the moment, therefore I recommend using the 'bin/ejbca.sh ca' to create PKCS12 keystores. It can be used to create keystores generally, not just for CAs.

What is EJBCA's export classification in the United States of America?

At the time of writing (26 Feb 2008) EJBCA is approved classified under ECCN code 5D002 and approved for export under License Exception TSU. See The Bureau of Industry and Security website for further details.
EJBCA actually has the same classification as the Bouncy Castle JCE provider, from which this FAQ text is a rip-off. Thanks BC!

When a new end entity is created, where and how is the password stored?

A one-time password is stored hashed with SHA-1 in the UserData table in the database. If the checkbox 'clear text password' is checked when adding the user the password is stored in clear text, to be used for server side generation.

Where are software based CA keys stored in the database?

These keys are stored in a PKCS#12 file, encrypted with a password. The PKCS#12 is stored in the database in the CAData table.

If I enable key recovery, where are the end entities private keys stored in the database?

The private keys for key recovery is stored in the KeyRecoveryData table in the database. The data is encrypted with the CAs encryption key. The private keys are only stored if key recovery is enabled.

Galssfish issue no. 1: ant install fails with some weird errors.

This issue affects Glassfishv2 Enterprise Edition (open source admin console is slightly different and doesn't have this features). If you are experiencing errors when doing ?ant install?, do the following:

Glassfish issue no. 2: ant install fails with some weird errors

This issue affects both Glassfishv2 Enterprise Edition and Glasfish v2 open source edition. If you notice messages such as "database open for read only access", you have started glassfish with insufficient privileges. Stop the domain and restart it with privileges of the user who has full rights for glassfish.