1. Home
  2. /
  3. Resources
  4. /
  5. Understanding OAuth in EJBCA and How It Can Help You Get Started

Understanding OAuth in EJBCA and How It Can Help You Get Started

hero-sub-3
PKI hierarchies - 1, 2, 3 tiers ?

2025-12-17

What is OAuth?

OAuth (Open Authorization) is an open standard for secure delegated access. It allows applications and services to authenticate and authorize users or other services without directly sharing passwords. Instead, a trusted identity provider (IdP) issues tokens that can be used to access protected resources.

OAuth in the context of EJBCA

In EJBCA, OAuth support enables API clients to authenticate using access tokens issued by an external IdP instead of the default certificate based authentication and credentials. This is especially valuable for modern, cloud-native environments where single sign-on (SSO) and centralized identity management are standard.
With OAuth, EJBCA can integrate into your existing authentication ecosystem, making certificate management more secure, auditable, and aligned with enterprise identity governance.

Typical scenarios where OAuth is useful in EJBCA

  • Centralized authentication for administrators, Let all EJBCA admins log in with their corporate SSO accounts via an IdP like Keycloak, Okta*, or Azure AD*.
  • Securing API access – Allow automated systems and integrated client applications to request and manage certificates using short-lived OAuth tokens instead of static API keys and client certificates.
  • Multi-tenant or delegated environments – Separate authentication policies per tenant, while still using a single EJBCA instance.
  • Cloud-native deployments – Integrate with Kubernetes service accounts or other workload identities issued by an OAuth/OIDC-compliant IdP.

Who benefits from this support and when 

  • Platform engineers who already run an IdP and want PKI integrated into their existing authentication flow.
  • Security architects enforcing centralized identity governance across tools.
  • Developers building automation for certificate enrollment and lifecycle management without storing long-lived credentials.
  • New EJBCA users who want to quickly get started without setting up separate authentication inside EJBCA.

Example: EJBCA with Keycloak

Keycloak is an open-source identity and access management solution that supports OAuth 2.0 and OpenID Connect.
Here is a high-level overview of how a newcomer to EJBCA can integrate with a simple Keycloak setup. Detailed, step-by-step instructions are available in our documentation:

  1. Start Keycloak - Launch a Keycloak instance (for example using Docker) and log in to the admin console.
  2. Configure Keycloak - Create a realm, an OIDC client for EJBCA (with redirect URIs), and a test user. Enable client authentication and note the client secret.
  3. Trust Keycloak in EJBCA - Register Keycloak as a trusted OAuth provider in EJBCA using the client ID/secret and Keycloak signing key.
  4. Map roles and claims - Map Keycloak user claims to EJBCA roles to define what the OAuth user is allowed to do.
  5. Sign in with OAuth - Access EJBCA Admin Web or RA Web, choose Keycloak as the provider, and authenticate using OAuth.

 

Documentation 

With this workflow, you do not need to create or maintain separate user accounts inside EJBCA. Instead, you leverage the identity provider you already use and thus simplifying onboarding for new users and enabling a more secure, centralized, and modern authentication model. For someone just experimenting with EJBCA, it removes the friction of creating and managing separate EJBCA user accounts and helps you get up and running faster in a secure way.

Conclusion

OAuth support in EJBCA makes it much easier for new users and teams to get started. By relying on an existing identity provider like Keycloak, you avoid the overhead of creating and maintaining separate EJBCA accounts. Instead, you can authenticate securely using the same identities and access policies you already use elsewhere. This not only accelerates onboarding but also provides a clear path toward more secure, consistent, and centrally governed certificate operations.

Read more in the EJBCA Documentation

https://docs.keyfactor.com/ejbca/latest/oauth-provider-management
https://docs.keyfactor.com/ejbca/latest/setting-up-oauth-using-keycloak

Download EJBCA

  • EJBCA Community edition currently supports OAuth with Keycloak. Support for other identity providers, such as Okta or Azure AD, is available in the Enterprise Edition.

 

Related resources

Jet-Blog (1)
Implementing Cryptography
Installation & Deployment
Post-Quantum Cryptography
Signing
Tech Update
Ejbca
Signserver
11 December, 2025

Keyfactor PQC Lab Test Drive – now with support for Signing

From Open Source to Enterprise- try it for yourself. If you are testing or ev...
Read more
PKI hierarchies - 1, 2, 3 tiers ?
DevOps
Installation & Deployment
Tech Update
Ejbca
Signserver
21 October, 2025

#KEYMASTER: CVE Blind Spots – Why Defenders Are Still Left in the Dark

In this episode of #KEYMASTER, Sven Rajala, International PKI Man of Mystery,...
Read more

This website uses cookies

Cookies consist of small text files. They contain data that is stored on your device. To enable us to place certain types of cookies we need to obtain your consent. At PrimeKey Solutions AB, corp. ID no. 556628-3064, we use the following kinds of cookies. To read more about which cookies we use and storage times, click here to access our cookies policy.

Manage your cookie-settings

Necessary cookies

Check to consent to the use of Necessary cookies
Necessary cookies are cookies that must be placed for basic functions to work on the website. Basic functions are, for example, cookies which are needed so that you can use menus on the website and navigate on the site.

Functional cookies

Check to consent to the use of Functional cookies
Functional cookies need to be placed on the website in order for it to perform as you would expect. For example, so that it recognizes which language you prefer, whether or not you are logged in, to keep the website secure, remember login details or to be able to sort products on the website according to your preferences.

Cookies for statistics

Check to consent to the use of Cookies for statistics
For us to measure your interactions with the website, we place cookies in order to keep statistics. These cookies anonymize personal data.

Cookies for ad-tracking

Check to consent to the use of Cookies for ad-tracking
To enable us to offer better service and experience, we place cookies so that we can provide relevant advertising. Another aim of this processing is to enable us to promote products or services, provide customized offers or provide recommendations based on what you have purchased in the past.

Ad measurement user cookies

Check to consent to the use of Ad measurement user cookies
In order to show relevant ads we place cookies to tailor ads for you

Personalized ads cookies

Check to consent to the use of Personalized ads cookies
To show relevant and personal ads we place cookies to provide unique offers that are tailored to your user data
Close