Add End Entity outside EJBCA server

  • Roman

    Roman - 2013-08-28

From a security point of view it is desirable to let RA administrators add, edit or remove end entities outside the installation of EJBCA. We don't want to allow RA administrators to be able to get to the administration web GUI of EJBCA.

Is there a way that an RA administrator could do that remotely? For example, to install the admin GUI on a different server where RA administrators will be able to add end entities, and have it synchronized with the server where the CA is.

The most preferred situation is that the CA will not accept any inbound traffic.

  • Tomas Gustavsson

There are several different types of interfaces and ways this can be done.
There is a smorgasbord of options :-)

    • You can use WebServices (API or CLI can be integrated with other tools such as ID mgmt and SSO solutions)
    • You can use CMP (integrate with other products like Card Mgmt)
    • You can use External RA (make your own GUI or integrate with other GUIs)
    • You can use something else as well...

External RA gives only outgoing connections from the CA, but of course has put-retrieve delays.
CMP has a CMP proxy to break incoming connections and inspect packages.
    WebService is client certificate authenticated.

    The only thing you can not do is to install the integrated Admin GUI on a remote server.


    PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see or contact for more information.
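As an added illustration of the External RA option mentioned above (a constructed model, not EJBCA's own code or its real message format), the following simulation shows the two properties the reply names: the CA only ever initiates connections, towards a shared datastore it polls, and each request therefore waits up to one poll interval for its answer. The class names `ExternalRA`, `PollingCA` and `SharedStore`, the in-memory store, and the placeholder `CERT(...)` response are all assumptions made for this example.

```python
# Constructed model of the External RA message flow: not EJBCA's own code.
# An RA process writes request records into a datastore that both sides can
# reach; the CA polls that datastore on its own schedule and writes responses
# back. The CA only ever initiates connections (never accepts any), and the
# cost of that is a "put-retrieve" delay bounded by the CA's poll interval.
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional, Tuple


class State(Enum):
    WAITING = "waiting"        # written by the RA, not yet seen by the CA
    PROCESSED = "processed"    # the CA has written a response


@dataclass
class Message:
    msg_id: int
    request: str               # stands in for an enrolment request (placeholder)
    submitted_at: float
    state: State = State.WAITING
    response: Optional[str] = None
    processed_at: Optional[float] = None


@dataclass
class SharedStore:
    """The datastore both sides reach. Every access is logged as
    (initiator, target) so the direction of each connection is visible."""
    messages: Dict[int, Message] = field(default_factory=dict)
    connections: List[Tuple[str, str]] = field(default_factory=list)

    def put(self, initiator: str, msg: Message) -> None:
        self.connections.append((initiator, "store"))
        self.messages[msg.msg_id] = msg

    def get(self, initiator: str, msg_id: int) -> Optional[Message]:
        self.connections.append((initiator, "store"))
        return self.messages.get(msg_id)

    def waiting(self, initiator: str) -> List[Message]:
        self.connections.append((initiator, "store"))
        return [m for m in self.messages.values() if m.state is State.WAITING]


class ExternalRA:
    """RA side: puts requests into the store and later retrieves responses."""

    def __init__(self, store: SharedStore) -> None:
        self.store = store
        self._next_id = 1

    def submit(self, request: str, now: float) -> int:
        msg = Message(self._next_id, request, now)
        self._next_id += 1
        self.store.put("RA", msg)
        return msg.msg_id

    def retrieve(self, msg_id: int) -> Optional[str]:
        msg = self.store.get("RA", msg_id)
        return msg.response if msg and msg.state is State.PROCESSED else None


class PollingCA:
    """CA side: connects outwards to the store on its own schedule only."""

    def __init__(self, store: SharedStore, poll_interval: float) -> None:
        self.store = store
        self.poll_interval = poll_interval

    def poll(self, now: float) -> int:
        """One outbound poll: fetch WAITING messages and answer each of them."""
        handled = 0
        for msg in self.store.waiting("CA"):
            msg.response = f"CERT({msg.request})"   # placeholder for a real certificate
            msg.state = State.PROCESSED
            msg.processed_at = now
            handled += 1
        return handled


def simulate(poll_interval: float, submit_times: List[float], horizon: float):
    """Drive RA submissions and CA polls on a simulated clock.
    Returns the per-request delays (seconds) and the store, whose connection
    log shows that nothing ever connects *to* the CA."""
    store = SharedStore()
    ra, ca = ExternalRA(store), PollingCA(store, poll_interval)
    pending = sorted(submit_times)
    ids: List[int] = []
    t = 0.0
    while t <= horizon:
        # The RA may submit at any time; it is recorded with its real submit time.
        while pending and pending[0] <= t:
            ids.append(ra.submit(f"csr-{len(ids) + 1}", pending.pop(0)))
        ca.poll(t)   # the CA acts only at its own poll instants
        t += poll_interval
    delays = [store.messages[i].processed_at - store.messages[i].submitted_at for i in ids]
    return delays, store


if __name__ == "__main__":
    delays, store = simulate(10.0, [0.5, 12.0, 27.5], 40.0)
    print("delays:", delays, "max <= poll interval:", max(delays) <= 10.0)
    print("targets contacted:", {target for _, target in store.connections})
```

Running the module shows every request answered within one poll interval and a connection log whose only target is the store: the RA server and the CA never talk to each other directly, which is why this option keeps the CA free of inbound traffic at the price of the delay the reply mentions.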

  • Roman

    Roman - 2013-08-29

    I understand.

    In connection with that, is it also possible to have a separate server where RA administrators would be able to login to approve request or other action without access to the EJBCA?

What if we don't want to let RA administrators access the EJBCA server directly to approve? We want to minimize access to the CA server.
Is such a remote approval possible through the API?

I think that through the external RA API we are able to store requests in a database which the EJBCA server polls, so there is no such functionality. The only way I know about now is to log in to the admin GUI on an EJBCA server as an RA administrator and approve the action. But this is not the way that I'm looking for.