certificatepkicertificate-authorityejbca

Create EJBCA subCA during EJBCA installation


I am learning how to install and use EJBCA to deploy an enterprise PKI. I know I can install EJBCA using a quick install configuring the script ejbca-setup like is explained here, and I also have tested a longer install process with WildFly 10 like explained here. In both variants I need to create a default ManagementCA and I can make some configuration changes related to the database I'm using and other things during the installation process. My problem is I need to install a CA of subCA type, and my subCA private key comes in a PKCS12 or PEM file from the root CA (I'm not completelly sure about the format yet).

Right now I know I can install EJBCA with the default CA and then create my subCA as a second one like is explained here, but I want to know if I can create this subCA as my first CA at the installation process, because I dont't need the default CA. Also if I have to create the default CA mandatorily I want to know if I can remove this default CA after I create my subCA without problems or if this first default CA is some kind of special CA for EJBCA.


Solution

  • The default ManagementCA is nothing special and can be deleted.

    You can make the initial installation using an external CA for administrator certificates if you like. Documented here: https://doc.primekey.com/ejbca/ejbca-installation/installing-ejbca/install-ejbca-as-a-ca-without-a-management-ca Note the "-superadmincn" argument which binds your externally issued certificate to the suprt administrator role during the installation.