Install TLS/SSL certificate for my ejbca admin/ra portal

[sateeshkumarreddy1]

Hello good people,

I need some help on the the TLS certificate for my ejbca portal. I have recently installed EJBCA and my broswer showing the connection is not secure. how do I fix by installing a secure certificate either with selfsigned or any other options.

I tried to create a SSL cert profile and end entity profile and issued one self certificate with DN details and replaced keystore.p12 and restarted but still no luck. Tried to dig on wildfly level, but there not fruitful option to get my connection to make as secure.

I am running on wildfly 26, kindlly help me on this.

Thanks
Sateesh

[JannikZorn]

It's the same for me. Did you try http://localhost:8080/ejbca/, yet? I'm able to access http://localhost:8080/ejbca/ but not the https://localhost:8443/ejbca/adminweb.
I followed the offical documentation and only changed the necessary parts in properties.ejbca, properties.database and properties.web.
I couln't fix it, yet.

[sateeshkumarreddy1]

Hi Jannik, I am able to access both http and https. But i want to use the portal from public/Remote instead of localhost, where I need a TLS/SSL cert has to be installed on ejbca/wildfly to make the access is secured which I prefer with letsencrypt TLS certs

[primetomas]

Actually the connection is secure. For an internal PKI one could argue that it is actually more secure to use a private PKI than to use a public one. But anyhows...

• You can remove the warning in the web browser by installing the CA ceritifcate as trusted in your browser.
• You can configure WildFly to use any TLS server certificate. But you still need to make sure it allows the correct CA for client certificates.

TLS can be pretty tricky to get the right certficates in the right place, using the right keystore passwords. If you get it wrong, connections will stop working.

Here is some doc on the installation that deploys keystores. Keystores are stored in WildFly in standalone/configuration/keystores
https://doc.primekey.com/ejbca/ejbca-installation/installing-ejbca/installing-ejbca-as-a-ca-with-a-management-ca
The last section about adding ManagementCAs is important, so you don't loose your ability to log into the Admin UI.

It is also quite popular to use a web proxy in front of WildFly for these purposes. There are some documentation on how to use an apache proxy in front of EJBCA, or to use a HA proxy for load balancing.
https://doc.primekey.com/ejbca/ejbca-integration/integrating-with-third-party-applications

[sateeshkumarreddy1]

Hi Primetomas, thanks for your response.
I agree that to keep access secure by having the private PKI. But in my case I want to give RA access to public to enroll the users themselves. so I feel its not the right way to keep my RA portal access showing as "insecure". And we cant ask all the every public users to install the CA cert in their browsers.

hope you understand my requirement, kindly suggest. Looks HA proxy would solve my requirement and is that possible to install a TLS on HA proxy ?

[primetomas]

It should be. There are many many ways to achieve the same result in this regard. Fortunate and unfortunate, sometimes you have too many options :-).

[sateeshkumarreddy1]

Thank you primetomas, I will try to configure HA proxy and redirect them as to backend ejbca RA.