Installing EJBCA PKI System on Centos 7

EJBCA is an OpenSource Enterprise Certification Authority creation software. EJBCA is used to create a Public Key Infrastructure (PKI) Certificate Authority


Install software

$ sudo yum install -y nano tar unzip java-1.8.0-openjdk-devel ant psmisc mariadb bc patch

Installing MariaDB DBMS

Install and run MariaDB, check the status

$ sudo yum install -y mariadb-server
$ sudo systemctl enable --now mariadb
$ systemctl status mariadb

Initial MariaDB setup, setting a password for the root user

$ sudo mysql_secure_installation
Enter current password for root (enter for none):
Set root password? [Y/n]
Set root password? [Y/n]
New password: %password
Re-enter new password: %password%
Password updated successfully!
Remove anonymous users? [Y/n]
Disallow root login remotely? [Y/n]
Remove test database and access to it? [Y/n]
Reload privilege tables now? [Y/n]
Thanks for using MariaDB!

Create a database, a new database user, set a user password

$ sudo mysql -u root -p
mysql> CREATE DATABASE ejbcatest CHARACTER SET utf8 COLLATE utf8_general_ci;
mysql> GRANT ALL PRIVILEGES ON ejbcatest.* TO 'ejbca'@'localhost' IDENTIFIED BY 'ejbca';
mysql> exit

Installing an EJBCS PKI System

Let’s create a new user ejbcafrom which EJBCA will operate

$ sudo useradd -m -U -r -d /opt/ejbca ejbca

Set a password to the user

$ passwd ejbca
New password:
Retype new password:

Add user ejbca to the group wheel, then he would have superuser rights (sudo)

$ sudo usermod -aG wheel ejbca

Switch to our user, go to the home directory

$ sudo su - ejbca
$ cd

Download the distribution and unpack it to the home directory of the current user (/ opt / ejbca)

$ wget
$ unzip

If you created other databases and users, edit the login / password in the installation script

$ nano /opt/ejbca/ejbca_ce_6_15_2_6/bin/extra/

host: localhost
db: ejbcatest
dbuser: ejbca
dbuserpass: ejbca

Launching the EJBCA installation

$ ./ejbca_ce_6_15_2_6/bin/extra/

The script must be run from the current user, not root. The script must be run from the directory into which the EJBCA was unpacked.

During the installation process, we answer the questions:

This installs the EJBCA PKI
found RedHat/CentOS
EJBCA will be installed as OS user 'ejbca'

please install dependencies with:
yum install tar unzip java-1.8.0-openjdk-devel ant psmisc mariadb bc patch

Please select "Yes" if you did so, but not before
1) Yes
2) No
#? 1

This will destroy your complete EJBCA installation in database ejbcatest
Do you want this?
1) Yes
2) No
#? 1

Do you really want to destroy your EJBCA installation in database ejbcatest?
1) Yes
2) No
#? 1


You can now install the superadmin.p12 keystore, from /opt/ejbca/ejbca_ce_6_15_2_6/p12, in your web browser, using the password xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx, and access EJBCA at https://localhost:8443/ejbca

Configuring Firewall

Opening ports

$ sudo firewall-cmd --add-port=8443/tcp --permanent
$ sudo firewall-cmd --add-port=8442/tcp --permanent
$ sudo firewall-cmd --add-port=8080/tcp --permanent
$ sudo firewall-cmd --reload

Commands for starting / stopping the EJBCA service

Commands are executed from user ejbca

Start EJBCA:
$ cd ~
$ nohup wildfly/bin/ -b > /dev/null 2> /dev/null &

$ cd ~
$ ./wildfly/bin/ --connect :shutdown

Reload EJBCA:
$ cd ~
$ ./wildfly/bin/ --connect :reload

EJBCA as a system service on Linux

Create unit file ejbca.service

$ sudo nano /etc/systemd/system/ejbca.service

Description=EJBCA Server Daemon

ExecStart=/opt/ejbca/wildfly/bin/ -b
ExecReload=/opt/ejbca/wildfly/bin/ --connect :reload
ExecStop=/opt/ejbca/wildfly/bin/ --connect :shutdown


If EJBCA was started, stop it (from user ejbca)

$ cd ~ && ./wildfly/bin/ --connect :shutdown

After creating the unit file, you need to restart the systemd process to pick up the changes. Then we start the service and add it to startup. Checking the status

$ sudo systemctl daemon-reload
$ sudo systemctl enable --now ejbca
$ systemctl status ejbca

Useful information

After installing EJBCA, the system displays information about the location of the superadmin.p12 certificate and its password:


It must be downloaded and imported into a browser, for example firefox:

Настройки - Приватность и защита - Просмотр сертификатов - Ваши сертификаты - Импортировать

also the password of the superadmin.p12 certificate can be found by running the command

$ grep "superadmin.password" /opt/ejbca/ejbca-custom/conf/

The admin panel is located at: