Link Search Menu Expand Document

EJBCA - TLS Certificate Profile Setup

This example demonstrates how to create a TLS profile in EJBCA for use within certdog

Most of the settings mentioned for a profile are optional, depending on the requirements. But to function with certdog correctly, the following must be configured:

  • Allow Subject DN Override by CSR
  • Allow Extension Override
  • Store Certificate Data
  • Use Certificate Storage

More information on these settings is given below

Navigate to the Administration console (e.g. https://myhostname:8443/ejbca/adminweb)

Under CA Functions, select Certificate Profiles

Enter a name for this profile e.g. CERTDOG_TLS and click Add, then click Edit

For the Type, choose End Entity

For Available Key Algorithms, choose an algorithm. certdog supports RSA and ECDSA, for this example, select RSA

For Available Bit Lengths, select 2048

As shown below:


Scroll down and for Permissions, tick

  • Allow Subject DN Override by CSR
    • certdog will be generating the Subject DN
  • Allow Extension Override and enter (the OID for SANs) for the Overridable Extension OID list
    • This allows certdog to add SAN (Subject Alternative Names) attributes to requests
  • Store Certificate Data and Use Certificate Storage
    • These settings store the certificate data enabling certdog to revoke, if required

As shown below:


For the extensions, for Key Usage set:

  • Digital Signature
  • Key Encipherment

For Extended Key Usage, set:

  • Server Authentication
  • If you plan to use these certificates for client TLS authentication then also select Client Authentication


Scroll down to Other Data and optionally, uncheck the box for

  • LDAP DN Order
    • This orders the DN as CN=name,O=org,C=GB, rather than the LDAP ordering which is C=GB,O=org,CN=name. You may leave checked if you prefer
  • Select the CA you wish to be able to issue these certificates


Click Save

Note the profile name you selected as this name is required when configuring certdog