### Setup PostgreSQL Database Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/howto/HOWTO-database.txt Commands to create a PostgreSQL user and database with UTF-8 encoding. ```bash admin@host:~$ sudo su postgres postgres@host:~$ createuser -SDRP ejbca postgres@host:~$ createdb -E UTF8 ejbca ``` -------------------------------- ### Start Derby IJ Tool Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/howto/HOWTO-database.txt Launches the Derby IJ tool for database interaction. Specify the path to the Derby JARs. ```bash java -jar db-derby-10.2.1.3-bin/lib/derbyrun.jar ij ``` ```bash java -cp db-derby-10.1.3.1-bin/lib/derby.jar:db-derby-10.1.3.1-b in/lib/derbytools.jar org.apache.derby.tools.ij ``` -------------------------------- ### Install Pure CSS with Bower Source: https://github.com/keyfactor/ejbca-ce/blob/main/modules/ra-gui/resources/css/pure/README.md Install Pure CSS using the Bower package manager. This command saves Pure CSS as a dependency in your project. ```shell $ bower install --save pure ``` -------------------------------- ### Configure Cron for File Verification Source: https://github.com/keyfactor/ejbca-ce/blob/main/bin/extra/README.txt Example cron configuration to run the cronverify.sh script every minute. ```cron SHELL=/bin/sh PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin * * * * * root /usr/local/ejbca/bin/extra/cronverify.sh >/dev/null ``` -------------------------------- ### Build Pure CSS from Source Source: https://github.com/keyfactor/ejbca-ce/blob/main/modules/ra-gui/resources/css/pure/README.md Clone the Pure CSS repository and install dependencies using npm. Then, run the Grunt build command to compile the CSS files. ```shell $ git clone git@github.com:yahoo/pure.git $ cd pure $ npm install $ grunt ``` -------------------------------- ### Create and Set Extended Information Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/org/ejbca/core/protocol/ws/client/gen/ExtendedInformationWS.html Example of creating a UserDataVOWS object and setting extended information using ExtendedInformationWS objects. This demonstrates how to add custom key-value pairs to user data. ```java UserDataVOWS user = new UserDataVOWS (); user.setUsername ("tester"); user.setPassword ("foo123"); . . . List ei = new ArrayList (); ei.add (new ExtendedInformationWS ("A name", "A value")); ei.add (new ExtendedInformationWS ("Another name", "Another value")); . . user.setExtendedInformation (ei); ``` -------------------------------- ### Initialize EJBCA WS Client Source: https://github.com/keyfactor/ejbca-ce/blob/main/modules/ejbca-ws/src/org/ejbca/core/protocol/ws/objects/package.html Initializes the EJBCA WS client. It's recommended to perform this once, for example, in a ServletContextListener. Client and trust-store certificates must be defined during initialization. ```java import javax.xml.namespace.QName; . . class MyClass { static EjbcaWS ejbcaws; // A single instance is enough . . void myInit () { // Initialization code System.setProperty ("javax.net.ssl.trustStore", "_ws-keystore.jks_"); System.setProperty ("javax.net.ssl.trustStorePassword", "_foo123_"); System.setProperty ("javax.net.ssl.keyStore", "_ws-keystore.jks_"); System.setProperty ("javax.net.ssl.keyStorePassword", "_foo123_"); QName qname = new QName ("http://ws.protocol.core.ejbca.org/", "EjbcaWSService"); EjbcaWSService service = new EjbcaWSService (new URL ("https://_localhost_:8443/ejbca/ejbcaws/ejbcaws?wsdl"), qname); ejbcaws = service.getEjbcaWSPort (); } ``` -------------------------------- ### Generate Certificate Request using EJBCA Interface Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/org/ejbca/core/protocol/ws/client/gen/package-summary.html This snippet demonstrates how to create a user object, set its properties, and then use the EJBCA interface to request a certificate. Ensure that the placeholder values are replaced with actual installation data. ```java UserDataVOWS user = new UserDataVOWS (); user.setUsername ("_tester_"); user.setPassword ("_foo123_"); user.setClearPwd (false); user.setSubjectDN ("_CN=Tester,C=SE_"); user.setCaName ("_ManagementCA_"); user.setTokenType (UserDataVOWS.TOKEN_TYPE_USERGENERATED); user.setEndEntityProfileName ("_EMPTY_"); user.setCertificateProfileName ("_ENDUSER_"); byte[] cert_blob = ejbcaws.certificateRequest (user, _pkcs10_request_in_base64_, CertificateHelper.CERT_REQ_TYPE_PKCS10, null, CertificateHelper.RESPONSETYPE_CERTIFICATE).getRawData (); ``` -------------------------------- ### DB2 CREATE REGULAR TABLESPACE Example Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/howto/HOWTO-database.txt SQL statement to create a regular tablespace in DB2 for EJBCA. Adjust file path and size as needed. ```sql CREATE BUFFERPOOL "BP16K" SIZE 2500 PAGESIZE 16384 NOT EXTENDED STORAGE; CONNECT RESET; CONNECT TO EJBCA; CREATE REGULAR TABLESPACE EJBCADB_DATA_01 IN DATABASE PARTITION GROUP IBMDEFAULTGROUP PAGESIZE 16384 MANAGED BY DATABASE USING (FILE '/home/db2inst1/db2inst1/EJBCA/ejbcadb_data_01.dbf'512000) EXTENTSIZE 32 PREFETCHSIZE 32 BUFFERPOOL BP16K OVERHEAD 7.500000 TRANSFERRATE 0.060000 FILE SYSTEM CACHING DROPPED TABLE RECOVERY ON; ``` -------------------------------- ### Get Certificate Profile Info Source: https://context7.com/keyfactor/ejbca-ce/llms.txt Fetch detailed information about a specific certificate profile by its identifier. This helps in understanding the configuration and constraints of a profile. ```bash # Get certificate profile details curl -X GET "https://localhost:8443/ejbca/ejbca-rest-api/v2/certificate/profile/ENDUSER" \ --cert admin.pem \ --key admin-key.pem ``` -------------------------------- ### Create and Configure UserDataVOWS Object Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/org/ejbca/core/protocol/ws/client/gen/UserDataVOWS.html Example of creating a UserDataVOWS object and setting various user attributes, including extended information for revocation reasons and subject directory attributes. This is useful for preparing user data before sending it to the EJBCA WebService API. ```java UserDataVOWS user = new UserDataVOWS (); user.setUsername ("tester"); user.setPassword ("foo123"); user.setClearPwd (false); user.setSubjectDN ("CN=Tester,C=SE"); user.setCaName ("ManagementCA"); user.setEmail (null); user.setSubjectAltName (null); user.setStatus (EndEntityConstants.STATUS_NEW); user.setTokenType (UserDataVOWS.TOKEN_TYPE_USERGENERATED); user.setEndEntityProfileName ("EMPTY"); user.setCertificateProfileName ("ENDUSER"); List ei = new ArrayList (); ei.add(new ExtendedInformationWS (ExtendedInformation.CUSTOMDATA+ExtendedInformation.CUSTOM_REVOCATIONREASON, Integer.toString(RevokeStatus.REVOKATION_REASON_CERTIFICATEHOLD))); ei.add(new ExtendedInformationWS (ExtendedInformation.SUBJECTDIRATTRIBUTES, "DATEOFBIRTH=19761123")); user.setExtendedInformation(ei); ``` -------------------------------- ### EJBCA Search Initialization and Message Handling Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/EJBCA.html This JavaScript code initializes the Lunr search index and handles incoming messages for setup and search requests. It requires Lunr.js and related scripts to be imported. ```javascript startIndex = function() { idx = lunr.Index.load(lunrIndex); idx.pipeline.remove(lunr.stopWordFilter); postMessage({type: "setup-complete"}); } onmessage = function (event) { var message = event.data; if ((message.type === 'setup') && message.baseUrl) { var url = message.baseUrl; importScripts(url + 'js/lunr.js'); importScripts(url + 'js/lunr-extras.js'); importScripts(url + 'js/lunr-index.js'); importScripts(url + 'js/lunr-data.js'); startIndex(); } if (idx && (message.type === 'search-request') && message.query) { var searchWord = message.query; var results = idx.search(searchWord).map(function (result) { return lunrData.filter(function (d) { return d.id === parseInt(result.ref, 10) })[0] }); postMessage({type: 'search-results', results: results, query: searchWord, queryId: message.queryId}); } ``` -------------------------------- ### Initialize Utimaco PKCS#11 Environment Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/howto/cryptoserver-lan-emulator.txt Commands to set up the library, configure the INI file, and initialize the token slot. ```bash cd cp /Software/PKCS#11/lib/linux/* . cp /Software/PKCS#11/p11tool/linux/p11tool . ln -s libcs2_pkcs11-1.1.5.so libcs2_pkcs11.so vi cs2_pkcs11.ini Device = TCP:3001@172.16.175.128 AppTimeout = 172800 sudo cp cs2_pkcs11.ini /etc/utimaco ./p11tool lib=./libcs2_pkcs11.so slot=1 InitToken=officer1 ./p11tool lib=./libcs2_pkcs11.so slot=1 loginSO=officer1 initpin=user1 ``` -------------------------------- ### GET getEjbcaVersion Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/index-all.html Retrieves the version of the EJBCA server. ```APIDOC ## GET getEjbcaVersion ### Description Returns the version of the EJBCA server. ### Method GET ### Response #### Success Response (200) - **version** (string) - The version string of the EJBCA server. ``` -------------------------------- ### Initialize MySQL Database Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/howto/HOWTO-database.txt Commands to create the database, grant privileges, and execute SQL scripts for table and index creation. ```bash $ mysql -u root -p mysql> CREATE DATABASE ejbca CHARACTER SET utf8 COLLATE utf8_general_ci; mysql> GRANT ALL PRIVILEGES ON ejbca.* TO 'ejbca'@'' IDENTIFIED BY ''; mysql> exit $ mysql -u root -p ejbca < doc/sql-scripts/create-tables-ejbca-mysql.sql $ mysql -u root -p ejbca < doc/sql-scripts/create-index-ejbca.sql $ mysql -u root -p ejbca < doc/sql-scripts/optimize-ejbca-mysql.sql ``` -------------------------------- ### GET getHardTokenData Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/index-all.html Fetches information about a specific hard token. ```APIDOC ## GET getHardTokenData ### Description Fetches information about a hard token. ### Method GET ### Parameters #### Query Parameters - **arg0** (String) - Required - The identifier for the hard token. - **arg1** (boolean) - Required - Boolean flag for token data retrieval. - **arg2** (boolean) - Required - Boolean flag for token data retrieval. ``` -------------------------------- ### GET getData (CertificateResponse) Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/index-all.html Retrieves the data from a certificate response. ```APIDOC ## GET getData ### Description Retrieves the Base64 encoded data from the CertificateResponse object. ### Method GET ### Response #### Success Response (200) - **data** (string) - Base64 encoded data. ``` -------------------------------- ### GET /revocationStatus Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/org/ejbca/core/protocol/ws/client/gen/EjbcaWS.html Retrieves the revocation status for a specific user certificate. ```APIDOC ## GET /revocationStatus ### Description Returns the revocation status for a given user. Requires authorization for /administrator or /ca/. ### Parameters #### Query Parameters - **issuerDN** (string) - Required - The issuer distinguished name. - **certificateSN** (string) - Required - A hexadecimal string representing the certificate serial number. ### Response #### Success Response (200) - **status** (RevokeStatus) - The revocation status or null if the certificate does not exist. ``` -------------------------------- ### KeyStore Helper Methods Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/index-all.html Static methods for retrieving keystore data. ```APIDOC ## POST /api/keystore/helper/data ### Description Retrieves the keystore from encoded data. ### Method POST ### Endpoint /api/keystore/helper/data ### Parameters #### Request Body - **encodedData** (string) - Required - The Base64 encoded keystore data. - **password** (string) - Required - The password for the keystore. - **type** (string) - Required - The type of the keystore (e.g., JKS, PKCS12). ### Request Example ```json { "encodedData": "base64EncodedData", "password": "keystorePassword", "type": "JKS" } ``` ### Response #### Success Response (200) - **keystore** (object) - The retrieved keystore object. ### Response Example ```json { "keystore": { "data": "decodedKeystoreData" } } ``` ``` -------------------------------- ### GET getHardTokenDatas Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/index-all.html Fetches all hard tokens associated with a given user. ```APIDOC ## GET getHardTokenDatas ### Description Fetches all hard tokens for a given user. ### Method GET ### Parameters #### Query Parameters - **arg0** (String) - Required - The username or identifier for the user. - **arg1** (boolean) - Required - Boolean flag for token data retrieval. - **arg2** (boolean) - Required - Boolean flag for token data retrieval. ``` -------------------------------- ### Sign and Verify Files with sign-verify.sh Source: https://github.com/keyfactor/ejbca-ce/blob/main/bin/extra/README.txt Commands to sign a file using a private key and verify it using a public key. ```bash sign-verify.sh sign signer.priv sign-verify.sh verify signer.pub ``` -------------------------------- ### GET getErrorCode Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/index-all.html Retrieves the error code from various exception types. ```APIDOC ## GET getErrorCode ### Description Gets the value of the errorCode property from exception classes such as AlreadyRevokedException, ApprovalException, CADoesntExistsException, CAExistsException, CAOfflineException, and CesecoreException. ### Method GET ### Response #### Success Response (200) - **errorCode** (string) - The error code associated with the exception. ``` -------------------------------- ### Manage Configuration and Caches via CLI Source: https://context7.com/keyfactor/ejbca-ce/llms.txt Commands for importing/exporting profiles, performing configuration dumps, and clearing internal caches. ```bash bin/ejbca.sh ca exportprofiles -d /path/to/export/ ``` ```bash bin/ejbca.sh ca importprofiles -d /path/to/import/ ``` ```bash bin/ejbca.sh config configdump export \ --location /path/to/configdump/ \ --include-all ``` ```bash bin/ejbca.sh config configdump import \ --location /path/to/configdump/ \ --continue-on-error ``` ```bash bin/ejbca.sh clearcache -all ``` -------------------------------- ### getKeyStore Method Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/org/ejbca/core/protocol/ws/common/KeyStoreHelper.html Retrieves and loads a java.security.KeyStore from provided byte data. ```APIDOC ## getKeyStore ### Description Retrieves the keystore from the encoded data and returns a loaded and unlocked java.security.KeyStore object. ### Parameters #### Request Body - **keystoreData** (byte[]) - Required - The raw encoded data of the keystore. - **type** (String) - Required - The type of the keystore (e.g., "PKCS12" or "JKS"). - **password** (String) - Required - The password used to lock/unlock the keystore. ### Response #### Success Response (200) - **KeyStore** (java.security.KeyStore) - The loaded and unlocked keystore object. ``` -------------------------------- ### GET /getCertificate Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/index-all.html Fetches an issued certificate using provided identifiers. ```APIDOC ## GET /getCertificate ### Description Fetches an issued certificate. ### Method GET ### Parameters #### Query Parameters - **arg0** (String) - Required - Identifier for the certificate - **arg1** (String) - Required - Additional identifier or context ``` -------------------------------- ### Manage Crypto Tokens via CLI Source: https://context7.com/keyfactor/ejbca-ce/llms.txt Commands for creating, activating, deactivating, and managing keys within crypto tokens. ```bash bin/ejbca.sh cryptotoken create \ --token MyNewToken \ --type SoftCryptoToken \ --pin "tokenPassword" \ --autoactivate true ``` ```bash bin/ejbca.sh cryptotoken activate --token MyToken ``` ```bash bin/ejbca.sh cryptotoken deactivate --token MyToken ``` ```bash bin/ejbca.sh cryptotoken generatekey \ --token MyToken \ --alias signKey \ --keyspec RSA2048 ``` ```bash bin/ejbca.sh cryptotoken removekey --token MyToken --alias oldKey ``` ```bash bin/ejbca.sh cryptotoken testkey --token MyToken --alias signKey ``` -------------------------------- ### GET /api/crl/{caname} Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/org/ejbca/core/protocol/ws/client/gen/EjbcaWS.html Retrieves the latest CRL issued by the given CA. ```APIDOC ## GET /api/crl/{caname} ### Description Retrieves the latest CRL issued by the given CA. ### Method GET ### Endpoint /api/crl/{caname} ### Parameters #### Path Parameters - **caname** (string) - Required - The unique name of the CA. #### Query Parameters - **deltaCRL** (boolean) - Required - Specifies whether to retrieve a delta CRL. ### Response #### Success Response (200) - **crlData** (byte[]) - The CRL data. ### Throws - **CADoesntExistsException** - If the CA with the given name does not exist. - **EjbcaException** - On internal errors. ``` -------------------------------- ### GET getHardTokenData Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/org/ejbca/core/protocol/ws/client/gen/EjbcaWS.html Fetches information about a specific hard token by its serial number. ```APIDOC ## GET getHardTokenData ### Description Fetches information about a hard token. If the caller is an administrator, the data is returned directly. If the user is not an administrator, the request is added to a queue for approval. ### Method GET ### Parameters #### Query Parameters - **hardTokenSN** (String) - Required - The serial number of the token to look for. - **viewPUKData** (boolean) - Required - Whether PUK data of the hard token should be returned. - **onlyValidCertificates** (boolean) - Required - Whether revoked and expired certificates should be filtered. ### Response #### Success Response (200) - **HardTokenData** (HardTokenDataWS) - The hard token data object. ``` -------------------------------- ### GET /getCertificatesByExpirationTime Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/index-all.html Retrieves certificates that will expire within a specified number of days. ```APIDOC ## GET /getCertificatesByExpirationTime ### Description Retrieves the certificates whose expiration date is before the specified number of days. ### Method GET ### Parameters #### Query Parameters - **arg0** (long) - Required - Expiration time threshold - **arg1** (int) - Required - Number of days ``` -------------------------------- ### Import Certificates Source: https://context7.com/keyfactor/ejbca-ce/llms.txt Import existing certificates or directories of certificates into the system. ```bash bin/ejbca.sh ca importcert \ --username importeduser \ --caname MyRootCA \ -f /path/to/certificate.pem \ --certprofile ENDUSER \ --eeprofile EMPTY bin/ejbca.sh ca importcertdir \ --caname MyRootCA \ -d /path/to/certificates/ \ --certprofile ENDUSER \ --eeprofile EMPTY ``` -------------------------------- ### pkcs12Req Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/org/ejbca/core/protocol/ws/client/gen/EjbcaWS.html Creates a server-generated keystore. ```APIDOC ## pkcs12Req ### Description Creates a server-generated keystore. ### Parameters #### Path Parameters - **username** (String) - Required - **password** (String) - Required - **hardTokenSN** (String) - Required - **keyspec** (String) - Required - **keyalg** (String) - Required ``` -------------------------------- ### GET /ejbca/ejbca-rest-api/v2/certificate/count Source: https://context7.com/keyfactor/ejbca-ce/llms.txt Returns the total count of certificates, optionally filtered by status. ```APIDOC ## GET /ejbca/ejbca-rest-api/v2/certificate/count ### Description Returns the total count of certificates, optionally filtered by status. ### Method GET ### Endpoint /ejbca/ejbca-rest-api/v2/certificate/count ### Parameters #### Query Parameters - **isActive** (boolean) - Optional - Filter by active status ``` -------------------------------- ### GET /ejbca/ejbca-rest-api/v1/certificate/expire Source: https://context7.com/keyfactor/ejbca-ce/llms.txt Lists certificates that will expire within a specified number of days. ```APIDOC ## GET /ejbca/ejbca-rest-api/v1/certificate/expire ### Description Lists certificates that will expire within a specified number of days. ### Method GET ### Endpoint /ejbca/ejbca-rest-api/v1/certificate/expire ### Parameters #### Query Parameters - **days** (integer) - Required - Number of days to check for expiration - **offset** (integer) - Optional - Pagination offset - **maxNumberOfResults** (integer) - Optional - Max results to return ``` -------------------------------- ### Configure MySQL/MariaDB my.cnf Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/howto/HOWTO-database.txt Recommended configuration settings for MySQL or MariaDB to ensure compatibility and performance with EJBCA. ```ini [mysqld] default-storage-engine = INNODB transaction_isolation = REPEATABLE-READ sync_binlog = 1 innodb_file_per_table = 1 innodb_file_format = Barracuda innodb_flush_log_at_trx_commit = 1 character-set-server = utf8 default-collation = utf8_general_ci default-character-set = utf8 ``` -------------------------------- ### GET /ejbca/ejbca-rest-api/v1/certificate/{issuer_dn}/{serial_number}/revocationstatus Source: https://context7.com/keyfactor/ejbca-ce/llms.txt Checks whether a certificate has been revoked. ```APIDOC ## GET /ejbca/ejbca-rest-api/v1/certificate/{issuer_dn}/{serial_number}/revocationstatus ### Description Checks the revocation status of a certificate by issuer DN and serial number. ### Method GET ### Endpoint /ejbca/ejbca-rest-api/v1/certificate/{issuer_dn}/{serial_number}/revocationstatus ### Parameters #### Path Parameters - **issuer_dn** (string) - Required - The issuer distinguished name. - **serial_number** (string) - Required - The certificate serial number. ``` -------------------------------- ### Configure Enrollment Protocols via CLI Source: https://context7.com/keyfactor/ejbca-ce/llms.txt Commands for managing CMP, SCEP, and EST aliases, as well as enabling or disabling specific protocols. ```bash bin/ejbca.sh config cmp listalias bin/ejbca.sh config cmp addalias --alias mycmp bin/ejbca.sh config cmp updatealias --alias mycmp --key operationMode --value ra bin/ejbca.sh config cmp dumpalias --alias mycmp bin/ejbca.sh config cmp removealias --alias mycmp ``` ```bash bin/ejbca.sh config scep listalias bin/ejbca.sh config scep addalias --alias myscep bin/ejbca.sh config scep updatealias --alias myscep --key RAMode --value true bin/ejbca.sh config scep removealias --alias myscep ``` ```bash bin/ejbca.sh config est listalias bin/ejbca.sh config est addalias --alias myest bin/ejbca.sh config est updatealias --alias myest --key certProfileID --value 123 bin/ejbca.sh config est removealias --alias myest ``` ```bash bin/ejbca.sh config protocols enable --protocol REST bin/ejbca.sh config protocols disable --protocol SCEP bin/ejbca.sh config protocols status ``` -------------------------------- ### GET /api/user/{username}/certificatechain Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/org/ejbca/core/protocol/ws/client/gen/EjbcaWS.html Retrieves the last certificate to expire for a given user. ```APIDOC ## GET /api/user/{username}/certificatechain ### Description Retrieves the last certificate to expire for a given user. Returns the certificate chain [C1, C2... Cn] where C1 is the user's leaf certificate and Cn is the root certificate. This method does not check whether the certificate to be returned has been revoked. ### Method GET ### Endpoint /api/user/{username}/certificatechain ### Parameters #### Path Parameters - **username** (string) - Required - The unique username of the user whose certificate should be returned. ### Response #### Success Response (200) - **certificates** (list of X509 Certificates) - A list of X509 Certificates with the leaf certificate first, or an empty list if no certificate chain could be found for the specified user. ### Throws - **AuthorizationDeniedException** - If the client does not fulfill the authorization requirements. - **EjbcaException** - On internal errors. ``` -------------------------------- ### Implement mobile-first responsive grids Source: https://github.com/keyfactor/ejbca-ce/blob/main/modules/ra-gui/resources/css/pure/HISTORY.md Include the core stylesheet and the responsive grid module. Use conditional comments to serve a legacy grid system to older versions of Internet Explorer. ```html ``` -------------------------------- ### GET /api/certificate/ca/{caname}/certificatechain Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/org/ejbca/core/protocol/ws/client/gen/EjbcaWS.html Retrieves the current certificate chain for a specified CA. ```APIDOC ## GET /api/certificate/ca/{caname}/certificatechain ### Description Retrieves the current certificate chain for a CA. ### Method GET ### Endpoint /api/certificate/ca/{caname}/certificatechain ### Parameters #### Path Parameters - **caname** (string) - Required - The unique name of the CA whose certificate chain should be returned. ### Response #### Success Response (200) - **certificates** (list of X509 Certificates or CVC Certificates) - A list of certificates with the root certificate last. Returns an empty list if the CA's status is "Waiting for certificate response". ### Throws - **AuthorizationDeniedException** - If the client does not fulfill the authorization requirements. - **CADoesntExistsException** - If the CA with the given name does not exist. - **EjbcaException** - On internal errors. ``` -------------------------------- ### POST /ejbca/ejbca-rest-api/v1/certificate/enrollkeystore Source: https://context7.com/keyfactor/ejbca-ce/llms.txt Creates a keystore with server-generated keys for an existing end entity. ```APIDOC ## POST /ejbca/ejbca-rest-api/v1/certificate/enrollkeystore ### Description Generates a keystore (P12/JKS/BCFKS) for an existing end entity. ### Method POST ### Endpoint /ejbca/ejbca-rest-api/v1/certificate/enrollkeystore ### Request Body - **username** (string) - Required - End entity username. - **password** (string) - Required - Keystore password. - **key_alg** (string) - Required - Key algorithm (e.g., RSA). - **key_spec** (string) - Required - Key specification (e.g., 2048). ``` -------------------------------- ### ExtendedInformationWS Get Value Method Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/org/ejbca/core/protocol/ws/client/gen/ExtendedInformationWS.html Method to retrieve the value associated with the extended information. ```java java.lang.String getValue() ``` -------------------------------- ### ExtendedInformationWS Get Name Method Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/org/ejbca/core/protocol/ws/client/gen/ExtendedInformationWS.html Method to retrieve the name (key) of the extended information. ```java java.lang.String getName() ``` -------------------------------- ### Manage Crypto Tokens Source: https://context7.com/keyfactor/ejbca-ce/llms.txt List available cryptographic tokens. ```bash bin/ejbca.sh cryptotoken list ``` -------------------------------- ### GET /api/v1/certificate/chain Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/org/ejbca/core/protocol/ws/client/gen/EjbcaWS.html Retrieves the last CA chain for a given Certificate Authority (CA) name. ```APIDOC ## GET /api/v1/certificate/chain ### Description Retrieves the last CA chain for a specified Certificate Authority (CA). ### Method GET ### Endpoint /api/v1/certificate/chain ### Parameters #### Query Parameters - **caname** (string) - Required - The name of the Certificate Authority (CA) for which to retrieve the chain. ### Response #### Success Response (200) - **Certificate** (list) - A list of Certificate objects representing the CA chain. This list will never be null. #### Response Example ```json [ { "serialNumber": "ABCDEF0123456789", "issuerDN": "CN=EJBCA Root CA,O=My Organization,C=US", "subjectDN": "CN=Intermediate CA,O=My Organization,C=US", "notBefore": "2022-01-01T00:00:00Z", "notAfter": "2032-01-01T00:00:00Z" }, { "serialNumber": "FEDCBA9876543210", "issuerDN": "CN=EJBCA Root CA,O=My Organization,C=US", "subjectDN": "CN=EJBCA Root CA,O=My Organization,C=US", "notBefore": "2020-01-01T00:00:00Z", "notAfter": "2040-01-01T00:00:00Z" } ] ``` ### Errors - **AuthorizationDeniedException_Exception**: If the caller is not authorized to access this information. - **CADoesntExistsException_Exception**: If the specified CA does not exist. - **EjbcaException_Exception**: If any other server-side exception occurs. ``` -------------------------------- ### Generate Server-Side Keystore Source: https://context7.com/keyfactor/ejbca-ce/llms.txt Creates a keystore (P12, JKS, or BCFKS) with server-generated keys for an existing end entity. Specify username, password, key algorithm, and key size. ```bash curl -X POST "https://localhost:8443/ejbca/ejbca-rest-api/v1/certificate/enrollkeystore" \ --cert admin.pem \ --key admin-key.pem \ -H "Content-Type: application/json" \ -d '{ "username": "testuser", "password": "keystorePassword123", "key_alg": "RSA", "key_spec": "2048" }' ``` ```json { "keystore": "MIIKIwIBAzCCCd8GCSqGSIb3...", "serial_number": "123456789ABCDEF", "keystore_type": "PKCS12" } ``` -------------------------------- ### GET /getCertificatesByExpirationTimeAndType Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/index-all.html Lists certificates that will expire within a given number of days and are of a specific type. ```APIDOC ## GET /getCertificatesByExpirationTimeAndType ### Description List certificates that will expire within the given number of days and of the given type. ### Method GET ### Parameters #### Query Parameters - **arg0** (long) - Required - Expiration time threshold - **arg1** (int) - Required - Certificate type - **arg2** (int) - Required - Number of days ``` -------------------------------- ### KeyStore Methods Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/index-all.html Methods for retrieving keystore data. ```APIDOC ## GET /api/keystore/data ### Description Returns the keystore data in Base64 format. ### Method GET ### Endpoint /api/keystore/data ### Response #### Success Response (200) - **keystoreData** (string) - The keystore data encoded in Base64. ### Response Example ```json { "keystoreData": "base64EncodedKeystoreData" } ``` ``` -------------------------------- ### Initialize EJBCA WS Client Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/org/ejbca/core/protocol/ws/client/gen/package-summary.html Initializes the EJBCA WS client by setting SSL properties for trust and key stores and passwords, then creating a service instance and obtaining the port. This should ideally be done once. ```java import javax.xml.namespace.QName; . . class MyClass { static EjbcaWS ejbcaws; // A single instance is enough . . void myInit () { // Initialization code System.setProperty ("javax.net.ssl.trustStore", "_ws-keystore.jks_"); System.setProperty ("javax.net.ssl.trustStorePassword", "_foo123_"); System.setProperty ("javax.net.ssl.keyStore", "_ws-keystore.jks_"); System.setProperty ("javax.net.ssl.keyStorePassword", "_foo123_"); QName qname = new QName ("http://ws.protocol.core.ejbca.org/", "EjbcaWSService"); EjbcaWSService service = new EjbcaWSService (new URL ("https://_localhost_:8443/ejbca/ejbcaws/ejbcaws?wsdl"), qname); ejbcaws = service.getEjbcaWSPort (); } ``` -------------------------------- ### GET /certificate/checkRevokationStatus Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/org/ejbca/core/protocol/ws/client/gen/EjbcaWS.html Checks the revocation status of a certificate based on the issuer DN and certificate serial number. ```APIDOC ## GET /certificate/checkRevokationStatus ### Description Checks the revocation status of a certificate. ### Parameters #### Query Parameters - **issuerDN** (string) - Required - The distinguished name of the issuer. - **certificateSN** (string) - Required - The serial number of the certificate. ### Response #### Success Response (200) - **status** (RevokeStatus) - The revocation status of the certificate. ``` -------------------------------- ### Create a new module build script Source: https://github.com/keyfactor/ejbca-ce/blob/main/modules/README.txt Use this template to define the build, clean, and test targets for a new EJBCA module. Ensure all placeholders are replaced with the specific module name and required dependencies. ```xml Describe the module here... ... ``` -------------------------------- ### GET /getCertificatesByExpirationTimeAndIssuer Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/index-all.html Lists certificates that will expire within a given number of days and were issued by a specific issuer. ```APIDOC ## GET /getCertificatesByExpirationTimeAndIssuer ### Description List certificates that will expire within the given number of days and issued by the given issuer. ### Method GET ### Parameters #### Query Parameters - **arg0** (long) - Required - Expiration time threshold - **arg1** (String) - Required - Issuer name - **arg2** (int) - Required - Number of days ``` -------------------------------- ### Configure OpenLDAP Upstream Syncprov Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/howto/HOWTO-LDAP-tips-n-tricks.txt Enable the syncprov overlay on the upstream server to support replication. ```text overlay syncprov syncprov-checkpoint 5 3 syncprov-sessionlog 100 ``` -------------------------------- ### Search Certificates by Criteria Source: https://context7.com/keyfactor/ejbca-ce/llms.txt Use this endpoint to search for certificates based on various criteria like subject name, status, and CA. Ensure you have the correct certificate and key files for authentication. ```bash curl -X POST "https://localhost:8443/ejbca/ejbca-rest-api/v1/certificate/search" \ --cert admin.pem \ --key admin-key.pem \ -H "Content-Type: application/json" \ -d '{ "max_number_of_results": 100, "criteria": [ { "property": "QUERY", "value": "CN=test*", "operation": "LIKE" }, { "property": "STATUS", "value": "CERT_ACTIVE", "operation": "EQUAL" }, { "property": "CA", "value": "MyRootCA", "operation": "EQUAL" } ] }' ``` -------------------------------- ### DB2 Connection String with Schema Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/howto/HOWTO-database.txt Example of specifying a schema name within the DB2 JDBC connection URL for EJBCA. ```properties database.url=jdbc:db2://bigfatiron.foo.com:5021/DB2T:currentSchema=EJBCA; ``` -------------------------------- ### PinDataWS Constructors Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/org/ejbca/core/protocol/ws/client/gen/PinDataWS.html Provides details on how to instantiate the PinDataWS object. ```APIDOC ## PinDataWS Constructors ### Description Constructors for the PinDataWS class. ### Constructor Summary - **PinDataWS()**: WS Constructor. - **PinDataWS(int type, String initialPIN, String puk)**: Default constructor. Initializes PinDataWS with type, initial PIN, and PUK. - **Parameters**: - **type** (int) - The type of PIN, referencing PINTYPE constants. - **initialPIN** (String) - The initial PIN for the token. - **puk** (String) - The PUK for the token. ``` -------------------------------- ### Certificate Generation and Keystore Creation Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/index-all.html APIs for generating PKCS#10 certificates and creating PKCS#12 keystores. ```APIDOC ## POST /api/ejbca/pkcs10Request ### Description Generates a certificate for a user using a PKCS#10 request. ### Method POST ### Endpoint /api/ejbca/pkcs10Request ### Parameters #### Query Parameters - **username** (string) - Required - The username for whom the certificate is generated. - **password** (string) - Required - The password for authentication. - **request** (string) - Required - The PKCS#10 request in PEM format. - **profile** (string) - Optional - The profile to use for certificate generation. - **issuerDN** (string) - Optional - The DN of the issuer. ### Request Example ```json { "username": "testuser", "password": "password123", "request": "-----BEGIN CERTIFICATE REQUEST-----\n...\n-----END CERTIFICATE REQUEST-----", "profile": "endentity", "issuerDN": "CN=EJBCA Root CA" } ``` ### Response #### Success Response (200) - **certificate** (string) - The generated certificate in PEM format. #### Response Example ```json { "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----" } ``` ## POST /api/ejbca/pkcs12Req ### Description Creates a server-generated keystore (PKCS#12). ### Method POST ### Endpoint /api/ejbca/pkcs12Req ### Parameters #### Query Parameters - **username** (string) - Required - The username for authentication. - **password** (string) - Required - The password for authentication. - **keyAndPassword** (string) - Required - The password for the keystore. - **profile** (string) - Optional - The profile to use for keystore generation. - **issuerDN** (string) - Optional - The DN of the issuer. ### Request Example ```json { "username": "testuser", "password": "password123", "keyAndPassword": "keystorepass", "profile": "endentity", "issuerDN": "CN=EJBCA Root CA" } ``` ### Response #### Success Response (200) - **keystore** (string) - The generated PKCS#12 keystore in base64 encoded format. #### Response Example ```json { "keystore": "MIIC..." } ``` ``` -------------------------------- ### GET /api/v1/hardtoken Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/org/ejbca/core/protocol/ws/client/gen/EjbcaWS.html Fetches hard token data for a specified user. This endpoint can be accessed by administrators or users with specific RA functionalities. ```APIDOC ## GET /api/v1/hardtoken ### Description Fetches all hard tokens for a given user. Access is restricted based on user roles and permissions. ### Method GET ### Endpoint /api/v1/hardtoken ### Parameters #### Query Parameters - **username** (string) - Required - The username for whom to retrieve hard token data. - **viewPUKData** (boolean) - Optional - If true, PUK data of the hard token will be returned. - **onlyValidCertificates** (boolean) - Optional - If true, filters out revoked and expired certificates. ### Response #### Success Response (200) - **HardTokenDataWS** (list) - A list of HardTokenData objects representing the user's hard tokens. This list will never be null. #### Response Example ```json [ { "hardTokenId": "123e4567-e89b-12d3-a456-426614174000", "serialNumber": "SN123456789", "tokenType": "SmartCard", "user": "testuser", "certificate": { "serialNumber": "ABCDEF0123456789", "issuerDN": "CN=EJBCA Root CA,O=My Organization,C=US", "subjectDN": "CN=testuser,O=My Organization,C=US", "notBefore": "2023-01-01T00:00:00Z", "notAfter": "2024-01-01T00:00:00Z" }, "pukData": "PUK123456" } ] ``` ### Errors - **AuthorizationDeniedException_Exception**: If the caller is not authorized to access this information. - **CADoesntExistsException_Exception**: If the specified CA does not exist. - **EjbcaException_Exception**: If any other server-side exception occurs. ``` -------------------------------- ### Web Server Configuration Properties Source: https://context7.com/keyfactor/ejbca-ce/llms.txt Settings for SuperAdmin, HTTPS server, and port configurations in web.properties. ```properties # SuperAdmin configuration superadmin.cn=SuperAdmin superadmin.dn=CN=${superadmin.cn},O=Example,C=US superadmin.password=ejbca superadmin.batch=true # HTTPS server configuration httpsserver.hostname=ejbca.example.com httpsserver.dn=CN=${httpsserver.hostname},O=Example,C=US httpsserver.password=serverpwd httpsserver.tokentype=P12 # Java truststore password java.trustpassword=changeit # HTTP/HTTPS ports httpserver.pubhttp=8080 httpserver.pubhttps=8442 httpserver.privhttps=8443 ``` -------------------------------- ### Get Certificate Count Source: https://context7.com/keyfactor/ejbca-ce/llms.txt Retrieve the total number of certificates, with an option to filter by active status. This is useful for quick inventory checks. ```bash # Get total active certificate count curl -X GET "https://localhost:8443/ejbca/ejbca-rest-api/v2/certificate/count?isActive=true" \ --cert admin.pem \ --key admin-key.pem ``` -------------------------------- ### NotFoundException Class Source: https://github.com/keyfactor/ejbca-ce/blob/main/doc/dist/ws/org/ejbca/core/protocol/ws/client/gen/NotFoundException.html Details of the NotFoundException class, including its message field, constructor, and methods for getting and setting error code and message. ```APIDOC ## Class: NotFoundException ### Description Represents a 'Not Found' exception, typically used when a requested resource is not found. ### Fields * **message** (String) - The detail message string. ### Constructor Detail #### NotFoundException() * Public constructor for NotFoundException. ### Method Detail #### getErrorCode() * **Returns**: ErrorCode - The error code associated with the exception. * Gets the value of the errorCode property. #### getMessage() * **Returns**: String - The detail message string. * Gets the value of the message property. #### setErrorCode(ErrorCode value) * **Parameters**: * `value` (ErrorCode) - The ErrorCode object to set. * Sets the value of the errorCode property. #### setMessage(String value) * **Parameters**: * `value` (String) - The message string to set. * Sets the value of the message property. ```