The identity in outgoing SSL connections is configured as an Internal Key Binding.

  • The certificate must have Key Usage: Digital Signature and Key Encipherment.

  • The certificate must have Extended Key Usage: Client Authentication.

  • The list of trusted certificates will be used to validate the remote server side SSL certificate.

Validation of the remote TLS certificate is subject to basic TLS certificate path validation and for example OCSP checks are currently not supported. You can configure the list of trusted remote server side TLS certificats in the following ways:

  • By default, any remote server side TLS certificate issued by a CA that exists in the local EJBCA instance will be trusted.

  • By specifying a CA, you can choose to trust only TLS certificates issued by this CA.

  • By specifying both a CA and a certificate serial number, only the specific TLS certificate will be trusted.

In the case where an external CA is used and you need to trust a specific TLS certificate, the certificate must be known to the local instance as well. To ensure that this is known, You can for example use

bin/ ca importcert

No implementation specific properties exist for this Internal Key Binding.

See the sections Setting up Peer Connectors for Outgoing Connections or OCSP signer renewal for examples of how this is used.