Managing Internal Key Bindings


An Internal Key Binding can be used to make keys in a Crypto Token available for other uses than in a CA. It is a reference to a key pair available to the EJBCA instance, a non-CA certificate, an optional list of trusted certificates and properties for its purpose. It can be thought of as a simplified key store with purpose-specific properties.

Example: An OcspKeyBinding can be used to sign OCSP responses on behalf of a CA. It has a key in an HSM accessible from the EJBCA instance (via a Crypto Token) and an OCSP signing certificate. Additionally the trusted certificates can be used to verify that OCSP requests are sent from a trusted source and additional properties can be used to specify how long an OCSP response should be valid.

The following sections list properties shared by all Internal Key Bindings and Actions available from the Overview page.

For information on the Internal Key Binding types OcspKeyBinding and AuthenticationKeyBinding, see the respective section.

Common Properties

All Internal Key Bindings share the following properties:




OcspKeyBinding or AuthenticationKeyBinding.


Unique identifying number.


A unique and human readable name.

Crypto Token

The Crypto Token where we reference a key pair.

Key Pair Alias

A reference to the currently used key pair in the specified Crypto Token.

Signature Algorithm

The signature algorithm user during signing, for example the signing of an OCSP response.

Next Key Pair Alias

A reference to the next key pair to use in the specified Crypto Token when renewing.

Bound Certificate

A certificate issued for the current key pair's public key.


The following actions are available from the Overview page:




Marks the Internal Key Binding as Active/Disabled. Only Active ones will be used and processed by health-check.


Removes the Internal Key Binding, but will not remove the referenced key pair or certificates.

New keys

Generates a new key pair in the referenced Crypto Token using the same key specification as the current key has and an alias derived from the current alias.


Creates a Certificate Signing Request using the next key pair (or current key pair when no next key pair exists).


Searches the database for the latest issued matching certificate for the next key pair (or current key pair when no next key pair exists) by using SubjectKeyId.


When the CA that issued the current certificate is active and resides in the same instance, this will create a new certificate using the same End Entity as the last one was issued with. If a next key pair exists, that key pair will be used.