The SPOC CA is a regular X.509 CA and is configured as such, following the profiles of the SPOC specification (CSN 369791:2009).

In the specification of the SPOC CA, two private Extended Key Usages defined in the standard requires configuration.

EJBCA 4.0 and later

As of EJBCA 4.0, the key usages are standard and can be selected in certificate profiles.

EJBCA 3.11 and earlier

For EJBCA 3.11 and earlier, configure conf/extendedkeyusage.properties and add the two new key usage OIDs:

extendedkeyusage.oid.23 =
extendedkeyusage.name.23 = CSN369791-TLS-CLIENT
extendedkeyusage.oid.24 =
extendedkeyusage.name.24 = CSN369791-TLS-SERVER

If the numbering has changed (i.e. other standard extended key usages have been added) since the publication of this sample, make sure the numbers (23 and 24) are changed to follow consecutive numbering in the file.

After this change, re-deploy ejbca (ant clean; ant deploy) and they will show up as selectable values in he EJCBA Admin GUI Certificate Profiles.

A SPOC client should use Client Authentication, CSN369791-TLS-CLIENT, while a SPOC server should use Server Authentication, CSN369791-TLS-SERVER.