EJBCA RA Management

This section covers EJBCA RA Management tasks and describes the EJBCA menu sections and the functions a user can perform in the EJBCA RA GUI:

User Access

Different menu items will be visible depending on the Users access role.

Front page

The RA front page contains quick links to the most common operations performed by a user:

  • Making a new certificate request

  • Checking status of a request, and retrieving the certificate

  • Requesting revocation of a certificate


The Enroll menu includes options for making certificate requests and retrieving (enrolling) certificates issued to the User.

Make New Request

The Make New Request page allows requesting a new certificate. Note that the options available are depending on your role, and when there is only one choice available and thus no selection to be made, the option is not displayed on the page. To view these predefined options, click Show details in the bottom-right of each section.

Select Request Template

Select Certificate Type to choose which type of certificate to request. If you have access to request multiple certificates, the options are available for selection in a list. Note that you will not have to make a selection if you only have access to one certificate type.

Second you select Certificate subtype. The subtype choice exists if there are multiple variants, for example SMIME Signing or Encryption, or different validity periods for TLS certificates. If you only have access to one Certificate subtype, you will not be able to choose anything.

Third you can choose which CA to request the certificate from, if you have access to more than one CA. If only one CA choice is available, you will not be able to choose anything.

Last in the Request Template section you choose if you will provide a CSR or if the CA will generate a keystore, including the private key, for you. If only one choice is available, you will not be able to choose anything.

Upload CSR

If the last choice in the Request Template section was Provided by User, you now get the ability to upload a CSR. Once uploaded some basic information about the CSR, such as the type and length of the public key is displayed.

Select key algorithm

If the last choice in the Request Template section was On Server, you now get the ability to choose key type and key length, within the restrictions set by the policy.

Provide request info

This is the section where you enter you personal data for the request. This includes Distinguished Name fields and Subject Alternative name fields. Only available fields are displayed and an asterisk (*), marks required fields.

Provide User Credentials

The last section to fill in contains your User credentials. This can include a username and enrollment code, or only an enrollment code if the username is automatically generated. The enrollment code will be used when you, at a later stage, retrieve your certificate.

Confirm request

Last there is a summary section of your choices so you can verify the data you entered before confirming the request. As last step you are asked to either Confirm the request to be sent for approvals, or immediately issue the certificate if the certificate can be issued immediately for your role.

  • Confirm Request: Creates a request for approval and provides you with a Request ID for tracking the request.

  • Download buttons: Immediately issues a certificate

Use Request ID

This menu selection will let you check status of a request sent for approval, using the Request ID, you were given. If the request is ready for issuance, you will then be able to provide the enrollment code that you either provided yourself or was sent. After giving the Request ID and an enrollment code, your certificate or keystore will be downloaded to you.

Use Username

As an alternative to using a Request ID, you may be provided with a username and an enrollment code by your administrator. These can be used on this screen in order to issue your certificate.

Manage Requests

The Manage Requests menu functions are used for RA Administrators to approve requests that have been performed by less privileged users, i.e. such requests that require approval by an administrator before the certificate can be issued, a revocation performed etc.

The Manage Requests page contains the following tabs:

  • To Approve: Lists requests that you as an administrator may approve or deny.

  • Pending Approval: Lists currently pending requests you have access to view, including those that you may approve yourself.

  • Processed: Lists past requests you have access to view.

  • Custom Search: A search screen allowing you to filter and search all requests you have access to view.

To Approve

The tab To Approve shows what approvals request you as an RA Administrator have the possibility to attend to. As an RA Administrator, this is your view to pick up requests to review.

Note that approval requests have an expire period and will disappear from the To Approve list when expired.

Requests to review are listed in a table displaying:




The request ID

Request Date

Date and time of the request.


The CA the request was made for.


Type of request:

  • Add End Entity

  • Change Status of End Entity

  • Edit End Entity

  • Key Recovery

  • Revoke Certificate

  • Revoke End Entity


Username of the request end entity

Requested by

Your login

Request Status

Valid values:

  • Waiting for Approval

  • Approved

  • Executed

  • Rejected

  • Execution Failed

  • Expired


Clicking Review displays View Request details about the request and allows you to edit the request.

View Request

Clicking Review displays View Request details about the request and allows you to edit the request.

Note that if you edit a request, you will not be able to approve the same request since the request will have to be approved by another administrator.


Below the request details may be information to approve or reject for the request. The details to specify for approval depends on the configuration of Approval Profiles in the CA and can be text fields, options, or numbers that you have to specify before clicking Approve or Reject.

If only one approval is required, the request will be Executed after you approve the request. In a multi-step approval process, the request will move to the next administrator to approve the next step. The approval workflow is configured by the CA Administrators.

Pending Approval

If you have made requests yourself, and have privileges to view the Manage Requests page, this tab displays the requests that you have made, and that are waiting for approval by another administrator. If you have requests that are pending approval, a table is shown displaying information about your request, with the same information as for To Approve.

Click Review to the right in the table to view details about your request. To edit your request before it has been approved, click Edit while viewing request details.


The Processed tab shows requests that you have approved or rejected and allows you to review what has been done.

CA Certificates and CRLs

The CA Certificates and CRLs screen allows downloading CA certificates and CRLs for CAs that you have access to.

The CAs you can access to are listed in a table displaying the following:



Certificate Authority

Name of Certificate Authority.


  • Full: Download a full CRL.

  • Delta: Download a deltaCRL if one is available.


  • PEM: Download certificate in PEM format.

  • DER: Download certificate in binary format.

Certificate chain

Downloads a certificate chain for a sub CA, the sub CA certificate(s) and root CA certificate:

  • PEM: Download certificate chain in PEM format.

  • JKS: Download certificate chain in a Java Keystore format.

  • PKCS#7: Download certificate chain as a certificate-only binary PKCS#7 (CMS) file.

Browser import

Downloads the CA certificate with headers to trigger a browser import.

Download CA Certificate Fingerprint Sheet

To download a YAML text document with the CA Certificate fingerprints of all CAs you have access to, click Download Fingerprints. This is useful during a key ceremony and eliminates the need for downloading CA certificates and computing the fingerprints manually using a third-party tool such as OpenSSL. The fingerprint is computed using SHA-256.

Download CA Certificate Bundle

To download a compressed zip file containing the CA certificates of all CAs you have access to, click Download Certificate Bundle. The certificates in the bundle are provided in binary format (DER).

Role Management

Role management is available in the RA Web as of EJBCA 6.8.0, allowing RA administrators to manage their users and roles without access to the CA. The Role Management tab is visible among the menu items in the RA Web if the logged in administrator has sufficient access rights to manage roles.

RA role management consists of functionality similar to Administrator Roles in the Administrator Web, including:

  • Viewing existing roles and role members

  • Creating new roles and namespaces

  • Adding members to roles

  • Editing end entity permissions

Edit / Create Role

From the RA Web menu, roles can be added or edited through Role Management > Roles . In the edit page, CAs and End Entity Profile, authorized by the logged in administrator are displayed in the Available box. Moving items to the Allowed box will grant corresponding access to the members of the role. Access may also be granted to other RA related operations using th e End Entity permissions options.

Role Members

Members can be added to an existing role or edited through Role Management > Role Members . Similar to the administrator web, options are available select role, match with attribute and select CA to associate the member with.


A new concept introduced to role management is Namespaces. A role may be associated with a namespace which controls visibility of other roles. Members of a role, belonging to a specific namespace may only view other roles belonging to that namespace. In practice this introduces an option to keep multiple roles on the same CA, with separated visibility to different RA administrators. E.g. it might be desired to keep roles of organization A hidden from the administrators of organization B, even though the belong to the same CA.

Managing Namespaces

Through the edit page displayed when editing or creating a new role, the desired namespace to be associated with the role may be selected from the drop down menu at the top of the page. A new namespace can also be created by selecting Create new namespace from the list menu (if the logged in administrator is authorized to do so).