The RA is installed as part of the EJBCA installation and after setting up a CA on localhost for example, the RA UI will be available on https://localhost:8443/ejbca/ra/.

To install the RA as an external service, install EJBCA with an external Management CA (from your EJBCA CA) and then configure a Peer Connection from the CA to the RA. For more information, see Installing EJBCA with external administrators and Peer Systems.

Setting Up a New RA

To set up a new RA polled by the CA, perform the following steps. Note that this does not describe a complete installation procedure for any use case.

Step 1: On the CA, do the following:

  1. Issue a TLS keystore ant truststore for the RA server from the Management CA:

    • keystore with correct dnsName and/or IP.

    • truststore with the Management CA CA certificate.

  2. Add the issued TLS certificate for the RA to a Role on the CA. Note that the Super Administrator Role in production should not be used.

Step 2: On the RA, do the following:

  1. Configure web.reqcertindb=false in conf/

  2. Configure the RA JBoss with TLS and database connection.

  3. Deploy EJBCA on the RA JBoss (ant deployear).

  4. Initialize EJBCA using the same superadmin as on the CA:

    bin/ ca importcacert ManagementCA ManagementCA.cacert.pem -initauthorization -superadmincn SuperAdmin

    You can now access the Admin GUI on the RA.

  5. Go to Peer Systems and check Allow incoming connections.

Step 3: On the CA, do the following:

  1. Create an internal key binding for authenticating the TLS connection to the RA, issue a certificate for it and activate.

  2. Create a Peer Connector to the RA and select Process incoming requests.

  3. Click Ping to ping the Peer Connector and create a connection to the RA.

Step 4: On the RA, do the following:

  1. Click Peer Systems to open incoming connection to authorize.

  2. Click Create Role.

  3. Select Create new Role and click Select.

  4. Select Accept long hanging connections.

  5. Ensure that Accept RA Requests is cleared.

  6. Select Access Management CA and select a CA for which you have imported a CA certificate to the RA.

  7. Click Create new Role.

On the CA, you can now see multiple statuses on the peer connector towards the RA.


You can use multiple RA servers to provide higher availability or increase performance. The RA itself is stateless and therefore any user can access any RA server to perform their tasks, as long as it is an RA with the same privileges. For more information, see Security Features in EJBCA RA.

A user session against the RA UI uses HTTPS sessions, and are typically pinned to a certain node by a load balancer. An RA node must always service one CA cluster, but it does not matter which particular node in the CA cluster that serves a request as long as they all have a common view of the CA database.