2024-06-27
EJBCA can be set up to operate as an Ephemeral Certificate Authority (CA). In this mode, EJBCA still enforces certificate policy compliance while issuing certificates at high speed, without storing any record of them in the database. Unlike long-lived certificates, ephemeral certificates are intended to exist for a short period, reducing the risk of misuse if compromised. With EJBCA, you can also revoke these ephemeral certificates.
In this tutorial video, Sven Rajala demonstrates how to configure EJBCA to create an ephemeral CA to issue ephemeral device certificates. The focus is on zero-trust environments, which stipulate that every connection should be verified each time it is made. The certificates are valid for one to three weeks, and it should be possible to revoke them and validate their revocation using OCSP. This allows network access to be blocked when a certificate is revoked, without the need to store every certificate in the database.
Sven demonstrates the process of handling Certificate Signing Requests (CSRs), issuing certificates, performing OCSP checks, and managing revocations. The tutorial emphasizes the ease of creating an ephemeral CA that issues short-lived certificates without overloading the database, while still being able to revoke certificates to manage network access.
Simply follow our tutorial and try it out today: