Configure EJBCA for Public Access

The following covers how to enable public access to the EJBCA RA UI and to the EJBCA CA UI.

Enabling Public Access to the EJBCA RA UI

An RA or CA can be configured for public access using a PublicAccessAuthenticationToken. Public access allows anyone to navigate to the RA UI without having to present a client certificate (this would normally be port 8442 instead of 8443 if you have set up EJBCA with 3-port separation as described in the application server configuration instructions).

You can configure EJBCA for public access either using the CA UI or the EJBCA CLI.

In the CA UI

To configure EJBCA public access, go to System Functions → Roles and Access Rules and add a new member to any role. The member should have Match with set to one of the following:

  • PublicAccessAuthenticationToken: Any transport (HTTP or HTTPS)

  • PublicAccessAuthenticationToken: Non-confidential transport (HTTP)

  • PublicAccessAuthenticationToken: Confidential transport (HTTPS)


Next, click Access Rules for that role and then go to Advanced Mode. You're going to need to give this role the following access rights:

  • Access to the CAs and End Entity Profiles that you wish to be publicly accessible

  • Access to /ra_functionality/create_end_entity/

This will produce a minimal enrollment interface for anybody to use.


In the EJBCA CLI

To configure EJBCA for public access using the CLI, run the following:

./ejbca.sh roles addrolemember --caname "" --role "Super Administrator Role" --value "" --with PublicAccessAuthenticationToken:TRANSPORT_ANY

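This will disable client certificate authentication in EJBCA for the RA. Because the command adds the public access member to the Super Administrator Role, every visitor who reaches the RA UI without a certificate is matched to that role; outside a test installation, add the member to a role that is restricted to the access rules listed under "In the CA UI" instead.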

Enabling Public Access to the EJBCA CA UI

Please note that this operation would make the CA UI publicly available to any party and would in almost all cases cause a gaping security risk. Make sure you know what you're doing before disabling the web.reqcert property.

To disable all authentication checking to the CA UI, set web.reqcert=false in conf/web.properties and recompile.
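
To confirm that a deployment has not ended up with this setting unintentionally, a configuration check can read the effective web.reqcert value before a build. The script below is an added example, not part of the EJBCA documentation or code base; the function names, the sample file contents and the assumption that an unset property defaults to true are illustrative.

```shell
#!/bin/sh
# Added example (not from the EJBCA project): audit a web.properties file
# for the web.reqcert setting described above.

# Print the effective web.reqcert value. Like java.util.Properties, the last
# assignment in the file wins and '=', ':' or blanks may separate key/value.
# Assumption: an unset property means the default, taken here to be "true".
effective_reqcert() {
    awk '
        /^[ \t]*[#!]/ { next }                      # skip comment lines
        /^[ \t]*web\.reqcert([ \t=:]|$)/ {
            v = $0
            sub(/^[ \t]*web\.reqcert[ \t]*[=:]?[ \t]*/, "", v)
            sub(/[ \t\r]+$/, "", v)                 # trailing blanks / CR
            val = tolower(v); seen = 1
        }
        END { print (seen ? val : "true") }
    ' "$1"
}

# Exit status 0 only when client certificates are still required.
# Any value other than "true" is treated as a finding (conservative choice).
reqcert_enforced() {
    [ -r "$1" ] || { echo "cannot read $1" >&2; return 2; }
    [ "$(effective_reqcert "$1")" = "true" ]
}

# Constructed sample input: a commented default followed by an override.
sample=$(mktemp)
printf '%s\n' '# web.reqcert=true' 'httpsserver.hostname=ca.example.test' \
    ' web.reqcert = False ' > "$sample"

if reqcert_enforced "$sample"; then
    echo "OK: CA UI requires a client certificate"
else
    echo "FINDING: web.reqcert=$(effective_reqcert "$sample") in $sample"
fi
rm -f "$sample"
```

In a build pipeline, call reqcert_enforced on conf/web.properties and stop the build on a non-zero exit status.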