Setting up EJBCA with multiple CAs
==================================

This guide will install EJBCA from scratch, setting up one initial administrative CA and
one production CA.
The administrative CA is only used for the super administrator, who can create other CAs.
This CA is not exposed to users and other administrators.

Installing EJBCA
----------------

Installation of EJBCA is done with the install.sh script. This will create an initial Root CA.
You can call this AdminCA. The certificates for the super administrator and for the Tomcat server
are issued by this CA.
Follow the regular installation instructions to the point where you can access the admin GUI as
superadmin.

Creating the production CA (ProdCA)
-----------------------------------

If you want the certificates from the production CA published in LDAP, start by creating a new publisher
with 'Edit publishers'. Consult HOWTO-LDAP.txt for help with this.
Create your production CA with the admin GUI. This is done with 'Edit Certificate Authorities'.
If the CA will use a publisher, select your publisher as 'CRL Publishers'.
The ProdCA can for example have the DN 'CN=ProdCA,O=Foo,DC=bigcorp,dc=com'.

Creating an administrator for ProdCA
------------------------------------

If the default certificate profile does not fulfill your requirements, start by creating new certificate
profiles and end entity profiles for use by ProdCA.
Add a new end entity with the administrator's DN etc. The CA should be ProdCA, and don't forget to check the
'Administrator' checkbox.
Issue the certificate for the administrator.
Create a new administrator group for the CA, for example 'CA Administrators', and edit the access rules as you like.
Add the new administrator to the admin group by selecting for example 'CN' in the drop-down list and giving
the administrator's CN.
You can also use other attributes such as the certificate serial number etc.

Export the CA certificate for ProdCA to a file from 'Basic Functions'->'Download PEM file'; save it as ca.pem
or similar.
Import the CA certificate into Java's trust keystore with a command like:

keytool -import -trustcacerts -keystore $JAVA_HOME/jre/lib/security/cacerts -file ca.pem -alias prodca

The password for the file cacerts is 'changeit'. You should consider changing this to something more secure:

keytool -storepasswd -new new_pwd -storepass changeit -keystore $JAVA_HOME/jre/lib/security/cacerts

Restart JBoss for the new settings to take effect.
Now you can connect to the admin GUI using the newly created administrator certificate from ProdCA.
However, the site certificate presented to your admins (and to other users using the SSL connection on port 8442
without a client certificate) still exposes the AdminCA certificate, since the Tomcat SSL certificate is signed
by the AdminCA.

Creating a new SSL cert for Tomcat
----------------------------------

Find the user 'tomcat' by searching by username on the 'List/Edit End Entities' page, and choose Edit End Entity.
Look in the file $JBOSS_HOME/server/default/deploy/jbossweb-tomcat50.sar/server.xml and find the current
password in the attribute 'keystorePass' in the SSL sections. Alternatively, you can set your own password for
the user tomcat, and change the passwords in server.xml.
Change the CA to your ProdCA so that the tomcat certificate is issued by this CA. Set status to NEW, save and close.
Batch generate a new keystore for tomcat. Copy the file $EJBCA_HOME/p12/tomcat.jks to $JBOSS_HOME/bin, replacing
the old file there.
On Linux/UNIX systems Tomcat might want the tomcat.jks file to be executable. In that case, modify the permissions
of the file when it is put in place.
Restart JBoss. Now the SSL pages expose the ProdCA certificate, and you can connect to the admin GUI as either
the newly generated ProdCA administrator or the original SuperAdmin.
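The truststore step in "Creating an administrator for ProdCA" is easy to get wrong: whatever file lands in cacerts becomes trusted by every Java process on the host. The script below is an added example, not part of the EJBCA HOWTO; it checks that the exported file is exactly one certificate, prints its fingerprint so it can be compared with the one shown in the admin GUI, and only then runs the two keytool commands from the text. The function names, the alias 'prodca' and the cacerts path are assumptions for this example.

```shell
#!/bin/sh
# Added example (not EJBCA's own code): guarded import of the exported ProdCA
# certificate into Java's trust store, followed by replacing the default password.
set -eu

# Count PEM certificate blocks in a file; prints 0 for a missing or empty file.
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -c '^-----BEGIN CERTIFICATE-----' "$1" || true
}

# Import one CA certificate into a trust store.
# Refuses anything that is not exactly one certificate, so a chain, an HTML
# error page or an empty download never ends up trusted by accident.
# Usage: import_ca_cert ca.pem prodca "$JAVA_HOME/jre/lib/security/cacerts" changeit
import_ca_cert() {
    pem="$1"; ca_alias="$2"; keystore="$3"; storepass="$4"
    n=$(pem_cert_count "$pem")
    if [ "$n" != "1" ]; then
        echo "refusing to import $pem: expected 1 certificate, found $n" >&2
        return 1
    fi
    # Print the fingerprint so it can be compared with the CA page in the admin GUI.
    keytool -printcert -file "$pem" | grep -i 'SHA'
    keytool -import -trustcacerts -noprompt -keystore "$keystore" \
        -storepass "$storepass" -file "$pem" -alias "$ca_alias"
}

# Replace the well-known default trust store password ('changeit').
# Usage: change_store_password "$JAVA_HOME/jre/lib/security/cacerts" changeit 'new_pwd'
change_store_password() {
    keystore="$1"; oldpass="$2"; newpass="$3"
    keytool -storepasswd -keystore "$keystore" -storepass "$oldpass" -new "$newpass"
}

# Typical run (assumes JAVA_HOME is set and ca.pem was downloaded from EJBCA):
# import_ca_cert ca.pem prodca "$JAVA_HOME/jre/lib/security/cacerts" changeit
# change_store_password "$JAVA_HOME/jre/lib/security/cacerts" changeit 'a-long-random-password'
```

Restart JBoss afterwards, exactly as the text says; the new trust anchor is only read at startup.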