RA Profiles
Certificate Lifecycle Management

When it comes to Public Key Infrastructure (PKI) integration, many systems struggle with correct and secure implementation of certificate management and validation. The expertise required to understand all aspects of using a PKI is often lacking, which is one of the reasons such systems become vulnerable. A service-based PKI can help.

Service-based approach

Abstraction of PKI tasks and agility

Fast integration of use-cases

Easy maintenance of the PKI

Solution

RA Profiles is an add-on for EJBCA for easy, transparent, and secure integration with clients that need to manage certificates. Specifically, RA Profiles:

  • Provide a higher-level abstraction on top of EJBCA configuration using a bundle of service attributes
  • Introduce agility – change the service configuration on the fly, without impact on integrated clients or EJBCA
  • Streamline integration procedures and reduce time and costs needed to enable clients to use certificates

Abstraction of configuration

RA Profiles provides a configuration of the integration point based on the following attributes:

EJBCA attributes:

  • End Entity Profile
  • Certificate Profile
  • Certification Authority Name
  • Initial Status of End Entities
  • Token Type

Additional attributes:

  • RA Profile Name
  • RA Keystore
  • Keystore Credentials
  • Description

Agility in certificate management

The abstraction of the EJBCA attributes gives us control over what changes on the EJBCA side, as well as control over the integrated services and authorized clients.

Without interrupting the operation of the public key infrastructure, we can change the service behaviour (change of the issuing CA, change of certificate or end entity attributes, signing algorithms, etc.).

With this approach we get all the benefits of an agile PKI. Just as important, we do not need to place many requirements on the client side to make these changes happen.
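A minimal model of the indirection described above, as an added example (not code from RA Profiles or EJBCA): the client sends only an RA Profile name and a CSR, and the server resolves the EJBCA attributes after checking that the client certificate is authorized for that profile. The class names, the request fields `raProfileName` and `csr`, the fingerprints and all attribute values are assumptions made for illustration.

```python
from dataclasses import dataclass, asdict, replace

@dataclass(frozen=True)
class RAProfile:
    # The five EJBCA attributes listed on the page; values used below are constructed.
    end_entity_profile: str
    certificate_profile: str
    ca_name: str
    initial_status: str
    token_type: str

class ProfileRegistry:
    """Hypothetical server-side store: profiles by name, clients by cert fingerprint."""
    def __init__(self):
        self.profiles = {}
        self.authorized = {}  # profile name -> set of client certificate fingerprints

    def put(self, name, profile):
        # Creating or updating a profile never touches existing client authorizations.
        self.profiles[name] = profile
        self.authorized.setdefault(name, set())

    def authorize(self, name, fingerprint):
        self.authorized[name].add(fingerprint)

    def resolve(self, fingerprint, request):
        """Expand a client request into full issuance parameters."""
        name = request.get("raProfileName")
        # Unknown profile and unauthorized client fail identically (no name oracle).
        if fingerprint not in self.authorized.get(name, ()):
            raise PermissionError("client not authorized for this RA Profile")
        # The client may not steer CA, profiles or token type: reject extra fields.
        if set(request) != {"raProfileName", "csr"}:
            raise ValueError("request must contain exactly raProfileName and csr")
        return {"csr": request["csr"], **asdict(self.profiles[name])}

def demo():
    reg = ProfileRegistry()
    reg.put("web-tls", RAProfile("WebServerEE", "TLSServer", "IssuingCA-A",
                                 "NEW", "USERGENERATED"))
    reg.authorize("web-tls", "ab:cd:01")  # constructed fingerprint
    req = {"raProfileName": "web-tls", "csr": "<PEM CSR placeholder>"}
    before = reg.resolve("ab:cd:01", req)
    # Operator switches the issuing CA; the client's request stays byte-for-byte the same.
    reg.put("web-tls", replace(reg.profiles["web-tls"], ca_name="IssuingCA-B"))
    after = reg.resolve("ab:cd:01", req)
    return before["ca_name"], after["ca_name"]
```

Rejecting unexpected fields, rather than silently ignoring them, surfaces clients that try to select a CA or profile directly instead of going through the named RA Profile.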

Streamlined integration

From the integrator's point of view, the process is simple: we only need to know the RA Profile Name, and all other attributes are not relevant to us. All we require is:

  • REST API endpoint URL
  • RA Profile Name
  • Client certificate for authentication and authorization

Nothing more, nothing less. Integration typically goes through the following simple steps:

  1. prepare the service and RA Profile
  2. register and authorize the client to consume the RA Profile service
  3. implement client REST API calls to the RA Profiles
  4. start consuming the service

    PrimeKey and EJBCA are trademarks of PrimeKey Solutions AB.