
Synchronizing the VA Database

Once you have an operational EJBCA instance dedicated as a VA, the next step is to synchronize its database. During this process, you will also configure publishing operations between the CA and VA.

The VA database acts as the master database for standalone VA installations, and it is where the master CA publishes certificates when they are issued or revoked.

Using the EJBCA Peer Publisher (recommended)

ENTERPRISE

For information on setting up an outgoing peer connector, see Adding an Outgoing Peer Connection; for information on how to set up a Peer Publisher, see Setting up a Validation Authority Peer Publisher.

Synchronize the VA

If you are setting up a new VA for an existing PKI (with already issued certificates), synchronize the new VA to match the current state.

  1. In the CA UI, go to Peer Systems.

  2. Click Manage for the peer connector representing the VA and select the Certificate Data Synchronization tab.

  3. Configure the relevant subset of information to synchronize.

  4. Click Start to begin the synchronization as a background task. You can monitor progress either from this view or from the Peer Systems overview.

Required Access Rules

The connecting system needs to be authorized to the following access rules to synchronize data and push missing or outdated certificate entries:

/peerincoming

/peerpublish/readcert

/peerpublish/writecert

/ca/[CAName]
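The synchronization described above exists because a VA whose database lags behind the CA answers OCSP requests from stale data; the worst case is a certificate revoked on the CA that the VA still records as active. The following script is an added example, not part of the EJBCA documentation or code base: it compares two exports of certificate status rows (assumed to be the fingerprint, status, revocationDate and revocationReason columns of EJBCA's CertificateData table, with the assumed status codes 20 = active and 40 = revoked) and reports what a synchronization run would have to push. The fingerprints and rows in the sample exports are constructed.

```python
"""Compare certificate status exports from a CA and a VA database.

Added example, not EJBCA code. Assumptions: the exports are CSV with the
columns fingerprint,status,revocationDate,revocationReason (a subset of
EJBCA's CertificateData table) and status uses 20 = active, 40 = revoked.
"""
import csv
import io
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Assumed EJBCA status codes for CertificateData.status
CERT_ACTIVE = 20
CERT_REVOKED = 40


@dataclass(frozen=True)
class CertRecord:
    fingerprint: str        # certificate fingerprint, the table's primary key
    status: int             # CERT_ACTIVE / CERT_REVOKED
    revocation_date: int    # epoch milliseconds, -1 when not revoked
    revocation_reason: int  # RFC 5280 reason code, -1 when not revoked


# Constructed sample exports: one from the CA, one from a VA that has
# missed some publishing events.
SAMPLE_CA_EXPORT = """fingerprint,status,revocationDate,revocationReason
0a0a0a0a,20,-1,-1
0b0b0b0b,40,1700000000000,1
0c0c0c0c,20,-1,-1
0d0d0d0d,40,1700000001000,0
"""

SAMPLE_VA_EXPORT = """fingerprint,status,revocationDate,revocationReason
0a0a0a0a,20,-1,-1
0b0b0b0b,20,-1,-1
0d0d0d0d,40,1700000001000,0
0e0e0e0e,20,-1,-1
"""


def parse_export(text: str) -> List[CertRecord]:
    """Parse a CSV export (header row required) into CertRecord objects."""
    reader = csv.DictReader(io.StringIO(text))
    return [
        CertRecord(
            row["fingerprint"],
            int(row["status"]),
            int(row["revocationDate"]),
            int(row["revocationReason"]),
        )
        for row in reader
    ]


def index_by_fingerprint(rows: Iterable[CertRecord]) -> Dict[str, CertRecord]:
    return {r.fingerprint: r for r in rows}


def diff_ca_va(ca_rows: Iterable[CertRecord],
               va_rows: Iterable[CertRecord]) -> Dict[str, List[str]]:
    """Classify every fingerprint as in sync, missing on the VA, outdated on
    the VA (status or revocation data differs) or unknown to the CA."""
    ca = index_by_fingerprint(ca_rows)
    va = index_by_fingerprint(va_rows)
    report: Dict[str, List[str]] = {
        "missing_on_va": [], "outdated_on_va": [], "unknown_on_ca": []}
    for fp, ca_rec in ca.items():
        va_rec = va.get(fp)
        if va_rec is None:
            report["missing_on_va"].append(fp)
        elif (va_rec.status, va_rec.revocation_date, va_rec.revocation_reason) != (
                ca_rec.status, ca_rec.revocation_date, ca_rec.revocation_reason):
            report["outdated_on_va"].append(fp)
    for fp in va:
        if fp not in ca:
            report["unknown_on_ca"].append(fp)
    for key in report:
        report[key].sort()
    return report


def dangerous_entries(ca_rows: Iterable[CertRecord],
                      va_rows: Iterable[CertRecord]) -> List[str]:
    """Fingerprints revoked on the CA but still active on the VA. An OCSP
    responder backed by this VA would answer 'good' for these."""
    va = index_by_fingerprint(va_rows)
    return sorted(
        r.fingerprint for r in ca_rows
        if r.status == CERT_REVOKED
        and r.fingerprint in va
        and va[r.fingerprint].status == CERT_ACTIVE
    )


if __name__ == "__main__":
    ca_rows = parse_export(SAMPLE_CA_EXPORT)
    va_rows = parse_export(SAMPLE_VA_EXPORT)
    for key, fps in diff_ca_va(ca_rows, va_rows).items():
        print(f"{key}: {fps}")
    print("revoked on CA but active on VA:", dangerous_entries(ca_rows, va_rows))
```

To run it against a real pair of databases, replace the two constructed exports with the output of the same four-column query on each side and compare the `outdated_on_va` and `dangerous_entries` lists before and after a synchronization run; an empty result on both is the state the Certificate Data Synchronization task is meant to reach.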


Using the Legacy VA Publisher

ENTERPRISE

If the VA functions as an OCSP responder, configure a data source bound to the JNDI name java:/OcspDS in JBoss.

The VA data source should not be involved in transactions (a no-tx-datasource in JBoss), and should have auto-commit enabled (default in JBoss).

Using the CRL Download and CRL Update Service

This is the common option when using EJBCA as a VA performing OCSP services for a non-EJBCA CA.

The CRL Download and CRL Update Service is configured on the VA to periodically download CRLs from a URL and use them to populate the VA database.

For detailed configuration steps, see the relevant section in OCSP Management.
