A professional-grade PKI (Public Key Infrastructure) platform demonstrating Keyfactor EJBCA Community Edition with modern DevOps practices, cloud-native technologies, and enterprise security standards.
This platform demonstrates a production-ready PKI infrastructure with:
- PKI Core: Keyfactor EJBCA CE (Certificate Authority)
- Infrastructure: Terraform-managed Azure resources (AKS, Key Vault, Storage)
- Orchestration: Kubernetes with Helm charts
- Service Mesh: Linkerd for secure service-to-service communication
- Ingress: NGINX Ingress Controller
- GitOps: ArgoCD for declarative deployments
- CI/CD: GitHub Actions with security scanning
- Configuration Management: Ansible for OS provisioning
- Artifact Management: Harbor Registry & JFrog Artifactory
- Security Scanning: Trivy for vulnerability detection
- Observability: Loki for logs, OpenTelemetry for traces
- Cloud Integration: Azure Key Vault & Storage
## Prerequisites

- Azure subscription with appropriate permissions
- kubectl (v1.28+)
- Terraform (v1.6+)
- Ansible (v2.15+)
- Helm (v3.12+)
- Docker (v24+)
- Azure CLI (v2.50+)
- Git
## Quick Start

```bash
# 1. Clone and initialize
git clone <repository-url>
cd EJBCA---Automated-Lab

# 2. Configure Azure credentials
az login
export ARM_SUBSCRIPTION_ID="your-subscription-id"

# 3. Deploy infrastructure
cd terraform
terraform init
terraform plan -out=tfplan
terraform apply tfplan

# 4. Configure kubectl
az aks get-credentials --resource-group ejbca-platform-rg --name ejbca-aks-cluster

# 5. Deploy platform components
cd ../kubernetes
./deploy.sh

# 6. Access EJBCA
kubectl get ingress -n ejbca
```
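Before step 3 it is worth confirming that the tooling on the workstation meets the minimums listed under Prerequisites, since a stale `kubectl` or `terraform` tends to fail half-way through an apply. The pre-flight check below is an added example, not one of the lab's own scripts: the `version_ge` comparison, the `check_tool`/`preflight` helpers and the tool table are constructed here, while the version commands are the tools' real ones. It also confirms that `ARM_SUBSCRIPTION_ID` from step 2 is exported.

```shell
#!/bin/sh
# Added example, not one of the lab's scripts: pre-flight check for the tool
# minimums listed under Prerequisites, run before `terraform init`.
set -eu

# version_ge VERSION MINIMUM: succeed when VERSION >= MINIMUM, comparing up to
# three numeric fields; a leading "v" and suffixes such as "+g3a31588" are ignored.
version_ge() {
  v="${1#v}.0.0"; m="${2#v}.0.0"   # pad so every field exists
  i=1
  while [ "$i" -le 3 ]; do
    vp=$(printf '%s' "$v" | cut -d. -f"$i" | sed 's/[^0-9].*//'); vp=${vp:-0}
    mp=$(printf '%s' "$m" | cut -d. -f"$i" | sed 's/[^0-9].*//'); mp=${mp:-0}
    if [ "$vp" -gt "$mp" ]; then return 0; fi
    if [ "$vp" -lt "$mp" ]; then return 1; fi
    i=$((i + 1))
  done
  return 0
}

# extract_version TEXT: first dotted number in a tool's version banner.
extract_version() { printf '%s\n' "$1" | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1; }

# check_tool NAME MINIMUM COMMAND: prints one status line; fails when the tool
# is missing, its version cannot be parsed, or it is older than MINIMUM.
check_tool() {
  name=$1; min=$2; cmd=$3
  if ! command -v "$name" >/dev/null 2>&1; then
    echo "MISSING  $name (need >= $min)"; return 1
  fi
  found=$(extract_version "$(sh -c "$cmd" 2>/dev/null || true)")
  if [ -z "$found" ]; then
    echo "UNKNOWN  $name: could not parse version output"; return 1
  fi
  if version_ge "$found" "$min"; then
    echo "OK       $name $found (>= $min)"
  else
    echo "TOO OLD  $name $found (need >= $min)"; return 1
  fi
}

# preflight: runs every check; returns the number of failures (0 = ready).
# Minimums are the ones from the Prerequisites list; git has none stated, so 0.
preflight() {
  failures=0
  while IFS='|' read -r name min cmd; do
    check_tool "$name" "$min" "$cmd" || failures=$((failures + 1))
  done <<'EOF'
kubectl|1.28|kubectl version --client
terraform|1.6|terraform version
ansible|2.15|ansible --version
helm|3.12|helm version --short
docker|24|docker --version
az|2.50|az version
git|0|git --version
EOF
  if [ -z "${ARM_SUBSCRIPTION_ID:-}" ]; then
    echo "UNSET    ARM_SUBSCRIPTION_ID (quick start step 2)"; failures=$((failures + 1))
  fi
  return "$failures"
}

if preflight; then
  echo "All prerequisites satisfied."
else
  echo "Resolve the items above before running terraform init."
fi
```

Run it from the repository root after `az login`; a non-zero exit from `preflight` means at least one line above it needs attention.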
## Project Structure

```text
├── README.md                     # This file
└── EJBCA---Automated-Lab/        # Main project directory
    ├── docs/                     # Comprehensive documentation
    │   ├── ANALYSIS-REPORT.md
    │   ├── BASTION-SETUP-GUIDE.md
    │   ├── DYNAMIC-IP-SOLUTIONS.md
    │   ├── SECURITY-FIXES-CHECKLIST.md
    │   └── ejbca-features.md
    ├── terraform/                # Infrastructure as Code
    │   ├── main.tf
    │   ├── variables.tf
    │   ├── outputs.tf
    │   ├── aks.tf
    │   ├── networking.tf
    │   ├── keyvault.tf
    │   ├── storage.tf
    │   └── compute.tf
    ├── ansible/                  # Configuration Management
    │   ├── playbooks/
    │   │   ├── windows-server-2025.yml
    │   │   ├── rhel-latest.yml
    │   │   └── common-setup.yml
    │   └── inventory/
    ├── kubernetes/               # K8s Manifests
    │   ├── observability/
    │   ├── ingress-nginx/
    │   ├── linkerd/
    │   ├── harbor/
    │   └── artifactory/
    ├── helm/                     # Helm Charts
    │   └── ejbca-ce/
    ├── argocd/                   # GitOps Configurations
    │   ├── applications/
    │   └── projects/
    ├── .github/                  # CI/CD Pipelines
    │   └── workflows/
    ├── scripts/                  # Utility Scripts
    │   ├── deploy.sh
    │   ├── demo-scenarios.sh
    │   ├── apply-security-fixes.sh
    │   └── update-my-ip.sh
    └── configs/                  # Application Configs
        └── ejbca/
```
## EJBCA Features

- Root CA and Sub CA hierarchy
- Multiple certificate profiles
- End entity profiles
- Certificate issuance workflows
- ACME (Automated Certificate Management Environment)
- EST (Enrollment over Secure Transport)
- SCEP (Simple Certificate Enrollment Protocol)
- CMP (Certificate Management Protocol)
- Web Services API (SOAP/REST)
- Issuance and enrollment
- Renewal and revocation
- CRL (Certificate Revocation List) generation
- OCSP (Online Certificate Status Protocol) responder
- HSM integration (Azure Key Vault)
- Certificate transparency logging
- Custom certificate extensions
- Publisher for certificate distribution
- Key recovery and archival
- Role-based access control (RBAC)
- Audit logging
- Administrator approval workflows
- Backup and restore procedures
## Security

- Network Security: Linkerd mTLS between services
- Secret Management: Azure Key Vault integration
- Image Scanning: Trivy in CI/CD pipeline
- Ingress Security: TLS termination with NGINX
- RBAC: Kubernetes RBAC and EJBCA role-based access
## Observability

- Logging: Loki for centralized log aggregation
- Tracing: OpenTelemetry for distributed tracing
- Metrics: Prometheus metrics exposure
- Dashboards: Grafana for visualization
## CI/CD Pipeline

1. Code changes pushed to GitHub
2. GitHub Actions validates and tests
3. Trivy scans for vulnerabilities
4. Artifacts published to Harbor/Artifactory
5. ArgoCD detects changes and syncs
6. Kubernetes applies configurations
## Environments

### Development

- Single node with minimal resources
- In-cluster databases
- Development certificates

### Staging

- Multi-node cluster
- External managed databases
- Valid staging certificates
- High-availability configuration

### Production

- Azure-managed services (Database, Key Vault)
- Production-grade certificates
- Disaster recovery setup
## Documentation

- QUICKSTART Guide - Fast track deployment
- EJBCA Features Guide - Complete feature demos
- Security Analysis Report - Performance & security analysis
- Implementation Guide - Detailed setup steps
- Azure Bastion Setup - Secure VM access
- Dynamic IP Solutions - IP management options
- Security Fixes Checklist - Security improvements
## Author

Adrian Johnson

Email: adrian207@gmail.com

Enterprise PKI & Cloud Infrastructure Specialist
This is a demonstration lab environment. Feel free to adapt and extend for your use case.
## License

MIT License - See LICENSE file for details
## Important Notes

- This is a lab/demo environment - adapt security settings for production
- Review all default passwords and credentials before deployment
- Ensure compliance with your organization's security policies
- Back up CA keys and certificates securely
Status: Active Development | Version: 1.0.0 | Last Updated: October 2025