See below for troubleshooting CA Gateway issues related to EJBCA enrollment.

EJBCA authentication failures

If you see authentication errors when enrolling certificates with an EJBCA certificate authority:

  1. Verify the client certificate was issued by ManagementCA.
  2. Verify the administrator was added as a member of the role with the correct match criteria.
  3. Check that the role has access to the required CAs and End Entity Profiles.

See Configuring and issuing the EJBCA client certificate for details on each operation.

EJBCA SSL/TLS connection failures

If you see SSL/TLS connection errors when enrolling certificates with an EJBCA certificate authority:

  1. Verify the trust store file path is correct.
  2. Verify the EJBCA hostname matches the SSL certificate.
  3. Check that the trust store contains the correct CA certificates.
  4. For password-less JKS files, ensure trust-store-password is empty or omitted.

See EJBCA properties for details on the configuration parameters.
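
The following Python code is an added example, not part of CA Gateway or EJBCA. It covers checks 1, 3 and 4 above for a JKS trust store: it confirms the file is a JKS, returns the SHA-256 fingerprint of each trusted certificate for comparison with the EJBCA CA certificate, and tests whether the configured password (empty by default) matches the store's integrity digest. The names inspect_truststore and build_sample are hypothetical, the sample store is constructed with placeholder bytes in place of real certificates, and the code assumes the store holds only trusted-certificate entries.

```python
import hashlib
import struct

MAGIC, SALT = 0xFEEDFEED, b"Mighty Aphrodite"  # JKS magic and digest constant

def jks_digest(password: str, body: bytes) -> bytes:
    # JKS integrity check: SHA-1(UTF-16BE password + constant + store body)
    return hashlib.sha1(password.encode("utf-16-be") + SALT + body).digest()

def inspect_truststore(data: bytes, password: str = "") -> dict:
    """Return trusted-cert SHA-256 fingerprints by alias and whether the password fits."""
    body, stored = data[:-20], data[-20:]
    if len(body) < 12 or struct.unpack_from(">I", body)[0] != MAGIC:
        raise ValueError("not a JKS file: check the trust store path and type")
    version, count = struct.unpack_from(">II", body, 4)
    pos, certs = 12, {}

    def take(fmt: str) -> bytes:
        # Read one length-prefixed field (">H" for strings, ">I" for blobs).
        nonlocal pos
        (n,) = struct.unpack_from(fmt, body, pos)
        pos += struct.calcsize(fmt) + n
        return body[pos - n:pos]

    for _ in range(count):
        (tag,) = struct.unpack_from(">I", body, pos)
        pos += 4
        alias = take(">H").decode("utf-8", "replace")
        pos += 8  # creation timestamp
        if tag != 2:  # assumption: a trust store holds only trusted-cert entries
            raise ValueError(f"{alias}: not a trusted-certificate entry")
        if version == 2:
            take(">H")  # certificate type string, e.g. "X.509"
        certs[alias] = hashlib.sha256(take(">I")).hexdigest()
    return {"certs": certs, "password_ok": jks_digest(password, body) == stored}

def build_sample(aliases, password: str = "") -> bytes:
    """Constructed sample store; the DER bytes are placeholders, not real certificates."""
    body = struct.pack(">III", MAGIC, 2, len(aliases))
    for name in aliases:
        raw, der = name.encode(), b"\x30\x03\x02\x01\x00" + name.encode()
        body += struct.pack(">IH", 2, len(raw)) + raw + struct.pack(">Q", 0)
        body += struct.pack(">H", 5) + b"X.509" + struct.pack(">I", len(der)) + der
    return body + jks_digest(password, body)

if __name__ == "__main__":
    print(inspect_truststore(build_sample(["managementca"])))
```

To check a real file, pass its bytes (read in binary mode) and the value configured for trust-store-password. A password_ok of False with an empty password means the store was saved with a password.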

EJBCA certificate issuance failures

If certificates fail to issue with an EJBCA certificate authority:

  1. Verify the End Entity Profile has access to the requested certificate profile.
  2. Verify the certificate profile is configured for the desired key usage and extensions.
  3. Check that Subject Alternative Names (SANs) are enabled in the End Entity Profile (if using SANs).
  4. Review EJBCA logs for detailed error messages.