>
    Strata Copilot
    Client Authentication Certificate and Root Certificate Chain for CA Connectors
    Focus
    Focus
    1. Home
    2. Next‑Gen Trust Security
    3. Next-Gen Trust Security
    4. Next-Gen Trust Security Overview
    5. Overview: Certificate Issuance
    6. Adding a Certificate Authority
    7. Create a Custom Certificate Authority (CA)
    8. Creating an EJBCA Connector
    9. Client Authentication Certificate and Root Certificate Chain for CA Connectors
    Next‑Gen Trust Security

    Client Authentication Certificate and Root Certificate Chain for CA Connectors

    Table of Contents

    Client Authentication Certificate and Root Certificate Chain for CA Connectors

    When setting up a certificate authority (CA) connector, you need to provide the following:
    • The root certificate, which validates the certificate used by your site.
    • A file containing the client authentication certificate and private key in PKCS#12 or PEM format.
    This topic provides general guidelines to obtain client credential files.

    To export the root certificate

    The following explains how to export the root certificate that proves your CA's certificate can be trusted. The root certificate is required when configuring an EJBCA connector.
    Note: Browser-specific steps - These steps are based on using Firefox, a supported browser for Next-Gen Trust Security. Your steps may vary depending on your browser and operating system.
    1. Open the administration site for EJBCA in a browser such as Firefox.
    2. In the address bar, click the security icon (lock icon).
    3. Click Connection Secure.
    4. Click More Information.
    5. Click View Certificate. The site's certificate and the certificate it chains to are displayed from left to right order. You don't need the CA's certificate; you need the next level up in the chain. There may be several levels of chaining. For example, at the time of publishing, Google.com has four levels, and Venafi.com has three. There will be at least two, likely more.
    6. Click the second tab (from the left).
      If there are only two tabs, then this will also be the last tab.
    7. Scroll down to the Miscellaneous section, then click to Download in PEM (cert) format.
    8. Make note of where the certificate is downloaded, as you'll need it when you set up the EJBCA's CA connector settings in Next-Gen Trust Security.

    About the client authentication certificate and private key

    When using EJBCA, you were required to generate a client authentication certificate when you installed the EJBCA software on your server. Without this client authentication certificate, you can't log in to the admin console.
    You will upload the PKCS#12 or PEM file containing the client authentication certificate to Next-Gen Trust Security during the configuration of the custom certificate authority settings. A PKCS#12 file includes an encrypted private key in the container, while a PEM file must provide the private key in unencrypted text form.
    You can also create additional authentication credentials for each of the CAs listed in the EJBCA server's list of CAs on the CA Activation page. This may be helpful in a case where you don't want to use the super admin client authentication certificate in Next-Gen Trust Security.
    For more information on how to issue TLS client certificates with EJBCA, see the EJBCA documentation.

    What's next?

    With the client authentication certificate and the root certificate saved to your device, you're ready to create a CA connector.

    © 2026 Palo Alto Networks, Inc. All rights reserved.