Applying Custom Certificate Extensions after CA creation

[chriso2025]

I am currently using the Community Edition v9.3.7 and building EJBCA from source.

My scenario is I created a bash script that builds and installs EJBCA into a Wildfly instance. The script creates a CA specifying a certificate profile with my settings. After installation, I then create 2 custom certificate extensions, Policy Mappings and Inhibit Any. I edit the certificate profile that is assigned to the CA and select both of those to apply using 'Used Custom Certificate Extensions'.

Using the RA Web page I download the P7C bundle for the CA certificate and I do not see extensions for 'Policy Mappings' or 'Inhibit Any' in the certificate. In the UI for the 'Certificate Authority' if I click the 'renew ca' button and then download and examine the P7C bundle then I see both of those extensions. This just does not seem correct to me, creating and them immediately renewing.

What are correct steps to have a CA use the 'custom extensions' after creation?

Also, I am not able to find documentation regarding the 'CA Life Cycle'.

Thanks in advance.

[primetomas]

By definition a signed certificate can not be altered, so it is expected that already issued certificates are not affected by changes to a profile. A profile affects how new certificates are issued.
Thus, certificate profiles need to be configured before a certificate is issued. In your case before the CA is created if you want the first certificate to be issued with your custom extensions. Otherwise, using "renew CA" is fully logical, it will create a new certificate based on the new profile. But the best process is:

1. create desired profiles
2. create CA

You can find a bunch of CA life cycle advice under Managing CAs in the documentation. https://docs.keyfactor.com/ejbca/latest/managing-cas