To enroll for a certificate using a browser, go to http://your_server_name:servlet_container_port/ejbca/ra (e.g. http://127.0.0.1:8080/ejbca/ra) and select Enroll → Use username. Enter username and enrollment code, click Check and follow the instructions.

To enroll for certificates manually (e.g. for server certificates), go to http://your_server_name:servlet_container_port/ejbca/ra, select Enroll → Use Reqest ID. Enter request ID, click Check and follow the instructions.

Note that application for certificates only work when the status of a user is NEW, FAILED or INPROCESS (one time password thing). The status is set to GENERATED after a certificate has been issued. To issue a new certificate, the status must be reset to NEW, which can be done through the Admin GUI or the CLI.

During batch generation of certificates, users with status NEW or FAILED are generated. This is due to the possibility that a batch generation for some reason failed. If it fails, status is set to FAILED and you can re-try again after resolving the issue.

Suite B/ECC Certificates in Browsers

IE and Firefox do not yet (march 2014) support browser-based ECC certificate enrollment. They always default to RSA regardless of the CA ECC properties.

To install ECC certificates in a browser:

Edit batchtool.proproties file in folder conf: keys.alg=ECDSA, keys.spec=P-384 (or whatever named spec you need).
Set all NEW entity passwords first:

bin/ejbca.sh ra setclearpwrd entity-user entity-pw
Run the following command to process all NEW entities and place the p12 files in the p12 folder (or batch generate for a single user by appending username to batch command):

bin/ejbca.sh batch
Copy the *.p12 files from the p12 directory on the ejbca server.
Install the p12 keystore in your browser.