TLS=later and self signed TLS EJBCA docker #449
maxwellchandler started this conversation in General
Replies: 1 comment
In the documentation we have added more information about relevant directories. You can find there that /mnt/external/secrets/tls/ks and /mnt/external/secrets/tls/ts contain the TLS keystores, it is these that APPSERVER_KEYSTORE_SECRET and APPSERVER_TRUSTSTORE_SECRET. You can overlay mount your own and use the correct password for these.
How can I use "later" mode but replace the self-signed auto TLS cert it makes on the admin portal with one that has been made by a management CA I have on another server? I don't like that this cert says "keyfactor docker quickstart" under organization, but I don't know how to get around this. I also want the TLS cert to be signed by my management CA, I don't want it to be self-signed. Or am I just overthinking this and it does not really matter in a proxy production setup?
Also, with regard to the password used to activate the initial crypto token, I don't know how to change it from the default of "ejbca".
I tried setting APPSERVER_KEYSTORE_SECRET and APPSERVER_TRUSTSTORE_SECRET, this led to a "secure connection failed".
I tried mounting a custom cesecore.properties file, this led to an "authorization denied".