EJBCA, JEE PKI Certificate Authority

Hi,

so I take it that you want to move the installation from an old
installation using the built in HSQL database to a new installation with
PostgreSQL?

Depending on how many certificates you have issued it can be more or
less time consuming.
- To move the CA keys and certificate you can upgrade the existing
installation to a version where you can easily export and import the CA
(.p12). I'm not sure which version this is available in, see the changelogs.

- To move the user certificates you have to export the certificates and
username and revocation information so you can use the 'ejbca.sh ra
importcert...' command. There is no ready available command for this
though. If you have not issued very many certificate you can do it
manually. If you have issued many certificates you will have to write a
small program to do it.

I hope this helps.

Cheers,
Tomas
-----
PrimeKey Solutions offers a commercial EJBCA support subscription and
training for EJBCA. Please see http://www.primekey.se or contact
info@... for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/

Andrea wrote:
> Hi all,
> 
> i'm running an old version of ejbca ( 3.4.3 ) using user-cert in .p12 
> format.
> 
> Now i've succesfully set-up in a test server a new version (  3.9.1 ) 
> configured to store certs in a postgresql DB.
> 
> Now i've to export the certs from the old ( production) ejbca to the new 
> one, which will be the new-prodution env.
> 
> 
> Which is the correct way of doing this ??
> 
> Do i have to use command-line commands ( i.e. ejbca.sh script ) ??
> 
> Any help will be greatly appreciated !!!
> 
> --Andrea
> 
> ------------------------------------------------------------------------------
> Throughout its 18-year history, RSA Conference consistently attracts the
> world's best and brightest in the field, creating opportunities for Conference
> attendees to learn about information security's most important issues through
> interactions with peers, luminaries and emerging and established companies.
> http://p.sf.net/sfu/rsaconf-dev2dev
> _______________________________________________
> Ejbca-develop mailing list
> Ejbca-develop@...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop

Tomas Gustavsson ha scritto:
> Hi,
>
> so I take it that you want to move the installation from an old
> installation using the built in HSQL database to a new installation with
> PostgreSQL?
>   
Yes, i'm moving  in this direction
> Depending on how many certificates you have issued it can be more or
> less time consuming.
>   
..'till now i deployed almost 50-60 certs
> - To move the CA keys and certificate you can upgrade the existing
> installation to a version where you can easily export and import the CA
> (.p12). I'm not sure which version this is available in, see the changelogs.
>   
yes, for the CA i know i can use cli commands to export and then 
re-import in the new install
> - To move the user certificates you have to export the certificates and
> username and revocation information so you can use the 'ejbca.sh ra
> importcert...' command. There is no ready available command for this
> though. If you have not issued very many certificate you can do it
> manually. If you have issued many certificates you will have to write a
> small program to do it.
>   
..I suppose that this is my big problem.
I mean: how can i manage to export the users stuffs ( certificates, 
username, revocation info ) from the HsqlDB manually ??
I don't mind to do it manually ( or writing some shell code ), but my 
doubt is HOW ???
All the users info are created ( and stored ) in .p12 format in the DB.
How can i connect and get-out these info from the DB ???
Can you give some hints on this ???
> I hope this helps.
>
> Cheers,
>   
...Thanks a lot

--Andrea

Aha. The certificates, and revocation information, are stored in the
table CertificateData. The user information is stored in the table UserData.

If you did not use KeyRecovery, where the private key is generated and
kept by the CA, this is all you need.
You can even search for the users in the GUI, download the certificate
and not down the username and revocation information, and then import
the certificates using the 'bin/ejbca.sh ca importcert' command.
This command does not need much information:
-----
$ bin/ejbca.sh ca  importcert
Description: Imports a certificate file to the database
Usage: ca importcert <username> <password> <caname> <status> <email>
<certificate file> <endentityprofile> [<certificateprofile>]
-----

Otherwise you could also look in the HSQL database, the database scripts
are stored in JBOSS_HOME/server/default/data/hypersonic/localDB.script.

Fro this information you could actually create sql-scripts to improt
everything in you postgreSQL database.
The most important data are in UserData and CertificateData.

I guess also the CertificateProfileData and EndEntityProfileData might
be interesting, but the profiles can also be exported and imported using
CLI commands. The CLI commands takes care of somethings if the new
configuration is different, so that is probably recommended to use the
cli for the profiles.

Cheers,
Tomas
-----
PrimeKey Solutions offers a commercial EJBCA support subscription and
training for EJBCA. Please see http://www.primekey.se or contact
info@... for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/

Andrea wrote:
> Tomas Gustavsson ha scritto:
>> Hi,
>>
>> so I take it that you want to move the installation from an old
>> installation using the built in HSQL database to a new installation with
>> PostgreSQL?
>>   
> Yes, i'm moving  in this direction
>> Depending on how many certificates you have issued it can be more or
>> less time consuming.
>>   
> ..'till now i deployed almost 50-60 certs
>> - To move the CA keys and certificate you can upgrade the existing
>> installation to a version where you can easily export and import the CA
>> (.p12). I'm not sure which version this is available in, see the changelogs.
>>   
> yes, for the CA i know i can use cli commands to export and then 
> re-import in the new install
>> - To move the user certificates you have to export the certificates and
>> username and revocation information so you can use the 'ejbca.sh ra
>> importcert...' command. There is no ready available command for this
>> though. If you have not issued very many certificate you can do it
>> manually. If you have issued many certificates you will have to write a
>> small program to do it.
>>   
> ..I suppose that this is my big problem.
> I mean: how can i manage to export the users stuffs ( certificates, 
> username, revocation info ) from the HsqlDB manually ??
> I don't mind to do it manually ( or writing some shell code ), but my 
> doubt is HOW ???
> All the users info are created ( and stored ) in .p12 format in the DB.
> How can i connect and get-out these info from the DB ???
> Can you give some hints on this ???
>> I hope this helps.
>>
>> Cheers,
>>   
> ...Thanks a lot
> 
> --Andrea
> 
> ------------------------------------------------------------------------------
> Throughout its 18-year history, RSA Conference consistently attracts the
> world's best and brightest in the field, creating opportunities for Conference
> attendees to learn about information security's most important issues through
> interactions with peers, luminaries and emerging and established companies.
> http://p.sf.net/sfu/rsaconf-dev2dev
> _______________________________________________
> Ejbca-develop mailing list
> Ejbca-develop@...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop

Tomas Gustavsson ha scritto:
> Andrea wrote:
>   
>> Tomas Gustavsson ha scritto:
>>     
>>> Aha. The certificates, and revocation information, are stored in the
>>> table CertificateData. The user information is stored in the table
>>> UserData.
>>>
>>> If you did not use KeyRecovery, where the private key is generated and
>>> kept by the CA, this is all you need.
>>> You can even search for the users in the GUI, download the certificate
>>> and not down the username and revocation information, and then import
>>> the certificates using the 'bin/ejbca.sh ca importcert' command.
>>>   
>>>       
>> ...You mean download the user-cert in PEM format from the GUI and then
>> re-import it in the new CA as is ??
>>     
>
> Yes. This way has been used to migrate from other CA products to EJBCA,
> so it should work for migration from another EJBCA as well :-)
>
>
>   
>>> This command does not need much information:
>>> -----
>>> $ bin/ejbca.sh ca  importcert
>>> Description: Imports a certificate file to the database
>>> Usage: ca importcert <username> <password> <caname> <status> <email>
>>> <certificate file> <endentityprofile> [<certificateprofile>]
>>>   
>>>       
>> using importcert do i need to provide all the above parameters ?? ( i.e.
>> <passwd> <caname> <status> etc etc ?? ).
>> If yes, which is the pasword ??
>> Is the one-time password used to crypt the .p12 file created when
>> "adding" a new end-entity ??
>> If yes, where can i find it ??
>>     
>
> The password is simply any password you want to set. It can be a random
> string, or a fixed password.
>
>   
Hi Tomas,
i made some tests using your tips in this way:
1) Download from the GUI the user-cert in PEM format
2) copied it to the server which is running the new ejbca install ( with 
postgresql )
3) tried to import the cert with the corresponding CA

i used this command

./ejbca.sh ca importcert arussos "" OvpnCA ACTIVE 
arussos@... arussos.pem "Ovpn Client Generator NG" "OpenVPNNG"

As you can see, i used an empty password and issued also End Entity 
Profile ( Ovpn Client Generator NG ) and the Certificate Profile ( 
OpenVPNNG ).

Unfortunately it exit with this error:

"Error: Autogenerated password must have password==null"

I think it complains about the fact that i set up the "End Entity 
Profile" with the "Autogenerated Pasword" selected, is it true ???

Also, if i import the cert without the "End Entity Profile" and the 
"Autogenerated Pasword", it successfully import it; but, obviously, when 
i look at the user "End Entity Profile" from the GUI it sees it as "EMPTY".

Is there a way to solve this problem ???

Thanks a lot,

--Andrea

Yes, that should be easy to fix, simply use something not empty, or 
temporarily remove the "autogenerated" feature from the profile.


Cheers,
Tomas


Andrea wrote:
> Tomas Gustavsson ha scritto:
>> Andrea wrote:
>>  
>>> Tomas Gustavsson ha scritto:
>>>    
>>>> Aha. The certificates, and revocation information, are stored in the
>>>> table CertificateData. The user information is stored in the table
>>>> UserData.
>>>>
>>>> If you did not use KeyRecovery, where the private key is generated and
>>>> kept by the CA, this is all you need.
>>>> You can even search for the users in the GUI, download the certificate
>>>> and not down the username and revocation information, and then import
>>>> the certificates using the 'bin/ejbca.sh ca importcert' command.
>>>>         
>>> ...You mean download the user-cert in PEM format from the GUI and then
>>> re-import it in the new CA as is ??
>>>     
>>
>> Yes. This way has been used to migrate from other CA products to EJBCA,
>> so it should work for migration from another EJBCA as well :-)
>>
>>
>>  
>>>> This command does not need much information:
>>>> -----
>>>> $ bin/ejbca.sh ca  importcert
>>>> Description: Imports a certificate file to the database
>>>> Usage: ca importcert <username> <password> <caname> <status> <email>
>>>> <certificate file> <endentityprofile> [<certificateprofile>]
>>>>         
>>> using importcert do i need to provide all the above parameters ?? ( i.e.
>>> <passwd> <caname> <status> etc etc ?? ).
>>> If yes, which is the pasword ??
>>> Is the one-time password used to crypt the .p12 file created when
>>> "adding" a new end-entity ??
>>> If yes, where can i find it ??
>>>     
>>
>> The password is simply any password you want to set. It can be a random
>> string, or a fixed password.
>>
>>   
> Hi Tomas,
> i made some tests using your tips in this way:
> 1) Download from the GUI the user-cert in PEM format
> 2) copied it to the server which is running the new ejbca install ( with 
> postgresql )
> 3) tried to import the cert with the corresponding CA
> 
> i used this command
> 
> ./ejbca.sh ca importcert arussos "" OvpnCA ACTIVE 
> arussos@... arussos.pem "Ovpn Client Generator NG" "OpenVPNNG"
> 
> As you can see, i used an empty password and issued also End Entity 
> Profile ( Ovpn Client Generator NG ) and the Certificate Profile ( 
> OpenVPNNG ).
> 
> Unfortunately it exit with this error:
> 
> "Error: Autogenerated password must have password==null"
> 
> I think it complains about the fact that i set up the "End Entity 
> Profile" with the "Autogenerated Pasword" selected, is it true ???
> 
> Also, if i import the cert without the "End Entity Profile" and the 
> "Autogenerated Pasword", it successfully import it; but, obviously, when 
> i look at the user "End Entity Profile" from the GUI it sees it as "EMPTY".
> 
> Is there a way to solve this problem ???
> 
> Thanks a lot,
> 
> --Andrea