Please assist me with the following:
I have three servers, all servers have jboss and EJBCA installed.
I have created a new RootCA1 and SubCA1 of RootCA1 on Server1
I have also created SubCAs of SubCA1 on Server2 and Server3.
Server2 has SubCA11 and Server3 has SubCA12.
How do I establish trust between SubCA11 and SubCA12?
Below is the error message I got when a web browser with a certificate issued by SubCA11 connects to an application/web server with a certificate issued by SubCA12:
app1 uses an invalid security certificate.
The certificate is not trusted because no issuer chain was provided.
(Error code: sec_error_unknown_issuer)
Fully normal. You need to understand how your webserver handles trusted certificates. Install SubCA11 as a trusted CA in your webserver.
PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact firstname.lastname@example.org for more information.
Thank you for your response. How do I do that? How do I ensure that SubCA11 is part of the certificate chain installed in the webserver?
How do I ensure trust between SubCA11 and SubCA12, since they are both signed by SubCA1?
The configuration is web-server-specific. In Tomcat you (usually) put all trusted CAs in a JKS-file referred to by "server.xml". This is for example used by EJBCA since JBoss uses Tomcat.
I will look into it, thank you. Where should I do the configuration? Is it on Server1(SubCA1)? Is there documentation that I can look into to get more understanding?
Since this is web-server-specific you should look into the actual web server's guide for configuring SSL/TLS with client-certificate authentication.
I would say that it is non-trivial. If you use Tomcat, looking into EJBCA/JBoss server.xml is also a possibility.
I have imported the certificates into the truststore file defined in server.xml and I still get trust issues. Do I also need to import the certificates into the Java cacerts file?
The question is now: Do you get an EJBCA trust error or does it fail on TLS?
You can test this by logging in to https://yourhost:8443/
BTW, do you get the chance to select certificate?
Try with Firefox, Chrome requires a bit more work.
I think you do not understand my problem.
I am trying to make two external EJBCA subCAs (SubCA11 and SubCA12) trust each other. I don't have issues with accessing the admin web. This is the error message I get:
<IP ADDRESS> uses an invalid security certificate.
I tried reading online and tried other ways to solve the certificate chain issue, but it's not working.
It is true that I don't understand what your problem is :-)
You can login to the admin web with a certificate, yes?
So when do you get the error? And what kind of access do you do then? What client? what server?
I have 3 servers, all servers with JBOSS/EJBCA installed.
Yes, I can log on to the admin web on all servers and create certificates.
Server1(CA1) - has signed server2(CA11) and server3(CA12) - which means that CA11 and CA12 are external subCAs of CA1.
I need certificates created from CA11 and CA12 to trust each other. How do I do that?
I get the error I posted when I use a web server certificate created by CA11 and a browser certificate created by CA12 to establish a secure connection.
So the browser is complaining because it cannot see CA12 in the certificate chain. How do I ensure that I have a correct chain?
"I need certificates created from CA11 and CA12 to trust each other. How do i do that?"
I think this is somewhat strangely expressed. A server or client can be configured to trust one or more CAs.
If you want a Relying Party (server or client) to trust both CAs you need to put the root cert into a truststore.
The client must then contain the client-cert + its associated subCA cert.
Since we are talking about 2-way-auth the opposite is also valid. That is, if you create a TLS cert with CA11 the keystore must contain both CA11 + server-cert.
keytool -v -list -keystore mykeystore.p12 -storetype pkcs12 -storepass yourpassword
is very useful
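The following script is an added example, not code posted in this thread or shipped with EJBCA. It rebuilds the thread's CA layout (RootCA1 -> SubCA1 -> SubCA11 / SubCA12) with throwaway keys using the openssl command line, then shows the two situations the browser error describes: a SubCA12 server certificate checked against a truststore holding only RootCA1 is rejected with "unable to get local issuer certificate" when no intermediates accompany it, and is accepted as soon as the server's chain file carries SubCA12 and SubCA1. The same check is run for a SubCA11 client certificate, which is the 2-way-auth direction the last answer mentions. All file names, CA names and the extension files are made up for the demo; the only requirement is an `openssl` binary (1.1.1 or newer) on PATH.

```shell
#!/bin/sh
# Added example: reproduce the thread's PKI and show why a relying party that
# trusts RootCA1 still needs each side to present its own intermediates.
# Assumes openssl >= 1.1.1; every name and path below is constructed for the demo.
set -eu

# issue_cert DIR NAME ISSUER EXTFILE
# Creates a P-256 key + CSR for NAME and has ISSUER sign it with EXTFILE's extensions.
issue_cert() {
  dir=$1; name=$2; issuer=$3; ext=$4
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/$name.key" -out "$dir/$name.csr" -subj "/CN=$name" 2>/dev/null
  openssl x509 -req -in "$dir/$name.csr" -CA "$dir/$issuer.pem" -CAkey "$dir/$issuer.key" \
    -CAcreateserial -days 365 -extfile "$ext" -out "$dir/$name.pem" 2>/dev/null
}

# build_demo_pki DIR
# RootCA1 -> SubCA1 -> SubCA11 (issues the browser cert) and SubCA12 (issues the server cert).
# Also writes the "full chain" file each side would deploy: leaf + its two intermediates.
build_demo_pki() {
  dir=$1
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' > "$dir/server.ext"
  printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"

  # Self-signed root: CSR signed with its own key, CA extensions from ca.ext.
  openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$dir/RootCA1.key" -out "$dir/RootCA1.csr" -subj "/CN=RootCA1" 2>/dev/null
  openssl x509 -req -in "$dir/RootCA1.csr" -signkey "$dir/RootCA1.key" -days 365 \
    -extfile "$dir/ca.ext" -out "$dir/RootCA1.pem" 2>/dev/null

  issue_cert "$dir" SubCA1  RootCA1 "$dir/ca.ext"
  issue_cert "$dir" SubCA11 SubCA1  "$dir/ca.ext"
  issue_cert "$dir" SubCA12 SubCA1  "$dir/ca.ext"
  issue_cert "$dir" server  SubCA12 "$dir/server.ext"   # what the web server presents
  issue_cert "$dir" browser SubCA11 "$dir/client.ext"   # what the browser presents

  # What each keystore must hold besides the private key: leaf + intermediates up to (not
  # including) the root. Only the root belongs in the other side's truststore.
  cat "$dir/server.pem"  "$dir/SubCA12.pem" "$dir/SubCA1.pem" > "$dir/server-fullchain.pem"
  cat "$dir/browser.pem" "$dir/SubCA11.pem" "$dir/SubCA1.pem" > "$dir/browser-fullchain.pem"
}

# verify_leaf DIR LEAF [INTERMEDIATES]
# Exit 0 if openssl can build a path from LEAF to RootCA1 using only the certificates in
# INTERMEDIATES as untrusted helpers (the equivalent of what the peer sends in the handshake).
verify_leaf() {
  dir=$1; leaf=$2; inter=${3:-}
  if [ -n "$inter" ]; then
    openssl verify -CAfile "$dir/RootCA1.pem" -untrusted "$inter" "$leaf" >/dev/null 2>&1
  else
    openssl verify -CAfile "$dir/RootCA1.pem" "$leaf" >/dev/null 2>&1
  fi
}

# Stand-alone demo: build the PKI in a scratch directory and print both outcomes.
WORK=$(mktemp -d)
build_demo_pki "$WORK"
for side in server browser; do
  printf '%s cert, truststore = RootCA1 only, no intermediates presented: ' "$side"
  verify_leaf "$WORK" "$WORK/$side.pem" && echo OK || echo "rejected (unknown issuer)"
  printf '%s cert, truststore = RootCA1 only, full chain presented:      ' "$side"
  verify_leaf "$WORK" "$WORK/$side.pem" "$WORK/$side-fullchain.pem" && echo OK || echo rejected
done
echo "scratch files in $WORK"
```

The takeaway matches the thread's answers: SubCA11 and SubCA12 never "trust each other". Each relying party trusts RootCA1 (or SubCA1, if the software supports a non-self-signed anchor), and each end presents its own intermediates alongside its leaf. For a JBoss/Tomcat deployment that means the PKCS#12 or JKS keystore named in server.xml holds the server key plus the contents of server-fullchain.pem, while the truststore referenced there holds RootCA1.pem; on the Java side `keytool -importcert -trustcacerts -alias rootca1 -file RootCA1.pem -keystore truststore.jks` does the truststore part, and the `keytool -v -list` command from the answer above lets you confirm that the keystore's chain length is 3 rather than 1.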