EJBCA superadmin.p12 has expired

Help
2014-01-23
2014-01-29
  • Scott Wilson
    2014-01-23

    Hello and thanks in advance for any help!

    I am a contractor assigned to documenting the EJBCA environment within the company I am currently helping.

    I am new to EJBCA so please bear with me.

    I know the steps to creating a new superadmin.p12 should the old one expire or need to be renewed.

    ./ejbca.sh ra setuserstatus superadmin 10  # this sets its status to NEW so it can be changed
    ./ejbca.sh ra setclearpwd superadmin <my new password>  # this sets the new password for superadmin
    ./ejbca.sh batch superadmin  # this tells the batch to process the changes for superadmin, or user passed

    My questions are: The company has 2 EJBCA servers that work in a load-balanced environment. Also, there is an
    HSM managing the keystore. If I run the above commands on one of the EJBCA servers to generate a new
    superadmin.p12 file to import into IT/OPS browsers for access to the Admin GUI, do the commands above
    update that one EJBCA server I ran it on, or does it go to the HSM and update the public/private key there,
    then put the superadmin.p12 on the box I ran the scripts from?

    What I want to document and know is: if I run this on one box, will it impact the current running environment
    in any way, other than generating me a new superadmin key? Will all the existing keys etc. continue to work
    without any further tasks needed? Will this new superadmin.p12, once imported into the IT/OPS browsers, grant
    them access to both the EJBCA servers' admin GUI?

    Again, thank you, in advance, for any help!

     
  • Quite advanced question, with load balancing etc. I can recommend an EJBCA training to learn more about clustering EJBCA :-)

    Not knowing how their cluster is set up, EJBCA should use a "shared database" clustering model, meaning that what you do in one EJBCA is reflected in the database on all other EJBCA nodes.
    There are hundreds of other different ways to do things though, depending on specific requirements, and you can get it working according to how you want the work-flow, network layout etc. to be.

    Cheers,
    Tomas


    PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact info@primekey.se for more information.
    http://www.primekey.se/Services/Support/
    http://www.primekey.se/Services/Training/

     
  • Scott Wilson
    2014-01-29

    Thank you, I was/am mainly concerned with the ramifications of running the:
    ./ejbca.sh ra setuserstatus superadmin 10  # this sets its status to NEW so it can be changed
    ./ejbca.sh ra setclearpwd superadmin  # this sets the new password for superadmin
    ./ejbca.sh batch superadmin  # this tells the batch to process the changes for superadmin, or user passed

    commands, if they impact anything currently running, or simply create a new superadmin. I'm looking into documenting and adding unique users to have for each admin.

    Thanks for your help!

     
  • It creates a new certificate only.
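
The thread starts from a superadmin.p12 that had already expired. As an added example (not from the posters or the EJBCA project), this shell check reports when the certificate inside a PKCS#12 keystore is about to lapse, so the renewal commands above can be run ahead of time. The function names, the `P12_PASS` variable and the exit codes are assumptions of this example.

```shell
#!/bin/sh
# Exit codes (this example's own convention):
#   0 = valid beyond the warning window   1 = expires within the window
#   2 = already expired                   3 = keystore unreadable
# The keystore password is read from the exported environment variable
# P12_PASS (a name chosen for this example), keeping it off the command line.

p12_expiry_status() {
    p12_file=$1
    warn_days=${2:-30}

    [ -r "$p12_file" ] || return 3

    # Extract only the client certificate; the private key is never output.
    cert=$(openssl pkcs12 -in "$p12_file" -nokeys -clcerts \
               -passin env:P12_PASS 2>/dev/null) || return 3
    [ -n "$cert" ] || return 3

    # -checkend N exits non-zero if the certificate expires within N seconds.
    printf '%s\n' "$cert" |
        openssl x509 -noout -checkend 0 >/dev/null 2>&1 || return 2
    printf '%s\n' "$cert" |
        openssl x509 -noout -checkend $((warn_days * 86400)) \
            >/dev/null 2>&1 || return 1
    return 0
}

# Build a throwaway keystore (constructed sample; the CN is made up) so the
# check can be tried without touching a real superadmin.p12.
make_sample_p12() {
    out=$1 days=$2
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days "$days" \
        -subj "/CN=sample-admin" -keyout "$dir/k.pem" -out "$dir/c.pem" \
        >/dev/null 2>&1 &&
    openssl pkcs12 -export -inkey "$dir/k.pem" -in "$dir/c.pem" \
        -passout env:P12_PASS -out "$out" >/dev/null 2>&1
    rc=$?
    rm -rf "$dir"
    return $rc
}
```

With OpenSSL 3, a keystore protected with older algorithms may need `-legacy` added to the `openssl pkcs12` call before it can be read.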