OCSP responder : ERROR [SigningEntityContainer] No valid keys. ... No P11 defined

Help
Ben etoo
2013-09-12
2013-11-19
  • Ben etoo
    2013-09-12

    Hi everyone,

    I had already installed EJBCA on a dedicated host.
    Now, I set up an OCSP responder on a second host. I followed the instructions described in:
    http://ejbca.org/installation-ocsp.html#Building%20and%20configuring%20EJBCA

    I generated the OCSP signer end entity on CA. I had put the certificate .p12 on the OCSP host in /home/ejbca/keys.

    I always see this error message in the JBoss logs:
    ERROR [SigningEntityContainer] No valid keys. Key directory /home/ejbca/keys. No P11 defined.

    When I try to request the responder, I have the same errors:
    16:25:36,163 ERROR [SigningEntityContainer] No valid keys. Key directory /home/ejbca/keys. No P11 defined.
    16:25:36,189 ERROR [OCSPServletBase] Unable to find CA certificate and key to generate OCSP response.
    16:25:36,190 ERROR [OCSPServletBase] Error processing OCSP request. Message: Unable to find CA certificate and key to generate OCSP response..
    javax.servlet.ServletException: Unable to find CA certificate and key to generate OCSP response.

    I don't understand the "Responder signing keys" section on ejbca.org.

    Can you explain to me how to generate the right certificate for the OCSP responder?
    Which files have to be in the keys directory?
    How can I have the CA certificate in the OCSP database?

    Thanks for your help.

    Regards,

    Benetoo

     
  • Do you have the CA and OCSP responder certificates in the database on the OCSP responder?

    Otherwise debug logging in JBoss server.log will give you more details on what is found and loaded at startup of the responder.

    Cheers,
    Tomas

     
  • Ben etoo
    2013-09-12

    Thanks for your answer.

    No, they are not in the OCSP database.
    So I have to publish them on the OCSP responder and I should see them in the CertificateData table?

    I will try to activate debug in jboss-log4j.xml for more details.

    Regards,

    Benetoo

     
  • Ben etoo
    2013-09-13

    I have published the OCSP certificate.
    How can I publish the CA certificate on the OCSP database?

    Can you help me to activate debug on JBoss?

    Regards,

    Benetoo

     
  • Select the OCSP publisher as "CRL Publisher" in the CA (Edit CA).

    Read about some log4j configuration of JBoss in:
    http://wiki.ejbca.org/ejbca-install#toc4

    Cheers,
    Tomas

     
  • Ben etoo
    2013-11-19

    Hi everyone,

    Thank you again for your help.
    I have a question linked to the OCSP responder database:
    If I create a new CA with OCSP publication in the CA profile, the CA certificate is automatically published on the OCSP database during the creation.
    If we want to import an existing CA in EJBCA, it means "import CA certificate" on the adminweb interface. How can I publish the CA certificate on the OCSP database?
    In general, how can we publish the CA certificate of an existing CA on the OCSP responder?
    Thanks.

    Regards,

    Benetoo