I had already installed EJBCA on a dedicated host.
Now, I set up an OCSP responder on a second host. I followed the instructions described in :
I generated the OCSP signer end entity on the CA. I had put the certificate .p12 on the OCSP host in /home/ejbca/keys.
I always see this error message in the JBoss logs:
ERROR [SigningEntityContainer] No valid keys. Key directory /home/ejbca/keys. No P11 defined.
When I try to query the responder, I get the same errors:
16:25:36,163 ERROR [SigningEntityContainer] No valid keys. Key directory /home/ejbca/keys. No P11 defined.
16:25:36,189 ERROR [OCSPServletBase] Unable to find CA certificate and key to generate OCSP response.
16:25:36,190 ERROR [OCSPServletBase] Error processing OCSP request. Message: Unable to find CA certificate and key to generate OCSP response..
javax.servlet.ServletException: Unable to find CA certificate and key to generate OCSP response.
I don't understand the "Responder signing keys" section on ejbca.org.
Can you explain to me how to generate the right certificate for the OCSP responder?
Which files have to be in the keys directory?
How can I get the CA certificate into the OCSP database?
Thanks for your help.
Do you have the CA and OCSP responder certificates in the database on the OCSP responder?
Otherwise, debug logging in the JBoss server.log will give you more details on what is found and loaded at startup of the responder.
Thanks for your answer.
No, they are not in the OCSP database.
So I have to publish them on the OCSP responder, and I should see them in the CertificateData table?
I will try to activate debug in jboss-log4j.xml for more details.
I have published the OCSP certificate.
How can I publish the CA certificate to the OCSP database?
Can you help me activate debug on JBoss?
Select the OCSP publisher as "CRL Publisher" in the CA (Edit CA).
Read about some log4j configuration of JBoss in:
Thank you again for your help.
I have a question related to the OCSP responder database:
If I create a new CA with OCSP publication in the CA profile, the CA certificate is automatically published to the OCSP database during the creation.
If we want to import an existing CA in EJBCA, it means "import CA certificate" on the adminweb interface. How can I publish the CA certificate to the OCSP database?
In general, how can we publish the CA certificate of an existing CA to the OCSP responder?
I refer you to our documentation, http://www.ejbca.org/userguide-ocsp.html#Populating the OCSP responder database
Developer, Primekey Solutions