unique DN problem

Help
Wiktor
2012-11-16
2013-02-18
  • Wiktor
    2012-11-16

    Hi,

    I've encountered the following error while generating a new certificate for the end entity:

    INFO   (http-w.x.y.z-443-5) User 'username_new' is not allowed to use same subject DN as the user(s) 'username' is/are using. See setting for 'Enforce unique DN' in Edit Certificate Authorities.

    Steps that lead to an error:
    1) created the end entity called username (the DN consists of: cn, email, givenName, surname, O)
    2) generated a certificate for that end entity
    3) revoked the certificate
    4) revoked and deleted the end entity via the web panel (RA Functions)
    5) created a new end entity called username_new (with the same DN fields as the previously deleted one)
    6) the error occurs while trying to generate a new certificate (Public Web -> Create Keystore)

    Why does the error still occur, even though the certificate was revoked and the end entity was deleted?

    Thanks for your help.

  • Go into "Edit CAs" and select Edit for your CA. Look at the field for "Enforce unique DN". Click on the question mark to bring up the documentation for this option.

    Cheers,
    Tomas


    PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact info@primekey.se for more information.
    http://www.primekey.se/Services/Support/
    http://www.primekey.se/Services/Training/

  • Wiktor
    2012-11-21

    Hi,

    thanks for pointing to the documentation. But why, even after revoking the certificate and then deleting the end entity (I assume, probably wrongly, that deleting those two actually deletes them from the DB (or does it just set some status?)), does the error still occur? Right now, there is no user and no certificate issued previously, so there should be no conflict, am I wrong?

    Best regards,
    W.


  • Anonymous
    2012-11-21

    The problem you ran into is due to the fact that EJBCA does not delete certificates, and these are always associated with an EJBCA user, so if you recreate the user you may run into conflicts unless you disable the check as Tomas described.

    Revoked certificates continue to live inside of EJBCA because they represent certificates that MUST be flagged by CRLs and OCSP.

    Cheers
    Anders
    tech support

  • Wiktor
    2012-11-21

    Thanks for the explanation.

    Best regards,
    W.
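
As an added example (not EJBCA's own code), here is a small Python model of the bookkeeping Anders describes: end-entity rows can be deleted, but certificate rows, revoked or not, are kept because CRLs and OCSP must still list them, so a unique-DN check that looks at certificate rows still finds the old owner. The DN value, the class and the DN normalisation are constructed for illustration and simplified compared to a real CA.

```python
from dataclasses import dataclass, field

def normalize_dn(dn: str) -> frozenset:
    """Order- and case-insensitive DN comparison (simplified: no escaped commas)."""
    return frozenset(rdn.strip().lower() for rdn in dn.split(","))

@dataclass
class CaDatabase:
    """Toy stand-in for a CA database: end-entity rows can be deleted, certificate rows cannot."""
    enforce_unique_dn: bool = True
    end_entities: set = field(default_factory=set)
    certificates: list = field(default_factory=list)  # dicts: username, subject_dn, status

    def conflicting_users(self, username: str, subject_dn: str) -> set:
        """Other usernames already holding this DN, whatever the certificate's status."""
        wanted = normalize_dn(subject_dn)
        return {c["username"] for c in self.certificates
                if normalize_dn(c["subject_dn"]) == wanted and c["username"] != username}

    def issue(self, username: str, subject_dn: str) -> None:
        if username not in self.end_entities:
            raise KeyError(f"no end entity {username!r}")
        others = self.conflicting_users(username, subject_dn) if self.enforce_unique_dn else set()
        if others:
            raise ValueError(f"User {username!r} is not allowed to use same subject DN "
                             f"as the user(s) {sorted(others)}")
        self.certificates.append({"username": username, "subject_dn": subject_dn, "status": "active"})

    def revoke_all(self, username: str) -> None:
        for c in self.certificates:  # revoked rows stay: CRLs and OCSP must still list them
            if c["username"] == username:
                c["status"] = "revoked"

    def delete_end_entity(self, username: str) -> None:
        self.end_entities.discard(username)  # the user row goes; its certificate rows stay

def reproduce_thread(enforce_unique_dn: bool = True) -> str:
    """Steps 1-6 from the thread; returns 'issued' or the error text the check raises."""
    dn = "CN=Wiktor,E=w@example.org,GN=Wiktor,SN=Example,O=Example Org"  # constructed
    db = CaDatabase(enforce_unique_dn)
    db.end_entities.add("username")      # 1) create end entity
    db.issue("username", dn)             # 2) issue its certificate
    db.revoke_all("username")            # 3) revoke it
    db.delete_end_entity("username")     # 4) revoke-and-delete the end entity
    db.end_entities.add("username_new")  # 5) new end entity with the same DN
    try:
        db.issue("username_new", dn)     # 6) the old owner's certificate row is still found
        return "issued"
    except ValueError as exc:
        return str(exc)
```

Running `reproduce_thread()` reproduces the conflict; `reproduce_thread(enforce_unique_dn=False)` issues the certificate, which is the effect of turning off "Enforce unique DN" on the CA.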