Creating External CA from ejbca.sh

2013-01-21
2013-02-18
  • Hello,

    I've just installed EJBCA v4.0.10 and I was wondering whether it is possible to create a new CA with the option "Signed by an external CA". It looks like it's possible only if this is done in the Admin Console. I thought I could deal with this by creating a SUBCA signed by an EJBCA CA and then calling the WS method caRenewCertRequest(). This function sets the CA to the "Waiting for Activation" state, but all attempts to set a certificate signed by a W2008 PKI fail: "Could not Create ExternalCAService". Is there any option to deal with this?

    Thanks 

     

  • Anonymous
    2013-01-22

    Hi,
    This is technically feasible but unless there are some very special requirements I would stick to the GUI/CLI methods.
    Anyway, it is not clear when you get the error.  The entire stack-trace is needed.

    Cheers
    Anders
    tech support

     
  • Here is the StackTrace:

    [#|2013-01-21T16:14:37.907+0100|INFO|sun-appserver2.1|com.sun.xml.ws.server.sei.EndpointMethodHandler|_ThreadID=14;_ThreadName=httpSSLWorkerThread-8181-2;|Could not Create ExternalCAService 1046427939.
    org.ejbca.core.EjbcaException: Could not Create ExternalCAService 1046427939.
            at org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean.receiveResponse(CAAdminSessionBean.java:1024)
            at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
            at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
            at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
            at java.lang.reflect.Method.invoke(Method.java:616)
            at com.sun.enterprise.security.application.EJBSecurityManager.runMethod(EJBSecurityManager.java:1011)
            at com.sun.enterprise.security.SecurityUtil.invoke(SecurityUtil.java:175)
            at com.sun.ejb.containers.BaseContainer.invokeTargetBeanMethod(BaseContainer.java:2920)
            at com.sun.ejb.containers.BaseContainer.intercept(BaseContainer.java:4011)
            at com.sun.ejb.containers.EJBLocalObjectInvocationHandler.invoke(EJBLocalObjectInvocationHandler.java:197)
            at com.sun.ejb.containers.EJBLocalObjectInvocationHandlerDelegate.invoke(EJBLocalObjectInvocationHandlerDelegate.java:83)
            at $Proxy57.receiveResponse(Unknown Source)
            at org.ejbca.core.protocol.ws.EjbcaWSHelper.caCertResponse(EjbcaWSHelper.java:800)
            at org.ejbca.core.protocol.ws.EjbcaWS.caCertResponse(EjbcaWS.java:860)

    As you can see, the problem occurs when calling the receiveResponse method: once the CSR is generated and well formatted by an external PKI, this method crashes. The cause is that the function receiveResponse evaluates whether the CA is signed by an external CA, but using ejbca.sh this is not possible, because the ejbca.sh ca init command only accepts ROOT CA or SUBCA profiles, and when SUBCA is selected, the parameter <signedby> must correspond to an existing EJBCA CA id; otherwise it doesn't work.

    What do you mean by GUI/CLI? Is there any way to connect to EJBCA besides ejbca.sh and EjbcaWS? I was looking for additional documentation for the EJB-based client but with no result.

    Is there any way to obtain the state of a CA without using the admin console?

    Thank you very much.

    Regards, Emiliano

     

  • Anonymous
    2013-01-24

    "What do you mean by GUI/CLI? Is there any way to connect to EJBCA besides ejbca.sh and EjbcaWS? I was looking for additional documentation for the EJB-based client but with no result."

    Surfing to http://ejbca_host:8080/ejbca with a web-browser should give an answer to that :-)

    Cheers,
    Anders
    tech support

     
  • Thanks, but I'm trying to create a Java-based client, avoiding browsers, and that was the first step I performed at the beginning of my EJBCA quest.

    Bye

     

  • Anonymous
    2013-01-24

    Hi Emiliano,

    EJBCA was designed for the web.
    I don't know how you could create profiles without a browser to take one example.

    If the Java approach is the only one possible, studying the code is AFAIK the only way forward.

    Cheers,
    Anders
    tech support