I've just installed EJBCA v4.0.10 and I was wondering whether it is possible to create a new CA with the option "Signed by an external CA". It looks like it's possible only if this is done in the Admin Console. I thought I could deal with this by creating a SUBCA signed by an EJBCA CA and then calling the WS method caRenewCertRequest(). This function sets the CA to the "Waiting for Activation" state, but all attempts to set a certificate signed by a W2008 PKI fail: "Could not Create ExternalCAService". Is there any option to deal with this?
This is technically feasible but unless there are some very special requirements I would stick to the GUI/CLI methods.
Anyway, it is not clear when you get the error. The entire stack-trace is needed.
Here is the StackTrace:
[#|2013-01-21T16:14:37.907+0100|INFO|sun-appserver2.1|com.sun.xml.ws.server.sei.EndpointMethodHandler|_ThreadID=14;_ThreadName=httpSSLWorkerThread-8181-2;|Could not Create ExternalCAService 1046427939.
org.ejbca.core.EjbcaException: Could not Create ExternalCAService 1046427939.
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at $Proxy57.receiveResponse(Unknown Source)
As you can see, the problem occurs when calling the receiveResponse method: once the CSR is generated and well formatted by an external PKI, this method crashes. The cause is that the function receiveResponse evaluates whether the CA is signed by an external CA, but using ejbca.sh this is not possible, because the ejbca.sh ca init command only accepts ROOT CA or SUBCA profiles, and when SUBCA is selected, the parameter <signedby> must correspond to an existing EJBCA CA id; otherwise it doesn't work.
What do you mean by GUI/CLI? Is there any way to connect to EJBCA besides ejbca.sh and EjbcaWS? I was looking for additional documentation for the EJB-based client, but with no result.
Is there any way to obtain the state of a CA without using the admin console?
Thank you very much.
"What do you mean by GUI/CLI? Is there any way to connect to EJBCA besides ejbca.sh and EjbcaWS? I was looking for additional documentation for the EJB-based client, but with no result."
Surfing to http://ejbca_host:8080/ejbca with a web-browser should give an answer to that :-)
Thanks, but I'm trying to create a Java-based client, avoiding browsers, and that was the first step I performed at the beginning of my EJBCA quest.
EJBCA was designed for the web.
I don't know how you could create profiles without a browser to take one example.
If the Java approach is the only one possible, studying the code is AFAIK the only way forward.