End Entity to multiple CAs

2016-07-18
  • Will Stezenko

    Will Stezenko - 2016-07-18

    Hi,
    I am currently evaluating the community edition of EJBCA. I have set up a 3 tier PKI environment consisting of a root, a sub and 3 issuing CAs.

                      rootCA
                        |
    -------------------SubCA------------------
    |                    |                   |
    issuing1         issuing2          issuing3
    

    I have set up the required end entity and certificate profiles and I am using the ejbca.sh cli to register new end entities and create certificates for these users.

    The issue that I have is that despite multiple CAs being available to the end entity (as defined in the profile) there is no switch available (that I can see) within the ejbca.sh createcert command that allows you to specify the CA you would like to sign & issue the cert. It appears to always use the default CA defined in the end entity profile.

    Below is the list of my commands I am issuing:

    /opt/ejbca_ce_6_3_1_1/bin/ejbca.sh ra addendentity user1 --dn "CN=certificate for user1 " --caname "Issuing CA01" --type 1 --password p4SSw0rd --certprofile CertProfile1 --eeprofile EndEntityProfile1 --token USERGENERATED

    openssl genrsa -out ~/domain.com.ssl/privkey.key 2048 && openssl req -new -sha256 -key ~/domain.com.ssl/privkey.key -subj "/CN=Certificate for User1" -out ~/domain.com.ssl/req.csr

    /opt/ejbca_ce_6_3_1_1/bin/ejbca.sh createcert --username user1 --password p4SSw0rd -c ~/domain.com.ssl/req.csr -f ~/csr/Cert1.cer && cat ~/csr/Cert1.cer | awk 'NR>2'

    Does anyone know how I can overcome this restriction or if my process is wrong?


    Last edit: Will Stezenko 2016-07-18
  • Roman

    Roman - 2016-07-18

    Hi Will,

    You should understand that the options you have defined in the end entity profile are specified when you are adding a new entity into EJBCA through the addendentity command.

    Then you are issuing a certificate to the end entity as it is registered in EJBCA.

    See in your example that you have, in the addendentity command, the --caname switch set to Issuing CA01. In that case, when you issue a certificate for that end entity, it would be issued from Issuing CA01.

    So in general, these specifics must be configured at the end entity level before issuing the certificate.
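    A check to go with Roman's answer, added here and not part of the thread: since the issuing CA is fixed when the end entity is registered with addendentity, the thing to verify after createcert is the issuer of the certificate you got back, and to issue from a different CA the end entity has to be registered (or edited) with a different --caname first. The script below is POSIX shell and assumes only that openssl is on PATH; the throwaway "Issuing CA01" and the leaf certificate it generates are constructed stand-ins for EJBCA's output so the check can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread or from EJBCA): confirm which CA
# actually issued a certificate returned by `ejbca.sh createcert`.
# Assumes only that `openssl` is installed.
set -e

# Print the issuer CN of a PEM certificate, e.g. "Issuing CA01".
# RFC2253 name formatting gives a stable "CN=..." layout across versions.
issuer_cn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 \
        | sed -n 's/.*CN *= *\([^,]*\).*/\1/p'
}

# Succeed only if the certificate's issuer CN equals the expected CA name.
# Usage on the thread's output: issued_by ~/csr/Cert1.cer "Issuing CA01"
issued_by() {
    [ "$(issuer_cn "$1")" = "$2" ]
}

# Build a throwaway CA and a leaf certificate in $1 so the check can be
# exercised offline. These are constructed stand-ins for what EJBCA would
# issue for user1 from "Issuing CA01"; keys are short-lived and unencrypted.
make_sample() {
    dir=$1
    mkdir -p "$dir"
    # Self-signed CA with the same name the thread uses.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=Issuing CA01" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" >/dev/null 2>&1
    # User key and CSR, mirroring the openssl step from the question.
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=Certificate for User1" \
        -keyout "$dir/user1.key" -out "$dir/user1.csr" >/dev/null 2>&1
    # Sign the CSR with the CA, standing in for `ejbca.sh createcert`.
    openssl x509 -req -in "$dir/user1.csr" \
        -CA "$dir/ca.pem" -CAkey "$dir/ca.key" -CAcreateserial \
        -days 1 -sha256 -out "$dir/user1.pem" >/dev/null 2>&1
}
```

    If issued_by fails against the CA you expected, the end entity was registered against a different --caname; re-register it (or edit it) with the right CA and run createcert again, which is the ordering Roman describes above.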

