Hello my dears,
I have changed something on my CA's crypto tokens. With keystore enrollment I get the following error.
...
EJBCA Certificate Enrollment Error
Username: lam.intern.example.com
Exception:
org.cesecore.certificates.certificate.CertificateCreateException: java.security.SignatureException: certificate does not verify with supplied key
...
Do you have any idea what I'm doing wrong?
Greetings from Stefan Harbich
Last edit: Stefan Harbich 2021-07-01
Hello,
Unfortunately I cannot find the error. Do you have a tip on what I can do?
Greetings from Stefan Harbich
Hello,
I can also no longer generate a CRL. Then the following error message appears:
...
2021-07-06 10:59:24,096 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-26) 2021-07-06 10:59:24+02:00;CRL_CREATION;FAILURE;CRL;CORE;CN=SuperAdmin;394721366;;;msg=Error creating CRL for CA ManagementCA, message: Error verifying CRL to be returned..
2021-07-06 10:59:24,097 ERROR [org.jboss.as.ejb3.invocation] (default task-26) WFLYEJB0034: EJB Invocation failed on component CrlCreateSessionBean for method public abstract byte[] org.cesecore.certificates.crl.CrlCreateSession.generateAndStoreCRL(org.cesecore.authentication.tokens.AuthenticationToken,org.cesecore.certificates.ca.CA,java.util.Collection,int,int) throws org.cesecore.keys.token.CryptoTokenOfflineException,org.cesecore.authorization.AuthorizationDeniedException: javax.ejb.EJBTransactionRolledbackException: Error creating CRL for CA ManagementCA, message: Error verifying CRL to be returned..
...
Greetings from Stefan Harbich
It looks like you've changed the CA private key.
Try to renew your CA.
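As an added illustration (not EJBCA code and not from anyone in this thread) of why the enrollment error and the CRL error above have the same cause, the following Go program rebuilds the situation with the standard library: a CA certificate issued for one key pair, a crypto token that now holds a different key pair, and the two checks that fail until the CA is renewed. The names ManagementCA and lam.intern.example.com are taken from the thread; all key pairs are generated in the program and stand in for a token's signKey.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Constructed scenario, not EJBCA code: every key pair here is generated on the fly and
// plays the role of the signKey on one crypto token.

// newKey generates a fresh P-256 key pair (one crypto-token signKey).
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// selfSignedCA issues a CA certificate for signer's key, which is what "ca renewca" produces
// once the CA is bound to a token that actually holds the key.
func selfSignedCA(cn string, signer *ecdsa.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &signer.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// keyMatchesCert is the first thing to check: does the key on the token belong to the
// public key inside the stored CA certificate?
func keyMatchesCert(cert *x509.Certificate, key *ecdsa.PrivateKey) bool {
	return key.PublicKey.Equal(cert.PublicKey)
}

// leafError issues an end-entity certificate under caCert with signer and then verifies it
// against caCert, the check EJBCA reports as "certificate does not verify with supplied key".
// Recent Go versions already refuse in CreateCertificate when signer is not caCert's key.
func leafError(caCert *x509.Certificate, signer *ecdsa.PrivateKey) error {
	leafKey := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "lam.intern.example.com"},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, caCert, &leafKey.PublicKey, signer)
	if err != nil {
		return err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	return leaf.CheckSignatureFrom(caCert)
}

// crlVerifies signs an empty CRL in caCert's name with signer and reports whether that CRL
// verifies against caCert, the step that fails above with "Error verifying CRL to be returned".
func crlVerifies(caCert *x509.Certificate, signer *ecdsa.PrivateKey) bool {
	tmpl := &x509.RevocationList{
		Number:     big.NewInt(1),
		ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, caCert, signer)
	if err != nil {
		return false
	}
	crl, err := x509.ParseRevocationList(der)
	if err != nil {
		return false
	}
	return crl.CheckSignatureFrom(caCert) == nil
}

func main() {
	oldKey := newKey()                             // key pair of the deleted crypto token
	caCert := selfSignedCA("ManagementCA", oldKey) // CA certificate still stored in EJBCA
	tokenKey := newKey()                           // signKey on the newly created crypto token

	fmt.Println("token key matches CA cert:", keyMatchesCert(caCert, tokenKey))
	fmt.Println("enrollment error:", leafError(caCert, tokenKey))
	fmt.Println("CRL verifies:", crlVerifies(caCert, tokenKey))

	// Remedy from the thread: renew the CA so its certificate carries the new token's key.
	renewed := selfSignedCA("ManagementCA", tokenKey)
	fmt.Println("after renewal, enrollment error:", leafError(renewed, tokenKey))
	fmt.Println("after renewal, CRL verifies:", crlVerifies(renewed, tokenKey))
}
```

Run it with `go run`. Before renewal the key comparison is false and both the issuance and the CRL check fail; after the CA certificate is reissued for the key the token actually holds, both pass. The same comparison of the token's public key against the CA certificate's public key is the quickest way to confirm this diagnosis on a real installation before reaching for renewca.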
Hello,
OK. On the Administration page under CA > Edit CA, name "Management CA", I see under Crypto Token: "CryptoToken -367522817 not found".
What can I do now?
Greetings from Stefan Harbich
Well it seems that you've deleted the crypto token.
I would suggest that you create a new crypto token (with signKey, testKey and defaultKey).
With the command line, link the new crypto token to the CA:
bin/ejbca.sh ca changecatoken --caname <CA_NAME> --cryptotoken <NEW_CRYPTO_TOKEN> --execute
Renew the CA and revoke the old CA certificate.
Hello,
when I do the following
...
bin/ejbca.sh ca changecatoken --caname ManagementCA --cryptotoken signKey --execute
...
I get the following error message:
"CA 'ManagementCA' references crypto token '-367522817 (does not exist)'
New crypto token: signKey
CA token properties: null
Exception in thread "main" java.lang.IllegalArgumentException: Crypto Token with name signKey does not exist.
    at org.ejbca.ui.cli.ca.CaChangeCryptoTokenCommand.execute(CaChangeCryptoTokenCommand.java:125)
    at org.ejbca.ui.cli.infrastructure.command.PasswordUsingCommandBase.execute(PasswordUsingCommandBase.java:202)
    at org.ejbca.ui.cli.infrastructure.library.CommandLibrary$Branch.execute(CommandLibrary.java:287)
    at org.ejbca.ui.cli.infrastructure.library.CommandLibrary$Branch.execute(CommandLibrary.java:297)
    at org.ejbca.ui.cli.infrastructure.library.CommandLibrary.findAndExecuteCommandFromParameters(CommandLibrary.java:78)
    at org.ejbca.ui.cli.EjbcaEjbCli.main(EjbcaEjbCli.java:33)"
Do you have another idea?
Before changing the crypto token, did you confirm that CryptoToken -367522817 does not exist?
To create crypto token:
1. Under CA Functions click Crypto Tokens.
2. Click Create new ...
3. Enter name (for example CT_MGMT), password, type ... etc then click on Save.
4. Enter the keypair name signKey, select the algorithm and size then click Generate New Keypair.
5. Enter the keypair name defaultKey, select the algorithm and size then click Generate New Keypair.
6. Enter the keypair name testKey, select the algorithm and size then click Generate New Keypair.
Execute the command:
bin/ejbca.sh ca changecatoken --caname <CA_NAME> --cryptotoken <NEW_CRYPTO_TOKEN> --execute
where:
<CA_NAME>: name of the management CA
<NEW_CRYPTO_TOKEN>: name of the crypto token, CT_MGMT for example.
Last edit: PKI_123 2021-07-13
Hello,
Okay, I was able to create the crypto tokens and assign them to the ManagementCA. With the following command
...
root@dsme01:/usr/share/pki/ejbca_ce_6_15_2_6# bin/ejbca.sh ca renewca --caname ManagementCA
...
I get an error message
"Renew CA ManagementCA with the current key pair
Current certificate:
Serial number: 4e913d8a21ebf13fea7a8a886c807f0965cd762e
Issuer DN: CN=ManagementCA,OU=pki,O=harbich,DC=example,C=com
Subject DN: CN=ManagementCA,OU=pki,O=harbich,DC=example,C=com
Not Before: 2021-01-27 20:28:27+0100
Not After: 2031-01-25 20:28:27+0100
Subject key id: a55b16a879b685a87f9837ed54357d6420635322
ERROR: Could not create keys, crypto token was unavailable: CA token is offline for CA 'ManagementCA'.
New certificate created:
Serial number: 4e913d8a21ebf13fea7a8a886c807f0965cd762e
Issuer DN: CN=ManagementCA,OU=pki,O=harbich,DC=example,C=com
Subject DN: CN=ManagementCA,OU=pki,O=harbich,DC=example,C=com
Not Before: 2021-01-27 20:28:27+0100
Not After: 2031-01-25 20:28:27+0100
Subject key id: a55b16a879b685a87f9837ed54357d6420635322"
Hello,
I just looked at the CA certificate and saw that it is blocked?
Oh, what do I do now?
I think you should activate the CA:
CA Functions > CA Activation > Activate CA (Crypto token and CA Service Action)
Then try to renew again.
Hello,
I just can't do it anymore. Again a new token created, and again the same error message. I think it has something to do with the revocation of the CA certificate? Okay, new CA created. But now the super admin access to the adminweb doesn't work either. No, a, no...
Hmm,
The default ManagementCA crypto token comes with this key: encryptKey.
You can try to generate it on the crypto token:
Enter the keypair name encryptKey, select the algorithm and size then click Generate New Keypair.
Then try to renew the CA again.
You might have to re-configure TLS once the Management CA is online again.
Last edit: PKI_123 2021-07-13