Due to some negligence on my part, both the superadmin user cert and the default AdminCA1 CA have expired before I created admin users signed by my own CAs.
I can't log in to the web console, so I'm stuck with the CLI, and as best I can tell the "ca renewca" addition is destined for 5.0. I'm running EJBCA 4.0.10.
The only thing I can think of is creating a new user signed by my own CAs, assuming I can do that all via the command line. Is that valid? I'd really appreciate some guidance before embarking down this path.
thanks!
mike
On 2013-03-20 19:44, Michael Hart wrote:
You are a lucky guy :-) Here it is:
http://www.ejbca.org/userguide.html#Renewing%20Superadmin
Cheers
Anders
tech support
Thanks Anders, not so much lucky as dumb, I'm afraid. :(
Unfortunately, when I run the "bin/ejbca.sh batch" command, it tells me that AdminCA1 is offline, and after further investigation AdminCA1 isn't really offline but has expired. Both AdminCA1 and superadmin expired on March 17th. Any other ideas?
thanks
mike
On 2013-03-21 14:01, Michael Hart wrote:
Hi Michael,
I was maybe a bit too quick.
bin/ejbca.sh ra adduser michael michaelpwd "cn=michael" null YourCA null 1 P12 ENDUSER EMPTY
bin/ejbca.sh ra setclearpwd michael michaelpwd
bin/ejbca.sh batch michael
bin/ejbca.sh admins addadmin "Temporary Super Administrator Group" AdminCA WITHCOMMONNAME EQUALCASEINS michael
Then import p12/michael.p12 in your browser
Cheers,
Anders
tech support
Thanks again, I've gone through this but still can't log in. It still wants a cert signed by the expired AdminCA1 CA, which I can't give it since it's expired.
I think the only thing to do now is to create a new keystore based on my own CAs. Both the EJBCA docs and the excellent online book (http://majic.rs/book/free-software-x509-cookbook/setting-up-ejbca-as-certification-authority#Issuing_New_Super-administrator_Key_and_Certificate) only show this being done with the UI (which I can't use). Is there a way to do this via the command line?
Alternatively, I've exported my own CAs to PKCS12 files. Since I don't have many signed certs yet, might it be simpler to create the EJBCA installation from scratch, using my own CAs?
thanks!
mike
On 2013-03-21 19:21, Michael Hart wrote:
The problem is probably that the p12/truststore.jks doesn't include your new CA. Add it, and do ant deploy and hopefully you're back!
Cheers
Anders
tech support
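One way to check the truststore point raised in the last reply, as an added example that is not part of the thread or of EJBCA: it parses `keytool -list -v` output and reports which CA certificates in the store are expired or missing. The sample listing, the alias `exampleca`, the file `yourca.pem` and the `TRUSTPASS` variable are assumptions made for illustration.

```bash
#!/bin/sh
# Added example, not from the thread. The sample listing is constructed;
# "exampleca", yourca.pem and $TRUSTPASS are placeholders.

# Read `keytool -list -v` output on stdin; print STATUS<TAB>alias<TAB>owner
# per certificate. $1 = today as YYYYMMDD (day granularity, time zone ignored).
truststore_report() {
  awk -v today="$1" '
    BEGIN { split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
            for (i = 1; i <= 12; i++) mon[m[i]] = i }
    /^Alias name: / { alias = substr($0, 13) }
    /^Owner: /      { owner = substr($0, 8) }
    /^Valid from: / {
      sub(/^.* until: /, "")        # keep only the notAfter date
      split($0, d, " ")             # dow mon dd hh:mm:ss tz yyyy
      notafter = sprintf("%04d%02d%02d", d[6], mon[d[2]], d[3])
      printf "%s\t%s\t%s\n", (notafter < today ? "EXPIRED" : "ok"), alias, owner
    }'
}

# Succeed only if a certificate whose owner contains $2 is present and unexpired.
ca_trusted() {
  truststore_report "$1" | grep -F -- "$2" | grep -q '^ok'
}

# Constructed listing: the expired management CA plus one valid CA.
sample_listing() {
  cat <<'EOF'
Alias name: adminca1
Entry type: trustedCertEntry
Owner: CN=AdminCA1, O=EJBCA Sample, C=SE
Issuer: CN=AdminCA1, O=EJBCA Sample, C=SE
Valid from: Thu Mar 17 10:00:00 UTC 2011 until: Sun Mar 17 10:00:00 UTC 2013

Alias name: exampleca
Entry type: trustedCertEntry
Owner: CN=ExampleCA, O=Example, C=SE
Issuer: CN=ExampleCA, O=Example, C=SE
Valid from: Tue Jan 01 00:00:00 UTC 2013 until: Sun Jan 01 00:00:00 UTC 2023
EOF
}

# Live use from the EJBCA directory:
#   keytool -list -v -keystore p12/truststore.jks -storepass "$TRUSTPASS" \
#     | truststore_report "$(date +%Y%m%d)"
#   keytool -importcert -noprompt -alias yourca -file yourca.pem \
#     -keystore p12/truststore.jks -storepass "$TRUSTPASS"
#   ant deploy
```

A CA that is absent from the listing is reported as untrusted by `ca_trusted`, which is the state the last reply describes for the new CA before it is imported.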