Happy New Year to everyone! First of all, I'm sorry because I'm not proficient in English.
I'm facing a problem regarding a certification issue. This is my scenario: I installed an EJBCA v 6.5.0.5 server in a VM. I created the (default) Management CA and added a root (self-signed certificate) CA called "TESTROOTCA" and an intermediate CA called "TESTSUBCA" subordinate to TESTROOTCA. Then, I created (certification and end entity) profiles for certificates with "email and client authentication" extended key usage, issued by TESTSUBCA.
In fact, TESTSUBCA can deliver such a certificate after end entity enrollment, storing the end entity private key and public key certificate in a p12 file. But my problem begins here: if I inspect the p12 file (e.g. using openssl), EJBCA also stores the root CA public key certificate (i.e. the TESTROOTCA certificate), but in this file I expected the end entity certificates and all certificates needed for certificate chain validation (i.e. I expected the end entity certificates, the TESTROOTCA certificate AND the TESTSUBCA certificate, and the last one is missing in the currently generated p12 file).
How can I achieve this? What steps must be performed to create this particular p12 file? The expected p12 file must contain: end entity private key, end entity public key certificate, TESTSUBCA certificate and TESTROOTCA certificate.
Please, feel free to ask more information as needed.
Thank you very much in advance and best regards,
Rafael
Hi Rafael,
we at our site can confirm the behaviour you are describing.
You can work around this by using a separate keystore (the one you have created) and truststore (containing only the CA- and SUBCA certificates). To have separate key- and truststores actually is quite normal, since with your truststore you normally want to verify the certificates on the other side of your SSL connection.
Hope this helps,
Goetz
Last edit: Götz Golla 2018-01-12
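The inspection from the question and the keystore/truststore split from the reply, as an added example that is not part of the original thread and is not EJBCA's own tooling. It runs on a constructed throwaway PKI that reuses the thread's CA names; the end entity name `rafael-test`, the file names, the password `changeit` and the choice of a PEM bundle as truststore format are assumptions.

```shell
#!/bin/sh
# Added example on a constructed throwaway PKI, not output of a real EJBCA server.
# CA names follow the thread; "rafael-test", file names and "changeit" are made up.

# Print the subject line of every certificate stored in a PKCS#12 file.
p12_subjects() {   # $1 = p12 file, $2 = password
    openssl pkcs12 -in "$1" -nokeys -passin "pass:$2" 2>/dev/null | grep '^subject='
}

# Succeed only if the p12 holds a certificate whose subject contains $3.
p12_has_cert() {   # $1 = p12 file, $2 = password, $3 = name
    p12_subjects "$1" "$2" | grep -q "$3"
}

# Create a CSR for CN=$2 and sign it with CA $3; $4 is an optional extension file.
issue() {          # $1 = dir, $2 = name, $3 = CA name, $4 = extfile
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/$2.csr" -CA "$1/$3.pem" -CAkey "$1/$3.key" \
        -CAcreateserial ${4:+-extfile "$4"} -days 1 -out "$1/$2.pem" 2>/dev/null
}

# Root CA, subordinate CA and one end entity, all written to directory $1.
make_test_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=TESTROOTCA" \
        -keyout "$1/TESTROOTCA.key" -out "$1/TESTROOTCA.pem" 2>/dev/null || return 1
    printf 'basicConstraints=critical,CA:TRUE\n' > "$1/ca.ext"
    issue "$1" TESTSUBCA TESTROOTCA "$1/ca.ext" || return 1
    issue "$1" rafael-test TESTSUBCA
}

# Keystore shaped like the one in the question: key, end entity cert, root only.
make_keystore() {  # $1 = dir
    openssl pkcs12 -export -inkey "$1/rafael-test.key" -in "$1/rafael-test.pem" \
        -certfile "$1/TESTROOTCA.pem" -passout pass:changeit -out "$1/keystore.p12"
}

# Truststore from the reply, here as a PEM bundle: CA certificates, no private key.
make_truststore() { # $1 = dir
    cat "$1/TESTSUBCA.pem" "$1/TESTROOTCA.pem" > "$1/truststore.pem"
}

# Validate the end entity certificate against a bundle of trusted CA certificates.
verify_with() {    # $1 = CA bundle, $2 = certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}
```

On a real export, `p12_subjects file.p12 password` alone shows which chain certificates the file contains; validation against the root by itself fails until the subordinate CA certificate is supplied through the truststore.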