Hi all,
Following the OCSP/VA official documentation, I am trying to setup an external OCSP responder/VA for an EJBCA CA server that is on a protected network.
The CA certificates, CRLs and user certificates seem to be correctly published to the OCSP and the /crls/search.cfi and /certificates/search.cgi do present the crls/CA certificates.
I am now trying to setup the AdminGUI, but I am unable to access it, I get the following error message:
I used the following commands to import the ManagementCA CA certificate and assign a role to the certificate:
jboss@ra:/opt/ejbca$ bin/ejbca.sh ca importcacert ManagementCA ManagementCA.cacert.pem
Imported CA ManagementCA
jboss@ra:/opt/ejbca$ bin/ejbca.sh roles addadmin "Super Administrator Role" Man
agementCA WITH_COMMONNAME TYPE_EQUALCASE 'Baptiste Grenier'
No database integrity protection available in this version of EJBCA.
jboss@ra:/opt/ejbca$ bin/ejbca.sh ca info ManagementCA
CA name: ManagementCA
CA type: 1
CA ID: -379989233
CA CRL Expiration Period: 0
CA CRL Issue Interval: 0
CA Description: CA created by certificate import.
This is a Root CA.
Size of chain: 1
Root CA DN: CN=ManagementCA,O=XXXXX,C=FR
Root CA id: -379989233
Certificate valid from: Fri Mar 21 11:24:26 CET 2014
Certificate valid to: Mon Mar 18 11:24:26 CET 2024
Root CA key algorithm: RSA
Root CA key size: 2048
jboss@ra:/opt/ejbca$ bin/ejbca.sh roles listadmins 'Super Administrator Role'
No database integrity protection available in this version of EJBCA.
"ManagementCA" WITH_COMMONNAME TYPE_EQUALCASE "Baptiste Grenier"
I also published the user certificate to the OCSP responder (using the republish button on the certificate page).
I think that the problem might be an incorect configuration of the keystores.
I created a servercert keystore signed by the management CA used for the tomcat.jks, but for me it wasn't clear at all how the p12/truststore.jks has to be created... I tried to copy the one from the CA server (containing the certificate for the ManagementCA generated by ant) but I am very doubtfull about the fact that this is correct...
It is also completely unclear if a VA/OCSP responder can be used as a RA service, allowing users to retrieve their certificates and request new ones using self registration, the web gui of the VA seems to offer all the required components, but I wonder if it just a side effect ot the setup or if they can effectively be used... :/ Will we need to install an external-ra GUI for the users or will the external VA/OCSP be sufficient?
Thanks for any help!
Best,
Baptiste
Last edit: Baptiste Grenier 2014-04-16
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:
To solve the first error:
An End Entity needs to exist in the database (or you need to configure to not require user cert in database in web.properties).
Hi all,
Following the OCSP/VA official documentation, I am trying to setup an external OCSP responder/VA for an EJBCA CA server that is on a protected network.
The CA certificates, CRLs and user certificates seem to be correctly published to the OCSP and the /crls/search.cfi and /certificates/search.cgi do present the crls/CA certificates.
I am now trying to setup the AdminGUI, but I am unable to access it, I get the following error message:
I used the following commands to import the ManagementCA CA certificate and assign a role to the certificate:
I also published the user certificate to the OCSP responder (using the republish button on the certificate page).
I think that the problem might be an incorect configuration of the keystores.
I created a servercert keystore signed by the management CA used for the tomcat.jks, but for me it wasn't clear at all how the p12/truststore.jks has to be created... I tried to copy the one from the CA server (containing the certificate for the ManagementCA generated by ant) but I am very doubtfull about the fact that this is correct...
It is also completely unclear if a VA/OCSP responder can be used as a RA service, allowing users to retrieve their certificates and request new ones using self registration, the web gui of the VA seems to offer all the required components, but I wonder if it just a side effect ot the setup or if they can effectively be used... :/ Will we need to install an external-ra GUI for the users or will the external VA/OCSP be sufficient?
Thanks for any help!
Best,
Baptiste
Last edit: Baptiste Grenier 2014-04-16
To solve the first error:
An End Entity needs to exist in the database (or you need to configure to not require user cert in database in web.properties).
The VA/OCSP can not be used as an RA.
Cheers,
Tomas
Save time and money with an Enterprise support subscription. Please see www.primekey.se for more information.
http://www.primekey.se/Products/EJBCA+PKI/
http://www.primekey.se/Services/Support/