External OCSP/VA 6.0.4 problems accessing the Admin GUI

  • Baptiste Grenier

    Hi all,
    Following the OCSP/VA official documentation, I am trying to set up an external OCSP responder/VA for an EJBCA CA server that is on a protected network.

    The CA certificates, CRLs and user certificates seem to be correctly published to the OCSP and the /crls/search.cfi and /certificates/search.cgi do present the crls/CA certificates.

    I am now trying to set up the AdminGUI, but I am unable to access it; I get the following error message:

    15:44:55,067 INFO  [org.ejbca.core.ejb.ra.EndEntityManagementSessionBean] (http-- Your certificate does not belong to any user. Issuer CN=ManagementCA,O=gnubila,C=FR, serialNo 415fe3c3639248b2.
    15:44:55,396 ERROR [errorpage.jsp] (http-- Certificate with SN 4710734163581487282 did not belong to user CN=ManagementCA,O=XXXXX,C=FR: java.lang.RuntimeException: Certificate with SN 4710734163581487282 did not belong to user CN=ManagementCA,O=XXXXX,C=FR
            at org.ejbca.ui.web.admin.configuration.EjbcaWebBean.initialize(EjbcaWebBean.java:216) [classes:]
            at org.apache.jsp.index_jsp._jspService(index_jsp.java:84)
            at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70) [jbossweb-7.0.13.Final.jar:]
            at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) [jboss-servlet-api_3.0_spec-1.0.0.Final.jar:1.0.0.Final]
            at org.apache.jasper.servlet.JspServletWrapper.service(JspServletWrapper.java:369) [jbossweb-7.0.13.Final.jar:]

    I used the following commands to import the ManagementCA CA certificate and assign a role to the certificate:

    jboss@ra:/opt/ejbca$ bin/ejbca.sh ca importcacert ManagementCA ManagementCA.cacert.pem
    Imported CA ManagementCA
    jboss@ra:/opt/ejbca$ bin/ejbca.sh roles addadmin "Super Administrator Role" ManagementCA WITH_COMMONNAME TYPE_EQUALCASE 'Baptiste Grenier'
    No database integrity protection available in this version of EJBCA.
    jboss@ra:/opt/ejbca$ bin/ejbca.sh ca info ManagementCA
    CA name: ManagementCA
    CA type: 1
    CA ID: -379989233
    CA CRL Expiration Period: 0
    CA CRL Issue Interval: 0
    CA Description: CA created by certificate import.
    This is a Root CA.
    Size of chain: 1
    Root CA DN: CN=ManagementCA,O=XXXXX,C=FR
    Root CA id: -379989233
    Certificate valid from: Fri Mar 21 11:24:26 CET 2014
    Certificate valid to: Mon Mar 18 11:24:26 CET 2024
    Root CA key algorithm: RSA
    Root CA key size: 2048
    jboss@ra:/opt/ejbca$ bin/ejbca.sh roles listadmins 'Super Administrator Role'
    No database integrity protection available in this version of EJBCA.
    "ManagementCA" WITH_COMMONNAME TYPE_EQUALCASE "Baptiste Grenier"

    I also published the user certificate to the OCSP responder (using the republish button on the certificate page).

    I think that the problem might be an incorrect configuration of the keystores.
    I created a servercert keystore signed by the management CA used for the tomcat.jks, but for me it wasn't clear at all how the p12/truststore.jks has to be created... I tried to copy the one from the CA server (containing the certificate for the ManagementCA generated by ant), but I am very doubtful about the fact that this is correct...

    It is also completely unclear if a VA/OCSP responder can be used as an RA service, allowing users to retrieve their certificates and request new ones using self registration. The web GUI of the VA seems to offer all the required components, but I wonder if it is just a side effect of the setup or if they can effectively be used... :/ Will we need to install an external-ra GUI for the users, or will the external VA/OCSP be sufficient?

    Thanks for any help!


    Last edit: Baptiste Grenier 2014-04-16
  • Tomas Gustavsson

    To solve the first error:
    An End Entity needs to exist in the database (or you need to configure it not to require the user cert in the database, in web.properties).

    The VA/OCSP cannot be used as an RA.


    Save time and money with an Enterprise support subscription. Please see www.primekey.se for more information.
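As an added triage helper (my own code, not from the thread or from EJBCA), the script below parses the two log lines from the question to confirm that they describe a single certificate (the hex serialNo and the decimal SN are the same number, 0x415fe3c3639248b2 = 4710734163581487282) and evaluates the `roles listadmins` entry against the certificate's CN the way WITH_COMMONNAME TYPE_EQUALCASE reads. If both checks pass and the GUI still rejects the login, the role is not the problem and the missing piece is the End Entity record Tomas refers to; it assumes the admin certificate's CN is 'Baptiste Grenier', as in the role entry.

```python
import re

# Constructed copies of the two log lines quoted in the question (O= value redacted, as in the post).
LOG_LINES = [
    "15:44:55,067 INFO  [org.ejbca.core.ejb.ra.EndEntityManagementSessionBean] (http-- Your certificate "
    "does not belong to any user. Issuer CN=ManagementCA,O=XXXXX,C=FR, serialNo 415fe3c3639248b2.",
    "15:44:55,396 ERROR [errorpage.jsp] (http-- Certificate with SN 4710734163581487282 did not belong to "
    "user CN=ManagementCA,O=XXXXX,C=FR: java.lang.RuntimeException: (trace omitted in this constructed sample)",
]
# The role entry printed by `roles listadmins` in the question: (CA name, match-with, match-type, value).
ROLE_ENTRY = ("ManagementCA", "WITH_COMMONNAME", "TYPE_EQUALCASE", "Baptiste Grenier")

# EndEntityManagementSessionBean logs the serial in hex; errorpage.jsp logs the same serial in decimal.
HEX_RE = re.compile(r"Issuer (?P<issuer>.+?), serialNo (?P<serial>[0-9a-fA-F]+)\.")
DEC_RE = re.compile(r"Certificate with SN (?P<serial>\d+) did not belong to user (?P<issuer>[^:]+):")

def parse_rejections(lines):
    """Return (issuer_dn, serial_as_int) for each 'does not belong' event, normalising hex and decimal serials."""
    events = []
    for line in lines:
        m = HEX_RE.search(line)
        if m:
            events.append((m.group("issuer"), int(m.group("serial"), 16)))
            continue
        m = DEC_RE.search(line)
        if m:
            events.append((m.group("issuer"), int(m.group("serial"), 10)))
    return events

def same_certificate(events):
    """True when every event names one (issuer, serial) pair, i.e. both log lines describe the same certificate."""
    return len(events) > 0 and len(set(events)) == 1

def role_matches(rule, ca_name, subject_cn):
    """Evaluate a WITH_COMMONNAME TYPE_EQUALCASE role entry: issuing CA and CN must both match, CN case-sensitively."""
    rule_ca, match_with, match_type, value = rule
    if match_with != "WITH_COMMONNAME" or match_type != "TYPE_EQUALCASE":
        raise ValueError("this helper only handles WITH_COMMONNAME TYPE_EQUALCASE entries")
    return rule_ca == ca_name and subject_cn == value

def diagnose(lines, rule, ca_name, subject_cn):
    """Combine both checks; if all pass yet the GUI rejects the cert, the End Entity record is what is missing."""
    events = parse_rejections(lines)
    return {
        "rejections_logged": len(events),
        "single_certificate": same_certificate(events),
        "role_entry_matches": role_matches(rule, ca_name, subject_cn),
    }
```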

