Does EJBCA make it possible to use one user for creating certificates? Since my previous CA is going to expire, I'd like to use EJBCA for the new CA. Since 1000+ certificates have been given out with the expiring CA, all of them need to be regenerated.
Br,
Alo
Short answer yes. You can use a single user (end entity in EJBCA) for all certificates, one end entity per certificate, or a combination. You can do almost anything you want.
Cheers,
Tomas
Ok, but how can I configure EJBCA so that I can use only one user to generate certificates?
At the moment I have the following configuration:
RA Functions->Add End Entity:
End Entity Profile: ssl_server
Username: test
Password: test
Batch generation: checked
Subject DN Attributes:
=====================
C: EE
L: City
O: Test company
OU: Test company
Certificate profile: ssl_server
CA: TestCA
Token: PEM
The first certificate has CN field test1 and the second certificate has CN field test2. I could add the first certificate successfully but when I tried to add the second certificate, the following error occurred: "End entity already exists, choose another Username."
Entityprofile is added as an attachment.
Br,
Alo
Last edit: aloeee 2014-04-21
You just edit the end-entity for each new certificate
Cheers
Anders
Anders, what do you mean by "You just edit the end-entity for each new certificate"? I'm trying to create a lot of certificates with just ONE user and password and just generate them with the bin/ejbca.sh batch command.
You need to do something like
http://ejbca.org/docs/userguide.html#Renewing%20Superadmin
but also perform edituser commands to change CN
Cheers
Anders
Does this mean that I always need to change the user status to NEW before I can create another certificate with the same user and password?
Yes, it does
Anders
I tried this:
Created a new end-entity with the username test and password test (CN: test cert1)
On the command line I ran the following command:
bin/ejbca.sh batch test
Generating keys in directory /opt/ejbca/p12.
Loading configuration from defaults.
Generating RSA keys of size 2048 for test.
Created Keystore for 'test'.
New user generated successfully - test.
If I search test user status, then I get status NEW for this user.
bin/ejbca.sh ra findendentity test
Found end entity:
Username: test
Password: test
DN: "CN=test cert1,OU=Test unit,O=Test company,L=City,C=EE"
Alt Name: "null"
Directory Attributes: ""
E-Mail: null
Status: 10
Type: 1
Token Type: 4
End Entity Profile ID: 503291280
Certificate Profile ID: 163070057
Hard Token Issuer ID: 0
Created: Mon Apr 21 12:51:11 GMT+00:00 2014
Modified: Mon Apr 21 12:56:16 GMT+00:00 2014
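Tried to create another certificate with the same username and the same password but with a different CN (test cert2).
When I hit Add from GUI, then I got this "End entity already exists, choose another Username." error.
I don't get where or what I did wrong.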
Search end entities
select for edit
change CN
save
I think you can do this from the CLI as well
Good luck
Anders
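The cycle described in the replies above (edit the existing end entity to change the CN, set its status back to NEW, run batch again), as an added shell example that is not part of the thread or of EJBCA. The ra subcommands setsubjectdn, setclearpwd and setendentitystatus, the "username*" output file pattern, and the names OUT_DIR and ENROLL_PW are assumptions to check against your EJBCA version; it prints the commands unless DRY_RUN=0.

```sh
#!/bin/sh
# Added example: reissue many certificates from ONE end entity (dry run by default).
# Assumed, not from the thread: the ra subcommands setsubjectdn, setclearpwd and
# setendentitystatus (check `bin/ejbca.sh ra` on your version), OUT_DIR, ENROLL_PW.
EJBCA_CLI="${EJBCA_CLI:-bin/ejbca.sh}"
P12_DIR="${P12_DIR:-p12}"                 # batch output directory, as in the log
OUT_DIR="${OUT_DIR:-issued}"              # hypothetical: one sub-directory per CN
DN_SUFFIX="${DN_SUFFIX:-OU=Test unit,O=Test company,L=City,C=EE}"

# Print the command in dry-run mode; otherwise execute it with stdin closed so
# the CLI cannot swallow the CN list that reissue_all is reading.
run() { if [ "${DRY_RUN:-1}" = 1 ]; then echo "$*"; else "$@" </dev/null; fi; }

# The CN is pasted into the subject DN, so refuse anything that could add or
# alter RDNs (comma, equals, plus, quotes, ...): allow a conservative set only.
valid_cn() {
    [ -n "$1" ] && [ -z "$(printf '%s' "$1" | tr -d 'A-Za-z0-9 ._-')" ]
}

# One cycle: change CN, reset password, status 10 (NEW), batch, move output away.
# batch names its files after the username, so the next run would overwrite them
# (assumption: file names start with the username).
reissue_one() {  # $1 = username, $2 = CN
    valid_cn "$2" || { echo "skipped invalid CN: $2" >&2; return 1; }
    if [ "${DRY_RUN:-1}" = 1 ]; then pw='<password>'; else pw=${ENROLL_PW:?set ENROLL_PW}; fi
    run "$EJBCA_CLI" ra setsubjectdn "$1" "CN=$2,$DN_SUFFIX" &&
    run "$EJBCA_CLI" ra setclearpwd "$1" "$pw" &&
    run "$EJBCA_CLI" ra setendentitystatus "$1" 10 &&
    run "$EJBCA_CLI" batch "$1" &&
    run mkdir -p "$OUT_DIR/$2" &&
    run find "$P12_DIR" -type f -name "$1*" -exec mv {} "$OUT_DIR/$2/" \;
}

# Read CNs from stdin, one per line; non-zero exit if any CN failed.
reissue_all() {  # $1 = username
    failed=0
    while IFS= read -r cn; do
        [ -n "$cn" ] || continue
        reissue_one "$1" "$cn" || failed=$((failed + 1))
    done
    [ "$failed" -eq 0 ] || { echo "$failed CN(s) failed" >&2; return 1; }
}

# Constructed sample input using the two CNs from the thread.
printf 'test cert1\ntest cert2\n' | reissue_all test
```

Every certificate issued this way shares one end entity and one enrollment password, and the private keys are generated on the CA host, so the collected output directory needs the same protection as the keys themselves.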