
How to set up user to get p12 for clientToolBox certificate issuing.

Help
Santiago
2021-10-06
2023-02-20
  • Santiago

    Santiago - 2021-10-06

    Hi,

    I recently started using EJBCA to set up a PKI in a project I am working on. I decided to use the Bitnami EJBCA container (which is similar to the PrimeKey container but has a package manager). I set up everything successfully, but now I need to find a way to issue certificates via the console (in order to automate it in the future).

    For that I carried out the following steps:

    1. I downloaded the p12 file for superadmin to access the admin page: https://localhost:8443/ejbca/adminweb (Note that it is in localhost as it is a container with exposed ports)
    2. I created a csr in order to test the certificate issuing
    3. I created an end entity profile that only requires serialnumber as CN
    4. I created an end entity named test and batch created its p12 file

    Now I try to execute the ClientToolBox with the following command:

    ./ejbcaClientToolBox.sh EjbcaWsRaCli pkcs10req test test ./csr.csr PEM cert.cert

    where csr.csr is the CSR and cert.cert is the output certificate.

    The configuration I have for the tool is the following:

    # Property file for the web service client. Used to specify
    # URL to web service and path to keystore.
    
    # Web Service URL. Important the hostname MUST match the CN of the server certificate.
    # The wsdl schema location is the URL below with '?wsdl' in the end.
    # For example: https://localhost:8443/ejbca/ejbcaws/ejbcaws?wsdl
    #
    # default: https://localhost:8443/ejbca/ejbcaws/ejbcaws
    # for standalone ejbcaws.war deployment use: https://localhost:8443/ejbcaws/ejbcaws
    ejbcawsracli.url = https://localhost:8442/ejbca/ejbcaws/ejbcaws
    
    # Path to the keystore used to authenticate the client to the Web Service. 
    # The keystore can be:
    # 1. a java keystore (.jks). If ejbcawsracli.truststore.path is not set the CA certificate of the tomcat server certificate must be in its truststore, and the server certificate is validated against this.
    # 2. a PKCS12 keystore (.p12). If ejbcawsracli.truststore.path is not set an acceptAll truststore policy will then be used so the servers certificate is not verified against a truststore.
    #default : keystore.jks
    ejbcawsracli.keystore.path = ./test.p12
    
    # A shared library path to a PKCS#11 so a HSM or smartcard could be used. If ejbcawsracli.truststore.path is not set an acceptAll truststore policy will then be used so the servers certificate is not verified against a truststore.
    #ejbcawsracli.p11.sharedlibrary = /usr/lib/libaetpkss.so
    # The slot number/index/label to be used
    #ejbcawsracli.p11.slot = 0
    #ejbcawsracli.p11.slot = slotlabel
    # The type of the above label
    #ejbcawsracli.p11.slotlabeltype = SLOT_NUMBER
    #ejbcawsracli.p11.slotlabeltype = SLOT_INDEX
    #ejbcawsracli.p11.slotlabeltype = SLOT_LABEL
    
    #Password to unlock the keystore. 
    # Comment out this to prompt for every time the client starts.
    ejbcawsracli.keystore.password = test
    
    # Path to the truststore used to authenticate the Web Services server certificate.
    # If not set settings from the keystore is used, see ejbcawsracli.keystore.path
    #default: not set 
    #ejbcawsracli.truststore.path=
    

    I get the following error:

    javax.xml.ws.WebServiceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
    org.ejbca.ui.cli.ErrorAdminCommandException: javax.xml.ws.WebServiceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
        at org.ejbca.core.protocol.ws.client.PKCS10ReqCommand.execute(PKCS10ReqCommand.java:121)
        at org.ejbca.core.protocol.ws.client.ejbcawsracli.main(ejbcawsracli.java:38)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:78)
        at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.base/java.lang.reflect.Method.invoke(Method.java:567)
        at org.ejbca.ui.cli.EjbcaWsRaCli.execute(EjbcaWsRaCli.java:37)
        at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
        at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:70)
    Caused by: javax.xml.ws.WebServiceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
        at org.apache.cxf.jaxws.ServiceImpl.initialize(ServiceImpl.java:162)
        at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:128)
        at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:82)
        at javax.xml.ws.Service.<init>(Service.java:35)
        at org.ejbca.core.protocol.ws.client.gen.EjbcaWSService.<init>(EjbcaWSService.java:58)
        at org.ejbca.core.protocol.ws.client.EJBCAWSRABaseCommand.getEjbcaRAWS(EJBCAWSRABaseCommand.java:218)
        at org.ejbca.core.protocol.ws.client.EJBCAWSRABaseCommand.getEjbcaRAWS(EJBCAWSRABaseCommand.java:201)
        at org.ejbca.core.protocol.ws.client.PKCS10ReqCommand.execute(PKCS10ReqCommand.java:87)
        ... 8 more
    Caused by: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:87)
        at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:217)
        at org.apache.cxf.jaxws.ServiceImpl.initialize(ServiceImpl.java:160)
        ... 15 more
    Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://localhost:8442/ejbca/ejbcaws/ejbcaws?wsdl'.: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching localhost found.
        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(WSDLReaderImpl.java:2198)
        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(WSDLReaderImpl.java:2390)
        at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(WSDLReaderImpl.java:2422)
        at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:266)
        at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:165)
        at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:85)
        ... 17 more
    Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative DNS name matching localhost found.
        at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:369)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:312)
        at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
        at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
        at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
        at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:199)
        at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
        at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1498)
        at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1404)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:441)
        at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:412)
        at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:574)
        at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:183)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1653)
        at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1577)
        at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:224)
        at java.xml/com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(XMLEntityManager.java:676)
        at java.xml/com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(XMLVersionDetector.java:150)
        at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:860)
        at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:824)
        at java.xml/com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
        at java.xml/com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:246)
        at java.xml/com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:339)
        at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(WSDLReaderImpl.java:2188)
        ... 22 more
    Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching localhost found.
        at java.base/sun.security.util.HostnameChecker.matchDNS(HostnameChecker.java:212)
        at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:103)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:452)
        at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:426)
        at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1476)
        at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1443)
        at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
        ... 46 more
    

    I suppose that the error is because of the p12 file (whose CN is probably not localhost), but I need guidance on how to create a proper p12 file.

    Best Regards,

     
  • Tomas Gustavsson

    Your issue is a classic TLS connection issue:

    Caused by: java.security.cert.CertificateException: No subject alternative DNS name matching localhost found.

    That means that the server you are connecting to does not use the hostname "localhost" in its TLS server certificate. Check the TLS certificate of the server, and configure ejbcawsracli.properties to use the hostname the server claims to have in the WS URL.

     
    • Santiago

      Santiago - 2021-10-07

      Dear Tomas,

      First of all, thank you for your fast reply.

      Please forgive my ignorance, but I'm not sure how to check the WS URL on the TLS certificate.

      What I'm checking is the certificate I get when connecting to the adminweb via the browser.

      Can you please extend a bit more how to check the hostname on the certificate?

      Best Regards,

      EDIT:

      Dear Tomas,

      I tried now with another server and creating another user, with no success. I still have the same error.

      javax.xml.ws.WebServiceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
      org.ejbca.ui.cli.ErrorAdminCommandException: javax.xml.ws.WebServiceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
          at org.ejbca.core.protocol.ws.client.PKCS10ReqCommand.execute(PKCS10ReqCommand.java:121)
          at org.ejbca.core.protocol.ws.client.ejbcawsracli.main(ejbcawsracli.java:38)
          at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
          at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:78)
          at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
          at java.base/java.lang.reflect.Method.invoke(Method.java:567)
          at org.ejbca.ui.cli.EjbcaWsRaCli.execute(EjbcaWsRaCli.java:37)
          at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
          at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:70)
      Caused by: javax.xml.ws.WebServiceException: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
          at org.apache.cxf.jaxws.ServiceImpl.initialize(ServiceImpl.java:162)
          at org.apache.cxf.jaxws.ServiceImpl.<init>(ServiceImpl.java:128)
          at org.apache.cxf.jaxws.spi.ProviderImpl.createServiceDelegate(ProviderImpl.java:82)
          at javax.xml.ws.Service.<init>(Service.java:35)
          at org.ejbca.core.protocol.ws.client.gen.EjbcaWSService.<init>(EjbcaWSService.java:58)
          at org.ejbca.core.protocol.ws.client.EJBCAWSRABaseCommand.getEjbcaRAWS(EJBCAWSRABaseCommand.java:218)
          at org.ejbca.core.protocol.ws.client.EJBCAWSRABaseCommand.getEjbcaRAWS(EJBCAWSRABaseCommand.java:201)
          at org.ejbca.core.protocol.ws.client.PKCS10ReqCommand.execute(PKCS10ReqCommand.java:87)
          ... 8 more
      Caused by: org.apache.cxf.service.factory.ServiceConstructionException: Failed to create service.
          at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:87)
          at org.apache.cxf.jaxws.ServiceImpl.initializePorts(ServiceImpl.java:217)
          at org.apache.cxf.jaxws.ServiceImpl.initialize(ServiceImpl.java:160)
          ... 15 more
      Caused by: javax.wsdl.WSDLException: WSDLException: faultCode=PARSER_ERROR: Problem parsing 'https://10.11.1.31:9443/ejbca/ejbcaws/ejbcaws?wsdl'.: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 10.11.1.31 found
          at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(WSDLReaderImpl.java:2198)
          at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(WSDLReaderImpl.java:2390)
          at com.ibm.wsdl.xml.WSDLReaderImpl.readWSDL(WSDLReaderImpl.java:2422)
          at org.apache.cxf.wsdl11.WSDLManagerImpl.loadDefinition(WSDLManagerImpl.java:266)
          at org.apache.cxf.wsdl11.WSDLManagerImpl.getDefinition(WSDLManagerImpl.java:165)
          at org.apache.cxf.wsdl11.WSDLServiceFactory.<init>(WSDLServiceFactory.java:85)
          ... 17 more
      Caused by: javax.net.ssl.SSLHandshakeException: No subject alternative names matching IP address 10.11.1.31 found
          at java.base/sun.security.ssl.Alert.createSSLException(Alert.java:131)
          at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:369)
          at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:312)
          at java.base/sun.security.ssl.TransportContext.fatal(TransportContext.java:307)
          at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:654)
          at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.onCertificate(CertificateMessage.java:473)
          at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.consume(CertificateMessage.java:369)
          at java.base/sun.security.ssl.SSLHandshake.consume(SSLHandshake.java:396)
          at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:480)
          at java.base/sun.security.ssl.HandshakeContext.dispatch(HandshakeContext.java:458)
          at java.base/sun.security.ssl.TransportContext.dispatch(TransportContext.java:199)
          at java.base/sun.security.ssl.SSLTransport.decode(SSLTransport.java:171)
          at java.base/sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1498)
          at java.base/sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1404)
          at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:441)
          at java.base/sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:412)
          at java.base/sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:574)
          at java.base/sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:183)
          at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream0(HttpURLConnection.java:1653)
          at java.base/sun.net.www.protocol.http.HttpURLConnection.getInputStream(HttpURLConnection.java:1577)
          at java.base/sun.net.www.protocol.https.HttpsURLConnectionImpl.getInputStream(HttpsURLConnectionImpl.java:224)
          at java.xml/com.sun.org.apache.xerces.internal.impl.XMLEntityManager.setupCurrentEntity(XMLEntityManager.java:676)
          at java.xml/com.sun.org.apache.xerces.internal.impl.XMLVersionDetector.determineDocVersion(XMLVersionDetector.java:150)
          at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:860)
          at java.xml/com.sun.org.apache.xerces.internal.parsers.XML11Configuration.parse(XML11Configuration.java:824)
          at java.xml/com.sun.org.apache.xerces.internal.parsers.XMLParser.parse(XMLParser.java:141)
          at java.xml/com.sun.org.apache.xerces.internal.parsers.DOMParser.parse(DOMParser.java:246)
          at java.xml/com.sun.org.apache.xerces.internal.jaxp.DocumentBuilderImpl.parse(DocumentBuilderImpl.java:339)
          at com.ibm.wsdl.xml.WSDLReaderImpl.getDocument(WSDLReaderImpl.java:2188)
          ... 22 more
      Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 10.11.1.31 found
          at java.base/sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:165)
          at java.base/sun.security.util.HostnameChecker.match(HostnameChecker.java:101)
          at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:452)
          at java.base/sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:426)
          at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkAdditionalTrust(SSLContextImpl.java:1476)
          at java.base/sun.security.ssl.AbstractTrustManagerWrapper.checkServerTrusted(SSLContextImpl.java:1443)
          at java.base/sun.security.ssl.CertificateMessage$T12CertificateConsumer.checkServerCerts(CertificateMessage.java:638)
          ... 46 more
      

      The content of the certificate used is the following:

      Certificate:
          Data:
              Version: 3 (0x2)
              Serial Number:
                  55:56:64:09:27:49:30:af:ab:9e:19:0a:98:60:25:07:f0:d9:27:d9
              Signature Algorithm: sha256WithRSAEncryption
              Issuer: UID = c-0gpu28lhtt2vp6wwj, CN = ManagementCA, O = EJBCA Container Quickstart
              Validity
                  Not Before: Oct  7 14:05:05 2021 GMT
                  Not After : Oct  7 14:05:04 2023 GMT
              Subject: CN = Registrator
              Subject Public Key Info:
                  Public Key Algorithm: rsaEncryption
                      RSA Public-Key: (3072 bit)
                      Modulus:
                      Exponent: 65537 (0x10001)
              X509v3 extensions:
                  X509v3 Basic Constraints: critical
                      CA:FALSE
                  X509v3 Authority Key Identifier: 
                      keyid:41:6C:92:E4:D1:36:EE:3E:69:9F:34:1B:C1:B1:0E:E6:0D:4C:E4:09
      
                  X509v3 Subject Alternative Name: 
                      DNS:10.11.1.31, IP Address:10.11.1.31
                  X509v3 Extended Key Usage: 
                      TLS Web Client Authentication, E-mail Protection
                  X509v3 Subject Key Identifier: 
                      0B:68:01:9B:9F:B4:A5:89:43:E2:D4:14:29:25:8E:4C:65:5A:43:2D
                  X509v3 Key Usage: critical
                      Digital Signature, Non Repudiation, Key Encipherment
          Signature Algorithm: sha256WithRSAEncryption
      

      As you can see, the IP used (10.11.1.31) is in the Alternative Names part.

      Any idea?

      Best Regards,

       

      Last edit: Santiago 2021-10-07
  • Tomas Gustavsson

    If you go in your web browser to the admin Web you can inspect the certificate.
    Click on the padlock->connection secure (or not secure)->more information->view certificate, check the "common name" value.

    See screenshots.
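    Added example, not from the thread or from EJBCA: a Python checker that applies the JDK's server-identity rule offline to `openssl x509 -text` output, so the two messages in the traces above can be reproduced and explained without a live connection. The sample text is a constructed excerpt of the certificate pasted above; its EKU carries only clientAuth, which the checker also reports, since the certificate to inspect for this error is the one the server presents, not the client certificate in the keystore.

```python
"""Offline reproduction of the JDK's TLS server-identity check.

Added example, not part of EJBCA or of this thread. It parses `openssl x509
-text -noout` output and applies the rules the JDK's HostnameChecker applies
to the server certificate: an IP literal must equal an 'IP Address:' SAN entry;
a DNS name must match a 'DNS:' SAN entry ('*' only as the whole leftmost label);
the subject CN counts only when the certificate has no DNS SAN at all. It also
flags an EKU without serverAuth, which marks a client certificate.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from typing import List, Optional
from urllib.parse import urlsplit

@dataclass
class CertIdentity:
    subject_cn: Optional[str] = None
    dns_names: List[str] = field(default_factory=list)
    ip_addresses: List[str] = field(default_factory=list)
    eku: List[str] = field(default_factory=list)

def parse_openssl_text(text: str) -> CertIdentity:
    """Extract subject CN, SAN entries and EKU names from openssl's text output."""
    ident = CertIdentity()
    lines = [ln.strip() for ln in text.splitlines()]
    for i, line in enumerate(lines):
        nxt = lines[i + 1] if i + 1 < len(lines) else ""
        if line.startswith("Subject:"):
            m = re.search(r"\bCN\s*=\s*([^,]+)", line)
            if m:
                ident.subject_cn = m.group(1).strip()
        elif line.startswith("X509v3 Subject Alternative Name"):
            # Entries follow on the next line, comma separated: "DNS:a, IP Address:b"
            for entry in nxt.split(","):
                kind, _, value = entry.strip().partition(":")
                if kind == "DNS":
                    ident.dns_names.append(value.strip())
                elif kind == "IP Address":
                    ident.ip_addresses.append(value.strip())
        elif line.startswith("X509v3 Extended Key Usage"):
            ident.eku = [e.strip() for e in nxt.split(",") if e.strip()]
    return ident

def _dns_match(pattern: str, host: str) -> bool:
    """Case-insensitive dNSName match; a wildcard covers exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    labels = host.split(".")
    return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]

def check_host_identity(url: str, ident: CertIdentity) -> List[str]:
    """Return the problems the JDK would raise; an empty list means the check passes."""
    host = urlsplit(url).hostname or ""
    problems: List[str] = []
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        # HostnameChecker.matchIP: only iPAddress SAN entries are considered.
        if not any(ipaddress.ip_address(a) == ip for a in ident.ip_addresses):
            problems.append(f"No subject alternative names matching IP address {host} found")
    else:
        # HostnameChecker.matchDNS: dNSName SAN entries, falling back to CN only if none.
        candidates = ident.dns_names or ([ident.subject_cn] if ident.subject_cn else [])
        if not any(_dns_match(c, host) for c in candidates):
            problems.append(f"No subject alternative DNS name matching {host} found")
    if ident.eku and "TLS Web Server Authentication" not in ident.eku:
        problems.append("EKU lacks serverAuth: this is a client certificate, not the server's")
    return problems

# Constructed excerpt of the certificate pasted in the thread (the client certificate).
THREAD_CERT_TEXT = """\
Certificate:
    Data:
        Subject: CN = Registrator
        X509v3 extensions:
            X509v3 Subject Alternative Name:
                DNS:10.11.1.31, IP Address:10.11.1.31
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, E-mail Protection
"""

if __name__ == "__main__":
    ident = parse_openssl_text(THREAD_CERT_TEXT)
    for url in ("https://localhost:8442/ejbca/ejbcaws/ejbcaws",
                "https://10.11.1.31:9443/ejbca/ejbcaws/ejbcaws"):
        print(url, "->", check_host_identity(url, ident) or ["identity OK"])
```

    Feed it the output of `openssl x509 -in server.pem -text -noout` for the certificate the browser shows on the admin web, and the first problem it prints is the hostname the WS URL must use.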

     
    • Santiago

      Santiago - 2021-10-08

      Dear Tomas,

      Thank you very much for your help, I managed to solve the issue. Now I tried to execute the same command again, but unfortunately I got another error, this time regarding the access rules (or at least I think so).

      The error is the following:

      ./ejbcaClientToolBox.sh EjbcaWsRaCli pkcs10req test test /home/sdevicente/tests/FACENDO/demostrador/pki/csr.csr PEM cert
      oct 08, 2021 10:09:18 A. M. org.apache.cxf.wsdl.service.factory.ReflectionServiceFactoryBean buildServiceFromWSDL
      INFORMACIÓN: Creating Service {http://ws.protocol.core.ejbca.org/}EjbcaWSService from WSDL: https://10.11.1.31:9443/ejbca/ejbcaws/ejbcaws?wsdl
      Error : Administrator is not authorized to resource /administrator. Msg: .
      

      The content of the configuration file is the following:

      cat ejbcawsracli.properties 
      # Property file for the web service client. Used to specify
      # URL to web service and path to keystore.
      
      # Web Service URL. Important the hostname MUST match the CN of the server certificate.
      # The wsdl schema location is the URL below with '?wsdl' in the end.
      # For example: https://localhost:8443/ejbca/ejbcaws/ejbcaws?wsdl
      #
      # default: https://localhost:8443/ejbca/ejbcaws/ejbcaws
      # for standalone ejbcaws.war deployment use: https://localhost:8443/ejbcaws/ejbcaws
      ejbcawsracli.url = https://10.11.1.31:9443/ejbca/ejbcaws/ejbcaws
      
      # Path to the keystore used to authenticate the client to the Web Service. 
      # The keystore can be:
      # 1. a java keystore (.jks). If ejbcawsracli.truststore.path is not set the CA certificate of the tomcat server certificate must be in its truststore, and the server certificate is validated against this.
      # 2. a PKCS12 keystore (.p12). If ejbcawsracli.truststore.path is not set an acceptAll truststore policy will then be used so the servers certificate is not verified against a truststore.
      #default : keystore.jks
      ejbcawsracli.keystore.path = ../registrator.p12
      
      # A shared library path to a PKCS#11 so a HSM or smartcard could be used. If ejbcawsracli.truststore.path is not set an acceptAll truststore policy will then be used so the servers certificate is not verified against a truststore.
      #ejbcawsracli.p11.sharedlibrary = /usr/lib/libaetpkss.so
      # The slot number/index/label to be used
      #ejbcawsracli.p11.slot = 0
      #ejbcawsracli.p11.slot = slotlabel
      # The type of the above label
      #ejbcawsracli.p11.slotlabeltype = SLOT_NUMBER
      #ejbcawsracli.p11.slotlabeltype = SLOT_INDEX
      #ejbcawsracli.p11.slotlabeltype = SLOT_LABEL
      
      #Password to unlock the keystore. 
      # Comment out this to prompt for every time the client starts.
      ejbcawsracli.keystore.password = test
      
      # Path to the truststore used to authenticate the Web Services server certificate.
      # If not set settings from the keystore is used, see ejbcawsracli.keystore.path
      #default: not set 
      #ejbcawsracli.truststore.path=
      

      I think it's strange, because the user registrator is in a role with the following access rules (see screenshots).

      Thanks again for your help and best regards,

       
  • Tomas Gustavsson

    The role access rules seem to have Deny on everything except Administrator, so that role will not be able to issue a certificate from a CSR.

    For the role, you mean the certificate serial number is the one on your p12 file? The other entry with "CLI" is only a username/password member, for running the local CLI (ejbca.sh).

     
  • Santiago

    Santiago - 2021-10-18

    Thank you Tomas, after trying a few things I discovered the error as an internal configuration problem with the certificate. Now everything is fine.

     
  • Raul Bove

    Raul Bove - 2023-02-16

    Hi Santiago, sorry to contact you, but I am facing exactly the same problems you had with the EJBCA.
    Could you tell me please the steps you had to take with your certificate to get around your problem?
    I would appreciate a quick response.
    Thank you!

     
  • Santiago

    Santiago - 2023-02-20

    Hi Raul,

    Many things have been discussed in this thread. Could you please point me to the precise problem you have right now? I would be glad to help if I'm able to.

     
