
Error with caCertResponse() method of EJBCAWS

  • SMVN

    SMVN - 2020-09-14

    Hi all,

    I'm using EJBCA WS to create an external CA like this

    1. First, I create an external CA by using WebService: createExternallySignedCa
    2. EJBCA will response me a CSR
    3. From this CSR, I will enroll certificate from an external CA => I got PKCS7 certificate chain.

    From there, if I use EJBCA Admin web to upload PKCS7 file => it is ok

    But, when I use EJBCA WS method caCertResponse, getting the following info and error:

    2020-09-14 06:59:07,300 DEBUG [org.cesecore.util.CertTools] (default task-13) Adding to cacertmap with index 'CN=Management CA,O=Company Name,C=ISO 3166 Country Code'
    2020-09-14 06:59:07,315 DEBUG [org.cesecore.util.CertTools] (default task-13) Looking in cacertmap for 'CN=Management CA,O=Company Name,C=ISO 3166 Country Code'

    • This is the first time calling orderCertificateChain => ok

    2020-09-14 06:59:07,316 DEBUG [org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean] (default task-13) Using CA certificate chain from parameter of size: 2
    2020-09-14 06:59:07,316 DEBUG [org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean] (default task-13) Picked up request certificate chain of size: 2
    2020-09-14 06:59:07,317 DEBUG [org.cesecore.util.CertTools] (default task-13) Adding to cacertmap with index 'CN=Management CA,O=Company Name,C=ISO 3166 Country Code'
    2020-09-14 06:59:07,317 DEBUG [org.cesecore.util.CertTools] (default task-13) Adding to cacertmap with index 'CN=Management CA,O=Company Name,C=ISO 3166 Country Code'
    2020-09-14 06:59:07,317 DEBUG [org.cesecore.util.CertTools] (default task-13) Looking in cacertmap for 'CN=Management CA,O=Company Name,C=ISO 3166 Country Code'
    2020-09-14 06:59:07,317 DEBUG [org.cesecore.util.CertTools] (default task-13) Looking in cacertmap for 'CN=testExternalCA02,O=MySSL,C=US
    2020-09-14 06:59:07,317 DEBUG [org.cesecore.util.CertTools] (default task-13) Dumping keys of CA certificate map:
    2020-09-14 06:59:07,317 DEBUG [org.cesecore.util.CertTools] (default task-13) CN=Management CA,O=Company Name,C=ISO 3166 Country Code
    2020-09-14 06:59:07,317 DEBUG [org.ejbca.core.protocol.ws.EjbcaWS] (default task-13) EJBCA WebService error: java.security.cert.CertPathValidatorException: Error building certificate path. Could find certificate with SubjectDN CN=testExternalCA02,O= MySSL,C=US in certificate map. See debug log for details.
    at org.cesecore.util.CertTools.orderCertificateChain(CertTools.java:4220)
    at org.cesecore.util.CertTools.createCertChain(CertTools.java:4099)
    at org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean.receiveResponse(CAAdminSessionBean.java:1223)

    • This is the second time calling orderCertificateChain and failed

    I also checked the source code around this part, but it is quite complicated and I don't understand why EJBCA is calling this method twice: orderCertificateChain. It fails the second time because EJBCA has modified the input after the first call.

    Could you please have a look? I'm ready to provide source code to reproduce this error if needed.

    Thanks and best regards!

  • Tomas Gustavsson

    Hi,

    I see two strange things in your log.

    It seems the cert you have received has an additional space in front of the organization. The received certificate from the Root CA must match the DN of the Sub CA you create. I don't think the space in front of MySSL should be there.

    CN=testExternalCA02,O= MySSL,C=US

    Second thing, your Management CA has an invalid country code. I don't think this affects this specific issue, but you should consider remaking this.

    "CN=Management CA,O=Company Name,C=ISO 3166 Country Code"

    C should be a two letter ISO 3166 Country code, i.e. SE, US, DE, FR, etc.

    Cheers,
    Tomas
    Save time and money with an Enterprise support subscription. Please see www.primekey.com for more information.
    https://www.primekey.com/products/software/

  • SMVN

    SMVN - 2020-09-15

    Hi Tomas,

    Thank you for your reply. Actually, I'm asking here for quick support because in order to work with PrimeKey support, I must request another team to process that.

    For the space in the DN, I just checked again; it was my typing error. You can see in the application log that there is no space at that position:

    ====================================
    2020-09-14 06:59:07,317 DEBUG [org.cesecore.util.CertTools] (default task-13) Looking in cacertmap for 'CN=testExternalCA02,O=MySSL,C=US

    ====================================

    For the second thing, I've tried with another CA with a valid country code and still get the same error.

    The weird thing I see in the log is that we're executing the orderCertificateChain method two times.
    In my example, the input is cachain and contains the user certificate and one root certificate (two certificates in total).
    EJBCA processes it like this (I'm using EJBCA 7.4.0 Enterprise (r35253)):

    List<Certificate> tmpchain = new ArrayList<>();
    tmpchain.add(cacert);
    // you can see line 1165 of CAAdminSessionBean.java
    // cacert is the user certificate
    .......
    List<Certificate> reqchain = CertTools.createCertChain(cachain, verifydate);
    // you can see line 1182 of CAAdminSessionBean.java
    // this createCertChain method will call orderCertificateChain for the first time
    // reqchain will contain user certificate and root certificate
    ......
    // you can see line 1222 of CAAdminSessionBean.java
    tmpchain.addAll(reqchain);
    CertTools.createCertChain(cachain, verifydate);

    The error comes from this line: the input has been modified to contain three certificates => error as in the log.

    You can see the full log here
    https://pastebin.com/GBTzxbR8

    Please also check my p7b in the attachment.

  • SMVN

    SMVN - 2020-09-15

    Here it is EJBCA 7.4.0 Enterprise (r35253)

  • Tomas Gustavsson

    How do you call caCertResponse? There are two parameters: one is the user cert and the other is the CA chain. I.e., the response certificate should not be part of the CA chain that you input.

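A worked illustration of the split Tomas describes (an added example, not code from this thread or from EJBCA): parse the PKCS#7 bundle returned by the external CA, pick out the newly issued sub-CA certificate by its subject DN, and build the issuer-only chain that belongs in the cachain parameter, leaving the response certificate out of it. The class name, the split method and the subCaSubjectDn argument are assumptions; the java.security.cert and X500Principal calls are standard JDK APIs.

```java
import java.io.ByteArrayInputStream;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.*;
import javax.security.auth.x500.X500Principal;

// Hypothetical helper (not EJBCA code): splits the external CA's .p7b into the two caCertResponse inputs.
public final class CaResponseSplitter {
    public final X509Certificate issued;       // the new sub-CA certificate -> 'cert' parameter, on its own
    public final List<X509Certificate> chain;  // issuers only, issuer first, root last -> 'cachain' parameter

    private CaResponseSplitter(X509Certificate issued, List<X509Certificate> chain) {
        this.issued = issued;
        this.chain = chain;
    }

    public static CaResponseSplitter split(byte[] p7b, String subCaSubjectDn) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        // Index by canonical RFC 2253 name: whitespace and case are normalized, so a stray
        // space such as "O= MySSL" in the lookup string does not cause a false "not found".
        Map<String, X509Certificate> bySubject = new HashMap<>();
        // generateCertificates accepts a PKCS#7 SignedData bundle as well as bare certificates
        for (Certificate c : cf.generateCertificates(new ByteArrayInputStream(p7b))) {
            X509Certificate x = (X509Certificate) c;
            if (bySubject.put(x.getSubjectX500Principal().getName(X500Principal.CANONICAL), x) != null) {
                throw new IllegalArgumentException("duplicate subject in bundle: " + x.getSubjectX500Principal());
            }
        }
        X509Certificate issued = bySubject.get(new X500Principal(subCaSubjectDn).getName(X500Principal.CANONICAL));
        if (issued == null) {
            throw new IllegalArgumentException("bundle has no certificate for " + subCaSubjectDn);
        }
        // Walk issuer links upward, verifying each signature, until a self-signed root is reached.
        // The issued certificate itself is deliberately left out of 'chain'.
        List<X509Certificate> chain = new ArrayList<>();
        X509Certificate current = issued;
        while (!current.getIssuerX500Principal().equals(current.getSubjectX500Principal())) {
            X509Certificate issuer = bySubject.get(current.getIssuerX500Principal().getName(X500Principal.CANONICAL));
            if (issuer == null) {
                throw new IllegalArgumentException("issuer missing from bundle: " + current.getIssuerX500Principal());
            }
            current.verify(issuer.getPublicKey());   // throws if the link is not genuine
            chain.add(issuer);
            current = issuer;
        }
        return new CaResponseSplitter(issued, chain);
    }
}
```

The WS call then takes issued.getEncoded() as the certificate and the getEncoded() form of each element of chain as the CA chain list.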
  • SMVN

    SMVN - 2020-09-15

    Hi Tomas,

    It is great, I just removed the user certificate from the cert chain and then it works.

    The reason I put the whole cert chain into this method is that the SignServer web service has a similar function, and it is OK with the full cert chain.

    Thank you very much for your support!

  • Tomas Gustavsson

    Glad that it worked.
    There is a JUnit regression test of caCertResponse, so I checked how it was done there (src/modules/systemtests).

  • SMVN

    SMVN - 2020-09-15

    Hi Tomas,

    Yes, so sorry for missing that part.

    Thanks and best regards!

  • Tomas Gustavsson

    Sorry, it was not meant as criticism. I just put the information there so that you can find the test code in the future if needed.

    Best Regards,
    Tomas

  • SMVN

    SMVN - 2020-09-15

    Hi Tomas,

    Fully agree with you about that.
