SmartCard Authorization Denied

2011-08-12
2013-02-18
  • Goran Djordjevic

    Dear All,

    I generated RootCA and SubCA certificates using pkcs11 enabled smart cards
    (the keys and generated certs are stored inside smart cards).

    Also I generated User certificate (signed by SubCA) using pkcs11 enabled smart card.
    (the public/private key pair and certificate are loaded inside smart card).
    (CN=Nemanja Dokic)

    The RootCA certificate (CN=RootCA telo) and User certificate (CN=Nemanja Dokic) are stored in the same card.

    The owner of User Certificate (CN=Nemanja Dokic) has role of SuperAdmin (it is defined using Admin GUI).

    When I tried to start Admin GUI, using the smart card with user certificate and Mozilla Firefox, I got error message:
    Authorization Denied
    Cause : Your certificate does not belong to any user. Issuer CN=RootCA telo, L=Beograd,C=RS, serialNo 5aeb09455aaa3d54.

    Inside the smart cards are two certificates:
    - RootCA certificate (CN=RootCA telo) and
    - User certificate (CN=Nemanja Dokic).

    It seems that Firefox only analyzed the first certificate (CN=RootCA telo)
    and skipped the second SuperAdmin certificate (CN=Nemanja Dokic).

    Could you help me to fix the problem?

    Best Regards,
    Goran

     
  • Anonymous - 2011-08-12

    A few questions here:
    - Didn't you get a certificate GUI request in Firefox?  What does it say?
    - Don't you need the subCA in the card or Firefox truststore as well?

    Anders

     
  • Goran Djordjevic

    Dear Anders,

    I imported certificate chains inside the certificate store of Firefox and JBoss application server.

    I tested the identical configuration on three computers (one computer with 32-bit Vista and two computers with 32-bit Windows 7).

    It works correctly on two computers (Vista and Windows 7).

    On the two computers where EJBCA works correctly,
    when I activated the Admin GUI:
    - Firefox opened a window for entering the PIN
    - After I entered the PIN, a window was shown
      where it is possible to select a certificate.
      In the cards there are two certificates:
           * RootCA certificate (CN=RootCA telo)
           * SuperAdmin User certificate (CN=Nemanja Dokic)
      When I select the SuperAdmin certificate (CN=Nemanja Dokic) everything works correctly.

    The problem is present on only one computer (Windows 7).
    When I activated the Admin GUI:
    - Firefox opened a window for entering the PIN
    - After I entered the PIN, the window for selecting a certificate was not shown;
      instead this message was shown:
    Authorization Denied
    Cause : Your certificate does not belong to any user. Issuer CN=RootCA telo, L=Beograd,C=RS, serialNo 5aeb09455aaa3d54.

    Maybe Firefox caused the problem.
    I even cleared the Firefox cache (option: Tools->Clear Recent History…) but nothing changed.

    Best Regards,
    Goran Djordjevic.

     
  • Anonymous - 2011-08-12

    Hi Goran,
    This is not really an EJBCA problem … but have you checked Tools->Options->Advanced->Encryption?
    There is a radio button saying select cert every time.  It should be active.
    I assume that you do not get an option to select the ROOT certificate?
    Does https to 8442 work on all computers?

    Anders

     
  • Goran Djordjevic

    Dear Anders,

    I will check whether the radio button
    Ask me every time
    is selected.

    Maybe it caused the problem.

    Thank you very much for your help.

    Best Regards,
    Goran Djordjevic

     
  • Goran Djordjevic

    Dear Anders,

    You are right.

    The radio button
    Ask me every time
    was not selected
    and it caused the problem.

    Thank you very much for your help.

    Best Regards,
    Goran Djordjevic
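
A way to check the setting that resolved this thread without opening the Options dialog on each machine, as an added example that is not part of the original posts. It assumes the radio button corresponds to the Firefox preference `security.default_personal_cert` (the thread does not name the preference), takes the profile directory as input, and uses constructed sample `prefs.js` content.

```python
import re
import tempfile
from pathlib import Path

PREF = "security.default_personal_cert"  # assumed pref behind the Encryption-tab option
DEFAULT = "Ask Every Time"               # value in effect when the profile does not set it
AUTO = "Select Automatically"

# Matches string prefs, e.g. user_pref("security.default_personal_cert", "Ask Every Time");
LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*"((?:[^"\\]|\\.)*)"\s*\)\s*;', re.M)

def read_pref(text, name=PREF):
    """Return the last string value assigned to `name`, or None if it is not set."""
    value = None
    for key, val in LINE.findall(text):
        if key == name:
            value = val
    return value

def effective_value(profile_dir):
    """Resolve the setting; user.js is read after prefs.js, so it wins if both set it."""
    value = DEFAULT
    for fname in ("prefs.js", "user.js"):
        path = Path(profile_dir) / fname
        if path.is_file():
            found = read_pref(path.read_text(encoding="utf-8", errors="replace"))
            if found is not None:
                value = found
    return value

def audit(profile_dir):
    """Report whether this profile will show the certificate selection dialog."""
    value = effective_value(profile_dir)
    return {"profile": str(profile_dir), "value": value, "prompts_user": value != AUTO}

def make_profile(prefs_text):
    """Build a throwaway profile directory from constructed prefs.js content."""
    profile = Path(tempfile.mkdtemp())
    (profile / "prefs.js").write_text(prefs_text, encoding="utf-8")
    return profile

# Constructed sample data, not taken from the thread.
SAMPLE_AUTO = ('user_pref("browser.startup.page", 3);\n'
               'user_pref("security.default_personal_cert", "Select Automatically");\n')
SAMPLE_UNSET = 'user_pref("browser.startup.page", 3);\n'

if __name__ == "__main__":
    for sample in (SAMPLE_AUTO, SAMPLE_UNSET):
        print(audit(make_profile(sample)))
```

A profile reporting `prompts_user: False` lets the browser pick the client certificate itself, which matches the behaviour on the one failing computer where the RootCA certificate was presented instead of the SuperAdmin one.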

     
