From: Nikita B. <nik...@gs...> - 2017-02-09 13:10:49
Hi,
Thanks for the pointers.
I am using EJBCA 6.3.1.1 Community (r21429)
I tried clientToolBox today on this version of EJBCA.
My command looked like:
./ejbcaClientToolBox.sh EjbcaWsRaCli certreq mgmtUser "CN=mgmtUser,C=SE" NULL ICA12 "Client EndEntity Profile" "Client Cert Profile" ./csr.pem PKCS10 PEM NONE .
which generated the mgmtUser.pem certificate file. However, this certificate
did not have the subjectDN overridden. It was the same 'CN=mgmtUser,C=SE' given
in the request and not the one given while creating the CSR.
Again, when trying this same CSR file with the public web call, it returned the
overridden subjectDN in the certificate.
I then tried the DER format for the above request:
./ejbcaClientToolBox.sh EjbcaWsRaCli certreq mgmtUser "CN=mgmtUser,C=SE" NULL ICA12 "Client EndEntity Profile" "Client Cert Profile" ./dercsr.der PKCS10 DER NONE .
However it returned:

com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Unmarshalling Error: Illegal character ((CTRL-CHAR, code 2))
 at [row,col {unknown-source}]: [1,530] Please see the server log to find more detail regarding exact cause of the failure.
org.ejbca.ui.cli.ErrorAdminCommandException: com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Unmarshalling Error: Illegal character ((CTRL-CHAR, code 2))
 at [row,col {unknown-source}]: [1,530] Please see the server log to find more detail regarding exact cause of the failure.
    at org.ejbca.core.protocol.ws.client.CertificateRequestCommand.execute(CertificateRequestCommand.java:146)
    at org.ejbca.core.protocol.ws.client.ejbcawsracli.main(ejbcawsracli.java:36)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.ejbca.ui.cli.EjbcaWsRaCli.execute(EjbcaWsRaCli.java:36)
    at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
    at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:66)
Caused by: com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Unmarshalling Error: Illegal character ((CTRL-CHAR, code 2))
 at [row,col {unknown-source}]: [1,530] Please see the server log to find more detail regarding exact cause of the failure.
    at com.sun.xml.internal.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:178)
    at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:116)
    at com.sun.xml.internal.ws.client.sei.StubHandler.readResponse(StubHandler.java:238)
    at com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(DatabindingImpl.java:189)
    at com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(DatabindingImpl.java:276)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:104)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:77)
    at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:147)
    at com.sun.proxy.$Proxy32.certificateRequest(Unknown Source)
    at org.ejbca.core.protocol.ws.client.CertificateRequestCommand.execute(CertificateRequestCommand.java:111)
    ... 8 more
I did make sure that the generated CSR is in proper DER format. However, I
will look into it more.
Regards,
Nikita Bedmutha
Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>
<http://www.linkedin.com/in/nikitabedmutha>
On Thu, Feb 9, 2017 at 2:46 PM, Tomas Gustavsson <to...@pr...> wrote:
>
> What version of EJBCA are you using btw?
>
> I'm using this WS command:
>
> ./ejbcaClientToolBox.sh EjbcaWsRaCli certreq req9
> "CN=req9,O=Edited,C=SE" NULL ManagementCA User Client ./p10.der PKCS10
> DER NONE .
>
> My CSR has subjectDN:
> C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=req9
>
> If I have enabled "Allow Subject DN Override by CSR" in the Certificate
> Profile "Client", my issued certificate gets the DN from the p10.
>
> If you try using clientToolBox first, then you will know if/how the
> feature works, and then you can try to translate it to SOAP-UI (you can
> even debug log the full SOAP messages).
>
> Regards,
> Tomas
> ---
> RSA Conference 2017
> ------------------------------------------------------------------
> San Francisco | February 13-17 | Moscone Center
> Come visit us in booth #627 at RSA Conference 2017!
>
> Want a free expo pass?
> Go to https://www.rsaconference.com/events/us17/register
> and use the code: XE7PRMKEY
>
> On 2017-02-08 14:35, Nikita Bedmutha wrote:
> > Serious apologies for sending incomplete data. Well, I observed the
> > Debug logs for both the calls, call from web service and call from
> > public web. Here are my observations:
> >
> > 1. For the pkcs10Request webservice call through SOAP UI, the INFO log
> > has an entry:
> > CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=AdminUser,O=My Organization,C=SE;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=null;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB
> >
> > where, requestX500name=null
> >
> > 2. For public web 'Create Certificate from CSR' call:
> > CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;RequestInstance: 123.252.222.122;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB
> >
> > where, requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK
> >
> > Both the calls use same CSR, also same certificate profile is being used
> > in both cases and the public key extracted from CSR also looks same.
> >
> > However, in case of public web call we see a log statement, 'Using
> > X509Name from request instead of user's registered.' which is missing in
> > webservice call log and only 'Using subjectDN: CN=user1,OU=GSL,C=IN' can
> > be seen.
> > I suspect this could be because requestX500name is null in case of
> > webservice call.
> >
> > However, we are using same CSR and so this behaviour is bit confusing.
> > If this info can help. Thanks.
> >
> > Regards,
> > Nikita Bedmutha
> > Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>
> > <http://www.linkedin.com/in/nikitabedmutha>
> >
> > On Wed, Feb 8, 2017 at 3:21 PM, Tomas Gustavsson <to...@pr...> wrote:
> >
> >
> > I can only re-iterate here:
> >
> > ---
> > Debug logging will show in detail all decisions regarding override or not
> > that it takes during certificate issuance.
> > ---
> >
> > For more information about logging, how to configure debug etc, see
> > https://www.ejbca.org/docs/adminguide.html#Logging
> >
> > /Tomas
> >
> > On 2017-02-08 10:10, Nikita Bedmutha wrote:
> > > Hi,
> > >
> > > I know this must be the very basic requirement to get the certificate
> > > with subject DN overridden. But I have tried my best with all settings
> > > but no clue what's going wrong.
> > > I have a user 'user1' which is created with a 'Client endentity profile'
> > > which uses default cert profile as 'Client Cert Profile'. This
> > > certificate profile has 'Allow subject DN override by CSR' and 'Allow
> > > subject DN override by End Entity Information' checked. In the case
> > > where both are checked, documentation says that DN will be
> > > overridden by CSR.
> > >
> > > Now I make this SOAP call for pkcs10Request:
> > > Body:
> > > <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> > >                   xmlns:ws="http://ws.protocol.core.ejbca.org/">
> > > <soapenv:Header/>
> > > <soapenv:Body>
> > > <ws:pkcs10Request>
> > > <!--Optional:-->
> > > <arg0>user1</arg0>
> > > <!--Optional:-->
> > > <arg1>password</arg1>
> > > <!--Optional:-->
> > > <arg2>-----BEGIN CERTIFICATE REQUEST-----
> > > MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCT08xCzAJBgNVBAgMAktLMQswCQYDVQQH
> > > DAJQUDELMAkGA1UECgwCSkoxCzAJBgNVBAsMAkxMMQswCQYDVQQDDAJLSzCCASIw
> > > DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOvNjuie1L0SwkomYo+L7NIJLOHQ
> > > nfc2T40eJPFGwek3anbgNFrLedFX0MFgW8k2JQM6CF14xa88z8pSaecsr46yJIhF
> > > Cn+440zN3ecRy6k7umotmuYMtqGc7Hl2Y+S/+GSNo+UHR1QMkD30iU15S7FVEII0
> > > 2O9y74yaMZgP4PCIeiGSxngybMY4p3TQEXHmnPg4Or8my2OcYZDIQ6Jr4opZjsPB
> > > fJvVgl746KseurPG7dRXD+U+4eicDU6JISm1btpa/RqdAZhNvVSyyEvScyF72jFW
> > > LqNnrVdDibSPcSZpEXnwotsy4MCLMhBmNEAmNkWOTia5wv+0wVWIo1NLum8CAwEA
> > > AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB9KtGBwZA7W+haj6OUXsj83qTKLv+o3cjk
> > > RPDqVYIRaRQqcacf5z9TXLH1+gQ63Q1RZzG6U9t4TnhzitVQxa2nSk0k/mNTrecp
> > > 1G+pqRg1eQ91Yq/fbAg5gOc4tHXcNwGJ/WvbMJYmQ1OOHgzxn1IYM1yEz6ZqgsEC
> > > EtiGlRlfEBO4TAdHcf/HVgOWXVsCP+QF7/ibk8q6BYbGZGpzSZ/ZLSDtauKxpP8z
> > > ++VLGGTuIO4CMLuqDzhHtmnGD0EzwdKf8koeLfAXSj5AjfWUrVJA1P7xoZfUJrg/
> > > fLK3lnrKOP6K5CG1HyCvJt4c8NFqgdH22LMtWJ113QKgPtGZzWAu
> > > -----END CERTIFICATE REQUEST-----</arg2>
> > > <!--Optional:-->
> > > <arg3></arg3>
> > > <!--Optional:-->
> > > <arg4>CERTIFICATE</arg4>
> > > </ws:pkcs10Request>
> > > </soapenv:Body>
> > > </soapenv:Envelope>
> > >
> > >
> > > I even made call without '-----BEGIN CERTIFICATE REQUEST-----' and
> > > '-----END CERTIFICATE REQUEST-----' but no success.
> > > In both cases, the certificate generated still uses the subject DN which
> > > was used while creating the user. I tried this webservice call using
> > > SOAP-UI as well as eclipse code. Only when the call is made using public
> > > web 'Create certificate from CSR' or cli command, the subject DN is
> > > overridden. For some reason unable to achieve it through web service
> > > call. Kindly guide me if I am doing anything wrong here.
> > >
> > >
> > >
> > > Regards,
> > > Nikita Bedmutha
> > > Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>
> > > <http://www.linkedin.com/in/nikitabedmutha>
> > >
> > >
> > > On Fri, Feb 3, 2017 at 5:35 AM, Tomas Gustavsson <to...@pr...> wrote:
> > >
> > >
> > > It is very common to do this using WS so there is probably something
> > > wrong with your call. Are you using the correct certificate profile in
> > > your WS call?
> > >
> > > Debug logging will show in detail all decisions regarding override or not
> > > that it takes during certificate issuance.
> > >
> > > Regards,
> > > Tomas
> > >
> > > On 2017-02-02 04:44, Nikita Bedmutha wrote:
> > > > Sorry for spamming, but just correcting the query:
> > > >
> > > > I want to make a certificate request which uses the subject DN from CSR
> > > > and not the registered end entity subject DN. I am using the
> > > > certificate profile which has 'Allow subject DN override by CSR'
> > > > checked. However the web service requests 'pkcs10Request' as well as
> > > > 'certificateRequest' do not return certificates with subject DN
> > > > overridden by the CSR but use the registered DN only.
> > > >
> > > > On the other hand, using the same CSR, the public web call 'Create
> > > > Certificate from CSR' as well as the 'createcert' CLI command generates
> > > > a certificate which has the subject DN overridden by the CSR.
> > > >
> > > > Your inputs would really be very helpful.
> > > > Thanks.
> > > >
> > > > Regards,
> > > > Nikita Bedmutha
> > > >
> > > >
> > > >
> > > > On Wed, Feb 1, 2017 at 4:50 PM, Nikita Bedmutha <nik...@gs...> wrote:
> > > >
> > > > Hi,
> > > >
> > > > I have a user (end-entity) created using a certificate profile which
> > > > has 'Allow Subject DN override' checked. This end-entity is
> > > > registered with Token as User Generated.
> > > > When I use 'Create Certificate from CSR' option on public web, I get
> > > > the certificate with the subject DN used while creating the CSR and
> > > > not the registered DN.
> > > > Now I want to achieve same using web service call. I tried the
> > > > 'certificateRequest' and 'pkcs10' request with the same CSR that I
> > > > used in previous Public web call. But in the web service call case,
> > > > I get certificate with the registered DN and not overridden by the CSR.
> > > >
> > > > Kindly guide me how to achieve this.
> > > >
> > > > Thanks and Regards,
> > > > Nikita
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Check out the vibrant tech community on one of the world's most
> > > > engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> > > >
> > > > _______________________________________________
> > > > Ejbca-develop mailing list
> > > > Ejb...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
> > > >
From: Tomas G. <to...@pr...> - 2017-02-09 09:16:59

What version of EJBCA are you using btw?

I'm using this WS command:

./ejbcaClientToolBox.sh EjbcaWsRaCli certreq req9 "CN=req9,O=Edited,C=SE" NULL ManagementCA User Client ./p10.der PKCS10 DER NONE .

My CSR has subjectDN:
C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=req9

If I have enabled "Allow Subject DN Override by CSR" in the Certificate Profile "Client", my issued certificate gets the DN from the p10.

If you try using clientToolBox first, then you will know if/how the feature works, and then you can try to translate it to SOAP-UI (you can even debug log the full SOAP messages).

Regards,
Tomas

On 2017-02-08 14:35, Nikita Bedmutha wrote:
> Serious apologies for sending incomplete data. Well, I observed the
> Debug logs for both the calls, call from web service and call from
> public web. Here are my observations:
>
> 1. For the pkcs10Request webservice call through SOAP UI, the INFO log
> has an entry:
> CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=AdminUser,O=My Organization,C=SE;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=null;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB
>
> where, requestX500name=null
>
> 2. For public web 'Create Certificate from CSR' call:
> CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;RequestInstance: 123.252.222.122;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB
>
> where, requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK
>
> Both the calls use same CSR, also same certificate profile is being used
> in both cases and the public key extracted from CSR also looks same.
>
> However, in case of public web call we see a log statement, 'Using
> X509Name from request instead of user's registered.' which is missing in
> webservice call log and only 'Using subjectDN: CN=user1,OU=GSL,C=IN' can
> be seen.
> I suspect this could be because requestX500name is null in case of
> webservice call.
>
> However, we are using same CSR and so this behaviour is bit confusing.
> If this info can help. Thanks.
>
> Regards,
> Nikita Bedmutha
> Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>
> <http://www.linkedin.com/in/nikitabedmutha>
From: Tomas G. <to...@pr...> - 2017-02-09 08:33:45
|
Right, currently only SHA256 is available. Do you have a standard use case
where SHA-384 is needed? To motivate adding the feature.
Adding algorithms for "soft" keystores is actually quite simple; only with
HSMs is it more tricky, since currently PSS requires Java patches to work
with HSMs for that algorithm.

Regards,
Tomas
---
Save time and money with an Enterprise support subscription.
Please see www.primekey.se for more information.
https://www.primekey.se/technologies/products-overview/
https://www.primekey.se/service-support/support/

On 2017-02-08 18:07, Bruce Bernstein wrote:
> Has anyone been able to coerce ejbca community edition to issue
> certificates signed with RSASSA-PSS format SHA-384? It seems from the
> docs that this is only available with the enterprise edition using HSM.
> We need a software solution, preferably with software encoding. Any
> pointers would be appreciated.
>
> Thanks,
> Bruce
|
|
From: Bruce B. <br...@id...> - 2017-02-08 17:35:21
|
Has anyone been able to coerce ejbca community edition to issue certificates signed with RSASSA-PSS format SHA-384? It seems from the docs that this is only available with the enterprise edition using HSM. We need a software solution, preferably with software encoding. Any pointers would be appreciated. Thanks, Bruce |
|
From: Nikita B. <nik...@gs...> - 2017-02-08 13:35:40
|
Serious apologies for sending incomplete data.

Well, I observed the debug logs for both calls, the call from the web service
and the call from the public web. Here are my observations:

1. For the pkcs10Request web service call through SOAP UI, the INFO log has
an entry:

CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=AdminUser,O=My Organization,C=SE;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=null;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB

where requestX500name=null

2. For the public web 'Create Certificate from CSR' call:

CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;RequestInstance: 123.252.222.122;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB

where requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK

Both calls use the same CSR, the same certificate profile is used in both
cases, and the public key extracted from the CSR also looks the same.
However, in the case of the public web call we see a log statement,
'Using X509Name from request instead of user's registered.', which is
missing in the web service call log, where only
'Using subjectDN: CN=user1,OU=GSL,C=IN' can be seen.
I suspect this could be because requestX500name is null in the case of the
web service call. However, we are using the same CSR and so this behaviour
is a bit confusing.

If this info can help. Thanks.

Regards,
Nikita Bedmutha
Software Engineer, Great Software Laboratory <http://www.gslab.com/>

On Wed, Feb 8, 2017 at 3:21 PM, Tomas Gustavsson <to...@pr...> wrote:
>
> I can only re-iterate here:
>
> ---
> Debug logging will show in detail all decisions regarding override or not
> that it takes during certificate issuance.
> ---
>
> For more information about logging, how to configure debug etc, see
> https://www.ejbca.org/docs/adminguide.html#Logging
>
> /Tomas
|
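The two audit lines in the message above differ only in requestX500name. The first thing to pin down is what subject the CSR itself carries, independently of the CA, and then whether the CA logged that DN for the request. The script below is an added example, not EJBCA code and not something from the thread: it walks the DER of the CSR posted in this thread with the standard library only, prints its subject in encoded order, and compares it with the requestX500name field of an audit line. AUDIT_WS and AUDIT_WEB are constructed from the two lines quoted above (e-mail wrapping removed, publickey field dropped); the assumption that an audit line has eight positional fields before the key=value details is taken from those two lines only, and all function names are this example's own.

```python
# Added example (not EJBCA code): decode the subject the posted CSR carries and
# compare it with the requestX500name field of an EJBCA CERT_REQUEST audit line.
import base64

# Attribute types present in the posted subject, by OID.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L", "2.5.4.8": "ST",
             "2.5.4.10": "O", "2.5.4.11": "OU"}

# The CSR from the pkcs10Request call quoted in this thread.
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCT08xCzAJBgNVBAgMAktLMQswCQYDVQQH
DAJQUDELMAkGA1UECgwCSkoxCzAJBgNVBAsMAkxMMQswCQYDVQQDDAJLSzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOvNjuie1L0SwkomYo+L7NIJLOHQ
nfc2T40eJPFGwek3anbgNFrLedFX0MFgW8k2JQM6CF14xa88z8pSaecsr46yJIhF
Cn+440zN3ecRy6k7umotmuYMtqGc7Hl2Y+S/+GSNo+UHR1QMkD30iU15S7FVEII0
2O9y74yaMZgP4PCIeiGSxngybMY4p3TQEXHmnPg4Or8my2OcYZDIQ6Jr4opZjsPB
fJvVgl746KseurPG7dRXD+U+4eicDU6JISm1btpa/RqdAZhNvVSyyEvScyF72jFW
LqNnrVdDibSPcSZpEXnwotsy4MCLMhBmNEAmNkWOTia5wv+0wVWIo1NLum8CAwEA
AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB9KtGBwZA7W+haj6OUXsj83qTKLv+o3cjk
RPDqVYIRaRQqcacf5z9TXLH1+gQ63Q1RZzG6U9t4TnhzitVQxa2nSk0k/mNTrecp
1G+pqRg1eQ91Yq/fbAg5gOc4tHXcNwGJ/WvbMJYmQ1OOHgzxn1IYM1yEz6ZqgsEC
EtiGlRlfEBO4TAdHcf/HVgOWXVsCP+QF7/ibk8q6BYbGZGpzSZ/ZLSDtauKxpP8z
++VLGGTuIO4CMLuqDzhHtmnGD0EzwdKf8koeLfAXSj5AjfWUrVJA1P7xoZfUJrg/
fLK3lnrKOP6K5CG1HyCvJt4c8NFqgdH22LMtWJ113QKgPtGZzWAu
-----END CERTIFICATE REQUEST-----"""

# Constructed audit lines modelled on the two quoted in the thread (wrapping removed,
# publickey dropped). Assumption: eight positional fields, then key=value details.
AUDIT_WS = ("CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=AdminUser,O=My Organization,C=SE;"
            "-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=null;"
            "certprofile=1681037015;keyusage=-1")
AUDIT_WEB = ("CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;RequestInstance: 123.252.222.122;"
             "-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;"
             "requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK;certprofile=1681037015")


def read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]: (tag, contents, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Dotted-decimal form of the content octets of a DER OBJECT IDENTIFIER."""
    arcs, value = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:                   # last base-128 digit of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def csr_subject_dn(pem):
    """Subject of a PEM PKCS#10 request as 'C=..,ST=..,...' in encoded order."""
    b64 = "".join(l.strip() for l in pem.splitlines() if not l.startswith("-----"))
    der = base64.b64decode(b64, validate=True)
    tag, cert_req, _ = read_tlv(der, 0)            # CertificationRequest
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, cri, _ = read_tlv(cert_req, 0)               # certificationRequestInfo
    tag, version, pos = read_tlv(cri, 0)            # INTEGER version, 0 for PKCS#10
    if tag != 0x02 or version != b"\x00":
        raise ValueError("unexpected CSR version")
    _, name, _ = read_tlv(cri, pos)                 # subject Name: SEQUENCE OF RDN
    rdns, pos = [], 0
    while pos < len(name):
        _, rdn, pos = read_tlv(name, pos)           # SET OF AttributeTypeAndValue
        inner = 0
        while inner < len(rdn):
            _, atv, inner = read_tlv(rdn, inner)
            _, oid, p = read_tlv(atv, 0)
            _, value, _ = read_tlv(atv, p)          # PrintableString or UTF8String
            oid = decode_oid(oid)
            rdns.append(f"{OID_NAMES.get(oid, oid)}={value.decode('utf-8')}")
    return ",".join(rdns)


def audit_details(line):
    """key=value details of an audit line (everything after the 8 fixed fields)."""
    details = {}
    for item in line.split(";")[8:]:
        key, _, value = item.partition("=")
        details[key] = value
    return details


def override_check(pem, line):
    """What the CSR says versus what the CA logged for the request."""
    details = audit_details(line)
    csr_dn = csr_subject_dn(pem)
    logged = details.get("requestX500name")
    if logged in ("", "null"):         # 'null' is what the WS call logged above
        logged = None
    return {"csr_dn": csr_dn, "registered_dn": details.get("subjectdn"),
            "logged_request_dn": logged, "csr_matches_logged": logged == csr_dn}
```

csr_subject_dn(CSR_PEM) returns C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK, the same value the public-web audit line logged as requestX500name, so the CSR itself is not the problem; for the web service line the function reports no logged request DN at all, which is the difference to chase in the debug log. The DER walk is deliberately minimal (single-byte tags, no attribute or signature parsing); for anything beyond this check, use a full ASN.1 library.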
|
From: Tomas G. <to...@pr...> - 2017-02-08 09:52:07
|
I can only re-iterate here:

---
Debug logging will show in detail all decisions regarding override or not
that it takes during certificate issuance.
---

For more information about logging, how to configure debug etc, see
https://www.ejbca.org/docs/adminguide.html#Logging

/Tomas

On 2017-02-08 10:10, Nikita Bedmutha wrote:
> Hi,
>
> I know this must be the very basic requirement to get the certificate
> with subject DN overridden. But I have tried my best with all settings
> but no clue what's going wrong.
> I have a user 'user1' which is created with a 'Client endentity profile'
> which uses 'Client Cert Profile' as the default cert profile. This
> certificate profile has 'Allow subject DN override by CSR' and 'Allow
> subject DN override by End Entity Information' checked. In the case
> where both are checked, documentation says that the DN will be overridden by the CSR.
>
> Now I make this SOAP call for pkcs10Request:
> Body:
> <soapenv:Envelope
> xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> xmlns:ws="http://ws.protocol.core.ejbca.org/">
> <soapenv:Header/>
> <soapenv:Body>
> <ws:pkcs10Request>
> <!--Optional:-->
> <arg0>user1</arg0>
> <!--Optional:-->
> <arg1>password</arg1>
> <!--Optional:-->
> <arg2>-----BEGIN CERTIFICATE REQUEST-----
> MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCT08xCzAJBgNVBAgMAktLMQswCQYDVQQH
> DAJQUDELMAkGA1UECgwCSkoxCzAJBgNVBAsMAkxMMQswCQYDVQQDDAJLSzCCASIw
> DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOvNjuie1L0SwkomYo+L7NIJLOHQ
> nfc2T40eJPFGwek3anbgNFrLedFX0MFgW8k2JQM6CF14xa88z8pSaecsr46yJIhF
> Cn+440zN3ecRy6k7umotmuYMtqGc7Hl2Y+S/+GSNo+UHR1QMkD30iU15S7FVEII0
> 2O9y74yaMZgP4PCIeiGSxngybMY4p3TQEXHmnPg4Or8my2OcYZDIQ6Jr4opZjsPB
> fJvVgl746KseurPG7dRXD+U+4eicDU6JISm1btpa/RqdAZhNvVSyyEvScyF72jFW
> LqNnrVdDibSPcSZpEXnwotsy4MCLMhBmNEAmNkWOTia5wv+0wVWIo1NLum8CAwEA
> AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB9KtGBwZA7W+haj6OUXsj83qTKLv+o3cjk
> RPDqVYIRaRQqcacf5z9TXLH1+gQ63Q1RZzG6U9t4TnhzitVQxa2nSk0k/mNTrecp
> 1G+pqRg1eQ91Yq/fbAg5gOc4tHXcNwGJ/WvbMJYmQ1OOHgzxn1IYM1yEz6ZqgsEC
> EtiGlRlfEBO4TAdHcf/HVgOWXVsCP+QF7/ibk8q6BYbGZGpzSZ/ZLSDtauKxpP8z
> ++VLGGTuIO4CMLuqDzhHtmnGD0EzwdKf8koeLfAXSj5AjfWUrVJA1P7xoZfUJrg/
> fLK3lnrKOP6K5CG1HyCvJt4c8NFqgdH22LMtWJ113QKgPtGZzWAu
> -----END CERTIFICATE REQUEST-----</arg2>
> <!--Optional:-->
> <arg3></arg3>
> <!--Optional:-->
> <arg4>CERTIFICATE</arg4>
> </ws:pkcs10Request>
> </soapenv:Body>
> </soapenv:Envelope>
>
> I even made the call without '-----BEGIN CERTIFICATE REQUEST-----' and
> '-----END CERTIFICATE REQUEST-----' but no success.
> In both cases, the certificate generated still uses the subject DN which
> was used while creating the user. I tried this web service call using
> SOAP-UI as well as Eclipse code. Only when the call is made using the public
> web 'Create certificate from CSR' or the CLI command is the subject DN
> overridden. For some reason I am unable to achieve it through the web service
> call. Kindly guide me if I am doing anything wrong here.
>
> Regards,
> Nikita Bedmutha
> Software Engineer, Great Software Laboratory <http://www.gslab.com/>
|
|
From: Nikita B. <nik...@gs...> - 2017-02-08 09:40:34
|
Hi,

I know this must be the very basic requirement to get the certificate
with subject DN overridden. But I have tried my best with all settings
but no clue what's going wrong.
I have a user 'user1' which is created with a 'Client endentity profile'
which uses 'Client Cert Profile' as the default cert profile. This
certificate profile has 'Allow subject DN override by CSR' and 'Allow
subject DN override by End Entity Information' checked. In the case
where both are checked, documentation says that the DN will be overridden by the CSR.

Now I make this SOAP call for pkcs10Request:
Body:
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ws="http://ws.protocol.core.ejbca.org/">
<soapenv:Header/>
<soapenv:Body>
<ws:pkcs10Request>
<!--Optional:-->
<arg0>user1</arg0>
<!--Optional:-->
<arg1>password</arg1>
<!--Optional:-->
<arg2>-----BEGIN CERTIFICATE REQUEST-----
MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCT08xCzAJBgNVBAgMAktLMQswCQYDVQQH
DAJQUDELMAkGA1UECgwCSkoxCzAJBgNVBAsMAkxMMQswCQYDVQQDDAJLSzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOvNjuie1L0SwkomYo+L7NIJLOHQ
nfc2T40eJPFGwek3anbgNFrLedFX0MFgW8k2JQM6CF14xa88z8pSaecsr46yJIhF
Cn+440zN3ecRy6k7umotmuYMtqGc7Hl2Y+S/+GSNo+UHR1QMkD30iU15S7FVEII0
2O9y74yaMZgP4PCIeiGSxngybMY4p3TQEXHmnPg4Or8my2OcYZDIQ6Jr4opZjsPB
fJvVgl746KseurPG7dRXD+U+4eicDU6JISm1btpa/RqdAZhNvVSyyEvScyF72jFW
LqNnrVdDibSPcSZpEXnwotsy4MCLMhBmNEAmNkWOTia5wv+0wVWIo1NLum8CAwEA
AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB9KtGBwZA7W+haj6OUXsj83qTKLv+o3cjk
RPDqVYIRaRQqcacf5z9TXLH1+gQ63Q1RZzG6U9t4TnhzitVQxa2nSk0k/mNTrecp
1G+pqRg1eQ91Yq/fbAg5gOc4tHXcNwGJ/WvbMJYmQ1OOHgzxn1IYM1yEz6ZqgsEC
EtiGlRlfEBO4TAdHcf/HVgOWXVsCP+QF7/ibk8q6BYbGZGpzSZ/ZLSDtauKxpP8z
++VLGGTuIO4CMLuqDzhHtmnGD0EzwdKf8koeLfAXSj5AjfWUrVJA1P7xoZfUJrg/
fLK3lnrKOP6K5CG1HyCvJt4c8NFqgdH22LMtWJ113QKgPtGZzWAu
-----END CERTIFICATE REQUEST-----</arg2>
<!--Optional:-->
<arg3></arg3>
<!--Optional:-->
<arg4>CERTIFICATE</arg4>
</ws:pkcs10Request>
</soapenv:Body>
</soapenv:Envelope>

I even made the call without '-----BEGIN CERTIFICATE REQUEST-----' and
'-----END CERTIFICATE REQUEST-----' but no success.
In both cases, the certificate generated still uses the subject DN which
was used while creating the user. I tried this web service call using
SOAP-UI as well as Eclipse code. Only when the call is made using the public
web 'Create certificate from CSR' or the CLI command is the subject DN
overridden. For some reason I am unable to achieve it through the web service
call. Kindly guide me if I am doing anything wrong here.

Regards,
Nikita Bedmutha
Software Engineer, Great Software Laboratory <http://www.gslab.com/>

On Fri, Feb 3, 2017 at 5:35 AM, Tomas Gustavsson <to...@pr...> wrote:
>
> It is very common to do this using WS, so there is probably something
> wrong with your call. Are you using the correct certificate profile in
> your WS call?
>
> Debug logging will show in detail all decisions regarding override or not
> that it takes during certificate issuance.
>
> Regards,
> Tomas
|
|
From: Tomas G. <to...@pr...> - 2017-02-08 08:18:40
|
Hi,

I think this was answered in IRC.

Cheers,
Tomas

On 2017-02-07 18:56, Walter Goulet wrote:
> Hi all,
>
> First time EJBCA user here. Quick question on using ejbca.sh to create a
> subCA. I don't see a way via the script to set the name constraints that
> should be included in a subCA certificate when creating it with
> ./ejbca.sh ca init. It can be set in Admin-GUI, but for my needs I have
> to use the script interface. Any suggestions?
>
> Thanks,
>
> Walter Goulet | Product Manager - Cloud | office: 385.315.3734 | wal...@ve... | www.venafi.com
|
|
From: Walter G. <wal...@ve...> - 2017-02-07 17:56:48
|
Hi all,

First time EJBCA user here. Quick question on using ejbca.sh to create a
subCA. I don't see a way via the script to set the name constraints that
should be included in a subCA certificate when creating it with
./ejbca.sh ca init. It can be set in Admin-GUI, but for my needs I have
to use the script interface. Any suggestions?

Thanks,

Walter Goulet | Product Manager - Cloud | office: 385.315.3734 | wal...@ve... | www.venafi.com
|
|
From: Tomas G. <to...@pr...> - 2017-02-03 00:05:18
|
It is very common to do this using WS, so there is probably something
wrong with your call. Are you using the correct certificate profile in
your WS call?

Debug logging will show in detail all decisions regarding override or not
that it takes during certificate issuance.

Regards,
Tomas
---
RSA Conference 2017
------------------------------------------------------------------
San Francisco | February 13-17 | Moscone Center
Come visit us in booth #627 at RSA Conference 2017!

Want a free expo pass?
Go to https://www.rsaconference.com/events/us17/register
and use the code: XE7PRMKEY

On 2017-02-02 04:44, Nikita Bedmutha wrote:
> Sorry for spamming, but just correcting the query:
>
> I want to make a certificate request which uses the subject DN from the CSR
> and not the registered end entity subject DN. I am using the
> certificate profile which has 'Allow subject DN override by CSR'
> checked. However the web service requests 'pkcs10Request' as well as
> 'certificateRequest' do not return certificates with the subject DN
> overridden by the CSR but use the registered DN only.
>
> On the other hand, using the same CSR, the public web call 'Create
> Certificate from CSR' as well as the 'createcert' CLI command generate
> a certificate which has the subject DN overridden by the CSR.
>
> Your inputs would really be very helpful.
> Thanks.
>
> Regards,
> Nikita Bedmutha
|
|
From: Tomas G. <to...@pr...> - 2017-02-02 16:48:57
|
Hi,
After a too long silence the EJBCA Team is very pleased to release EJBCA
Community 6.5.0. We acknowledge that this release has been due for a
long time, and
we are working hard to increase communication in the future. So continue
to monitor this space.
This release has primarily focused on tuning up the UI and responding to
security developments in the Java EE world in the last few months.
We've shifted plenty of focus to QA during this period, so this version
is the most stable we've released yet.
All in all, we've resolved 145 issues in this specific release: new features,
bugs and improvements. The delta from the latest Community release is
hundreds more issues.
A selection of noteworthy improvements:
Administration UI:
- Certificate profiles can now be set to restrict key algorithms,
curves (for EC) and key length.
- The CSCA "CA Name Change" feature from ICAO 9303 7th edition, Part 12, has been
implemented.
- Fixed a possible information leakage in the administrative web in
regards to certificate and end entity profiles.
- Auditor default role has been given access to additional pages in the UI
- The Auditor Role has been extended, and now has read access to End
Entities, all configurations and roles.
- Granular control has been added to DN and SAN elements in End
Entity Profiles. Entered values can be controlled using regular expressions.
- Most of the UI has been given read-only rights, and a new role
template (named Auditor) can be created and built upon
to allow an auditor to view but not modify.
- Custom Certificate Extensions and Extended Key Usages can now
be added on the fly from the UI, so no longer is a JBoss
restart required when new ones are added.
General Cryptography:
- The underlying BouncyCastle library has been upgraded to version 1.54
Documentation:
- All return and error codes from the CMP servlet have been documented.
OCSP:
- OCSP responder can now cache the revocation status of client
certificates (used to sign requests) for limited time periods.
- X-Forwarded-For is now logged if present in OCSP requests
External RA:
- CMP Proxy now checks for message signatures, HMAC and checks
revocation status for signing certificates, relieving the CA of handling
unauthorized messages.
General:
- WildFly8 and WildFly9 are now supported platforms.
- Upgrade procedure has been improved, and EJBCA now tracks its
own version, allowing many steps that were previously
performed as part of manual upgrades to be performed automatically
instead.
- Much security hardening and improvements.
- Upgraded internal libraries
You can also see a summary of all changes from the last Community
release in the download section.
https://sourceforge.net/projects/ejbca/files/ejbca6/ejbca_6_5_0/
Read the full change log for details, and see the UPGRADE document for
all functionality changes and upgrade instructions. These are both
available in the download package.
Regards,
The EJBCA Team
--
RSA Conference 2017
------------------------------------------------------------------
San Francisco | February 13-17 | Moscone Center
Come visit us in booth #627 at RSA Conference 2017!
Want a free expo pass?
Go to https://www.rsaconference.com/events/us17/register
and use the code: XE7PRMKEY
From: Nikita B. <nik...@gs...> - 2017-02-02 12:44:23

Sorry for spamming, but just correcting the query: I want to make a certificate request which uses the subject DN from the CSR and not the registered end entity subject DN. I am using the certificate profile which has 'Allow subject DN override by CSR' checked. However, the web service requests 'pkcs10Request' as well as 'certificateRequest' do not return certificates with the subject DN overridden by the CSR but use the registered DN only. On the other hand, using the same CSR, the public web call 'Create Certificate from CSR' as well as the 'createcert' CLI command generate a certificate which has the subject DN overridden by the CSR. Your inputs would really be very helpful. Thanks.

Regards,
Nikita Bedmutha

On Wed, Feb 1, 2017 at 4:50 PM, Nikita Bedmutha <nik...@gs...> wrote:
> Hi,
>
> I have a user (end-entity) created using a certificate profile which has
> 'Allow Subject DN override' checked. This end-entity is registered with
> Token as User Generated.
> When I use the 'Create Certificate from CSR' option on the public web, I get the
> certificate with the subject DN used while creating the CSR and not the
> registered DN.
> Now I want to achieve the same using a web service call. I tried the
> 'certificateRequest' and 'pkcs10' request with the same CSR that I used in
> the previous Public web call. But in the web service call case, I get a
> certificate with the registered DN and not overridden by the CSR.
>
> Kindly guide me how to achieve this.
>
> Thanks and Regards,
> Nikita
From: Tomas G. <to...@pr...> - 2017-02-01 16:48:04

Hi Marc,

If you send an OCSP request asking for the status of the Sub CA certificate, it should be answered by the Root CA. In order for the Root CA to answer, it needs to have an OCSP Key Binding, and an OCSP signing certificate issued by the Root CA (or asking a responder directly on the Root CA server).

In order to get proper OCSP responses from the Sub CA responder you should query about the status of a leaf certificate issued by the Sub CA.

Cheers,
Tomas

On 2017-01-31 14:10, Marc Pailloux wrote:
> Hello,
>
> I have an interrogation about OCSP and the way it works with an
> External Root CA.
>
> I use the default OCSP with the CA (no external OCSP responder).
> My CA architecture is a Root CA generated on another EJBCA
> instance, that signed the SubCA installed on the instance doing also the
> OCSP.
> I created a user certificate for the test under that SubCA.
>
> I imported back the root public CA as an external Certificate,
> so here is what I have as CAs:
>
> However, when I try to use OCSP on a reverse proxy, I have an
> error message in the EJBCA logs:
> 13:28:16,136 INFO [org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean] (http--0.0.0.0-18080-6) Received OCSP request for certificate with serNo: 3e3bb7fa6bbbe5ae, and issuerNameHash: f644d454ac3dd1cf400698318b5b8357afafad7c. Client ip 192.168.91.5.
> 13:28:16,139 ERROR [org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean] (http--0.0.0.0-18080-6) Unable to find CA certificate by issuer name hash: f644d454ac3dd1cf400698318b5b8357afafad7c, or even the default responder: .
>
> This certificate is the SubCA certificate.
>
> For what I understand about OCSP and EJBCA, it means that the
> SubCA certificate was not registered on the CA hash table and cannot be
> found. Any reason for that?
> I tried a configuration where the root CA is on the same instance
> and it works perfectly but it is not my desired architecture.
>
> Thanks for the help
>
> Best Regards
>
> Marc Pailloux
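Tomas's point is that EJBCA selects the CA that answers by the issuerNameHash in the request, so the hash in Marc's log line has to correspond to a CA the instance knows. The following is an added example (not from the thread and not EJBCA code) that recomputes candidate issuerNameHash values for constructed CA DNs and matches an EJBCA log line against them; it goes a step beyond the thread by trying both DER string types, since that choice is the usual reason a recomputed hash does not match. The CA table and its DNs are assumptions.

```python
"""Added example, not from the thread or from EJBCA: map the issuerNameHash in an
EJBCA OCSP log line back to a CA subject DN.  Per RFC 6960, issuerNameHash is
SHA-1 over the DER-encoded issuer Name as it appears in the certificate being
checked, so a request about the Sub CA certificate carries the Root CA's hash."""
import hashlib
import re

_OIDS = {"CN": "2.5.4.3", "O": "2.5.4.10", "OU": "2.5.4.11", "C": "2.5.4.6"}

def _tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with short or long form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body

def _oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]  # base-128, low 7 bits first, then reversed
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_name(rdns, printable: bool) -> bytes:
    """DER Name from [(attr, value), ...] in the order the certificate encodes them.
    C is always PrintableString (RFC 5280); other values use PrintableString (0x13)
    when `printable` is set, else UTF8String (0x0C), an EJBCA CA-level setting."""
    body = b""
    for attr, value in rdns:
        tag = 0x13 if printable or attr == "C" else 0x0C
        atv = _tlv(0x30, _oid(_OIDS[attr]) + _tlv(tag, value.encode()))
        body += _tlv(0x31, atv)  # RDN = SET of one AttributeTypeAndValue
    return _tlv(0x30, body)

def issuer_name_hash(rdns, printable: bool) -> str:
    return hashlib.sha1(encode_name(rdns, printable)).hexdigest()

def identify_ca(log_line: str, cas: dict):
    """Name of the CA whose subject (under either string type) hashes to the
    issuerNameHash in an OcspResponseGeneratorSessionBean log line, else None."""
    m = re.search(r"issuer ?name ?hash: ([0-9a-f]{40})", log_line, re.I)
    if not m:
        return None
    wanted = m.group(1).lower()
    for name, rdns in cas.items():
        if wanted in (issuer_name_hash(rdns, True), issuer_name_hash(rdns, False)):
            return name
    return None

# Constructed two-tier hierarchy in the thread's shape (DNs are made up).
CAS = {
    "Root CA": [("C", "SE"), ("O", "Example"), ("CN", "Example Root CA")],
    "Sub CA": [("C", "SE"), ("O", "Example"), ("CN", "Example Sub CA")],
}

# Log line quoted from the thread: none of the constructed CAs match it, which
# is exactly the "Unable to find CA certificate" case EJBCA reported.
THREAD_LOG_LINE = ("Received OCSP request for certificate with serNo: 3e3bb7fa6bbbe5ae,"
                   " and issuerNameHash: f644d454ac3dd1cf400698318b5b8357afafad7c.")
```

For a real deployment, feed `encode_name` the RDNs in the order the CA certificate actually encodes them (EJBCA's "LDAP DN order" setting reverses the displayed string); the authoritative value is the hash of the DER issuer field taken from the certificate itself.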
From: Nikita B. <nik...@gs...> - 2017-02-01 11:42:40

Hi,

I have a user (end-entity) created using a certificate profile which has 'Allow Subject DN override' checked. This end-entity is registered with Token as User Generated.
When I use the 'Create Certificate from CSR' option on the public web, I get the certificate with the subject DN used while creating the CSR and not the registered DN.
Now I want to achieve the same using a web service call. I tried the 'certificateRequest' and 'pkcs10' request with the same CSR that I used in the previous Public web call. But in the web service call case, I get a certificate with the registered DN and not overridden by the CSR.

Kindly guide me how to achieve this.

Thanks and Regards,
Nikita
From: Marc P. <liv...@gm...> - 2017-01-31 13:10:26

Hello,
I have an interrogation about OCSP and the way it works with an
External Root CA.
I use the default OCSP with the CA (no external OCSP responder).
My CA architecture is a Root CA generated on another EJBCA
instance, that signed the SubCA installed on the instance doing also the
OCSP.
I created a user certificate for the test under that SubCA.
I imported back the root public CA as an external Certificate, so
here is what I have as CAs:
However, when I try to use OCSP on a reverse proxy, I have an error
message in the EJBCA logs:
13:28:16,136 INFO [org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean] (http--0.0.0.0-18080-6) Received OCSP request for certificate with serNo: 3e3bb7fa6bbbe5ae, and issuerNameHash: f644d454ac3dd1cf400698318b5b8357afafad7c. Client ip 192.168.91.5.
13:28:16,139 ERROR [org.cesecore.certificates.ocsp.OcspResponseGeneratorSessionBean] (http--0.0.0.0-18080-6) Unable to find CA certificate by issuer name hash: f644d454ac3dd1cf400698318b5b8357afafad7c, or even the default responder: .
This certificate is the SubCA certificate.
For what I understand about OCSP and EJBCA, it means that the SubCA
certificate was not registered on the CA hash table and cannot be found.
Any reason for that?
I tried a configuration where the root CA is on the same instance
and it works perfectly but it is not my desired architecture.
Thanks for the help
Best Regards
Marc Pailloux
From: Nikita B. <nik...@gs...> - 2017-01-25 08:36:36

Thanks a lot!

Regards,
Nikita Bedmutha
Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.linkedin.com/in/nikitabedmutha> <http://www.gslab.com/>

On Wed, Jan 25, 2017 at 1:35 PM, Tomas Gustavsson <to...@pr...> wrote:
> Hi,
>
> Check the documentation for the "Key Recovery" feature. This is what you
> are looking for.
>
> Regards,
> Tomas
>
> On 2017-01-25 06:36, Nikita Bedmutha wrote:
> > Hi,
> >
> > As per my knowledge after using EJBCA, it seems that EJBCA stores only
> > the CA key pairs in the database in the form of soft crypto
> > token (keystore). The scenario where a user makes a request to the server for
> > keystore generation (p12), a P12 file is returned, but EJBCA doesn't seem
> > to store it back on its side. So it must be generating this P12 on the
> > fly and returning.
> > On checking the database, only user certificates can be found.
> > So is it possible to store the user key material (keypair) in the database in
> > EJBCA? If so, how? Also please correct me if my above understanding is
> > wrong.
> > Thanks.
> >
> > Regards,
> > Nikita Bedmutha
> > Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.linkedin.com/in/nikitabedmutha> <http://www.gslab.com/>
From: Tomas G. <to...@pr...> - 2017-01-25 08:05:19

Hi,

Check the documentation for the "Key Recovery" feature. This is what you are looking for.

Regards,
Tomas

On 2017-01-25 06:36, Nikita Bedmutha wrote:
> Hi,
>
> As per my knowledge after using EJBCA, it seems that EJBCA stores only
> the CA key pairs in the database in the form of soft crypto
> token (keystore). The scenario where a user makes a request to the server for
> keystore generation (p12), a P12 file is returned, but EJBCA doesn't seem
> to store it back on its side. So it must be generating this P12 on the
> fly and returning.
> On checking the database, only user certificates can be found.
> So is it possible to store the user key material (keypair) in the database in
> EJBCA? If so, how? Also please correct me if my above understanding is
> wrong.
> Thanks.
>
> Regards,
> Nikita Bedmutha
> Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.linkedin.com/in/nikitabedmutha> <http://www.gslab.com/>
From: Tomas G. <to...@pr...> - 2017-01-25 07:57:16

> So does that mean the certificateRequest() call marks the user NEW each
> time we make the call?

Correct. It's inside a transaction so not visible from the outside. You can read about it in the WS API documentation.
https://www.ejbca.org/docs/ws/org/ejbca/core/protocol/ws/client/gen/EjbcaWS.html

Regards,
Tomas
---
Save time and money with an Enterprise support subscription.
Please see www.primekey.se for more information.
https://www.primekey.se/technologies/products-overview/
https://www.primekey.se/service-support/support/

On 2017-01-25 06:27, Nikita Bedmutha wrote:
> Hi,
>
> When I tried the SOAP based web service call 'certificateRequest'
> through SOAPUI and java code in eclipse to sign a CSR,
> we have to send user data (end-entity) i.e. UserDataVOWS along with the
> caName and CSR. This call returns a certificate
> signed by the requested CA. It seems that a new end entity (user) is
> created on the fly during this call and then the certificate
> is signed for it and returned.
> Now if we make repetitive same calls, without changing the user, a certificate
> is generated each time.
> When observed in the database, the UserData has that user entry in it, and
> it seems that the user data row is overwritten
> each time we make the call. Also the count of certificates issued to
> this user increases.
>
> Now when I try to achieve the same thing using the web GUI of EJBCA, hitting
> the request for Create Certificate from
> CSR for the same user used using SOAPUI, it returns:
> 'Wrong user status! To generate a certificate for a user the user must
> have status New, Failed or In process.'
>
> When checked, the user has status 40 (GENERATED), and hence it failed.
>
> So does that mean the certificateRequest() call marks the user NEW each
> time we make the call?
>
> Regards,
> Nikita Bedmutha
> Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.linkedin.com/in/nikitabedmutha> <http://www.gslab.com/>
From: Nikita B. <nik...@gs...> - 2017-01-25 05:56:05

Hi,

When I tried the SOAP based web service call 'certificateRequest' through SOAPUI and java code in eclipse to sign a CSR, we have to send user data (end-entity) i.e. UserDataVOWS along with the caName and CSR. This call returns a certificate signed by the requested CA. It seems that a new end entity (user) is created on the fly during this call and then the certificate is signed for it and returned.
Now if we make repetitive same calls, without changing the user, a certificate is generated each time.
When observed in the database, the UserData has that user entry in it, and it seems that the user data row is overwritten each time we make the call. Also the count of certificates issued to this user increases.

Now when I try to achieve the same thing using the web GUI of EJBCA, hitting the request for Create Certificate from CSR for the same user used using SOAPUI, it returns:
'Wrong user status! To generate a certificate for a user the user must have status New, Failed or In process.'

When checked, the user has status 40 (GENERATED), and hence it failed.

So does that mean the certificateRequest() call marks the user NEW each time we make the call?

Regards,
Nikita Bedmutha
Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.linkedin.com/in/nikitabedmutha> <http://www.gslab.com/>
From: Nikita B. <nik...@gs...> - 2017-01-25 05:36:25

Hi,

As per my knowledge after using EJBCA, it seems that EJBCA stores only the CA key pairs in the database in the form of soft crypto token (keystore). The scenario where a user makes a request to the server for keystore generation (p12), a P12 file is returned, but EJBCA doesn't seem to store it back on its side. So it must be generating this P12 on the fly and returning.
On checking the database, only user certificates can be found.
So is it possible to store the user key material (keypair) in the database in EJBCA? If so, how? Also please correct me if my above understanding is wrong.
Thanks.

Regards,
Nikita Bedmutha
Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.linkedin.com/in/nikitabedmutha> <http://www.gslab.com/>
From: Tomas G. <to...@pr...> - 2017-01-23 11:56:04

An old school SOAP WS without the SOAP overhead, possible to debug and test. Doesn't sound bad at all :-). Looks like what SOAP should have been from the beginning.

Cheers,
Tomas

On 2017-01-23 10:09, Anders Rundgren wrote:
> This could maybe be of interest for future EJBCA developments.
>
> https://cyberphone.github.io/doc/web/REST-in-peace.html
>
> Enjoy!
> Anders
From: Anders R. <and...@gm...> - 2017-01-23 09:09:31

This could maybe be of interest for future EJBCA developments.

https://cyberphone.github.io/doc/web/REST-in-peace.html

Enjoy!
Anders
From: Tomas G. <to...@pr...> - 2017-01-19 13:59:28

Hi,

EJBCA 6.3.1.1 should work with WildFly 8 and 9. Only a couple of small web page bugs with WildFly 10.

EJBCA 6.5.0 will be released in the beginning of February.

Cheers,
Tomas

On 2017-01-19 14:01, Nikita Bedmutha wrote:
> Hi,
> I had a few queries regarding EJBCA 6.3.1.1 community version and the
> application server it works on.
> Is EJBCA 6.3.1.1 community version supported on Wildfly? The
> documentation link for EJBCA 6.3.1.1
> (https://www.ejbca.org/older_releases/ejbca_6_3/htdocs/docs/installation.html)
> does not mention Wildfly and documents the Jboss configuration
> only.
> 1) So can we use EJBCA 6.3.1.1 with any of Wildfly 8/9/10 versions?
> 2) Also, are there any plans for the next community release of EJBCA? If
> so, when will that be?
> Thanks.
>
> Regards,
> Nikita Bedmutha
> Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.linkedin.com/in/nikitabedmutha> <http://www.gslab.com/>
From: Nikita B. <nik...@gs...> - 2017-01-19 13:01:44

> Hi,
> I had a few queries regarding EJBCA 6.3.1.1 community version and the
> application server it works on.
> Is EJBCA 6.3.1.1 community version supported on Wildfly? The documentation
> link for EJBCA 6.3.1.1
> (https://www.ejbca.org/older_releases/ejbca_6_3/htdocs/docs/installation.html)
> does not mention Wildfly and documents the Jboss configuration only.
> 1) So can we use EJBCA 6.3.1.1 with any of Wildfly 8/9/10 versions?
> 2) Also, are there any plans for the next community release of EJBCA? If so,
> when will that be?
> Thanks.
>
> Regards,
> Nikita Bedmutha
> Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.linkedin.com/in/nikitabedmutha> <http://www.gslab.com/>
From: Tomas G. <to...@pr...> - 2017-01-18 08:06:31

Hi Johan,

Yes, EJBCA Enterprise gets continuous updates with security fixes as it is penetration tested. The changelog mentions this, although very few details are revealed on the specifics of security fixes.

Regards,
Tomas

On 2017-01-17 10:25, CLIER, JOHAN wrote:
> Hello,
>
> I was wondering about the security updates for the community edition.
> As far as I know from Sourceforge, the current version 6.3.1.1 is from
> 2015 and has not been updated for potential security issues.
>
> I also did not find any list of the security issues for the Enterprise
> Edition.
> Is it available when buying the Enterprise Edition?
>
> Thanks
>
> Johan Clier