|
From: Tahmim A. S. <sh...@ti...> - 2016-07-11 08:22:06
|
Hi,

I have set up an externalRA server with the GUI. The GUI doesn't use HTTPS, just normal HTTP. But I encountered the following issue:

When I open the RA-Gui page and select Create Browser Certificate, and input a username and password, it responds saying "Key generation using 'keygen' is not supported in the current browser on this platform."

In Firefox I also got this response, but the certificate is created successfully.

Another thing I found in the log is that in KeyGenServlet I got a base64 encoded string in ((String[])keygenObject)[0] while requesting from Firefox, but an empty string when I send the request from Chrome.

NB: Firefox version: 47. Chrome version: 51.0.2704.106

Your help will be very much appreciated. |
|
From: Ngoc K. Vu <ngo...@gm...> - 2016-07-10 15:49:13
|
Dear all.

We are using EJBCA 3.10.3 for CA and OCSP service, LDAP to store issued certificates. Now we need to renew CA to upgrade using SHA-2. The problem is how we renew CA and keep CRL, OCSP still contain old certificates.

Has anyone done this before? Please give us some help. Thanks a lot.

--
====================
Best regards and thanks.
Vu Ngoc Kha (Mr.) |
|
From: Tomas G. <to...@pr...> - 2016-07-07 06:41:59
|
Hi,

I have added an updated cert-cvc library for download. Forgot about this one for a while, so it's a bit delayed. It is available for download at the download page [1].

Cert-cvc is a Java development library for EU EAC ePassport and eID certificates, fully supporting EAC 2.10. The only news in this release is that it is updated to work with the latest release (1.54) of the BouncyCastle [2] crypto libs.

[1]: https://www.ejbca.org/download.html
[2]: https://www.bouncycastle.org/

Regards,
The EJBCA Dev team |
|
From: Shoubhik B. <sb...@gm...> - 2016-07-04 11:43:12
|
In the following steps, could you please tell me if EJBCA 4_0_16 supports triple-DES for the 5th step?

- Requester sends GetCACert message to SCEP URL
- Either CA or RA responds with single DER-encoded X.509 certificate DER-encoded 'degenerate' PKCS#7 SignedData message with an X.509 certificate chain (CA -> RA)
- Requester checks if CA certificate is trusted by prompting user with message digest of X.509 certificate
- Requester constructs a PKCS#10 certificate signing request (CSR)
- Requester constructs a PKCS#7 EnvelopedData object using the DER-encoded CSR and encrypts the envelope encryption key (DES or Triple-DES) using the message recipient's public key (either the CA, or an RA with a keyEncipherment KeyUsage extension) |
|
From: Tomas G. <to...@pr...> - 2016-07-04 06:53:10
|
Hi Gregory,

You are right that the WS API is more targeted for RA functionality. CMP has pretty good open source support both in C (cmpforopenssl) and Java (BouncyCastle), and would make it easy to automate things in a relatively secure way.

If the environment is secure you can HTTP POST. It still requires to register the end entities first. This can be scripted of course, so if you have a production line you can script creating 1M end entities numbered 1-1M, then simply http post to get the certificates.

Another way, by simple tweaking is to use the "DemoCertreqServlet" which simply does what you want without any authorization.

Cheers,
Tomas

-----
Save time and money with an Enterprise support subscription.
Please see www.primekey.se for more information.
https://www.primekey.se/technologies/products-overview/
https://www.primekey.se/service-support/support/

On 2016-07-02 13:48, LANDAIS Gregory wrote:
> Hi,
>
> I am evaluating EJBCA to see if it will fit my current needs. These needs
> include the possibility to automate the signing of CSR generated by
> users. My "users" will be systems that I will plug to my isolated and
> trusted network, they will automatically generate key pairs, the
> corresponding CSR, submit it for signing before leaving into the wild
> with their certificate.
>
> I had a look at the SOAP API but it seems it is more focused on RA and
> CA functionality (e.g. it requires authentication with certificate that
> my systems don't have yet).
>
> I had a look at SCEP and CMP protocols but open-source implementations
> seem outdated/hard to get working and they seem overkill for what I
> want to do.
>
> I thought about manually sending HTTP POST requests to the public web
> interface but maybe there is a better way ? |
|
From: Tomas G. <to...@pr...> - 2016-07-04 06:46:53
|
Hi Tom,

How are you trying to validate your certificates?

The certificates themselves have nothing to do with the validity of CRLs and OCSP responses. CRLs and OCSP responses have their own validity period. From the messages you provide it looks like you have clock mismatch somewhere on the validating client.

The only way CRLs or OCSP responses can have different validity for different certificates is if they are issued from different CAs for example.

For example:
> CRL has expired or is not yet valid

Shows the _CRL_, not the certificate has an invalid validity time. The _CRL_ is the same (really the same file) regardless if a certificate you are trying to validate is revoked or not.

Regards,
Tomas

**********
PrimeKey Solutions AB
Lundagatan 16, 171 63 Solna, Sweden
Mob: +46 (0)707421096
Internet: www.primekey.se
Twitter: twitter.com/primekeyPKI
**********

On 2016-07-01 17:55, Tom wrote:
> Dear All,
>
> I have implemented an EJBCA CA with CRL and OCSP validation and have the
> following problem:
>
> The expired certificates have error when trying to validate:
> * CRL processing error
> Issuer: c=XX, o=ABC, cn=abc.com
> This update: 20160701105720Z
> Next update: 20160702105720Z
> CRL has expired or is not yet valid
>
> * OCSP response has expired or is not yet valid
>
> This problem does not occur with the revoked certificates, these are
> validated correctly.
>
> Does someone have an idea what can be causing this?
> Thanks.
>
> Regards,
> Enzo
>
> --
> Sent from ProtonMail <https://protonmail.com>. |
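Added example, not part of the original thread: a small diagnostic for the reply above, which checks the CRL's own thisUpdate/nextUpdate window against the validator's clock and against a reference clock, so a clock mismatch can be told apart from a genuinely stale CRL. The two timestamps are the ones quoted in the error output; the function names and the reference time are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def parse_generalized_time(value):
    """Parse the 'YYYYMMDDHHMMSSZ' form used in the error output (always UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def window_status(this_update, next_update, clock):
    """Classify a CRL or OCSP response against one clock reading.

    The certificate being checked plays no part here: the window belongs
    to the CRL/OCSP response itself.
    """
    if clock < this_update:
        return "not yet valid"
    if clock > next_update:
        return "expired"
    return "valid"


def failing_offsets(this_update, next_update, reference_now):
    """Return (lag, lead): how far a validator clock must be behind or ahead
    of reference_now before the validity check starts to fail."""
    return reference_now - this_update, next_update - reference_now


def diagnose(this_update, next_update, validator_now, reference_now):
    """Compare the verdict of the validator's clock with a trusted reference."""
    local = window_status(this_update, next_update, validator_now)
    reference = window_status(this_update, next_update, reference_now)
    if local == "valid":
        cause = "none"
    elif reference == "valid":
        cause = "validator clock mismatch"
    else:
        cause = "CRL/OCSP response is outside its validity period"
    return {
        "local": local,
        "reference": reference,
        "offset": validator_now - reference_now,
        "cause": cause,
    }


# Values quoted in the thread's error output.
THIS_UPDATE = parse_generalized_time("20160701105720Z")
NEXT_UPDATE = parse_generalized_time("20160702105720Z")
# Constructed reference time (assumed to be correct UTC) for the demonstration.
REFERENCE_NOW = datetime(2016, 7, 1, 15, 55, 32, tzinfo=timezone.utc)

if __name__ == "__main__":
    lag, lead = failing_offsets(THIS_UPDATE, NEXT_UPDATE, REFERENCE_NOW)
    print("fails if validator clock is more than", lag, "behind or", lead, "ahead")
    for skew in (timedelta(0), timedelta(hours=-6), timedelta(days=2)):
        print(skew, diagnose(THIS_UPDATE, NEXT_UPDATE, REFERENCE_NOW + skew, REFERENCE_NOW))
```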
|
From: LANDAIS G. <gla...@as...> - 2016-07-02 11:48:41
|
Hi,

I am evaluating EJBCA to see if it will fit my current needs. These needs include the possibility to automate the signing of CSR generated by users. My "users" will be systems that I will plug to my isolated and trusted network, they will automatically generate key pairs, the corresponding CSR, submit it for signing before leaving into the wild with their certificate.

I had a look at the SOAP API but it seems it is more focused on RA and CA functionality (e.g. it requires authentication with certificate that my systems don't have yet).

I had a look at SCEP and CMP protocols but open-source implementations seem outdated/hard to get working and they seem overkill for what I want to do.

I thought about manually sending HTTP POST requests to the public web interface but maybe there is a better way ? |
|
From: Tom <kr...@pr...> - 2016-07-01 15:55:32
|
Dear All,

I have implemented an EJBCA CA with CRL and OCSP validation and have the following problem:

The expired certificates have error when trying to validate:
* CRL processing error
  Issuer: c=XX, o=ABC, cn=abc.com
  This update: 20160701105720Z
  Next update: 20160702105720Z
  CRL has expired or is not yet valid

* OCSP response has expired or is not yet valid

This problem does not occur with the revoked certificates, these are validated correctly.

Does someone have an idea what can be causing this?
Thanks.

Regards,
Enzo

--
Sent from [ProtonMail](https://protonmail.com). |
|
From: Tomas G. <to...@pr...> - 2016-06-17 08:27:28
|
We were initially planning around now, but with the current work load it's impossible to estimate. Sorry.

Cheers,
Tomas

On 2016-06-17 09:40, Willi Trace wrote:
> Hi Tomas,
>
> Do you have any expected date, when will it happen?
>
> Best regards,
> Willi
>
> On Friday, June 17, 2016, Tomas Gustavsson <to...@pr...> wrote:
>
> > Hi Will,
> >
> > Yes there are plans for a new Community version. We've been too busy
> > lately in order to be able to get it out.
> >
> > Regards,
> > Tomas
> >
> > On 2016-06-16 18:11, Willi Trace wrote:
> > > Dear all,
> > >
> > > do you have any information if there is a plan for new EJBCA Community
> > > Edition with support of current Java version and Wildfly application server?
> > >
> > > Best regards,
> > > Willi |
|
From: Willi T. <wil...@gm...> - 2016-06-17 07:40:08
|
Hi Tomas,

Do you have any expected date, when will it happen?

Best regards,
Willi

On Friday, June 17, 2016, Tomas Gustavsson <to...@pr...> wrote:
> Hi Will,
>
> Yes there are plans for a new Community version. We've been too busy
> lately in order to be able to get it out.
>
> Regards,
> Tomas
>
> On 2016-06-16 18:11, Willi Trace wrote:
> > Dear all,
> >
> > do you have any information if there is a plan for new EJBCA Community
> > Edition with support of current Java version and Wildfly application server?
> >
> > Best regards,
> > Willi |
|
From: Tomas G. <to...@pr...> - 2016-06-17 07:36:31
|
Hi Will,

Yes there are plans for a new Community version. We've been too busy lately in order to be able to get it out.

Regards,
Tomas

On 2016-06-16 18:11, Willi Trace wrote:
> Dear all,
>
> do you have any information if there is a plan for new EJBCA Community
> Edition with support of current Java version and Wildfly application server?
>
> Best regards,
> Willi |
|
From: Willi T. <wil...@gm...> - 2016-06-16 16:12:03
|
Dear all, do you have any information if there is a plan for new EJBCA Community Edition with support of current Java version and Wildfly application server? Best regards, Willi |
|
From: Tomas G. <to...@pr...> - 2016-06-07 19:45:15
|
You can create a new CA using the same private key. However changing DN really is, in PKI theory, a new CA.

There is an ICAO feature called CA Name change, you can check it out. Check "CA Name Change" in User Guide,
https://www.ejbca.org/docs/userguide.html#Managing%20CAs

Cheers,
Tomas

---
Save time and money with an Enterprise support subscription.
Please see www.primekey.se for more information.
https://www.primekey.se/technologies/products-overview/
https://www.primekey.se/service-support/support/

On 2016-06-07 20:33, Chirpy Soft wrote:
> Hello all,
>
> Is there a way to change the SubjectDN of a CA for e.g. using the
> ejbca-ejb-cli.jar? We want to know if there is an easier alternative to
> creating a new CA with the same private key so that in production we can
> avoid redirecting all the external sources pointing to the original CA,
> reconnecting the end entity profiles etc.
>
> Thank you.
> Igor |
|
From: Chirpy S. <chi...@gm...> - 2016-06-07 18:33:08
|
Hello all, Is there a way to change the SubjectDN of a CA for e.g. using the ejbca-ejb-cli.jar? We want to know if there is an easier alternative to creating a new CA with the same private key so that in production we can avoid redirecting all the external sources pointing to the original CA, reconnecting the end entity profiles etc. Thank you. Igor |
|
From: Ralf H. <rh...@hc...> - 2016-06-02 09:46:08
|
Hi,

try this:

    SELECT serialNumber, subjectDN, FROM_UNIXTIME(revocationDate/1000) as revoked
    from CertificateData
    where revocationDate != '-1'

regards

From: Ivan R [mailto:iva...@gm...]
Sent: Thursday, 2 June 2016 10:46
To: ejb...@li...
Subject: Re: [Ejbca-develop] What is the meaning of the status integers in the certificateData table in the DB?

Hi,

Thanks for the reply. Do you also happen to know the logic behind how the date is transformed into the integer? For example "1464853664953" this is supposed to be the date today and time should be from some time this morning.

On Wed, Jun 1, 2016 at 8:21 PM, Ralf Hornik <rh...@hc...> wrote:

Hi,

There is a column „revocation_date“ that is -1 if not revoked and a timestamp if is

Cheers

From: Ivan R [mailto:iva...@gm...]
Sent: Wednesday, 1 June 2016 17:05
To: ejb...@li...
Subject: [Ejbca-develop] What is the meaning of the status integers in the certificateData table in the DB?

I'm looking for a way to detect if a certificate was revoked. Ideally if it was revoked recently. Is there anything from which I can read up on the status meanings?

Also I intend to delete some certificates when they've been just made and revoked without ever being used. Is there any underlying risk when doing that? |
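Added example, not part of the original thread: the query above divides revocationDate by 1000 because the value is milliseconds since the Unix epoch, with -1 meaning "not revoked". The sketch below reproduces that on an in-memory SQLite table with constructed rows (the reply's FROM_UNIXTIME is MySQL) and narrows the result to certificates revoked within a recent window; the table and column names come from the query in the thread, and the helper names are hypothetical.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
NOT_REVOKED = -1  # sentinel described in the thread for "never revoked"


def ms_to_utc(ms):
    """Convert a revocationDate value (milliseconds since the epoch) to UTC.

    Integer timedelta arithmetic avoids float rounding of the millisecond part.
    """
    if ms == NOT_REVOKED:
        return None
    return EPOCH + timedelta(milliseconds=ms)


def utc_to_ms(moment):
    """Inverse of ms_to_utc, for building query cut-offs."""
    return (moment - EPOCH) // timedelta(milliseconds=1)


def build_sample_db():
    """In-memory stand-in for CertificateData, holding constructed rows only."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE CertificateData ("
        "serialNumber TEXT, subjectDN TEXT, revocationDate INTEGER)"
    )
    rows = [
        ("1001", "CN=device-a", NOT_REVOKED),
        ("1002", "CN=device-b", 1464853664953),  # the value quoted in the thread
        ("1003", "CN=device-c",
         utc_to_ms(datetime(2016, 5, 1, 12, 0, tzinfo=timezone.utc))),
        ("1004", "CN=device-d",
         utc_to_ms(datetime(2016, 6, 1, 15, 0, tzinfo=timezone.utc))),
    ]
    conn.executemany("INSERT INTO CertificateData VALUES (?, ?, ?)", rows)
    return conn


def recently_revoked(conn, now, window):
    """Return (serialNumber, subjectDN, revoked_at_utc) for revocations in the window.

    The cut-off is compared in milliseconds, the unit stored in the column;
    comparing against a seconds value would match every revoked row.
    """
    cutoff_ms = utc_to_ms(now - window)
    cursor = conn.execute(
        "SELECT serialNumber, subjectDN, revocationDate FROM CertificateData "
        "WHERE revocationDate != ? AND revocationDate >= ? "
        "ORDER BY revocationDate DESC",
        (NOT_REVOKED, cutoff_ms),
    )
    return [(serial, dn, ms_to_utc(ms)) for serial, dn, ms in cursor]


if __name__ == "__main__":
    db = build_sample_db()
    now = datetime(2016, 6, 2, 9, 0, tzinfo=timezone.utc)  # constructed "now"
    for serial, dn, revoked_at in recently_revoked(db, now, timedelta(hours=24)):
        print(serial, dn, revoked_at.isoformat())
```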
|
From: Ivan R <iva...@gm...> - 2016-06-02 08:46:30
|
Hi,

Thanks for the reply. Do you also happen to know the logic behind how the date is transformed into the integer? For example "1464853664953" this is supposed to be the date today and time should be from some time this morning.

On Wed, Jun 1, 2016 at 8:21 PM, Ralf Hornik <rh...@hc...> wrote:
> Hi,
>
> There is a column „revocation_date“ that is -1 if not revoked and a
> timestamp if is
>
> Cheers
>
> *From:* Ivan R [mailto:iva...@gm...]
> *Sent:* Wednesday, 1 June 2016 17:05
> *To:* ejb...@li...
> *Subject:* [Ejbca-develop] What is the meaning of the status integers in
> the certificateData table in the DB?
>
> I'm looking for a way to detect if a certificate was revoked. Ideally if
> it was revoked recently. Is there anything from which I can read up on the
> status meanings?
>
> Also I intend to delete some certificates when they've been just made
> and revoked without ever being used. Is there any underlying risk when
> doing that? |
|
From: Ralf H. <rh...@hc...> - 2016-06-01 17:40:17
|
Hi,

There is a column „revocation_date“ that is -1 if not revoked and a timestamp if is

Cheers

From: Ivan R [mailto:iva...@gm...]
Sent: Wednesday, 1 June 2016 17:05
To: ejb...@li...
Subject: [Ejbca-develop] What is the meaning of the status integers in the certificateData table in the DB?

I'm looking for a way to detect if a certificate was revoked. Ideally if it was revoked recently. Is there anything from which I can read up on the status meanings?

Also I intend to delete some certificates when they've been just made and revoked without ever being used. Is there any underlying risk when doing that? |
|
From: Ivan R <iva...@gm...> - 2016-06-01 15:05:24
|
I'm looking for a way to detect if a certificate was revoked. Ideally if it was revoked recently. Is there anything from which I can read up on the status meanings?

Also I intend to delete some certificates when they've been just made and revoked without ever being used. Is there any underlying risk when doing that? |
|
From: Donabedian, V. L (2443782) <v.d...@be...> - 2016-05-30 13:14:23
|
Good day: Can you kindly please remove me from the list? My email is: v.d...@be... Thank you, Vahe |
|
From: Christian F. <pu...@fe...> - 2016-05-27 12:25:27
|
On 27.05.2016 at 13:10, Tomas Gustavsson wrote:
>
> This seems to be with signing, and related to the CA's private key, not
> the CSR. Are you trying to create an EC signature with an RSA key?

Tomas,

thank you very much, that was the reason for signing failure.

Solution: I created a new CA in EJBCA which uses EC instead of RSA. This CA is usable for signing EC certificates.

best regards
Christian |
|
From: Tomas G. <to...@pr...> - 2016-05-27 11:10:31
|
This seems to be with signing, and related to the CA's private key, not the CSR. Are you trying to create an EC signature with an RSA key?

On 2016-05-27 12:15, Christian Felsing wrote:
> Hello,
>
> EJBCA 6.3.1.1 throws an exception when trying to sign following request:
>
> Request contains following data:
>
> ---cut here---
> Certificate Request:
>     Data:
>         Version: 0 (0x0)
>         Subject: O=felsing.net, CN=hsm-0003
>         Subject Public Key Info:
>             Public Key Algorithm: id-ecPublicKey
>                 Public-Key: (256 bit)
>                 ASN1 OID: prime256v1
>                 NIST CURVE: P-256
>         Attributes:
>             a0:00
>     Signature Algorithm: ecdsa-with-SHA256
> ---cut here---
>
> ---cut here---
> Exception:
> org.cesecore.certificates.certificate.CertificateCreateException:
> org.bouncycastle.operator.OperatorCreationException: cannot create
> signer: can't identify EC private key.
org.ejbca.ui.web.pub.RequestInstance.pkcs10Req(RequestInstance.java:650) > at org.ejbca.ui.web.pub.RequestInstance.doPost(RequestInstance.java:427) > at org.ejbca.ui.web.pub.CertReqServlet.doPost(CertReqServlet.java:117) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:754) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:847) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) > at > org.owasp.filters.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:198) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) > at org.owasp.filters.ClickjackFilter.doFilter(ClickjackFilter.java:36) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214) > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231) > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149) > at > org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:420) > at > org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) > at > org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50) > at > org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169) > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150) > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97) > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102) > at > 
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344) > at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490) > at > org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420) > at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926) > at java.lang.Thread.run(Thread.java:745) > Caused by: org.bouncycastle.operator.OperatorCreationException: cannot > create signer: can't identify EC private key. > at > org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.build(Unknown > Source) > at > org.cesecore.certificates.ca.X509CA.generateCertificate(X509CA.java:1049) > at org.cesecore.certificates.ca.X509CA.generateCertificate(X509CA.java:652) > at > org.cesecore.certificates.certificate.CertificateCreateSessionBean.createCertificate(CertificateCreateSessionBean.java:396) > ... 127 more > Caused by: java.security.InvalidKeyException: can't identify EC private key. > at > org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil.generatePrivateKeyParameter(Unknown > Source) > at > org.bouncycastle.jcajce.provider.asymmetric.ec.SignatureSpi.engineInitSign(Unknown > Source) > at java.security.Signature$Delegate.engineInitSign(Signature.java:1174) > at java.security.Signature.initSign(Signature.java:527) > ... 131 more > ---cut here--- > > > I consider this problem to be caused by BouncyCastle, but it has an impact on > EJBCA. > > best regards > Christian Felsing > > >
_______________________________________________ > Ejbca-develop mailing list > Ejb...@li... > https://lists.sourceforge.net/lists/listinfo/ejbca-develop > |
|
From: Christian F. <pu...@fe...> - 2016-05-27 10:35:10
|
Hello,
EJBCA 6.3.1.1 throws an exception when trying to sign the following request:
-----BEGIN CERTIFICATE REQUEST-----
MIHkMIGLAgEAMCkxFDASBgNVBAoMC2ZlbHNpbmcubmV0MREwDwYDVQQDDAhoc20t
MDAwMzBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABCHNouS8915Fx4Clxs2hVkmM
ZEfxYJWGGNos7g2UHff6FIwaVD4iNWFtC9CO5Rpd4EAbvh/HesvYDVMW5TNYuu6g
ADAKBggqhkjOPQQDAgNIADBFAiEAukkckN3DWJkAee5cI8Iew/S8huzUvmHx3AuJ
vlcZAFgCICS8kGnWS0r8zvOPu5NmCYCAL/RbiQAR6f6wANhOjaEX
-----END CERTIFICATE REQUEST-----
The request contains the following data:
---cut here---
Certificate Request:
Data:
Version: 0 (0x0)
Subject: O=felsing.net, CN=hsm-0003
Subject Public Key Info:
Public Key Algorithm: id-ecPublicKey
Public-Key: (256 bit)
pub:
04:19:72:96:7c:05:9c:f1:e4:1c:56:4c:d3:92:35:
86:87:7d:15:ab:50:2b:1f:eb:fa:30:9c:78:a9:9d:
6f:68:8e:66:a6:3b:1f:db:ea:33:83:10:1b:98:0d:
94:a3:a3:2c:7f:44:0a:ff:d4:3f:9e:5d:d9:99:c1:
8f:06:95:1b:df
ASN1 OID: prime256v1
NIST CURVE: P-256
Attributes:
a0:00
Signature Algorithm: ecdsa-with-SHA256
30:45:02:20:4d:fd:a8:e3:03:a5:cd:f8:27:c2:c2:b3:fb:66:
cb:2b:9c:c8:73:aa:4f:6c:27:7f:8f:63:10:41:da:a2:3b:23:
02:21:00:a0:10:33:a7:e8:04:2b:42:3c:f6:c6:b6:18:c2:ec:
74:21:b9:8c:54:fd:33:c0:76:41:37:16:4f:62:2a:57:37
---cut here---
---cut here---
Exception:
org.cesecore.certificates.certificate.CertificateCreateException:
org.bouncycastle.operator.OperatorCreationException: cannot create
signer: can't identify EC private key.
at
org.cesecore.certificates.certificate.CertificateCreateSessionBean.createCertificate(CertificateCreateSessionBean.java:510)
at
org.cesecore.certificates.certificate.CertificateCreateSessionBean.createCertificate(CertificateCreateSessionBean.java:199)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.jboss.as.ee.component.ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptor.java:52)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53)
at
org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:63)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53)
at
org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:63)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.ejb3.component.invocationmetrics.ExecutionTimeInterceptor.processInvocation(ExecutionTimeInterceptor.java:43)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
at
org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:51)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInCallerTx(CMTTxInterceptor.java:258)
at
org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:347)
at
org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:243)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:43)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)
at
org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
at
org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:73)
at
org.cesecore.certificates.certificate.CertificateCreateSessionLocal$$$view32.createCertificate(Unknown
Source)
at
org.ejbca.core.ejb.ca.sign.SignSessionBean.createCertificate(SignSessionBean.java:405)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at
org.jboss.as.ee.component.ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptor.java:52)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53)
at
org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:63)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.invocation.WeavedInterceptor.processInvocation(WeavedInterceptor.java:53)
at
org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:63)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.ejb3.component.invocationmetrics.ExecutionTimeInterceptor.processInvocation(ExecutionTimeInterceptor.java:43)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:21)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
at
org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:53)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:51)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInOurTx(CMTTxInterceptor.java:280)
at
org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:345)
at
org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:243)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:43)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:59)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:55)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.as.ee.component.TCCLInterceptor.processInvocation(TCCLInterceptor.java:45)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:185)
at
org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185)
at
org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:288)
at
org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:61)
at
org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:73)
at
org.ejbca.core.ejb.ca.sign.SignSessionLocal$$$view96.createCertificate(Unknown
Source)
at org.ejbca.ui.web.RequestHelper.pkcs10CertRequest(RequestHelper.java:236)
at org.ejbca.ui.web.RequestHelper.pkcs10CertRequest(RequestHelper.java:275)
at org.ejbca.ui.web.pub.RequestInstance.pkcs10Req(RequestInstance.java:650)
at org.ejbca.ui.web.pub.RequestInstance.doPost(RequestInstance.java:427)
at org.ejbca.ui.web.pub.CertReqServlet.doPost(CertReqServlet.java:117)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:754)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:847)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:295)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
at
org.owasp.filters.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:198)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
at org.owasp.filters.ClickjackFilter.doFilter(ClickjackFilter.java:36)
at
org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:246)
at
org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:214)
at
org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:231)
at
org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:149)
at
org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:420)
at
org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50)
at
org.jboss.as.jpa.interceptor.WebNonTxEmCloserValve.invoke(WebNonTxEmCloserValve.java:50)
at
org.jboss.as.web.security.SecurityContextAssociationValve.invoke(SecurityContextAssociationValve.java:169)
at
org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:150)
at
org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:97)
at
org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:102)
at
org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:344)
at org.apache.coyote.ajp.AjpProcessor.process(AjpProcessor.java:490)
at
org.apache.coyote.ajp.AjpProtocol$AjpConnectionHandler.process(AjpProtocol.java:420)
at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:926)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.bouncycastle.operator.OperatorCreationException: cannot
create signer: can't identify EC private key.
at
org.bouncycastle.operator.jcajce.JcaContentSignerBuilder.build(Unknown
Source)
at
org.cesecore.certificates.ca.X509CA.generateCertificate(X509CA.java:1049)
at org.cesecore.certificates.ca.X509CA.generateCertificate(X509CA.java:652)
at
org.cesecore.certificates.certificate.CertificateCreateSessionBean.createCertificate(CertificateCreateSessionBean.java:396)
... 127 more
Caused by: java.security.InvalidKeyException: can't identify EC private key.
at
org.bouncycastle.jcajce.provider.asymmetric.util.ECUtil.generatePrivateKeyParameter(Unknown
Source)
at
org.bouncycastle.jcajce.provider.asymmetric.ec.SignatureSpi.engineInitSign(Unknown
Source)
at java.security.Signature$Delegate.engineInitSign(Signature.java:1174)
at java.security.Signature.initSign(Signature.java:527)
... 131 more
---cut here---
I consider this problem to be caused by BouncyCastle, but it has an impact on
EJBCA.
best regards
Christian Felsing
|
|
From: Tomas G. <to...@pr...> - 2016-05-10 15:59:07
|
Hi,
Debug statements are an easy way, of course. Importing into Eclipse (you should use svn so you get the Eclipse project files) and running JBoss in Eclipse in debug mode is the advanced way.
Regards,
Tomas
On 2016-05-10 10:52, Ivan R wrote:
> Hello,
>
> I want to follow some of the logic and do a little debugging. I tried to
> import ejbca 6.3.1 in Eclipse however I couldn't get it to work.
> Currently I'm just adding logs around the code and using "ant
> ejbca.ear" and then moving the file to the jboss' deploy folder so I
> can view the log. Is there a more efficient way to do it?
>
> Regards,
> Ivan
|
|
From: Ivan R <iva...@gm...> - 2016-05-10 08:52:07
|
Hello,
I want to follow some of the logic and do a little debugging. I tried to import ejbca 6.3.1 in Eclipse however I couldn't get it to work. Currently I'm just adding logs around the code and using "ant ejbca.ear" and then moving the file to the jboss' deploy folder so I can view the log. Is there a more efficient way to do it?
Regards,
Ivan |
|
From: Tomas G. <to...@pr...> - 2016-05-10 08:40:27
|
Hi,
It's best to have a matching topic in the email subject for each different topic.
Regards,
Tomas
On May 10, 2016 8:56:38 AM GMT+02:00, Ivan R <iva...@gm...> wrote:
> Hi Thomas,
>
> Thanks for the reply, it cleared things up quite a bit. I have a few more
> questions regarding debugging and database installation. Would the proper
> way to ask be to ask in a reply such as this one or is it better to ask in
> a separate mail?
>
> Regards,
> Ivan
>
> On Mon, May 9, 2016 at 5:30 PM, Tomas Gustavsson <to...@pr...> wrote:
>
>> Hi Ivan,
>>
>> This is a great place to ask. Parsing an end entity profile XML is a bit
>> tricky unfortunately, but others have proven it can be done :-)
>>
>> The XML is a direct representation of the internal format, so no
>> human-readable formatting is done.
>>
>> This part from the javadoc should help you. Unless you use Java, then
>> you can simply load the XML into an EndEntity class that you can find in
>> EJBCA.
>>
>> -----
>> * The algorithm for constants in the EndEntityProfile is:
>> * Values are stored as 100*parameternumber+parameter, so the first
>>   COMMONNAME value is 105, the second 205 etc.
>> * Use flags are stored as 10000+100*parameternumber+parameter, so the
>>   first USE_COMMONNAME value is 10105, the second 10205 etc.
>> * Required flags are stored as 20000+100*parameternumber+parameter, so
>>   the first REQUIRED_COMMONNAME value is 20105, the second 20205 etc.
>> * Modifyable flags are stored as 30000+100*parameternumber+parameter,
>>   so the first MODIFYABLE_COMMONNAME value is 30105, the second 30205 etc.
>> *
>> * Parsing an exported End Entity Profile XML:
>> * In the EndEntityProfile XML there is for example a field
>>   SUBJECTDNFIELDORDER which contains the defined DN components.
>> * The algorithm is:
>> * 100*parameter + size
>> *
>> * So for example if SUBJECTDNFIELDORDER contains the two values "500,
>>   1100" this means there is one CN and one OU.
>> * Numbers are defined in src/java/profilemappings.properties and CN=5
>>   and OU=11, so 100*5+0 = 500 and 100*11+0 = 1100.
>> * If there would be two OU fields there would also be one 1101
>>   (100*11+1) in the SUBJECTDNFIELDORDER.
>> *
>> * You can see if the first CN field is required by finding a key in the
>>   XML with the formula:
>> * 20000+100*0+5 = 20005
>> * if the value of this key is true, the first CN field is required and
>>   not optional.
>> * etc, for the second CN field (if there was a second one in
>>   SUBJECTDNFIELDORDER) it would be 20000+100*1+5.
>> -----
>>
>> Regards,
>> Tomas
>>
>> On 2016-05-09 09:10, Ivan R wrote:
>> > Hi,
>> > I get an end entity profile xml using the WSs and want to parse it in
>> > order to create a similar form to the one on the site elsewhere. I've
>> > looked around however I couldn't find documentation on how to do that.
>> > Any useful links or tips?
>> >
>> > Sorry if this isn't the place to ask and thanks in advance.
>> >
>> > Best Regards,
>> > Ivan
|
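The key arithmetic from the javadoc quoted in this thread, as an added example that is not EJBCA code and not part of any post. It follows the javadoc's worked numbers (500, 1100, 1101, 20005), so the field index is zero-based. The sample XML layout (a `java.beans.XMLEncoder`-style map dump) and the names `load_profile` and `decode_fields` are assumptions; only CN=5 and OU=11 are taken from the thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample, not a real export. Assumption: the profile is a map
# serialised in java.beans.XMLEncoder style, as sketched here.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<java version="1.8.0" class="java.beans.XMLDecoder">
 <object class="java.util.LinkedHashMap">
  <void method="put">
   <string>SUBJECTDNFIELDORDER</string>
   <object class="java.util.ArrayList">
    <void method="add"><int>500</int></void>
    <void method="add"><int>1100</int></void>
    <void method="add"><int>1101</int></void>
   </object>
  </void>
  <void method="put"><int>5</int><string></string></void>
  <void method="put"><int>10005</int><boolean>true</boolean></void>
  <void method="put"><int>20005</int><boolean>true</boolean></void>
  <void method="put"><int>30005</int><boolean>true</boolean></void>
  <void method="put"><int>11</int><string>Engineering</string></void>
  <void method="put"><int>10011</int><boolean>true</boolean></void>
  <void method="put"><int>20011</int><boolean>false</boolean></void>
  <void method="put"><int>30011</int><boolean>false</boolean></void>
  <void method="put"><int>111</int><string></string></void>
  <void method="put"><int>10111</int><boolean>true</boolean></void>
  <void method="put"><int>20111</int><boolean>false</boolean></void>
  <void method="put"><int>30111</int><boolean>true</boolean></void>
 </object>
</java>
"""

# Offsets named in the quoted javadoc (value, USE_, REQUIRED_, MODIFYABLE_).
BASES = {"value": 0, "use": 10000, "required": 20000, "modifiable": 30000}
# Only the two parameter numbers stated in the thread; the rest live in
# src/java/profilemappings.properties and are not guessed here.
FIELD_NAMES = {5: "CN", 11: "OU"}


def _value(elem):
    """Turn one XMLEncoder element into a plain Python value (data only)."""
    if elem.tag in ("int", "long", "short"):
        return int(elem.text)
    if elem.tag == "boolean":
        return (elem.text or "").strip() == "true"
    if elem.tag in ("float", "double"):
        return float(elem.text)
    if elem.tag == "string":
        return elem.text or ""
    if elem.tag == "object":  # treated as a list built with add() calls
        return [_value(add[0]) for add in elem.findall("void[@method='add']")]
    raise ValueError(f"unsupported element <{elem.tag}>")


def load_profile(xml_text):
    """Read the map as data; no class named in the file is instantiated."""
    if "<!DOCTYPE" in xml_text:
        # An export has no DTD; refuse it instead of expanding entities.
        raise ValueError("unexpected DOCTYPE in profile XML")
    table = ET.fromstring(xml_text).find("object")
    if table is None:
        raise ValueError("no map object found")
    profile = {}
    for put in table.findall("void[@method='put']"):
        children = list(put)
        if len(children) != 2:
            raise ValueError("put() needs exactly a key and a value")
        profile[_value(children[0])] = _value(children[1])
    return profile


def decode_fields(profile):
    """Expand SUBJECTDNFIELDORDER into one record per DN field."""
    fields = []
    for entry in profile.get("SUBJECTDNFIELDORDER", []):
        if not isinstance(entry, int) or entry < 0:
            raise ValueError(f"bad SUBJECTDNFIELDORDER entry: {entry!r}")
        # Order entries are 100*parameter + index (500 = CN #0, 1101 = OU #1).
        parameter, index = divmod(entry, 100)
        # Per-field keys are base + 100*index + parameter (20005, 20105, ...).
        key = 100 * index + parameter
        record = {"name": FIELD_NAMES.get(parameter, f"field#{parameter}"),
                  "index": index}
        for attr, base in BASES.items():
            record[attr] = profile.get(base + key)  # None when key is absent
        fields.append(record)
    return fields


if __name__ == "__main__":
    for f in decode_fields(load_profile(SAMPLE_XML)):
        print(f)
```

A key missing from the export comes back as `None` rather than `False`, so a form generator can tell "not set" apart from "explicitly optional".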