From: M.G.R <mg....@ni...> - 2013-02-20 06:43:40
I have set up the External OCSP Responder by following the OCSP Installation guide, but when publishing with Publisher Type -> Validation Authority Publisher, the OCSP database is not updated. So I manually inserted the CA certificate and a user certificate issued by that CA. Then I requested an OCSP response using the openssl ocsp client. It shows the following error. Please suggest a solution for this issue.

Input Error:

    $ openssl ocsp -issuer AdminCA1.pem -cert ramesh.pem -url http://10.163.14.120:8080/ejbca/publicweb/status/ocsp -respout resp.der -no_cert_verify
    Error querying OCSP responsder

Output Error:

    2013-02-20 10:30:13,674 INFO [org.ejbca.core.protocol.ocsp.standalonesession.SigningEntityContainer] (http-0.0.0.0-8080-1) No card password specified.
    2013-02-20 10:30:14,175 WARN [org.ejbca.core.protocol.ocsp.standalonesession.SigningEntityContainer] (http-0.0.0.0-8080-1) You have not specified ocsp.p11.p11password at build time. So you need to do a manual activation.
    2013-02-20 10:30:14,175 ERROR [org.ejbca.core.protocol.ocsp.standalonesession.SigningEntityContainer] (http-0.0.0.0-8080-1) No valid keys. Key directory /home/otc/ejbca/jboss-5.1.0.GA/bin/keys. No P11 defined.
    2013-02-20 10:30:14,175 INFO [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1) Received OCSP request for certificate with serNo: 33f74ee237b19e46, and issuerNameHash: 4145f8a5ccf07e01ebf1d22d40a1e29392b1e02e. Client ip 10.163.14.120.
    2013-02-20 10:30:14,186 INFO [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1) Adding status information (good) for certificate with serial '33f74ee237b19e46' from issuer 'CN=AdminCA1,O=EJBCA Sample,C=SE'.
    2013-02-20 10:30:24,188 ERROR [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1) Error processing OCSP request. Message: No ocsp signing key for caid -1688117755.
    org.ejbca.core.model.ca.caadmin.extendedcaservices.ExtendedCAServiceNotActiveException: No ocsp signing key for caid -1688117755
        at org.ejbca.core.protocol.ocsp.standalonesession.StandAloneSession.extendedService(StandAloneSession.java:390)
        at org.ejbca.ui.web.protocol.OCSPServletStandAlone.extendedService(OCSPServletStandAlone.java:131)
        at org.ejbca.ui.web.protocol.OCSPServletBase.signOCSPResponse(OCSPServletBase.java:228)
        at org.ejbca.ui.web.protocol.OCSPServletBase.serviceOCSP(OCSPServletBase.java:934)
        at org.ejbca.ui.web.protocol.OCSPServletBase.doPost(OCSPServletBase.java:380)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
        at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
        at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
        at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
        at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
        at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
        at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
        at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
        at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
        at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
        at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
        at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
        at java.lang.Thread.run(Thread.java:679)

--
View this message in context: http://old.nabble.com/External-OCSP-Responder-issue-tp35044907p35044907.html
Sent from the EjbCA - Dev mailing list archive at Nabble.com.
From: Tomas G. <to...@pr...> - 2013-02-20 16:06:39
You have probably inserted the certificates wrongly in the database. There is no signing certificate and key picked up for that CA. A debug log, during startup, will tell you very much what the responder is picking up.

The VA publisher is working if you configure it correctly. You need to add it as a "CRL Publisher" in "Edit Certificate Authorities"; I think this is what it says in the installation guide. Also, the certificate profile used to issue the responder certificate needs a VA publisher (the same one) configured in "Edit Certificate Profiles".

Cheers,
Tomas

** VISIT US AT RSA EXPO - BOOTH #459 **
**** FREE EXPO PASS CODE: FXE13PKS ****
https://ae.rsaconference.com/US13/portal/login.ww
**********
PrimeKey Solutions AB
Anderstorpsvägen 16, 171 54 Solna, Sweden
Mob: +46 (0)707421096
Internet: www.primekey.se
Twitter: twitter.com/primekeyPKI
**********