|
From: Michael P. <M.P...@pa...> - 2014-12-09 13:23:35
|
Hi!

I've created a new internal RootCA for our company and a SubCA for issuing SSL client certificates for accessing the EJBCA admin panel, which will be provided to the individual users.

I've created one such test certificate and imported it into my local Firefox keystore. When I now try to access the EJBCA Admin GUI, Firefox asks me which certificate I'd like to use. However, it only offers the "SuperAdmin" certificate and not the one I've just created.

Does EJBCA somehow tell the browser to only ask the user for a limited set of certificates (e.g. signed by a specific CA)? Is this configurable?

cheers
nomike
|
From: Tomas G. <to...@pr...> - 2014-12-09 13:45:14
|
You need to update the JBoss truststore to trust new CA certificates.

http://ejbca.org/docs/userguide.html#Administrators%20issued%20by%20external%20CAs

Regards,
Tomas
-----
Save time and money with an Enterprise support subscription. Please see www.primekey.se for more information.
http://www.primekey.se/Products/EJBCA+PKI/
http://www.primekey.se/Services/Support/

_______________________________________________
Ejbca-develop mailing list
Ejb...@li...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop
|
From: Michael P. <M.P...@pa...> - 2014-12-09 14:44:01
|
Thanks for the suggestion.

However, I'm not able to import the CA certificate into the truststore. The SubCA was created in EJBCA.

I opened the corresponding crypto token and downloaded the public key aliased "defaultKey" and got a file in ".pem" format. I transferred this file back to the server and tried to import it using keytool, but only got an error message:

---SNIP---
# keytool -import -trustcacerts -file /tmp/defaultKey.pem -keystore p12/truststore.jks -storepass changeit -alias pkiadminuserca
keytool error: java.lang.Exception: Input not an X.509 certificate
---SNAP---

I do not have to import the private key of the SubCA into the truststore, do I?

cheers
nomike
|
From: Michael S. <mi...@st...> - 2014-12-09 14:54:38
Attachments:
smime.p7s
|
Michael Postmann wrote:
> Thanks for the suggestion.
>
> However I'm not able to import the CA-Certificate into the truststore.
> The SubCA was created in EJBCA.
>
> I opened the corresponding crypto token and downloaded the public key aliased "defaultKey" and got a file in ".pem" format.
> I transferred this file back to the server and tried to import it using keytool, but only got an error message:
>
> ---SNIP---
> # keytool -import -trustcacerts -file /tmp/defaultKey.pem -keystore p12/truststore.jks -storepass changeit -alias pkiadminuserca
> keytool error: java.lang.Exception: Input not an X.509 certificate
> ---SNAP---

For the browser to present a client cert for selection by the user, it has to build the full chain against one of the client cert trust anchors sent by the server. You can observe what the server sends as client cert CA trust anchors by running

openssl s_client -connect server.example.com:8443

So you have to:

1. Make sure that truststore.jks contains the root CA needed to validate the client cert.
2. Your browser knows the root CA needed to validate the client cert as trusted and knows the sub CA cert (imported without trust flags).

> I do not have to import the private key of the SubCA into the truststore,
> do I?

truststore.jks should not contain private keys! And tomcat.jks just contains the server's private key.

Ciao, Michael.
|
From: Tomas G. <to...@pr...> - 2014-12-09 14:54:48
|
It's just that keytool needs the certificate in DER format, not PEM.

There is also the command "ant javatruststore" in EJBCA.

/Tomas
|
From: Michael P. <M.P...@pa...> - 2014-12-09 16:05:21
|
I'm not sure in which format the key is:

---SNIP---
root@server /tmp # cat defaultKey.pem :(
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjth4dOk72dVII56T/EJ0
tmC11daQtJynfmrxcV0gDrxfd/6qTTlNY9jwcAo/C/q/5Cvon2nn7URILmDrlibv
BiHS0ScHtA4OEj6y7pXil7Go59aO8n/qgr7NCGSYIEUVDa+6bCACTOISsEgzO6/L
MUzNcSMHA4mI7DgQeffGBWrEsB9TlOHxBCnF3cqQ9aFGzp6Foewv4kk/iVff/eZm
xKUk4OMTWgQadIQC/fpj0VyKAeppwwogJahV3GP6CPiALVPbiOvfBxMr6Pem1Udw
NcNQSZ4ihgDDdIXbFXyqDjMoKQgF0D5PHUEOIfmZ08cgk9qULUK3OwBhgOwmCIPQ
GQIDAQAB
-----END PUBLIC KEY-----
root@server /tmp # openssl x509 -in defaultKey.pem -inform PEM -out defaultKey.crt -outform DER
unable to load certificate
140050112972616:error:0906D06C:PEM routines:PEM_read_bio:no start line:pem_lib.c:703:Expecting: TRUSTED CERTIFICATE
1 root@server /tmp # openssl x509 -in defaultKey.pem -inform DER -out defaultKey.crt -outform DER :(
unable to load certificate
139951552452424:error:0D0680A8:asn1 encoding routines:ASN1_CHECK_TLEN:wrong tag:tasn_dec.c:1319:
139951552452424:error:0D07803A:asn1 encoding routines:ASN1_ITEM_EX_D2I:nested asn1 error:tasn_dec.c:381:Type=X509
---SNAP---

Any suggestions?

cheers
nomike
|
From: Michael S. <mi...@st...> - 2014-12-09 16:36:02
Attachments:
smime.p7s
|
Michael Postmann wrote:
> I'm not sure in which format the key is:
> ---SNIP---
> root@server /tmp # cat defaultKey.pem :(
> -----BEGIN PUBLIC KEY-----
> MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAjth4dOk72dVII56T/EJ0
> tmC11daQtJynfmrxcV0gDrxfd/6qTTlNY9jwcAo/C/q/5Cvon2nn7URILmDrlibv
> BiHS0ScHtA4OEj6y7pXil7Go59aO8n/qgr7NCGSYIEUVDa+6bCACTOISsEgzO6/L
> MUzNcSMHA4mI7DgQeffGBWrEsB9TlOHxBCnF3cqQ9aFGzp6Foewv4kk/iVff/eZm
> xKUk4OMTWgQadIQC/fpj0VyKAeppwwogJahV3GP6CPiALVPbiOvfBxMr6Pem1Udw
> NcNQSZ4ihgDDdIXbFXyqDjMoKQgF0D5PHUEOIfmZ08cgk9qULUK3OwBhgOwmCIPQ
> GQIDAQAB
> -----END PUBLIC KEY-----
> root@server /tmp # openssl x509 -in defaultKey.pem -inform PEM -out defaultKey.crt -outform DER
> unable to load certificate

The BEGIN line indicates that this is a raw public key file and not an X.509 certificate.

Ciao, Michael.
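The two points made in this thread (Tomas's PEM/DER remark and Michael S.'s observation that a BEGIN PUBLIC KEY block is a SubjectPublicKeyInfo, not a certificate) can be checked before anything is fed to keytool. The following is an added example written for this archive page, not code from EJBCA or from any poster; it uses only the Python standard library, the sample inputs are constructed stand-ins with the right ASN.1 shape, and "defaultKey" in the comments refers to the alias named in the thread.

```python
# Added example for this thread, not EJBCA's or the posters' code. Stdlib only; samples constructed.
import base64
import re

PEM_RE = re.compile(r"-----BEGIN (?P<l>[A-Z0-9 ]+)-----(?P<b>.*?)-----END (?P=l)-----", re.S)

def pem_blocks(text):
    """[(label, der_bytes)] for every PEM block; the label is what keytool/openssl key on."""
    return [(m.group("l"), base64.b64decode("".join(m.group("b").split()), validate=True))
            for m in PEM_RE.finditer(text)]

def der_tlv(buf, pos=0):
    """Decode one DER tag and length; return (tag, content_start, content_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def der_children(der):
    """Tags directly inside the outer SEQUENCE, or None if der is not exactly one SEQUENCE."""
    try:
        tag, pos, end = der_tlv(der)
        if tag != 0x30 or end != len(der):  # PEM text read as DER fails here: first byte is '-'
            return None
        tags = []
        while pos < end:
            ctag, _, pos = der_tlv(der, pos)
            tags.append(ctag)
        return tags
    except IndexError:  # truncated input
        return None

def classify(der):
    """Certificate = SEQ{tbs SEQ, sigAlg SEQ, BIT STRING}; SubjectPublicKeyInfo = SEQ{algId SEQ, BIT STRING}."""
    tags = der_children(der)
    if tags == [0x30, 0x30, 0x03]:
        return "certificate"
    if tags == [0x30, 0x03]:
        return "public key"
    return "unknown"

def classify_pem(text):
    """Run before keytool -import: [(PEM label, what the DER inside really is)] per block."""
    return [(label, classify(der)) for label, der in pem_blocks(text)]

def der_seq(*children):  # minimal encoder for the constructed samples (short-form lengths only)
    body = b"".join(children)
    return b"\x30" + bytes([len(body)]) + body

def to_pem(label, der):
    return "-----BEGIN %s-----\n%s-----END %s-----\n" % (label, base64.encodebytes(der).decode(), label)

ALG_ID = der_seq(b"\x06\x03\x2a\x03\x04")  # constructed SEQUENCE { OBJECT IDENTIFIER }
BIT_STR = b"\x03\x02\x00\xff"              # constructed BIT STRING
SAMPLE_SPKI = der_seq(ALG_ID, BIT_STR)     # shape of the "defaultKey" public-key download
SAMPLE_CERT = der_seq(der_seq(b"\x02\x01\x01"), ALG_ID, BIT_STR)  # shape keytool -import expects
SAMPLE_PUBKEY_PEM = to_pem("PUBLIC KEY", SAMPLE_SPKI)
SAMPLE_CERT_PEM = to_pem("CERTIFICATE", SAMPLE_CERT)
```

`classify_pem` on the thread's defaultKey.pem would report a public key under a PUBLIC KEY label, which is why both keytool and `openssl x509` reject it; the file to import into truststore.jks is the CA certificate, typically obtained from the CA's own download page rather than from the crypto token.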