From: Johan E. <ejb...@pr...> - 2009-03-19 16:25:16
Andrea wrote:
> Johan Eklund wrote:
>> Andrea wrote:
>>> Johan Eklund wrote:
>>>> Andrea wrote:
>>>>> Johan Eklund wrote:
>>>>>> Andrea wrote:
>>>>>>> Andrea wrote:
>>>>>>>> Johan Eklund wrote:
>>>>>>>>> Andrea wrote:
>>>>>>>>>> Johan Eklund wrote:
>>>>>>>>>>> Andrea wrote:
>>>>>>>>>>>> Tomas Gustavsson wrote:
>>>>>>>>>>>>> Hi, yes I meant the wrong superadmin certificate. If the client certificate is not available at all it usually gives a message like that.
>>>>>>>>>>>>> This would also be the case if there is a mismatch between the server certificate (tomcat.jks) and the superadmin.p12, so that the browser does not send the superadmin certificate at all to the server.
>>>>>>>>>>>>> You can usually figure out this if for example configuring Firefox to always ask which certificate to use. If firefox then does not ask for any certificate you don't have a matching superadmin certificate.
>>>>>>>>>>>>>
>>>>>>>>>>>>> Andrea wrote:
>>>>>>>>>>>>>> Tomas Gustavsson wrote:
>>>>>>>>>>>>>>> Couldn't bad cert alert be because the wrong superadmin cert was used? I have a feeling this is what I get when using the wrong superadmincert...
>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>> Johan Eklund <ejb...@pr...> wrote:
>>>>>>>>>>>>>>>> This is the CN of the tomcat-user.. but you have to generate a new certificate and deploy this new one.
>>>>>>>>>>>>>>>> Check the user guide for instructions on how to renew the SSL certificate.
>>>>>>>>>>>>>>>> /Johan
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> Andrea wrote:
>>>>>>>>>>>>>>>>> Johan Eklund wrote:
>>>>>>>>>>>>>>>>>> Hi Andrea,
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Since you copied the entire database, the CA stored in the database is already "imported".
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> "ssl_error_bad_cert_alert" might be caused by the name in the SSL server certificate not being the same on the new machine..
>>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>>> Best Regards,
>>>>>>>>>>>>>>>>>> Johan
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> Hi Johan, thanks a lot for your answer !!
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> As regards to SSL error, how can i verify and solve this ???
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> --Andrea
>>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>>> ------------------------------------------------------------------------------
>>>>>>>>>>>>>>>>> Apps built with the Adobe(R) Flex(R) framework and Flex Builder(TM) are powering Web 2.0 with engaging, cross-platform capabilities. Quickly and easily build your RIAs with Flex Builder, the Eclipse(TM)based development software that enables intelligent coding and step-through debugging.
>>>>>>>>>>>>>>>>> Download the free 60 day trial.
>>>>>>>>>>>>>>>>> http://p.sf.net/sfu/www-adobe-com
>>>>>>>>>>>>>>>>> _______________________________________________
>>>>>>>>>>>>>>>>> Ejbca-develop mailing list
>>>>>>>>>>>>>>>>> Ejb...@li...
>>>>>>>>>>>>>>>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>>>>>>>>>>>>>>>
>>>>>>>>>>>>>>>> --
>>>>>>>>>>>>>>>> PrimeKey Solutions offers a commercial EJBCA support subscription and training for EJBCA. Please see www.primekey.se or contact in...@pr... for more information.
>>>>>>>>>>>>>>>> http://download.primekey.se/documents/ejbca_subscription.pdf
>>>>>>>>>>>>>>>> http://download.primekey.se/documents/ejbca_training.pdf
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> Hi again, and thanks for your responses; now i'm not in office any more till Monday.....so i'll test your hints on that day....
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> But what do you mean Tomas when you say the wrong superadmincert ?? is the superadmin.p12 file ?? if this is the case i copied it ( all the dir p12 ) from the original EJBCA install to the one on the new server before doing "ant deploy"
>>>>>>>>>>>>>>
>>>>>>>>>>>>>> --Andrea
>>>>>>>>>>>>
>>>>>>>>>>>> Ok, i tried with a total fresh new install on the backup server but with the conf and src directory ( of ejbca ) of the production server;
>>>>>>>>>>>>
>>>>>>>>>>>> made:
>>>>>>>>>>>> 1 ) ant bootstrap
>>>>>>>>>>>> 2 ) started jboss
>>>>>>>>>>>> 3 ) ant install
>>>>>>>>>>>> 4 ) stopped jboss
>>>>>>>>>>>> 5 ) ant deploy
>>>>>>>>>>>>
>>>>>>>>>>>> Then with the new superadmin.p12 i successfully entered the admin webUI.
>>>>>>>>>>>>
>>>>>>>>>>>> Then i exported the profiles in the production server ( with ./ejbca ca exportprofiles ) and successfully imported with ./ejbca.sh ca importprofiles.
>>>>>>>>>>>>
>>>>>>>>>>>> Now i'm trying to export and import users cert; i did this: then from the webUI i went to the "list/edit end entities", selected one entity to make a test, and then "View_Certificates"; then click on "Download PEM file" and downloaded the corresponding pem file.
>>>>>>>>>>>>
>>>>>>>>>>>> The problem arise when i tried to import it in the "new install":
>>>>>>>>>>>>
>>>>>>>>>>>> the command-help says this:
>>>>>>>>>>>> ######################
>>>>>>>>>>>> ./ejbca.sh ca importcert
>>>>>>>>>>>>
>>>>>>>>>>>> Usage: importcert <username> <password> <caname> <status> <certificate file> [<endentityprofile> | <endentityprofile> <certificateprofile>]
>>>>>>>>>>>> ######################
>>>>>>>>>>>>
>>>>>>>>>>>> MY BIG problem now seem to be the "password": which password is this ??
>>>>>>>>>>>>
>>>>>>>>>>>> Thanks a lot in advance,
>>>>>>>>>>>>
>>>>>>>>>>>> --Andrea
>>>>>>>>>>>
>>>>>>>>>>> I can see why this is a bit confusing. =) The password isn't used for anything unless you change the status of the user to NEW and generate new certificates, so set it to any random string.
>>>>>>>>>>>
>>>>>>>>>>> /Johan
>>>>>>>>>>
>>>>>>>>>> ..oops, sorry for the precedent mail; i agree with you it was just a bit confusing......
>>>>>>>>>> i tried with a random string as you said, but i got:
>>>>>>>>>>
>>>>>>>>>> "Error: Invalid certificate or certificate not issued by specified CA: TrustAnchor found but certificate validation failed."
>>>>>>>>>>
>>>>>>>>>> Is this related with the fact that i set up a new ejbca install ?; i used the conf files of the original server ( the name of the CA, it's time validity ...etc ) but the "superadmin.p12" and the "tomcat.jks" are new...
>>>>>>>>>
>>>>>>>>> Yes! If the entity you are trying to import is issued by for example AdminCA1 and this also exists in the new EJBCA, but with a different key it will not be pretty.. =/
>>>>>>>>>
>>>>>>>>>> In a precedent post i explained i tried to use also the original version of these files but i could not get in the admin webUI; you suggested that was related to the CN of the tomcat-user.
>>>>>>>>>> So you told me to generate a new certificate and deploy this new one ( IN THE NEW SERVER ?? )
>>>>>>>>>
>>>>>>>>> Yes, on the new server! If you have copied the exact installation "orginalcaserver.company.com" to a new machine "newcaserver.company.com", you have to change CN of the tomcat user from "orginalcaserver.company.com" to "newcaserver.company.com", enter a new password, set status to NEW and then batch-generate a new certificate.
>>>>>>>>>
>>>>>>>>>> I checked the user guide for instructions on how to renew the SSL certificate, but ( OBVIOUSLY due to my errors in searching ) i was not able to find the correct procedure...
>>>>>>>>>
>>>>>>>>> Might be a bit hard to find.. =)
>>>>>>>>> http://www.ejbca.org/manual.html#SSL%20certificate%20expire
>>>>>>>>>
>>>>>>>>>> Finally i found how to generate a new certificate for superadmin, but when i type ( on the new server ):
>>>>>>>>>>
>>>>>>>>>> bin/ejbca.sh ra setuserstatus superadmin 10
>>>>>>>>>>
>>>>>>>>>> it exit with errors dealing that connection to the database was refused.....
>>>>>>>>>
>>>>>>>>> Is the database running?
>>>>>>>>>
>>>>>>>>>> Which is the correct way on doing this ??
>>>>>>>>>>
>>>>>>>>>> --Andrea
>>>>>>>>>
>>>>>>>>> What was the exact error you got in your browser? Were you using Firefox? Could you add an exception?
>>>>>>>>>
>>>>>>>>> Are all your certificates on the old machine issued by "AdminCA1"?
>>>>>>>>
>>>>>>>> This is what i did:
>>>>>>>> 1) Copied the ejbca/conf, /ejbca/src and /ejbca/p12 directories from the production server on the new-one
>>>>>>>> 2) I did not use the default AdminCA1, but i set up a new CA-name that is OvpnCA: this on the original server, so the same thing is on the new one since i copied all conf-files
>>>>>>>> 3) Made "ant deploy" in ejbca dir on the new-server which compile correctly
>>>>>>>> 4) Copied all the dir jboss/server/default/data from the original server on the new-one ( i used the default HypersonicSQL DB )
>>>>>>>> 5) Started jboss
>>>>>>>>
>>>>>>>> Then i tried to renew the SSL cert doing this:
>>>>>>>>
>>>>>>>> 1) go to ejbca/bin and then did
>>>>>>>> #####
>>>>>>>> ./ejbca.sh ra setuserstatus superadmin 10
>>>>>>>> AND I GET
>>>>>>>>
>>>>>>>> Using JBoss JNDI provider...
>>>>>>>> New status for user superadmin is 10
>>>>>>>> ######
>>>>>>>> then
>>>>>>>>
>>>>>>>> ./ejbca.sh ra setclearpwd tomcat serverpwd
>>>>>>>>
>>>>>>>> AND I GET
>>>>>>>>
>>>>>>>> Using JBoss JNDI provider...
>>>>>>>> Setting clear text password serverpwd for user tomcat
>>>>>>>> ######
>>>>>>>>
>>>>>>>> Then
>>>>>>>>
>>>>>>>> ./ejbca.sh batch
>>>>>>>>
>>>>>>>> BUT I GET
>>>>>>>>
>>>>>>>> Using JBoss JNDI provider...
>>>>>>>> 0 [main] INFO org.ejbca.ui.cli.batch.BatchMakeP12 - Generating keys in directory /usr/local/ejbca/bin/p12.
>>>>>>>> 2 [main] INFO org.ejbca.ui.cli.batch.BatchMakeP12 - Generating for all NEW.
>>>>>>>> 691 [main] INFO org.ejbca.ui.cli.batch.BatchMakeP12 - Batch generating 0 users.
>>>>>>>> 691 [main] INFO org.ejbca.ui.cli.batch.BatchMakeP12 - Generating for all FAILED.
>>>>>>>> 1265 [main] INFO org.ejbca.ui.cli.batch.BatchMakeP12 - Batch generating 0 users.
>>>>>>>>
>>>>>>>> SO THERE IS NOTHING IN THE DIR /usr/local/ejbca/bin/p12
>>>>>>>>
>>>>>>>> How is the correct way of doing this ??
>>>>>>>>
>>>>>>>> Why it seems that there's no tomcat users to set to NEW ??
>>>>>>>>
>>>>>>>> --Andrea
>>>>>>>
>>>>>>> ...I have to do an "errata corrige": i did a mistake in doing "./ejbca.sh ra setuserstatus superadmin 10" !!
>>>>>>>
>>>>>>> Obviously the right users is tomcat, so i startup again and now did :
>>>>>>>
>>>>>>> ./ejbca.sh ra setuserstatus tomcat 10
>>>>>>> ./ejbca.sh ra setclearpwd tomcat serverpwd
>>>>>>> ./ejbca.sh batch
>>>>>>> cp p12/tomcat.jks /usr/local/jboss/server/default/conf/keystore/keystore.jks
>>>>>>>
>>>>>>> Then restarted jboss
>>>>>>>
>>>>>>> ANYWAY THE PROBLEM PERSIST:
>>>>>>>
>>>>>>> When ( with firefox and after load the original superadmin.p12 ) i try to go to the page
>>>>>>>
>>>>>>> "https://192.168.5.156:8443/ejbca/adminweb/index.jsp"
>>>>>>>
>>>>>>> It gives an error to connect to the ssl connection: "ssl_error_certificate_unknown_alert"
>>>>>>>
>>>>>>> Is it possible that is due to the fact i use a new tomcat.jks BUT the original superadmin.p12 ??
>>>>>>>
>>>>>>> --Andrea
>>>>>>
>>>>>> First try connecting to c instead (844*2*). This will only require server-side certificate, so if this doesn't work we can exclude the superadmin-cert.
>>>>>>
>>>>>> If this doesn't work:
>>>>>> 1. Are you viewing this in firefox?
>>>>>> 2. Have you made an exception for this site (check the link at the bottom of the error page) or added the issuing CA to the list of trusted CAs in Firefox list?
>>>>>>
>>>>>> /Johan
>>>>>
>>>>> ..As a test i tried ( prior receiving your answer ) to clear also superadmin user: so i did the same procedure to re-new superadmin and got a new superadmin.p12 file.
>>>>> Stopped and restarted jboss...
>>>>>
>>>>> Now, if i connect to https://192.168.5.156:8442/ejbca/ i correctly see to "Welcome to Ejbca" page, but when i try the "Administration" link firefox says:
>>>>>
>>>>> Authorization Denied
>>>>>
>>>>> Cause : Client certificate required.
>>>>>
>>>>> ...i cannot understand where the problem lies
>>>>>
>>>>> --Andrea
>>>>
>>>> Did you change the port number to 8443 for accessing the admin web? 8442 does not ask the browser for a client certificate, but 8443 will.
>>>>
>>>> /Johan
>>>
>>> No i did not change the port numbers;
>>> As i told when i click on the "Administration" link in the "Welcome to Ejbca" page ( http://192.168.5.156:8080/ejbca ) i'm asked to ( i'll try to translate from italian to english what Firefox popup says ):
>>>
>>> ...This site ask for a client certificate:
>>> localhost (:8443)
>>> Organization: "EJBCA sample"
>>> Published by: "Comune di Modena"
>>>
>>> ...Then ask to select the certificate which is the new superadmin.p12 i got renewing the original one
>>>
>>> One strange thing: why firefox is telling me that the organization is "EJBCA sample", instead of the correct "Comune di Modena" ??
>>> In the ejbca.properties file i configured the DN of the ca in this way:
>>>
>>> "ca.dn=CN=Ovpn CoMo CA,O=Comune di Modena,C=IT"
>>>
>>> and not use the default which is:
>>>
>>> "ca.dn=CN=AdminCA1,O=EJBCA Sample,C=SE"
>>>
>>> --Andrea
>>
>> The tomcat.jks (the SSL server cert) you are using was generated when SubjectDN included "O=EJBCA Sample" during some installation. Either on the old machine or when you installed it on the new one. Changing this configuration will not change the content of the "tomcat" user in the database later, so if you regenerate this certificate and like to change the "O=", you have to edit the user as any other..
>>
>> /J
>
> Sorry Johan, do you mean that this is the problem ???
>
> --Andrea

Sorry I'm starting to get really confused what is and what is not done in this thread.

The "EJBCA Sample" probably comes from conf/web.properties:"httpsserver.dn=CN=ca-server,O=EJBCA Sample,C=SE".

Were you able to connect to http://192.168.5.156:8443/ejbca/adminweb/ or not? Or were you just confused by the "EJBCA Sample" text?

/J

--
PrimeKey Solutions offers a commercial EJBCA support subscription and training for EJBCA. Please see www.primekey.se or contact in...@pr... for more information.
http://download.primekey.se/documents/ejbca_subscription.pdf
http://download.primekey.se/documents/ejbca_training.pdf
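
The case quoted in the thread above, where a certificate is imported into an install whose CA has the same name but a different key, reproduced with `openssl` as an added example that is not part of the original e-mails or of EJBCA. The working directory, the `testuser` name and all generated keys are constructed for illustration; only the CA DN is taken from the thread.

```shell
#!/usr/bin/env bash
# Added example with constructed data: an "old" and a "new" CA share one subject
# DN but hold different keys, as after a fresh install that reuses the old conf.
set -euo pipefail

# ca.dn from the thread, written in openssl's -subj order.
CA_SUBJ="/C=IT/O=Comune di Modena/CN=Ovpn CoMo CA"
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_ca() {            # make_ca <dir>: self-signed CA with a freshly generated key
  mkdir -p "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$CA_SUBJ" \
    -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

issue_cert() {         # issue_cert <ca dir> <common name> <out.pem>
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -keyout "$WORK/ee.key" -out "$WORK/ee.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/ee.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
    -CAcreateserial -days 30 -out "$3" 2>/dev/null
}

same_issuer_name() {   # same_issuer_name <ca.pem> <cert.pem>: issuer DN equals CA subject DN?
  [ "$(openssl x509 -in "$2" -noout -issuer_hash)" = \
    "$(openssl x509 -in "$1" -noout -subject_hash)" ]
}

issued_by() {          # issued_by <ca.pem> <cert.pem>: does the cert verify under this CA?
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

check() {              # check <label> <ca.pem> <cert.pem>: print both results
  local name=no sig=no
  if same_issuer_name "$2" "$3"; then name=yes; fi
  if issued_by "$2" "$3"; then sig=yes; fi
  echo "$1: issuer name matches=$name, certificate verifies=$sig"
}

make_ca "$WORK/old"                                  # production CA
make_ca "$WORK/new"                                  # fresh install: same DN, new key
issue_cert "$WORK/old" "testuser" "$WORK/user.pem"   # end-entity cert from production

check "old CA" "$WORK/old/ca.pem" "$WORK/user.pem"
check "new CA" "$WORK/new/ca.pem" "$WORK/user.pem"
```

The issuer name matches both CAs, but the certificate verifies only under the CA whose key signed it, so a name match alone says nothing about whether an import into the new install can succeed.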