From: Tomas G. <to...@pr...> - 2010-12-15 11:35:10
Hi,

You are reading the wrong section of the manual. What you are mentioning about TLS is for TLS (http/ssl) security, not for the OCSP responder.

I don't think you should read about the Unid lookup server, because I don't think you will be using that. Unid is a specific Norwegian standard; are you really going to use that?

You should set up the OCSP responder without bothering about SSL/TLS.

You have not set up the OCSP responder completely, you have two errors:

1. 11:09:13,325 ERROR [SigningEntityContainer] No valid keys. Key directory /home/ejbca/ejbca_3_11_0/conf/keys. No P11 defined.

I.e. not _OCSP_ signing keys (forget about tomcat.jks here).

2. 11:09:13,332 ERROR [OCSPServletBase] Unable to find CA certificate by issuer name hash: 6055f04403b0015556e9745444f567d20ec033a5, or even the default responder: CN=Credit Security Limtied Root CA,O=Credit Security Limited,C=GB.

I.e. you don't have this CA certificate in the OCSP database.

Cheers,
Tomas

-----
PrimeKey Solutions offers commercial EJBCA and SignServer support subscriptions and training courses. Please see www.primekey.se or contact in...@pr... for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/

On 12/15/2010 12:15 PM, Damien Boileau wrote:
> Hi,
>
> Under the documentation on www.ejbca.org <http://www.ejbca.org> it
> states that I need to create a certificate for the external ocsp server
> with Key usage: Digital Signature, Key Encipherment, Extended key usage:
> 'TLS server'.
>
> I do not appear to have a TLS Server option within my extended key
> usage. Please can someone tell me what I need to add into
> extendedkeyusage.properties to enable this option.
>
> Once I have created the certificate, do I place the file within (on ocsp
> server) $EJB_HOME/p12 directory (called tomcat.jks) along with the
> truststore.jks (From root ca) and run ant ocsp-deploy. I am getting this
> error message when querying the ocsp on the external VA at present.
>
> Thanks for all your help.
>
> Regards Damien
>
> > s_4_2_3_GA date=200905191306)] Started in 23s:263ms
> > 11:09:12,822 INFO [SigningEntityContainer] No card password specified.
> > 11:09:13,325 WARN [SigningEntityContainer] You have not specified ocsp.p11.p11password at build time. So you need to do a manual activation.
> > 11:09:13,325 ERROR [SigningEntityContainer] No valid keys. Key directory /home/ejbca/ejbca_3_11_0/conf/keys. No P11 defined.
> > 11:09:13,331 INFO [OCSPServletBase] Received OCSP request for certificate with serNo: 3451e68df88d3fc0, and issuerNameHash: 6055f04403b0015556e9745444f567d20ec033a5. Client ip 172.16.9.3.
> > 11:09:13,332 ERROR [OCSPServletBase] Unable to find CA certificate by issuer name hash: 6055f04403b0015556e9745444f567d20ec033a5, or even the default responder: CN=Credit Security Limtied Root CA,O=Credit Security Limited,C=GB.
> > 11:09:13,332 ERROR [OCSPServletBase] Unable to find CA certificate and key to generate OCSP response.
> > 11:09:13,332 ERROR [OCSPServletBase] Error processing OCSP request. Message: Unable to find CA certificate and key to generate OCSP response..
> > javax.servlet.ServletException: Unable to find CA certificate and key to generate OCSP response.
> >     at org.ejbca.ui.web.protocol.OCSPServletBase.serviceOCSP(OCSPServletBase.java:836)
> >     at org.ejbca.ui.web.protocol.OCSPServletBase.doPost(OCSPServletBase.java:348)
> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:710)
> >     at javax.servlet.http.HttpServlet.service(HttpServlet.java:803)
> >     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
> >     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> >     at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
> >     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
> >     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
> >     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:230)
> >     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:175)
> >     at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:182)
> >     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:432)
> >     at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:84)
> >     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
> >     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
> >     at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:157)
> >     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
> >     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:262)
> >     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:844)
> >     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:583)
> >     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:446)
> >     at java.lang.Thread.run(Thread.java:636)
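
Added example, not part of the thread and not EJBCA code: the issuerNameHash in the second error is the SHA-1 digest of the DER-encoded issuer Name, so the responder's lookup is byte-exact. The sketch below assumes the RDN order C, O, CN and the two string types shown; the CA label is hypothetical, and the real hash can only be reproduced from the actual CA certificate's subject bytes.

```python
import hashlib

# X.520 attribute type OIDs (content bytes) for the RDNs in the DN from the log.
OIDS = {"C": bytes.fromhex("550406"), "O": bytes.fromhex("55040a"),
        "CN": bytes.fromhex("550403")}
PRINTABLE_STRING, UTF8_STRING = 0x13, 0x0C

def tlv(tag, body):
    """DER tag-length-value, with long-form length for bodies of 128+ bytes."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def encode_name(rdns, string_tag=UTF8_STRING):
    """DER-encode an X.501 Name from [(type, value), ...] in certificate order.
    countryName is always a PrintableString (RFC 5280)."""
    out = b""
    for attr, value in rdns:
        tag = PRINTABLE_STRING if attr == "C" else string_tag
        atv = tlv(0x30, tlv(0x06, OIDS[attr]) + tlv(tag, value.encode("utf-8")))
        out += tlv(0x31, atv)  # one single-valued RDN (SET OF)
    return tlv(0x30, out)

def issuer_name_hash(name_der):
    """SHA-1 CertID.issuerNameHash: digest of the issuer Name's DER bytes."""
    return hashlib.sha1(name_der).hexdigest()

def find_ca(requested_hash, known_cas):
    """Label of the CA whose subject Name hashes to requested_hash, else None."""
    for label, name_der in known_cas.items():
        if issuer_name_hash(name_der) == requested_hash.lower():
            return label
    return None

# Constructed input: the DN text from the log, assumed order C, O, CN.
ROOT_DN = [("C", "GB"), ("O", "Credit Security Limited"),
           ("CN", "Credit Security Limtied Root CA")]
AS_UTF8 = encode_name(ROOT_DN, UTF8_STRING)
AS_PRINTABLE = encode_name(ROOT_DN, PRINTABLE_STRING)
KNOWN_CAS = {"root-ca (hypothetical label)": AS_UTF8}

if __name__ == "__main__":
    print("UTF8String      ", issuer_name_hash(AS_UTF8))
    print("PrintableString ", issuer_name_hash(AS_PRINTABLE))
    print("lookup:", find_ca(issuer_name_hash(AS_PRINTABLE), KNOWN_CAS))
```

The same displayed DN yields two different hashes depending on the string type, so a responder holding a CA certificate that only looks like the issuer will still report that it cannot find the CA.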