From: M.G.R <mg....@ni...> - 2013-01-10 06:26:02

Hi Juan,

What you're saying is:

1. Create a CA using the EJBCA GUI and publish the CA.
2. Create the user certificate under that CA (i.e. a user certificate issued by the published CA) and do the testing.

This was working for me also. But I am asking about a CA which is not issued and published by EJBCA; that CA has issued n number of certificates. Is it possible to handle this with the OCSP responder of EJBCA (i.e. validate an issued user certificate which is published by an external CA)? If possible, how?

Juan Caracoche-2 wrote:
> You are a lucky guy! Yesterday I spent 2 hours reading the installation
> instructions and in 1 hour I got the OCSP working in the first attempt
> (weird in the systems world!)
>
> I wrote down all the steps to replicate the installation in another
> environment. Here are the steps done (assuming you have done the JBoss and
> EJBCA installation properly):
>
> ON OCSP NODE 1 and 2
> ===================
>
> 1- DB Creation
>
> mysql> create database ejbca;
> mysql> create user ejbca;
> mysql> grant all on ejbca.* to 'ejbca'@'%' identified by 'ejbca';
> mysql> grant all on ejbca.* to 'ejbca'@'localhost' identified by 'ejbca';
> mysql> flush privileges;
>
> 2- Edit Properties files
>
> $ cd
> $ mkdir -p ejbca-custom/conf
> $ cp ejbca/conf/ejbca.properties.sample ejbca-custom/conf/ejbca.properties
> $ vi ejbca-custom/conf/ejbca.properties
>
> appserver.home=/home/jboss/jboss
> ejbca.productionmode=ocsp
>
> $ cp ejbca/conf/database.properties.sample ejbca-custom/conf/database.properties
> $ vi ejbca-custom/conf/database.properties
>
> datasource.jndi-name=EjbcaDS
> database.name=mysql
> database.url=jdbc:mysql://localhost:3306/ejbca
> database.driver=com.mysql.jdbc.Driver
> database.username=ejbca
> database.password=ejbca
>
> $ cp ejbca/conf/ocsp.properties.sample ejbca-custom/conf/ocsp.properties
> $ vi ejbca-custom/conf/ocsp.properties
>
> ocsp.defaultresponder=CN=ocsp.example.com,L=Buenos Aires,C=AR
> ocsp.restrictsignatures=true
> ocsp.restrictsignaturesbymethod=issuer
> ocsp.signtrustdir=/home/jboss/ejbca/cas
> ocsp.signtrustvalidtime=1800
> ocsp.keys.dir=/home/jboss/ejbca/keys
> ocsp.keys.storePassword=ejbca
> ocsp.keys.keyPassword=ejbca
>
> $ mkdir /home/jboss/ejbca/keys
> $ mkdir /home/jboss/ejbca/cas
>
> $ cp ejbca/conf/web.properties.sample ejbca-custom/conf/web.properties
> $ vi ejbca-custom/conf/web.properties
>
> httpsserver.hostname=ocsp.buenosaires.gob.ar
> httpsserver.dn=CN=${httpsserver.hostname},L=Buenos Aires,C=AR
>
> 3- Create cert for OCSP
> a) Create a User Profile (OCSP)
> - From Admin CA Web Console
> - Go to Edit End Entity Profiles
> - Write OCSP in the Add Profile edit box and press Add
> - Select OCSP from the list and press Edit End Entity Profile
> - Select OCSPSIGNER as Default Certificate Profile
> - In Available Certificate Profiles choose OCSPSIGNER
> - In Available CAs select what you want
> - In Default Token select P12 file (I will use soft tokens)
> - In Available Tokens select p12, jks and pem
> - Save
> b) Create a user with this new profile
> - From Admin CA Web Console
> - Go to Add End Entity
> - Select OCSP as End Entity
> - username: ocsp
> - password: ejbca
> - CN: ocsp.example.com
> - Certificate Profile: OCSPSIGNER
> - Token: P12 file
> - Add
> c) Generate the cert
> - From the Public CA's web
> - Create Browser Certificate
> - login ocsp/ejbca
> - Select 2048 bits for key length
> - P12 as token
> - Gen cert
>
> 4- Install the cert in OCSP
> - Copy the generated cert into /home/jboss/ejbca/keys
> - Copy the CA cert (PEM format) into /home/jboss/ejbca/cas
>
> 5- Build
> $ cd
> $ cd ejbca
> $ ant bootstrap
> # service jboss start
> $ ant install
> # service jboss stop
> $ ant va-deploy
> # service jboss start
>
> IN THE CA
> =========
>
> 1- Config VA-PUBLISHER
>
> $ cp ejbca/conf/va-publisher.properties.sample ejbca-custom/conf/va-publisher.properties
> $ vi ejbca-custom/conf/va-publisher.properties
>
> ocsp-datasource.jndi-name=OcspDS
> ocsp-database.url=jdbc:mysql://ocsp1.example.com:3306/ejbca
> ocsp-database.driver=com.mysql.jdbc.Driver
> ocsp-database.username=ejbca
> ocsp-database.password=ejbca
>
> 2- Deploy changes
>
> $ ant deploy
>
> (If you have more than 1 OCSP)
>
> $ cp $JBOSS_HOME/server/default/deploy/ocsp-ds.xml $JBOSS_HOME/server/default/deploy/ocsp2-ds.xml
> $ vi $JBOSS_HOME/server/default/deploy/ocsp2-ds.xml
>
> <jndi-name>Ocsp2DS</jndi-name>
> <connection-url>jdbc:mysql://ocsp2.example.com:3306/ejbca</connection-url>
>
> Added the DS for OCSP-2
>
> 3- Create Publisher
> In the CA you should add as many publishers as OCSP responders you have
>
> - From Admin CA Web Console
> - Go to Edit Publishers
> - Enter name OCSPX (where X is the OCSP number) and press Add
> - Select the publisher and press Edit Publisher
> - Select Publisher Type as Validation Authority Publisher
> - Select "No direct publishing, only use queue", "Use queue for CRLs",
>   "Use queue for certificates"
> - Save
>
> 4- Attach the publisher to the profiles
> - From Admin CA Web Console
> - Edit Certificate Profile
> - Select your profile
> - Press Edit
> - In Publishers select OCSPX (all X)
> - Save
>
> 5- Create/Modify Publishing Service
> - From Admin CA Web Console
> - Go to Edit Services
> - Enter name Re-Publisher
> - Press Add
> - Select Republisher and press Edit
> - Select Publish Queue Process Service
> - Select all queues
> - Period: 2 minutes
> - Check Active
> - Save
>
> DB Migration baseline
> ================
> On CA DB node
> # mysqldump -p --compress ejbca CertificateData > CertificateData.dat
> # mysqldump -p --compress ejbca CRLData > CRLData.dat
>
> # cat CertificateData.dat | mysql -h ocsp1 -u ejbca -b ejbca -p
> # cat CRLData.dat | mysql -h ocsp1 -u ejbca -b ejbca -p
>
> TEST
> ====
> I tested with this command
>
> $ openssl ocsp -url http://ocsp1.example.com:8080/ejbca/publicweb/status/ocsp -issuer CA.cacert.pem -cert user.pem
>
>
> 2013/1/9 M.G.R <mg....@ni...>
>
>> While requesting validation of the certificate issued by an external CA
>> using the openssl OCSP client, the following error shows on the OCSP server side:
>>
>> ERROR [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1)
>> Error processing OCSP request. Message: java.lang.RuntimeException:
>> java.lang.NullPointerException.
>>
>> &
>>
>> The following error shows on the client side:
>>
>> Error querying OCSP responder
>>
>> Is there any way to trace the problem? Please help me.
>>
>> Thanks in advance.
>>
>> --
>> View this message in context:
>> http://old.nabble.com/Error-in-the-OCSP-Responder-tp34877232p34877232.html
>> Sent from the EjbCA - Dev mailing list archive at Nabble.com.
>>
>> _______________________________________________
>> Ejbca-develop mailing list
>> Ejb...@li...
>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>
> --
>
> Juan Caracoche | Business Developer
> jua...@re...
> Mobile: +54.911.4198.8941
> www.redb.ee

--
View this message in context: http://old.nabble.com/Error-in-the-OCSP-Responder-tp34877232p34881530.html
Sent from the EjbCA - Dev mailing list archive at Nabble.com.
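The question in this thread (a certificate from a CA the responder does not know, a NullPointerException on the server and "Error querying OCSP responder" on the client) comes down to how an OCSP request identifies its issuer: the request carries only a hash of the issuer name and a hash of the issuer key (the CertID), so a responder can answer only if a CA with exactly that subject and key is loaded in its trust directory (the cas directory / ocsp.signtrustdir in Juan's steps) and its certificate data has been published. The script below is an added example, not code from this thread, from EJBCA or from openssl's documentation. It assumes only an openssl binary in PATH; it constructs a throwaway CA, an unrelated "external" CA and a leaf certificate in a temp directory, builds the same request `openssl ocsp -url ... -issuer ... -cert ...` would send, and shows the two checks worth running before blaming the responder: does the -issuer file really issue the leaf, and does the responder's CA directory contain a CA matching the request's CertID. The `ocsp_query` wrapper is the thread's test command plus `-CAfile` so the responder's signature is verified; it is not exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread or EJBCA): offline OCSP request diagnostics.
# Everything under $WORK is constructed here; nothing is fetched from a network.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal OpenSSL config so the example does not depend on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
[dn]
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF

# make_ca SUBJECT CERT KEY: self-signed CA certificate (constructed test data).
make_ca() {
  openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 2 \
    -subj "$1" -keyout "$3" -out "$2" 2>/dev/null
}

# Build the test PKI: "Test CA" issues user.pem; "Other CA" plays the external CA
# that is not loaded in the responder. Two CA directories model the responder's
# cas directory with and without the real issuer.
make_test_pki() {
  make_ca "/CN=Test CA/C=AR" "$WORK/ca.pem" "$WORK/ca.key"
  make_ca "/CN=Other CA/C=AR" "$WORK/other.pem" "$WORK/other.key"
  openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
    -subj "/CN=user" -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/user.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/user.pem" 2>/dev/null
  mkdir -p "$WORK/cas-without-ca" "$WORK/cas-with-ca"
  cp "$WORK/other.pem" "$WORK/cas-without-ca/"
  cp "$WORK/other.pem" "$WORK/ca.pem" "$WORK/cas-with-ca/"
}

# build_request ISSUER LEAF OUT: the DER request `openssl ocsp -url` would send.
build_request() {
  openssl ocsp -issuer "$1" -cert "$2" -reqout "$3" 2>/dev/null
}

# certid_hashes REQ: print "ISSUERNAMEHASH ISSUERKEYHASH" from a DER request.
# These two values are all a responder has to locate the issuing CA.
certid_hashes() {
  openssl ocsp -reqin "$1" -text 2>/dev/null |
    awk '/Issuer Name Hash:/ {n=$NF} /Issuer Key Hash:/ {k=$NF} END {print n, k}'
}

# ca_hashes CA: the hashes a responder computes for a CA it has loaded.
# A CertID for the CA against itself yields hash(subject) and hash(public key).
ca_hashes() {
  build_request "$1" "$1" "$WORK/self.req"
  certid_hashes "$WORK/self.req"
}

# responder_knows_issuer REQ CADIR: 0 if some PEM in CADIR matches the CertID.
# This is the lookup that fails for a certificate from an unknown external CA.
responder_knows_issuer() {
  want=$(certid_hashes "$1")
  for ca in "$2"/*.pem; do
    [ "$(ca_hashes "$ca")" = "$want" ] && return 0
  done
  return 1
}

# issuer_matches LEAF CA: 0 if CA is really the issuer of LEAF (same DN and the
# signature verifies). A wrong -issuer file produces a CertID nobody can answer.
issuer_matches() {
  leaf_issuer=$(openssl x509 -in "$1" -noout -issuer)
  ca_subject=$(openssl x509 -in "$2" -noout -subject)
  [ "${leaf_issuer#issuer=}" = "${ca_subject#subject=}" ] || return 1
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# ocsp_query ISSUER LEAF URL: the thread's test command, with the responder's
# signature verified against the CA (-CAfile) and the response printed.
ocsp_query() {
  openssl ocsp -url "$3" -issuer "$1" -cert "$2" -CAfile "$1" -resp_text
}

make_test_pki
build_request "$WORK/ca.pem" "$WORK/user.pem" "$WORK/user.req"
```

Run against a live responder as `ocsp_query CA.cacert.pem user.pem http://ocsp1.example.com:8080/ejbca/publicweb/status/ocsp` (the URL from Juan's test). If `issuer_matches` fails, the -issuer file is wrong and no responder can answer; if `responder_knows_issuer` fails against a copy of the responder's cas directory, the external CA's certificate has to be added there (and its CertificateData published to the responder's database) before the responder can look the certificate up.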