From: Tomas G. <to...@pr...> - 2013-01-10 13:33:47
You need to set up an OCSP responder and simply change the part where the OCSP signer certificate is issued. In the install docs it is issued by a CA in EJBCA; you need to get the OCSP signer certificate issued by your CA.

On 01/10/2013 07:25 AM, M.G.R wrote:
>
> Hi Juan,
>
> What you're saying is
> 1. creating CA using EJBCA GUI and publish the CA
> 2. Create the user certificate under that CA (i.e. user certificate issued by
> the published CA)
>
> and doing the testing. This was working for me also.
>
> But I am asking that I have a CA which is not issued and published by ejbca;
> that CA issued n number of certificates. Whether it is possible to handle this
> by the OCSP Responder of ejbca (i.e. validate the issued user certificate
> which is published by external CA). If possible means how?
>
>
> Juan Caracoche-2 wrote:
>>
>> You are a lucky guy! Yesterday I spent 2 hours reading the installation
>> instructions and in 1 hour I got the OCSP working in the first attempt
>> (weird in the systems world!)
>>
>> I wrote down all the steps to replicate the installation in another
>> environment. Here are the steps done (assuming you have done the JBoss and
>> EJBCA installation properly):
>>
>> ON OCSP NODE 1 and 2
>> ===================
>>
>> 1- DB Creation
>>
>> mysql> create database ejbca;
>> mysql> create user ejbca;
>> mysql> grant all on ejbca.* to 'ejbca'@'%' identified by 'ejbca';
>> mysql> grant all on ejbca.* to 'ejbca'@'localhost' identified by 'ejbca';
>> mysql> flush privileges;
>>
>> 2- Edit Properties files
>>
>> $ cd
>> $ mkdir -p ejbca-custom/conf
>> $ cp ejbca/conf/ejbca.properties.sample ejbca-custom/conf/ejbca.properties
>> $ vi ejbca-custom/conf/ejbca.properties
>>
>> appserver.home=/home/jboss/jboss
>> ejbca.productionmode=ocsp
>>
>> $ cp ejbca/conf/database.properties.sample ejbca-custom/conf/database.properties
>> $ vi ejbca-custom/conf/database.properties
>>
>> datasource.jndi-name=EjbcaDS
>> database.name=mysql
>> database.url=jdbc:mysql://localhost:3306/ejbca
>> database.driver=com.mysql.jdbc.Driver
>> database.username=ejbca
>> database.password=ejbca
>>
>> $ cp ejbca/conf/ocsp.properties.sample ejbca-custom/conf/ocsp.properties
>> $ vi ejbca-custom/conf/ocsp.properties
>>
>> ocsp.defaultresponder=CN=ocsp.example.com,L=Buenos Aires,C=AR
>> ocsp.restrictsignatures=true
>> ocsp.restrictsignaturesbymethod=issuer
>> ocsp.signtrustdir=/home/jboss/ejbca/cas
>> ocsp.signtrustvalidtime=1800
>> ocsp.keys.dir=/home/jboss/ejbca/keys
>> ocsp.keys.storePassword=ejbca
>> ocsp.keys.keyPassword=ejbca
>>
>> $ mkdir /home/jboss/ejbca/keys
>> $ mkdir /home/jboss/ejbca/cas
>>
>> $ cp ejbca/conf/web.properties.sample ejbca-custom/conf/web.properties
>> $ vi ejbca-custom/conf/web.properties
>>
>> httpsserver.hostname=ocsp.buenosaires.gob.ar
>> httpsserver.dn=CN=${httpsserver.hostname},L=Buenos Aires,C=AR
>>
>> 3- Create cert for OCSP
>> a) Create a User Profile (OCSP)
>> - From Admin CA Web Console
>> - Go to Edit End Entity Profiles
>> - Write OCSP in Add Profile edit box and press Add
>> - Select the OCSP from the list and press Edit End Entity Profile
>> - Select OCSPSIGNER on Default Certificate Profile
>> - In Available Certificate Profiles choose OCSPSIGNER
>> - In Available CAs select what you want
>> - In Default Token select P12 file (I will use soft tokens)
>> - In Available Tokens select p12, jks and pem
>> - Save
>> b) Create a user with this new profile
>> - From Admin CA Web Console
>> - Go to Add End Entity
>> - Select OCSP as End Entity
>> - username: ocsp
>> - password: ejbca
>> - CN: ocsp.example.com
>> - Certificate Profile: OCSPSIGNER
>> - Token P12 file
>> - Add
>> c) Generate the cert
>> - From Public CA's web
>> - Create Browser Certificate
>> - login ocsp/ejbca
>> - Select 2048 bits for key length
>> - P12 as token
>> - Gen cert
>>
>> 4- Install the cert in OCSP
>> - Copy the generated cert in /home/jboss/ejbca/keys
>> - Copy CA cert (PEM format) in /home/jboss/ejbca/cas
>>
>> 5- Build
>> $ cd
>> $ cd ejbca
>> $ ant bootstrap
>> # service jboss start
>> $ ant install
>> # service jboss stop
>> $ ant va-deploy
>> # service jboss start
>>
>> IN THE CA
>> =========
>>
>> 1- Config VA-PUBLISHER
>>
>> $ cp ejbca/conf/va-publisher.properties.sample ejbca-custom/conf/va-publisher.properties
>> $ vi ejbca-custom/conf/va-publisher.properties
>>
>> ocsp-datasource.jndi-name=OcspDS
>> ocsp-database.url=jdbc:mysql://ocsp1.example.com:3306/ejbca
>> ocsp-database.driver=com.mysql.jdbc.Driver
>> ocsp-database.username=ejbca
>> ocsp-database.password=ejbca
>>
>> 2- Deploy changes
>>
>> $ ant deploy
>>
>> (If you have more than 1 OCSP)
>>
>> $ cp $JBOSS_HOME/server/default/deploy/ocsp-ds.xml $JBOSS_HOME/server/default/deploy/ocsp2-ds.xml
>> $ vi $JBOSS_HOME/server/default/deploy/ocsp2-ds.xml
>>
>> <jndi-name>Ocsp2DS</jndi-name>
>> <connection-url>jdbc:mysql://ocsp2.example.com:3306/ejbca</connection-url>
>> Added the DS for OCSP-2
>>
>> 3- Create Publisher
>> In the CA you should add as many publishers as OCSP responders you have
>>
>> - From Admin CA Web Console
>> - Go to Edit Publishers
>> - Enter name OCSPX (where X is the OCSP number) and press Add
>> - Select the publisher and press Edit Publisher
>> - Select Publisher Type as Validation Authority Publisher
>> - Select "No direct publishing, only use queue", "Use queue for CRLs",
>> "Use queue for certificates"
>> - Save
>>
>> 4- Attach the publisher with the profiles
>> - From Admin CA Web Console
>> - Edit Certificate Profile
>> - Select your profile
>> - Press Edit
>> - In Publishers select OCSPX (all X)
>> - Save
>>
>> 5- Create/Modify Publishing Service
>> - From Admin CA Web Console
>> - Go to Edit Services
>> - Enter name Re-Publisher
>> - Press Add
>> - Select Republisher and press Edit
>> - Select Publish Queue Process Service
>> - Select all queues
>> - Period: 2 minutes
>> - Check Active
>> - Save
>>
>> DB Migration baseline
>> =====================
>> On CA DB node
>> # mysqldump -p --compress ejbca CertificateData > CertificateData.dat
>> # mysqldump -p --compress ejbca CRLData > CRLData.dat
>>
>> # cat CertificateData.dat | mysql -h ocsp1 -u ejbca -b ejbca -p
>> # cat CRLData.dat | mysql -h ocsp1 -u ejbca -b ejbca -p
>>
>> TEST
>> ====
>> I tested with this command
>>
>> $ openssl ocsp -url http://ocsp1.example.com:8080/ejbca/publicweb/status/ocsp -issuer CA.cacert.pem -cert user.pem
>>
>>
>> 2013/1/9 M.G.R <mg....@ni...>
>>
>>>
>>> while requesting for validating the certificate issued by external CA
>>> using openssl OCSP client shows the following error in the OCSP server side
>>>
>>> ERROR [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1)
>>> Error processing OCSP request. Message: java.lang.RuntimeException:
>>> java.lang.NullPointerException.
>>>
>>> &
>>>
>>> Shows the following error in the client side
>>>
>>> Error querying OCSP responder
>>>
>>> is there any way to trace the problem. please help me.
>>>
>>>
>>> Thanks in advance.
>>>
>>> --
>>> View this message in context:
>>> http://old.nabble.com/Error-in-the-OCSP-Responder-tp34877232p34877232.html
>>> Sent from the EjbCA - Dev mailing list archive at Nabble.com.
>>>
>>> _______________________________________________
>>> Ejbca-develop mailing list
>>> Ejb...@li...
>>> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>>>
>>
>> --
>>
>> Juan Caracoche | Business Developer
>> jua...@re...
>> Mobile: +54.911.4198.8941
>> www.redb.ee
>>
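A small lint for the property files quoted in the steps above, added here as an example and not code from EJBCA or from anyone in this thread. It parses the Java .properties format (including the `${httpsserver.hostname}` reference that web.properties relies on) and flags the sample password `ejbca` that the steps reuse for the database and the signer keystore; the merged sample text is constructed from the values in the thread.

```python
import re
from typing import Dict, List

# Constructed sample: the property values quoted in the thread's steps, merged
# into one text so the settings from the four files can be linted together.
SAMPLE = """\
database.username=ejbca
database.password=ejbca
ocsp.restrictsignatures=true
ocsp.keys.storePassword=ejbca
ocsp.keys.keyPassword=ejbca
httpsserver.hostname=ocsp.buenosaires.gob.ar
httpsserver.dn=CN=${httpsserver.hostname},L=Buenos Aires,C=AR
"""
PASSWORD_KEYS = ("database.password", "ocsp.keys.storePassword", "ocsp.keys.keyPassword")
_REF = re.compile(r"\$\{([^}]+)\}")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties reader: 'key=value' lines, '#'/'!' comments,
    then ${key} references resolved against the same map (web.properties relies on this)."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, _, value = line.partition("=")  # split at the first '='; DN values keep theirs
        props[key.strip()] = value.strip()
    for key in list(props):
        props[key] = _REF.sub(lambda m: props.get(m.group(1), m.group(0)), props[key])
    return props


def lint(props: Dict[str, str]) -> List[str]:
    """One finding per weak or inconsistent setting; an empty list means clean."""
    findings: List[str] = []
    user = props.get("database.username", "")
    for key in PASSWORD_KEYS:
        secret = props.get(key, "")
        if secret and (secret == "ejbca" or secret == user):  # the docs' sample value
            findings.append(f"{key}: sample or username-equal password")
    if props.get("ocsp.restrictsignatures", "").lower() != "true":
        findings.append("ocsp.restrictsignatures: differs from the 'true' used in the steps")
    for key, value in props.items():
        if "${" in value:  # reference to a key that is not defined in the same file set
            findings.append(f"{key}: unresolved reference {value}")
    return findings
```

Run it over the real `ejbca-custom/conf/*.properties` contents before `ant install`; every finding is a value to change away from the steps' defaults.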