From: Tomas G. <to...@pr...> - 2013-02-20 16:06:39
You have probably inserted the certificates wrongly in the database. There is no signing certificate and key picked up for that CA. A debug log, during startup, will tell you very much what the responder is picking up.

The VA publisher is working if you configure it correctly. You need to add it as a "CRL Publisher" in "Edit Certificate Authorities", I think this is what it says in the installation guide. Also the certificate profile used to issue the responder certificate needs a VA publisher (the same) configured in "Edit Certificate Profiles".

Cheers,
Tomas

** VISIT US AT RSA EXPO - BOOTH #459 **
**** FREE EXPO PASS CODE: FXE13PKS ****
https://ae.rsaconference.com/US13/portal/login.ww
**********
PrimeKey Solutions AB
Anderstorpsvägen 16, 171 54 Solna, Sweden
Mob: +46 (0)707421096
Internet: www.primekey.se
Twitter: twitter.com/primekeyPKI
**********

On 02/20/2013 07:43 AM, M.G.R wrote:
>
> I have set up the External OCSP Responder by using the OCSP Installation
> guide, but while publish using the Publisher Type -> Validation Authority
> Publisher with ocsp database is not updating. So I have manually inserted
> the CA certificate and user certificate issued by that CA.
> Then, I have requested for the OCSP Response using openssl ocsp client. It
> shows the following error.
>
> Please give any solution for this issue.
>
> Input Error:
>
> $ openssl ocsp -issuer AdminCA1.pem -cert ramesh.pem -url http://10.163.14.120:8080/ejbca/publicweb/status/ocsp -respout resp.der -no_cert_verify
> Error querying OCSP responsder
>
> Output Error:
>
> 2013-02-20 10:30:13,674 INFO [org.ejbca.core.protocol.ocsp.standalonesession.SigningEntityContainer] (http-0.0.0.0-8080-1) No card password specified.
> 2013-02-20 10:30:14,175 WARN [org.ejbca.core.protocol.ocsp.standalonesession.SigningEntityContainer] (http-0.0.0.0-8080-1) You have not specified ocsp.p11.p11password at build time. So you need to do a manual activation.
> 2013-02-20 10:30:14,175 ERROR [org.ejbca.core.protocol.ocsp.standalonesession.SigningEntityContainer] (http-0.0.0.0-8080-1) No valid keys. Key directory /home/otc/ejbca/jboss-5.1.0.GA/bin/keys. No P11 defined.
> 2013-02-20 10:30:14,175 INFO [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1) Received OCSP request for certificate with serNo: 33f74ee237b19e46, and issuerNameHash: 4145f8a5ccf07e01ebf1d22d40a1e29392b1e02e. Client ip 10.163.14.120.
> 2013-02-20 10:30:14,186 INFO [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1) Adding status information (good) for certificate with serial '33f74ee237b19e46' from issuer 'CN=AdminCA1,O=EJBCA Sample,C=SE'.
> 2013-02-20 10:30:24,188 ERROR [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1) Error processing OCSP request. Message: No ocsp signing key for caid -1688117755.
> org.ejbca.core.model.ca.caadmin.extendedcaservices.ExtendedCAServiceNotActiveException: No ocsp signing key for caid -1688117755
>     at org.ejbca.core.protocol.ocsp.standalonesession.StandAloneSession.extendedService(StandAloneSession.java:390)
>     at org.ejbca.ui.web.protocol.OCSPServletStandAlone.extendedService(OCSPServletStandAlone.java:131)
>     at org.ejbca.ui.web.protocol.OCSPServletBase.signOCSPResponse(OCSPServletBase.java:228)
>     at org.ejbca.ui.web.protocol.OCSPServletBase.serviceOCSP(OCSPServletBase.java:934)
>     at org.ejbca.ui.web.protocol.OCSPServletBase.doPost(OCSPServletBase.java:380)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
>     at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
>     at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
>     at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
>     at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
>     at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
>     at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
>     at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
>     at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
>     at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
>     at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
>     at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
>     at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
>     at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
>     at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
>     at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
>     at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
>     at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
>     at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
>     at java.lang.Thread.run(Thread.java:679)
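
Added example (not part of the original thread and not EJBCA code): a log triage script for the responder log format quoted above, which separates "certificate status was found in the database" from "no signing key was loaded for that CA", the distinction the reply draws. The function name `triage` and the report field names are assumptions made for this illustration.

```python
import re

# Constructed sample: log entries taken from the quoted message, each rejoined onto one line.
SAMPLE_LOG = """\
2013-02-20 10:30:14,175 ERROR [org.ejbca.core.protocol.ocsp.standalonesession.SigningEntityContainer] (http-0.0.0.0-8080-1) No valid keys. Key directory /home/otc/ejbca/jboss-5.1.0.GA/bin/keys. No P11 defined.
2013-02-20 10:30:14,175 INFO [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1) Received OCSP request for certificate with serNo: 33f74ee237b19e46, and issuerNameHash: 4145f8a5ccf07e01ebf1d22d40a1e29392b1e02e. Client ip 10.163.14.120.
2013-02-20 10:30:14,186 INFO [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1) Adding status information (good) for certificate with serial '33f74ee237b19e46' from issuer 'CN=AdminCA1,O=EJBCA Sample,C=SE'.
2013-02-20 10:30:24,188 ERROR [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1) Error processing OCSP request. Message: No ocsp signing key for caid -1688117755.
"""

LINE = re.compile(r"^(\S+ \S+) +(\w+) +\[([^\]]+)\] \(([^)]+)\) (.*)$")
NO_KEYS = re.compile(r"No valid keys\. Key directory (\S+)\.(?: (No P11 defined\.))?")
STATUS = re.compile(r"Adding status information \((\w+)\) for certificate with serial "
                    r"'([0-9a-fA-F]+)' from issuer '([^']+)'")
NO_SIGN = re.compile(r"No ocsp signing key for caid (-?\d+)")

def triage(log_text):
    """Correlate events per worker thread and explain each failed OCSP request."""
    report = {"key_dirs_without_keys": set(), "p11_missing": False, "failures": []}
    last_status = {}  # thread -> (status, serial, issuer DN) of the request in progress
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue  # stack-trace frames and wrapped fragments carry no new event
        _ts, level, _logger, thread, msg = m.groups()
        if (k := NO_KEYS.search(msg)):
            report["key_dirs_without_keys"].add(k.group(1))
            report["p11_missing"] |= bool(k.group(2))
        elif (s := STATUS.search(msg)):
            last_status[thread] = s.groups()
        elif level == "ERROR" and (f := NO_SIGN.search(msg)):
            status, serial, issuer = last_status.pop(thread, (None, None, None))
            report["failures"].append({
                "caid": int(f.group(1)), "serial": serial, "issuer": issuer,
                "status_from_db": status,
                # A status line on the same thread means the certificate row was found;
                # what failed afterwards is signing the response.
                "db_lookup_ok": status is not None,
                "cause": "no OCSP signing key/certificate loaded for this CA",
            })
    return report

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```
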