From: Michael S. <mi...@st...> - 2014-12-09 14:54:38
Michael Postmann wrote:
> Thanks for the suggestion.
>
> However I'm not able to import the CA-Certificate into the truststore.
> The SubCA was created in EJBCA.
>
> I opened the corresponding crypto token and downloaded the public key aliased "defaultKey" and got a file in ".pem" format.
> I transferred this file back to the server and tried to import it using keytool, but only got an error message:
>
> ---SNIP---
> # keytool -import -trustcacerts -file /tmp/defaultKey.pem -keystore p12/truststore.jks -storepass changeit -alias pkiadminuserca
> keytool error: java.lang.Exception: Input not an X.509 certificate
> ---SNAP---

For the browser to present a client cert for selection by the user it has to build the full chain against one of the client cert trust anchors sent by the server.

You can observe what the server sends as client cert CA trust anchors by running

  openssl s_client -connect server.example.com:8443

So you have to:

1. Make sure that truststore.jks contains the root CA needed to validate the client cert.
2. Your browser knows the root CA needed to validate the client cert as trusted and knows the sub CA cert (imported without trust flags).

> I do not have to import the private key of the SubCA into the truststore,
> do I?

truststore.jks should not contain private keys! And tomcat.jks just contains the server's private key.

Ciao, Michael.
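An added example, not part of this thread or of EJBCA: POSIX shell pre-flight checks for the points made above, run offline on saved tool output (the function names, file names and sample outputs are constructed for illustration). It shows why the "defaultKey" download fails keytool import (the file is a PUBLIC KEY block, not a CERTIFICATE), pulls the advertised client-cert CA names out of saved openssl s_client output, and flags a PrivateKeyEntry in a truststore listing.

```shell
#!/bin/sh
# Added example, not from the thread: pre-flight checks for the two problems
# discussed above. "keytool -import -trustcacerts" accepts only X.509
# certificates; the "defaultKey" download from an EJBCA crypto token is a bare
# public key, which is what triggers "Input not an X.509 certificate".
# File names and the sample inputs below are constructed for illustration.

# List the PEM block types in a file (CERTIFICATE, PUBLIC KEY, ...), one per
# line; prints NONE if the file holds no PEM block at all.
pem_block_types() {
  types=$(sed -n 's/^-----BEGIN \(.*\)-----$/\1/p' "$1" | sort -u)
  if [ -n "$types" ]; then printf '%s\n' "$types"; else echo NONE; fi
}

# Return 0 only if the file holds certificates and nothing else, i.e. it is
# something "keytool -import" will accept as a trusted CA certificate.
is_importable_cert() {
  pem_block_types "$1" | grep -q '^CERTIFICATE$' || return 1
  ! pem_block_types "$1" | grep -qv '^CERTIFICATE$'
}

# From saved "openssl s_client -connect host:8443" output, print the DNs the
# server advertises as acceptable client-cert CAs (the chain the browser must
# be able to build). The list ends at the next section header or "---".
client_ca_names() {
  awk '/^Acceptable client certificate CA names/ {f=1; next}
       f && (/^Client Certificate Types/ || /^Requested Signature/ || /^---/) {exit}
       f' "$1"
}

# From saved "keytool -list -keystore truststore.jks" output, return 0 only
# if no PrivateKeyEntry is present: a truststore must hold trustedCertEntry
# items only.
truststore_has_no_private_keys() {
  ! grep -q 'PrivateKeyEntry' "$1"
}

# Demo on constructed inputs (the base64 body is a placeholder).
tmp=$(mktemp -d)
printf -- '-----BEGIN PUBLIC KEY-----\nAAAA\n-----END PUBLIC KEY-----\n' > "$tmp/defaultKey.pem"
printf -- '-----BEGIN CERTIFICATE-----\nAAAA\n-----END CERTIFICATE-----\n' > "$tmp/rootca.pem"
for f in defaultKey.pem rootca.pem; do
  if is_importable_cert "$tmp/$f"; then echo "$f: OK for keytool -import"
  else echo "$f: NOT a certificate ($(pem_block_types "$tmp/$f"))"; fi
done
rm -rf "$tmp"
```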