From: Randy Yu <yu...@ec...> - 2016-01-21 20:36:19
Thanks Tomas. We have renewed the superadmin CA before, but that was when our self-signed CA that was used to sign the superadmin was not expired. What would be the best case to create a superadmin when the CA that signs it is now expired?

-----Original Message-----
From: Tomas Gustavsson [mailto:to...@pr...]
Sent: January-20-16 11:07 AM
To: ejb...@li...
Subject: Re: [Ejbca-develop] Superadmin renewal problem

https://www.ejbca.org/docs/userguide.html#Renewing%20Superadmin

Regards,
Tomas

On 2016-01-20 16:19, Randy Yu wrote:
> I don’t believe you can renew the admin CA via batch. If I’m missing
> something please let me know. Has anyone run into this problem
> before, or is there a way to sign new superadmin users with other CAs
> even though I am unable to access the superadmin UI currently?
>
> From: Ralf Hornik [mailto:rh...@hc...]
> Sent: November-06-15 3:10 PM
> To: ejb...@li...
> Subject: Re: [Ejbca-develop] Superadmin renewal problem
>
> Can't you renew the Admin CA via batch?
>
> Sent from my Windows Phone
>
> ------------------------------------------------------------------------
>
> From: Randy Yu <mailto:yu...@ec...>
> Sent: 06.11.2015 18:00
> To: ejb...@li... <mailto:ejb...@li...>
> Subject: Re: [Ejbca-develop] Superadmin renewal problem
>
> Apologies for bumping this message. Has anyone else encountered this
> combination before? Thanks.
>
> From: Randy Yu [mailto:yu...@ec...]
> Sent: November-02-15 9:30 AM
> To: ejb...@li... <mailto:ejb...@li...>
> Subject: [Ejbca-develop] Superadmin renewal problem
>
> Looking for help on a superadmin renewal issue in EJBCA 4.0.16.
>
> The initial EJBCA CA created in our EJBCA instance is expired, and was
> the CA used to sign the superadmin user. The superadmin user key is
> also expired so I no longer can gain access to the administration
> section of the EJBCA web interface. Trying to reset the superadmin
> password results in the following stack trace. Would the expired
> self-signed CA be the reason for this, and does re-gaining access to the
> administration section require generating a new self-signed CA?
> Thanks in advance for any input.
>
> An error happened, setting status to FAILED.
>
> javax.ejb.EJBException: Signing CA CN=someCA,O=some,C=US is not active.
>     at org.ejbca.core.ejb.ca.sign.RSASignSessionBean.createCertificate(RSASignSessionBean.java:420)
>     at org.ejbca.core.ejb.ca.sign.RSASignSessionBean.createCertificate(RSASignSessionBean.java:214)
>     at org.ejbca.core.ejb.ca.sign.RSASignSessionBean.createCertificate(RSASignSessionBean.java:232)
>     at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>     at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:39)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:597)
>     at org.jboss.aop.joinpoint.MethodInvocation.invokeTarget(MethodInvocation.java:122)
>     at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:111)
>     at org.jboss.ejb3.EJBContainerInvocationWrapper.invokeNext(EJBContainerInvocationWrapper.java:69)
>     at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.invoke(InterceptorSequencer.java:73)
>     at org.jboss.ejb3.interceptors.aop.InterceptorSequencer.aroundInvoke(InterceptorSequencer.java:59)
>     at sun.reflect.GeneratedMethodAccessor377.invoke(Unknown Source)
>     at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:25)
>     at java.lang.reflect.Method.invoke(Method.java:597)
>     at org.jboss.aop.advice.PerJoinpointAdvice.invoke(PerJoinpointAdvice.java:174)
>     at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
>     at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.fillMethod(InvocationContextInterceptor.java:72)
>     at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_fillMethod_7578460.invoke(InvocationContextInterceptor_z_fillMethod_7578460.java)
>     at org.jboss.aop.joinpoint.MethodInvocation.invokeNext(MethodInvocation.java:102)
>     at org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor.setup(InvocationContextInterceptor.java:88)
>     at org.jboss.aop.advice.org.jboss.ejb3.interceptors.aop.InvocationContextInterceptor_z_setup_7578460.invoke(InvocationContex
>
> So it’s stating the self-signed CA is offline. But if I try to either
> activate or deactivate the self-signed CA from command line, it
> doesn’t work.
>
> [root@server]# ./ejbca.sh ca activateca someCA
> Enter authorization code:
>
> CA or CAToken must be offline to be activated.
>
> [root@server]# ./ejbca.sh ca deactivateca someCA
> CA or CAToken must be active to be put offline.
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop