From: Nikita B. <nik...@gs...> - 2017-02-09 13:10:49
Hi,
Thanks for the pointers.
I am using EJBCA 6.3.1.1 Community (r21429)
I tried clientToolBox today on this version of EJBCA.
My command looked like:
./ejbcaClientToolBox.sh EjbcaWsRaCli certreq mgmtUser "CN=mgmtUser,C=SE" NULL ICA12 "Client EndEntity Profile" "Client Cert Profile" ./csr.pem PKCS10 PEM NONE .
which generated the mgmtUser.pem certificate file. However, this certificate
did not have the subjectDN overridden. It was the same 'CN=mgmtUser,C=SE' given
in the request and not the one given while creating the CSR.
Again, when trying this same CSR file with the public web call, it returned the
overridden subjectDN in the certificate.
I then tried the DER format for the above request:
./ejbcaClientToolBox.sh EjbcaWsRaCli certreq mgmtUser "CN=mgmtUser,C=SE" NULL ICA12 "Client EndEntity Profile" "Client Cert Profile" ./dercsr.der PKCS10 DER NONE .
However, it returned:
com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Unmarshalling Error: Illegal character ((CTRL-CHAR, code 2))
at [row,col {unknown-source}]: [1,530] Please see the server log to find more detail regarding exact cause of the failure.
org.ejbca.ui.cli.ErrorAdminCommandException: com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Unmarshalling Error: Illegal character ((CTRL-CHAR, code 2))
at [row,col {unknown-source}]: [1,530] Please see the server log to find more detail regarding exact cause of the failure.
    at org.ejbca.core.protocol.ws.client.CertificateRequestCommand.execute(CertificateRequestCommand.java:146)
    at org.ejbca.core.protocol.ws.client.ejbcawsracli.main(ejbcawsracli.java:36)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.ejbca.ui.cli.EjbcaWsRaCli.execute(EjbcaWsRaCli.java:36)
    at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
    at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:66)
Caused by: com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Unmarshalling Error: Illegal character ((CTRL-CHAR, code 2))
at [row,col {unknown-source}]: [1,530] Please see the server log to find more detail regarding exact cause of the failure.
    at com.sun.xml.internal.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:178)
    at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:116)
    at com.sun.xml.internal.ws.client.sei.StubHandler.readResponse(StubHandler.java:238)
    at com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(DatabindingImpl.java:189)
    at com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(DatabindingImpl.java:276)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:104)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:77)
    at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:147)
    at com.sun.proxy.$Proxy32.certificateRequest(Unknown Source)
    at org.ejbca.core.protocol.ws.client.CertificateRequestCommand.execute(CertificateRequestCommand.java:111)
    ... 8 more
I did make sure that the CSR generated is in proper DER format. However, I
will look into it more.
Regards,
Nikita Bedmutha
Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/> | LinkedIn <http://www.linkedin.com/in/nikitabedmutha>
On Thu, Feb 9, 2017 at 2:46 PM, Tomas Gustavsson <to...@pr...> wrote:
>
> What version of EJBCA are you using btw?
>
> I'm using this WS command:
>
> ./ejbcaClientToolBox.sh EjbcaWsRaCli certreq req9
> "CN=req9,O=Edited,C=SE" NULL ManagementCA User Client ./p10.der PKCS10
> DER NONE .
>
> My CSR has subjectDN:
> C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=req9
>
> If I have enabled "Allow Subject DN Override by CSR" in the Certificate
> Profile "Client", my issued certificate gets the DN from the p10.
>
> If you try using clientToolBox first, then you will know if/how the
> feature works, and then you can try to translate it to SOAP-UI (you can
> even debug log the full soap messages).
>
> Regards,
> Tomas
> ---
> RSA Conference 2017
> ------------------------------------------------------------------
> San Francisco | February 13-17 | Moscone Center
> Come visit us in booth #627 at RSA Conference 2017!
>
> Want a free expo pass?
> Go to https://www.rsaconference.com/events/us17/register
> and use the code: XE7PRMKEY
>
> On 2017-02-08 14:35, Nikita Bedmutha wrote:
> > Serious apologies for sending incomplete data. Well, I observed the
> > Debug logs for both the calls, call from web service and call from
> > public web. Here are my observations:
> >
> > 1. For the pkcs10Request webservice call through SOAP UI, the INFO log
> > has an entry:
> > CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=AdminUser,O=My
> > Organization,C=SE;-759363256;;user1;subjectdn=CN=user1,OU=
> > GSL,C=IN;requestX500name=null;certprofile=1681037015;
> > keyusage=-1;notbefore=;notafter=;sequence=;publickey=
> > MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZi
> > j4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzP
> > ylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/
> > 4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+
> > Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhK
> > bVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyE
> > GY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB
> >
> > where, requestX500name=null
> >
> > 2. For public web 'Create Certificate from CSR' call:
> > CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;RequestInstance:
> > 123.252.222.122;-759363256;;user1;subjectdn=CN=user1,OU=
> > GSL,C=IN;requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK;
> > certprofile=1681037015;keyusage=-1;notbefore=;
> > notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ
> > 8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6Tdqdu
> > A0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqT
> > u6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/
> > g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9W
> > CXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVY
> > uo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB
> >
> > where, requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK
> >
> > Both the calls use same CSR, also same certificate profile is being used
> > in both cases and the public key extracted from CSR also looks same.
> >
> > However, in case of public web call we see a log statement, 'Using
> > X509Name from request instead of user's registered.' which is missing in
> > webservice call log and only 'Using subjectDN: CN=user1,OU=GSL,C=IN' can
> > be seen.
> > I suspect this could be because requestX500name is null in case of
> > webservice call.
> >
> > However, we are using the same CSR and so this behaviour is a bit confusing.
> > If this info can help. Thanks.
> >
> > Regards,
> > Nikita Bedmutha
> > On Wed, Feb 8, 2017 at 3:21 PM, Tomas Gustavsson <to...@pr...> wrote:
> >
> >
> > I can only re-iterate here:
> >
> > ---
> > Debug logging will show in detail all decisions regarding override or not
> > that it takes during certificate issuance.
> > ---
> >
> > For more information about logging, how to configure debug etc, see
> > https://www.ejbca.org/docs/adminguide.html#Logging
> >
> > /Tomas
> >
> > On 2017-02-08 10:10, Nikita Bedmutha wrote:
> > > Hi,
> > >
> > > I know this must be a very basic requirement, to get the certificate
> > > with subject DN overridden. But I have tried my best with all settings
> > > and have no clue what's going wrong.
> > > I have a user 'user1' which is created with a 'Client endentity profile'
> > > which uses default cert profile as 'Client Cert Profile'. This
> > > certificate profile has 'Allow subject DN override by CSR' and 'Allow
> > > subject DN override by End Entity Information' checked. In the case
> > > where both are checked, documentation says that DN will be
> > > overridden by CSR.
> > >
> > > Now I make this SOAP call for pkcs10Request:
> > > Body:
> > > <soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
> > > xmlns:ws="http://ws.protocol.core.ejbca.org/">
> > > <soapenv:Header/>
> > > <soapenv:Body>
> > > <ws:pkcs10Request>
> > > <!--Optional:-->
> > > <arg0>user1</arg0>
> > > <!--Optional:-->
> > > <arg1>password</arg1>
> > > <!--Optional:-->
> > > <arg2>-----BEGIN CERTIFICATE REQUEST-----
> > > MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCT08xCzAJBgNVBAgMAktLMQswCQYDVQQH
> > > DAJQUDELMAkGA1UECgwCSkoxCzAJBgNVBAsMAkxMMQswCQYDVQQDDAJLSzCCASIw
> > > DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOvNjuie1L0SwkomYo+L7NIJLOHQ
> > > nfc2T40eJPFGwek3anbgNFrLedFX0MFgW8k2JQM6CF14xa88z8pSaecsr46yJIhF
> > > Cn+440zN3ecRy6k7umotmuYMtqGc7Hl2Y+S/+GSNo+UHR1QMkD30iU15S7FVEII0
> > > 2O9y74yaMZgP4PCIeiGSxngybMY4p3TQEXHmnPg4Or8my2OcYZDIQ6Jr4opZjsPB
> > > fJvVgl746KseurPG7dRXD+U+4eicDU6JISm1btpa/RqdAZhNvVSyyEvScyF72jFW
> > > LqNnrVdDibSPcSZpEXnwotsy4MCLMhBmNEAmNkWOTia5wv+0wVWIo1NLum8CAwEA
> > > AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB9KtGBwZA7W+haj6OUXsj83qTKLv+o3cjk
> > > RPDqVYIRaRQqcacf5z9TXLH1+gQ63Q1RZzG6U9t4TnhzitVQxa2nSk0k/mNTrecp
> > > 1G+pqRg1eQ91Yq/fbAg5gOc4tHXcNwGJ/WvbMJYmQ1OOHgzxn1IYM1yEz6ZqgsEC
> > > EtiGlRlfEBO4TAdHcf/HVgOWXVsCP+QF7/ibk8q6BYbGZGpzSZ/ZLSDtauKxpP8z
> > > ++VLGGTuIO4CMLuqDzhHtmnGD0EzwdKf8koeLfAXSj5AjfWUrVJA1P7xoZfUJrg/
> > > fLK3lnrKOP6K5CG1HyCvJt4c8NFqgdH22LMtWJ113QKgPtGZzWAu
> > > -----END CERTIFICATE REQUEST-----</arg2>
> > > <!--Optional:-->
> > > <arg3></arg3>
> > > <!--Optional:-->
> > > <arg4>CERTIFICATE</arg4>
> > > </ws:pkcs10Request>
> > > </soapenv:Body>
> > > </soapenv:Envelope>
> > >
> > >
> > > I even made the call without '-----BEGIN CERTIFICATE REQUEST-----' and
> > > '-----END CERTIFICATE REQUEST-----' but no success.
> > > In both cases, the certificate generated still uses the subject DN which
> > > was used while creating the user. I tried this webservice call using
> > > SOAP-UI as well as eclipse code. Only when the call is made using public
> > > web 'Create certificate from CSR' or cli command, the subject DN is
> > > overridden. For some reason I am unable to achieve it through the web service
> > > call. Kindly guide me if I am doing anything wrong here.
> > >
> > >
> > >
> > > Regards,
> > > Nikita Bedmutha
> > >
> > >
> > > On Fri, Feb 3, 2017 at 5:35 AM, Tomas Gustavsson <to...@pr...> wrote:
> > >
> > >
> > > It is very common to do this using WS, so there is probably something
> > > wrong with your call. Are you using the correct certificate profile in
> > > your WS call?
> > >
> > > Debug logging will show in detail all decisions regarding override or not
> > > that it takes during certificate issuance.
> > >
> > > Regards,
> > > Tomas
> > >
> > > On 2017-02-02 04:44, Nikita Bedmutha wrote:
> > > > Sorry for spamming, but just correcting the query:
> > > >
> > > > I want to make a certificate request which uses the subject DN from CSR
> > > > and not the registered end entity subject DN. I am using the
> > > > certificate profile which has 'Allow subject DN override by CSR'
> > > > checked. However the web service requests 'pkcs10Request' as well as
> > > > 'certificateRequest' do not return certificates with subject DN
> > > > overridden by the CSR but use the registered DN only.
> > > >
> > > > On the other hand, using the same CSR, the public web call 'Create
> > > > Certificate from CSR' as well as the 'createcert' CLI command generates
> > > > a certificate which has the subject DN overridden by the CSR.
> > > >
> > > > Your inputs would really be very helpful.
> > > > Thanks.
> > > >
> > > > Regards,
> > > > Nikita Bedmutha
> > > >
> > > >
> > > >
> > > > On Wed, Feb 1, 2017 at 4:50 PM, Nikita Bedmutha <nik...@gs...> wrote:
> > > >
> > > > Hi,
> > > >
> > > > I have a user (end-entity) created using a certificate profile which
> > > > has 'Allow Subject DN override' checked. This end-entity is
> > > > registered with Token as User Generated.
> > > > When I use the 'Create Certificate from CSR' option on public web, I get
> > > > the certificate with the subject DN used while creating the CSR and
> > > > not the registered DN.
> > > > Now I want to achieve the same using a web service call. I tried the
> > > > 'certificateRequest' and 'pkcs10' request with the same CSR that I
> > > > used in the previous Public web call. But in the web service call case,
> > > > I get the certificate with the registered DN and not overridden by the CSR.
> > > >
> > > > Kindly guide me how to achieve this.
> > > >
> > > > Thanks and Regards,
> > > > Nikita
> > > >
> > > >
> > > >
> > > >
> > > >
> > > > ------------------------------------------------------------------------------
> > > > Check out the vibrant tech community on one of the world's most
> > > > engaging tech sites, SlashDot.org! http://sdm.link/slashdot
> > > >
> > > > _______________________________________________
> > > > Ejbca-develop mailing list
> > > > Ejb...@li...
> > > > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
> > > >
> > >
>
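As an added example (not code from this thread or from EJBCA), here is a small Python check for the two things the thread turns on: which subject DN a PKCS#10 CSR actually carries (the value EJBCA's log prints as requestX500name) and whether the CSR bytes can sit in a SOAP string field at all. It embeds the CSR posted above; the link drawn between raw DER and the "CTRL-CHAR, code 2" fault is my reading of that error, not something the thread confirms, and effective_subject encodes only the override rule the thread describes.

```python
import base64
import re

# CSR posted in the thread (its subject is what the public-web log printed as requestX500name)
CSR_PEM = """-----BEGIN CERTIFICATE REQUEST-----
MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCT08xCzAJBgNVBAgMAktLMQswCQYDVQQHDAJQUDELMAkGA1UECgwCSkoxCzAJBgNVBAsMAkxMMQswCQYDVQQDDAJLSzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOvNjuie1L0SwkomYo+L7NIJLOHQnfc2T40eJPFGwek3anbgNFrLedFX0MFgW8k2JQM6CF14xa88z8pSaecsr46yJIhF
Cn+440zN3ecRy6k7umotmuYMtqGc7Hl2Y+S/+GSNo+UHR1QMkD30iU15S7FVEII02O9y74yaMZgP4PCIeiGSxngybMY4p3TQEXHmnPg4Or8my2OcYZDIQ6Jr4opZjsPB
fJvVgl746KseurPG7dRXD+U+4eicDU6JISm1btpa/RqdAZhNvVSyyEvScyF72jFWLqNnrVdDibSPcSZpEXnwotsy4MCLMhBmNEAmNkWOTia5wv+0wVWIo1NLum8CAwEA
AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB9KtGBwZA7W+haj6OUXsj83qTKLv+o3cjkRPDqVYIRaRQqcacf5z9TXLH1+gQ63Q1RZzG6U9t4TnhzitVQxa2nSk0k/mNTrecp
1G+pqRg1eQ91Yq/fbAg5gOc4tHXcNwGJ/WvbMJYmQ1OOHgzxn1IYM1yEz6ZqgsECEtiGlRlfEBO4TAdHcf/HVgOWXVsCP+QF7/ibk8q6BYbGZGpzSZ/ZLSDtauKxpP8z
++VLGGTuIO4CMLuqDzhHtmnGD0EzwdKf8koeLfAXSj5AjfWUrVJA1P7xoZfUJrg/fLK3lnrKOP6K5CG1HyCvJt4c8NFqgdH22LMtWJ113QKgPtGZzWAu
-----END CERTIFICATE REQUEST-----"""

# Attribute type OIDs under 2.5.4 (id-at) for the RDNs that appear in this CSR
OID_NAMES = {b"\x55\x04\x06": "C", b"\x55\x04\x08": "ST", b"\x55\x04\x07": "L",
             b"\x55\x04\x0a": "O", b"\x55\x04\x0b": "OU", b"\x55\x04\x03": "CN"}

def _tlv(buf, pos):
    """Decode one DER TLV at pos -> (tag, value, next_pos); handles long-form lengths."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def csr_to_der(csr):
    """PEM text (str or bytes) or raw DER bytes -> DER bytes."""
    csr = csr.encode() if isinstance(csr, str) else csr
    if not csr.lstrip().startswith(b"-----BEGIN"):
        return csr                          # already DER
    return base64.b64decode(b"".join(re.sub(rb"-----[^-]*-----", b"", csr).split()))

def xml_string_safe(data):
    """True if every byte may sit in an XML 1.0 text node (no control chars but tab/LF/CR).
    Raw DER fails (its 3rd byte here is 0x02, the 'CTRL-CHAR, code 2' the server rejected)."""
    return all(b >= 0x20 or b in b"\t\n\r" for b in data)

def csr_subject(csr):
    """Subject DN of a PKCS#10 CSR (PEM or DER) in the order EJBCA logs requestX500name."""
    _, info, _ = _tlv(_tlv(csr_to_der(csr), 0)[1], 0)   # CertificationRequestInfo
    _, name, _ = _tlv(info, _tlv(info, 0)[2])           # skip version, take subject Name
    parts, pos = [], 0
    while pos < len(name):                              # Name ::= SEQUENCE OF RDN
        _, rdn, pos = _tlv(name, pos)                   # RDN ::= SET OF AttributeTypeAndValue
        _, atv, _ = _tlv(rdn, 0)
        _, oid, p = _tlv(atv, 0)                        # AttributeType OID, then the value
        parts.append(f"{OID_NAMES.get(oid, oid.hex())}={_tlv(atv, p)[1].decode()}")
    return ",".join(parts)

def effective_subject(registered_dn, csr, allow_override_by_csr):
    """DN the CA should issue per the thread: the CSR subject only when the certificate
    profile allows 'Subject DN override by CSR', otherwise the registered end-entity DN."""
    return (allow_override_by_csr and csr_subject(csr)) or registered_dn
```

Running csr_subject on the CSR above yields C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK, the same string the public-web log entry shows, so the CSR itself is not the difference between the two calls.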