From: <oh...@ya...> - 2019-06-25 18:07:04
Hi,
FYI, I was able to use Adminweb to create a new CSR and then I issued a new signing cert with the OCSPSign purpose and I was then able to import into Adminweb, and I was able to test some good and bad requests (see below).
I think that we will still need to be able to use a cert/key pair that we generated outside of EJBCA (i.e., not create a CSR via Adminweb, etc.), so is there a way to do that?
BTW, also, I am still not clear what we need to do incrementally to add more CRLs from different CAs? I mean for example, if there are 10 more CAs with CRLs and we want our EJBCA to do the OCSP responding for those, what are the steps we need to do to configure EJBCA to do that?
Here's the test:
E:\INSTALL-FILES\OPENSSL\OpenSSL-Win64\bin>openssl ocsp -CAfile ./rootCA.crt -issuer ./rootCA.crt -serial 0x8486394C03E1F5D9 -req_text -url http://192.168.0.28:8080/ejbca/publicweb/status/ocsp
OCSP Request Data:
    Version: 1 (0x0)
    Requestor List:
        Certificate ID:
          Hash Algorithm: sha1
          Issuer Name Hash: 0C16107310427EA4ADB3C6436915CE44A15FFE55
          Issuer Key Hash: E2533BF85F8C7CA60A411BF5458B2DC3B5232B6E
          Serial Number: 8486394C03E1F5D9
    Request Extensions:
        OCSP Nonce:
            041061AAC22F8FD77F35FEEA879361B29CD9
Response verify OK
0x8486394C03E1F5D9: WARNING: Status times invalid.
388:error:2707307E:OCSP routines:OCSP_check_validity:status not yet valid:crypto\ocsp\ocsp_cl.c:320:
revoked
    This Update: Jun 25 17:56:47 2019 GMT
    Reason: unspecified
    Revocation Time: May 26 12:30:44 2019 GMT
On Tuesday, June 25, 2019, 1:37:30 PM EDT, <oh...@ya...> wrote:
Hi,
I am trying to create the Internal Key Binding for the OCSP Responder on the EJBCA that I just built.
In the Adminweb, I have created the Internal Key Binding, but now I am trying to do the "Import externally issued certificate".
I have the Internal Key Binding that I created in the OVA based system previously, and I was hoping that I wouldn't need to issue a new cert for this new system, so I was wondering if there is any way to get the private key from that OVA based system so that I can do the import into the new EJBCA configuration?
Or, is the only way to create a new CSR on the new EJBCA, and then issue a new cert?
Thanks,
Jim