From: Tomas G. <to...@pr...> - 2019-06-26 08:12:13
Hi,

I think this is not related to the subject of this email, right? In that case could you start a new thread, otherwise it is likely that some questions wrapped into the same thread (i.e. wrong subject) will get lost in the mist :-)

Cheers,
Tomas

On 2019-06-25 22:16, ohaya--- via Ejbca-develop wrote:
> Hi,
>
> I tried adding a new CA/CRL:
>
> - I added the CA cert to EJBCA
> - I tried to import the CRL and didn't give any errors, but the CRL was
> not imported.
>
> I checked the logs and see this below. Why isn't it importing the CRL?
>
> 16:08:00,166 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (default
> task-9) 2019-06-25
> 16:08:00-04:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;CN=SuperAdmin;;;;resource0=/ca/598150401
> 16:08:00,178 INFO [org.ejbca.core.ejb.crl.ImportCrlSessionBean] (default
> task-9) CA: CN=SimpleAuthorityCA,OU=simpleou,O=simpleo,C=US
> 16:08:00,181 INFO [org.cesecore.certificates.crl.CrlStoreSessionBean]
> (default task-9) Error retrieving CRL for issuer
> 'CN=SimpleAuthorityCA,OU=simpleou,O=simpleo,C=US' with CRL number 0.
> 16:08:00,181 INFO [org.ejbca.core.ejb.crl.ImportCrlSessionBean] (default
> task-9) Found 1 new entires in full CRL number 3 issued by
> 'CN=SimpleAuthorityCA,OU=simpleou,O=simpleo,C=US' compared to pr
> 16:08:00,183 INFO
> [org.cesecore.certificates.certificate.CertificateStoreSessionBean]
> (default task-9) Adding limited CertificateData entry with
> fingerprint=e0a287931576859f315d32ba0fc629e21ead7c0r=16B902B1B87,
> issuerDn='CN=SimpleAuthorityCA,OU=simpleou,O=simpleo,C=US'
> 16:08:00,183 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (default
> task-9) 2019-06-25
> 16:08:00-04:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;CN=SuperAdmin;;;;resource0=/ca/598150401
> 16:08:00,190 ERROR [org.cesecore.certificates.crl.CrlStoreSessionBean]
> (default task-9) Error storing CRL with CRLNumber=3, issuerDN
> 'CN=SimpleAuthorityCA,OU=simpleou,O=simpleo,C=US'.
> : java.lang.eption
> at org.cesecore.certificates.crl.CRLData.setNextUpdate(CRLData.java:244)
> at org.cesecore.certificates.crl.CRLData.<init>(CRLData.java:86)
> at
> org.cesecore.certificates.crl.CrlStoreSessionBean.storeCRL(CrlStoreSessionBean.java:84)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
> org.jboss.as.ee.component.ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptor.java:52)
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at
> org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
> at
> org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.doMethodInterception(Jsr299BindingsInterceptor.java:90)
> at
> org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.processInvocation(Jsr299BindingsInterceptor.java:101)
> at
> org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:63)
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at
> org.jboss.as.ejb3.component.invocationmetrics.ExecutionTimeInterceptor.processInvocation(ExecutionTimeInterceptor.java:43)
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at
> org.jboss.as.jpa.interceptor.SBInvocationInterceptor.processInvocation(SBInvocationInterceptor.java:47)
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at
> org.jboss.as.ee.concurrent.ConcurrentContextInterceptor.processInvocation(ConcurrentContextInterceptor.java:45)
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at
> org.jboss.invocation.InitialInterceptor.processInvocation(InitialInterceptor.java:40)
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at
> org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
> at
> org.jboss.as.ee.component.interceptors.ComponentDispatcherInterceptor.processInvocation(ComponentDispatcherInterceptor.java:52)
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at
> org.jboss.as.ejb3.component.pool.PooledInstanceInterceptor.processInvocation(PooledInstanceInterceptor.java:51)
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at
> org.jboss.as.ejb3.component.interceptors.AdditionalSetupInterceptor.processInvocation(AdditionalSetupInterceptor.java:54)
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at
> org.jboss.as.ejb3.tx.CMTTxInterceptor.invokeInCallerTx(CMTTxInterceptor.java:185)
> at org.jboss.as.ejb3.tx.CMTTxInterceptor.required(CMTTxInterceptor.java:364)
> at
> org.jboss.as.ejb3.tx.CMTTxInterceptor.processInvocation(CMTTxInterceptor.java:144)
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at
> org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
> at
> org.jboss.weld.module.ejb.AbstractEJBRequestScopeActivationInterceptor.aroundInvoke(AbstractEJBRequestScopeActivationInterceptor.java:72)
> at
> org.jboss.as.weld.ejb.EjbRequestScopeActivationInterceptor.processInvocation(EjbRequestScopeActivationInterceptor.java:89)
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at
> org.jboss.as.ejb3.component.interceptors.CurrentInvocationContextInterceptor.processInvocation(CurrentInvocationContextInterceptor.java:41)
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at
> org.jboss.as.ejb3.component.invocationmetrics.WaitTimeInterceptor.processInvocation(WaitTimeInterceptor.java:47)
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at
> org.jboss.as.ejb3.security.SecurityContextInterceptor.processInvocation(SecurityContextInterceptor.java:100)
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at
> org.jboss.as.ejb3.deployment.processors.StartupAwaitInterceptor.processInvocation(StartupAwaitInterceptor.java:22)
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at
> org.jboss.as.ejb3.component.interceptors.ShutDownInterceptorFactory$1.processInvocation(ShutDownInterceptorFactory.java:64)
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at
> org.jboss.as.ejb3.component.interceptors.LoggingInterceptor.processInvocation(LoggingInterceptor.java:67)
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at
> org.jboss.as.ee.component.NamespaceContextInterceptor.processInvocation(NamespaceContextInterceptor.java:50)
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at
> org.jboss.invocation.ContextClassLoaderInterceptor.processInvocation(ContextClassLoaderInterceptor.java:60)
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at org.jboss.invocation.InterceptorContext.run(InterceptorContext.java:438)
> at
> org.wildfly.security.manager.WildFlySecurityManager.doChecked(WildFlySecurityManager.java:619)
> at
> org.jboss.invocation.AccessCheckingInterceptor.processInvocation(AccessCheckingInterceptor.java:57)
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at
> org.jboss.invocation.ChainedInterceptor.processInvocation(ChainedInterceptor.java:53)
> at org.jboss.as.ee.component.ViewService$View.invoke(ViewService.java:198)
> at
> org.jboss.as.ee.component.ViewDescription$1.processInvocation(ViewDescription.java:185)
> at
> org.jboss.as.ee.component.ProxyInvocationHandler.invoke(ProxyInvocationHandler.java:81)
> at
> org.cesecore.certificates.crl.CrlStoreSessionLocal$$$view110.storeCRL(Unknown
> Source)
> at
> org.ejbca.core.ejb.crl.ImportCrlSessionBean.importCrl(ImportCrlSessionBean.java:159)
> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
> at
> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
> at
> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
> at java.lang.reflect.Method.invoke(Method.java:498)
> at
> org.jboss.as.ee.component.ManagedReferenceMethodInterceptor.processInvocation(ManagedReferenceMethodInterceptor.java:52)
> at
> org.jboss.invocation.InterceptorContext.proceed(InterceptorContext.java:422)
> at
> org.jboss.invocation.InterceptorContext$Invocation.proceed(InterceptorContext.java:509)
> at
> org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.doMethodInterception(Jsr299BindingsInterceptor.java:90)
> at
> org.jboss.as.weld.interceptors.Jsr299BindingsInterceptor.processInvocation(Jsr299BindingsInterceptor.java:101)
> at
> org.jboss.as.ee.component.interceptors.UserInterceptorFactory$1.processInvocation(UserInterceptorFactory.java:63)
> at org.jboss.invocation.InterceptorContext.pro
>
> W
> On Tuesday, June 25, 2019, 2:07:08 PM EDT, <oh...@ya...> wrote:
>
>
> Hi,
>
> FYI, I was able to use Adminweb to create a new CSR and then I issued a
> new signing cert with the OCSPSign purpose and I was then able to import
> into Adminweb, and I was able to test some good and bad requests (see
> below).
>
> I think that we will still need to be able use a cert/key pair that we
> generated outside of EJBCA (i.e., not create a CSR via Adminweb, etc.),
> so is there a way to do that?
>
>
> BTW, also, I am still not clear what we need to do incrementally to add
> more CRLs from different CAs? I mean for example, if there are 10 more
> CAs with CRLs and we want our EJBCA to do the OCSP responding for those,
> what are the steps we need to do to configure EJBCA to do that?
>
>
> Here's the test:
>
> E:\INSTALL-FILES\OPENSSL\OpenSSL-Win64\bin>openssl ocsp -CAfile
> ./rootCA.crt -issuer ./rootCA.crt -serial 0x8486394C03E1F5D9 -req_text
> -url http://192.168.0.28:8080/ejbca/publicweb/status/ocsp
> OCSP Request Data:
> Version: 1 (0x0)
> Requestor List:
> Certificate ID:
> Hash Algorithm: sha1
> Issuer Name Hash: 0C16107310427EA4ADB3C6436915CE44A15FFE55
> Issuer Key Hash: E2533BF85F8C7CA60A411BF5458B2DC3B5232B6E
> Serial Number: 8486394C03E1F5D9
> Request Extensions:
> OCSP Nonce:
> 041061AAC22F8FD77F35FEEA879361B29CD9
> Response verify OK
> 0x8486394C03E1F5D9: WARNING: Status times invalid.
> 388:error:2707307E:OCSP routines:OCSP_check_validity:status not yet
> valid:crypto\ocsp\ocsp_cl.c:320:
> revoked
> This Update: Jun 25 17:56:47 2019 GMT
> Reason: unspecified
> Revocation Time: May 26 12:30:44 2019 GMT
>
>
>
>
> On Tuesday, June 25, 2019, 1:37:30 PM EDT, <oh...@ya...> wrote:
>
>
> Hi,
>
> I am trying to create the Internal Key Binding for the OCSP Responder on
> the EJBCA that I just built.
>
> In the Adminweb, I have created the Internal Key Binding, but now I am
> trying to do the "Import externally issued certificate".
>
> I have the Internal Key Binding that I created in the OVA based system
> previously, and I was hoping that I wouldn't need to issue a new cert
> for this new system, so I was wondering if there is any way to get the
> private key from that OVA based system so that I can do the import into
> the new EJBCA configuration?
>
> Or, is the only way to create a new CSR on the new EJBCA, and then issue
> a new cert?
>
> Thanks,
> Jim
>
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop