From: Tomas G. <to...@pr...> - 2019-06-26 09:10:01
On 2019-06-25 20:07, ohaya--- via Ejbca-develop wrote:
> Hi,
>
> FYI, I was able to use Adminweb to create a new CSR and then I issued a
> new signing cert with the OCSPSign purpose and I was then able to import
> into Adminweb, and I was able to test some good and bad requests (see
> below).
>
> I think that we will still need to be able to use a cert/key pair that we
> generated outside of EJBCA (i.e., not create a CSR via Adminweb, etc.),
> so is there a way to do that?

I do not understand what you mean by this. If you want the OCSP Key Binding in EJBCA to generate the key, why would the CSR come from outside of EJBCA?
You can always issue certificates to CSRs with EJBCA...if you have a CSR...

> BTW, also, I am still not clear what we need to do incrementally to add
> more CRLs from different CAs? I mean for example, if there are 10 more
> CAs with CRLs and we want our EJBCA to do the OCSP responding for those,
> what are the steps we need to do to configure EJBCA to do that?

There is a service called "CRL Downloader" under Services that can be used to automate import/update of CRLs. It is documented among the "Services".

>
>
> Here's the test:
>
> E:\INSTALL-FILES\OPENSSL\OpenSSL-Win64\bin>openssl ocsp -CAfile
> ./rootCA.crt -issuer ./rootCA.crt -serial 0x8486394C03E1F5D9 -req_text
> -url http://192.168.0.28:8080/ejbca/publicweb/status/ocsp
> OCSP Request Data:
> Version: 1 (0x0)
> Requestor List:
> Certificate ID:
> Hash Algorithm: sha1
> Issuer Name Hash: 0C16107310427EA4ADB3C6436915CE44A15FFE55
> Issuer Key Hash: E2533BF85F8C7CA60A411BF5458B2DC3B5232B6E
> Serial Number: 8486394C03E1F5D9
> Request Extensions:
> OCSP Nonce:
> 041061AAC22F8FD77F35FEEA879361B29CD9
> Response verify OK
> 0x8486394C03E1F5D9: WARNING: Status times invalid.
> 388:error:2707307E:OCSP routines:OCSP_check_validity:status not yet
> valid:crypto\ocsp\ocsp_cl.c:320:
> revoked
> This Update: Jun 25 17:56:47 2019 GMT
> Reason: unspecified
> Revocation Time: May 26 12:30:44 2019 GMT
>
>
>
>
> On Tuesday, June 25, 2019, 1:37:30 PM EDT, <oh...@ya...> wrote:
>
>
> Hi,
>
> I am trying to create the Internal Key Binding for the OCSP Responder on
> the EJBCA that I just built.
>
> In the Adminweb, I have created the Internal Key Binding, but now I am
> trying to do the "Import externally issued certificate".
>
> I have the Internal Key Binding that I created in the OVA based system
> previously, and I was hoping that I wouldn't need to issue a new cert
> for this new system, so I was wondering if there is any way to get the
> private key from that OVA based system so that I can do the import into
> the new EJBCA configuration?
>
> Or, is the only way to create a new CSR on the new EJBCA, and then issue
> a new cert?
>
> Thanks,
> Jim