From: <oh...@ya...> - 2019-06-26 11:02:41
Hi,
I ran into this problem AFTER I went through the process of configuring EJBCA to include a new CA's CRLs, so that is why I posted the message below in this thread. But you are probably right that I should make a new thread for this, which I will do after this.
Thanks,
Jim
On Wednesday, June 26, 2019, 4:12:45 AM EDT, Tomas Gustavsson <to...@pr...> wrote:
Hi,
I think this is not related to the subject of this email, right? In that
case could you start a new thread? Otherwise it is likely that some
questions wrapped into the same thread (i.e. wrong subject) will get
lost in the mist :-)
Cheers,
Tomas
On 2019-06-25 22:16, ohaya--- via Ejbca-develop wrote:
> Hi,
>
> I tried adding a new CA/CRL:
>
> - I added the CA cert to EJBCA
> - I tried to import the CRL, and it didn't give any errors, but the CRL was
> not imported.
>
> I checked the logs and see this below. Why isn't it importing the CRL?
>
> 16:08:00,166 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (default
> task-9) 2019-06-25
> 16:08:00-04:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;CN=SuperAdmin;;;;resource0=/ca/598150401
> 16:08:00,178 INFO [org.ejbca.core.ejb.crl.ImportCrlSessionBean] (default
> task-9) CA: CN=SimpleAuthorityCA,OU=simpleou,O=simpleo,C=US
> 16:08:00,181 INFO [org.cesecore.certificates.crl.CrlStoreSessionBean]
> (default task-9) Error retrieving CRL for issuer
> 'CN=SimpleAuthorityCA,OU=simpleou,O=simpleo,C=US' with CRL number 0.
> 16:08:00,181 INFO [org.ejbca.core.ejb.crl.ImportCrlSessionBean] (default
> task-9) Found 1 new entires in full CRL number 3 issued by
> 'CN=SimpleAuthorityCA,OU=simpleou,O=simpleo,C=US' compared to pr
> 16:08:00,183 INFO
> [org.cesecore.certificates.certificate.CertificateStoreSessionBean]
> (default task-9) Adding limited CertificateData entry with
> fingerprint=e0a287931576859f315d32ba0fc629e21ead7c0r=16B902B1B87,
> issuerDn='CN=SimpleAuthorityCA,OU=simpleou,O=simpleo,C=US'
> 16:08:00,183 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (default
> task-9) 2019-06-25
> 16:08:00-04:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;CN=SuperAdmin;;;;resource0=/ca/598150401
> 16:08:00,190 ERROR [org.cesecore.certificates.crl.CrlStoreSessionBean]
> (default task-9) Error storing CRL with CRLNumber=3, issuerDN
> 'CN=SimpleAuthorityCA,OU=simpleou,O=simpleo,C=US'. : java.lang.eption
> at org.cesecore.certificates.crl.CRLData.setNextUpdate(CRLData.java:244)
> at org.cesecore.certificates.crl.CRLData.<init>(CRLData.java:86)
> at
> org.cesecore.certificates.crl.CrlStoreSessionBean.storeCRL(CrlStoreSessionBean.java:84)
> org.cesecore.certificates.crl.CrlStoreSessionLocal$$$view110.storeCRL(Unknown
> Source)
> at
> org.ejbca.core.ejb.crl.ImportCrlSessionBean.importCrl(ImportCrlSessionBean.java:159)
> On Tuesday, June 25, 2019, 2:07:08 PM EDT, <oh...@ya...> wrote:
>
>
> Hi,
>
> FYI, I was able to use Adminweb to create a new CSR and then I issued a
> new signing cert with the OCSPSign purpose and I was then able to import
> into Adminweb, and I was able to test some good and bad requests (see
> below).
>
> I think that we will still need to be able to use a cert/key pair that we
> generated outside of EJBCA (i.e., not create a CSR via Adminweb, etc.),
> so is there a way to do that?
>
>
> BTW, also, I am still not clear on what we need to do incrementally to add
> more CRLs from different CAs. I mean, for example, if there are 10 more
> CAs with CRLs and we want our EJBCA to do the OCSP responding for those,
> what are the steps we need to do to configure EJBCA to do that?
>
>
> Here's the test:
>
> E:\INSTALL-FILES\OPENSSL\OpenSSL-Win64\bin>openssl ocsp -CAfile
> ./rootCA.crt -issuer ./rootCA.crt -serial 0x8486394C03E1F5D9 -req_text
> -url http://192.168.0.28:8080/ejbca/publicweb/status/ocsp
> OCSP Request Data:
> Version: 1 (0x0)
> Requestor List:
> Certificate ID:
> Hash Algorithm: sha1
> Issuer Name Hash: 0C16107310427EA4ADB3C6436915CE44A15FFE55
> Issuer Key Hash: E2533BF85F8C7CA60A411BF5458B2DC3B5232B6E
> Serial Number: 8486394C03E1F5D9
> Request Extensions:
> OCSP Nonce:
> 041061AAC22F8FD77F35FEEA879361B29CD9
> Response verify OK
> 0x8486394C03E1F5D9: WARNING: Status times invalid.
> 388:error:2707307E:OCSP routines:OCSP_check_validity:status not yet
> valid:crypto\ocsp\ocsp_cl.c:320:
> revoked
> This Update: Jun 25 17:56:47 2019 GMT
> Reason: unspecified
> Revocation Time: May 26 12:30:44 2019 GMT
>
>
>
>
> On Tuesday, June 25, 2019, 1:37:30 PM EDT, <oh...@ya...> wrote:
>
>
> Hi,
>
> I am trying to create the Internal Key Binding for the OCSP Responder on
> the EJBCA that I just built.
>
> In the Adminweb, I have created the Internal Key Binding, but now I am
> trying to do the "Import externally issued certificate".
>
> I have the Internal Key Binding that I created in the OVA based system
> previously, and I was hoping that I wouldn't need to issue a new cert
> for this new system, so I was wondering if there is any way to get the
> private key from that OVA based system so that I can do the import into
> the new EJBCA configuration?
>
> Or, is the only way to create a new CSR on the new EJBCA, and then issue
> a new cert?
>
> Thanks,
> Jim
>
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
>
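The "WARNING: Status times invalid ... status not yet valid" line in the openssl ocsp test quoted above comes from OpenSSL's OCSP_check_validity, which rejects a response whose thisUpdate lies more than a skew allowance (300 s by default for `openssl ocsp`) ahead of the client's clock, so it indicates that the client and responder clocks disagree rather than anything about the revocation status itself. The following is an added example, not EJBCA or OpenSSL code, that reimplements that check in Python over the quoted output; the sample lines and the clock values fed to it are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the status lines of the `openssl ocsp` run quoted above (no Next Update line, as there).
SAMPLE_OUTPUT = """\
Response verify OK
revoked
This Update: Jun 25 17:56:47 2019 GMT
Reason: unspecified
Revocation Time: May 26 12:30:44 2019 GMT
"""

def parse_openssl_time(text):
    """Parse OpenSSL's 'Mon DD HH:MM:SS YYYY GMT' text form into an aware UTC datetime."""
    return datetime.strptime(text.strip(), "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def extract_updates(output):
    """Pull thisUpdate and the optional nextUpdate out of `openssl ocsp` text output."""
    this_upd = next_upd = None
    for line in output.splitlines():
        m = re.match(r"\s*(This|Next) Update:\s*(.+)$", line)
        if m and m.group(1) == "This":
            this_upd = parse_openssl_time(m.group(2))
        elif m:
            next_upd = parse_openssl_time(m.group(2))
    return this_upd, next_upd

def check_validity(this_upd, next_upd, now, nsec=300, maxsec=-1):
    """Mirror OpenSSL's OCSP_check_validity and return the complaints it would raise.
    nsec is the tolerated clock skew in seconds (300 is the `openssl ocsp` default);
    maxsec caps the age of thisUpdate, -1 meaning no cap."""
    problems = []
    if this_upd > now + timedelta(seconds=nsec):
        problems.append("status not yet valid")   # thisUpdate ahead of our clock by > nsec
    if maxsec >= 0 and this_upd < now - timedelta(seconds=maxsec):
        problems.append("status expired")         # thisUpdate older than maxsec
    if next_upd is not None:
        if next_upd < now - timedelta(seconds=nsec):
            problems.append("status expired")     # nextUpdate already passed
        if next_upd < this_upd:
            problems.append("nextUpdate before thisUpdate")
    return problems

def diagnose(output, now):
    """Apply the freshness check to captured `openssl ocsp` output against a given clock."""
    this_upd, next_upd = extract_updates(output)
    if this_upd is None:
        return ["no thisUpdate found in output"]
    return check_validity(this_upd, next_upd, now)
```

Running `diagnose(SAMPLE_OUTPUT, parse_openssl_time("Jun 25 17:46:47 2019 GMT"))`, i.e. with a client clock ten minutes behind the responder, reproduces the warning; with the clocks within five minutes of each other the check passes.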