From: Moser B. <B....@co...> - 2023-08-28 07:51:33
Hi Jeremy,

I would recommend using the EJBCA CLI (/opt/ejbca/bin). You need SSH or physical access to your user management PKI machine. The basic commands look like this:

# Set status to NEW, renew user with password
$EjbcaCli ra setendentitystatus $EE_USER 10
$EjbcaCli ra setclearpwd $EE_USER $EE_PASS
$EjbcaCli batch $EE_USER

# Extract certificate hex serial number by Common Name (CN), register the user for a specific role (Administrator)
Serial=$(keytool -list -v -keystore $Keystore -storepass $Password | grep -A 5 CN=$Username | grep "Serial number:" | cut -f3 -d" ")
$EjbcaCli roles addrolemember --caname $CaName --role "$Userrole" --value $Serial --with WITH_SERIALNUMBER --description "$Username $Timestamp"

Here is how we at Commend automated these tasks with two separate scripts.

pki-user-management$ ./ejbca-enrole-cert.sh user password [ECDSA/RSA] [2048/4096/secp384r1]
pki-user-registration$ ./ejbca-register-user-cert.sh user-common-name user-role keystore.p12 password [caname] [dryrun]

#!/bin/bash
# MIT License
# Copyright © 2020 Commend International, author: Benjamin Moser
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom
# the Software is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
# AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
# Script to (re)enrol the EJBCA management user certificate
#
USAGE=$'
Script to (re)enrol the EJBCA management user certificate
requires:
 * conf/batchtool.properties
 * keys.alg=RSA
 * keys.spec=2048
 * ejbca-cli

Usage: ./ejbca-enrole-cert.sh user password [ECDSA/RSA] [2048/4096/secp384r1]
'

if [[ $# -lt 2 ]]; then
  echo "$USAGE"
  exit 1
fi

# Config
EjbcaCli="/opt/ejbca/ejbca/bin/ejbca.sh"
BatchCfg="/opt/ejbca/ejbca/conf/batchtool.properties"
# Random suffix for the backup copy of batchtool.properties
Backup=$(tr -dc '0-9' < /dev/urandom | head -c8)

EE_USER=$1
EE_PASS=$2
EE_KEYALG=$3
EE_KEYSPEC=$4

echo "EJBCA user certificate enrolment ..."

if [[ ! "$EE_USER" =~ ^[a-zA-Z.0-9_-]{4,200}$ ]] || [[ ! "$EE_PASS" =~ ^.{4,64}$ ]]; then
  echo "Error: invalid entity user or password"
  echo "$USAGE"
  exit 1
fi

# Only the values listed in the usage line may reach the sed substitution below
if [[ -n "$EE_KEYALG" ]] && [[ ! "$EE_KEYALG" =~ ^(ECDSA|RSA)$ ]]; then
  echo "Error: invalid key algorithm $EE_KEYALG"
  echo "$USAGE"
  exit 1
fi
if [[ -n "$EE_KEYSPEC" ]] && [[ ! "$EE_KEYSPEC" =~ ^(2048|4096|secp384r1)$ ]]; then
  echo "Error: invalid key spec $EE_KEYSPEC"
  echo "$USAGE"
  exit 1
fi

# Set the end entity back to status NEW (10) so a new certificate can be issued
$EjbcaCli ra setendentitystatus "$EE_USER" 10
retVal=$?
if [ $retVal -ne 0 ]; then
  echo "Error: EJBCA user certificate enrolment failed! Couldn't set entity status!"
  exit 1
fi

$EjbcaCli ra setclearpwd "$EE_USER" "$EE_PASS"
retVal=$?
if [ $retVal -ne 0 ]; then
  echo "Error: EJBCA user certificate enrolment failed! Couldn't set credentials!"
  exit 1
fi

# The batch tool configuration must exist; it is modified in place below and restored afterwards
if [ ! -f "$BatchCfg" ]; then
  echo "Error: EJBCA user certificate enrolment failed! Couldn't find batch file $BatchCfg!"
  exit 1
fi

if [ -n "$EE_KEYALG" ] && [ -n "$EE_KEYSPEC" ]; then
  cp "$BatchCfg" "$BatchCfg.$Backup"
  echo "Batchtool.properties file $BatchCfg.$Backup backup created"
  sed -i "s/^keys.alg=.*$/keys.alg=${EE_KEYALG}/g" "$BatchCfg"
  sed -i "s/^keys.spec=.*$/keys.spec=${EE_KEYSPEC}/g" "$BatchCfg"
  echo "Batchtool.properties file $BatchCfg has been modified successfully"
  cat "$BatchCfg"
fi

# batch command doesn't return an error, but findendentity + grep on the status does
$EjbcaCli batch "$EE_USER"

# restore batch config file
if [ -f "$BatchCfg.$Backup" ]; then
  echo "Batchtool.properties file $BatchCfg.$Backup backup restored"
  cp "$BatchCfg.$Backup" "$BatchCfg"
  cat "$BatchCfg"
fi

# Status 40 = GENERATED: the certificate has been issued
$EjbcaCli ra findendentity --username "$EE_USER" | grep "Status: 40"
retVal=$?
if [ $retVal -ne 0 ]; then
  echo "Error: EJBCA user certificate enrolment failed!"
  exit 1
fi

echo "EJBCA user certificate enrolment done!"

#!/bin/bash
# MIT License
# Copyright © 2020 Commend International, author: Benjamin Moser
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without
# restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom
# the Software is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE
# AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE,
# ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
#
USAGE=$'
Utility to register an EJBCA user certificate to access the CA/RA/VA WebUI
requires:
 * user certificate
 * ejbca-cli
 * keytool
 * config

Usage: ./ejbca-register-user-cert.sh user-common-name user-role keystore.p12 password [caname] [dryrun]
'

# Config
EjbcaCli="/opt/ejbca/ejbca/bin/ejbca.sh"
KeystoreDir="/opt/ejbca/ejbca/p12"
Timestamp=$(date)

Username=$1
Userrole=$2
Keystore=$3
Password=$4
CaName=$5
DryRun=$6

if [[ ! "$Username" =~ ^[a-zA-Z0-9_-]{4,200}$ ]] || [[ ! "$Password" =~ ^.{12,64}$ ]]; then
  echo "Error: invalid user or password"
  echo "$USAGE"
  exit 1
fi

# Keystore is a bare file name inside $KeystoreDir, no path components allowed
if [[ ! "$Keystore" =~ ^[a-zA-Z0-9_-]{4,200}\.(p12|jks)$ ]]; then
  echo "Error: invalid keystore file name"
  echo "$USAGE"
  exit 1
fi
Keystore="$KeystoreDir/$3"
if ! [[ -f "$Keystore" ]]; then
  echo "Error: $Keystore file not found!"
  echo "$USAGE"
  exit 1
fi

# User role may include spaces in its name
if [[ ! "$Userrole" =~ ^([a-zA-Z0-9_-]| ){4,200}$ ]]; then
  echo "Error: invalid user role = $Userrole"
  echo "$USAGE"
  exit 1
fi

if [[ -z "$CaName" ]]; then
  CaName='CommendManagementCA'
fi
if [[ ! "$CaName" =~ ^[a-zA-Z0-9_-]{4,200}$ ]]; then
  echo "Error: invalid ca name"
  echo "$USAGE"
  exit 1
fi

if [[ "$DryRun" == "dryrun" ]]; then
  # override the call to EJBCA: only print the command that would be run
  EjbcaCli="echo run $EjbcaCli"
fi

# Extract certificate hex serial number by Common Name (CN)
Serial=$(keytool -list -v -keystore "$Keystore" -storepass "$Password" | grep -A 5 "CN=$Username" | grep "Serial number:" | cut -f3 -d" ")
if [[ ! "$Serial" =~ ^[a-fA-F0-9]{4,200}$ ]]; then
  echo "Error: invalid serial extracted"
  echo "$USAGE"
  keytool --help
  exit 1
fi

# Register user for a specific role
$EjbcaCli roles addrolemember --caname "$CaName" --role "$Userrole" --value "$Serial" --with WITH_SERIALNUMBER --description "$Username $Timestamp"
retVal=$?
if [ $retVal -ne 0 ]; then
  echo "Error: EJBCA user certificate registration failed!"
  echo "$USAGE"
  $EjbcaCli roles addrolemember --help
  exit 1
fi

echo "EJBCA user certificate registration finished!"
With best regards,
Benjamin Moser
Lead Security Architect and Open Source Software Officer

Commend International GmbH
5020 Salzburg, Saalachstrasse 51
T +43-662-85 62 25
F +43-662-85 62 26
b....@co...
www.commend.com
Security and Communication by Commend
FN 178618z / LG Salzburg

From: Jeremy Hansen via Ejbca-develop <ejb...@li...>
Date: Saturday, 26. August 2023 at 11:32
To: ejb...@li... <ejb...@li...>
Cc: Jeremy Hansen <je...@sk...>
Subject: [External] [Ejbca-develop] ERR_BAD_SSL_CLIENT_AUTH_CERT

It looks like my client certs may have expired for my EJBCA installation. Can anyone point me in the right direction on how to regenerate this without access to the web interface?

Thanks
-jeremy
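The serial extraction step in Benjamin's registration script (keytool -list -v piped through grep -A 5 CN=... and cut) is the fragile part of the procedure: every keystore entry also has an Issuer line with a CN=, so a plain substring grep can match an issuer name as well and return more than one serial, which the script's validation then rejects. The following is an added example, not code from the mailing-list post or from Commend's scripts; it matches only the Owner CN exactly, accepts a single hexadecimal serial, and runs against a constructed keytool listing with made-up names:

```shell
#!/bin/bash
# Added example, not code from the mailing-list post: select the serial of the
# keystore entry whose Owner CN equals the user name exactly, from the text
# `keytool -list -v` prints, and accept only a plain hexadecimal serial.

# extract_serial <username> <keytool listing>
# Prints the hex serial; returns 1 when no entry has that Owner CN or the
# serial is not hexadecimal.
extract_serial() {
  local user="$1" listing="$2" serial
  serial=$(printf '%s\n' "$listing" | awk -v cn="$user" '
    # Only the Owner line names the subject. The Issuer line carries a CN too,
    # which is why "grep -A 5 CN=$Username" can also match the wrong line.
    /^Owner: / {
      hit = 0
      if (match($0, /CN=[^,]*/)) hit = (substr($0, RSTART + 3, RLENGTH - 3) == cn)
      next
    }
    hit && /^Serial number: / { print $3; exit }
  ')
  # Same validation as the script, without the stray "Z" in the character class.
  printf '%s' "$serial" | grep -Eq '^[a-fA-F0-9]{4,200}$' || return 1
  printf '%s\n' "$serial"
}

# Constructed keytool -list -v output (not a real keystore). The second entry's
# issuer CN contains "admin", the substring the original grep would also hit.
SAMPLE_LISTING='Keystore type: PKCS12
Keystore provider: SUN

Alias name: admin
Entry type: PrivateKeyEntry
Owner: CN=admin, O=Example, C=AT
Issuer: CN=ExampleManagementCA, O=Example, C=AT
Serial number: 1f2e3d4c5b6a
Valid from: Mon Jan 01 00:00:00 CET 2024 until: Wed Jan 01 00:00:00 CET 2025

Alias name: backup
Entry type: PrivateKeyEntry
Owner: CN=backup, O=Example, C=AT
Issuer: CN=admin-subca, O=Example, C=AT
Serial number: 0badcafe0102
Valid from: Mon Jan 01 00:00:00 CET 2024 until: Wed Jan 01 00:00:00 CET 2025'

# Stand-alone demo: prints 1f2e3d4c5b6a
extract_serial admin "$SAMPLE_LISTING"
```

The printed value is what the script would pass to roles addrolemember --value together with --with WITH_SERIALNUMBER.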