In SignServer you will need to first make sure you have set up a crypto worker and configured it to use either a keystore crypto token or a PKCS#11 crypto token where you will have your keys.
Then you can add a TimeStampSigner.
You then need to generate the key-pair that you would like to use and to generate a certificate signing request (CSR) for it to bring to EJBCA.
In EJBCA you will need to make sure you have configured a certificate profile appropriate for time-stamping. From my head, that means you will need to mark the Extended Key Usage (EKU) as 'Critical' and to make sure only 'Time-stamping' is selected.
In the end you will install/import the certificate to your TimeStampSigner.
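The EKU rule in the reply above (critical, with time-stamping as the only purpose, which is also what RFC 3161 requires of a TSA certificate) can be checked on the issued certificate before installing it. This is an added example, not part of the original posts and not SignServer or EJBCA code; the function names and the two sample extensions are constructed for illustration.

```python
# Added example: verify the EKU rule for a time-stamping certificate (DER input).
EKU_OID = bytes.fromhex("551d25")                  # 2.5.29.37 extendedKeyUsage
TIMESTAMPING = bytes.fromhex("2b06010505070308")   # 1.3.6.1.5.5.7.3.8 id-kp-timeStamping
# Constructed samples: a critical, timeStamping-only EKU extension, and a
# non-critical one that lists serverAuth as well as timeStamping.
SAMPLE_OK = bytes.fromhex("30160603551d250101ff040c300a06082b06010505070308")
SAMPLE_BAD = bytes.fromhex(
    "301d0603551d250416301406082b0601050507030106082b06010505070308")


def tlvs(data):
    """Yield (tag, value) for each DER element in data."""
    i = 0
    while i < len(data):
        tag, length = data[i], data[i + 1]
        i += 2
        if length & 0x80:                          # long form: next n bytes hold the length
            n = length & 0x7F
            length = int.from_bytes(data[i:i + n], "big")
            i += n
        yield tag, data[i:i + length]
        i += length


def find_eku(der):
    """Return (critical, [purpose OIDs]) for the EKU extension, or None if absent."""
    for tag, value in tlvs(der):
        if not tag & 0x20:                         # primitive element, nothing nested
            continue
        parts = list(tlvs(value))
        if tag == 0x30 and parts and parts[0] == (0x06, EKU_OID):
            critical = (0x01, b"\xff") in parts    # BOOLEAN TRUE; absent means FALSE
            octets = next(v for t, v in parts if t == 0x04)
            (_, seq), = tlvs(octets)               # SEQUENCE OF KeyPurposeId
            return critical, [v for _, v in tlvs(seq)]
        found = find_eku(value)                    # descend into nested structures
        if found:
            return found
    return None


def is_tsa_cert(der):
    """True only if EKU is critical and id-kp-timeStamping is the sole purpose."""
    return find_eku(der) == (True, [TIMESTAMPING])
```

For a PEM file, convert it first with the standard library's `ssl.PEM_cert_to_DER_cert` and pass the result to `is_tsa_cert`.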
Here are the steps I have done:
1. I have created a cryptotoken in EJBCA (p12 file) and configured it in SignServer.
2. Both the Worker and Token status are active.
Later I have started the default TimeStampSigner.
I have created a CSR in SignServer using openssl.
This CSR I have sent to EJBCA and created a PEM (end entity as mentioned in your earlier post).
This PEM file I have installed in the TimeStampSigner.
After that I am still getting this:
Error: no a signer certificate have been uploaded to this signer.
certificate chain not available.
I have installed EJBCA and SignServer on different machines.
I have used the default configuration of SignServer as mentioned in the docs and it works fine.
I need help in creating new certificates in EJBCA and setting up timestamping in SignServer.
Last edit: Venkatesh Pendlikal 2019-10-09
Hi Venkatesh,
If you use the latest version (5.2.0.Beta1) you can also see these instructions for how to set up workers using the new Administration Web interface:
https://doc.primekey.com/signserver/signserver-operations/worker-setup/quick-start-demo-setup-using-administration-web
Cheers,
Markus
PrimeKey Solutions
Thanks Markus for sharing details. I have signed EJBCA certificate to the timestampserver.
I am getting an error "Certificate chain not available"
Hi Markus.
Here are the steps I have done:
1. I have created a cryptotoken in EJBCA (p12 file) and configured it in SignServer.
2. Both the Worker and Token status are active.
After that I am still getting this:
Error: no a signer certificate have been uploaded to this signer.
certificate chain not available.
Can you pls suggest if I have missed anything?
Last edit: Venkatesh Pendlikal 2019-10-11
If you look at the CryptoToken tab of your CryptoTokenP12 worker can you see that you have a key with alias "jioroad"?
It looks like it is not there with the error message "No key available for purpose: jioroad"
Also if you have made some changes to your CryptoTokenP12 worker you could try to reload your CryptoTokenP12 worker by selecting it and using "Reload" or "Reload from database".
Cheers,
Markus
Hi Markus,
I have created a CryptoTokenP12 of my own. Then I am able to create the worker properly. But I am not getting the default password?
Can you pls let me know how we can get the default password for CryptoTokenP12?
I am using EJBCA to get the crypto token.
Last edit: Venkatesh Pendlikal 2019-11-20
Hi Venkatesh,
Your CryptoTokenP12 points out a keystore file with the KEYSTOREPATH worker property. You will need the password for that keystore file.
Unless it is one of the sample keystores you get with SignServer then I can not know what the password is. If it is one of the sample ones, try with "foo123".
Or if it is a keystore you got from EJBCA then the password would be what you configured your end entity with.
Cheers,
Markus
Hi Markus,
Thanks for the suggestion.
Finally I am able to configure and successfully able to test.
Defaultkey value will be the "CN name".
Hi, please provide me with the steps to follow for the configuration you have made?
Best regards.