https://download.primekey.se/public/ejbcav6ce-vm.zip
EJBCA CE v6.2.0
v4.3.24 r98716 can import the OVF.
ERROR: Can only connect from localhost via https://ejbca:8443/ejbca. Connecting from another host results in ssl_error_bad_cert_alert.
FIX:
According to /home/ejbca/ejbca_ce_6_2_0/conf/web.properties.sample:
The private port JBoss listens to https on is 8443, client cert required
https://ejbca:8443/ejbca/
https://ejbca:8443/ejbca/adminweb/
The public port JBoss listens to http on is 8080 (no SSL, no client cert)
http://ejbca:8080/ejbca/
http://ejbca:8080/ejbca/adminweb/ (Authorization failed, requires client certificate)
The public port JBoss listens to https on is 8442, no client cert required
https://ejbca:8442/ejbca/
https://ejbca:8442/ejbca/adminweb/ (Authorization failed, requires client certificate)
Admin Web always requires a client cert.
Public Web can be reached over http (8080) or https (8442).
CMP - Admin Guide
http://ejbca.org/docs/adminguide.html#CMP
Build cmpclient as described here:
http://mkl-note.blogspot.tw/2015/03/cmpforopenssl.html
In ./cmpforopenssl-code/src/openssl/apps
- Get CA cert (ManagementCA.pem)
[EJBCA public Web] -> [Fetch CA certificates] -> [CA certificate: Download as PEM]
cp ~/Downloads/ManagementCA.pem .
Or, (not sure if this link works for all)
wget -O ManagementCA.pem "http://ejbca:8080/ejbca/publicweb/webdist/certdist?cmd=cacert&issuer=CN%3dManagementCA%2cO%3dEJBCA+Sample%2cC%3dSE&level=0"
- Prepare environment for openssl
mkdir -p ../../../ssl; ln -s ../src/openssl/apps/openssl.cnf ssl
CMP for OpenSSL - Admin Guide
http://ejbca.org/docs/adminguide.html#CMP%20for%20OpenSSL
RA mode
- Generate private key
openssl genrsa -out key1.pem 2048
- Passed
$ ./openssl cmp -cmd ir -server localhost:8080 -path ejbca/publicweb/cmp/opensslra -srvcert ManagementCA.pem -user NewUser -pass password -certout clcert1.pem -newkey key1.pem -keyfmt PEM -certfmt PEM -subject "/CN=NewUser/O=My Organization/C=SE"
Using configuration from /home/ejbca/prj/cmpforopenssl-code/src/../ssl/openssl.cnf
INFO: Sending Initialization Request
SUCCESS: validating protection of incoming message
INFO: Sending Certificate Confirm
SUCCESS: validating protection of incoming message
saving certificate to 'clcert1.pem'...
Client mode, HMAC password authentication
- Generate private key
openssl genrsa -out key2.pem 2048
- Passed
$ ./openssl cmp -cmd ir -server localhost:8080 -path ejbca/publicweb/cmp/opensslclient -srvcert ManagementCA.pem -user user1 -pass password -certout clcert2.pem -newkey key2.pem -keyfmt PEM -certfmt PEM -subject "/CN=user1/O=My Organization/C=SE"
Using configuration from /home/ejbca/prj/cmpforopenssl-code/src/../ssl/openssl.cnf
INFO: Sending Initialization Request
SUCCESS: validating protection of incoming message
INFO: Sending Certificate Confirm
SUCCESS: validating protection of incoming message
saving certificate to 'clcert2.pem'...
- Generate private key
openssl genrsa -out key3.pem 2048
- Failed
$ ./openssl cmp -cmd ir -server localhost:8080 -path ejbca/publicweb/cmp/openssleec -srvcert ManagementCA.pem -cert clcert2.pem -key key2.pem -certout clcert3.pem -newkey key3.pem -keyfmt PEM -certfmt PEM -subject "/CN=user1/O=My Organization/C=SE"
Using configuration from /home/ejbca/prj/cmpforopenssl-code/src/../ssl/openssl.cnf
INFO: Sending Initialization Request
140361658017440:error:3209608B:CMP routines:CMP_doInitialRequestSeq:pkibody error:cmp_ses.c:381:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: badRequest: Got request with status GENERATED (40), NEW, FAILED or INPROCESS required: user1."
$ bin/ejbca.sh ra setclearpwd user1 password
SETTING: --username as user1
SETTING: --password as password
Setting clear text password for user user1
$ bin/ejbca.sh ra setendentitystatus user1 10
SETTING: --username as user1
SETTING: -S as 10
New status for end entity user1 is 10
- Passed
$ ./openssl cmp -cmd ir -server localhost:8080 -path ejbca/publicweb/cmp/openssleec -srvcert ManagementCA.pem -cert clcert2.pem -key key2.pem -certout clcert3.pem -newkey key3.pem -keyfmt PEM -certfmt PEM -subject "/CN=user1/O=My Organization/C=SE"
Using configuration from /home/ejbca/prj/cmpforopenssl-code/src/../ssl/openssl.cnf
INFO: Sending Initialization Request
SUCCESS: validating protection of incoming message
INFO: Sending Certificate Confirm
SUCCESS: validating protection of incoming message
saving certificate to 'clcert3.pem'...
Client mode, Vendor certificate authentication
Not tested, for it's EJBCA Enterprise only
Using Key Update Request instead of Initial Request
RA - Failed
openssl cmp -cmd kur -server $SERVER:8080 -path ejbca/publicweb/cmp/opensslra -srvcert $CACERT -user NewUser -pass password -cert $MYCERT -key $MYKEY -certout ${MYCERT}1 -newkey $MYKEY -keyfmt PEM -certfmt PEM -subject "/CN=NewUser/O=My Organization/C=SE"
WARNING: can't open config file: /home/prj/cmpforopenssl-code/src/../ssl/openssl.cnf
Using configuration from /home/prj/cmpforopenssl-code/src/../ssl/openssl.cnf
error loading the config file '/home/prj/cmpforopenssl-code/src/../ssl/openssl.cnf'
INFO: Sending Key Update Request
3075856008:error:3209708B:CMP routines:CMP_doKeyUpdateRequestSeq:pkibody error:cmp_ses.c:724:bodytype= 23, error="PKIStatus: rejection, PKIFailureInfo: badRequest: EndEnityCertificate authentication module is not configured. For a KeyUpdate request to be authentication in RA mode, EndEntityCertificate authentication module has to be set and config
openssl cmp -cmd kur -server 192.168.110.120:8080 -srvcert /etc/ipsec.d/cacerts/cacert.pem -cert /etc/ipsec.d/certs/mycert.pem.old -key /etc/ipsec.d/private/mykey.pem -certout /etc/ipsec.d/certs/mycert.pem -newkey /etc/ipsec.d/private/mykey.pem -keyfmt PEM -certfmt PEM -subject "/CN=NewUser/O=My Organization/C=SE" -user NewUser -pass password -path ejbca/publicweb/cmp/opensslra
Using configuration from /usr/openssl.cnf
INFO: Sending Key Update Request
1099268871952:error:3209708B:CMP routines:CMP_doKeyUpdateRequestSeq:pkibody error:cmp_ses.c:714:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: badRequest: 'CN=NewUser,O=My Organization,C=SE' is not an authorized administrator."
Verifications in EndEntityCertificate Authentication Module: Omit
openssl cmp -cmd kur -server 192.168.110.120:8080 -srvcert /etc/ipsec.d/cacerts/cacert.pem -cert /etc/ipsec.d/certs/mycert.pem.old -key /etc/ipsec.d/private/mykey.pem -certout /etc/ipsec.d/certs/mycert.pem -newkey /etc/ipsec.d/private/mykey.pem -keyfmt PEM -certfmt PEM -subject "/CN=NewUser/O=My Organization/C=SE" -user NewUser -pass password -path ejbca/publicweb/cmp/opensslra
Using configuration from /usr/openssl.cnf
INFO: Sending Key Update Request
1099117520656:error:3209708B:CMP routines:CMP_doKeyUpdateRequestSeq:pkibody error:cmp_ses.c:714:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: badRequest: Omitting some verifications can only be accepted in RA mode and when the CMP request has already been authenticated, for example, through the use of NestedMessageContent"
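Added example, not part of the original notes or of the cmpforopenssl project: a small Python parser for the openssl cmp error lines quoted above. It splits the OpenSSL error-queue fields (function, source file and line) from the server's PKIStatus/PKIFailureInfo text, names the PKIBody tag (bodytype=23 is the error body in the PKIBody CHOICE of RFC 4210), and flags a message that was cut off before its closing quote, as the KUR rejection about the EndEntityCertificate module is here. The sample lines are the four rejections recorded in these notes; the function and field names are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# PKIBody CHOICE tags from RFC 4210 section 5.1.2. The "bodytype=23" printed in
# every rejection above is the error PKIBody (ErrorMsgContent) sent by the CA.
PKIBODY_TYPES = {
    0: "ir", 1: "ip", 2: "cr", 3: "cp", 4: "p10cr", 5: "popdecc", 6: "popdecr",
    7: "kur", 8: "kup", 9: "krr", 10: "krp", 11: "rr", 12: "rp", 13: "ccr",
    14: "ccp", 15: "ckuann", 16: "cann", 17: "rann", 18: "crlann",
    19: "pkiconf", 20: "nested", 21: "genm", 22: "genp", 23: "error",
    24: "certConf", 25: "pollReq", 26: "pollRep",
}

# OpenSSL error-queue line as printed by the cmpforopenssl build:
#   <pid>:error:<code>:<library>:<function>:<reason>:<file>:<line>:<extra data>
_ERR_LINE = re.compile(
    r"^(?P<pid>\d+):error:(?P<code>[0-9A-Fa-f]+):(?P<lib>[^:]+):(?P<func>[^:]+):"
    r"(?P<reason>[^:]+):(?P<file>[^:]+):(?P<fline>\d+):(?P<data>.*)$"
)
_BODYTYPE = re.compile(r"bodytype=\s*(\d+)")          # tolerates "bodytype= 23"
_SERVER_ERR = re.compile(
    r'error="PKIStatus:\s*(?P<status>\w+),\s*PKIFailureInfo:\s*(?P<fail>\w+):\s*(?P<msg>.*)'
)

# The four rejections recorded in the notes above (copied from that output).
SAMPLE_LINES = [
    '140361658017440:error:3209608B:CMP routines:CMP_doInitialRequestSeq:pkibody error:cmp_ses.c:381:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: badRequest: Got request with status GENERATED (40), NEW, FAILED or INPROCESS required: user1."',
    '3075856008:error:3209708B:CMP routines:CMP_doKeyUpdateRequestSeq:pkibody error:cmp_ses.c:724:bodytype= 23, error="PKIStatus: rejection, PKIFailureInfo: badRequest: EndEnityCertificate authentication module is not configured. For a KeyUpdate request to be authentication in RA mode, EndEntityCertificate authentication module has to be set and config',
    '1099268871952:error:3209708B:CMP routines:CMP_doKeyUpdateRequestSeq:pkibody error:cmp_ses.c:714:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: badRequest: \'CN=NewUser,O=My Organization,C=SE\' is not an authorized administrator."',
    '1099117520656:error:3209708B:CMP routines:CMP_doKeyUpdateRequestSeq:pkibody error:cmp_ses.c:714:bodytype=23, error="PKIStatus: rejection, PKIFailureInfo: badRequest: Omitting some verifications can only be accepted in RA mode and when the CMP request has already been authenticated, for example, through the use of NestedMessageContent"',
]


@dataclass
class CmpRejection:
    function: str          # client-side routine that failed (ir vs. kur sequence)
    source: str            # file:line in the cmpforopenssl source
    body_type: Optional[int]
    body_name: str         # PKIBody tag name, "unknown" if not in the table
    pki_status: str        # e.g. "rejection"
    failure_info: str      # e.g. "badRequest"
    message: str           # free text supplied by the CA
    truncated: bool        # True if the quoted message lost its closing quote


def parse_cmp_error(line: str) -> Optional[CmpRejection]:
    """Parse one openssl cmp error line; return None for INFO/SUCCESS lines."""
    m = _ERR_LINE.match(line.strip())
    if not m:
        return None
    data = m.group("data")
    bt = _BODYTYPE.search(data)
    body_type = int(bt.group(1)) if bt else None
    srv = _SERVER_ERR.search(data)
    if srv:
        status, fail, msg = srv.group("status"), srv.group("fail"), srv.group("msg")
    else:
        status, fail, msg = "", "", data   # local failure with no CA status text
    return CmpRejection(
        function=m.group("func"),
        source=f'{m.group("file")}:{m.group("fline")}',
        body_type=body_type,
        body_name=PKIBODY_TYPES.get(body_type, "unknown"),
        pki_status=status,
        failure_info=fail,
        message=msg.rstrip('"'),
        truncated=not msg.endswith('"'),
    )


def parse_session(lines: List[str]) -> List[CmpRejection]:
    """Collect the rejections from a whole openssl cmp transcript."""
    return [r for r in (parse_cmp_error(ln) for ln in lines) if r is not None]


if __name__ == "__main__":
    for rej in parse_session(SAMPLE_LINES):
        flag = " (truncated)" if rej.truncated else ""
        print(f"{rej.function} [{rej.source}] body={rej.body_name} "
              f"{rej.pki_status}/{rej.failure_info}: {rej.message}{flag}")
```

Feeding a full transcript through parse_session makes the ir/kur distinction visible at a glance (CMP_doInitialRequestSeq vs. CMP_doKeyUpdateRequestSeq) and separates what the client failed on locally from what the CA actually answered, which is what matters when deciding whether to change the end-entity status, the CMP alias configuration, or the authentication module.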