Import private key for external Certification Authorities

[oliviermartin]

A follow up from migrating my Samba AD PKI to EJBCA topic. I leave a new question in case it can help other people.
I have imported my User (intermediate) CA as the management CA in EJBCA with the command /opt/ejbca/bin/ejbca.sh ca importcacert.
Now if I want to provision new user with this sub-CA. I need its private key. The only way I can find to import the private key is with the command /opt/ejbca/bin/ejbca.sh ca restorekeystore.
I tried:

openssl pkcs12 -export -name userca -in /etc/pki/ca/user-signing-ca.crt -inkey /etc/pki/ca/user-signing-ca/private/user-signing-ca.key -passout pass: -out /tmp/userca.p12
sudo /opt/ejbca/bin/ejbca.sh ca restorekeystore UserCa /tmp/userca.p12 -s userca -e userca
Enter keystore password: 

Exception in thread "main" javax.ejb.EJBException: java.lang.NullPointerException: Cannot invoke "org.cesecore.certificates.ca.CACommon.getCAToken()" because "thisCa" is null

[oliviermartin]

Now, I understand the meaning of -s and -e. They are the names of EJBCA Crypto Token aliases - not the alias of the PKCS#12 file.
The issue seems my CA is an external CA and EJBCA does not seem to support adding crypto token to external CA. Is it correct?

[primetomas]

Yes External really means that the CA is operated somewhere else. It is just an imported CA certificate to be able to use that to verify certificate chains (such as externally issued administrator certificates). As it's only a certificate you can naturally not use that to sign other certificates.
If you really want to migrate in a Ca, including the private key into EJBCA you use "importca". There are examples here. https://docs.keyfactor.com/ejbca/latest/migrating-from-other-cas-to-ejbca

If you plan to run everything in EJBCA I would recommend to separate User certificates from PKI administrator certificates. It makes for good role and trust separation. It is easy as you can set up as many CAs that you need.

Perhaps:

• Install EJBCA with a new Managment CA and use that for PKI management
• import the CA used for AD into EJBCA (see the docs)

There is no need for CA admin certificates to be in EJBCA, and you can even make it security best practice by using an HSM for that from the get go.