Unable to issue a certificate with a new root CA #732

tmontney · 2024-12-05T06:06:10Z

tmontney
Dec 5, 2024

New to EJBCA, standing up a fresh docker instance. I'm trying to replace the stock root CA with my own and replace the WildFly admin cert. When creating the CA, I created a new crypto token and replicated the settings from the stock CA (aside from the subject DN and CRL validation data).

When making a new request for a "Server" subtype and selecting my new root CA, I change the key algorithm and set a common name. At the bottom, the download buttons are greyed out. If I hit "Reset", I get "An unexpected problem has occurred: badly formatted directory string". If I try the same values but targeting the stock CA, download buttons work normally.

Answered by tmontney

Dec 6, 2024

I went back and looked at this tutorial again: https://docs.keyfactor.com/ejbca/latest/tutorial-start-out-with-ejbca-docker-container#id-(9.1.1)Tutorial-StartoutwithEJBCADockercontainer-Step5-IssueSuperAdmincertificate

I'm not supposed to enter a formatted DN, just the value for CN. If I put something like "myserver" instead of "CN=myserver", the cert can be downloaded. Dumb mistake.

A few things to note:

The UI shouldn't throw an error like that upon hitting "Reset"
The UI seems to be inconsistent on validation.
1. Enter "CN=123" for CN, buttons remain disabled
2. Remove "CN=", buttons are enabled.
3. Append that value back, buttons remain enabled.
Buttons remain enabled when leaving the …

View full answer

primetomas · 2024-12-05T07:27:44Z

primetomas
Dec 5, 2024
Maintainer

Can you provide a screenshot of this?

0 replies

tmontney · 2024-12-06T05:21:31Z

tmontney
Dec 6, 2024
Author

Here's my attempt to issue a test CA server cert from my test CA:

Buttons at the bottom are disabled. When I hit "reset", I get this:

Tailing the docker container gives me this stack trace: https://pastebin.com/2Ni5T7wv

Here's my crypto token:

And here's my test CA:

0 replies

tmontney · 2024-12-06T05:34:08Z

tmontney
Dec 6, 2024
Author

I went back and looked at this tutorial again: https://docs.keyfactor.com/ejbca/latest/tutorial-start-out-with-ejbca-docker-container#id-(9.1.1)Tutorial-StartoutwithEJBCADockercontainer-Step5-IssueSuperAdmincertificate

I'm not supposed to enter a formatted DN, just the value for CN. If I put something like "myserver" instead of "CN=myserver", the cert can be downloaded. Dumb mistake.

A few things to note:

The UI shouldn't throw an error like that upon hitting "Reset"
The UI seems to be inconsistent on validation.
1. Enter "CN=123" for CN, buttons remain disabled
2. Remove "CN=", buttons are enabled.
3. Append that value back, buttons remain enabled.
Buttons remain enabled when leaving the required "Provide User Credentials" fields empty. If you attempt to download the certificate, each field appends additional HTML "Value is required". While this prevents the user from proceeding, it's inconsistent with disabling the buttons. (For example, either the buttons should become disabled, or error text appears in all cases.)

0 replies

primetomas · 2024-12-06T07:58:53Z

primetomas
Dec 6, 2024
Maintainer

Great you got it working. Thanks for the feedback on inconsistensies. I'll provide that back to development.

0 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unable to issue a certificate with a new root CA #732

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 4 comments

{{title}}

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

Select a reply

Unable to issue a certificate with a new root CA #732

tmontney Dec 5, 2024

Replies: 4 comments

primetomas Dec 5, 2024 Maintainer

tmontney Dec 6, 2024 Author

tmontney Dec 6, 2024 Author

primetomas Dec 6, 2024 Maintainer

tmontney
Dec 5, 2024

primetomas
Dec 5, 2024
Maintainer

tmontney
Dec 6, 2024
Author

tmontney
Dec 6, 2024
Author

primetomas
Dec 6, 2024
Maintainer