Problems on ejbca ca importcvca command


Problems on ejbca ca importcvca command

by khsheh

I use ejbca 3.9.0 and have the following problems:

1. I created 2 CVC self signed root CAs by ejbca, one with RSA and the other with ECDSA signing algorithms. Then I exported the CA keystores of them to PKCS8 files and also downloaded the CVC certs of them. I then use the following commands. The import for RSA CA is successful but the import for ECDSA CA failed.

ejbca ca importcvca rsacvca rsacvca.pkcs8 resacvca.crt.cer "C=SE,CN=RSACVCA"
Using JBoss JNDI provider...
Testing keys with algorithm: RSA
Using passed in self signed certificate.

ejbca ca importcvca eccvca eccvca.pkcs8 eccvca.crt.cer "C=SE,CN=ECCVCA"
Using JBoss JNDI provider...
Testing keys with algorithm: ECDSA
java.security.InvalidKeyException: Supplied key (org.bouncycastle.jce.provider.JCEECPrivateKey) is not a RSAPrivateKey instance

Do you know why the import for ECDSA CA is not successful? Is it a limitation of ejbca?
Moreover, in the Admin page Import CA Keystore, the input field is PKCS12. But for CVC cert, the Export CA Keystore is only PKCS8. Thus, I cannot use the Admin page Import CA Keystore. Is it normal for ejbca, or will a new version of ejbca support PKCS8?

2. My contractor provided me a set of CVC RSA 1024 certs and keys. I want to import it to ejbca but have the following errors:

ejbca ca importcvca cvcatest1 cvca1024.pkcs8 p_cvca.cvcert "C=SE,CN=CVCATEST1"
Using JBoss JNDI provider...
Testing keys with algorithm: RSA
java.security.InvalidKeyException: Not possible to sign and then verify with key pair.

But if I use the X.509 cert (i.e. cvca1024.crt) instead of the cvc cert (i.e. p_cvca.cvcert), the import is successful:
ejbca ca importcvca cvcatest1 cvca1024.pkcs8 cvca1024.crt "C=SE,CN=CVCATEST1"
Using JBoss JNDI provider...
Testing keys with algorithm: RSA
Using passed in self signed certificate.

Why do I have to use the X.509 cert instead of the CVC cert? How do I solve the problem?

Thank you.

Re: Problems on ejbca ca importcvca command

by Tomas Gustavsson

Hi, in short.

It looks to me it is a limitation that you can not import ECC CVCAs in
EJBCA currently. I opened this issue for that, sorry for the inconvenience:
https://jira.primekey.se/browse/ECA-1458
(there will be several ecc improvements in the next release).

Second, for CVCAs you have to use the command line to import the CVCA.
The GUI will only accept p12 files, which can not be used for CVC.

For your issue nr 1, it should work if the pkcs8 and the cv certificate
have the correct corresponding keys. The error message says that ejbca
can not sign with the private key and verify with the public. Is it the
correct cv certificate?
The JBoss server.log file will contain a more detailed error message.
Also if it is possible for you, you can email me the keys and
certificates (test keys I guess) and I can test it.

Regards,
Tomas
-----
PrimeKey Solutions offers a commercial EJBCA support subscription and
training for EJBCA. Please see www.primekey.se or contact
info@... for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/



------------------------------------------------------------------------------
Come build with us! The BlackBerry(R) Developer Conference in SF, CA
is the only developer event you need to attend this year. Jumpstart your
developing skills, take BlackBerry mobile applications to market and stay
ahead of the curve. Join us from November 9 - 12, 2009. Register now!
http://p.sf.net/sfu/devconference
_______________________________________________
Ejbca-develop mailing list
Ejbca-develop@...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop
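
The check described in the reply above (sign with the private key, verify with the public key) can be reproduced outside EJBCA before attempting an import. This is an added example, not EJBCA code and not from either poster; it goes beyond the RSA case by choosing the signature algorithm from the key type so EC keys are handled too. The class and method names are hypothetical, and the keys are generated in the program as constructed sample input.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.security.spec.PKCS8EncodedKeySpec;

public class KeyPairCheck {
    // Choose the signature algorithm from the key type instead of assuming RSA.
    static String sigAlgFor(Key key) {
        switch (key.getAlgorithm()) {
            case "RSA": return "SHA256withRSA";
            case "EC":
            case "ECDSA": return "SHA256withECDSA";
            default: throw new IllegalArgumentException("Unsupported key type: " + key.getAlgorithm());
        }
    }

    // Rebuild a private key from PKCS#8 DER bytes, as they would be read from a .pkcs8 file.
    static PrivateKey loadPkcs8(byte[] der, String keyAlg) throws GeneralSecurityException {
        return KeyFactory.getInstance(keyAlg).generatePrivate(new PKCS8EncodedKeySpec(der));
    }

    // Sign a fixed message with the private key, then verify it with the public key.
    static boolean matches(PrivateKey priv, PublicKey pub) throws GeneralSecurityException {
        if (!sigAlgFor(priv).equals(sigAlgFor(pub))) return false; // e.g. RSA key, EC certificate
        byte[] msg = "key pair consistency test".getBytes(StandardCharsets.UTF_8);
        Signature s = Signature.getInstance(sigAlgFor(priv));
        s.initSign(priv);
        s.update(msg);
        byte[] sig = s.sign();
        s.initVerify(pub);
        s.update(msg);
        try { return s.verify(sig); } catch (SignatureException e) { return false; }
    }

    // Constructed sample keys; a real check would read the key file and the certificate's public key.
    static KeyPair gen(String alg, int size) throws GeneralSecurityException {
        KeyPairGenerator g = KeyPairGenerator.getInstance(alg);
        g.initialize(size);
        return g.generateKeyPair();
    }

    public static void main(String[] args) throws GeneralSecurityException {
        KeyPair rsaA = gen("RSA", 2048), rsaB = gen("RSA", 2048), ec = gen("EC", 256);
        PrivateKey rsaPriv = loadPkcs8(rsaA.getPrivate().getEncoded(), "RSA");
        PrivateKey ecPriv = loadPkcs8(ec.getPrivate().getEncoded(), "EC");
        System.out.println("RSA key, its own public key:  " + matches(rsaPriv, rsaA.getPublic()));
        System.out.println("RSA key, another RSA public:  " + matches(rsaPriv, rsaB.getPublic()));
        System.out.println("EC key, its own public key:   " + matches(ecPriv, ec.getPublic()));
        System.out.println("RSA key, EC public key:       " + matches(rsaPriv, ec.getPublic()));
    }
}
```

A `false` result for a private key and the public key taken from the certificate means the two files do not belong together, which is the condition the "Not possible to sign and then verify with key pair" message reports.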

Re: Problems on ejbca ca importcvca command

by khsheh

Thanks Tomas! I can now import my RSA CVCA after correcting my private key pkcs8 file.

Regards,
Wilson.


Re: Problems on ejbca ca importcvca command

by Tomas Gustavsson

Great!


