The Ext RA API & signing of message

by cristinapro

Hi,

I have found the following in the documentation:

 "If message signing is used, must the RA servers certificate (used to sign the message) be an administrator in EJBCA".

I have some questions regarding this:

1) As the administrator flag was removed in version 3.9, how can the RA EndEntity be an administrator?
2) For the ra.p12 certificate I get a certificate chain containing only one element, the root CA, because the other element has basicConstraints set to -1. What is wrong with the RA certificate?

Thank you,
Cristina Prohaska

Re: The Ext RA API & signing of message

by Tomas Gustavsson

Hi,

1. You can simply add the end entity to an administrator group.
I'm not 100% sure if this still applies though, so try it.

2. I'm not sure I understand the problem. I assume the root CA has basic
constraints set to true. Does it have a path length constraint as well?
The end entity certificate should have basic constraints = false.

Cheers,
Tomas
-----
PrimeKey Solutions offers a commercial EJBCA support subscription and
training for EJBCA. Please see www.primekey.se or contact
info@... for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/


_______________________________________________
Ejbca-develop mailing list
Ejbca-develop@...
https://lists.sourceforge.net/lists/listinfo/ejbca-develop

Re: The Ext RA API & signing of message

by cristinapro

Hi,

Thanks for the tip. I have managed to add the 'myra' end entity to an administrator group.
I have signed the message using myra key & certificate.
When the EJBCA CA loads the submessages it gets: signature not valid.

Must the end entity have a specific certificate profile so that the signature is valid? It uses ENDUSER for now.

All I do for signing is to instantiate a SubMessage with the specific RA key and certificate. Is there an example of signing to try to test the signature?

Many thanks,
Cristina
 
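
A local check for the two points raised above (the basic constraints value of -1 and testing a signature), as an added example that is not part of the thread and is not EJBCA code. It uses only standard JDK classes, does not reproduce EJBCA's own verification, and assumes the keystore path and password are passed as arguments, that the key password equals the keystore password, and that the chain ends in a self-signed root.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Collections;
// Added example (not EJBCA code). Usage: java CheckRaKeystore <keystore.p12> <password>
public class CheckRaKeystore {
    // X509Certificate.getBasicConstraints() returns -1 for a non-CA certificate and
    // Integer.MAX_VALUE for a CA without a path length constraint.
    static String describe(int bc) {
        if (bc == -1) return "not a CA (end entity)";
        if (bc == Integer.MAX_VALUE) return "CA, no path length constraint";
        return "CA, path length constraint " + bc;
    }
    public static void main(String[] args) throws Exception {
        char[] password = args[1].toCharArray();
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (FileInputStream in = new FileInputStream(args[0])) {
            ks.load(in, password);
        }
        byte[] data = "constructed test payload".getBytes(StandardCharsets.UTF_8);
        for (String alias : Collections.list(ks.aliases())) {
            if (!ks.isKeyEntry(alias)) continue;
            Certificate[] chain = ks.getCertificateChain(alias);
            for (int i = 0; i < chain.length; i++) {
                X509Certificate c = (X509Certificate) chain[i];
                System.out.printf("%s[%d] subject=%s issuer=%s basicConstraints: %s%n", alias, i,
                        c.getSubjectX500Principal(), c.getIssuerX500Principal(),
                        describe(c.getBasicConstraints()));
                // Assumption: the chain ends in a self-signed root, so the last entry
                // is checked against its own key. verify() throws on a broken link.
                c.verify(chain[Math.min(i + 1, chain.length - 1)].getPublicKey());
            }
            // Assumption: the key password equals the keystore password.
            PrivateKey key = (PrivateKey) ks.getKey(alias, password);
            String alg = "SHA256with" + ("EC".equals(key.getAlgorithm()) ? "ECDSA" : key.getAlgorithm());
            Signature sig = Signature.getInstance(alg);
            sig.initSign(key);
            sig.update(data);
            byte[] signature = sig.sign();
            sig.initVerify(chain[0]); // throws if a critical key usage forbids signing
            sig.update(data);
            System.out.println(alias + ": local sign/verify " + (sig.verify(signature) ? "OK" : "FAILED"));
        }
    }
}
```

A chain entry reported as "not a CA (end entity)" at index 0 is the expected result for an RA certificate; the same report at a higher index means a certificate that cannot act as an issuer sits where a CA should be.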

Re: The Ext RA API & signing of message

by Johan Eklund

Hi Cristina,

Are both myra and the server-side keystore issued by the same CA as
described in chapter 4 of extra/doc/external-ra-server.pdf?

Best Regards,
Johan


--
PrimeKey Solutions offers a commercial EJBCA support subscription and training for EJBCA. Please see www.primekey.se or contact info@... for more information. http://download.primekey.se/documents/ejbca_subscription.pdf http://download.primekey.se/documents/ejbca_training.pdf





Re: The Ext RA API & signing of message

by cristinapro

Hi again,

I have managed to move forward and have the signature verified.
I need one more thing before managing to process the RA message.

I got this error at processing:
Error CA 'AdminCA1' doesn't exists.

This is strange as AdminCA1 does exist and it is the one that has signed the certificate for the RA endEntity, and the signature is valid now.

Kind Regards,
Cristina




Re: The Ext RA API & signing of message

by cristinapro

Hi,

We do not use the RA SCEP server, so we only have one certificate for the RA server. I use this for signing and this is also deployed as keystore/extrakeystore.p12. Is this a misunderstanding from my side?

We still get the error:
Error CA 'AdminCA1' doesn't exists

even if I have added both myra endEntity and AdminCA1 to the Administrator Group.
Can you 'feel' what's missing in the configuration?

Thanks,
Cristina