Error no client certificate or OAuth token received used for authentication

[raxo8]

Hi,
I have deployed ejbca using docker, deployment is successfully completed.
We are facing an issue while invoking the "certificateRequest" endpoint using the soap web service.
We also tested using the clienttool box which also returned the same error "no client certificate or OAuth token received used for authentication ".
Need your kind support.

ERROR :- ejbca | 2023-03-15 06:21:06,540+0000 DEBUG [org.ejbca.core.protocol.ws.logger.TransactionLogger] (default task-5) 2023-03-15 06:21:06.538+0000;eaafb7707f00000165f08f18b794be81;20;2;certificateRequest;org.cesecore.authorization.AuthorizationDeniedException: Error no client certificate or OAuth token received used for authentication.;${ADMIN_DN};${ADMIN_ISSUER_DN}

[primetomas]

Did you use TLS_SETUP_ENABLED="simple"? You should not use that when you want to use client certificate authentication.

[mharrisistl]

I was doing that yes, I have now started from scratch and used the following docker command:

docker run -it --rm -p 80:8080 -p 443:8443 -h mycahostname -e TLS_SETUP_ENABLED="true" keyfactor/ejbca-ce

Now I have got to a position where I can enrol new devices using the rest api, however only when I am using the ManagementCA.pem file and the SuperAdmin.p12 file. Trying to use a CA I have made ( using the youtube tutorials I have MyPKIRootCAG1 and MyPKISubCAG1 CA's ) and client certificate I have made ( made through web ui, enrol -> make new request -> key-pair generation by the CA ) either through Postman or using curl gives me this error:

`curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it.`

From what I understand, and I am learning as I go, the CA I have created will always have a self signed certificate in the chain. The root CA ( in my case MyPKIRootCAG1 ), has to be self signed, and so any sub CA's ( in my case MyPKISubCAG1 ) must contain a CA that's self signed in the chain. So how do I get around this issue ? Why does using the ManagementCA work as that is also self signed?

Do I have the wrong understanding, or am I missing a step?

[primetomas]

The issue is that if you create a new CA that (root) CA certificate need to be added to the WildFly truststore in order for client certificates issued by that to be used. In the TLS handshake the server sends "accepted CA certificates" to the client, which as the CAs for which the server accepts client certificates issued under. For the container you can modify the truststore, you'll find something about it in the dockerhub docs.

[mharrisistl]

Thanks for this. I will read into it and report back if I have any additional issues 👍

[primetomas]

You can connect using for example "openssl s_client", and it will show this. Quite educational for lower level TLS stuff. This specific topic is one thing that is a bit hidden and often comes up as questions.