new RA GUI + renew user certificate

[tlull]

Hello,
I'm running EJBCA version 7.11.0.
A normal user is able to logon to the new RA GUI. The web browser asks for the certificate to use for logon when opening the URL https://host:8443/ejbca/ra/
My plan is to create a role with minimal permissions so every user can renew its own certificate.
I have created a new role with the new RA GUI containing 2 permissions:

• "Create certificates"
• "...by using username and password"

This is fine.

Now a normal user sees exactly 3 menu entries in the RA GUI:

• Preferences
• Renew certificate
• Enroll -> Use username

When the user tries to renew its certificate using the new RA GUI then a box with the following message appears:
"Certificate can not be renewed."
The server log contains this error:
2023-04-04 14:18:55,713 ERROR [org.ejbca.ra.RaRenewBean] (default task-15) Failed to renew certificate for user XXX with serial number 7501717757895505480 and issuer CN=YYY,O=ZZZ,C=DE: org.ejbca.core.model.ca.AuthLoginException: Got request for user with invalid password: XXX.
But independently from the error everythings seem to be okay so far. The state of the user has changed to "new" and the user received an email with the new password.

Afterwards the user tries to download its new certificate using the new RA GUI. 2 error boxes appear:

• "You are not authorized to execute this operation"
• "An unexpected problem has occurred: Cannot invoke "org.cesecore.certificates.endentity.EndEntityInformation.getExtendedInformation()" because "this.endEntityInformation" is null"

The server log contains this error:

Caused by: java.lang.NullPointerException: Cannot invoke "org.cesecore.certificates.endentity.EndEntityInformation.getExtendedInformation()" because "this.endEntityInformation" is null
        at deployment.ejbca.ear.ra-gui.war//org.ejbca.ra.EnrollWithRequestIdBean.isPreSetKeyAlgorithmRendered(EnrollWithRequestIdBean.java:581)

So I have 3 questions:

• What I have done wrong?
• Is it possible for nomal users to renew its certificate?
• How can I get rid of the error messages?

Kind regards,
Torsten

[primetomas]

Hi,

Try the new EJBCA 8.0, it has improvements for using the RA web for public, it's used by default now for initial superadmin enrollment for example.

[rriemann]

Hi @tlull

We have the same server logs and upon certificate renewal, the user gets an error "certificate cannot be renewed". This is with EJBCA 9.1.1.

Did you solve your problem?

[primetomas]

I realize that you mention renew now. When going into renew, you do authenticate with the old client certificate to the RA right?

[tlull]

Hi @rriemann
we have setup an own GUI to create and renew certificates by the users so that minimal input is required and the number of wrong input can be reduced. That's why unfortunately I cannot say wether the problem is solved or not.