Unable to add imported rootCA to an end identity #284
-
I have imported a root CA into EJBCA, to be used for generating certs for client authentication (it's been used for that purpose so far). I have added the rootCA cert to Certificate authorities, created a certificate profile that lists client authentication as my use case, created an end identity profile that uses that cert profile and the said rootCA, but when I try to create the end entity - I get an empty list in the CA dropdown. Am I missing something? I am running it via container using the latest version (7.11.0).
Replies: 2 comments 2 replies
-
How did you import the CA? Did you just import the CA certificate so it is labeled an "External CA" in EJBCA?
-
I have imported the CA, and marked it as an external CA.
Description | CA created by certificate import
I also don't see it in the CA Activation screen. Could it perhaps be that since it does not have a Crypto Token it is not considered Activated? And how would I create a token for an imported root CA cert?
A CA needs a private key to sign with, so a complete usable CA consists of a Crypto Token with the CA's private signing key, and the CA's certificate containing the public key.
If you import only the CA certificates, the CA is "External" in EJBCA, meaning that it is a CA that is operated externally and issuing certificates takes place there (externally). The imported CA certificate in EJBCA can only be used for verification, for example for SubCA certificates that are operated fully in EJBCA.
If you want to import a CA to be actually used in EJBCA you use the function "Import CA keystore" as opposed to "Import CA certificate". With that function you get an opportunity to import a keystore, …
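The distinction drawn in the reply above can be checked before importing, as an added example (not from the thread or the EJBCA project): the function reports whether a file holds only a CA certificate, which per the reply yields an "External" CA, or a keystore whose private key matches its certificate. It assumes a PEM certificate or a password-protected PKCS#12 keystore and the `openssl` CLI; the function name, its parameters and the result labels are made up for this example.

```shell
#!/bin/sh
# Added example: classify CA material before importing it into EJBCA.
# Assumption: input is a PEM certificate or a PKCS#12 keystore.
# The result labels printed below are this example's own, not EJBCA terms.

classify_ca_material() {
    file=$1
    pass=${2:-}   # keystore password (hypothetical parameter, empty if none)

    # Certificate only: there is no private key, so nothing can be signed.
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$file" &&
       ! grep -q 'PRIVATE KEY-----' "$file" &&
       openssl x509 -inform PEM -in "$file" -noout 2>/dev/null; then
        echo "certificate-only"
        return 0
    fi

    # Otherwise treat the file as PKCS#12. The private key only passes
    # through a pipe to derive its public half; it is never written to disk.
    cert_pub=$(openssl pkcs12 -in "$file" -passin "pass:$pass" -nokeys -clcerts 2>/dev/null |
        openssl x509 -inform PEM -noout -pubkey 2>/dev/null) || true
    key_pub=$(openssl pkcs12 -in "$file" -passin "pass:$pass" -nocerts -nodes 2>/dev/null |
        openssl pkey -inform PEM -pubout 2>/dev/null) || true

    # Wrong password, not a keystore, or one of the two parts is missing.
    if [ -z "$cert_pub" ] || [ -z "$key_pub" ]; then
        echo "unrecognized"
        return 1
    fi

    # A usable CA needs the key that belongs to the public key in the cert.
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "keystore-with-matching-key"
        return 0
    fi
    echo "keystore-key-mismatch"
    return 1
}

# Stand-alone use: sh script.sh <file> [keystore-password]
if [ "$#" -gt 0 ]; then
    classify_ca_material "$@"
fi
```

Passing the password as an argument exposes it in the process list, so prefer an interactive prompt or a protected file when handling a production CA key.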