Not able to renew superadmin certificate

[younid]

Hello,

We have an EJBCA 6.5 running for long time and connected to an HSM.
Currently we are no more able to renew superadmin certificate.
We face an error : ManagementCA.signKey is not available

When using the command ejbca.sh cryptotoken listkeys we see all existing keys from other CAs but not the keys of the management CA.
On the HSM side we an list all keys and then we see the ManagementCA.signKey and others.
All was working well until now and we wonder why we have this issue and how to fix it.

Could you please help to find a solution to fix the situation for this EJBCA instance ?
Is there any way to recovered the Management CA with all its keys visible inside the keys list command and then be able to regenerate the superadmin certificate ?

Thanks in advance for your help.

Regards

[primetomas]

Assuming it's the Sun PKCS11 provider, you can use "clientToolBox PKCS11HSMKeyTool" to more directly interact with the HSM for trouble shooting.
When it comes to this P11 provider, it requires a certificate object, which is the public key for the Sun P11 Provider. Was this certificate removed from the HSM for some reason?

[younid]

Hello @primetomas ,

Thank you for your help.
I just checked with my colegues and they said we are using HSM Luna with lunacm client.
They check access to the HSM from EJBCA configuration and all is good.
They also verified the present of the key pair related to Management CA insidethe HSM secrets. It exists and seen by lunacm with the same CO used by the EJBCA. They did several checks with CPL support to make sure HSM is correct and keys are safe.

Then they don't understand how it is possible to see other keys from EJBCA but not the one to be attached to crytoToken used for Management CA.

Used command to list the keys is the following one:
./bin/ejbca.sh cryptotoken listkeys "Management CA" --clipassword=xxxxx

Regards

[primetomas]

Did you upgrade Java? There has been changes done in JDK that affects the SunP11 provider negatively.

There is debug logging in EJBCA that will display a lot what EJBCA sees. There is also debug logging of Java SunP11 that you can enable to understand exactly what that does.

What are the key algorithms?

[younid]

Java is not updated
Could you please help to activate debug mode for EJBCA (we are running it as K8S pod) ?
Do you know how to activate debug mode for Java SunP11 ?

Used key algo = ECDSA prime256v1
Hereafter are the keys list from HSM and from the EJBCA cryptoToken

[bob@ejbca-7cc5797c9-nq5qw bin]$ ./cmu list
handle=2000001 label=TEST.signKey
handle=2000002 label=ManagementCA.testKey
handle=2000003 label=ManagementCA.signKey3
handle=2000004 label=priv-ManagementCA.testKey
handle=2000005 label=priv-ManagementCA.signKey3
handle=2000006 label=ManagementCA.defaultKey
handle=2000007 label=priv-ManagementCA.defaultKey
handle=2000008 label=ManagementCA.signKey.2000008
handle=2000009 label=priv-ManagementCA.signKey.2000009
handle=2000010 label=ManagementCA.testKey.2000010
handle=2000011 label=priv-ManagementCA.testKey.2000011
handle=2000012 label=priv-ManagementCA.testKey.2000012
handle=2000013 label=ManagementCA.testKey.2000013
handle=2000014 label=priv-ManagementCA.signKey
handle=2000015 label=ManagementCA.signKey
handle=2000016 label=priv-ManagementCA.defaultKey.2000016
handle=2000017 label=ManagementCA.defaultKey.2000017
...
handle=2000030 label=priv-TEST.signKey

[bob@ejbca-7cc5797c9-nq5qw bin]$
[bob@ejbca-7cc5797c9-c5d2q ejbca-ce-6.5.0.5]$ ./bin/ejbca.sh cryptotoken listkeys "Management CA" --clipassword=XXXX

CryptoToken name: "Management CA"
CryptoToken id: 1125390565
ALIAS ALGORITHM SPECIFICATION SUBJECTKEYID
ManagementCA.signKey3 ECDSA prime256v1 9cdbea0ad5b41a8589f297daeb196f170fe023a7
TEST.signKey ECDSA prime256v1 801d966613b867ba60938e97a685f3215ee193d0
[bob@ejbca-7cc5797c9-c5d2q ejbca-ce-6.5.0.5]$

Thanks

[younid]

Hi @primetomas,

We finally found the root cause why the CT does not see the keys : it's due to the CKA_ID attribute which is the same on several key pair.
The error visible in EJBCA logs

[java] 09:38:40.076 [main] ERROR org.ejbca.ui.cli.ca.CaInitCommand - Crypto token was unavailable: java.security.ProviderException: java.security.KeyStoreException:

invalid KeyStore state: found 2 private keys sharing CKA_ID ManagementCA.signKey

Thanks for your support

Regards