Exporting CA with ca.tokenpassword=null

[donusry-privoro]

Hi everyone. I recently inherited an old development PKI and have been tasked to bring it in line with our production one. Long story short it involves moving the sub CAs to their own machines. Originally we thought exporting was a lost cause due to no one knowing the password, but as it turns out the install.properties has ca.tokenpassword set to null. The issue is when I try to export and give it no password, then I get the following:

Export a token without password protection is not allowed.

Is there something I can do to get around this?

EJBCA 6.5.0.5

Thank you.

[primetomas]

If ca.tokenpassword in install.properties was set to null, only affects the initially created Management CA, not any Sub CAs that you subsequently created.
So the best quess is that you have either:

1. The default password in from cesecore.properties (see ca.keystorepass)
2. A password was defined when creating the SubCA, in which case this was set by someone who should have made a note of it

If "autoactivation" is enabled for the CA, the password is stored encrypted in the database and can be recovered. Let me know if the above does not fix it for you.

[donusry-privoro]

cesecore.properties file is not present. Every crypto token has auto-activation enabled. I do not see MariaDB or other DB running on the system, so I will assume it is using H2.

[mike-agrenius-kushner]

Check if it's in ejbca.properties instead, assuming that this might be an older installation which has been upgraded?

[donusry-privoro]

The only thing defined in there is appserver.home. This has not been updated since it was brought up back in 2017.

[primetomas]

Ok, your EJBCA is very old, so it may be slightly different. I hope you can adjust.
In CryptoTokenData in later versions of EJBCA, probably in CAData in your version(?), you have properties in the database.

mysql -u ejbca -p ejbca
select tokenProps from CryptoTokenData where tokenName='foobar';
You may have to look in CAData instead. If you are using H2 database, then find where the database files are stored, and you will be able to check the data in the fies directly with a text editor.

In tokenProps I have a base64 encoded field, you may have an field called "pin" in cleartext (don't remember from that version).

I do:

cat > a.b64
openssl base64 -d -in a.b64
And find:
pin=6bc841b2745e2c95e042a68b4777b34c
Here the hex data is the "encrypted" password. You can feed this into the java method StringTools.pbeDecryptStringWithSha256Aes192 to decrypt it. In my case I modified StringToolsTest to decrypt it...using the setting in my config files for the encryption key (which should be unique).

Not trivial I know, but it's shouldn't be trivial out-of-the-box to decrypt this.

[donusry-privoro]

Thank you for your reply, though I am unsure how to continue. I found ejbcadb.h2.db in the home directory. Opening it in a text editor yields what looks like XML, and searching for things like "pin=" or "CAData" doesn't reveal anything spectacular. I tried opening the H2 database with H2 Console and I don't see any tables other than INFORMATION_SCHEMA.

[donusry-privoro]

Progress has been made. I was able to get a password following your instructions. However, I am now getting a new exception when trying to export. Originally it was always Exception in thread "main" javax.ejb.EJBException: org.cesecore.keys.token.CryptoTokenAuthenticationFailedException: PKCS12 key store mac invalid - wrong password or corrupted file.

Now I am getting Exception in thread "main" javax.ejb.EJBException: org.bouncycastle.operator.OperatorCreationException: cannot create signer: Supplied key (org.bouncycastle.jcajce.provider.asymmetric.ec.BCECPrivateKey) is not a RSAPrivateKey instance

I hope this means the password I extracted worked, and there is now some other (hopefully trivial) issue to work through. Looks to be related to JCE provider.

[mike-agrenius-kushner]

Oh, you're in luck – this one is easy. The CA has an EC key set as its encryption key – one of those things we should really just not allow. As you may know, EC can't be used out of the box for encryption, so the solution is just to change the encryption key to an RSA key.

[primetomas]

Can you share the full stacktrace from server.log, that will show more details.

[donusry-privoro]

@primetomas here is a tail of my server.log. server.log

@kombatminipig I tried creating a new RSA 4096 keypair under the crypto token and I still wasn't able to export. Is there another encryption key that I need to change?

[primetomas]

Details how to fix the issue highlighted by @kombatminipig.
In the CA configuration you have a set of key aliases, one of them is called "keyEncryptKey". It can be either of two things:

• Either you have set the keyEncryptKey to an EC key, or you have "defaultKey" set to an EC key and no setting for "keyEncryptKey".

The solution should be to set keyEncryptKey eplicitly to be an RSA key.

[mike-agrenius-kushner]

Not much I can do with just that error message I'm afraid, but we do have a pretty solid guide for appserver setup: https://doc.primekey.com/ejbca/ejbca-installation/application-servers/wildfly-18-jboss-eap-7-3

Have you followed it?

[donusry-privoro]

Yeah. That's what I used. I'm going to run through it again today. I might have messed up the database and datasource parts of the guide. I didn't see examples for H2, so I winged it.

[donusry-privoro]

I followed the guide to setup WildFly 18 except I manually copied in the db and ds config into standalone.xml from old JBoss. I then followed the EJBCA upgrade guide. When I run standalone.xml now I get exceptions related to incorrect password for the keystore and truststore.

server.log

[donusry-privoro]

I was able to upgrade EJBCA enough to get a working command line, change the tokenprop, and export the CA. Thank you all so much for your help. Would have been nice to get the web interface working, but I will stop while I am ahead.

[mike-agrenius-kushner]

Then my work here is done.

/me flies off into the distance.