Replace ManagementCA

[jyrire]

Hi,

i'm not able to find how to replace the selfsigned ManagementCA created during the installation
I create the new root CA and client cert with cn=pkiadmin
I add them to Super Amininistrator Role

X509: CN, Common name | JuwaraRootCA-G1R | Equal, case sens. | pkiadmin |  
X509: CN, Common name | ManagementCA | Equal, case sens. | SuperAdmin |

I can't remove the cn=SuperAdmin signed by selfsigned ManagementCA
"Authorization denied, Grant access of the current administrator ...."

and when close the web browser and start the new session its still send to me the ManagementCA

%curl -iv https://ejbca.srk.juwara.ee/ejbca/adminweb
...
Server certificate:

• subject: UID=c-zWjYy5SGuYvWdoPqXGP2468cawh81uCA; CN=debian; O=Example CA; C=SE
  ...

%ejbca.sh roles

The following commands are available:
addrole Adds an administrative role.
addrolemember Adds a member to a role.
changerule Changes an access rule
listadmins Lists admins in a role.
listroles Lists admin roles
listrules Lists access rules for a role
removeadmin Removes an admin
removerole Remove admin role

i can add role member
but not remove,
and even not the list of the role members

My goal is to remove existing ManagementCA
and replace it with certs issued by this EJBCA (so certs already in key and trust stores)

Regards

Juri

[jyrire]

Hi
actually with ejbca.sh i can list and remove members from role
ejbca.sh roles removeadmin

but after removing the SuperAdmin from Super admins role
i'm not able to login to admin web at all
ejbca sends the ManagementCA certs
%curl -iv https://ejbca.srk.juwara.ee/ejbca/adminweb
...
Server certificate:
subject: UID=c-zWjYy5SGuYvWdoPqXGP2468cawh81uCA; CN=debian; O=Example CA; C=SE
...

how to replace admin web ManagementCA?

Regards
Juri

[primetomas]

You are not so concerned about the server certificate itself. What you need to do is to add your new CA to the truststore, so it shows as "accepted CAs" when you connect, so you get to choose your new client certificate with logging into the admin UI.

Check using the "ant javatruststore" command. For example "Adding in Other Management CAs to the Key StoreLink to Adding in Other Management CAs to the Key Store" here: https://doc.primekey.com/ejbca/ejbca-installation/installing-ejbca/install-ejbca-as-a-ca-without-a-management-ca

Or:
https://doc.primekey.com/ejbca/troubleshooting-guide/installation-and-deployment#InstallationandDeployment-IgetanerrormessagewhenaccessingtheCAUI

[jyrire]

Dear Tomas
thank you, a'm aware about docs you are refered
but

1. ant is not installed in docker image
   so should i install it?

only jks file is

sh-4.4$ find / -name "*jks" 2>/dev/null
/mnt/persistent/secrets/tls/ejbca-node1/server.jks

and i do not know the password to use keytool

sh-4.4$ keytool -list -keystore /mnt/persistent/secrets/tls/ejbca-node1/server.jks
Enter keystore password:
keytool error: java.io.IOException: Keystore was tampered with, or password was incorrect

foo123 and ejbca are not correct passwords

there are no JBOSS_HOME enviroment variable
So is the EJBCA only usable for Java developers?

but anyway wildfly-26.1.3.Final/standalone/configuration/ doesn't have keystore folder

I have also 2.5.0 software appliance but unfortunatelly its useless
because its not accept the OTP from console, so only thing that i can do with it just remove it

and only firefox asking the client certificate when i connect to ejbca
safari, chrome, edge on mac and chrome edge on windows even doesnt ask the client certificate just show that cno lient sertificate was present regadless that client sertificate is added to keychain and certificate storage

Regards

Juri

[primetomas]

I didn't know you were on container.
https://hub.docker.com/r/keyfactor/ejbca-ce, Directories of importance, describes truststore.jks and password. You need to provide one that contains preferable both the old and your new CA certificate.
If you have a software appliance, the web UI allows you to add additional CA certificates. If you have problems with that support can help you. Adding additional (external) CA certificates to truststore is a standard use case.

[jyrire]

Hi Tomas

actually i have 3 installations
bitnami VM
docker buided with docker-compse from
https://doc.primekey.com/ejbca/tutorials-and-guides/tutorial-start-out-with-ejbca-docker-container
2.5.0 appliance

And all have different issues,
but lets start with docker
in docker-compose.yml i had used
passwords are not set
PASSWORD_ENCRYPTION_KEY
CA_KEYSTOREPASS
EJBCA_CLI_DEFAULTPASSWORD

in your video: https://www.youtube.com/watch?v=x-kEqPrz1g0
you are also do not set passwords

what is the default values for:
PASSWORD_ENCRYPTION_KEY
CA_KEYSTOREPASS

And are they stored in MarinaDB?

Regards
Juri

[primetomas]

These fields are not relevant for the truststore.