Re-generate CSR from existing CA

[hoihochan]

Hello, I have a CA on EJBCA that is signed by an external CA and has previously generated a CSR before.

However we would like to correct the Subject DN and re-issue a new CSR - what is the correct way to do such? I tried to re-issue the CSR using the "Make Certificate Request" button from the Certificate Authority page for my CA but I got a cryptic error:

Administrator is not authorized to resource /cryptotoken/keys/generate/[redacted]

[primetomas]

Make sure the signature key field is not set to "genrate a new key" when clicking the make request button. It should be the current CA signing key in order to just generate a new CSR without renewing the keys.

[hoihochan]

Thanks but I don't see the "signature key field" anywhere in the "Edit CA" page - I am on EJBCA 7.3.1.1.

Ref: https://doc.primekey.com/ejbca/ejbca-operations/ejbca-operations-guide/ca-operations-guide/managing-cas/creating-an-issuing-ca-signed-by-an-external-root

[primetomas]

I thought you had an existing CA and wanted to create a new CSR for that existing CA?

To create a new CA requires superadmin privileges.

7.3 is way old though, I don't remember what it looks like there. Perhaps you should upgrade to the latest version first, and then re-create your CA.

[hoihochan]

No we have an existing CA and want to re-create the CSR from the same CA but with a slightly modified subject DN.

[hoihochan]

Looks like it's impossible to modify a CA's subject DN after it's been created so the only way is to create a new CA with a corrected subject DN and re-use the existing keys from the same crypto token.

[primetomas]

Correct, theoretically a CA is defined by "issuer", meaning that a changed CA DN is a new CA. There is one exception which is ICAO 9303 CA Name Change. https://docs.keyfactor.com/ejbca/latest/epassport-pki