Unable to access REST API due to bad certificate

[lakshya-chopra]

Hello,

I am using EJBCA version 9.0.0 via a docker based environmemt. Now the default CA used by EJBCA for it's REST clients & Web UI is the ManagementCA, that lacks a SubjectAlternativeName - thus, causing errors when accessed by cURL.

To replace the default CA

1. I created a new CA via OpenSSL and imported its PKCS#12 into EJBCA.

2. Added its keystore (.jks) & truststore to:

/opt/keyfactor/wildfly-33.0.0.Final/standalone/configuration

inside the EJBCA container.

3. Modified standalone.xml to use the new CA’s keystore & truststore.

Restarted the container, but the changes are still not reflected.

My question: Is there any easier way to do this? Am i even doing it correctly? In the EJBCA's logs, I noticed that it is taking the server's keystore from /opt/keyfactor/secrets/persistent/tls/ejbca-node1/, so maybe I'm wrong.

Your help will be appreciated :)

[primetomas]

I don’t think this is the problem, the CA doesn’t need an alt name. What error do you get from curl?

[lakshya-chopra]

This is the error I got from curl:

cmd:

curl -X GET "https://localhost/ejbca/ejbca-rest-api/v1/ca" \
--cacert ManagementCA.cacert.pem --cert client.crt --key client.key

Result:

curl: (60) SSL: no alternative certificate subject name matches target host name 'localhost'
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.