Revoke certificate

[pragya1998hal]

I am using CMP configuration and selecting EndEntityCertificate as an authentication method.

I am trying to revoke certificate through code but getting error :

2025-07-31 04:10:00,628+0000 DEBUG [org.ejbca.core.protocol.cmp.authentication.EndEntityCertificateAuthenticationModule] (default task-4) The certificate in extraCert is active
2025-07-31 04:10:00,628+0000 DEBUG [org.ejbca.core.protocol.cmp.authentication.EndEntityCertificateAuthenticationModule] (default task-4) Certificate does not belong to user. Username='null', extraCert username='CLIENT'.
2025-07-31 04:10:00,628+0000 INFO [org.ejbca.core.protocol.cmp.RevocationMessageHandler] (default task-4) Failed to verify the signature in the PKIMessage
2025-07-31 04:10:00,629+0000 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-4) 2025-07-31 04:10:00+00:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;cmpProtocolSignErrorResponse;;;;resource0=/ca/-192328517
2025-07-31 04:10:00,629+0000 DEBUG [org.cesecore.audit.log.InternalSecurityEventsLoggerSessionBean] (default task-4) LogDevice: Log4jDevice Proc: 1
2025-07-31 04:10:00,629+0000 DEBUG [org.cesecore.keys.token.CryptoTokenSessionBean] (default task-4) CryptoToken with ID -609943690 will be checked for updates.
2025-07-31 04:10:00,629+0000 DEBUG [org.jboss.as.jpa] (default task-4) default task-4:transaction scoped EntityManager [ejbca.ear#ejbca]: reuse entity manager session already in tx Local transaction (delegate=TransactionImple < ac, BasicAction: 0:ffffac120002:-15353949:6889ed4c:1aaa status: ActionStatus.RUNNING >, owner=Local transaction context for provider JBoss JTA transaction provider)
2025-07-31 04:10:00,631+0000 DEBUG [org.cesecore.internal.CommonCacheBase] (default task-4) Update not needed SoftCryptoToken in cache. Digest was 1007358840, cacheEntry digest was 1007358840
2025-07-31 04:10:00,631+0000 DEBUG [org.ejbca.core.protocol.cmp.CmpMessageHelper] (default task-4) Creating a signed error message with failInfo=2, failText=Failed to verify the signature in the PKIMessage
2025-07-31 04:10:00,632+0000 DEBUG [org.ejbca.core.protocol.cmp.CmpErrorResponseMessage] (default task-4) Create error message from requestType: 23
2025-07-31 04:10:00,633+0000 DEBUG [com.keyfactor.util.crypto.algorithm.AlgorithmTools] (default task-4) getSignAlgOidFromDigestAndKey: 1.2.840.113549.1.1.11
2025-07-31 04:10:00,633+0000 DEBUG [org.ejbca.core.protocol.cmp.CmpMessageHelper] (default task-4) Signature algorithm: SHA256WithRSA, from signAlg SHA256WithRSA, request digest 2.16.840.1.101.3.4.2.1 and key algorithm: RSA
2025-07-31 04:10:00,633+0000 DEBUG [org.ejbca.core.protocol.cmp.CmpMessageHelper] (default task-4) Selected signature alg oid: 1.2.840.113549.1.1.11, from signAlg SHA256WithRSA and key algorithm: RSA
2025-07-31 04:10:00,633+0000 DEBUG [org.ejbca.core.protocol.cmp.CmpMessageHelper] (default task-4) Signing CMP message with signature alg: SHA256WithRSA
2025-07-31 04:10:00,640+0000 DEBUG [org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean] (default task-4) Received a response message of type 'org.ejbca.core.protocol.cmp.CmpErrorResponseMessage' from CmpMessageHandler.
2025-07-31 04:10:00,641+0000 DEBUG [org.jboss.as.jpa] (default task-4) default task-4:transaction scoped EntityManager [ejbca.ear#ejbca]: closing entity managersession
2025-07-31 04:10:00,641+0000 DEBUG [org.jboss.jca.adapters.jdbc.local.LocalManagedConnectionFactory] (default task-4) java.sql.Connection#endRequest has been invoked

Can u guide me what the exact issue is how to resolve this issue?

[pragya1998hal]

@primetomas sir, please guide me

[primetomas]

You need to sign the request message and provide the signature certificate in extraCerts.

[pragya1998hal]

Sir Firstly I send cmp request on EJBCA for certificate creation through code. And in response I successfully get certificate.

In EJBCA I am using cmp cofiguration and selecting Authentication method as EndEntitycertificate.
Firstly I created Certificate Authority by name: ServerCA.
Then Created CertificateProfile as ServerCP.
Then created EndEntity Profile as SERVERS.
Then on EJBCA I created one Endentity certificate: with commonname: SERVERS, Username:SERVERS and password: SERVER.

After that I download and use that EndEntity certificate in our code and pass it in extraCerts field and put value in Issuer: ServerCA and subject: SERVERS.
And finaly send cmp request for certificate creation on EJBCA. My certificate created successfully, and I receive my certificated in response.

Now the certificate I get in response I saved that certificated. When I send revocation request, I send that certificated in exracerts field which I get in response for revocation as now I want to revoke that certificate. Now I pass issuer: ServerCA and subject: SERVERS

But getting Error:

2025-07-31 04:10:00,628+0000 DEBUG [org.ejbca.core.protocol.cmp.authentication.EndEntityCertificateAuthenticationModule] (default task-4) The certificate in extraCert is active
2025-07-31 04:10:00,628+0000 DEBUG [org.ejbca.core.protocol.cmp.authentication.EndEntityCertificateAuthenticationModule] (default task-4) Certificate does not belong to user. Username='null', extraCert username='SERVERS'.
2025-07-31 04:10:00,628+0000 INFO [org.ejbca.core.protocol.cmp.RevocationMessageHandler] (default task-4) Failed to verify the signature in the PKIMessage

Please guide me what I am doing wrong.

Previously same code worked fine but now I am facing issue. Is there any possibility of EJBCA server issue.

[pragya1998hal]

@primetomas sir, please guide me

[primetomas]

This error message only happens if the signature verification fails. https://github.com/Keyfactor/ejbca-ce/blob/main/modules/ejbca-ejb/src/org/ejbca/core/protocol/cmp/authentication/EndEntityCertificateAuthenticationModule.java#L494