
Comments (46)

petkivim avatar petkivim commented on May 16, 2024

Hi @darapenhchet

A more detailed error message can be found in the /var/log/xroad/jetty/jetty.log log file. Have you checked the log file already?

Best regards,
Petteri

from x-road.

darapenhchet avatar darapenhchet commented on May 16, 2024

Thanks @petkivim ,

I checked it like this.

image


petkivim avatar petkivim commented on May 16, 2024

Hi @darapenhchet

According to the error message the auth key does match with the certificate which indicates that the CSR file was generated using another key. Have you completed the steps listed below in this exact order:

  1. Create auth key.
  2. Generate CSR for the auth key.
  3. Create a certificate using the CSR generated in step 2.
  4. Import the certificate.

If you have deleted and recreated the auth key after generating the CSR, you must recreate the CSR and certificate too. One possible explanation for the error message is that the auth key has been recreated and therefore the certificate does not correspond with the current key. Another alternative is that the current configuration of your CA is not compatible with X-Road.

Best regards,
Petteri


darapenhchet avatar darapenhchet commented on May 16, 2024

Yes, it looks like Microsoft Windows Server does not support the CSR generated by XRoad, so I created a new CSR file on the Windows server and then created the certificate from it. So maybe it does not work with XRoad.

Best Regards,
Dara Penhchet


darapenhchet avatar darapenhchet commented on May 16, 2024

Do you have any solution to make the CSR generated by XRoad work with the Windows Server Certificate Authority?

Best Regards,
Dara Penhchet


petkivim avatar petkivim commented on May 16, 2024

Unfortunately, creating a new CSR file on Windows server does not work. You must use the CSR file generated by the Security Server.

X-Road requires that the CA is able to process CSRs conforming to PKCS10:

Certification Request Syntax Standard. RSA Laboratories, PKCS 10.

We have not tried to use certificates issued by a Windows server on X-Road. However, there's a Test-CA that you can use in test and development environments. The easiest way to install and configure it is to use this script. Another alternative to consider is EJBCA.

Best regards,
Petteri


darapenhchet avatar darapenhchet commented on May 16, 2024

So do you have any plan to try to use the Certificates issued by a Windows Server on X-Road?

Best Regards,
Dara Penhchet


petkivim avatar petkivim commented on May 16, 2024

The support is not limited to any specific technologies. However, X-Road requires that the CA is compliant with the two specifications listed below. Based on your description the problem seems to be related to PKCS 10 and Windows server.

  • Certification Request Syntax Standard. RSA Laboratories, PKCS 10.
  • X.509 Internet Public Key Infrastructure Online Certificate Status Protocol - OCSP. Internet Engineering Task Force, RFC 6960, 2013.

This requirement is also mentioned in the X-Road Architecture document.

By the way, have you tried both PEM and DER formats when creating the CSR on the Security Server?

Best regards,
Petteri


darapenhchet avatar darapenhchet commented on May 16, 2024

Yes, I have tried both PEM and DER formats, but it doesn't work.

Best Regards,
Dara Penhchet


petkivim avatar petkivim commented on May 16, 2024

In that case it seems that the issue is related to Windows server's PKCS 10 implementation. The next logical step would be to find out a more detailed error message on the Windows server, investigate the root cause and see if the problem can be fixed by changing the Windows server's configuration.

Best regards,
Petteri


darapenhchet avatar darapenhchet commented on May 16, 2024

I will check with the Windows Server.

Thank you so much.

Best Regards,
Dara Penhchet


darapenhchet avatar darapenhchet commented on May 16, 2024

Dear petkivim,
I have changed to using the EJBCA server to issue the certificate, but it still errors.
image

Do you have any guideline to do it with EJBCA Server?

Thanks in advance.

Best Regards,
Dara Penhchet


petkivim avatar petkivim commented on May 16, 2024

Hi @darapenhchet

Have you added the EJBCA under certification services on the Central Server according to these instructions?

https://confluence.niis.org/pages/viewpage.action?pageId=6783483#HowtoConfigureCentralServer?-1.3Addingcertificationservice

What CertificateProfileInfo value did you use when adding EJBCA? With EJBCA you should use the value below:

ee.ria.xroad.common.certificateprofile.impl.EjbcaCertificateProfileInfoProvider

In case you have used some other value, you should update the value on the Central Server, wait a few minutes and regenerate the CSR file. Please note that when you regenerate the CSR file, you must select the EJBCA from the Certification Service menu.

Best regards,
Petteri


darapenhchet avatar darapenhchet commented on May 16, 2024

Dear @petkivim ,

I have tried it already, but it still errors. Could you help to check this one?

image

Best Regards,
Dara Penhchet


petkivim avatar petkivim commented on May 16, 2024

Hi @darapenhchet

What does the CSR file's content look like? Could you post the output generated by the command below:

openssl req -in <MY_CSR_FILE.pem> -text -noout

Best regards,
Petteri


darapenhchet avatar darapenhchet commented on May 16, 2024

Dear @petkivim ,
Here is the CSR content:
image

Best Regards,
Dara Penhchet


petkivim avatar petkivim commented on May 16, 2024

Hi @darapenhchet

Thank you! How about the content of the certificate signed using EJBCA?

openssl x509 -in <CERTIFICATE.CRT> -text -noout

Best regards,
Petteri


darapenhchet avatar darapenhchet commented on May 16, 2024

Dear @petkivim ,

Here is the content of that certificate:
image

Best Regards,
Dara Penhchet


petkivim avatar petkivim commented on May 16, 2024

Hi @darapenhchet

Thank you! The certificate in the screenshot has not been issued using the CSR that you posted before. Please take a look at the subject fields - they do not match. You should create a certificate using the CSR above and then try to import it.

The certificate above follows the Finnish certificate profile and not the EJBCA certificate profile as it should.

Best regards,
Petteri


darapenhchet avatar darapenhchet commented on May 16, 2024

Dear @petkivim ,
Could you help to check this one for me?

https://34.87.20.107/ejbca/adminweb/
Id: superadmin
Password: ipAnIQ6eftpD0YgIIsU=

Keystore:
superadmin.zip

CS1: https://35.240.251.85:4000/login
SS1: https://34.87.80.93:4000/login
ID: camdx-systemadmin
Password: 123456

You can modify anything

Best Regards,
Dara Penhchet


darapenhchet avatar darapenhchet commented on May 16, 2024

Dear @petkivim ,

I have tried it again and the error is different. It failed to import the certificate: Certificate is not valid.

image

Best Regards,
Dara Penhchet


petkivim avatar petkivim commented on May 16, 2024

Dear @darapenhchet

It seems that there's a problem with your EJBCA configuration. Unfortunately, I cannot help you with that, because I have not used EJBCA personally. Maybe @JyrgenSuvalov can help you with configuring EJBCA?

Best regards,
Petteri


petkivim avatar petkivim commented on May 16, 2024

Dear @darapenhchet

I also advise you not to share the credentials of your environment publicly. Anyone can copy them from GitHub and access your environment. In case you need to share credentials with someone, it is better to use a private channel for that.

Best regards,
Petteri


darapenhchet avatar darapenhchet commented on May 16, 2024

Dear @petkivim ,
Thanks for your advice. But it is okay because it is just the development environment.

Best Regards,
Dara Penhchet


darapenhchet avatar darapenhchet commented on May 16, 2024

Dear @JyrgenSuvalov ,

Could you help me to configure the EJBCA Server with XRoad?

Best Regards,
Dara Penhchet


petkivim avatar petkivim commented on May 16, 2024

Hi @darapenhchet

For test and development purposes the easiest way to go is to install the test-CA using the Ansible script. The test-CA comes with OCSP and TSA, which means that it provides all the required trust services.

Your EJBCA installation does not have an OCSP service yet, and you also need an additional TSA service to make your X-Road environment operational. Don't forget these components when considering the required effort to get everything up and running. Considering this, using the test-CA might be the easiest and fastest way forward.

Best regards,
Petteri


darapenhchet avatar darapenhchet commented on May 16, 2024

Dear @petkivim ,

I have tried the test-CA already and it works well, but I want to install a CA for production, and it cannot integrate with XRoad.

And right now I can issue the certificate for authentication and import it to XRoad. But for the SIGNING key it is not working; it said the certificate is not valid. Do you know what the problem is with this error?

image

image

Best Regards,
Dara Penhchet


petkivim avatar petkivim commented on May 16, 2024

Hi @darapenhchet

There's probably something wrong with the EJBCA configuration; most likely it's related to the certificate profile and its attributes.

Best regards,
Petteri


darapenhchet avatar darapenhchet commented on May 16, 2024

Dear @petkivim ,

Here is my signing certificate and CSR file. Could you help to check it?

SS-Sign Certificate.zip

Best Regards,
Dara Penhchet


petkivim avatar petkivim commented on May 16, 2024

Hi @darapenhchet

This is what a valid auth certificate issued by the test-CA looks like:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 6 (0x6)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C=FI, O=Xroad Test Organization X, OU=Xroad Test CA OU, CN=Xroad Test CA CN
        Validity
            Not Before: Dec  8 14:52:18 2018 GMT
            Not After : Dec  3 14:52:18 2038 GMT
        Subject: C=FI, O=Test Company, CN=35.176.66.110/serialNumber=PLAYGROUND/testcomss01/COM
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment, Data Encipherment, Key Agreement
            X509v3 Extended Key Usage: 
                TLS Web Client Authentication, TLS Web Server Authentication
    Signature Algorithm: sha256WithRSAEncryption
         ...

You should check that your certificate profile contains the same extensions.

In addition, I noticed that you had used the Finnish certificate profile for generating the CSR. That can be seen from the CSR's subject field. You should use the EJBCA profile instead.

Subject: C=FI, O=CAMDX/serialNumber=CAMBODIA/10.10.40.25/GOV, CN=1234

Please check that you have configured the correct certificate profile for your EJBCA on the Central Server. In addition, you must select the EJBCA when you generate the CSR.

ee.ria.xroad.common.certificateprofile.impl.EjbcaCertificateProfileInfoProvider

Best regards,
Petteri


darapenhchet avatar darapenhchet commented on May 16, 2024

Dear @petkivim ,

Thanks for your help.

Best Regards,
Dara Penhchet


darapenhchet avatar darapenhchet commented on May 16, 2024

Dear @petkivim ,
Sorry to ask you again.

I have changed the CA to Windows Server and issued the AUTHENTICATION certificate successfully, but the SIGNING certificate is not working.

Could you help to check this one?

CSR And Signed Cert.zip

image

Thanks in advance,
Best Regards,
Dara Penhchet


petkivim avatar petkivim commented on May 16, 2024

Hi @darapenhchet

Unfortunately, I have no experience with Windows Server's CA. In general, you should check that the contents of a sign certificate look like this:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 3 (0x3)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = FI, O = Xroad Test Organization X, OU = Xroad Test CA OU, CN = Xroad Test CA CN
        Validity
            Not Before: Dec  8 14:12:41 2018 GMT
            Not After : Dec  3 14:12:41 2038 GMT
        Subject: C = FI, O = NIIS, CN = 2908758-4, serialNumber = PLAYGROUND/niisss01/ORG
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Basic Constraints: 
                CA:FALSE
            X509v3 Key Usage: critical
                Non Repudiation
    Signature Algorithm: sha256WithRSAEncryption
         ...

Best regards,
Petteri


darapenhchet avatar darapenhchet commented on May 16, 2024

Dear @petkivim ,

Here is my certificate:

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            11:00:00:00:23:4e:cb:f8:04:64:1a:f0:73:00:00:00:00:00:23
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC = kh, DC = gov, DC = camdx, CN = SubCA2019
        Validity
            Not Before: Sep 11 22:16:56 2019 GMT
            Not After : Sep 10 20:35:54 2020 GMT
        Subject: serialNumber = CAMBODIA/10.10.40.25/GOV, C = FI, O = CAMDX, CN = 1234
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (2048 bit)
                Modulus:
                    ...
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Subject Key Identifier: 
                E0:D9:73:98:88:60:FC:51:DC:53:6F:17:EA:0C:52:34:89:05:31:D4
            X509v3 Authority Key Identifier: 
                keyid:86:EE:F1:9C:14:7A:53:38:20:7A:9F:98:41:D8:76:47:2F:1C:42:08

            Authority Information Access: 
                CA Issuers - URI:ldap:///CN=SubCA2019,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=camdx,DC=gov,DC=kh?cACertificate?base?objectClass=certificationAuthority

            X509v3 Key Usage: critical
                Non Repudiation
            1.3.6.1.4.1.311.21.7: 
                0,.$+.....7........6...*...4...!m..+...\..d...
    Signature Algorithm: sha256WithRSAEncryption
         ...

Best Regards,
Dara Penhchet


darapenhchet avatar darapenhchet commented on May 16, 2024

Dear @petkivim ,

For the SIGNING certificate it works now. Why does it take 1 day for that certificate to become valid to import to the SIGN key?

Best Regards,
Dara Penhchet


petkivim avatar petkivim commented on May 16, 2024

Dear @darapenhchet

That's good news! There should not be any delay before the certificate can be imported; it should be possible to import it as soon as it is created. When a certificate is imported, the certificate chain is validated, and in your case the validation failed at first for some reason.

Are your CA's and Security Server's clocks in sync? I noticed that your certificate's validity started from this date/time: Not Before: Sep 11 22:16:56 2019 GMT. Please note that the time zone is GMT (Greenwich Mean Time Zone), and not your local time zone. One potential explanation could be that the certificate was not valid yet when you tried to import it yesterday.

Best regards,
Petteri


darapenhchet avatar darapenhchet commented on May 16, 2024

Dear @petkivim ,

Thanks for your help, I will check that timezone.

Best Regards,
Dara Penhchet


darapenhchet avatar darapenhchet commented on May 16, 2024

Dear brother,

May I ask you one more question?

For the CA certificate, is it the Root CA or the Issuing CA?

image

Best Regards,
Dara Penhchet


petkivim avatar petkivim commented on May 16, 2024

Hi @darapenhchet

Which certificate are you referring to? The screenshot that you tried to add is not showing.

Best regards,
Petteri


darapenhchet avatar darapenhchet commented on May 16, 2024

Dear @petkivim ,

Here it is:

image

Best Regards,
Dara Penhchet


darapenhchet avatar darapenhchet commented on May 16, 2024

Dear brother,
The timezone is different, so how could I update the timezone in the Central Server and Security Server?

Best Regards,
Dara Penhchet


petkivim avatar petkivim commented on May 16, 2024

Hi @darapenhchet

It's the root certificate. In case there are intermediate CAs, they must be configured in the "Intermediate CAs" tab. More information can be found here.

This article explains how to set or change timezone on Ubuntu 18.

Best regards,
Petteri


darapenhchet avatar darapenhchet commented on May 16, 2024

Thank you.
Right now I can import both SIGNING and AUTHENTICATION certificates, but after I clicked Register it shows an error like this:

image

Best Regards,
Dara Penhchet


darapenhchet avatar darapenhchet commented on May 16, 2024

Dear @petkivim ,

It is caused by the timezone.

System Parameter Timezone
image

Certificate Not Before
image

Best Regards,
Dara Penhchet


petkivim avatar petkivim commented on May 16, 2024

Hi @darapenhchet

UTC (Coordinated Universal Time) and GMT (Greenwich Mean Time) are equivalent, there is no time difference between them.

You should probably check that the host system clocks are in sync. On Ubuntu/RHEL, one can check the UTC/GMT time with date --utc. If the host system clocks, expressed in GMT / UTC, differ, the certificate validity can be in the future from the Security Server's point of view. It is recommended to synchronize the host clocks to an NTP time source.

If the clocks are in sync, then you should check how your CA sets the "Not before" date/time in the certificate. Is it the date/time when the certificate is issued, or is it a date/time in the future?

Best regards,
Petteri

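The three failure causes worked through in this thread (a certificate issued from a different key than the Security Server's CSR, a certificate profile missing the key-usage extensions shown in the test-CA dumps, and a notBefore that is still in the future from the importing server's clock) can be checked before attempting the import. The script below is an added example, not X-Road project code; it assumes only the openssl CLI, the function names are hypothetical, and the sample CA, CSR and certificate it builds are constructed throwaway material.

```shell
#!/bin/sh
# Pre-import checks for an X-Road auth/sign certificate. Added example, not
# X-Road project code; function names are hypothetical. Needs the openssl CLI.

# 1. The CSR and the certificate must carry the same public key (the mismatch
#    behind the first error in the thread).
xr_key_match() { # $1 = CSR (PEM), $2 = certificate (PEM)
  csr=$(openssl req -in "$1" -pubkey -noout 2>/dev/null) || return 1
  crt=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
  [ -n "$csr" ] && [ "$csr" = "$crt" ]
}

# 2. Extensions expected for an X-Road auth or sign certificate, as in the
#    test-CA dumps above: CA:FALSE plus the profile's key usage.
xr_extensions_ok() { # $1 = auth|sign, $2 = certificate (PEM)
  text=$(openssl x509 -in "$2" -text -noout 2>/dev/null) || return 1
  echo "$text" | grep -q 'CA:FALSE' || return 1
  ku=$(echo "$text" | grep -A1 'X509v3 Key Usage' | tail -n 1)
  case "$1" in
    auth) echo "$ku" | grep -q 'Digital Signature' &&
          echo "$ku" | grep -q 'Key Encipherment' &&
          echo "$text" | grep -A1 'Extended Key Usage' |
            grep -q 'TLS Web Client Authentication' ;;
    sign) echo "$ku" | grep -q 'Non Repudiation' ;;
    *)    return 2 ;;
  esac
}

# 3. Chain and validity-window check at a given clock ($3 = epoch seconds,
#    default now). Passing a time before notBefore reproduces the
#    "Certificate is not valid" failure a server with a lagging clock sees.
xr_valid_at() { # $1 = certificate, $2 = CA certificate, $3 = epoch (optional)
  if [ -n "$3" ]; then
    openssl verify -attime "$3" -CAfile "$2" "$1" >/dev/null 2>&1
  else
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
  fi
}

# Constructed sample material (throwaway CA, CSR and a sign certificate with
# the nonRepudiation profile) so the checks can be exercised offline.
xr_make_sample() { # $1 = output directory
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/ca.key" -out "$1/ca.pem" \
    -subj '/C=FI/O=Sample Test CA/CN=Sample Test CA' -days 365 >/dev/null 2>&1 || return 1
  openssl req -new -newkey rsa:2048 -nodes -keyout "$1/sign.key" -out "$1/sign.csr" \
    -subj '/C=FI/O=Sample Org/CN=12345' >/dev/null 2>&1 || return 1
  printf 'basicConstraints=CA:FALSE\nkeyUsage=critical,nonRepudiation\n' > "$1/sign.ext"
  openssl x509 -req -in "$1/sign.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" -CAcreateserial \
    -out "$1/sign.pem" -days 30 -extfile "$1/sign.ext" >/dev/null 2>&1
}

# Usage: sh xroad_precheck.sh auth|sign CSR.pem CERT.pem CA.pem
if [ $# -eq 4 ]; then
  xr_key_match "$2" "$3"     && echo "key match:  ok" || echo "key match:  FAIL"
  xr_extensions_ok "$1" "$3" && echo "extensions: ok" || echo "extensions: FAIL"
  xr_valid_at "$3" "$4"      && echo "validity:   ok" || echo "validity:   FAIL (check clock / notBefore)"
fi
```

The validity check deliberately uses openssl's own chain verification rather than a date comparison, so an intermediate CA missing from the CA file shows up as the same kind of failure the Security Server reports.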

darapenhchet avatar darapenhchet commented on May 16, 2024

Dear @petkivim,

Thank you so much for your help. Right now it works well.

Best Regards,
Dara Penhchet
