Potential bug if the CA has been renewed #865

aloeenmae opened this issue Apr 23, 2025 · 0 comments

Comments


aloeenmae commented Apr 23, 2025

When I download the SubCA used for signing client certificates (which underwent a re-key several years ago) through the EJBCA Admin UI and Web RA, its serial number is completely different from what the EJBCA WS returns.

  1. Add an End Entity, the data we send to the WebService is as follows:
    <?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><ns1:editUser xmlns:ns1="http://ws.protocol.core.ejbca.org/"><arg0><caName>My CA</caName><certificateProfileName>testprofile</certificateProfileName><clearPwd>false</clearPwd><email>ejbca@localhost</email><endEntityProfileName>test</endEntityProfileName><endTime>2025-04-05 00:00:00+00:00</endTime><keyRecoverable>false</keyRecoverable><password>somerandompassword</password><sendNotification>false</sendNotification><startTime>2025-04-04 00:00:00+00:00</startTime><status>10</status><subjectAltName/><subjectDN>DC=0,L=Test,ST=Test,C=EE,OU=Test,O=Test Org,CN=Test cert</subjectDN><tokenType>USERGENERATED</tokenType><username>96D6250CA49F5FBEC0E116BF67AB3E6A6F9E509C3F8B4EEABD8EBC78B5371623</username></arg0></ns1:editUser></soapenv:Body></soapenv:Envelope>

  2. Perform a PKCS10 Enrollment, the input is currently as follows:
    <?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><ns1:pkcs10Request xmlns:ns1="http://ws.protocol.core.ejbca.org/"><arg0>96D6250CA49F5FBEC0E116BF67AB3E6A6F9E509C3F8B4EEABD8EBC78B5371623</arg0><arg1>somerandompassword</arg1><arg2>-----BEGIN CERTIFICATE REQUEST-----<DATA_HERE>-----END CERTIFICATE REQUEST-----</arg2><arg4>CERTIFICATE</arg4></ns1:pkcs10Request></soapenv:Body></soapenv:Envelope>

  3. Finally request the last certificate chain:
    <?xml version="1.0" encoding="UTF-8"?><soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"><soapenv:Body><ns1:getLastCertChain xmlns:ns1="http://ws.protocol.core.ejbca.org/"><arg0>96D6250CA49F5FBEC0E116BF67AB3E6A6F9E509C3F8B4EEABD8EBC78B5371623</arg0></ns1:getLastCertChain></soapenv:Body></soapenv:Envelope>

  4. In response to the query made in point 3, the CA chain is returned:
    <soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body><ns2:getLastCertChainResponse xmlns:ns2="http://ws.protocol.core.ejbca.org/"><return><type>0</type><certificateData>%%DATA%%</certificateData></return><return><type>0</type><certificateData>%%DATA%%</certificateData></return><return><type>0</type><certificateData>%%DATA%%</certificateData></return><return><type>0</type><certificateData>%%DATA%%</certificateData></return></ns2:getLastCertChainResponse></soap:Body></soap:Envelope>

In the getLastCertChainResponse, the serial number of the SubCA that underwent the re-key is different (probably the serial used before the re-key) from the serial on the same SubCA certificate downloaded through the EJBCA Admin UI.

Relevant code seems to be here.
https://github.com/Keyfactor/ejbca-ce/blob/main/modules/ejbca-ejb/src/org/ejbca/core/model/era/RaMasterApiSessionBean.java#L2789

Originally posted by @aloeenmae in #850
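The check a practitioner would want to run on the exchange above, as an added example (not part of the issue and not EJBCA code): parse a getLastCertChain SOAP response, pull the serial number out of every certificateData entry, and compare the CA part of the chain position by position against the serials of the CA certificates downloaded from the Admin UI. It is stdlib only, so the response and the certificates are constructed inline: the "certificates" are DER stubs that carry just enough of the RFC 5280 Certificate/tbsCertificate structure for serial extraction and are not real certificates. The double base64 unwrapping is an assumption about how the WS serialises certificateData (a base64Binary field whose content is already base64 text); the code unwraps until it sees a DER SEQUENCE tag, so it also works if the field turns out to be wrapped only once.

```python
"""Compare CA serials from an EJBCA WS getLastCertChain response with the
serials of the CA certificates downloaded from the Admin UI (example code)."""
import base64
import xml.etree.ElementTree as ET


def der_tlv(tag: int, content: bytes) -> bytes:
    """Encode one DER TLV; only used to build the constructed sample data."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def der_integer(value: int) -> bytes:
    # One extra byte when the top bit would be set keeps the INTEGER positive.
    return der_tlv(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos; return (tag, content, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def certificate_serial(der: bytes) -> int:
    """serialNumber from Certificate -> tbsCertificate (RFC 5280 layout)."""
    tag, cert_body, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, tbs, _ = read_tlv(cert_body, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, content, nxt = read_tlv(tbs, 0)
    if tag == 0xA0:  # optional [0] EXPLICIT version precedes the serial
        tag, content, nxt = read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(content, "big", signed=True)


def decode_certificate_data(text: str) -> bytes:
    """Assumption: certificateData may be base64 of base64 DER; unwrap until
    the payload starts with the SEQUENCE tag a certificate always begins with."""
    data = base64.b64decode(text)
    if data[:1] != b"\x30":
        data = base64.b64decode(data)
    return data


def chain_serials(response_xml: str) -> list:
    """Serials of every certificateData in the response, in chain order."""
    root = ET.fromstring(response_xml)
    return [certificate_serial(decode_certificate_data(el.text.strip()))
            for el in root.iter()
            if el.tag.rsplit("}", 1)[-1] == "certificateData" and el.text]


def mismatched_serials(ws_serials, ui_serials) -> list:
    """Position-wise comparison; returns (index, ws_hex, ui_hex) for each difference."""
    if len(ws_serials) != len(ui_serials):
        raise ValueError("chain lengths differ: WS %d vs UI %d"
                         % (len(ws_serials), len(ui_serials)))
    return [(i, format(w, "x"), format(u, "x"))
            for i, (w, u) in enumerate(zip(ws_serials, ui_serials)) if w != u]


# --- constructed sample data (not real certificates, not real EJBCA output) ---
EE_SERIAL, SUBCA_SERIAL_OLD, SUBCA_SERIAL_NEW, ROOT_SERIAL = 0xEE01, 0x1A2B3C, 0x4D5E6F, 0x01


def fake_cert_der(serial: int) -> bytes:
    """Structural stub: Certificate { tbs { [0] v3, serial }, empty sigAlg, empty sig }."""
    tbs = der_tlv(0x30, der_tlv(0xA0, der_integer(2)) + der_integer(serial))
    return der_tlv(0x30, tbs + der_tlv(0x30, b"") + der_tlv(0x03, b"\x00"))


def sample_response() -> str:
    """A getLastCertChainResponse in which the SubCA entry still carries the pre-re-key serial."""
    returns = "".join(
        "<return><type>0</type><certificateData>%s</certificateData></return>"
        % base64.b64encode(base64.b64encode(c)).decode()
        for c in (fake_cert_der(EE_SERIAL), fake_cert_der(SUBCA_SERIAL_OLD), fake_cert_der(ROOT_SERIAL)))
    return ('<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/"><soap:Body>'
            '<ns2:getLastCertChainResponse xmlns:ns2="http://ws.protocol.core.ejbca.org/">'
            + returns + '</ns2:getLastCertChainResponse></soap:Body></soap:Envelope>')


if __name__ == "__main__":
    ws_chain = chain_serials(sample_response())          # [EE, SubCA, Root]
    ui_chain = [SUBCA_SERIAL_NEW, ROOT_SERIAL]            # serials of the Admin UI downloads
    print(mismatched_serials(ws_chain[1:], ui_chain))     # CA part of the WS chain only
```

Against a live instance, replace sample_response() with the body of the real getLastCertChainResponse and ui_chain with the serials read from the Admin UI downloads (e.g. openssl x509 -noout -serial); a non-empty result at index 0 is exactly the symptom reported above.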
