Discussion:
[Ejbca-develop] 'Allow Subject DN override' and web service call
Nikita Bedmutha
2017-02-01 11:20:40 UTC
Hi,

I have a user (end-entity) created using a certificate profile which has
'Allow Subject DN override' checked. This end-entity is registered with
Token as User Generated.
When I use 'Create Certificate from CSR' option on public web, I get the
certificate with the subject DN used while creating the CSR and not the
registered DN.
Now I want to achieve same using web service call. I tried the
'certificateRequest' and 'pkcs10' request with the same CSR that I used in
previous Public web call. But in the web service call case, I get
certificate with the registered DN and not overridden by the CSR.

Kindly guide me how to achieve this.

Thanks and Regards,
Nikita
Nikita Bedmutha
2017-02-02 12:44:14 UTC
Sorry for spamming, but just correcting the query:

I want to make a certificate request which uses the subject DN from CSR and
not the registered end entity subject DN. I am using the certificate
profile which has 'Allow subject DN override by CSR' checked. However the
web service requests 'pkcs10Request' as well as 'certificateRequest' do not
return certificates with subject DN overridden by the CSR but use the
registered DN only.

On the other hand, using the same CSR, the public web call 'Create
Certificate from CSR' as well as the 'createcert' CLI command generates a
certificate which has the subject DN overridden by the CSR.

Your inputs would really be very helpful.
Thanks.

Regards,
Nikita Bedmutha
Tomas Gustavsson
2017-02-03 00:05:07 UTC
This is very common to do this using WS so there is probably something
wrong with your call. Are you using the correct certificate profile in
your WS call?

Debug logging will show in detail all decisions regarding override or not
that it takes during certificate issuance.

Regards,
Tomas
---
RSA Conference 2017
------------------------------------------------------------------
San Francisco | February 13-17 | Moscone Center
Come visit us in booth #627 at RSA Conference 2017!

Want a free expo pass?
Go to https://www.rsaconference.com/events/us17/register
and use the code: XE7PRMKEY
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Ejbca-develop mailing list
https://lists.sourceforge.net/lists/listinfo/ejbca-develop
Nikita Bedmutha
2017-02-08 09:10:47 UTC
Hi,

I know this must be the very basic requirement to get the certificate with
subject DN overridden. But I have tried my best with all settings but no
clue what's going wrong.
I have a user 'user1' which is created with a 'Client endentity profile'
which uses default cert profile as 'Client Cert Profile'. This certificate
profile has 'Allow subject DN override by CSR' and 'Allow subject DN
override by End Entity Information' checked. In the case where both are
checked, documentation says that DN will be overridden by CSR.

Now I make this SOAP call for pkcs10Request:
Body:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:ws="http://ws.protocol.core.ejbca.org/">
  <soapenv:Header/>
  <soapenv:Body>
    <ws:pkcs10Request>
      <!--Optional:-->
      <arg0>user1</arg0>
      <!--Optional:-->
      <arg1>password</arg1>
      <!--Optional:-->
      <arg2>-----BEGIN CERTIFICATE REQUEST-----
[base64-encoded PKCS#10 request]
-----END CERTIFICATE REQUEST-----</arg2>
      <!--Optional:-->
      <arg3></arg3>
      <!--Optional:-->
      <arg4>CERTIFICATE</arg4>
    </ws:pkcs10Request>
  </soapenv:Body>
</soapenv:Envelope>


I even made call without '-----BEGIN CERTIFICATE REQUEST-----' and
'-----END CERTIFICATE REQUEST-----' but no success.
In both cases, the certificate generated still uses the subject DN which
was used while creating the user. I tried this webservice call using
SOAP-UI as well as eclipse code. Only when the call is made using public
web 'Create certificate from CSR' or cli command, the subject DN is
overridden. For some reason unable to achieve it through web service call.
Kindly guide me if I am doing anything wrong here.



Regards,
Nikita Bedmutha
Software Engineer | m: +91 94042 02790 | Great Software Laboratory
<http://www.gslab.com/> | <http://www.linkedin.com/in/nikitabedmutha>
Tomas Gustavsson
2017-02-08 09:51:58 UTC
I can only re-iterate here:

---
Debug logging will show in detail all decisions regarding override or not
that it takes during certificate issuance.
---

For more information about logging, how to configure debug etc, see
https://www.ejbca.org/docs/adminguide.html#Logging

/Tomas
Nikita Bedmutha
2017-02-08 13:35:30 UTC
Serious apologies for sending incomplete data. Well, I observed the Debug
logs for both the calls, call from web service and call from public web.
Here are my observations:

1. For the pkcs10Request webservice call through SOAP UI, the INFO log has
an entry:
CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=AdminUser,O=My Organization,C=SE;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=null;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBg
kqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4d
Cd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjr
IkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTX
lLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkM
hDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE
29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJr
nC/7TBVYijU0u6bwIDAQAB

where, requestX500name=null

2. For public web 'Create Certificate from CSR' call:
CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;RequestInstance: 123.252.222.122;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6
J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlA
zoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5
L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjind
NARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6
JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2
zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB

where, requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK

Both the calls use same CSR, also same certificate profile is being used in
both cases and the public key extracted from CSR also looks same.

However, in case of public web call we see a log statement, 'Using X509Name
from request instead of user's registered.' which is missing in webservice
call log and only 'Using subjectDN: CN=user1,OU=GSL,C=IN' can be seen.
I suspect this could be because requestX500name is null in case of
webservice call.

However, we are using the same CSR, so this behaviour is a bit confusing.
If this info can help. Thanks.

Regards,
Nikita Bedmutha
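
Added example, not part of the original thread and not EJBCA code: a Python check that parses CERT_REQUEST audit lines of the shape quoted in the post above and reports whether a request DN (requestX500name) reached the CA at all, which is the visible difference between the web service call and the public web call. The positional field names (caller, username), the function names and the sample log (the two quoted lines with wrapping undone and the public key replaced by a placeholder) are assumptions read off those two lines.

```python
"""Classify CERT_REQUEST audit lines by whether a request DN reached the CA."""
import re

# Constructed sample input: the two log lines from the post above, with the
# mail client's line wrapping undone and the public key replaced by a
# placeholder (the key is not needed for this check).
SAMPLE_LOG = """\
CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=AdminUser,O=My Organization,C=SE;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=null;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=PLACEHOLDER
CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;RequestInstance: 123.252.222.122;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=PLACEHOLDER
"""

# Assumption: the first eight ';'-separated fields are positional, as in the
# two quoted lines. Only "caller" and "username" are used below; the other
# names are labels chosen for this example.
HEADER_FIELDS = ("event", "status", "module", "service",
                 "caller", "field5", "field6", "username")


def parse_cert_request(line):
    """Return a dict for a CERT_REQUEST line, or None for any other line."""
    start = line.find("CERT_REQUEST;")  # tolerate a timestamp/logger prefix
    if start < 0:
        return None
    parts = line[start:].rstrip("\r\n").split(";")
    if len(parts) < len(HEADER_FIELDS):
        return None
    record = dict(zip(HEADER_FIELDS, parts))
    details = {}
    for field in parts[len(HEADER_FIELDS):]:
        # DN values contain '=' themselves, so split on the first one only.
        key, sep, value = field.partition("=")
        if sep:
            details[key.strip()] = value
    record["details"] = details
    return record


def normalize_dn(dn):
    """Compare DNs RDN by RDN: attribute type upper-cased, whitespace trimmed."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):  # do not split on escaped commas
        attr, _, value = rdn.partition("=")
        rdns.append((attr.strip().upper(), value.strip()))
    return tuple(rdns)


def classify(record):
    """Say whether the request carried a DN and whether it differs."""
    details = record["details"]
    requested = details.get("requestX500name", "")
    if requested in ("", "null"):
        return "request_dn_absent"      # CA can only use the registered DN
    if normalize_dn(requested) == normalize_dn(details.get("subjectdn", "")):
        return "request_dn_matches"
    return "request_dn_differs"         # override applies if the profile allows it


def audit(log_text):
    """Return one finding per CERT_REQUEST line in log_text."""
    findings = []
    for line in log_text.splitlines():
        record = parse_cert_request(line)
        if record is None:
            continue
        requested = record["details"].get("requestX500name", "")
        findings.append({
            "username": record["username"],
            "caller": record["caller"],
            "registered_dn": record["details"].get("subjectdn"),
            "request_dn": None if requested in ("", "null") else requested,
            "verdict": classify(record),
        })
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("{verdict:20} user={username} caller={caller!r} "
              "registered={registered_dn!r} request={request_dn!r}"
              .format(**finding))
```

On a profile with 'Allow subject DN override by CSR' enabled, the request_dn_differs lines are the issuances where the subject came from the requester rather than from the registered end entity, so they are the ones to review.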
Tomas Gustavsson
2017-02-09 09:16:50 UTC
What version of EJBCA are you using btw?

I'm using this WS command:

./ejbcaClientToolBox.sh EjbcaWsRaCli certreq req9 "CN=req9,O=Edited,C=SE" NULL ManagementCA User Client ./p10.der PKCS10 DER NONE .

My CSR has subjectDN:
C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=req9

If I have enabled "Allow Subject DN Override by CSR" in the Certificate
Profile "Client", my issued certificate gets the DN from the p10.

If you try using clientToolBox first, then you will know if/how the
feature works, and then you can try to translate it to SOAP-UI (you can
even debug log the full soap messages).

Regards,
Tomas
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Ejbca-develop mailing list
https://lists.sourceforge.net/lists/listinfo/ejbca-develop
Nikita Bedmutha
2017-02-09 13:10:38 UTC
Permalink
Hi,

Thanks for the pointers.

I am using EJBCA 6.3.1.1 Community (r21429)

I tried clientToolBox today on this version of EJBCA.
My command looked like:
./ejbcaClientToolBox.sh EjbcaWsRaCli certreq mgmtUser "CN=mgmtUser,C=SE" NULL ICA12 "Client EndEntity Profile" "Client Cert Profile" ./csr.pem PKCS10 PEM NONE .
which generated the mgmtUser.pem certificate file. However, this certificate
did not have the subjectDN overridden. It was the same 'CN=mgmtUser,C=SE' given
in the request and not the one given while creating the CSR.
Again, when trying this same CSR file with the public web call, it returned
the overridden subjectDN in the certificate.


I then tried the DER format for the above request:
./ejbcaClientToolBox.sh EjbcaWsRaCli certreq mgmtUser "CN=mgmtUser,C=SE" NULL ICA12 "Client EndEntity Profile" "Client Cert Profile" ./dercsr.der PKCS10 DER NONE .

However it returned:
com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Unmarshalling Error: Illegal character ((CTRL-CHAR, code 2))
 at [row,col {unknown-source}]: [1,530] Please see the server log to find more detail regarding exact cause of the failure.
org.ejbca.ui.cli.ErrorAdminCommandException: com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Unmarshalling Error: Illegal character ((CTRL-CHAR, code 2))
 at [row,col {unknown-source}]: [1,530] Please see the server log to find more detail regarding exact cause of the failure.
    at org.ejbca.core.protocol.ws.client.CertificateRequestCommand.execute(CertificateRequestCommand.java:146)
    at org.ejbca.core.protocol.ws.client.ejbcawsracli.main(ejbcawsracli.java:36)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
    at java.lang.reflect.Method.invoke(Method.java:498)
    at org.ejbca.ui.cli.EjbcaWsRaCli.execute(EjbcaWsRaCli.java:36)
    at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
    at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:66)
Caused by: com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Unmarshalling Error: Illegal character ((CTRL-CHAR, code 2))
 at [row,col {unknown-source}]: [1,530] Please see the server log to find more detail regarding exact cause of the failure.
    at com.sun.xml.internal.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:178)
    at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:116)
    at com.sun.xml.internal.ws.client.sei.StubHandler.readResponse(StubHandler.java:238)
    at com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(DatabindingImpl.java:189)
    at com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(DatabindingImpl.java:276)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:104)
    at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:77)
    at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:147)
    at com.sun.proxy.$Proxy32.certificateRequest(Unknown Source)
    at org.ejbca.core.protocol.ws.client.CertificateRequestCommand.execute(CertificateRequestCommand.java:111)
    ... 8 more


I did make sure that the CSR generated is in proper DER format. However
will look into it more.






Regards,
Nikita Bedmutha
Software Engineer | m: +91 94042 02790 | Great Software Laboratory <http://www.gslab.com/>
<http://www.linkedin.com/in/nikitabedmutha>
Post by Tomas Gustavsson
What version of EJBCA are you using btw?
./ejbcaClientToolBox.sh EjbcaWsRaCli certreq req9
"CN=req9,O=Edited,C=SE" NULL ManagementCA User Client ./p10.der PKCS10
DER NONE .
C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=req9
If I have enabled "Allow Subject DN Override by CSR" in the Certificate
Profile "Client". My issued certificate gets the DN from the p10.
If you try using clientToolBox first, then you will know if/how the
feature works, and then you can try to translate it to SOAP-UI (you can
even debug log the full soap messages).
Regards,
Tomas
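The SOAP fault in the post above names control character code 2. As an added example (not part of the thread and not EJBCA code): a DER-encoded PKCS#10 request whose base64 form begins "MIIC", as the CSR posted in this thread does, starts with the bytes 30 82 02, and XML 1.0 cannot carry byte 0x02 as character data, so a binary request has to be base64-encoded before it goes into a SOAP element. That this is what produced the fault in the post is an assumption; the function names and the sample bytes are constructed for illustration.

```python
import base64
import binascii
import re

# PEM armor for PKCS#10; some tools write "NEW CERTIFICATE REQUEST".
_PEM_RE = re.compile(
    rb"-----BEGIN (?:NEW )?CERTIFICATE REQUEST-----(.*?)"
    rb"-----END (?:NEW )?CERTIFICATE REQUEST-----",
    re.S,
)


def der_declared_length(data: bytes):
    """Total size (header + content) declared by an outer DER SEQUENCE, else None."""
    if len(data) < 2 or data[0] != 0x30:       # 0x30 = SEQUENCE tag
        return None
    first = data[1]
    if first < 0x80:                           # short form: length fits in one byte
        return 2 + first
    n = first & 0x7F                           # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:   # 0x80 (indefinite length) is not DER
        return None
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def classify_csr(data: bytes) -> str:
    """Return 'PEM', 'DER' or 'unknown' from the content, not from the file name."""
    if _PEM_RE.search(data):
        return "PEM"
    if der_declared_length(data) == len(data):
        return "DER"
    return "unknown"


def xml10_illegal_offsets(data: bytes):
    """Offsets of C0 control bytes that XML 1.0 forbids as character data.

    Below 0x20, XML 1.0 allows only TAB (0x09), LF (0x0A) and CR (0x0D).
    """
    return [i for i, b in enumerate(data)
            if b < 0x20 and b not in (0x09, 0x0A, 0x0D)]


def xml_safe_pkcs10(data: bytes) -> str:
    """Return the request as unarmored base64 text, safe inside an XML element."""
    kind = classify_csr(data)
    if kind == "PEM":
        body = b"".join(_PEM_RE.search(data).group(1).split())
        try:
            der = base64.b64decode(body, validate=True)
        except binascii.Error as exc:
            raise ValueError("PEM body is not valid base64") from exc
    elif kind == "DER":
        der = data
    else:
        raise ValueError("input is neither PEM nor DER PKCS#10")
    if der_declared_length(der) != len(der):
        raise ValueError("DER length header does not match the data size")
    return base64.b64encode(der).decode("ascii")


# Constructed sample, not a real CSR: a SEQUENCE header declaring 0x0293 (659)
# content bytes, followed by filler. Only the header matters for this check.
SAMPLE_DER = bytes.fromhex("30820293") + b"A" * 0x0293
SAMPLE_PEM = (
    b"-----BEGIN CERTIFICATE REQUEST-----\n"
    + base64.encodebytes(SAMPLE_DER)
    + b"-----END CERTIFICATE REQUEST-----\n"
)

if __name__ == "__main__":
    for name, blob in (("DER file", SAMPLE_DER), ("PEM file", SAMPLE_PEM)):
        bad = xml10_illegal_offsets(blob)
        print(name, "->", classify_csr(blob), "| XML-illegal bytes at", bad[:5])
    print("XML-safe form:", xml_safe_pkcs10(SAMPLE_DER)[:16] + "...")
```

Running the same check on a real `.der` file before submitting it shows whether the client has to encode it first; the PEM and DER inputs yield the same base64 string.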
Tomas Gustavsson
2017-02-09 13:34:42 UTC
Permalink
Might be a new feature. Can you test 6.5.0?

(I will update 6.5.0 release in a few days with a small upgrade fix, see
other issue in forums)

Cheers,
Tomas
Post by Nikita Bedmutha
Hi,
Thanks for the pointers.
I am using EJBCA 6.3.1.1 Community (r21429)
I tried clientToolBox today on this version of EJBCA.
My command looked : ./ejbcaClientToolBox.sh EjbcaWsRaCli certreq
mgmtUser "CN=mgmtUser,C=SE" NULL ICA12 "Client EndEntity Profile"
"Client Cert Profile" ./csr.pem PKCS10 PEM NONE .
which generated the mgmtUser.pem certificate file. However this
certificate did not have the subjectDN overriden. It was same
'CN=mgmtUser,C=SE' given in the request and not the one given while
creating CSR.
Again, when trying this same csr file with public web call, it returned
overridden subjectDN in certificate.
./ejbcaClientToolBox.sh EjbcaWsRaCli certreq mgmtUser "CN=mgmtUser,C=SE"
NULL ICA12 "Client EndEntity Profile" "Client Cert Profile" ./dercsr.der
PKCS10 DER NONE .
com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received
SOAP Fault from server: Unmarshalling Error: Illegal character
((CTRL-CHAR, code 2))
at [row,col {unknown-source}]: [1,530] Please see the server log to
find more detail regarding exact cause of the failure.
com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received
SOAP Fault from server: Unmarshalling Error: Illegal character
((CTRL-CHAR, code 2))
at [row,col {unknown-source}]: [1,530] Please see the server log to
find more detail regarding exact cause of the failure.
at
org.ejbca.core.protocol.ws.client.CertificateRequestCommand.execute(CertificateRequestCommand.java:146)
at
org.ejbca.core.protocol.ws.client.ejbcawsracli.main(ejbcawsracli.java:36)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at
sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.ejbca.ui.cli.EjbcaWsRaCli.execute(EjbcaWsRaCli.java:36)
at
org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:66)
Client received SOAP Fault from server: Unmarshalling Error: Illegal
character ((CTRL-CHAR, code 2))
at [row,col {unknown-source}]: [1,530] Please see the server log to
find more detail regarding exact cause of the failure.
at
com.sun.xml.internal.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:178)
at
com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:116)
at
com.sun.xml.internal.ws.client.sei.StubHandler.readResponse(StubHandler.java:238)
at
com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(DatabindingImpl.java:189)
at
com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(DatabindingImpl.java:276)
at
com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:104)
at
com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:77)
at
com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:147)
at com.sun.proxy.$Proxy32.certificateRequest(Unknown Source)
at
org.ejbca.core.protocol.ws.client.CertificateRequestCommand.execute(CertificateRequestCommand.java:111)
... 8 more
I did make sure that the CSR generated is in proper DER format. However
will look into it more.
Regards,
Nikita Bedmutha
Software Engineer | m: +91 94042 02790 | G
G <http://www.linkedin.com/in/nikitabedmutha>reat Software Laboratory
<http://www.gslab.com/>
What version of EJBCA are you using btw?
./ejbcaClientToolBox.sh EjbcaWsRaCli certreq req9
"CN=req9,O=Edited,C=SE" NULL ManagementCA User Client ./p10.der PKCS10
DER NONE .
C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=req9
If I have enabled "Allow Subject DN Override by CSR" in the Certificate
Profile "Client". My issued certificate gets the DN from the p10.
If you try using clientToolBox first, than you will know if/how the
feature works, and then you can try to translate it to SOAP-UI (you can
even debug log the full soap messages).
Regards,
Tomas
---
RSA Conference 2017
------------------------------------------------------------------
San Francisco | February 13-17 | Moscone Center
Come visit us in booth #627 at RSA Conference 2017!
Want a free expo pass?
Go to https://www.rsaconference.com/events/us17/register
<https://www.rsaconference.com/events/us17/register>
and use the code: XE7PRMKEY
Post by Nikita Bedmutha
Serious apologies for sending incomplete data. Well, I observed the
Debug logs for both the calls, call from web service and call from
1. For the pkcs10Request webservice call through SOAP UI, the INFO log
CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=AdminUser,O=My
Organization,C=SE;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=null;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB
Post by Nikita Bedmutha
where, requestX500name=null
123.252.222.122;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB
Post by Nikita Bedmutha
where, requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK
Both the calls use same CSR, also same certificate profile is
being used
Post by Nikita Bedmutha
in both cases and the public key extracted from CSR also looks same.
However, in case of public web call we see a log statement, 'Using
X509Name from request instead of user's registered.' which is
missing in
CN=user1,OU=GSL,C=IN' can
Post by Nikita Bedmutha
be seen.
I suspect this could be because requestX500name is null in case of
webservice call.
However, we are using same CSR and so this behaviour is bit
confusing.
Post by Nikita Bedmutha
If this info can help. Thanks.
Regards,
Nikita Bedmutha
Software Engineer | m: +91 94042 02790 | G
G <http://www.linkedin.com/in/nikitabedmutha
<http://www.linkedin.com/in/nikitabedmutha>>reat Software Laboratory
Post by Nikita Bedmutha
<http://www.gslab.com/>
---
Debug logging will show in detail all decisions egarding
override or not
Post by Nikita Bedmutha
that is takes during certificate issuance.
---
For more information about logging, how to configure debug
etc, see
Post by Nikita Bedmutha
https://www.ejbca.org/docs/adminguide.html#Logging
<https://www.ejbca.org/docs/adminguide.html#Logging>
Post by Nikita Bedmutha
<https://www.ejbca.org/docs/adminguide.html#Logging
<https://www.ejbca.org/docs/adminguide.html#Logging>>
Post by Nikita Bedmutha
/Tomas
Post by Nikita Bedmutha
Hi,
I know this must be the very basic requirement to get the
certificate
Post by Nikita Bedmutha
Post by Nikita Bedmutha
with subject DN overridden. But I have tried my best with
all settings
Post by Nikita Bedmutha
Post by Nikita Bedmutha
but no clue whats going wrong.
I have a user 'user1' which is created with a 'Client endentity
profile'
Post by Nikita Bedmutha
which uses default cert profile as 'Client Cert Profile'. This
certificate profile has 'Allow subject DN override by CSR'
and 'Allow
Post by Nikita Bedmutha
Post by Nikita Bedmutha
subject DN override by End Entity Information' checked. In
the case
Post by Nikita Bedmutha
Post by Nikita Bedmutha
where both are checked, documentation says that DN will be
overriden by CSR.
Post by Nikita Bedmutha
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/
<http://schemas.xmlsoap.org/soap/envelope/>
Post by Nikita Bedmutha
<http://schemas.xmlsoap.org/soap/envelope/
<http://schemas.xmlsoap.org/soap/envelope/>>"
Post by Nikita Bedmutha
Post by Nikita Bedmutha
xmlns:ws="http://ws.protocol.core.ejbca.org/
<http://ws.protocol.core.ejbca.org/>
Post by Nikita Bedmutha
<http://ws.protocol.core.ejbca.org/
<http://ws.protocol.core.ejbca.org/>>">
Post by Nikita Bedmutha
Post by Nikita Bedmutha
<soapenv:Header/>
<soapenv:Body>
<ws:pkcs10Request>
<!--Optional:-->
<arg0>user1</arg0>
<!--Optional:-->
<arg1>password</arg1>
<!--Optional:-->
<arg2>-----BEGIN CERTIFICATE REQUEST-----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-----END CERTIFICATE REQUEST-----</arg2>
<!--Optional:-->
<arg3></arg3>
<!--Optional:-->
<arg4>CERTIFICATE</arg4>
</ws:pkcs10Request>
</soapenv:Body>
</soapenv:Envelope>
I even made call without '-----BEGIN CERTIFICATE
REQUEST-----' and
Post by Nikita Bedmutha
Post by Nikita Bedmutha
'-----END CERTIFICATE REQUEST-----' but no success.
In both cases, the certificate generated still uses the
subject DN
Post by Nikita Bedmutha
which
Post by Nikita Bedmutha
was used while creating the user. I tried this webservice
call using
Post by Nikita Bedmutha
Post by Nikita Bedmutha
SOAP-UI as well as eclipse code. Only when the call is made
using
Post by Nikita Bedmutha
public
Post by Nikita Bedmutha
web 'Create certificate from CSR' or cli command, the
subject DN is
Post by Nikita Bedmutha
Post by Nikita Bedmutha
overriden. For some reason unable to achieve it through web
service
Post by Nikita Bedmutha
Post by Nikita Bedmutha
call. Kindly guide me if I am doing anything wrong here.
Regards,
Nikita Bedmutha
Software Engineer | m: +91 94042 02790 | G
G <http://www.linkedin.com/in/nikitabedmutha
<http://www.linkedin.com/in/nikitabedmutha>
Post by Nikita Bedmutha
<http://www.linkedin.com/in/nikitabedmutha
<http://www.linkedin.com/in/nikitabedmutha>>>reat Software Laboratory
Post by Nikita Bedmutha
Post by Nikita Bedmutha
<http://www.gslab.com/>
On Fri, Feb 3, 2017 at 5:35 AM, Tomas Gustavsson
This is very common to do this using WS so there is probably
something
Post by Nikita Bedmutha
wrong with your call. Are you using the correct certificate
profile in
Post by Nikita Bedmutha
your WS call?
Debug logging will show in detail all decisions egarding
override or not
Post by Nikita Bedmutha
that is takes during certificate issuance.
Regards,
Tomas
---
RSA Conference 2017
------------------------------------------------------------------
Post by Nikita Bedmutha
Post by Nikita Bedmutha
San Francisco | February 13-17 | Moscone Center
Come visit us in booth #627 at RSA Conference 2017!
Want a free expo pass?
Go to https://www.rsaconference.com/events/us17/register
<https://www.rsaconference.com/events/us17/register>
Post by Nikita Bedmutha
<https://www.rsaconference.com/events/us17/register
<https://www.rsaconference.com/events/us17/register>>
Post by Nikita Bedmutha
Post by Nikita Bedmutha
<https://www.rsaconference.com/events/us17/register
<https://www.rsaconference.com/events/us17/register>
Post by Nikita Bedmutha
<https://www.rsaconference.com/events/us17/register
<https://www.rsaconference.com/events/us17/register>>>
Post by Nikita Bedmutha
Post by Nikita Bedmutha
and use the code: XE7PRMKEY
Post by Nikita Bedmutha
I want to make a certificate request which uses the
subject
Post by Nikita Bedmutha
DN from CSR
Post by Nikita Bedmutha
Post by Nikita Bedmutha
and not the registered end entity subject DN . I am
using the
Post by Nikita Bedmutha
Post by Nikita Bedmutha
Post by Nikita Bedmutha
certificate profile which has 'Allow subject DN
override by CSR'
Post by Nikita Bedmutha
Post by Nikita Bedmutha
Post by Nikita Bedmutha
checked. However the web service requests
'pkcs10Request' as
Post by Nikita Bedmutha
well as
Post by Nikita Bedmutha
Post by Nikita Bedmutha
'certificateRequest' do not return certificates with
subject DN
Post by Nikita Bedmutha
Post by Nikita Bedmutha
Post by Nikita Bedmutha
overridden by the CSR but uses the registered DN only.
On the other hand, using the same CSR, the public web call
'Create
Post by Nikita Bedmutha
Post by Nikita Bedmutha
Certificate from CSR' as well as the 'createcert' CLI
command generates
Post by Nikita Bedmutha
Post by Nikita Bedmutha
a certificate which has the subject DN overridden by
the CSR.
Post by Nikita Bedmutha
Post by Nikita Bedmutha
Post by Nikita Bedmutha
Your inputs would really be very helpful.
Thanks.
Regards,
Nikita Bedmutha
On Wed, Feb 1, 2017 at 4:50 PM, Nikita Bedmutha
Hi,
I have a user(end-entity) created using a certificate profile which
has 'Allow Subject DN override' checked. This end-entity is
registered with Token as User Generated.
When I use 'Create Certificate from CSR' option on public web, I get
the certificate with the subject DN used while creating the CSR and
not the registered DN.
Now I want to achieve same using web service call. I tried the
'certificateRequest' and 'pkcs10' request with the same CSR that I
used in previous Public web call. But in the web service call case,
I get certificate with the registered DN and not overridden by the CSR.
Kindly guide me how to achieve this.
Thanks and Regards,
Nikita
Nikita Bedmutha
2017-02-09 13:48:15 UTC
Permalink
Sure. I will try on latest version. Thanks.

Regards,
Nikita Bedmutha
Software Engineer | m: +91 94042 02790 | <http://www.linkedin.com/in/nikitabedmutha>
Great Software Laboratory <http://www.gslab.com/>
Post by Tomas Gustavsson
Might be a new feature. Can you test 6.5.0?
(I will update 6.5.0 release in a few days with a small upgrade fix, see
other issue in forums)
Cheers,
Tomas
Post by Nikita Bedmutha
Hi,
Thanks for the pointers.
I am using EJBCA 6.3.1.1 Community (r21429)
I tried clientToolBox today on this version of EJBCA.
My command looked : ./ejbcaClientToolBox.sh EjbcaWsRaCli certreq
mgmtUser "CN=mgmtUser,C=SE" NULL ICA12 "Client EndEntity Profile"
"Client Cert Profile" ./csr.pem PKCS10 PEM NONE .
which generated the mgmtUser.pem certificate file. However this
certificate did not have the subjectDN overridden. It was same
'CN=mgmtUser,C=SE' given in the request and not the one given while
creating CSR.
Again, when trying this same csr file with public web call, it returned
overridden subjectDN in certificate.
./ejbcaClientToolBox.sh EjbcaWsRaCli certreq mgmtUser "CN=mgmtUser,C=SE"
NULL ICA12 "Client EndEntity Profile" "Client Cert Profile" ./dercsr.der
PKCS10 DER NONE .
com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received
SOAP Fault from server: Unmarshalling Error: Illegal character
((CTRL-CHAR, code 2))
at [row,col {unknown-source}]: [1,530] Please see the server log to
find more detail regarding exact cause of the failure.
com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received
SOAP Fault from server: Unmarshalling Error: Illegal character
((CTRL-CHAR, code 2))
at [row,col {unknown-source}]: [1,530] Please see the server log to
find more detail regarding exact cause of the failure.
at org.ejbca.core.protocol.ws.client.CertificateRequestCommand.execute(CertificateRequestCommand.java:146)
at org.ejbca.core.protocol.ws.client.ejbcawsracli.main(ejbcawsracli.java:36)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.ejbca.ui.cli.EjbcaWsRaCli.execute(EjbcaWsRaCli.java:36)
at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:66)
Client received SOAP Fault from server: Unmarshalling Error: Illegal
character ((CTRL-CHAR, code 2))
at [row,col {unknown-source}]: [1,530] Please see the server log to
find more detail regarding exact cause of the failure.
at com.sun.xml.internal.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:178)
at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:116)
at com.sun.xml.internal.ws.client.sei.StubHandler.readResponse(StubHandler.java:238)
at com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(DatabindingImpl.java:189)
at com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(DatabindingImpl.java:276)
at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:104)
at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:77)
at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:147)
at com.sun.proxy.$Proxy32.certificateRequest(Unknown Source)
at org.ejbca.core.protocol.ws.client.CertificateRequestCommand.execute(CertificateRequestCommand.java:111)
... 8 more
I did make sure that the CSR generated is in proper DER format. However
will look into it more.
Regards,
Nikita Bedmutha
What version of EJBCA are you using btw?
./ejbcaClientToolBox.sh EjbcaWsRaCli certreq req9
"CN=req9,O=Edited,C=SE" NULL ManagementCA User Client ./p10.der PKCS10
DER NONE .
C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=req9
If I have enabled "Allow Subject DN Override by CSR" in the Certificate
Profile "Client". My issued certificate gets the DN from the p10.
If you try using clientToolBox first, then you will know if/how the
feature works, and then you can try to translate it to SOAP-UI (you can
even debug log the full soap messages).
Regards,
Tomas
Post by Nikita Bedmutha
Serious apologies for sending incomplete data. Well, I observed the
Debug logs for both the calls, call from web service and call from
1. For the pkcs10Request webservice call through SOAP UI, the INFO log
CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=AdminUser,O=My
Organization,C=SE;-759363256;;user1;subjectdn=CN=user1,OU=
GSL,C=IN;requestX500name=null;certprofile=1681037015;
keyusage=-1;notbefore=;notafter=;sequence=;publickey=
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZi
j4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzP
ylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/
4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+
Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhK
bVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyE
GY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB
where, requestX500name=null
123.252.222.122;-759363256;;user1;subjectdn=CN=user1,OU=
GSL,C=IN;requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK;
certprofile=1681037015;keyusage=-1;notbefore=;
notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ
8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6Tdqdu
A0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqT
u6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/
g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9W
CXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVY
uo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB
where, requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK
Both the calls use same CSR, also same certificate profile is being used
in both cases and the public key extracted from CSR also looks same.
However, in case of public web call we see a log statement, 'Using
X509Name from request instead of user's registered.' which is missing in
CN=user1,OU=GSL,C=IN' can be seen.
I suspect this could be because requestX500name is null in case of
webservice call.
However, we are using same CSR and so this behaviour is bit confusing.
If this info can help. Thanks.
Regards,
Nikita Bedmutha
On Wed, Feb 8, 2017 at 3:21 PM, Tomas Gustavsson <
---
Debug logging will show in detail all decisions regarding override or not
that it takes during certificate issuance.
---
For more information about logging, how to configure debug etc, see
https://www.ejbca.org/docs/adminguide.html#Logging
/Tomas
Post by Nikita Bedmutha
Hi,
I know this must be the very basic requirement to get the certificate
with subject DN overridden. But I have tried my best with all settings
but no clue what's going wrong.
I have a user 'user1' which is created with a 'Client endentity profile'
which uses default cert profile as 'Client Cert Profile'. This
certificate profile has 'Allow subject DN override by CSR' and 'Allow
subject DN override by End Entity Information' checked. In the case
where both are checked, documentation says that DN will be overridden by CSR.
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/"
xmlns:ws="http://ws.protocol.core.ejbca.org/">
<soapenv:Header/>
<soapenv:Body>
<ws:pkcs10Request>
<!--Optional:-->
<arg0>user1</arg0>
<!--Optional:-->
<arg1>password</arg1>
<!--Optional:-->
<arg2>-----BEGIN CERTIFICATE REQUEST-----
MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCT08xCzAJBgNVBAgMAktLMQswCQYDVQQH
DAJQUDELMAkGA1UECgwCSkoxCzAJBgNVBAsMAkxMMQswCQYDVQQDDAJLSzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOvNjuie1L0SwkomYo+L7NIJLOHQ
nfc2T40eJPFGwek3anbgNFrLedFX0MFgW8k2JQM6CF14xa88z8pSaecsr46yJIhF
Cn+440zN3ecRy6k7umotmuYMtqGc7Hl2Y+S/+GSNo+UHR1QMkD30iU15S7FVEII0
2O9y74yaMZgP4PCIeiGSxngybMY4p3TQEXHmnPg4Or8my2OcYZDIQ6Jr4opZjsPB
fJvVgl746KseurPG7dRXD+U+4eicDU6JISm1btpa/RqdAZhNvVSyyEvScyF72jFW
LqNnrVdDibSPcSZpEXnwotsy4MCLMhBmNEAmNkWOTia5wv+0wVWIo1NLum8CAwEA
AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB9KtGBwZA7W+haj6OUXsj83qTKLv+o3cjk
RPDqVYIRaRQqcacf5z9TXLH1+gQ63Q1RZzG6U9t4TnhzitVQxa2nSk0k/mNTrecp
1G+pqRg1eQ91Yq/fbAg5gOc4tHXcNwGJ/WvbMJYmQ1OOHgzxn1IYM1yEz6ZqgsEC
EtiGlRlfEBO4TAdHcf/HVgOWXVsCP+QF7/ibk8q6BYbGZGpzSZ/ZLSDtauKxpP8z
++VLGGTuIO4CMLuqDzhHtmnGD0EzwdKf8koeLfAXSj5AjfWUrVJA1P7xoZfUJrg/
fLK3lnrKOP6K5CG1HyCvJt4c8NFqgdH22LMtWJ113QKgPtGZzWAu
-----END CERTIFICATE REQUEST-----</arg2>
<!--Optional:-->
<arg3></arg3>
<!--Optional:-->
<arg4>CERTIFICATE</arg4>
</ws:pkcs10Request>
</soapenv:Body>
</soapenv:Envelope>
I even made call without '-----BEGIN CERTIFICATE REQUEST-----' and
'-----END CERTIFICATE REQUEST-----' but no success.
In both cases, the certificate generated still uses the subject DN which
was used while creating the user. I tried this webservice call using
SOAP-UI as well as eclipse code. Only when the call is made using public
web 'Create certificate from CSR' or cli command, the subject DN is
overridden. For some reason unable to achieve it through web service
call. Kindly guide me if I am doing anything wrong here.
Regards,
Nikita Bedmutha
On Fri, Feb 3, 2017 at 5:35 AM, Tomas Gustavsson
This is very common to do this using WS so there is probably something
wrong with your call. Are you using the correct certificate profile in
your WS call?
Debug logging will show in detail all decisions regarding override or not
that it takes during certificate issuance.
Regards,
Tomas
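The comparison made in the quoted messages above (requestX500name in the CERT_REQUEST log record against the subject carried in the CSR) can be scripted; this is an added Python example, not code from EJBCA or from the posters. The function names are hypothetical, the log records are the thread's own lines shortened to the fields used, and DN values are assumed to contain no escaped commas.

```python
import base64

# First 128 base64 characters (96 bytes) of the CSR posted in the thread;
# that prefix already contains the complete subject Name.
CSR_PREFIX_DER = base64.b64decode(
    "MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCT08xCzAJBgNVBAgMAktLMQswCQYDVQQH"
    "DAJQUDELMAkGA1UECgwCSkoxCzAJBgNVBAsMAkxMMQswCQYDVQQDDAJLSzCCASIw"
)

# Log records from the thread, shortened to the fields used here.
WS_LINE = ("CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=AdminUser,O=My Organization,C=SE;"
           "-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=null;"
           "certprofile=1681037015;keyusage=-1")
WEB_LINE = ("-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;"
            "requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK;"
            "certprofile=1681037015;keyusage=-1")

# Field names as they appear in the log lines quoted in the thread.
LOG_KEYS = ("subjectdn", "requestX500name", "certprofile", "keyusage",
            "notbefore", "notafter", "sequence", "publickey")
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.6": "C", "2.5.4.7": "L",
             "2.5.4.8": "ST", "2.5.4.10": "O", "2.5.4.11": "OU"}


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(raw):
    parts, n = [raw[0] // 40, raw[0] % 40], 0
    for byte in raw[1:]:
        n = (n << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(n)
            n = 0
    return ".".join(str(p) for p in parts)


def csr_subject(der):
    """Extract the subject of a PKCS#10 request as a list of (type, value)."""
    _, p, _ = read_tlv(der, 0)              # CertificationRequest
    _, p, _ = read_tlv(der, p)              # CertificationRequestInfo
    _, _, p = read_tlv(der, p)              # skip version INTEGER
    _, p, end = read_tlv(der, p)            # subject Name
    if end > len(der):
        raise ValueError("input ends before the subject does")
    rdns = []
    while p < end:
        _, a, set_end = read_tlv(der, p)    # RelativeDistinguishedName (SET)
        while a < set_end:                  # usually one attribute per RDN
            _, o, atv_end = read_tlv(der, a)
            _, o_start, o_end = read_tlv(der, o)
            tag, v_start, v_end = read_tlv(der, o_end)
            enc = "utf-16-be" if tag == 0x1E else "utf-8"   # BMPString vs. the rest
            oid = decode_oid(der[o_start:o_end])
            rdns.append((OID_NAMES.get(oid, oid), der[v_start:v_end].decode(enc)))
            a = atv_end
        p = set_end
    return rdns


def parse_cert_request(line):
    """Pick the key=value fields out of a semicolon-separated log record."""
    fields = {}
    for token in line.split(";"):
        key, sep, value = token.partition("=")
        if sep and key in LOG_KEYS:
            fields[key] = value
    return fields


def parse_dn(text):
    return [(k.strip().upper(), v.strip())
            for k, _, v in (part.partition("=") for part in text.split(","))]


def diagnose(line, csr_der):
    """Say whether the logged request DN is the DN that the CSR carries."""
    logged = parse_cert_request(line).get("requestX500name")
    if logged in (None, "", "null"):
        return "request-dn-missing"         # log shows no DN taken from the request
    # Order-insensitive comparison: tools print RDNs in either direction.
    if sorted(parse_dn(logged)) == sorted(csr_subject(csr_der)):
        return "request-dn-present"
    return "request-dn-mismatch"


if __name__ == "__main__":
    for name, line in (("web service", WS_LINE), ("public web", WEB_LINE)):
        print(name, "->", diagnose(line, CSR_PREFIX_DER))
```

The result only says whether the request DN shows up in the log record; whether the CA then uses it still depends on the certificate profile setting discussed in the thread.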
Nikita Bedmutha
2017-02-10 06:24:12 UTC
Permalink
Hi,

My issue is resolved with the EJBCA 6.5.0 version. The subject DN is
overridden now in web services call.
Thanks.

Regards,
Nikita Bedmutha
Post by Nikita Bedmutha
Serious apologies for sending incomplete data. Well, I observed the
Debug logs for both the calls, call from web service and call from
1. For the pkcs10Request webservice call through SOAP UI, the INFO log
CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=AdminUser,O=My
Organization,C=SE;-759363256;;user1;subjectdn=CN=user1,OU=G
SL,C=IN;requestX500name=null;certprofile=1681037015;keyusage
=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBg
kqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4d
Cd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjr
IkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTX
lLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkM
hDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE
29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJr
nC/7TBVYijU0u6bwIDAQAB
Post by Nikita Bedmutha
Post by Nikita Bedmutha
where, requestX500name=null
123.252.222.122;-759363256;;user1;subjectdn=CN=user1,OU=GSL
,C=IN;requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK;certp
rofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=
;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6
J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlA
zoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5
L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjind
NARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6
JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2
zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB
Post by Nikita Bedmutha
Post by Nikita Bedmutha
where, requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK
Both the calls use same CSR, also same certificate profile is
being used
Post by Nikita Bedmutha
in both cases and the public key extracted from CSR also looks
same.
Post by Nikita Bedmutha
Post by Nikita Bedmutha
However, in case of public web call we see a log statement, 'Using
X509Name from request instead of user's registered.' which is
missing in
CN=user1,OU=GSL,C=IN' can
Post by Nikita Bedmutha
be seen.
I suspect this could be because requestX500name is null in case of
webservice call.
However, we are using same CSR and so this behaviour is bit
confusing.
Post by Nikita Bedmutha
If this info can help. Thanks.
Regards,
Nikita Bedmutha
On Wed, Feb 8, 2017 at 3:21 PM, Tomas Gustavsson <
---
Debug logging will show in detail all decisions regarding override or not that it takes during certificate issuance.
---
For more information about logging, how to configure debug etc, see
https://www.ejbca.org/docs/adminguide.html#Logging
/Tomas
Post by Nikita Bedmutha
Hi,
I know this must be the very basic requirement to get the certificate with subject DN overridden. But I have tried my best with all settings but no clue what's going wrong.
I have a user 'user1' which is created with a 'Client endentity profile' which uses default cert profile as 'Client Cert Profile'. This certificate profile has 'Allow subject DN override by CSR' and 'Allow subject DN override by End Entity Information' checked. In the case where both are checked, documentation says that DN will be overridden by CSR.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ws="http://ws.protocol.core.ejbca.org/">
  <soapenv:Header/>
  <soapenv:Body>
    <ws:pkcs10Request>
      <!--Optional:-->
      <arg0>user1</arg0>
      <!--Optional:-->
      <arg1>password</arg1>
      <!--Optional:-->
      <arg2>-----BEGIN CERTIFICATE REQUEST-----
MIICkzCCAXsCAQAwTjELMAkGA1UEBhMCT08xCzAJBgNVBAgMAktLMQswCQYDVQQH
DAJQUDELMAkGA1UECgwCSkoxCzAJBgNVBAsMAkxMMQswCQYDVQQDDAJLSzCCASIw
DQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAOvNjuie1L0SwkomYo+L7NIJLOHQ
nfc2T40eJPFGwek3anbgNFrLedFX0MFgW8k2JQM6CF14xa88z8pSaecsr46yJIhF
Cn+440zN3ecRy6k7umotmuYMtqGc7Hl2Y+S/+GSNo+UHR1QMkD30iU15S7FVEII0
2O9y74yaMZgP4PCIeiGSxngybMY4p3TQEXHmnPg4Or8my2OcYZDIQ6Jr4opZjsPB
fJvVgl746KseurPG7dRXD+U+4eicDU6JISm1btpa/RqdAZhNvVSyyEvScyF72jFW
LqNnrVdDibSPcSZpEXnwotsy4MCLMhBmNEAmNkWOTia5wv+0wVWIo1NLum8CAwEA
AaAAMA0GCSqGSIb3DQEBCwUAA4IBAQB9KtGBwZA7W+haj6OUXsj83qTKLv+o3cjk
RPDqVYIRaRQqcacf5z9TXLH1+gQ63Q1RZzG6U9t4TnhzitVQxa2nSk0k/mNTrecp
1G+pqRg1eQ91Yq/fbAg5gOc4tHXcNwGJ/WvbMJYmQ1OOHgzxn1IYM1yEz6ZqgsEC
EtiGlRlfEBO4TAdHcf/HVgOWXVsCP+QF7/ibk8q6BYbGZGpzSZ/ZLSDtauKxpP8z
++VLGGTuIO4CMLuqDzhHtmnGD0EzwdKf8koeLfAXSj5AjfWUrVJA1P7xoZfUJrg/
fLK3lnrKOP6K5CG1HyCvJt4c8NFqgdH22LMtWJ113QKgPtGZzWAu
-----END CERTIFICATE REQUEST-----</arg2>
      <!--Optional:-->
      <arg3></arg3>
      <!--Optional:-->
      <arg4>CERTIFICATE</arg4>
    </ws:pkcs10Request>
  </soapenv:Body>
</soapenv:Envelope>
I even made call without '-----BEGIN CERTIFICATE REQUEST-----' and '-----END CERTIFICATE REQUEST-----' but no success.
In both cases, the certificate generated still uses the subject DN which was used while creating the user. I tried this webservice call using SOAP-UI as well as eclipse code. Only when the call is made using public web 'Create certificate from CSR' or cli command, the subject DN is overridden. For some reason unable to achieve it through web service call. Kindly guide me if I am doing anything wrong here.
Regards,
Nikita Bedmutha
On Fri, Feb 3, 2017 at 5:35 AM, Tomas Gustavsson
This is very common to do this using WS so there is probably something wrong with your call. Are you using the correct certificate profile in your WS call?
Debug logging will show in detail all decisions regarding override or not that it takes during certificate issuance.
Regards,
Tomas
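The log comparison made in the thread above (requestX500name=null for the web service call, a populated requestX500name for the public web call) can be run over a whole audit log to see which issuances carried a request DN and whether it differed from the registered one. This Python script is an added example, not code from the thread or from EJBCA; the sample lines are constructed from the two entries quoted above (placeholder public key, documentation IP address), and the status labels and the order-insensitive DN comparison are assumptions of this example.

```python
import re

# Keys of interest, as they appear in the CERT_REQUEST lines quoted in the thread.
KNOWN_KEYS = ("subjectdn", "requestX500name", "certprofile")

# Constructed sample input modelled on the quoted log entries.
# The publickey value is a placeholder and 192.0.2.10 is a documentation address.
SAMPLE_LOG = """\
CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=AdminUser,O=My Organization,C=SE;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=null;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=PLACEHOLDER
CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;192.0.2.10;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=PLACEHOLDER
CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;192.0.2.10;-759363256;;user2;subjectdn=CN=user2,OU=GSL,C=IN;requestX500name=c=IN, ou=GSL, cn=user2;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=PLACEHOLDER
"""


def parse_entry(line):
    """Return (username, fields) for a CERT_REQUEST line, or None for any other line."""
    start = line.find("CERT_REQUEST;")
    if start == -1:
        return None
    # Assumption: ';' does not occur inside a DN value in these lines.
    tokens = line[start:].strip().split(";")
    fields = {}
    username = None
    for i, token in enumerate(tokens):
        key, sep, value = token.partition("=")
        if sep and key in KNOWN_KEYS and key not in fields:
            fields[key] = value
            if key == "subjectdn":
                # In the quoted lines the username is the token just before subjectdn.
                username = tokens[i - 1]
    if "subjectdn" not in fields:
        return None
    return username, fields


def normalize_dn(dn):
    """Turn a DN string into an order-insensitive, case-insensitive tuple of RDNs."""
    rdns = []
    for part in re.split(r"(?<!\\),", dn):  # split on commas that are not escaped
        attr, sep, value = part.partition("=")
        if not sep or not attr.strip():
            raise ValueError("not an attribute=value pair: %r" % part)
        rdns.append((attr.strip().upper(), " ".join(value.split()).casefold()))
    return tuple(sorted(rdns))


def classify(fields):
    """Compare the DN seen in the request with the registered DN of the end entity."""
    requested = fields.get("requestX500name", "")
    if requested in ("", "null"):
        # No DN from the CSR reached the issuance step, so no override is possible.
        return "NO_REQUEST_DN"
    try:
        same = normalize_dn(requested) == normalize_dn(fields["subjectdn"])
    except ValueError:
        return "UNPARSEABLE"
    # DIFFERS marks requests whose DN was chosen by the requester; with
    # 'Allow subject DN override by CSR' enabled these are the ones to review.
    return "SAME" if same else "DIFFERS"


def audit(log_text):
    """Return [(username, status), ...] for every CERT_REQUEST line in the text."""
    results = []
    for line in log_text.splitlines():
        entry = parse_entry(line)
        if entry is not None:
            username, fields = entry
            results.append((username, classify(fields)))
    return results


if __name__ == "__main__":
    for username, status in audit(SAMPLE_LOG):
        print(username, status)
```
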
Tomas Gustavsson
2017-02-10 07:40:44 UTC
Permalink
Great.

Regards,
Tomas
---
RSA Conference 2017
------------------------------------------------------------------
San Francisco | February 13-17 | Moscone Center
Come visit us in booth #627 at RSA Conference 2017!

Want a free expo pass?
Go to https://www.rsaconference.com/events/us17/register
and use the code: XE7PRMKEY
Post by Nikita Bedmutha
Hi,
My issue is resolved with the EJBCA 6.5.0 version. The subject DN is overridden now in web services call.
Thanks.
Regards,
Nikita Bedmutha
On Thu, Feb 9, 2017 at 7:18 PM, Nikita Bedmutha
Sure. I will try on latest version. Thanks.
Regards,
Nikita Bedmutha
Might be a new feature. Can you test 6.5.0?
(I will update 6.5.0 release in a few days with a small upgrade fix, see other issue in forums)
Cheers,
Tomas
Post by Nikita Bedmutha
Hi,
Thanks for the pointers.
I am using EJBCA 6.3.1.1 Community (r21429)
I tried clientToolBox today on this version of EJBCA.
My command looked : ./ejbcaClientToolBox.sh EjbcaWsRaCli certreq mgmtUser "CN=mgmtUser,C=SE" NULL ICA12 "Client EndEntity Profile" "Client Cert Profile" ./csr.pem PKCS10 PEM NONE .
which generated the mgmtUser.pem certificate file. However this certificate did not have the subjectDN overridden. It was same 'CN=mgmtUser,C=SE' given in the request and not the one given while creating CSR.
Again, when trying this same csr file with public web call, it returned overridden subjectDN in certificate.
./ejbcaClientToolBox.sh EjbcaWsRaCli certreq mgmtUser "CN=mgmtUser,C=SE" NULL ICA12 "Client EndEntity Profile" "Client Cert Profile" ./dercsr.der PKCS10 DER NONE .
com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Unmarshalling Error: Illegal character ((CTRL-CHAR, code 2))
at [row,col {unknown-source}]: [1,530] Please see the server log to find more detail regarding exact cause of the failure.
com.sun.xml.internal.ws.fault.ServerSOAPFaultException: Client received SOAP Fault from server: Unmarshalling Error: Illegal character ((CTRL-CHAR, code 2))
at [row,col {unknown-source}]: [1,530] Please see the server log to find more detail regarding exact cause of the failure.
at org.ejbca.core.protocol.ws.client.CertificateRequestCommand.execute(CertificateRequestCommand.java:146)
at org.ejbca.core.protocol.ws.client.ejbcawsracli.main(ejbcawsracli.java:36)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.ejbca.ui.cli.EjbcaWsRaCli.execute(EjbcaWsRaCli.java:36)
at org.ejbca.ui.cli.ClientToolBox.executeIfSelected(ClientToolBox.java:40)
at org.ejbca.ui.cli.ClientToolBox.main(ClientToolBox.java:66)
Illegal character ((CTRL-CHAR, code 2))
at [row,col {unknown-source}]: [1,530] Please see the server log to find more detail regarding exact cause of the failure.
at com.sun.xml.internal.ws.fault.SOAP11Fault.getProtocolException(SOAP11Fault.java:178)
at com.sun.xml.internal.ws.fault.SOAPFaultBuilder.createException(SOAPFaultBuilder.java:116)
at com.sun.xml.internal.ws.client.sei.StubHandler.readResponse(StubHandler.java:238)
at com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(DatabindingImpl.java:189)
at com.sun.xml.internal.ws.db.DatabindingImpl.deserializeResponse(DatabindingImpl.java:276)
at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:104)
at com.sun.xml.internal.ws.client.sei.SyncMethodHandler.invoke(SyncMethodHandler.java:77)
at com.sun.xml.internal.ws.client.sei.SEIStub.invoke(SEIStub.java:147)
at com.sun.proxy.$Proxy32.certificateRequest(Unknown Source)
at org.ejbca.core.protocol.ws.client.CertificateRequestCommand.execute(CertificateRequestCommand.java:111)
... 8 more
I did make sure that the CSR generated is in proper DER format. However will look into it more.
Regards,
Nikita Bedmutha
Software Engineer | m: +91 94042 02790 | G
G <http://www.linkedin.com/in/nikitabedmutha
<http://www.linkedin.com/in/nikitabedmutha>>reat Software Laboratory
Post by Nikita Bedmutha
<http://www.gslab.com/>
What version of EJBCA are you using btw?
./ejbcaClientToolBox.sh EjbcaWsRaCli certreq req9
"CN=req9,O=Edited,C=SE" NULL ManagementCA User Client
./p10.der PKCS10
Post by Nikita Bedmutha
DER NONE .
C=AU, ST=Some-State, O=Internet Widgits Pty Ltd, CN=req9
If I have enabled "Allow Subject DN Override by CSR" in
the Certificate
Post by Nikita Bedmutha
Profile "Client". My issued certificate gets the DN from
the p10.
Post by Nikita Bedmutha
If you try using clientToolBox first, than you will know
if/how the
Post by Nikita Bedmutha
feature works, and then you can try to translate it to
SOAP-UI (you can
Post by Nikita Bedmutha
even debug log the full soap messages).
Regards,
Tomas
---
RSA Conference 2017
------------------------------------------------------------------
Post by Nikita Bedmutha
San Francisco | February 13-17 | Moscone Center
Come visit us in booth #627 at RSA Conference 2017!
Want a free expo pass?
Go to https://www.rsaconference.com/events/us17/register
<https://www.rsaconference.com/events/us17/register>
Post by Nikita Bedmutha
<https://www.rsaconference.com/events/us17/register
<https://www.rsaconference.com/events/us17/register>>
Post by Nikita Bedmutha
and use the code: XE7PRMKEY
Post by Nikita Bedmutha
Serious apologies for sending incomplete data. Well, I
observed the
Post by Nikita Bedmutha
Post by Nikita Bedmutha
Debug logs for both the calls, call from web service and
call from
Post by Nikita Bedmutha
Post by Nikita Bedmutha
1. For the pkcs10Request webservice call through SOAP
UI, the INFO log
Post by Nikita Bedmutha
Post by Nikita Bedmutha
CERT_REQUEST;SUCCESS;CERTIFICATE;CORE;CN=AdminUser,O=My
Organization,C=SE;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=null;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB
Post by Nikita Bedmutha
Post by Nikita Bedmutha
where, requestX500name=null
123.252.222.122;-759363256;;user1;subjectdn=CN=user1,OU=GSL,C=IN;requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK;certprofile=1681037015;keyusage=-1;notbefore=;notafter=;sequence=;publickey=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA682O6J7UvRLCSiZij4vs0gks4dCd9zZPjR4k8UbB6TdqduA0Wst50VfQwWBbyTYlAzoIXXjFrzzPylJp5yyvjrIkiEUKf7jjTM3d5xHLqTu6ai2a5gy2oZzseXZj5L/4ZI2j5QdHVAyQPfSJTXlLsVUQgjTY73LvjJoxmA/g8Ih6IZLGeDJsxjindNARceac+Dg6vybLY5xhkMhDomviilmOw8F8m9WCXvjoqx66s8bt1FcP5T7h6JwNTokhKbVu2lr9Gp0BmE29VLLIS9JzIXvaMVYuo2etV0OJtI9xJmkRefCi2zLgwIsyEGY0QCY2RY5OJrnC/7TBVYijU0u6bwIDAQAB
Post by Nikita Bedmutha
Post by Nikita Bedmutha
where, requestX500name=C=OO,ST=KK,L=PP,O=JJ,OU=LL,CN=KK
Both the calls use same CSR, also same certificate
profile is
Post by Nikita Bedmutha
being used
Post by Nikita Bedmutha
in both cases and the public key extracted from CSR also
looks same.
Post by Nikita Bedmutha
Post by Nikita Bedmutha
However, in case of public web call we see a log
statement, 'Using
Post by Nikita Bedmutha
Post by Nikita Bedmutha
X509Name from request instead of user's registered.'
which is
Post by Nikita Bedmutha
missing in
CN=user1,OU=GSL,C=IN' can
Post by Nikita Bedmutha
be seen.
I suspect this could be because requestX500name is null
in case of
Post by Nikita Bedmutha
Post by Nikita Bedmutha
webservice call.
However, we are using same CSR and so this behaviour is bit
confusing.
Post by Nikita Bedmutha
If this info can help. Thanks.
Regards,
Nikita Bedmutha
Software Engineer | m: +91 94042 02790 | G
G <http://www.linkedin.com/in/nikitabedmutha
<http://www.linkedin.com/in/nikitabedmutha>
Post by Nikita Bedmutha
<http://www.linkedin.com/in/nikitabedmutha
<http://www.linkedin.com/in/nikitabedmutha>>>reat Software Laboratory
Post by Nikita Bedmutha
Post by Nikita Bedmutha
<http://www.gslab.com/>
On Wed, Feb 8, 2017 at 3:21 PM, Tomas Gustavsson
---
Debug logging will show in detail all decisions egarding
override or not
Post by Nikita Bedmutha
that is takes during certificate issuance.
---
For more information about logging, how to configure
debug
Post by Nikita Bedmutha
etc, see
Post by Nikita Bedmutha
https://www.ejbca.org/docs/adminguide.html#Logging
<https://www.ejbca.org/docs/adminguide.html#Logging>
Post by Nikita Bedmutha
<https://www.ejbca.org/docs/adminguide.html#Logging
<https://www.ejbca.org/docs/adminguide.html#Logging>>
Post by Nikita Bedmutha
Post by Nikita Bedmutha
<https://www.ejbca.org/docs/adminguide.html#Logging
<https://www.ejbca.org/docs/adminguide.html#Logging>
Post by Nikita Bedmutha
<https://www.ejbca.org/docs/adminguide.html#Logging
<https://www.ejbca.org/docs/adminguide.html#Logging>>>
Post by Nikita Bedmutha
Post by Nikita Bedmutha
/Tomas
Post by Nikita Bedmutha
Hi,
I know this must be the very basic requirement to
get the
Post by Nikita Bedmutha
certificate
Post by Nikita Bedmutha
Post by Nikita Bedmutha
with subject DN overridden. But I have tried my
best with
Post by Nikita Bedmutha
all settings
Post by Nikita Bedmutha
Post by Nikita Bedmutha
but no clue whats going wrong.
I have a user 'user1' which is created with a
'Client endentity
Post by Nikita Bedmutha
Post by Nikita Bedmutha
profile'
Post by Nikita Bedmutha
which uses default cert profile as 'Client Cert
Profile'. This
Post by Nikita Bedmutha
Post by Nikita Bedmutha
Post by Nikita Bedmutha
certificate profile has 'Allow subject DN override
by CSR'
Post by Nikita Bedmutha
and 'Allow
Post by Nikita Bedmutha
Post by Nikita Bedmutha
subject DN override by End Entity Information'
checked. In
Post by Nikita Bedmutha
the case
Post by Nikita Bedmutha
Post by Nikita Bedmutha
where both are checked, documentation says that DN
will be
Post by Nikita Bedmutha
Post by Nikita Bedmutha
overriden by CSR.
Post by Nikita Bedmutha
<soapenv:Envelope
xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/
<http://schemas.xmlsoap.org/soap/envelope/>
Post by Nikita Bedmutha
<http://schemas.xmlsoap.org/soap/envelope/
<http://schemas.xmlsoap.org/soap/envelope/>>
Post by Nikita Bedmutha
Post by Nikita Bedmutha
<http://schemas.xmlsoap.org/soap/envelope/
<http://schemas.xmlsoap.org/soap/envelope/>
Post by Nikita Bedmutha
<http://schemas.xmlsoap.org/soap/envelope/
<http://schemas.xmlsoap.org/soap/envelope/>>>"
Post by Nikita Bedmutha
Post by Nikita Bedmutha
Post by Nikita Bedmutha
xmlns:ws="http://ws.protocol.core.ejbca.org/
<http://ws.protocol.core.ejbca.org/>
Post by Nikita Bedmutha
<http://ws.protocol.core.ejbca.org/
<http://ws.protocol.core.ejbca.org/>>
Post by Nikita Bedmutha
Post by Nikita Bedmutha
<http://ws.protocol.core.ejbca.org/
<http://ws.protocol.core.ejbca.org/>
Post by Nikita Bedmutha
<http://ws.protocol.core.ejbca.org/
<http://ws.protocol.core.ejbca.org/>>>">
Post by Nikita Bedmutha
Post by Nikita Bedmutha
Post by Nikita Bedmutha
<soapenv:Header/>
<soapenv:Body>
<ws:pkcs10Request>
<!--Optional:-->
<arg0>user1</arg0>
<!--Optional:-->
<arg1>password</arg1>
<!--Optional:-->
<arg2>-----BEGIN CERTIFICATE REQUEST-----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 by Nikita Bedmutha
Post by Nikita Bedmutha
Post by Nikita Bedmutha
fLK3lnrKOP6K5CG1HyCvJt4c8NFqgdH22LMtWJ113QKgPtGZzWAu
-----END CERTIFICATE REQUEST-----</arg2>
<!--Optional:-->
<arg3></arg3>
<!--Optional:-->
<arg4>CERTIFICATE</arg4>
</ws:pkcs10Request>
</soapenv:Body>
</soapenv:Envelope>
I even made call without '-----BEGIN CERTIFICATE
REQUEST-----' and
Post by Nikita Bedmutha
Post by Nikita Bedmutha
'-----END CERTIFICATE REQUEST-----' but no success.
In both cases, the certificate generated still
uses the
Post by Nikita Bedmutha
subject DN
Post by Nikita Bedmutha
which
Post by Nikita Bedmutha
was used while creating the user. I tried this
webservice
Post by Nikita Bedmutha
call using
Post by Nikita Bedmutha
Post by Nikita Bedmutha
SOAP-UI as well as eclipse code. Only when the
call is made
Post by Nikita Bedmutha
using
Post by Nikita Bedmutha
public
Post by Nikita Bedmutha
web 'Create certificate from CSR' or cli command, the
subject DN is
Post by Nikita Bedmutha
Post by Nikita Bedmutha
overriden. For some reason unable to achieve it
through web
Post by Nikita Bedmutha
service
Post by Nikita Bedmutha
Post by Nikita Bedmutha
call. Kindly guide me if I am doing anything wrong
here.
Post by Nikita Bedmutha
Post by Nikita Bedmutha
Post by Nikita Bedmutha
Regards,
Nikita Bedmutha
Software Engineer | m: +91 94042 02790 | G
G <http://www.linkedin.com/in/nikitabedmutha
<http://www.linkedin.com/in/nikitabedmutha>
Post by Nikita Bedmutha
<http://www.linkedin.com/in/nikitabedmutha
<http://www.linkedin.com/in/nikitabedmutha>>
Post by Nikita Bedmutha
Post by Nikita Bedmutha
<http://www.linkedin.com/in/nikitabedmutha
<http://www.linkedin.com/in/nikitabedmutha>
Post by Nikita Bedmutha
<http://www.linkedin.com/in/nikitabedmutha
<http://www.linkedin.com/in/nikitabedmutha>>>>reat Software
Laboratory
Post by Nikita Bedmutha
Post by Nikita Bedmutha
Post by Nikita Bedmutha
<http://www.gslab.com/>
On Fri, Feb 3, 2017 at 5:35 AM, Tomas Gustavsson
This is very common to do this using WS so there is probably something
wrong with your call. Are you using the correct certificate profile in
your WS call?
Debug logging will show in detail all decisions regarding override or not
that it takes during certificate issuance.
Regards,
Tomas
Post by Nikita Bedmutha
Sorry for spamming, but just correcting the query:
I want to make a certificate request which uses the subject DN from CSR
and not the registered end entity subject DN. I am using the certificate
profile which has 'Allow subject DN override by CSR' checked. However the
web service requests 'pkcs10Request' as well as 'certificateRequest' do
not return certificates with subject DN overridden by the CSR but uses
the registered DN only.
On the other hand, using the same CSR, the public web call 'Create
Certificate from CSR' as well as the 'createcert' CLI command generates a
certificate which has the subject DN overridden by the CSR.
Your inputs would really be very helpful.
Thanks.
Regards,
Nikita Bedmutha
On Wed, Feb 1, 2017 at 4:50 PM, Nikita Bedmutha
Hi,
I have a user(end-entity) created using a certificate profile which has
'Allow Subject DN override' checked. This end-entity is registered with
Token as User Generated.
When I use 'Create Certificate from CSR' option on public web, I get the
certificate with the subject DN used while creating the CSR and not the
registered DN.
Now I want to achieve same using web service call. I tried the
'certificateRequest' and 'pkcs10' request with the same CSR that I used in
previous Public web call. But in the web service call case, I get
certificate with the registered DN and not overridden by the CSR.
Kindly guide me how to achieve this.
Thanks and Regards,
Nikita
------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________
Ejbca-develop mailing list
https://lists.sourceforge.net/lists/listinfo/ejbca-develop