
I am trying to use an EJBCA-enrolled certificate in SignServer. There is some problem when using it for timestamping. It gives this error with the command `signserver getstatus brief all`:

Errors:
      - Missing extended key usage timeStamping
      - The extended key usage extension must be present and marked as critical

Although when I checked the certificate profile, the timestamping extended key usage is marked and critical. Is there any way that I could enroll with timestamping?

OS version: Windows Server 2016
Java: OpenJDK 8.0.242.08
Ant: ant 1.9.14
Database: MariaDB 10.4.12
Server: Wildfly 10.1.0
Signserver: 5.2.0 EJBCA: Community 6.15.2.6

https://pastebin.com/bkpNBvc1

[screenshot: EJBCA certificate profile]

user2426998

2 Answers


The most likely cause is that the certificate that you import into SignServer wasn't issued using the specified profile from EJBCA, so it is missing the extended key usage you have specified. Make sure that your certificate is issued using your profile, and verify the results with for example "openssl x509 -in cert.pem -text" that the certificate really has the key usage.

primetomas
  • We issue a P12 from the EJBCA RA and, as you see in the picture, the certificate profile has the timestamping feature marked for use and critical. Is there any way to check the P12? – user2426998 Dec 29 '20 at 23:45
  • You can unpack the p12 and look inside with "openssl pkcs12". What I mean is that a common mistake when issuing a certificate from EJBCA is that you issue a p12, but the right certificate profile is not selected when issuing, so you issue a certificate using for example the "ENDUSER" profile instead of the one you have edited above. Verify the certificate profile selected when you add the end entity (called "Certificate Subtype" when making a request in the RA Web). – primetomas Jan 01 '21 at 15:19
  • Is it in "key attributes"? Key attributes is empty. The certificate profile is added to the end entity as certificate subtype. – user2426998 Jan 12 '21 at 03:13
  • No, if you unpack the p12 with "openssl pkcs12", you need to then copy-paste the certificate from that (BEGIN/END CERTIFICATE) into a file that you can inspect with "openssl x509". – primetomas Jan 13 '21 at 15:09
  • That is the result, so timestamping is available. Is it not critical? `X509v3 Extended Key Usage: Code Signing, 1.2.840.113583.1.1.5, Time Stamping` – user2426998 Jan 16 '21 at 13:35
  • It looks like you have some more extended key usages there that should not be there. And it looks not critical. The screenshot on top seems to only include time stamping, and you have checked the critical checkbox. Re-issue the certificate with the profile above, and check again. It should only include the extended key usage you have selected in the profile. – primetomas Jan 20 '21 at 07:31
  • This is still a problem on another installation. Now it is critical too, but it still gives this message: `X509v3 Extended Key Usage: critical 1.2.840.113583.1.1.5, Time Stamping` – user2426998 May 04 '21 at 11:07
  • What message? The certificate profile you screenshotted above has multiple issues by the way; the regular Key Usage extension is set, among other things, to be a CA (certificate and CRL sign). I think multiple things have been tried so it's hard to judge what exactly is the issue. I think it's easier to start fresh now that you know what to do with the extended key usage. – primetomas May 05 '21 at 12:25
  • Can I try it with only one or two extended key usages? I just need two usages: timestamping and PDF signing. Do I need to use other key usages, or can I have just these two? – user2426998 May 05 '21 at 14:20
  • You can absolutely have only those two extended key usages. For "Key Usage" I would recommend only "digital signature". – primetomas May 10 '21 at 05:38
  • The result is this: `X509v3 Extended Key Usage: critical 1.2.840.113583.1.1.5, Time Stamping` and `X509v3 Key Usage: critical Digital Signature`. The only thing I detect is that the openssl result contains `Time Stamping` and signserver has `timeStamping`, but I don't think that this is the cause. Maybe you know where I can find a working example for timestamping. – user2426998 May 14 '21 at 18:08

This error persisted because I used one CN and alias (or Friendly Name for OpenSSL) for both issuer and subject. It seems it was using the issuer certificate, which obviously doesn't have the timestamping extended key usage, and so it kept giving the same "Missing extended key usage timeStamping" error despite all the previous tries.

user2426998
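A script that applies the checks from both answers before the certificate is handed to SignServer: extract only the end-entity certificate from the P12 (so a bundled CA certificate with the same CN cannot be picked by mistake), confirm subject and issuer differ, and confirm the Extended Key Usage is present, critical and contains Time Stamping. This is an added example, not code from SignServer or EJBCA; the function names, the temporary directory, the "changeit" password and the test CA/TSA pair it generates are all constructed, and it assumes `openssl` 1.1.1 or later on PATH.

```shell
#!/bin/sh
# Added example (not from SignServer or EJBCA): sanity-check a TSA certificate.
set -eu

# Write only the end-entity certificate from a PKCS#12 file to PEM.
# -clcerts drops the CA certificates bundled in the file.  Usage: p12_leaf_to_pem in.p12 out.pem password
p12_leaf_to_pem() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$3" -out "$2" 2>/dev/null
}

# 0 if subject differs from issuer, i.e. this is not the self-signed CA certificate
# that the asker's duplicated CN/alias caused SignServer to load.
check_not_self_issued() {
  s=$(openssl x509 -in "$1" -noout -subject)
  i=$(openssl x509 -in "$1" -noout -issuer)
  [ "${s#subject=}" != "${i#issuer=}" ]
}

# 0 if the EKU extension exists, is marked critical and lists Time Stamping.
# openssl prints "X509v3 Extended Key Usage: critical" and the purposes on the next line.
check_eku_critical_timestamping() {
  eku=$(openssl x509 -in "$1" -noout -text | awk '/Extended Key Usage/ {print; getline; print}')
  printf '%s\n' "$eku" | grep -q 'Extended Key Usage: critical' &&
    printf '%s\n' "$eku" | grep -q 'Time Stamping'
}

# Constructed test material: a CA and a TSA leaf with the extensions primetomas recommends
# (Key Usage digitalSignature only, EKU timeStamping only, both critical).  Usage: make_test_certs dir
make_test_certs() {
  d=$1
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -keyout "$d/ca.key" \
    -out "$d/ca.pem" -subj "/CN=Test CA" -days 30 2>/dev/null
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:P-256 -nodes -keyout "$d/tsa.key" \
    -out "$d/tsa.csr" -subj "/CN=Test TSA" 2>/dev/null
  printf 'keyUsage=critical,digitalSignature\nextendedKeyUsage=critical,timeStamping\n' > "$d/tsa.ext"
  openssl x509 -req -in "$d/tsa.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" -CAcreateserial \
    -days 30 -extfile "$d/tsa.ext" -out "$d/tsa.pem" 2>/dev/null
  # Bundle leaf and CA in one P12, as an EJBCA-issued P12 does, so -clcerts matters.
  openssl pkcs12 -export -inkey "$d/tsa.key" -in "$d/tsa.pem" -certfile "$d/ca.pem" \
    -passout pass:changeit -out "$d/tsa.p12" 2>/dev/null
}
```

Run `make_test_certs` into a scratch directory, then point the two `check_*` functions at the PEM produced by `p12_leaf_to_pem`; pointing them at `ca.pem` instead reproduces the asker's failure.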