I am trying to set up an EJBCA server to work as Cluster Issuer for all our services. Currently we use Vault to do that, but for external reasons we have to switch to EJBCA.

However, despite my best efforts, I cannot seem to get it working. I keep getting "No client certificate was presented" errors when trying to access the Admin interface of EJBCA, and overall I cannot find exhaustive documentation on the matter.

Is it at all possible to use EJBCA as Cluster Issuer, and if so how do I go about configuring it?

I have already tried deploying it using Bitnami's Helm chart, or Keyfactor's image, but to no avail.

1 Answer

While I can't answer your full question, I can say that the "No client certificate was presented" message is because you haven't installed the superadmin.p12 PKCS#12 file in the browser of the user who will be the Super Admin.

This file contains the client certificate which the message refers to.

garethTheRed
  • Thanks a lot for your reply, that's what I thought also so I installed it again, however when entering the admin url it retrieves the secret from Kubernetes, i.e. the default certificate... That's when I get the "No client certificate was presented" message. – Quentin Gérard Apr 27 '23 at 09:59
  • I'm not sure what a Cluster issuer is, but if you have multiple nodes of EJBCA in a cluster, they are typically set to accept the same client certificate. What client certificate a WildFly TLS server accepts is configured in the truststore.p12/jks. Typically the EJBCA cluster is connected with a shared database so it is "the same" on all EJBCA cluster nodes. But if you prefer completely separate instances you can do that as well by adding a common Management CA/using a common superadmin.p12 for different isolated EJBCA instances. It's in the documentation somewhere... – primetomas May 05 '23 at 13:49
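
The answer and the last comment point at two things to check: that superadmin.p12 really holds a client certificate, and that this certificate was issued by a CA the server's truststore accepts. The script below is an added example, not part of the original thread; it assumes the truststore's CA certificates have been exported to a PEM file, and the function names, demo subjects and the password `changeit` are constructed for illustration.

```shell
#!/bin/sh
# Added example. All names, subjects and the password "changeit" are constructed.

# p12_trusted_by <file.p12> <password> <ca-bundle.pem>
#   0 = the client certificate in the PKCS#12 chains to a CA in the bundle
#   1 = it does not (a server trusting only that bundle would reject it)
#   2 = the PKCS#12 could not be read (wrong password, corrupt file)
p12_trusted_by() {
    leaf=$(mktemp) || return 2
    # -clcerts -nokeys: extract only the client certificate, never the key
    if ! openssl pkcs12 -in "$1" -passin "pass:$2" -clcerts -nokeys \
            -out "$leaf" 2>/dev/null; then
        rm -f "$leaf"; return 2
    fi
    if openssl verify -CAfile "$3" "$leaf" >/dev/null 2>&1; then rc=0; else rc=1; fi
    rm -f "$leaf"
    return "$rc"
}

# Build a throwaway PKI in directory $1: mgmt.pem (stand-in for the Management
# CA in the truststore), other.pem (unrelated CA), superadmin.p12 issued by mgmt.
make_demo_pki() {
    for ca in mgmt other; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-$ca-ca" \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -newkey rsa:2048 -nodes -subj "/CN=SuperAdmin" \
        -keyout "$1/sa.key" -out "$1/sa.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/sa.csr" -CA "$1/mgmt.pem" -CAkey "$1/mgmt.key" \
        -CAcreateserial -days 1 -out "$1/sa.pem" 2>/dev/null || return 1
    openssl pkcs12 -export -inkey "$1/sa.key" -in "$1/sa.pem" \
        -passout pass:changeit -out "$1/superadmin.p12"
}

# Demo run: the same file is accepted by one CA bundle and rejected by the other.
d=$(mktemp -d) && make_demo_pki "$d" && for ca in mgmt other; do
    if p12_trusted_by "$d/superadmin.p12" changeit "$d/$ca.pem"; then
        echo "superadmin.p12 is trusted by $ca.pem"
    else
        echo "superadmin.p12 is NOT trusted by $ca.pem"
    fi
done
rm -rf "$d"
```

Against a real deployment, pass the actual superadmin.p12, its password and the PEM export of the truststore instead of the demo files.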