在 Windows 上安装 Ejbca 时，“c:\ejbca\p12\truststore.jks”中缺少 JKS truststorestore 文件

Question

I am installing EJBCA on a Windows.
OS version: Windows Server 2016
Java: OpenJDK 8.0.242.08 Ant: ant 1.9.14
Database: MariaDB 10.4.12
Server: Wildfly 10.1.0
EJBCA Version: 6.15.2

Installation proceeded using this https://doc.primekey.com/ejbca6152/ejbca-installations/ejbca-main-installation manual.

Unfortunately on the command ant deploy-keystore provides this error:

jee:deploytruststore:

BUILD FAILED
c:\ejbca\build.xml:844: The following error occurred while executing this line:
c:\ejbca\bin\jboss.xml:310: The following error occurred while executing this line:
c:\ejbca\bin\jboss.xml:294: Missing JKS truststorestore file in 'c:\ejbca/p12/truststore.jks'

It has a corresponding error (I think they are related):

ejbca:javatruststore:
    [input] skipping input as property ca.name has already been set.
     [echo] Getting root certificate in DER format...
     [echo] ca getcacert "ManagementCA" C:\Users\tsaForFN\AppData\Local\Temp\2\/rootca.der -der
     [java] Wrote CA certificate to 'C:\Users\tsaForFN\AppData\Local\Temp\2\/rootca.der' using DER encoding.
     [echo] Adding to or creating keystore: c:\ejbca/p12/truststore.jks

ejbca:javatruststore-removeold:
     [exec] keytool error: java.lang.Exception: Input not an X.509 certificate
     [exec] java.lang.Exception: Input not an X.509 certificate
     [exec]     at sun.security.tools.keytool.Main.addTrustedCert(Main.java:2861)
     [exec]     at sun.security.tools.keytool.Main.doCommands(Main.java:1050)
     [exec]     at sun.security.tools.keytool.Main.run(Main.java:366)
     [exec]     at sun.security.tools.keytool.Main.main(Main.java:359)

     [exec] Result: 1
   [delete] Deleting: C:\Users\tsaForFN\AppData\Local\Temp\2\rootca.der

I tried to change slashes but it still didn't worked.

This is the log of Wildfly server https://controlc.com/bb5d54f4
This is the log of EJBCA installation https://controlc.com/f6f062d2

properties are default except database which is configured, working and not relevant right now.

Answer 1

Your issue is this: "Input not an X.509 certificate"

This is due to your usage of "implicitlyCA" in "install.properties", creating a CA certificate that is not useable by normal clients.

Initializing CA with 'ManagementCA' 'CN=ManagementCA,O=EJBCA Sample,C=SE' 'soft' '<ca.tokenpassword hidden>' 'implicitlyCA' 'ECDSA' '3650' 'null' 'SHA256withECDSA' -superadmincn 'SuperAdmin'...

You have configured the Management CA to use "implicitlyCA" ECDSA, which is not something that Java, Windows or any web servers and browsers support.

You need to use keys (in the ca.keyspec setting) that can be used for TLS connections, such as RSA 2048 or ECDSA prime256v1.

ImplicitlyCA can only be used if you are really really really sure what you are doing, and you use specific customer client software.

Answer 2

The step before is ant runinstall which:

1- created the Management CA.

2-Create TLS keystores for handling HTTPS, signed by the Management CA

3-Create the key store for the initial super administrator

it might not successfully done 2nd and 3rd step.

So you need to:

delete all the date(rows) in you ejbca database in all tables,then from $EJBCA_HOME:

ant -q clean deployear

ant runinstall

ant deploy-keystore

Inshaallah it will work