
How to include password when enrolling CSR to EJBCA using JSCEP


I am attempting to enroll a certificate signing request to EJBCA using JSCEP as documented here: https://github.com/jscep/jscep

I am able to submit a csr from the web console using the same format of csr and private key (for ssl authorization on port 8443), but when I try it via JSCEP, I get the following error in the EJBCA logs:

Error processing SCEP request.: org.cesecore.certificates.ca.SignRequestException: No password in request.

I'm guessing that it wants the username and enrollment code of an end entity like the one I am required to enter via the web UI, but I see absolutely nowhere in the JSCEP API to enter that information. Perhaps the private key is sufficient, but that does seem a little odd as the UI wanted both.

I suppose it could also mean that my CSR must have a password, which it doesn't, but the UI didn't give me a problem with that so I don't see why this would.

The keystore (parsed from a p12 file, with password included) and csr are both parsed from files rather than generated programmatically. The csr is from a third party whose keys I do not have.

My enrollment request via the jscep client looks like the following:

client.enrol(certificate, privateKey, request, config.getCaProfile());

The certificate and private key are both taken from the p12 file and the request is parsed from the csr (pkcs12) passed to me. The caProfile is the CA Name listed in the table on the homepage of the https::8443/ejbca/adminweb/

Please let me know if my parameters are wrong or if I need to include a password somewhere, and if so, how I can do that in the API.


Solution

  • I am now able to do this for a programmatically constructed csr and it works end to end, so I'm considering the issue closed. I still have some work to use a third party csr, but that shouldn't be a big deal.

    The code is below.

        import java.security.KeyPair;
        import java.security.KeyPairGenerator;
        import java.security.PrivateKey;
        import java.security.PublicKey;
        import javax.security.auth.x500.X500Principal;
        import org.bouncycastle.asn1.DERPrintableString;
        import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
        import org.bouncycastle.operator.ContentSigner;
        import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
        import org.bouncycastle.pkcs.PKCS10CertificationRequest;
        import org.bouncycastle.pkcs.PKCS10CertificationRequestBuilder;
        import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

        // Key pair for the end entity (1024-bit RSA as posted; 2048 bits or more is the current norm)
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(1024);
        KeyPair entityKeyPair = keyPairGenerator.genKeyPair();

        PublicKey entityPubKey = entityKeyPair.getPublic();
        X500Principal requesterSubject = new X500Principal("CN=endEntityName");
        PKCS10CertificationRequestBuilder csrBuilder = new JcaPKCS10CertificationRequestBuilder(requesterSubject, entityPubKey);

        // EJBCA reads the enrollment code from the PKCS#9 challengePassword attribute of the CSR
        DERPrintableString password = new DERPrintableString("endEntityPassword");
        csrBuilder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword, password);

        PrivateKey entityPrivKey = entityKeyPair.getPrivate();
        JcaContentSignerBuilder csrSignerBuilder = new JcaContentSignerBuilder("SHA1withRSA");
        ContentSigner csrSigner = csrSignerBuilder.build(entityPrivKey);
        PKCS10CertificationRequest csr = csrBuilder.build(csrSigner);
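The answer above shows that EJBCA's "No password in request" goes away once the CSR carries the PKCS#9 challengePassword attribute. Before calling `client.enrol(...)` with a CSR you did not build yourself (the third-party case from the question), it is worth checking whether that attribute is actually present, since a CSR's self-signature covers its attributes and cannot be amended without the requester's private key. The following is an added example, not code from the original post or from the jscep or EJBCA projects; the subject `CN=endEntityName`, the password `endEntityPassword` and the 2048-bit key are constructed sample values, and the class and method names are my own.

```java
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.util.Optional;

import javax.security.auth.x500.X500Principal;

import org.bouncycastle.asn1.ASN1Encodable;
import org.bouncycastle.asn1.ASN1String;
import org.bouncycastle.asn1.DERPrintableString;
import org.bouncycastle.asn1.pkcs.Attribute;
import org.bouncycastle.asn1.pkcs.PKCSObjectIdentifiers;
import org.bouncycastle.operator.ContentSigner;
import org.bouncycastle.operator.ContentVerifierProvider;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.operator.jcajce.JcaContentVerifierProviderBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;

/**
 * Added example (not from the original post, jscep or EJBCA): build a PKCS#10 CSR
 * with or without the PKCS#9 challengePassword attribute, and inspect any CSR for
 * that attribute before passing it to client.enrol(). All names and values below
 * are constructed for illustration.
 */
public class ChallengePasswordCheck {

    /** Build a CSR; a null challengePassword leaves the attribute out entirely. */
    public static PKCS10CertificationRequest buildCsr(KeyPair keyPair, String subjectDn,
                                                      String challengePassword) throws Exception {
        JcaPKCS10CertificationRequestBuilder builder =
            new JcaPKCS10CertificationRequestBuilder(new X500Principal(subjectDn), keyPair.getPublic());
        if (challengePassword != null) {
            // SCEP carries the enrollment code as the PKCS#9 challengePassword attribute
            // (OID 1.2.840.113549.1.9.7); this is what EJBCA looks for.
            builder.addAttribute(PKCSObjectIdentifiers.pkcs_9_at_challengePassword,
                                 new DERPrintableString(challengePassword));
        }
        ContentSigner signer = new JcaContentSignerBuilder("SHA256withRSA").build(keyPair.getPrivate());
        return builder.build(signer);
    }

    /** Return the challengePassword carried by the CSR, or empty if the attribute is absent. */
    public static Optional<String> extractChallengePassword(PKCS10CertificationRequest csr) {
        Attribute[] attrs = csr.getAttributes(PKCSObjectIdentifiers.pkcs_9_at_challengePassword);
        if (attrs == null || attrs.length == 0 || attrs[0].getAttrValues().size() == 0) {
            return Optional.empty();
        }
        ASN1Encodable value = attrs[0].getAttrValues().getObjectAt(0);
        // Both the PrintableString and UTF8String encodings implement ASN1String.
        return value instanceof ASN1String
            ? Optional.of(((ASN1String) value).getString())
            : Optional.empty();
    }

    /**
     * Verify the CSR's self-signature. The signature covers the attributes, which is
     * why a password cannot be added to a third party's CSR without their private key.
     */
    public static boolean isSelfSignatureValid(PKCS10CertificationRequest csr) throws Exception {
        ContentVerifierProvider verifier =
            new JcaContentVerifierProviderBuilder().build(csr.getSubjectPublicKeyInfo());
        return csr.isSignatureValid(verifier);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048);
        KeyPair keyPair = kpg.generateKeyPair();

        // Constructed sample CSRs: one with the enrollment code, one without it.
        PKCS10CertificationRequest withPassword = buildCsr(keyPair, "CN=endEntityName", "endEntityPassword");
        PKCS10CertificationRequest withoutPassword = buildCsr(keyPair, "CN=endEntityName", null);

        System.out.println("with password:    " + extractChallengePassword(withPassword));
        System.out.println("without password: " + extractChallengePassword(withoutPassword));
        System.out.println("signature valid:  " + isSelfSignatureValid(withPassword));
    }
}
```

Running `extractChallengePassword` on a CSR received from a third party tells you up front whether EJBCA will reject it with the error from the question; if it comes back empty, the fix has to happen on the requester's side (they regenerate the CSR with the attribute), not in the jscep call. The example needs bcprov and bcpkix on the classpath, like the code in the answer.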