How to create a CA signed by an external CA using the CLI? #642

datwinz · 2024-08-03T15:21:39Z

datwinz
Aug 3, 2024

Dear all,

I am stuck at an error/exception I get when I try to create an CA signed by an external CA. I am following the directions at Keyfactors' website.

I run my EJBCA instance with Docker compose. I have tried to make a CA using this command:

#!/bin/sh
docker compose exec ejbca-sub bin/ejbca.sh ca init      \
    --caname 02IssuingCA                                \
    --dn "C=SE,O=Test,CN=02IssuingCA"                   \
    --keyspec 2048                                      \
    --keytype RSA                                       \
    --policy null                                       \
    -s SHA256WithRSA                                    \
    -v 365                                              \
    --signedby External                                 \
    -externalcachain chain.pem                          \
    --tokenType soft                                    \
    --tokenPass securepassword

This gives an Exception:

Exception in thread "main" java.lang.IllegalStateException: Failed to close input stream
	at com.keyfactor.util.CertTools.getCertsFromPEM(CertTools.java:704)
	at org.ejbca.ui.cli.ca.CaInitCommand.execute(CaInitCommand.java:602)
	at org.ejbca.ui.cli.infrastructure.command.PasswordUsingCommandBase.execute(PasswordUsingCommandBase.java:201)
	at org.ejbca.ui.cli.infrastructure.library.CommandLibrary$Branch.execute(CommandLibrary.java:309)
	at org.ejbca.ui.cli.infrastructure.library.CommandLibrary$Branch.execute(CommandLibrary.java:320)
	at org.ejbca.ui.cli.infrastructure.library.CommandLibrary.findAndExecuteCommandFromParameters(CommandLibrary.java:88)
	at org.ejbca.ui.cli.EjbcaEjbCli.main(EjbcaEjbCli.java:38)

Besides that the INFO logs get stuck at:

INFO  [org.ejbca.ui.cli.ca.CaInitCommand] (main) Creating CA...

I feel like I'm missing something. Can anyone help me resolve this error?

Thank you

Answered by primetomas

Aug 5, 2024

chain.pem that you reference, is that really available from inside the container? Remember that the ejbca.sh command is run inside the container, so chain.pem has to be volume mounted or something like that.

I'm not very good at this but do you run container command with compose? Would you not typically start your container with docker compose, and then just "docker exec" to run the ejbca.se command inside a running container?

View full answer

primetomas · 2024-08-05T06:17:51Z

primetomas
Aug 5, 2024
Maintainer

chain.pem that you reference, is that really available from inside the container? Remember that the ejbca.sh command is run inside the container, so chain.pem has to be volume mounted or something like that.

I'm not very good at this but do you run container command with compose? Would you not typically start your container with docker compose, and then just "docker exec" to run the ejbca.se command inside a running container?

1 reply

datwinz Aug 5, 2024
Author

Thank you for the reply. I forgot make the chain.pem file available for the container. I copied it to the container and the command works now.

It is probably true you typically use docker exec, but you can use both docker exec or docker compose exec. I chose to do docker compose exec here for no real reason honestly.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

How to create a CA signed by an external CA using the CLI? #642

{{title}}

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

How to create a CA signed by an external CA using the CLI? #642

datwinz Aug 3, 2024

Replies: 1 comment · 1 reply

primetomas Aug 5, 2024 Maintainer

datwinz Aug 5, 2024 Author

datwinz
Aug 3, 2024

Replies: 1 comment 1 reply

primetomas
Aug 5, 2024
Maintainer

datwinz Aug 5, 2024
Author