EJCBA-CE and changing the web server cert

[dug-ianc]

I've installed EJBCA-CE from a docker container, set up a CA for sake of argument called "MyCA", in addition to the default ManagementCA. I want EJBCA's web services to use a certificate signed by MyCA and not Management CA, however whatever I do, it never seems to work.

For example:
docker run -it -p 8080:8080 -p 8443:8443 -h myhost -v /home/docker/server.jks:/mnt/external/secrets/tls/ks/server.jks -v /home/docker/server.keypasswd:/mnt/external/secrets/tls/ks/server.keypasswd localhost/ejbca/updated-cert2

I've also tried updating the server.jks inside the container and comitting a new images, but it seems like it gets generated on the fly.

I must be missing something obvious? Thanks

[svenska-primekey]

What do you see in the logs when the container starts? You should see that the keystore is detected and used. The volume mount is correct /mnt/external/secrets/tls/ks. You could try putting both files into 1 directory and only volume mounting the 1 directory.

[dug-ianc]

I actually see this in the logs, which is seems related, although the path is different. I'll also try your suggestion.

No key password file were detected at '/opt/keyfactor/secrets/persistent/tls/pcertms/server.keypasswd'. Keystore password will also be used to access private key.
No truststore and/or password file were detected at '/opt/keyfactor/secrets/external/tls/ts/truststore.[jks|storepasswd]'. Check mount points and file permissions if this is not what you expected

[primetomas]

How about the truststore? It's in the truststore that you specify which CAs are acceptable for client certificates. The server certificate doesn't have to be changed for that.

[dug-ianc]

I'm not sure I understand entirely. In short, I want the admin interface and RA interface for EJBCA to use a the cert generated by "MyCA" rather than "ManagementCA". MyCA is trusted in our browsers but ManagementCA is not and it would it would be preferable not to get certificate warnings when access the web interface. Are you saying that truststore.jks will help with that?

[primetomas]

typically they go hand in hand. both keystore.jks (server TLS certificate) and truststore.jks (CA certificates only) are updated with the new CA certificate.

[svenska-primekey]

On the EJBCA container there is an option to provide a separate truststore from the TLS certificate store. This was to give granular control over managing the certs for TLS and trusting what CA's can mtls to EJBCA.

Can you verify there are no special characters in the password for the keystore? I'm wondering if it is failing because bash is having an issue with the password. You can also use an env variable to put the password in which is preferred over the file. The variable for TLS cert is APPSERVER_KEYSTORE_SECRET and APPSERVER_TRUSTSTORE_SECRET for the trust store password.