What I'm doing wrong with ejbca.sh cli when trying to create SubCA

[aloeenmae]

I have a strange issue when creating SubCA via CLI

1. New crypto token for my SubCA

ejbca.sh cryptotoken create --token my_test_token --type SoftCryptoToken --autoactivate allow --pin null
Enter CryptoToken password:
CryptoToken with id -1299393819 created successfully.

2. New signKey for my newly created crypto token

ejbca.sh cryptotoken generatekey --token my_test_token --keyspec 4096 --alias signKey
Key pair generated successfully.

3. Create defaultKey for my newly created crypto token

ejbca.sh cryptotoken generatekey --token my_test_token --keyspec 4096 --alias defaultKey
Key pair generated successfully.

4. Create testKey for my newly created crypto token

ejbca.sh cryptotoken generatekey --token my_test_token --keyspec 4096 --alias testKey
Key pair generated successfully

5. List my newly created cryptokey

ejbca.sh cryptotoken listkeys --token my_test_token
CryptoToken name: "my_test_token"
CryptoToken id:   -1299393819

 ALIAS	 ALGORITHM SPECIFICATION SUBJECTKEYID
 signKey	RSA 4096 c661e45c9679cc788ae1b70771877b2bb259d2e3
 testKey	RSA 4096 9e502bd79347737cb3028811ae77b5d571942336
 defaultKey	RSA 4096 e1f8b72e69be644599ff7ba6800d55d03de4778e

6. This is how my crypto properties file looks like

# cat crypto.prop
defaultKey defaultKey
certSignKey signKey
testKey testKey

7. Now I'm trying to create my new SubCA with this crypto token, but it fails with some strange error.

# ejbca.sh ca init --caname "My Test CA" --dn "CN=My Test CA,OU=My Test,O=My Test Org OU,C=EE" -v 365 --keytype RSA --keyspec 4096 -s SHA384WithRSA --tokenName my_test_token --tokenprop /tmp/crypto.prop --policy null --signedby 1691783881 -certprofile SUBCA -externalcachain /tmp/my_external_root_ca.crt -type x509
Initializing CA
Generating rootCA keystore:
CA Type:x509
CA name: My Test CA
SuperAdmin CN: null
DN: CN=My Test CA,OU=My Test,O=My Test Org,C=EE
CA token type: null
CA token password: null
Keytype: RSA
Keyspec: 4096
Validity: 365d
Policy ID: null
Signature alg: SHA384WithRSA
Certificate profile: SUBCA
CA token properties: {certSignKey=signKey, testKey=testKey, defaultKey=defaultKey}
Signed by: My External Root CA
Creating CA...
Crypto token was unavailable: No alias for key purpose 1

So, what I'm doing wrong?

Thanks
Alo

[primetomas]

You have not added a key for crlSignKey.

[aloeenmae]

@primetomas sorry, seems that my copy-n-paste cut crlSignKey line. This is how my crypto.prop file looks like:

# cat crypto.prop
certSignKey signKey
testKey testKey
crlSignKey defaultKey
defaultKey defaultKey

[aloeenmae]

# ejbca.sh ca init --caname "My Test CA" --dn "CN=My Test CA,OU=My Test,O=My Test Org OU,C=EE" -v 365 --keytype RSA --keyspec 4096 -s SHA384WithRSA --tokenName my_test_token --tokenprop /tmp/crypto.prop --policy null --signedby -1691783881 -certprofile SUBCA -externalcachain /tmp/my_external_root_ca.crt -type x509
Initializing CA
Generating rootCA keystore:
CA Type:x509
CA name: My Test CA
SuperAdmin CN: null
DN: CN=My Test CA,OU=My Test,O=My Test Org OU,C=EE
CA token type: null
CA token password: null
Keytype: RSA
Keyspec: 4096
Validity: 365d
Policy ID: null
Signature alg: SHA384WithRSA
Certificate profile: SUBCA
CA token properties: {certSignKey=signKey, crlSignKey=defaultKey, testKey=testKey, defaultKey=defaultKey}
Signed by: My External CA
Creating CA...
Crypto token was unavailable: No alias for key purpose 1

This produce the following lines in the Wildfly server.log file

2024-05-27 13:15:11,816 INFO  [org.cesecore.certificates.ca.CaSessionBean] (default task-338) CA with name My Test CA does not exist.
2024-05-27 13:15:12,053 INFO  [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-338) 2024-05-27 13:15:12+00:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;ejbca;;;;resource0=/ca/-1691783881
2024-05-27 13:15:13,172 INFO  [org.ejbca.core.ejb.ca.caadmin.CAAdminSessionBean] (default task-338) Creating an X509 CA: My Test CA
2024-05-27 13:15:13,174 INFO  [org.cesecore.certificates.ca.CaSessionBean] (default task-338) cryptoTokenId: -1299393819
2024-05-27 13:15:13,174 INFO  [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-338) 2024-05-27 13:15:13+00:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;ejbca;;;;resource0=/ca_functionality/add_ca;resource1=/cryptotoken/use/-1299393819
2024-05-27 13:15:13,200 INFO  [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-338) 2024-05-27 13:15:13+00:00;CA_CREATION;SUCCESS;CA;CORE;ejbca;-1450813919;;;msg=CA with id -1450813919 and name My Test CA added, status: 1. ;tokenproperties={certSignKey=signKey, crlSignKey=defaultKey, testKey=testKey, defaultKey=defaultKey};tokensequence=00000
2024-05-27 13:15:13,214 INFO  [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-338) 2024-05-27 13:15:13+00:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;ejbca;;;;resource0=/ca/-1691783881
2024-05-27 13:15:13,226 INFO  [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-338) 2024-05-27 13:15:13+00:00;CA_CREATION;FAILURE;CA;CORE;ejbca;-1450813919;;;msg=CA token is offline for CA 'My Test CA'.

When I look at the Crypto Tokens on the EJBCA Admin page, my token is active.

[primetomas]

A couple of things.

• Don't specify "--keytype RSA --keyspec 4096" when you have key generated on the token already.
• The keys must already be pre-generated and exist on your token, which you can do with the CLI as well.
• crlSignKey must always be the same as certSignKey

[primetomas]

It is also not clear what you want to achieve. --signedby looks like you are signing by an internal Root CA for this SubCA. Byt --externalcachain is specified if you want to sign by an external CA?
Are you signing this subCA with a CA that exists on the same EJBCA? Or an external CA, in which case --signedby should be "External"
(see "ejbca.sh ca init --help")

[aloeenmae]

@primetomas My goal is to generate crypto keys and a subCA signed by an external Root CA (external Root CA is imported to my EJBCA) through the EJBCA CLI, and the crypto keys must be RSA 4096-bit. The default EJBCA subCA profile allows for 2048-bit RSA, and I do not want to change this default EJBCA subCA profile.

Seems that --keytype RSA and --keyspec are required, because with these I get:

ejbca.sh ca init --caname "My Test CA" --dn "CN=My Test CA,OU=My Test,O=My Test Org OU,C=EE" -v 365 -s SHA384WithRSA --tokenName my_test_token --tokenprop /tmp/crypto.prop --policy null --signedby -1691783881 -certprofile SUBCA
ERROR: Incorrect parameter usage.
    The following mandatory arguments are missing or poorly formed, use --help for more information:
        --keyspec       Key specification for CA signing key (soft crypto token) and OCSP/CMS service keys. Keyspec for RSA
                        keys is size of RSA keys (1024, 2048, 4096, 8192). Keyspec for DSA keys is size of DSA keys (1024).
                        Keyspec for ECDSA keys is name of curve or 'implicitlyCA'' (see docs).
        --keytype       Key type for CA signing key (soft crypto token) and OCSP/CMS service keys. Keytype is RSA, DSA, ECDSA,
                        Ed25519 or Ed448

Run command with "--help" to see full manual page.

Ok, after more testing it seems I finally made it with the following command

# ejbca.sh ca init --caname "My Test CA" --dn "CN=My Test CA,OU=My Test,O=My Test Org OU,C=EE" -v 365 -s SHA384WithRSA --tokenName my_test_token --tokenprop /tmp/crypto.prop --policy null --signedby External -certprofile SUBCA --tokenPass prompt --keyspec 4096 --keytype RSA -externalcachain /tmp/my_external_root_ca.crt
Enter CA token password:

Initializing CA
Generating rootCA keystore:
CA Type:x509
CA name: My Test CA
SuperAdmin CN: null
DN: CN=My Test CA,OU=My Test,O=My Test Org OU,C=EE
CA token type: null
CA token password: hidden
Keytype: RSA
Keyspec: 4096
Validity: 365d
Policy ID: null
Signature alg: SHA384WithRSA
Certificate profile: SUBCA
CA token properties: {certSignKey=signKey, keyEncryptKey=defaultKey, crlSignKey=signKey, testKey=testKey, defaultKey=defaultKey}
Signed by: External CA
Creating CA...
CAId for created CA: -1450813919
Creating a CA signed by an external CA, creating certificate request.
Created CSR for CA, to be sent to external CA. Wrote CSR to file 'My Test CA_csr.der'.
CA initialized
Note that open browser sessions may have to be restarted to interact with this CA.

I missed the section regarding --signedby <CA_ID>: To create a CA signed by an external CA, use the keyword 'External' as <CA_ID>. This will result in a certificate request (CSR) being saved on file.

# openssl req -in "My Test CA_csr.der" -inform DER -outform PEM -text
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: CN = My Test CA, OU = My Test, O = My Test Org OU, C = EE
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)

@primetomas thank you very much for guiding me in the right direction.

NB! It is interesting, of course, that EJBCA generates IDs with negative numbers: CAId for created CA: -1450813919,
is this intentional, or where could this negative ID value come from?

[primetomas]

Great!

These IDs are Java hash codes, which can be seen pretty much as random signed integers. So some (like 50%) will be positive and some (like 50%) will be negative.