Reputation: 2559
We used a static value 'usernameTest' as the username to request EJBCA to generate X.509 certificates; after generating certificates using this static username we changed it to a unique value identifying each certificate uniquely (since using a static username is considered a renewal, as the username is the same for all certificates (*)), but now EJBCA refuses to generate certificates and still references the old static username 'usernameTest'; we get this error:
User '250320092916' is not allowed to use same key as the user(s) ‘usernameTest’ is/are using.
We revoked all certificates previously generated for username 'usernameTest', but we still get this error message from EJBCA. Is there any way we can remove username 'usernameTest'?
Each certificate has a unique SubjectDN and username.
The version of EJBCA is ejbca-6.2.0.
(*): All generated certificates in EJBCA Administration GUI are related to the same username.
Thanks in advance.
Upvotes: 0
Views: 3090
Reputation: 552
You can configure the PTK-C simulator to not reuse the random seed (yes, that is very annoying). For EJBCA we have documented it here. You have to set the environment variable ET_PTKC_SW_AUTOSEEDRNG=true. With this setting the simulator will generate real keys, a new one every time.
Upvotes: 1
Reputation: 2559
Problem solved; the problem is not that a reference to usernameTest is still in EJBCA but that the same key (RSA public key) is used for the request of the other user ('250320092916').
It seems this is a known limitation when relying on the HSM PTK-C simulator from the SafeNet ProtectServer series; the simulator restarts its random generator when we re-initialize it (I suspect a misuse on my part), which means it will always generate the same keys in the same order (which leads to such errors).
But also the error message is not clear: it talks about the "key" without specifying which, and this leads to confusion with the subjectDN or other attributes communicated to EJBCA; as an error message it could say "public key" or "RSA key", ... instead of key ;)
Upvotes: 1
Reputation: 31
Tomas is correct. Go to your "Certificate Authorities" under CA Functions. Edit your CA and find the setting called "Enforce unique public keys" under the "Directives" section.
Uncheck enforce and you will be able to use the same public key for different users.
Upvotes: 3
Reputation: 552
It has nothing to do with the HSM. The default policy setting for CAs is to not allow users to share the same end-user public key, i.e. not to issue a certificate with the same public key to different users. This is a checkbox setting in the CA settings.
Upvotes: 1
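To make the policy described in the last two answers concrete (and the situation in the question, where a seed-reset simulator handed the same key pair to two different usernames), here is an added example, written for this page and not code from EJBCA or the PTK-C simulator. It models the "Enforce unique public keys" checkbox as a small registry keyed on the SHA-256 of each CSR's DER SubjectPublicKeyInfo, so the check works the same for RSA keys (as in the thread) and the ECDSA keys generated here. `KeyRegistry`, `Enroll`, `MakeCSR` and the scenario names are hypothetical; the usernames `usernameTest` and `250320092916` are taken from the thread; the CSRs are constructed test data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
)

// KeyRegistry is a hypothetical stand-in for the bookkeeping behind EJBCA's
// per-CA "Enforce unique public keys" checkbox: SPKI fingerprint -> usernames.
type KeyRegistry struct {
	Enforce bool // false == checkbox unticked
	owners  map[string][]string
}

func NewKeyRegistry(enforce bool) *KeyRegistry {
	return &KeyRegistry{Enforce: enforce, owners: map[string][]string{}}
}

// Fingerprint hashes the DER SubjectPublicKeyInfo, so any key type compares alike.
func Fingerprint(pub any) (string, error) {
	spki, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("%x", sha256.Sum256(spki)), nil
}

// Enroll verifies the CSR's proof of possession, then applies the policy: the same
// username reusing its key is a renewal; another username is refused only if Enforce is on.
func (r *KeyRegistry) Enroll(username string, csr *x509.CertificateRequest) error {
	if err := csr.CheckSignature(); err != nil {
		return fmt.Errorf("CSR proof-of-possession failed: %w", err)
	}
	fp, err := Fingerprint(csr.PublicKey)
	if err != nil {
		return err
	}
	for _, owner := range r.owners[fp] {
		if owner == username {
			return nil // renewal: key already recorded for this user
		}
		if r.Enforce {
			// Name the public key explicitly; the thread notes EJBCA's message does not.
			return fmt.Errorf("user %q may not reuse the public key (SPKI sha256 %s...) issued to user %q",
				username, fp[:16], owner)
		}
	}
	r.owners[fp] = append(r.owners[fp], username)
	return nil
}

// MakeCSR builds and re-parses a PKCS#10 request, as an RA would receive it.
func MakeCSR(cn string, key *ecdsa.PrivateKey) (*x509.CertificateRequest, error) {
	der, err := x509.CreateCertificateRequest(rand.Reader,
		&x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificateRequest(der)
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Scenario replays the thread. A key generator whose RNG restarts from the same
// seed hands out identical keys; that is modelled by signing two CSRs with
// different subject DNs but one shared key pair (constructed test data).
func Scenario() map[string]error {
	sharedKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	freshKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	csrA := must(MakeCSR("cert-usernameTest", sharedKey))
	csrB := must(MakeCSR("cert-250320092916", sharedKey)) // unique DN, same key
	csrC := must(MakeCSR("cert-250320092916", freshKey))
	res := map[string]error{}
	strict := NewKeyRegistry(true)
	res["initial issue"] = strict.Enroll("usernameTest", csrA)
	res["renewal, same user"] = strict.Enroll("usernameTest", csrA)
	res["shared key, enforcement on"] = strict.Enroll("250320092916", csrB)
	res["fresh key, enforcement on"] = strict.Enroll("250320092916", csrC)
	lax := NewKeyRegistry(false)
	res["initial issue, enforcement off"] = lax.Enroll("usernameTest", csrA)
	res["shared key, enforcement off"] = lax.Enroll("250320092916", csrB)
	return res
}

func main() {
	for name, err := range Scenario() {
		fmt.Printf("%-32s %v\n", name, err)
	}
}
```

Only "shared key, enforcement on" fails; the fresh key for `250320092916` is accepted, which is the outcome the thread reached once the simulator was told to seed its RNG properly. Keying the registry on the SPKI hash rather than on the subject DN is what makes the unique DNs in the question irrelevant to the check, and it is why a CA that keeps this policy enabled is protected from two end entities silently ending up with one private key.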