Resolution: Won't Do
Affects Version/s: EJBCA 3.5.2
Fix Version/s: None
Component/s: CA GUI
If an administrator fails to log in to the EJBCA Admin GUI, the error message is cryptic at best. To help inexperienced EJBCA admins, the feedback needs to be improved.
If possible, Tomcat should redirect failed HTTPS sessions to an HTTP error page with a message like
"None of your client certificates is issued by a CA that is trusted by EJBCA.
This could be caused by
1. You are not supposed to be able to access this page.
2. The issuing CA has not been added to the application server truststore.
3. The application server has not yet picked up the changes in the truststore. (Might require application server restart.)"
If the login fails later, EJBCA should try to analyze the client certificate and present the user with a reason and, if possible, a solution.
"Your used client certificate with serial number XXX is revoked..."
"Your used client certificate is not part of any admin group..."