It is not possible to generate a keystore with an autogenerated password from the RA. The use case could be self-registration, or perhaps simply enforcing good random passwords.
Steps to reproduce:
- Create an End Entity Profile with password set to auto-generated. (In a real-world use case, one would also enable notifications and send the password via e-mail.)
- Allow keystore generation in this profile (P12, JKS and PEM)
- Try to enroll from the RA using this profile.
- Expected: enrollment should work. (TODO: decide if the RA operator should receive the keystore at this point, or if only the user should get a link via e-mail)
- Actual: you get LOGIN_FAILURE
Why it happens:
EnrollMakeNewRequestBean creates keystores using two separate RaMasterApi method calls. First it creates the End Entity (which gets assigned a random password) using addUser(). Second it tries to generate a keystore using generateKeyStore(), but EnrollMakeNewRequestBean does not have the password, so the authentication fails.
If, in the use case, the RA operator needs to download the keystore directly from the RA web (rather than from an e-mail link), we would need to restructure the two API calls into one API call.
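The failure described under "Why it happens", and the single-call restructuring suggested above, as a toy model. This is an added example, not EJBCA code: the `Backend` class, its method bodies and `addUserAndGenerateKeyStore` are hypothetical, and only the names `addUser`, `generateKeyStore` and `LOGIN_FAILURE` come from the report.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;

// Toy model only: class and method bodies are hypothetical, not EJBCA code.
public class AutoPasswordEnrollDemo {
    static class Backend {
        private final Map<String, String> passwords = new HashMap<>();
        private final SecureRandom rng = new SecureRandom();

        // Profile uses an auto-generated password: the caller-supplied value is
        // ignored and the generated one stays on the backend (sent by e-mail).
        void addUser(String username, String ignoredPassword) {
            byte[] raw = new byte[18];
            rng.nextBytes(raw);
            passwords.put(username, Base64.getUrlEncoder().encodeToString(raw));
        }

        // Keystore generation authenticates the end entity with its password.
        String generateKeyStore(String username, String password) {
            String stored = passwords.get(username);
            if (stored == null || !stored.equals(password)) {
                return "LOGIN_FAILURE";
            }
            return "keystore-for-" + username; // placeholder for P12/JKS/PEM bytes
        }

        // Hypothetical combined call: the generated password never leaves the backend.
        String addUserAndGenerateKeyStore(String username) {
            addUser(username, null);
            return generateKeyStore(username, passwords.get(username));
        }
    }

    public static void main(String[] args) {
        Backend backend = new Backend();
        // Current flow: two calls, the caller has no usable password for the second.
        backend.addUser("alice", null);
        System.out.println("two calls: " + backend.generateKeyStore("alice", null));
        // Restructured flow: one call, authentication uses the backend-side password.
        System.out.println("one call:  " + backend.addUserAndGenerateKeyStore("bob"));
    }
}
```

Keeping the generated password on the backend in the combined call also means the RA operator never sees it, which matters if the password is meant to reach only the end user by e-mail.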