Type: New Feature
Affects Version/s: None
Fix Version/s: EJBCA 7.2.0
Issue discovered during: Customer
Sprint: EJBCA Team Bob - 2019 w21
The CLI command: bin/ejbca.sh ca importcvcca
can only import self-signed CVCAs right now. It should be possible to import DVCAs as well.
The importcvcca command unfortunately does not handle import of DVCAs. The reason for this is that it was originally designed for ePassport CVCA/DVCA. Here the DVCA is valid for at most 3 months, in which case there is no need to export/import; you simply create a new one when you need it.
There is no "external" API to import a DVCA without patching EJBCA.
Attaching a patched Java file; only the client side (CLI) needs to be patched.
Replace the existing file with the same name and run "ant build".
Now you can verify that you have the new version with:
bin/ejbca.sh ca importcvcca --help
It will show a new description option:
- Imports a private key and chain with first certificate a DVCA and the second one a CVCA certificate, creating a
DVCA assuming the CVCA (certificate) has already been imported.
You can now import both CVCA and DVCA. I tested with:
bin/ejbca.sh ca importcvcca --caname TomasCVCARSA -f ~/Downloads/TomasCVCARSA.pkcs8 -c ~/Downloads/SECVCARSA00000_SECVCARSA00000.cacert.pem
bin/ejbca.sh ca importcvcca --caname TomasDVCARSA -f ~/Downloads/TomasDVCARSA.pkcs8 -c ~/Downloads/chain.pem
chain.pem is created with:
cat SECVCARSA00000_SEDVCARSA00000.cacert.pem SECVCARSA00000_SECVCARSA00000.cacert.pem > chain.pem
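A pre-import check for the chain order the new help text requires (DVCA first, CVCA second), added here as an example and not part of the ticket or of EJBCA. It assumes the .pem files are PEM-armoured DER CV certificates using the BSI TR-03110 tags (7F21 certificate, 7F4E body, 42 CAR, 5F20 CHR); all function names are hypothetical and the sample certificates are constructed.

```python
import base64, re

def pem_blocks(text):
    """DER bytes of every PEM block in text, in file order."""
    pat = r"-----BEGIN ([^-]+)-----(.*?)-----END \1-----"
    return [base64.b64decode(m.group(2)) for m in re.finditer(pat, text, re.S)]

def tlv(data):
    """Yield (tag, value) for each BER-TLV object (tags of 1 or 2 bytes)."""
    i = 0
    while i < len(data):
        tag = data[i]; i += 1
        if (tag & 0x1F) == 0x1F:          # two-byte tag, e.g. 7F21, 5F20
            tag = (tag << 8) | data[i]; i += 1
        n = data[i]; i += 1
        if n & 0x80:                      # long-form length
            k = n & 0x7F
            n = int.from_bytes(data[i:i + k], "big"); i += k
        if i + n > len(data):
            raise ValueError("truncated TLV")
        yield tag, data[i:i + n]
        i += n

def car_chr(der):
    """(CAR, CHR) of one CV certificate: 7F21 -> 7F4E -> tags 42 and 5F20."""
    body = dict(tlv(dict(tlv(der))[0x7F21]))[0x7F4E]
    fields = dict(tlv(body))
    return fields[0x42].decode("ascii"), fields[0x5F20].decode("ascii")

def check_chain(pem_text):
    """Problems with a chain file; an empty list means DVCA first, CVCA second."""
    certs = [car_chr(d) for d in pem_blocks(pem_text)]
    if len(certs) != 2:
        return [f"expected 2 certificates, found {len(certs)}"]
    (dv_car, dv_chr), (cv_car, cv_chr) = certs
    checks = [
        (dv_car == dv_chr, f"first certificate {dv_chr} is self-signed, not a DVCA"),
        (cv_car != cv_chr, f"second certificate {cv_chr} is not a self-signed CVCA"),
        (dv_car != cv_chr, f"first certificate names issuer {dv_car}, not {cv_chr}")]
    return [msg for bad, msg in checks if bad]

# Constructed samples: bodies hold only CAR and CHR, not real certificates.
def _enc(tag, value):
    return tag.to_bytes(2 if tag > 0xFF else 1, "big") + bytes([len(value)]) + value
def sample_pem(car, chr_):
    body = _enc(0x42, car.encode()) + _enc(0x5F20, chr_.encode())
    b64 = base64.b64encode(_enc(0x7F21, _enc(0x7F4E, body))).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
DVCA = sample_pem("SECVCARSA00000", "SEDVCARSA00000")
CVCA = sample_pem("SECVCARSA00000", "SECVCARSA00000")
```

Running check_chain on the contents of chain.pem before the import reports a swapped cat order or a DVCA issued by a different CVCA.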