Configuration Issues

The following describes each configuration issue that is checked for: what triggers the ticket, its priority, and how to resolve it.

Basic Constraints Violation

Produces one ticket with priority ERROR for each X.509 CA with a certificate chain violating a basic constraint.

This is done by evaluating the basic constraints extension (RFC 5280, Section 4.2.1.9) of every certificate in the CA's chain. A certificate chain violates basic constraints if:

  • The certificate chain contains a certificate that is not a CA certificate, i.e. its basic constraints extension has CA:FALSE.

  • The certificate chain contains a certificate without the basic constraints extension. RFC 5280 requires the extension to be present (and critical) in every CA certificate, and a public key whose certificate lacks it must not be used to verify certificate signatures.

  • The certificate chain contains a certificate violating a path length constraint, i.e. a CA certificate is followed by more subordinate (non-self-issued) CA certificates than its pathlen value permits.

A certificate chain violating a basic constraint is unlikely to be accepted by a TLS client, so end entity certificates issued by such a CA will typically fail path validation in browsers and other relying parties.

To pinpoint the issue, print each certificate of the chain using OpenSSL and inspect its basic constraints extension. Note that openssl x509 only reads the first certificate in a PEM file, so run it against each certificate in the chain separately (or split chain.pem first):

Inspect the basic constraints extension using OpenSSL
openssl x509 -in chain.pem -noout -text

Look for a section that resembles the following:

Example of a basic constraints extension for a CA certificate with a path length constraint
X509v3 Basic Constraints: critical
CA:TRUE, pathlen:0

Here CA:TRUE marks the certificate as a CA certificate, and pathlen:0 means that it may issue end entity certificates but no subordinate CA certificates; a chain that places a further CA below such a certificate violates the constraint. A certificate showing CA:FALSE, or no basic constraints section at all, also triggers the ticket.
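As an added example (not part of EJBCA or its documentation), the following Python script applies the three rules above to a chain: it extracts the subject, issuer and basic constraints from the text output of openssl x509 -noout -text for each certificate (root first, the CA under test last) and reports every violated rule. The sample dumps are constructed for the example; the path length logic follows RFC 5280, Section 4.2.1.9, under which self-issued certificates (subject equal to issuer, such as CA key rollover certificates) do not count toward pathlen.

```python
"""Added example (not EJBCA code): apply the basic constraints rules to a CA
certificate chain, using the text output of `openssl x509 -noout -text` for
each certificate as input. Chain order is root first, CA under test last."""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class CertInfo:
    subject: str
    issuer: str
    has_basic_constraints: bool
    is_ca: bool
    path_len: Optional[int]  # None: no pathlen constraint present

    @property
    def self_issued(self) -> bool:
        # RFC 5280 4.2.1.9: self-issued certificates (subject == issuer,
        # e.g. a CA key rollover certificate) do not count against pathlen.
        return self.subject == self.issuer


def parse_openssl_text(text: str) -> CertInfo:
    """Pull subject, issuer and basic constraints out of one -text dump."""
    def name(field: str) -> str:
        m = re.search(rf"^\s*{field}:\s*(.+)$", text, re.M)
        return m.group(1).strip() if m else ""

    m = re.search(
        r"X509v3 Basic Constraints:[^\n]*\n\s*CA:(TRUE|FALSE)(?:,\s*pathlen:(\d+))?",
        text,
    )
    if m is None:
        return CertInfo(name("Subject"), name("Issuer"), False, False, None)
    path_len = int(m.group(2)) if m.group(2) is not None else None
    return CertInfo(name("Subject"), name("Issuer"), True, m.group(1) == "TRUE", path_len)


def check_chain(chain: List[CertInfo]) -> List[str]:
    """Return one finding per violated rule; an empty list means the chain is fine."""
    findings = []
    for i, cert in enumerate(chain):
        if not cert.has_basic_constraints:
            findings.append(f"{cert.subject}: basic constraints extension missing")
            continue
        if not cert.is_ca:
            findings.append(f"{cert.subject}: CA:FALSE in a CA chain")
        if cert.path_len is not None:
            # pathlen limits how many non-self-issued CA certificates may follow.
            below = sum(1 for c in chain[i + 1:] if not c.self_issued)
            if below > cert.path_len:
                findings.append(
                    f"{cert.subject}: pathlen:{cert.path_len} but "
                    f"{below} subordinate CA certificate(s) follow it"
                )
    return findings


# Constructed sample (trimmed -text output): a three-level chain whose root
# allows one level of subordinate CAs and whose intermediate allows none.
SAMPLE_CHAIN = [
    """Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN = Example Root CA
        Subject: CN = Example Root CA
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:1
""",
    """Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN = Example Root CA
        Subject: CN = Example Intermediate CA
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE, pathlen:0
""",
    """Certificate:
    Data:
        Version: 3 (0x2)
        Issuer: CN = Example Intermediate CA
        Subject: CN = Example Issuing CA
        X509v3 extensions:
            X509v3 Basic Constraints: critical
                CA:TRUE
""",
]


def check_sample() -> List[str]:
    return check_chain([parse_openssl_text(t) for t in SAMPLE_CHAIN])


if __name__ == "__main__":
    for finding in check_sample():
        print(finding)
```

Run openssl x509 -noout -text against each certificate of the chain and pass the outputs in order. Because openssl x509 reads only the first certificate of a file, a concatenated chain.pem can be dumped in full with openssl crl2pkcs7 -nocrl -certfile chain.pem | openssl pkcs7 -print_certs -noout -text and split on the Certificate: lines. In the sample, the root permits one subordinate CA level but two follow it, and the intermediate permits none but is followed by the issuing CA, so both are reported; dropping the issuing CA leaves a chain that passes.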

ECC With Key Encipherment

Produces one ticket with priority WARN for each certificate profile that allows an ECC-based signature scheme (such as ECDSA) while also having the key usage keyEncipherment enabled.

Section 3 of RFC 5480 defines the keyUsage bits permitted for certificates whose Subject Public Key Information carries an elliptic curve key: digitalSignature, nonRepudiation and keyAgreement (plus keyCertSign and cRLSign for CA certificates). keyEncipherment is not on the list, because an EC public key cannot encrypt a symmetric key the way an RSA key can; key establishment with EC keys is done by key agreement (ECDH) and is expressed with the keyAgreement bit. To clear the ticket, remove keyEncipherment from the profile's key usage or stop allowing ECC keys in that profile.

Internal Key Binding Validity Check

Produces one ticket per active internal key binding (for example an OCSP key binding or an authentication key binding) whose certificate is either expired or not yet valid according to EJBCA's local clock.

An internal key binding with an expired or not yet valid certificate cannot function properly: an OCSP responder signing with an expired certificate produces responses that relying parties reject, and a peer will reject an expired authentication certificate. Renew these certificates as soon as possible, and keep the server clock synchronized so that validity periods are evaluated correctly.

Not In Production Mode

Produces a single ticket with priority INFO when EJBCA is running in non-production mode.

In non-production mode it is possible to run system tests (on purpose or by accident) against the instance, and additional tools intended for developers are exposed. For security reasons, a production environment should never have an instance running in non-production mode.

To put EJBCA in production mode, set the following property in the configuration file ejbca.properties and redeploy EJBCA:

Switch to production mode
ejbca.productionmode=true

End Entity/Certificate Profile Pair Without Any Certificate Authorities in Common

Produces one ticket with priority ERROR for each end entity profile/certificate profile pair without any certificate authorities in common.

The end entity profile has an Available CAs setting that restricts which CAs may issue certificates to end entities using that profile:

[Screenshot: Available CAs setting in the end entity profile]

The certificate profile has a corresponding list of available certificate authorities. It is considered a misconfiguration if none of the certificate authorities selected in the end entity profile are also selected in the certificate profile's list, since it will then be impossible to issue any certificate with that combination of profiles. To resolve the ticket, select at least one CA that appears in both lists.