ejbca

NPE during renewal of super admin certificate


We have a super admin certificate that expired. We tried to renew it using ejbca.sh, and it failed in the last step:

    [jboss@63a2ea1bfbfd bin]$ ./ejbca.sh batch
    ./ejbca.sh: line 3: which: command not found
    Use 'batch --help' for additional options.
    Generating keys in directory /tmp/p12.
    Generating for end entities with status NEW.
    Batch generating 2 users.
    java.lang.NullPointerException
        at org.cesecore.configuration.GlobalConfigurationSessionBean$GlobalConfigurationCacheHolder.updateConfiguration(GlobalConfigurationSessionBean.java:281)
        at org.cesecore.configuration.GlobalConfigurationSessionBean.getCachedConfiguration(GlobalConfigurationSessionBean.java:141)

Version 6.5.0-Alpha, installed on JBoss 7.1.1. Any idea why this NPE occurs?

Thanks


Solution

  • Thanks @primetomas, I finally fixed the issue.

    1. The crypto token related to the admin CA was offline. The NPE mentioned in the question was solved after activating it. In order to avoid that NPE and show the real exception, I had to update, in cesecore-ejb, the file org.cesecore.configuration.GlobalConfigurationSessionBean to prevent the NPE if caches does not contain the key.

          public void updateConfiguration(final ConfigurationBase conf, final String configId) {
              if (caches.containsKey(configId)) {
                  caches.get(configId).updateConfiguration(conf);
              } else {
                  // No cache is registered for this configId: skip the update instead of throwing an NPE
                  System.out.println(String.format("updateConfiguration(%s) skipped as there is no cache for it ", new Object[] {configId}));
              }
          }
      
    2. After that fix, another NPE was fixed in cesecore-common at org.cesecore.certificates.ca.X509CA:

          // Check that the certificate fulfills name constraints
          if (cacert instanceof X509Certificate) {
              GeneralNames altNameGNs = null;
              // Default to "" to prevent an NPE later ("" + null would yield the literal string "null")
              String altName = subject.getSubjectAltName();
              if (altName == null) {
                  altName = "";
              }
              if (certProfile.getUseSubjectAltNameSubSet()) {
                  altName = certProfile.createSubjectAltNameSubSet(altName);
              }
              if (altName != null && altName.length() > 0) {
                  altNameGNs = CertTools.getGeneralNamesFromAltName(altName);
              }
              CertTools.checkNameConstraints((X509Certificate) cacert, subjectDNName, altNameGNs);
          }