KUR does not work properly in RA mode

[XYQ202]

I've solved the problem with runtimes like IR and KUR in client mode. However, in RA mode, the IR request can run normally, but the KUR cannot run normally, and the problem has not been found. In RA mode, is it necessary to add a cmp alisas to the CMP configuration, and then configure it?

Your official manual is too simple to write, it is not good for the basic operations that the CA does not understand.

The cmp alias I added in the CMP configuration of CA UI is opensslra, and the others are not specially configured. The configuration is as follows:

Please help to see what other configuration is needed.

When I run:openssl cmp -cmd ir -server http://192.168.32.146:8080 -path ejbca/publicweb/cmp/opensslra -srvcert ManagementCA.cacert.pem -ref rauser -secret pass:password -certout cl_cert.pem -newkey cl_key.pem -subject "/CN=rauser/O=sunwave/C=SE" -verbosity 8
It works fine, the terminal prints the following:

The certificate is registered from EJBCA normally, and the corresponding end entity is generated at the same time.

But when I want to renew the certificate:
openssl cmp -cmd kur -server http://192.168.32.146:8080 -path ejbca/publicweb/cmp/opensslra -srvcert ManagementCA.cacert.pem -verbosity 8 -key cl_key.pem -cert cl_cert.pem -certout cl_new_cert.pem -newkey cl_new_key.pem
Run as follows:

I need some help, I think it's something that is not configured in my CA UI, because I solve the client mode is to do some configuration on the end entity in the CA UI, before I can register the certificate and update the certificate.

[XYQ202]

Can your devs help?

[primetomas]

As mentioned in #57 and in #58. You should look in the server.log (which is described where it is in #57). It should be visible there what goes wrong when you issue a KUR. @Realiserad also pointed to a repo with sample commands.

If you issue a KUR, that fails, keep an eye on server.log and you can attach the full output (during the KUR command running) here.

[XYQ202]

Thanks, I typed out the log of server.log. The log when I run KUR is as follows:

2022-07-15 09:04:42,817 DEBUG [org.cesecore.configuration.GlobalConfigurationSessionBean] (default task-17) Reading Configuration: AVAILABLE_PROTOCOLS
2022-07-15 09:04:42,822 DEBUG [org.cesecore.configuration.GlobalConfigurationSessionBean] (default task-17) No default GlobalConfiguration exists. Creating a new one.
2022-07-15 09:04:42,823 DEBUG [org.ejbca.util.ServiceControlFilter] (default task-17) Access to service CMP is allowed. HTTP request http://192.168.32.148/ejbca/publicweb/cmp/opensslra is let through.
2022-07-15 09:04:42,824 DEBUG [org.cesecore.certificates.ca.CaSessionBean] (default task-17) CA with ID 1812405533 will be checked for updates.
2022-07-15 09:04:42,845 DEBUG [org.cesecore.certificates.ca.CABaseCommon] (default task-17) implementation classname for extended service type: 3 is org.ejbca.core.model.ca.caadmin.extendedcaservices.CmsCAService
2022-07-15 09:04:42,845 DEBUG [org.ejbca.core.model.ca.caadmin.extendedcaservices.CmsCAService] (default task-17) Not trying to load KEYSTORE for inactive CmsCAService, subjectDN:'CN=CmsCertificate, CN=ManagementCA,O=Example CA,C=SE'.
2022-07-15 09:04:42,845 DEBUG [org.cesecore.certificates.ca.CABaseCommon] (default task-17) implementation classname for extended service type: 5 is org.ejbca.core.model.ca.caadmin.extendedcaservices.KeyRecoveryCAService
2022-07-15 09:04:42,845 DEBUG [org.cesecore.config.CesecoreConfiguration] (default task-17) Using default value of 20 for new CA's ca.serialnumberoctetsize
2022-07-15 09:04:42,846 DEBUG [org.cesecore.certificates.ca.CABaseCommon] (default task-17) CA certificate chain is 1 levels deep.
2022-07-15 09:04:42,846 DEBUG [org.cesecore.certificates.ca.CABaseCommon] (default task-17) CA-cert subjectDN: CN=ManagementCA,O=Example CA,C=SE
2022-07-15 09:04:42,846 DEBUG [org.cesecore.certificates.ca.CABaseCommon] (default task-17) CA-cert issuerDN: CN=ManagementCA,O=Example CA,C=SE
2022-07-15 09:04:42,846 DEBUG [org.cesecore.certificates.ca.CAData] (default task-17) CAData.getProtectString gives size: 9454
2022-07-15 09:04:42,846 DEBUG [org.cesecore.certificates.ca.CABaseCommon] (default task-17) implementation classname for extended service type: 3 is org.ejbca.core.model.ca.caadmin.extendedcaservices.CmsCAService
2022-07-15 09:04:42,846 DEBUG [org.ejbca.core.model.ca.caadmin.extendedcaservices.CmsCAService] (default task-17) Not trying to load KEYSTORE for inactive CmsCAService, subjectDN:'CN=CmsCertificate, CN=ManagementCA,O=Example CA,C=SE'.
2022-07-15 09:04:42,846 DEBUG [org.cesecore.certificates.ca.CABaseCommon] (default task-17) implementation classname for extended service type: 5 is org.ejbca.core.model.ca.caadmin.extendedcaservices.KeyRecoveryCAService
2022-07-15 09:04:42,846 DEBUG [org.cesecore.config.CesecoreConfiguration] (default task-17) Using default value of 20 for new CA's ca.serialnumberoctetsize
2022-07-15 09:04:42,846 DEBUG [org.cesecore.internal.CommonCacheBase] (default task-17) Update not needed X509CAImpl in cache. Digest was -182702633, cacheEntry digest was -182702633
2022-07-15 09:04:42,847 DEBUG [org.cesecore.certificates.ca.CABaseCommon] (default task-17) CA certificate chain is 1 levels deep.
2022-07-15 09:04:42,847 DEBUG [org.cesecore.certificates.ca.CABaseCommon] (default task-17) CA-cert subjectDN: CN=ManagementCA,O=Example CA,C=SE
2022-07-15 09:04:42,847 DEBUG [org.cesecore.certificates.ca.CABaseCommon] (default task-17) CA-cert issuerDN: CN=ManagementCA,O=Example CA,C=SE
2022-07-15 09:04:42,847 DEBUG [org.cesecore.authorization.AuthorizationSessionBean] (default task-17) cmpProtocolAuthCheck has the following access rules:
allow /
2022-07-15 09:04:42,856 DEBUG [org.cesecore.authorization.AuthorizationCache] (default task-17) Added entry for key 'AlwaysAllowLocalAuthenticationToken;fbc45fe018830de401f0cf801177a57d0039bc72d922b8ff2c82af7af05dd32b;null'.
2022-07-15 09:04:42,857 DEBUG [org.ejbca.ui.web.protocol.CmpServlet] (default task-17) Using CMP configuration alias: opensslra
2022-07-15 09:04:42,857 INFO [org.ejbca.ui.web.protocol.CmpServlet] (default task-17) CMP message received from: 192.168.32.148, for CMP alias: opensslra
2022-07-15 09:04:42,857 DEBUG [org.cesecore.certificates.ca.CaSessionBean] (default task-17) Returning CA from cache for CA ID: 1812405533
2022-07-15 09:04:42,857 DEBUG [org.cesecore.certificates.ca.CABaseCommon] (default task-17) CA certificate chain is 1 levels deep.
2022-07-15 09:04:42,857 DEBUG [org.cesecore.certificates.ca.CABaseCommon] (default task-17) CA-cert subjectDN: CN=ManagementCA,O=Example CA,C=SE
2022-07-15 09:04:42,857 DEBUG [org.cesecore.certificates.ca.CABaseCommon] (default task-17) CA-cert issuerDN: CN=ManagementCA,O=Example CA,C=SE
2022-07-15 09:04:42,857 DEBUG [org.cesecore.configuration.GlobalConfigurationSessionBean] (default task-17) Reading Configuration: 1
2022-07-15 09:04:42,884 DEBUG [org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean] (default task-17) Received CMP message with pvno=2, sender=4: CN=rauser,O=sunwave,C=SE, recipient=4: CN=ManagementCA,O=Example CA,C=SE
Cmp configuration alias: opensslra
The CMP message is already authenticated: false
Body is of type: 7
Transaction ID: #279a93d987fbb937115959a26771380d
2022-07-15 09:04:42,885 INFO [org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean] (default task-17) Dispatching message of type 7 with transaction ID: #279a93d987fbb937115959a26771380d
2022-07-15 09:04:42,918 DEBUG [org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean] (default task-17) Add CA certificates of CAs '' to the CMP response message caPubs field.
2022-07-15 09:04:42,918 DEBUG [org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean] (default task-17) Add CA certificates of CAs '' to the PKI response message extraCerts field.
2022-07-15 09:04:42,918 DEBUG [org.ejbca.core.protocol.cmp.CrmfKeyUpdateHandler] (default task-17) CMP running on RA mode: true
2022-07-15 09:04:42,918 DEBUG [org.ejbca.core.protocol.cmp.CrmfKeyUpdateHandler] (default task-17) CRMF request message (update) header has protection alg: 1.2.840.113549.1.1.11
2022-07-15 09:04:42,918 INFO [org.ejbca.core.protocol.cmp.CrmfKeyUpdateHandler] (default task-17) EndEntityCertificate authentication module is not configured. For a KeyUpdate request to be authentication in RA mode, EndEntityCertificate authentication module has to be set and configured
2022-07-15 09:04:42,918 DEBUG [org.ejbca.core.protocol.cmp.CmpMessageHelper] (default task-17) Creating an unprotected error message with failInfo=2, failText=EndEntityCertificate authentication module is not configured. For a KeyUpdate request to be authentication in RA mode, EndEntityCertificate authentication module has to be set and configured
2022-07-15 09:04:42,920 DEBUG [org.ejbca.core.protocol.cmp.CmpErrorResponseMessage] (default task-17) Create error message from requestType: 23
2022-07-15 09:04:42,920 DEBUG [org.ejbca.core.protocol.cmp.CmpMessageDispatcherSessionBean] (default task-17) Received a response message of type 'org.ejbca.core.protocol.cmp.CmpErrorResponseMessage' from CmpMessageHandler.
2022-07-15 09:04:42,921 DEBUG [org.ejbca.ui.web.pub.ServletUtils] (default task-17) Adding Pragma header
2022-07-15 09:04:42,921 DEBUG [org.ejbca.ui.web.pub.ServletUtils] (default task-17) Adding Cache-Control header
2022-07-15 09:04:42,928 DEBUG [org.ejbca.ui.web.RequestHelper] (default task-17) Sent 414 bytes to client
2022-07-15 09:04:42,928 INFO [org.ejbca.ui.web.protocol.CmpServlet] (default task-17) Sent a CMP response to: 192.168.32.148, process time 71.

[XYQ202]

According to the log information, the error appears here:
Creating an unprotected error message with failInfo=2, failText=EndEntityCertificate authentication module is not configured. For a KeyUpdate request to be authentication in RA mode, EndEntityCertificate authentication module has to be set and configured.

Can you guys help me out, what do I need to do to run the KUR request？

[primetomas]

In the CMP alias there is a multi-select option for Authentication Module. The Certificate authentication checkbox need to be selected (also).