Upgrade from EJBCA 6.1.1.3 to the latest

[fgn-itsupport]

I have still an old EJBCA instance running which I want to upgrade to the latest version.
I already migrated the trust-/keystores to the EJBCA Container based version in the same release. Which seems to work. The non Admin area is usable and the superadmin.p12 has been signed by the old ca cert imported via the trust-/keystore from the old instance. Yet if I use the superadmin.p12 I can't access the admin area with this error:

So I can't verify if everthing is working. Yet I really would want to verify that before I'll continue with the rest of the upgrade.
Can someone help me with that?

[dobicinaitis]

I already migrated the trust-/keystores to the EJBCA Container based version in the same release.

Where did you find the container for 6.1.1.3? Or did you use the latest container? If so, how did you start it, and does the log contain any errors?

[fgn-itsupport]

I didn't find any offical container for 6.1.1.3 so I built one based on this: https://github.com/tsaarni/docker-ejbca
It works without any modification and has a working access.
I replaced the key-/truststore as well as the config files addressing the location for the stores.
I haven't seen any specific errors in the logs.

[primetomas]

That error typically means that the server, on the TLS connection level, does not recognize your client certificate. This in turn is typically because the (Root) CA certificate of the CA that issued your client certificate is not available in the truststore of the server.

When accessing, does your browser ask you for a client certificate to start with?

you can use "openssl s_client" to see what the server actually sends back to the client as "trusted CAs".

[fgn-itsupport]

Yes, it does ask for the client cert and it does accept it as well. Yet it still fails with the errors shown in the log entries below.

[fgn-itsupport]

I've replaced the key-/truststore again, created a new superadmin with:

ejbca.sh ra setuserstatus superadmin 10
ejbca.sh ra setclearpwd superadmin
ejbca.sh batch

the new superadmin.p12 get's created and has the right pw.
Yet when I import it into the browser, it still complains like this in the ejbca los:

13:16:45,800 INFO [org.ejbca.core.ejb.services.ServiceSessionBean] (EJB default - 2) Service CRL Update Service 1 executed successfully.
13:17:57,896 INFO [org.ejbca.core.ejb.authentication.web.WebAuthenticationProviderSessionBean] (http--0.0.0.0-8443-1) The certificate is revoked or cannot be located in the database. SubjectDN 'CN=SuperAdmin'.
13:17:57,897 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (http--0.0.0.0-8443-1) 2025-11-13 13:17:57+00:00;AUTHENTICATION;FAILURE;ADMINWEB;EJBCA;none;;;;msg=The certificate is revoked or cannot be located in the database. SubjectDN 'CN=SuperAdmin'.
13:18:04,721 INFO [org.ejbca.core.ejb.authentication.web.WebAuthenticationProviderSessionBean] (http--0.0.0.0-8443-1) The certificate is revoked or cannot be located in the database. SubjectDN 'CN=SuperAdmin'.
13:18:04,722 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (http--0.0.0.0-8443-1) 2025-11-13 13:18:04+00:00;AUTHENTICATION;FAILURE;ADMINWEB;EJBCA;none;;;;msg=The certificate is revoked or cannot be located in the database. SubjectDN 'CN=SuperAdmin'.
13:18:07,830 INFO [org.ejbca.core.ejb.authentication.web.WebAuthenticationProviderSessionBean] (http--0.0.0.0-8443-1) The certificate is revoked or cannot be located in the database. SubjectDN 'CN=SuperAdmin'.
13:18:07,831 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (http--0.0.0.0-8443-1) 2025-11-13 13:18:07+00:00;AUTHENTICATION;FAILURE;ADMINWEB;EJBCA;none;;;;msg=The certificate is revoked or cannot be located in the database. SubjectDN 'CN=SuperAdmin'.
13:18:08,006 INFO [org.ejbca.core.ejb.authentication.web.WebAuthenticationProviderSessionBean] (http--0.0.0.0-8443-1) The certificate is revoked or cannot be located in the database. SubjectDN 'CN=SuperAdmin'.
13:18:08,006 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (http--0.0.0.0-8443-1) 2025-11-13 13:18:08+00:00;AUTHENTICATION;FAILURE;ADMINWEB;EJBCA;none;;;;msg=The certificate is revoked or cannot be located in the database. SubjectDN 'CN=SuperAdmin'.
13:18:08,222 INFO [org.ejbca.core.ejb.authentication.web.WebAuthenticationProviderSessionBean] (http--0.0.0.0-8443-1) The certificate is revoked or cannot be located in the database. SubjectDN 'CN=SuperAdmin'.
13:18:08,223 INFO [org.cesecore.audit.impl.log4j.Log4jDevice] (http--0.0.0.0-8443-1) 2025-11-13 13:18:08+00:00;AUTHENTICATION;FAILURE;ADMINWEB;EJBCA;none;;;;msg=The certificate is revoked or cannot be located in the database. SubjectDN 'CN=SuperAdmin'.

[primetomas]

It's a setting both in "Edit CA" and "Certificate Profiles". The setting is called "Use Certificate Storage" and "Store Certificate Data", and should be checked in all places.

[fgn-itsupport]

How do I configured that if I don't have access to the WebUI?

[primetomas]

I don't know, it's you old instance right? You had access to Web UI sometime I hope?

If you make a fresh installation, say using the container quickstart, you will get access to Web UI.
https://docs.keyfactor.com/ejbca/latest/quick-start-guide-start-ejbca-container-with-clien

[fgn-itsupport]

Yes, if I do a fresh restart, I'll get access to the WebUI. Question is how do I get the old config importend and still get access to the WebUI.
I've tried to find something which gives me access without Cert so I can modify everything and fix the access. But till now, I haven't found anything that worked. Even the documentation doesn't seem to mention something which gives me the option to enable the User/PW auth instead of the usercert auth which is set by default. Even the Superadmin cert is being created and placed into the certstore, yet for some reason it's not being recognised and I can't figure out why.

[primetomas]

Reading back here, it says that you want to upgrade. But it seems you are migrating things, and you were not running a container before you started the upgrade process?. Assuming that you are running an external database, pure software upgrades are just a matter of starting a new version of EJBCA (sometimes with updated appserver and java of course) pointing to the same database. https://docs.keyfactor.com/ejbca-software/latest/upgrade-ejbca-software-stack
A standard upgrade process doesn't create any new superadmin certificates and such.

What is your upgrade process you are following?