No client certificate requested when accessing EJBCA adminweb #1023

tn-tickler · 2026-02-19T12:24:39Z

tn-tickler
Feb 19, 2026

I have an EJBCA Community instance installed that does not ask for a certificate when trying to access the admin web. I am currently only able to access the admin web if I set web.reqauth=true and allow PublicAccessAuthenticationToken:TRANSPORT_ANY with the super admin roles. The CLI and client toolbox work as expected. EJBCA Community was installed/built with ant from source.

12:07:19,436 ERROR [org.ejbca.ui.web.admin.configuration.EjbcaJSFHelperImpl] (default task-1: 52122302) Failed to initialize EjbcaWebBean: org.cesecore.authentication.AuthenticationNotProvidedException: Client certificate or OAuth bearer token required. at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.configuration.EjbcaWebBeanImpl.initializeInternal(EjbcaWebBeanImpl.java:310) at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.configuration.EjbcaWebBeanImpl.initialize(EjbcaWebBeanImpl.java:271) at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.configuration.EjbcaJSFHelperImpl.getEjbcaWebBean(EjbcaJSFHelperImpl.java:147) at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.BaseManagedBean.getEjbcaWebBean(BaseManagedBean.java:82) at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.BaseManagedBean.authorizedResources(BaseManagedBean.java:75) at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.CheckAdmin.authorizedResources(CheckAdmin.java:48) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at java.base/jdk.internal.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:77) at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.base/java.lang.reflect.Method.invoke(Method.java:569) at org.glassfish.expressly@5.0.0//org.glassfish.expressly.util.ReflectionUtil.invokeMethod(ReflectionUtil.java:186) at org.glassfish.expressly@5.0.0//org.glassfish.expressly.parser.AstValue.invoke(AstValue.java:253) at org.glassfish.expressly@5.0.0//org.glassfish.expressly.MethodExpressionImpl.invoke(MethodExpressionImpl.java:248) at org.jboss.weld.core@5.1.4.Final//org.jboss.weld.module.web.util.el.ForwardingMethodExpression.invoke(ForwardingMethodExpression.java:40) at org.jboss.weld.core@5.1.4.Final//org.jboss.weld.module.web.el.WeldMethodExpression.invoke(WeldMethodExpression.java:50) at jakarta.faces.impl@4.0.8//com.sun.faces.facelets.el.TagMethodExpression.invoke(TagMethodExpression.java:70) at jakarta.faces.impl@4.0.8//com.sun.faces.facelets.tag.faces.core.DeclarativeSystemEventListener.processEvent(EventHandler.java:105) at jakarta.faces.impl@4.0.8//jakarta.faces.component.UIComponent$ComponentSystemEventListenerAdapter.processEvent(UIComponent.java:2017) at jakarta.faces.impl@4.0.8//jakarta.faces.event.SystemEvent.processListener(SystemEvent.java:124) at jakarta.faces.impl@4.0.8//jakarta.faces.event.ComponentSystemEvent.processListener(ComponentSystemEvent.java:109) at jakarta.faces.impl@4.0.8//com.sun.faces.application.applicationimpl.Events.processListeners(Events.java:242) at jakarta.faces.impl@4.0.8//com.sun.faces.application.applicationimpl.Events.invokeComponentListenersFor(Events.java:177) at jakarta.faces.impl@4.0.8//com.sun.faces.application.applicationimpl.Events.publishEvent(Events.java:98) at jakarta.faces.impl@4.0.8//com.sun.faces.application.ApplicationImpl.publishEvent(ApplicationImpl.java:120) at jakarta.faces.impl@4.0.8//com.sun.faces.application.ApplicationImpl.publishEvent(ApplicationImpl.java:112) at jakarta.faces.impl@4.0.8//jakarta.faces.application.ApplicationWrapper.publishEvent(ApplicationWrapper.java:660) at jakarta.faces.impl@4.0.8//com.sun.faces.lifecycle.RenderResponsePhase.execute(RenderResponsePhase.java:81) at jakarta.faces.impl@4.0.8//com.sun.faces.lifecycle.Phase.doPhase(Phase.java:72) at jakarta.faces.impl@4.0.8//com.sun.faces.lifecycle.LifecycleImpl.render(LifecycleImpl.java:150) at jakarta.faces.impl@4.0.8//jakarta.faces.webapp.FacesServlet.executeLifecyle(FacesServlet.java:692) at jakarta.faces.impl@4.0.8//jakarta.faces.webapp.FacesServlet.service(FacesServlet.java:449) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.ServletHandler.handleRequest(ServletHandler.java:74) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:129) at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.CharEncodingFilter.doFilter(CharEncodingFilter.java:32) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.NoCacheFilter.doFilter(NoCacheFilter.java:68) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at deployment.ejbca.ear//org.owasp.filters.ContentSecurityPolicyFilter.doFilter(ContentSecurityPolicyFilter.java:151) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at deployment.ejbca.ear.adminweb.war//org.ejbca.ui.web.admin.ProxiedAuthenticationFilter.doFilter(ProxiedAuthenticationFilter.java:104) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at deployment.ejbca.ear//org.ejbca.util.RequestIdFilter.doFilter(RequestIdFilter.java:35) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.core.ManagedFilter.doFilter(ManagedFilter.java:67) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.FilterHandler$FilterChainImpl.doFilter(FilterHandler.java:131) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.FilterHandler.handleRequest(FilterHandler.java:84) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.security.ServletSecurityRoleHandler.handleRequest(ServletSecurityRoleHandler.java:62) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.ServletChain$1.handleRequest(ServletChain.java:68) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.ServletDispatchingHandler.handleRequest(ServletDispatchingHandler.java:36) at org.wildfly.security.elytron-web.undertow-server@4.1.0.Final//org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.lambda$handleRequest$1(ElytronRunAsHandler.java:68) at org.wildfly.security.elytron-base@2.6.0.Final//org.wildfly.security.auth.server.FlexibleIdentityAssociation.runAsFunctionEx(FlexibleIdentityAssociation.java:103) at org.wildfly.security.elytron-base@2.6.0.Final//org.wildfly.security.auth.server.Scoped.runAsFunctionEx(Scoped.java:161) at org.wildfly.security.elytron-base@2.6.0.Final//org.wildfly.security.auth.server.Scoped.runAs(Scoped.java:73) at org.wildfly.security.elytron-web.undertow-server@4.1.0.Final//org.wildfly.elytron.web.undertow.server.ElytronRunAsHandler.handleRequest(ElytronRunAsHandler.java:67) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.RedirectDirHandler.handleRequest(RedirectDirHandler.java:68) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.security.SSLInformationAssociationHandler.handleRequest(SSLInformationAssociationHandler.java:117) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.security.ServletAuthenticationCallHandler.handleRequest(ServletAuthenticationCallHandler.java:57) at io.undertow.core@2.3.18.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.core@2.3.18.Final//io.undertow.security.handlers.AuthenticationConstraintHandler.handleRequest(AuthenticationConstraintHandler.java:53) at io.undertow.core@2.3.18.Final//io.undertow.security.handlers.AbstractConfidentialityHandler.handleRequest(AbstractConfidentialityHandler.java:46) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.security.ServletConfidentialityConstraintHandler.handleRequest(ServletConfidentialityConstraintHandler.java:64) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.security.ServletSecurityConstraintHandler.handleRequest(ServletSecurityConstraintHandler.java:60) at io.undertow.core@2.3.18.Final//io.undertow.security.handlers.AbstractSecurityContextAssociationHandler.handleRequest(AbstractSecurityContextAssociationHandler.java:43) at org.wildfly.security.elytron-web.undertow-server-servlet@4.1.0.Final//org.wildfly.elytron.web.undertow.server.servlet.CleanUpHandler.handleRequest(CleanUpHandler.java:38) at io.undertow.core@2.3.18.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow@35.0.1.Final//org.wildfly.extension.undertow.security.jacc.JACCContextIdHandler.handleRequest(JACCContextIdHandler.java:44) at io.undertow.core@2.3.18.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at org.wildfly.extension.undertow@35.0.1.Final//org.wildfly.extension.undertow.deployment.GlobalRequestControllerHandler.handleRequest(GlobalRequestControllerHandler.java:51) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.SendErrorPageHandler.handleRequest(SendErrorPageHandler.java:52) at io.undertow.core@2.3.18.Final//io.undertow.server.handlers.PredicateHandler.handleRequest(PredicateHandler.java:43) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.ServletInitialHandler.handleFirstRequest(ServletInitialHandler.java:276) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:135) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.ServletInitialHandler$2.call(ServletInitialHandler.java:132) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.core.ServletRequestContextThreadSetupAction$1.call(ServletRequestContextThreadSetupAction.java:48) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.core.ContextClassLoaderSetupAction$1.call(ContextClassLoaderSetupAction.java:43) at org.wildfly.extension.undertow@35.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1421) at org.wildfly.extension.undertow@35.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1421) at org.wildfly.extension.undertow@35.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1421) at org.wildfly.extension.undertow@35.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1421) at org.wildfly.extension.undertow@35.0.1.Final//org.wildfly.extension.undertow.deployment.UndertowDeploymentInfoService$UndertowThreadSetupAction.lambda$create$0(UndertowDeploymentInfoService.java:1421) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.ServletInitialHandler.dispatchRequest(ServletInitialHandler.java:256) at io.undertow.servlet@2.3.18.Final//io.undertow.servlet.handlers.ServletInitialHandler$1.handleRequest(ServletInitialHandler.java:101) at io.undertow.core@2.3.18.Final//io.undertow.server.Connectors.executeRootHandler(Connectors.java:395) at io.undertow.core@2.3.18.Final//io.undertow.server.HttpServerExchange$1.run(HttpServerExchange.java:861) at org.jboss.threads@2.4.0.Final//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990) at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) at org.jboss.threads@2.4.0.Final//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1348) at org.jboss.xnio@3.8.16.Final//org.xnio.XnioWorker$WorkerThreadFactory$1$1.run(XnioWorker.java:1282) at java.base/java.lang.Thread.run(Thread.java:840)

Trying to fetch currently used server properties...
12:16:15,931 INFO  [org.cesecore.audit.impl.log4j.Log4jDevice] (default task-1) 2026-02-19 12:16:15+00:00;ACCESS_CONTROL;SUCCESS;ACCESSCONTROL;CORE;ejbca;;;;resource0=/system_functionality/edit_systemconfiguration
 java.specification.version = 17
 web.log.adminforwardedip = true
 logging.configuration = file:/opt/wildfly/standalone/configuration/logging.properties
 sun.jnu.encoding = ANSI_X3.4-1968
 community.version = EJBCA 9.3.7 Community (working copy)
 org.jboss.resolver.warning = true
 sun.arch.data.model = 64
 web.reqcertindb = true
 java.vendor.url = https://ubuntu.com/
 httpsserver.tokentype = P12
 org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH = true
 sun.boot.library.path = /usr/lib/jvm/java-17-openjdk-amd64/lib
 sun.java.command = /opt/wildfly/jboss-modules.jar -mp /opt/wildfly/modules org.jboss.as.standalone -Djboss.home.dir=/opt/wildfly -Djboss.server.base.dir=/opt/wildfly/standalone
 jdk.debug = release
 database.driver = com.mysql.cj.jdbc.Driver
 sun.stderr.encoding = ANSI_X3.4-1968
 java.specification.vendor = Oracle Corporation
 java.naming.factory.url.pkgs = org.jboss.as.naming.interfaces
 superadmin.cn = SA_crh
 java.version.date = 2026-01-20
 java.home = /usr/lib/jvm/java-17-openjdk-amd64
 app.version = EJBCA 9.3.7 Enterprise (working copy)
 jboss.server.persist.config = true
 file.separator = /
 java.vm.compressedOopsMode = 32-bit
 jboss.server.data.dir = /opt/wildfly/standalone/data
 sun.stdout.encoding = ANSI_X3.4-1968
 line.separator =

 java.vm.specification.vendor = Oracle Corporation
 java.specification.name = Java Platform API Specification
 web.log.adminremoteip = true
 jboss.server.base.dir = /opt/wildfly/standalone
 datasource.jndi-name = EjbcaDS
 git.revision = working copy
 jdk.tls.ephemeralDHKeySize = 2048
 superadmin.password = password
 java.protocol.handler.pkgs = org.jboss.net.protocol|org.jboss.vfs.protocol
 sun.management.compiler = HotSpot 64-Bit Tiered Compilers
 java.runtime.version = 17.0.18+8-Ubuntu-122.04.1
 user.name = wildfly
 app.edition.verbose = Enterprise
 database.username = ejbca
 app.version.number = 9.3.7
 file.encoding = ANSI_X3.4-1968
 java.io.tmpdir = /tmp
 org.jboss.boot.log.file = /opt/wildfly/standalone/log/server.log
 java.version = 17.0.18
 jboss.modules.system.pkgs = org.jboss.byteman
 java.vm.specification.name = Java Virtual Machine Specification
 jboss.host.name = unknown-host
 httpsserver.password = password
 native.encoding = ANSI_X3.4-1968
 jboss.server.name = unknown-host
 module.path = /opt/wildfly/modules
 java.library.path = /usr/java/packages/lib:/usr/lib/x86_64-linux-gnu/jni:/lib/x86_64-linux-gnu:/usr/lib/x86_64-linux-gnu:/usr/lib/jni:/lib:/usr/lib
 java.vendor = Ubuntu
 community.edition.verbose = Community
 java.specification.maintenance.version = 1
 https.protocols = TLSv1.2,TLSv1.3
 sun.io.unicode.encoding = UnicodeLittle
 jboss.server.temp.dir = /opt/wildfly/standalone/tmp
 org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH = true
 ejbca.cli.defaultusername = ejbca
 allow.external-dynamic.configuration = true
 [Standalone] =
 java.class.path = /opt/wildfly/jboss-modules.jar
 jakarta.security.jacc.PolicyConfigurationFactory.provider = org.wildfly.security.authz.jacc.ElytronPolicyConfigurationFactory
 java.vm.vendor = Ubuntu
 ejbca.cli.defaultpassword = ejbca
 user.timezone = Etc/UTC
 os.name = Linux
 java.vm.specification.version = 17
 web.reqauth = true
 user.country = US
 sun.java.launcher = SUN_STANDARD
 jboss.server.config.dir = /opt/wildfly/standalone/configuration
 sun.cpu.endian = little
 user.home = /home/wildfly
 user.language = en
 org.apache.catalina.connector.USE_BODY_ENCODING_FOR_QUERY_STRING = true
 jboss.qualified.host.name = unknown-host.unknown-domain
 java.trustpassword = password
 org.apache.tomcat.util.http.Parameters.MAX_COUNT = 2048
 httpsserver.dn = CN=172.24.0.2
 database.password = ejbca
 java.awt.headless = true
 jboss.tx.node.id = 45
 httpsserver.hostname = 172.24.0.2
 org.apache.xml.security.ignoreLineBreaks = true
 java.security.manager = allow
 java.net.preferIPv4Stack = true
 jboss.home.dir = /opt/wildfly
 appserver.home = /opt/wildfly-35.0.1.Final
 path.separator = :
 superadmin.dn = CN=SA_crh
 os.version = 5.4.0-1127-fips
 java.runtime.name = OpenJDK Runtime Environment
 jdk.tls.client.protocols = TLSv1.2,TLSv1.3
 sun.nio.ch.bugLevel =
 java.vm.name = OpenJDK 64-Bit Server VM
 jboss.server.log.dir = /opt/wildfly/standalone/log
 java.vendor.url.bug = https://bugs.launchpad.net/ubuntu/+source/openjdk-17
 jdk.serialFilter =
 user.dir = /home/wildfly
 os.arch = amd64
 database.name = mysql
 database.url = jdbc:mysql://10.235.90.8:3306/ejbca?characterEncoding=UTF-8
 javax.management.builder.initial = org.jboss.as.jmx.PluggableMBeanServerBuilder
 java.util.logging.manager = org.jboss.logmanager.LogManager
 java.vm.info = mixed mode, sharing
 java.vm.version = 17.0.18+8-Ubuntu-122.04.1
 cluster.nodeid = 172.24.0.2
 org.apache.catalina.connector.URI_ENCODING = UTF-8
 superadmin.batch = true
 jboss.node.name = unknown-host
 java.class.version = 61.0

I get "Authorization Denied: No client certificate was presented" when trying to access adminweb using ports 8442 and 8443 unless web.reqauth is set to false.

primetomas · 2026-02-19T14:04:28Z

primetomas
Feb 19, 2026
Maintainer

Is this a container startup? In that case what command did you use to start it?

2 replies

tn-tickler Feb 19, 2026
Author

Yes, its a docker container. I followed this guide for the most part: https://docs.keyfactor.com/ejbca-software/latest/installation. I launch wildfly with /opt/wildfly/bin/standalone.sh then ant build, ant deployear and ant deploy-keystore.

primetomas Feb 19, 2026
Maintainer

Then it's your own docker container, and not https://hub.docker.com/r/keyfactor/ejbca-ce. So it is likely a wildfly configuration issue, i.e. you didn't configure the TLS setup correctly. You can test it on the official container and see how it looks like.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

No client certificate requested when accessing EJBCA adminweb #1023

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{editor}}'s edit

{{editor}}'s edit

Uh oh!

Replies: 1 comment 2 replies

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Uh oh!

{{title}}

Uh oh!

Select a reply

Uh oh!

No client certificate requested when accessing EJBCA adminweb #1023

Uh oh!

Uh oh!

tn-tickler Feb 19, 2026

Replies: 1 comment · 2 replies

Uh oh!

primetomas Feb 19, 2026 Maintainer

Uh oh!

tn-tickler Feb 19, 2026 Author

Uh oh!

primetomas Feb 19, 2026 Maintainer

tn-tickler
Feb 19, 2026

Replies: 1 comment 2 replies

primetomas
Feb 19, 2026
Maintainer

tn-tickler Feb 19, 2026
Author

primetomas Feb 19, 2026
Maintainer