Error no client certificate or OAuth token received used for authentication

[raxo8]

Hi,
I have deployed ejbca using docker, deployment is successfully completed.
We are facing an issue while invoking the "certificateRequest" endpoint using the soap web service.
We also tested using the clienttool box which also returned the same error "no client certificate or OAuth token received used for authentication ".
Need your kind support.

ERROR :- ejbca | 2023-03-15 06:21:06,540+0000 DEBUG [org.ejbca.core.protocol.ws.logger.TransactionLogger] (default task-5) 2023-03-15 06:21:06.538+0000;eaafb7707f00000165f08f18b794be81;20;2;certificateRequest;org.cesecore.authorization.AuthorizationDeniedException: Error no client certificate or OAuth token received used for authentication.;${ADMIN_DN};${ADMIN_ISSUER_DN}

[primetomas]

Did you use TLS_SETUP_ENABLED="simple"? You should not use that when you want to use client certificate authentication.

[mharrisistl]

I was doing that yes, I have now started from scratch and used the following docker command:

docker run -it --rm -p 80:8080 -p 443:8443 -h mycahostname -e TLS_SETUP_ENABLED="true" keyfactor/ejbca-ce

Now I have got to a position where I can enrol new devices using the rest api, however only when I am using the ManagementCA.pem file and the SuperAdmin.p12 file. Trying to use a CA I have made ( using the youtube tutorials I have MyPKIRootCAG1 and MyPKISubCAG1 CA's ) and client certificate I have made ( made through web ui, enrol -> make new request -> key-pair generation by the CA ) either through Postman or using curl gives me this error:

`curl: (60) SSL certificate problem: self-signed certificate in certificate chain
More details here: https://curl.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it.`

From what I understand, and I am learning as I go, the CA I have created will always have a self signed certificate in the chain. The root CA ( in my case MyPKIRootCAG1 ), has to be self signed, and so any sub CA's ( in my case MyPKISubCAG1 ) must contain a CA that's self signed in the chain. So how do I get around this issue ? Why does using the ManagementCA work as that is also self signed?

Do I have the wrong understanding, or am I missing a step?

[primetomas]

You can connect using for example "openssl s_client", and it will show this. Quite educational for lower level TLS stuff. This specific topic is one thing that is a bit hidden and often comes up as questions.

[13567436138]

@primetomas I face the same problem,can you do me a faver?stuck

[AdityaKoranga]

Hi everyone, I am also facing the same issue.
I am trying the Kubernetes deployment where i have cert-manager and ejbca issuer connected to the ejbca pod.

Now while requesting a new certificate i am able to approve the certificate request manually through cert-manager but after that i am unable to get the cert issued from the ejbca.

In the ejbca-issuer logs i can see:

2026-02-11T22:35:52Z ERROR signer.parseEjbcaError EJBCA returned an error
...
error: "failed to sign: failed to enroll CSR - 403 Forbidden - EJBCA API returned error {"error_code":403,"error_message":"Error no client certificate or OAuth token received for authentication."}"

(Traveling back to home from office, will share more details once reached :)

[AdityaKoranga]

Oh for me the issue got fixed, the ejbca nginx was not configured properly to request client certificate. updated the nginx config to request the client cert and now it is able to process further.

[primetomas]

great to hear, and thanks for posting what the issue was.