If there is an error publishing to the VA database, the VA/OCSP Responder will be out of sync with the CA. It is very important to re-synchronize the databases in that case.
In case of failure to publish to the VA database, the following error message is displayed in the server log on the EJBCA server:
Validation Authority ERROR, publishing is not working
The error message is followed by more details of the error.
The log must be monitored to discover such an error and if discovered, an alarm should notify and prompt the operator to fix the issue and then synchronize the VA database with the EJBCA database.
Synchronize Database of the Responder
At the beginning and after a failure in publishing to the VA responder, the master database of the publishers must be synchronized with the CertificateData and CRLData table of the database of EJBCA.
If you only use OCSP and not CRL store, only the CertificateData table needs to be synchronized. If there is a single certificate out of sync, you can re-sync it by selecting Republish from the Admin GUI.
Follow the steps below to synchronize the EJBCA database with the database of a pure VA instance (for example, where all certificates are issued on another instance).
Note that the following procedure applies for MySQL, and should be adapted to your environment (database, hostnames, database name, and database credentials).
Prevent any further issuing of new certificates and revocation of old certificates until the synchronization is finished, by blocking the port to the Admin GUI.
To enable synchronization, run the following commands on the host of the CA. Run on the OCSP responder machine (as root user in MySQL).
mysql -u ejbca -p ocsp_db
mysql> drop table CertificateData;
mysql> drop table CRLData;
This drops and re-creates the tables containing the certificate and CRL information.
Run the following on the CA server:
mysqldump -u ejbca -p --compress ejbca_db CertificateData > CertificateData.dat
mysqldump -u ejbca -p --compress ejbca_db CRLData > CRLData.dat
cat CertificateData.dat | mysql -h ocspresponder ocsp_db
cat CRLData.dat | mysql -h ocspresponder ocsp_db
This can generally not be done from a Windows machine to a Linux machine, since Windows is not case sensitive.
Check that the publishing is working before allowing issuing and revoking.