Adminweb works even without existence of client certificate (after ejecting hardware token)


I have a weird problem. I made an entity as admin for the CA with custom privileges, and after that I imported its keystore into a hardware token (using "create browser certificate" in the public web) and I imported its certificate into the hardware token as well. Now I use my hardware token to get into the CA's adminweb, but when I eject the hardware token I can still do actions like adding an end entity or creating certificate profiles in adminweb. Is this normal? I mean, obviously it should block me from doing any actions right away after ejecting the hardware token from my PC, because the client keypair and certificate are in the hardware token and they don't exist after ejecting the hardware token, right? If it is not normal, how can I fix it? Is there a config or something for this?

My EJBCA version is 6.0.4 and it is running on Windows 10.

1

There is 1 answer

1
primetomas On

This is an issue between your web browser and your USB token middleware, and has nothing to do with EJBCA. The web browser establishes a TLS connection, where your RSA key on the USB token is used for authentication. However, after authentication, the TLS connection has an open session and does not need to use the RSA key on your USB token any longer, until the session expires or you restart the web browser. So technically, for TLS, this is just as it should be. Your USB token and web browser may have functionality to detect token ejection and close all active sessions. You need to investigate your USB token driver, or talk to that vendor, for this.
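The behaviour the answer describes, reproduced in Go as an added example (not code from the question, the answer, or EJBCA): a server that requires a client certificate, a client that authenticates with one, and then two requests on the same session. Both identities are constructed self-signed certificates with placeholder names ("adminweb", "admin-user"); "ejecting the token" is simulated by never touching the client's private key again after the handshake, and an echo loop stands in for the admin web application.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"io"
	"math/big"
	"time"
)

// selfSigned mints a throwaway self-signed identity (constructed for this demo, not a real PKI) and a trust pool holding only it.
func selfSigned(name string) (tls.Certificate, *x509.CertPool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{name}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	cert, _ := x509.ParseCertificate(der)
	pool := x509.NewCertPool()
	pool.AddCert(cert)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv}, pool
}

// ping sends one request over an already established TLS session and checks the echo.
func ping(c *tls.Conn) bool {
	buf := make([]byte, 4)
	c.Write([]byte("ping"))
	n, err := c.Read(buf)
	return err == nil && string(buf[:n]) == "ping"
}

// Demo reports whether a request is served on a fresh mutual-TLS session, and again on that same session after the client key is "ejected".
func Demo() (first, afterEject bool) {
	srvCert, trustSrv := selfSigned("adminweb")
	cliCert, trustCli := selfSigned("admin-user")
	ln, _ := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{srvCert},
		ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: trustCli}) // the server insists on a client certificate
	defer ln.Close()
	go func() { // echo server: the client certificate is checked during the handshake, once per connection
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			go io.Copy(c, c)
		}
	}()
	if conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{ServerName: "adminweb", RootCAs: trustSrv, Certificates: []tls.Certificate{cliCert}}); err == nil {
		defer conn.Close()
		first = ping(conn)      // the client key signed the handshake; from here on only symmetric session keys are used
		afterEject = ping(conn) // token "ejected" (key never touched again): the established session keeps working
	}
	return
}
```

Both results come back true, which is exactly the point of the answer: once the handshake is over, nothing in TLS consults the client's private key again, so only session expiry, a server-side idle timeout, or middleware that closes sessions on token removal can end the access.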