Hello Alex,

> Please see
> http://wiki.openxpki.org/index.php/Manual/Quickstart/Installation#Setting_up_the_CA_certificate_and_key
> for more information on what needs to be done to get a working CA
> setup. I'd suggest trying it out on the web interface first before doing
> it via OpenXPKI::Client.

We generated the CA certificate using the following commands:

openxpkiadm key generate --realm I18N_OPENXPKI_DEPLOYMENT_TEST_DUMMY_CA --group default
openssl req -config /root/openssl.cnf -extensions ext -days 356 -new -x509 -key cakey.pem -out cacert.pem
openxpkiadm certificate import --file cacert.pem

Unfortunately, we can't see the CA certificate in the web interface after those 
actions ("... your CA should be up and running. You can check that using the 
web interface - use the Download > CA certificates menu to see if your CA is 
listed as usable."), but we can see it via the "openxpkiadm certificate list" 
command:

Certificates in I18N_OPENXPKI_DEPLOYMENT_TEST_DUMMY_CA:

Identifier: cQPyP2spBaYEALeKfOyimVQ6kY8
Alias:
CYBORG

Certificates in self-signed pseudo-realm:

> Hmmm, that looks like an error to me rather than a warning. What's in
> the <secret> section of your config.xml? Was the key created
> successfully?

FYI, the following are the keys we used:

openxpkiadm key list --realm I18N_OPENXPKI_DEPLOYMENT_TEST_DUMMY_CA

CA keys:
Key for purpose CA with ID: testdummyca1
+ /usr/local/etc/openxpki/ca/testdummyca1/cakey.pem
EVAL_ERROR: I18N_OPENXPKI_XML_CACHE_GET_XPATH_COUNT_NOTHING_FOUND; __XPATH__ => pki_realm/0/common/0/secret/0/group/0/method/0/required_shares
Secret group: default
Secret method: plain (n = 1, k = 1)
SCEP keys:
I18N_OPENXPKI_XML_CACHE_GET_XPATH_COUNT_NOTHING_FOUND; __XPATH__ => pki_realm/0/scep
[[email protected] ~]#


The following is the <secret> section of our config.xml:

<secret>
  <group id="default" label="I18N_OPENXPKI_CONFIG_DEFAULT_SECRET_AUTHENTICATION_GROUP">
    <method id="plain">
      <total_shares>1</total_shares>
      <!-- <required_shares>1</required_shares> -->
    </method>

    <cache>
      <type>daemon</type>
      <usage_count>-1</usage_count>
    </cache>
  </group>
</secret>

When we uncomment the "<!-- <required_shares>1</required_shares> -->" line, the 
"EVAL_ERROR: I18N_OPENXPKI_XML_CACHE_GET_XPATH_COUNT_NOTHING_FOUND; __XPATH__ 
=> pki_realm/0/common/0/secret/0/group/0/method/0/required_shares Secret" error 
disappears... but it doesn't affect the presence of the CA certificate in the web 
interface.

Is it possible to check the presence and validity of the CA certificate in a different 
way (not via "openxpkiadm certificate list" or the web interface)?

______________________________
With best regards, Dmitry Golomolzin
INDEC Ltd.
[email protected]
[email protected]

-----Original Message-----
From: Alexander Klink [mailto:[email protected]] 
Sent: Monday, January 19, 2009 5:17 PM
To: [email protected]
Subject: Re: [OpenXPKI-users] Signature in the 
I18N_OPENXPKI_WF_ACTION_APPROVE_CSR activity

Hi Dmitry,

On Mon, Jan 19, 2009 at 01:42:26PM +0500, Dmitry Golomolzin wrote:
> You wrote: "The error typically means that you do not have a CA installed 
> that can satisfy the requested notafter date - did you install a CA 
> certificate yet? If so, does it run out before August 2009?"
> 
> We used "openxpkiadm key generate --realm CYBORG --group default" command in 
> order to generate CA certificate (it's valid during 365 days from the 
> generation date, in other words, until Jan 2010) and got the following 
> warning:

openxpkiadm key generate just generates a CA _key_, not a CA
certificate.

Please see
http://wiki.openxpki.org/index.php/Manual/Quickstart/Installation#Setting_up_the_CA_certificate_and_key
for more information on what needs to be done to get a working CA
setup. I'd suggest trying it out on the web interface first before doing
it via OpenXPKI::Client.

>  EVAL_ERROR: I18N_OPENXPKI_XML_CACHE_GET_XPATH_COUNT_NOTHING_FOUND; __XPATH__ 
> => pki_realm/0/common/0/secret/0/group/0/method/0/required_shares

Hmmm, that looks like an error to me rather than a warning. What's in
the <secret> section of your config.xml? Was the key created
successfully?

> Does it mean that CA certificate's expiration date should match the 
> "notbefore" and "notafter" dates interval? Could you explain where we can 
> change these values ("notbefore" and "notafter")?

The end entity's notbefore and notafter dates must be within the range
of one available CA certificate. You can change the length of the
validity period in profile.xml, but that won't help you as long as you
don't have a valid CA certificate ...

Cheers,
  Alex
-- 
Dipl.-Math. Alexander Klink | IT-Security Engineer
        [email protected] | working @ urn:oid:1.3.6.1.4.1.11417
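Dmitry asks how to check the CA certificate's presence and validity without openxpkiadm or the web interface, and Alex explains that an end-entity notafter must fall inside the CA certificate's own validity. The following script is an added example (not from either poster or from OpenXPKI) that does both checks with plain openssl; it builds its own throwaway key and self-signed CA certificate as stand-ins for the cakey.pem / cacert.pem in the thread, and the file names and the 365-day validity are constructed for the demo.

```shell
#!/bin/sh
# Added example, not part of the thread: sanity-check a CA key/cert pair
# with plain openssl, independent of openxpkiadm and the web interface.
set -e

# Constructed test material: throwaway RSA key and a self-signed CA cert
# valid for 365 days (stand-ins for cakey.pem / cacert.pem in the thread).
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
openssl genrsa -out "$WORK/cakey.pem" 2048 2>/dev/null
openssl req -x509 -new -key "$WORK/cakey.pem" -days 365 \
    -subj "/CN=Test Dummy CA" -out "$WORK/cacert.pem" 2>/dev/null

# Does the certificate really carry the public half of this key? A cert
# issued for a different key imports fine but can never be used to sign.
key_matches_cert() {   # $1 = private key file, $2 = certificate file
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null)
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null)
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# Is the CA cert valid now AND for at least $2 more days? This is the rule
# Alex describes: an end-entity notafter must lie inside the CA's validity,
# so a CA with 365 days left cannot satisfy a 400-day request.
ca_covers_days() {     # $1 = certificate file, $2 = days the EE cert must last
    openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Human-readable summary of what the CA cert says about itself.
show_ca() {
    openssl x509 -in "$1" -noout -subject -issuer -dates
}

show_ca "$WORK/cacert.pem"
key_matches_cert "$WORK/cakey.pem" "$WORK/cacert.pem" && echo "key matches cert"
ca_covers_days "$WORK/cacert.pem" 300 && echo "CA can issue a 300-day cert"
ca_covers_days "$WORK/cacert.pem" 400 || echo "CA cannot issue a 400-day cert"
```

Point the two file arguments at the realm's real cakey.pem and cacert.pem (the key path is printed by "openxpkiadm key list") to run the same checks against an actual installation.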

------------------------------------------------------------------------------
This SF.net email is sponsored by:
SourcForge Community
SourceForge wants to tell your story.
http://p.sf.net/sfu/sf-spreadtheword
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
