Hello everyone,

for some testing I have set up openxpki 2.0.2-0 on Debian 8.10.
Based on the instructions from the quickstart guide I took the easy way and
used sampleconfig.sh to create required certificates, keys etc.

This works great except if I change the KEY_PASSWORD value (e.g. instead of
"root" I use "toor").
If this value is changed within the webinterface, after logon of "raop"
user I get the error "CRL expired - update required!"
When trying to manually issue the crl I get the following error:

root@openxpki-000001:~# openxpkicmd --socketfile /var/openxpki/openxpki.socket --authstack Operator --authuser raop --authpass openxpki --realm ca-one crl_issuance
Error:
$VAR1 = {
          'SERVICE_MSG' => 'ERROR',
          'LIST' => [
                      {
                        'PARAMS' => {
                                      '__ACTION__' => 'global_nice_issue_crl',
                                      '__EXCEPTION__' => 'OpenXPKI::Exception'
                                    },
                        'LABEL' => 'I18N_OPENXPKI_SERVER_WORKFLOW_ERROR_ON_EXECUTE'
                      }
                    ]
        };
root@openxpki-000001:~#

As soon as I change the definition of secret:default:value
within crypto.yaml to the value of KEY_PASSWORD and restart openxpki I can
issue the crl without any problems.

root@openxpki-000001:~# sed -i "s#\(^\s\+\)\(value: root\)\(.*$\)#\1value: toor\3#g" "/etc/openxpki/config.d/realm/ca-one/crypto.yaml"
root@openxpki-000001:~# systemctl restart openxpkid
root@openxpki-000001:~# openxpkicmd --socketfile /var/openxpki/openxpki.socket --authstack Operator --authuser raop --authpass openxpki --realm ca-one crl_issuance
Workflow created (ID: 1279), State: SUCCESS

My questions at this point are:

   1. Do I really have to store the KEY_PASSWORD in clear text within
   crypto.yaml to be able to perform a crl_issuance?
   2. If I set KEY_PASSWORD to an empty value and due to this use a random
   KEY_PASSWORD (created by "make_password" function within
   sampleconfig.sh),
   which is different for RootCA, IssuingCA, DataVault, SCEP and WEB, which
   one do I need to store within crypto.yaml?


Unfortunately I was not able to get these questions solved by the
documentation or the mailing list history. :(
Maybe somebody can give me a hint where to find more details of usage for
openxpki in general,
because currently I am understanding a lot of things just by doing "reverse
engineering" from the sampleconfig.sh?

Thank you
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
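
Added example, not part of the original post and not OpenXPKI code: a check, run before restarting openxpkid, that the value under secret -> default -> value in crypto.yaml really decrypts a given private key, which is the mismatch behind the failed crl_issuance above. The function names, the key file name and the demo YAML are assumptions constructed for illustration, and the openssl command-line tool is required.

```shell
#!/bin/sh
# Added example, not OpenXPKI code. Assumes the nesting the post names
# (secret -> default -> value) and a PEM-encoded, passphrase-protected key.

# Print the value stored under secret: -> default: -> value: in file $1.
secret_default_value() {
    awk '
        /^secret:/ { s = 1; next }
        /^[^ \t#]/ { s = 0; d = 0 }   # any other top-level key ends the section
        s && /^[ \t]+default:[ \t]*$/ { d = 1; match($0, /^[ \t]+/); ind = RLENGTH; next }
        d && /^[ \t]+[^ \t#]/ { match($0, /^[ \t]+/); if (RLENGTH <= ind) d = 0 }
        d && /^[ \t]+value:/ {
            sub(/^[ \t]+value:[ \t]*/, ""); sub(/[ \t]+$/, "")
            gsub(/^"|"$/, ""); print; exit
        }
    ' "$1"
}

# Succeed if passphrase $2 decrypts the private key in $1. The passphrase goes
# to openssl through the environment, not argv, so it stays out of ps output.
key_unlocks() {
    KEYPASS="$2" openssl pkey -in "$1" -passin env:KEYPASS -noout 2>/dev/null
}

# Returns 0 = configured secret unlocks the key, 1 = mismatch, 2 = no value found.
check_realm_secret() {
    cfg_secret=$(secret_default_value "$1")
    [ -n "$cfg_secret" ] || { echo "no secret/default/value in $1"; return 2; }
    if key_unlocks "$2" "$cfg_secret"; then
        echo "OK: secret in $1 unlocks $2"
    else
        echo "MISMATCH: secret in $1 does not unlock $2"; return 1
    fi
}

# Constructed demo: throwaway key encrypted with "toor", config still "root".
demo() {
    t=$(mktemp -d) || return 1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
        -aes-256-cbc -pass pass:toor -out "$t/demo-key.pem" 2>/dev/null
    printf 'secret:\n    default:\n        label: demo\n        value: root\n' > "$t/crypto.yaml"
    check_realm_secret "$t/crypto.yaml" "$t/demo-key.pem"
    printf 'secret:\n    default:\n        label: demo\n        value: toor\n' > "$t/crypto.yaml"
    check_realm_secret "$t/crypto.yaml" "$t/demo-key.pem"
    rm -rf "$t"
}
demo
```

An unencrypted key file passes with any value, so confirm the key is passphrase-protected before relying on an OK result.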
