Hello again,
and I did. And everything is working fine until raop is logging in.
Even user Bob can request a certificate without problems.
I used an adjusted version of the to do the work for me. I also added
the new realm:
root@rootca:/home/karsten# cat /etc/openxpki/config.d/system/realms.yaml
democa:
    label: Example.org Demo CA
    baseurl: https://pki.example.com/openxpki/
antelopeca:
    label: Antelope CA
    baseurl: https://rootca.antelope.lan/openxpki/
I thought it was a bad idea to use the password "root" for all keys.
So I let the script generate random passwords.
sampleconfig.sh
#KEY_PASSWORD="root"
And here they are:
root@rootca:/home/karsten# find /etc/openxpki/ -name *.pass
/etc/openxpki/ca/antelopeca/Antelope_Issuing_CA.pass
/etc/openxpki/ca/antelopeca/Antelope_DataVault.pass
/etc/openxpki/ca/antelopeca/Antelope_WebUI.pass
/etc/openxpki/ca/antelopeca/Antelope_SCEP_RA.pass
/etc/openxpki/ca/antelopeca/Antelope_Root_CA.pass
Things seem to be good so far:
root@rootca:/home/karsten# openxpkiadm alias --realm antelopeca
=== functional token ===
ca-signer (certsign):
Alias : ca-signer-1
Identifier: kAfGWvM0WZRxNzolzQI2zim_n3o
NotBefore : 2020-03-01 06:27:11
NotAfter : 2025-03-03 06:27:11
vault (datasafe):
Alias : vault-1
Identifier: G924fgBHDtGxIFBsQ4CEUeZjYB8
NotBefore : 2020-03-01 06:27:12
NotAfter : 2030-03-04 06:27:12
scep (scep):
Alias : scep-1
Identifier: HSIzIBopVOmDbW4AbCoPJ-0W2dc
NotBefore : 2020-03-01 06:27:13
NotAfter : 2021-03-01 06:27:13
=== root ca ===
current root ca:
Alias : root-1
Identifier: Eh2S9P37OpCvugpSDIUKtHKZrx0
NotBefore : 2020-03-01 06:27:10
NotAfter : 2030-03-04 06:27:10
upcoming root ca:
not set
But then:
2020/03/01 07:35:30 openxpki.auth.INFO Login successful using
authentication stack 'Operator' (user: 'raop', role: 'RA Operator')
[pid=656|sid=yesj]
2020/03/01 07:35:31 openxpki.system.ERROR OpenSSL error:
140532922659968:error:08064066:object identifier
routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
unable to load signing key file
My guess would be that the config still expects "root" to be the
password for all keys.
root@rootca:/home/karsten# tail /etc/openxpki/config.d/realm/antelopeca/crypto.yaml
secret:
    default:
        label: Default secret group of this realm
        export: 0
        method: literal
        value: root
        cache: daemon
https://openxpki.readthedocs.io/en/stable/reference/configuration/realm.html:
"TODO: How to create the password segments?" Is that it?
Thanks in advance!
On Fri, 28 Feb 2020 at 13:49, Martin Bartosch <[email protected]> wrote:
>
> Hi,
>
> > In order to create a new realm the easiest way is to copy the sample
> > directory tree realm/democa to a new directory within the realm
> > directory. Adjust the realm configuration file contents accordingly
> > (see below).
>
> It's really all you need to do. OpenXPKI processes realms as follows:
>
> - read all entries in system/realms
> - iterate through all entries found below realms/ENTRY
>
> That means you can set up a new realm by copying the sample configuration to
> a new directory below realms and add it to system/realms
>
> Of course you need to modify the configuration to suit your needs. It is
> perfectly OK to symlink files within the configuration tree to avoid
> unnecessary redundancy.
>
> HTH
>
> Martin
>
>
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
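To test the guess in the message above (that the realm's literal secret no longer matches the passphrase the keys were encrypted with), the check below tries both values against a key file using `openssl pkey`. It is an added example, not part of the thread or of OpenXPKI; `key_unlocks`, `check_key`, `make_demo` and the demo file names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: which secret actually decrypts a PEM private key?
# Function names and demo file names are hypothetical, not OpenXPKI commands.

# key_unlocks KEYFILE PASSPHRASE -> exit status 0 if the passphrase decrypts the key.
# The passphrase travels in an environment variable, not on the command line,
# so it does not appear in the process list.
# Caveat: an unencrypted key loads with any passphrase and also reports success.
key_unlocks() {
    KEYPASS="$2" openssl pkey -in "$1" -passin env:KEYPASS -noout 2>/dev/null
}

# check_key KEYFILE PASSFILE CONFIGURED_SECRET
# Prints "configured" if the secret from the config unlocks the key,
# "passfile-only" if only the content of the .pass file does, else "neither".
check_key() {
    stored=$(cat "$2")
    if key_unlocks "$1" "$3"; then
        echo "configured"
    elif key_unlocks "$1" "$stored"; then
        echo "passfile-only"
    else
        echo "neither"
    fi
}

# make_demo DIR -> writes a constructed sample: DIR/demo.pass (random passphrase)
# and DIR/demo.key (RSA key encrypted with that passphrase).
make_demo() {
    (
        umask 077
        openssl rand -hex 16 > "$1/demo.pass"
        openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
            -aes-256-cbc -pass "file:$1/demo.pass" -out "$1/demo.key" 2>/dev/null
    )
}

# Direct use: sh script.sh KEYFILE PASSFILE CONFIGURED_SECRET
if [ "$#" -eq 3 ]; then
    check_key "$@"
fi
```

A result of `passfile-only` means the configured literal and the key's passphrase have diverged; `neither` points to a different cause than the password.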