Hi Karsten,

sorry for the late reply but your mail was moved to the SPAM folder :)

Password segments are only necessary if you want to use "Split
passwords"; you just need to copy the "literal" secret group for every
password and link it to the tokens.

To not expose the password to an attacker you can set the secret type to
"plain", which requires that you enter the password on the UI after
starting OpenXPKI (PKI Ops -> Manage Secret). This option is a bit
clumsy and on the improvement list...

Oliver

On 01.03.20 at 08:49, Karsten Werner wrote:
> Hello again,
> 
> and I did. And everything is working fine until raop is logging in.
> Even user Bob can request a certificate without problems.
> 
> I used an adjusted version of the to do the work for me. I also added
> the new realm:
> 
> root@rootca:/home/karsten# cat /etc/openxpki/config.d/system/realms.yaml
> democa:
>     label: Example.org Demo CA
>     baseurl: https://pki.example.com/openxpki/
> 
> antelopeca:
>     label: Antelope CA
>     baseurl: https://rootca.antelope.lan/openxpki/
> 
> I thought it was a bad idea to use the password "root" for all keys.
> So I let the script generate random passwords.
> 
> sampleconfig.sh
> #KEY_PASSWORD="root"
> 
> And here they are:
> root@rootca:/home/karsten# find /etc/openxpki/ -name *.pass
> /etc/openxpki/ca/antelopeca/Antelope_Issuing_CA.pass
> /etc/openxpki/ca/antelopeca/Antelope_DataVault.pass
> /etc/openxpki/ca/antelopeca/Antelope_WebUI.pass
> /etc/openxpki/ca/antelopeca/Antelope_SCEP_RA.pass
> /etc/openxpki/ca/antelopeca/Antelope_Root_CA.pass
> 
> Things seem to be good so far:
> 
> root@rootca:/home/karsten# openxpkiadm alias --realm antelopeca
> === functional token ===
> ca-signer (certsign):
>   Alias     : ca-signer-1
>   Identifier: kAfGWvM0WZRxNzolzQI2zim_n3o
>   NotBefore : 2020-03-01 06:27:11
>   NotAfter  : 2025-03-03 06:27:11
> 
> vault (datasafe):
>   Alias     : vault-1
>   Identifier: G924fgBHDtGxIFBsQ4CEUeZjYB8
>   NotBefore : 2020-03-01 06:27:12
>   NotAfter  : 2030-03-04 06:27:12
> 
> scep (scep):
>   Alias     : scep-1
>   Identifier: HSIzIBopVOmDbW4AbCoPJ-0W2dc
>   NotBefore : 2020-03-01 06:27:13
>   NotAfter  : 2021-03-01 06:27:13
> 
> === root ca ===
> current root ca:
>   Alias     : root-1
>   Identifier: Eh2S9P37OpCvugpSDIUKtHKZrx0
>   NotBefore : 2020-03-01 06:27:10
>   NotAfter  : 2030-03-04 06:27:10
> 
> upcoming root ca:
>   not set
> 
> But then:
> 
> 2020/03/01 07:35:30 openxpki.auth.INFO Login successful using
> authentication stack 'Operator' (user: 'raop', role: 'RA Operator')
> [pid=656|sid=yesj]
> 2020/03/01 07:35:31 openxpki.system.ERROR OpenSSL error:
> 140532922659968:error:08064066:object identifier
> routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
> unable to load signing key file
> 
> My guess would be that the config still expects "root" to be the
> password for all keys.
> 
> root@rootca:/home/karsten# tail
> /etc/openxpki/config.d/realm/antelopeca/crypto.yaml
> secret:
>   default:
>     label: Default secret group of this realm
>     export: 0
>     method: literal
>     value: root
>     cache: daemon
> 
> https://openxpki.readthedocs.io/en/stable/reference/configuration/realm.html:
> 
> "TODO: How to create the password segments?" Is that it?
> 
> Thanks in advance!
> 
> On Fri., 28 Feb 2020 at 13:49, Martin Bartosch <[email protected]> wrote:
>>
>> Hi,
>>
>>> In order to create a new realm the easiest way is to copy the sample
>>> directory tree realm/democa to a new directory within the realm
>>> directory. Adjust the realm configuration file contents accordingly
>>> (see below).
>>
>> It's really all you need to do. OpenXPKI processes realms as follows:
>>
>> - read all entries in system/realms
>> - iterate through all entries found below realms/ENTRY
>>
>> That means you can set up a new realm by copying the sample configuration to 
>> a new directory below realms and add it to system/realms
>>
>> Of course you need to modify the configuration to suit your needs. It is 
>> perfectly OK to symlink files within the configuration tree to avoid 
>> unnecessary redundancy.
>>
>> HTH
>>
>> Martin
>>
>> _______________________________________________
>> OpenXPKI-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
> 


-- 
Protect your environment -  close windows and adopt a penguin!
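As an added illustration of what Oliver describes (not configuration from the thread or from the OpenXPKI project itself), here is a crypto.yaml fragment for Karsten's antelopeca realm with the shipped "literal" group kept for reference, a "plain" group for the signing key and a separate literal group for the DataVault key. The `token` block with `inherit`, the key path and the `total_shares` key are assumptions based on the OpenXPKI crypto.yaml layout; check them against the sample config of your installed version.

```yaml
# Added example, not from the thread: one secret group per token so each key
# keeps its own password, as Oliver describes. Alias and file names follow
# Karsten's antelopeca realm; the `token` block, the key path and the
# `total_shares` key are assumed from the OpenXPKI crypto.yaml layout.

token:
  default:
    backend: OpenXPKI::Crypto::Backend::OpenSSL
    key: /etc/openxpki/ca/antelopeca/[% ALIAS %].pem   # assumed key path
    secret: default          # the group every token used before
  ca-signer:
    inherit: default
    secret: ca-signer        # link each token to its own secret group
  vault:
    inherit: default
    secret: vault

secret:
  # Before (shipped sample): one literal password shared by all keys. Anyone
  # who can read crypto.yaml learns it, and here it is still "root" while the
  # keys were generated with random passwords -> "unable to load signing key".
  default:
    label: Default secret group of this realm
    export: 0
    method: literal
    value: root
    cache: daemon

  # After, for the most sensitive key: the passphrase is typed into the UI
  # after startup (PKI Ops -> Manage Secret) and is never written to disk.
  ca-signer:
    label: Issuing CA signing key
    export: 0
    method: plain
    total_shares: 1          # one passphrase, no split secret
    cache: daemon

  # A key that must unlock unattended keeps a literal group, but with its own
  # value; the placeholder stands for the contents of the matching *.pass file.
  vault:
    label: DataVault key
    export: 0
    method: literal
    value: <contents of Antelope_DataVault.pass>
    cache: daemon
```

Once every token points at its own group, the shared `default` group (and its `value: root`) can be dropped so no password that is no longer in use stays in the file.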
