Hi,

I did a first installation of OpenXPKI using a Hyper-V machine on which Debian 10 is installed. When following the instructions in the quickstart guide and using the sampleconfig.sh everything went fine and I got a running system.

My second try was to set the KEY_PASSWORD in the sampleconfig.sh line 27 to an empty string to get the random passwords as described in the comment above (beginning from a snapshot before executing the sampleconfig.sh).

When executing this sampleconfig.sh the script ended at line 350

openxpkiadm certificate import --file "${SCEP_CERTIFICATE}" --realm "${REALM}" --token scep --key ${SCEP_KEY}

without any further message (see complete output below).

I uncommented the line 350 in sampleconfig.sh and the script executed until the end. Then I tried to execute the uncommented command manually and got an error message:

 

######################## Manually executing line 350 ##############################

root@openxpki:~# openxpkiadm certificate import --file "/etc/openxpki/ca/democa/OpenXPKI_SCEP_RA.crt" --realm "democa" --token scep --key /etc/openxpki/ca/democa/OpenXPKI_SCEP_RA.key
Starting import
Successfully imported certificate into database:
  Subject:    CN=openxpki:scep-ra
  Issuer:     CN=OpenXPKI Demo Issuing CA 1,OU=PKI,O=OpenXPKI,C=DE
  Identifier: gdW_edXq10TxR9e4nryvq9pj-ok
  Realm:      democa

Successfully created alias in realm democa:
  Alias     : scep-1
  Identifier: gdW_edXq10TxR9e4nryvq9pj-ok
  NotBefore : 2020-09-20 16:51:38
  NotAfter  : 2021-09-20 16:51:38

2020/09/20 12:52:18 Encryption key needed to decrypt password safe entry is unavailable
Error running command: Encryption key needed to decrypt password safe entry is unavailable at /usr/share/perl5/OpenXPKI/Client/Simple.pm line 352.

##############################################################################


Also the system status page says that the system status is critical:

* Active encryption token: not available (vault-1)
* ca-signer-1: Offline
* vault-1: Offline

I did some further investigation with the following results:

* The behavior occurs when the KEY_PASSWORD for the ISSUING_CA_CERTIFICATE and/or DATAVAULT_CERTIFICATE is not equal to 'root'; for all other certificates the KEY_PASSWORD can be changed without errors
* I get the same behavior when following the instructions to manually import the certificates without the sampleconfig.sh

So what did I miss?

Thanks for any help!

Regards,

Florian


####################### OpenXPKI version #########################

root@openxpki:~# openxpkiadm version
Version (core): 3.6.1

###################### Debian version ############################

root@openxpki:~# hostnamectl
Static hostname: openxpki
Icon name: computer-vm
Chassis: vm
Machine ID: xxx
Boot ID: xxx
Virtualization: microsoft
Operating System: Debian GNU/Linux 10 (buster)
Kernel: Linux 4.19.0-10-amd64
Architecture: x86-64


#################### output when KEY_PASSWORD="" ################

root@openxpki:~# ./openxpkiconfig.sh
creating configuration for openssl () .. done.
Creating certificates ..
Did not find a root ca certificate file.
Creating an own self signed root ca .. done.
Did not find existing issuing CA key file.
Creating an issuing CA request .. done.
Signing issuing certificate with own root CA .. done.
Did not find existing DataVault certificate file.
Creating a self signed DataVault certificate .. done.
Did not find existing SCEP certificate file.
Creating a SCEP request .. done.
Signing SCEP certificate with Issuing CA .. done.
Did not find existing WEB certificate file.
Creating a Web request .. done.
Signing Web certificate with Issuing CA .. done.
Starting server before running import ... Starting OpenXPKI...
OpenXPKI Server is running and accepting requests.
DONE.
Successfully imported certificate into database:
  Subject:    CN=OpenXPKI Root CA 1
  Issuer:     CN=OpenXPKI Root CA 1
  Identifier: LB4x3M9GxkmssZu46AW-krr56mQ
  Realm:      none
Successfully imported certificate into database:
  Subject:    CN=Internal DataVault
  Issuer:     CN=Internal DataVault
  Identifier: Rid8uEyPnXjJt7uSEbnsqkmDWps
  Realm:      democa

Successfully created alias in realm democa:
  Alias     : vault-1
  Identifier: Rid8uEyPnXjJt7uSEbnsqkmDWps
  NotBefore : 2020-09-20 16:47:10
  NotAfter  : 2030-09-23 16:47:10

Successfully wrote key to /etc/openxpki/ca/vault-1.pem
Successfully imported certificate into database:
  Subject:    CN=OpenXPKI Demo Issuing CA 1,OU=PKI,O=OpenXPKI,C=DE
  Issuer:     CN=OpenXPKI Root CA 1
  Identifier: UoyhwCJhZgXnae3yJ2WMCbp4gUk
  Realm:      democa

Successfully created alias in realm democa:
  Alias     : ca-signer-1
  Identifier: UoyhwCJhZgXnae3yJ2WMCbp4gUk
  NotBefore : 2020-09-20 16:47:09
  NotAfter  : 2025-09-22 16:47:09

Successfully wrote key to datapool with key 'ca-signer-1'

Token is certsign, looking for root...
Creating alias for root ca:
  Alias     : root-1
  Identifier: LB4x3M9GxkmssZu46AW-krr56mQ
  NotBefore : 2020-09-20 16:47:09
  NotAfter  : 2030-09-23 16:47:09

Successfully imported certificate into database:
  Subject:    CN=openxpki:scep-ra
  Issuer:     CN=OpenXPKI Demo Issuing CA 1,OU=PKI,O=OpenXPKI,C=DE
  Identifier: iKyRrZN3zrK4eKkLVPDB_UMSozM
  Realm:      democa

Successfully created alias in realm democa:
  Alias     : scep-1
  Identifier: iKyRrZN3zrK4eKkLVPDB_UMSozM
  NotBefore : 2020-09-20 16:47:10
  NotAfter  : 2021-09-20 16:47:10

root@openxpki:~#
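The error reported above ("Encryption key needed to decrypt password safe entry is unavailable") together with vault-1 and ca-signer-1 showing as Offline is the symptom of a token key on disk that the server cannot open with the passphrase it holds. A useful first check before importing any token is therefore to confirm, offline, that the passphrase you intend to configure really decrypts the PEM key file. The script below is an added diagnostic, not part of Florian's message and not an OpenXPKI tool; it only assumes the openssl command-line client is installed, and the path /etc/openxpki/ca/vault-1.pem in the usage comment is taken from the output above.

```shell
#!/bin/sh
# Added diagnostic (not from the original message, not an OpenXPKI tool):
# verify that a passphrase really decrypts an encrypted PEM private key,
# which is what a token import and the running server must be able to do.
# Requires the openssl CLI.
# Usage: key_passphrase_ok /etc/openxpki/ca/vault-1.pem "$KEY_PASSWORD"
# Returns 0 when the key decrypts, 1 otherwise; prints nothing on success.

key_passphrase_ok() {
    key_file=$1
    passphrase=$2
    [ -r "$key_file" ] || { echo "unreadable key file: $key_file" >&2; return 1; }
    # The passphrase is fed on stdin rather than as "pass:..." so that it does
    # not show up in the process list; -noout parses and decrypts only and
    # never writes the plaintext key anywhere.
    printf '%s\n' "$passphrase" |
        openssl pkey -in "$key_file" -passin stdin -noout 2>/dev/null
}

# Report whether a key is stored encrypted at all. An unencrypted key on disk
# also "decrypts" with any passphrase, so flag it separately: it means the
# passphrase handling is being bypassed rather than working.
key_is_encrypted() {
    grep -Eq 'BEGIN ENCRYPTED PRIVATE KEY|^Proc-Type: 4,ENCRYPTED' "$1"
}

# Check every token key listed on stdin as "path passphrase" pairs, print one
# status line per key and return 1 if any encrypted key fails to decrypt.
check_token_keys() {
    status=0
    while read -r key_file passphrase; do
        [ -n "$key_file" ] || continue
        if ! key_is_encrypted "$key_file"; then
            echo "WARN  $key_file is not encrypted"
        elif key_passphrase_ok "$key_file" "$passphrase"; then
            echo "OK    $key_file decrypts with the given passphrase"
        else
            echo "FAIL  $key_file does not decrypt with the given passphrase"
            status=1
        fi
    done
    return $status
}
```

Run it against each token key with the passphrase you expect the server to use, e.g. `printf '%s %s\n' /etc/openxpki/ca/vault-1.pem "$KEY_PASSWORD" | check_token_keys`. A FAIL line for the DataVault key explains the Offline vault-1 token directly: whatever passphrase the server was given for that token is not the one the key file was encrypted with, and the CA signer key that is kept in the datapool cannot be unlocked either once the vault is unavailable.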


_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
