Hi Florian,

You will most likely still have to set the passwords in crypto.yaml (configure the security tokens). See also https://openxpki.readthedocs.io/en/stable/operation/tokenconfig.html

When this is configured, an RA will have to unlock the tokens in the GUI (depending on the token configuration).
Stijn

From: [email protected] <[email protected]>
Sent: Sunday, 20 September 2020 19:38
To: [email protected]
Subject: [OpenXPKI-users] sampleconfig.sh fails for key password unequal 'root'

Hi,

I did a first installation of OpenXPKI using a Hyper-V machine on which Debian 10 is installed. When following the instructions in the quickstart guide and using the sampleconfig.sh, everything went fine and I got a running system.

My second try was to set the KEY_PASSWORD in sampleconfig.sh line 27 to an empty string to get the random passwords as described in the comment above (starting from a snapshot taken before executing the sampleconfig.sh). When executing this sampleconfig.sh, the script ended at line 350

openxpkiadm certificate import --file "${SCEP_CERTIFICATE}" --realm "${REALM}" --token scep --key ${SCEP_KEY}

without any further message (see complete output below). I uncommented line 350 in sampleconfig.sh and the script executed until the end. Then I tried to execute the uncommented command manually and got an error message:

######################## Manually executing line 350 ##############################
root@openxpki:~# openxpkiadm certificate import --file "/etc/openxpki/ca/democa/OpenXPKI_SCEP_RA.crt" --realm "democa" --token scep --key /etc/openxpki/ca/democa/OpenXPKI_SCEP_RA.key
Starting import
Successfully imported certificate into database:
  Subject:    CN=openxpki:scep-ra
  Issuer:     CN=OpenXPKI Demo Issuing CA 1,OU=PKI,O=OpenXPKI,C=DE
  Identifier: gdW_edXq10TxR9e4nryvq9pj-ok
  Realm:      democa
Successfully created alias in realm democa:
  Alias     : scep-1
  Identifier: gdW_edXq10TxR9e4nryvq9pj-ok
  NotBefore : 2020-09-20 16:51:38
  NotAfter  : 2021-09-20 16:51:38
2020/09/20 12:52:18 Encryption key needed to decrypt password safe entry is unavailable
Error running command: Encryption key needed to decrypt password safe entry is unavailable at /usr/share/perl5/OpenXPKI/Client/Simple.pm line 352.
##############################################################################

Also the system status page says that the system status is critical:

* Active encryption token: not available (vault-1)
* ca-signer-1: Offline
* vault-1: Offline

I did some further investigation with the following results:

* The behavior occurs when the KEY_PASSWORD for the ISSUING_CA_CERTIFICATE and/or DATAVAULT_CERTIFICATE is not equal to 'root'; for all other certificates the KEY_PASSWORD can be changed without errors.
* I get the same behavior when following the instructions to manually import the certificates without the sampleconfig.sh.

So what did I miss? Thanks for any help!

Regards,
Florian

####################### OpenXPKI version #########################
root@openxpki:~# openxpkiadm version
Version (core): 3.6.1

###################### Debian version ############################
root@openxpki:~# hostnamectl
   Static hostname: openxpki
         Icon name: computer-vm
           Chassis: vm
        Machine ID: xxx
           Boot ID: xxx
    Virtualization: microsoft
  Operating System: Debian GNU/Linux 10 (buster)
            Kernel: Linux 4.19.0-10-amd64
      Architecture: x86-64

#################### output when KEY_PASSWORD="" ################
root@openxpki:~# ./openxpkiconfig.sh
creating configuration for openssl () .. done.
Creating certificates ..
Did not find a root ca certificate file.
Creating an own self signed root ca .. done.
Did not find existing issuing CA key file.
Creating an issuing CA request .. done.
Signing issuing certificate with own root CA .. done.
Did not find existing DataVault certificate file.
Creating a self signed DataVault certificate .. done.
Did not find existing SCEP certificate file.
Creating a SCEP request .. done.
Signing SCEP certificate with Issuing CA .. done.
Did not find existing WEB certificate file.
Creating a Web request .. done.
Signing Web certificate with Issuing CA .. done.
Starting server before running import ...
Starting OpenXPKI...
OpenXPKI Server is running and accepting requests.
DONE.
Successfully imported certificate into database:
  Subject:    CN=OpenXPKI Root CA 1
  Issuer:     CN=OpenXPKI Root CA 1
  Identifier: LB4x3M9GxkmssZu46AW-krr56mQ
  Realm:      none
Successfully imported certificate into database:
  Subject:    CN=Internal DataVault
  Issuer:     CN=Internal DataVault
  Identifier: Rid8uEyPnXjJt7uSEbnsqkmDWps
  Realm:      democa
Successfully created alias in realm democa:
  Alias     : vault-1
  Identifier: Rid8uEyPnXjJt7uSEbnsqkmDWps
  NotBefore : 2020-09-20 16:47:10
  NotAfter  : 2030-09-23 16:47:10
Successfully wrote key to /etc/openxpki/ca/vault-1.pem
Successfully imported certificate into database:
  Subject:    CN=OpenXPKI Demo Issuing CA 1,OU=PKI,O=OpenXPKI,C=DE
  Issuer:     CN=OpenXPKI Root CA 1
  Identifier: UoyhwCJhZgXnae3yJ2WMCbp4gUk
  Realm:      democa
Successfully created alias in realm democa:
  Alias     : ca-signer-1
  Identifier: UoyhwCJhZgXnae3yJ2WMCbp4gUk
  NotBefore : 2020-09-20 16:47:09
  NotAfter  : 2025-09-22 16:47:09
Successfully wrote key to datapool with key 'ca-signer-1'
Token is certsign, looking for root...
Creating alias for root ca:
  Alias     : root-1
  Identifier: LB4x3M9GxkmssZu46AW-krr56mQ
  NotBefore : 2020-09-20 16:47:09
  NotAfter  : 2030-09-23 16:47:09
Successfully imported certificate into database:
  Subject:    CN=openxpki:scep-ra
  Issuer:     CN=OpenXPKI Demo Issuing CA 1,OU=PKI,O=OpenXPKI,C=DE
  Identifier: iKyRrZN3zrK4eKkLVPDB_UMSozM
  Realm:      democa
Successfully created alias in realm democa:
  Alias     : scep-1
  Identifier: iKyRrZN3zrK4eKkLVPDB_UMSozM
  NotBefore : 2020-09-20 16:47:10
  NotAfter  : 2021-09-20 16:47:10
root@openxpki:~#
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
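To make the reply above concrete: the sample configuration only works with KEY_PASSWORD=root because the realm's crypto.yaml declares a secret group whose value is the literal string "root", and the ca-signer and vault tokens reference that group. Below is an added example of the relevant part of a realm crypto.yaml; it is not taken from this thread or from the OpenXPKI project's shipped files. It shows the literal secret that matches the unmodified sampleconfig.sh next to a secret of method "plain", which is what makes an RA unlock the tokens in the GUI. The secret group names (`default`, `interactive`), the label strings and the engine/shell settings are assumptions; the `/etc/openxpki/ca/[% ALIAS %].pem` key path and the datapool key store for ca-signer follow the import output quoted in Florian's mail.

```yaml
# Added example of a realm crypto.yaml (e.g. config.d/realm/democa/crypto.yaml).
# Not the project's shipped file; names and paths are assumptions except
# where noted.

type:
  certsign: ca-signer
  datasafe: vault
  scep: scep

secret:
  # Matches the default KEY_PASSWORD=root in sampleconfig.sh. Anyone who can
  # read this file can open the keys, so it protects nothing beyond the file
  # permissions on crypto.yaml itself.
  default:
    label: Default secret group for this realm
    export: 0
    method: literal
    value: root
    cache: daemon

  # Assumed group name. No value in the file: after each server start an
  # operator enters the passphrase in the web UI (the "unlock the tokens
  # in the GUI" step). cache: daemon keeps it in the daemon until restart.
  interactive:
    label: Issuing CA / DataVault passphrase
    export: 0
    method: plain
    total_shares: 1
    cache: daemon

token:
  default:
    backend: OpenXPKI::Crypto::Backend::OpenSSL
    # Path taken from the quoted output ("wrote key to /etc/openxpki/ca/vault-1.pem")
    key: /etc/openxpki/ca/[% ALIAS %].pem
    engine: OpenSSL
    key_store: OPENXPKI
    shell: /usr/bin/openssl
    secret: default

  # The vault key must be on disk and openable: the datapool is encrypted
  # with this token, so everything stored there depends on it.
  vault:
    inherit: default
    secret: interactive

  # Key lives in the datapool (quoted output: "wrote key to datapool with
  # key 'ca-signer-1'"), so it is only reachable once the vault is online.
  ca-signer:
    inherit: default
    key_store: DATAPOOL
    key: "[% ALIAS %]"
    secret: interactive

  scep:
    inherit: default
```

The secret named under each token must be able to decrypt the key the token references. If the generated keys carry a random passphrase while the tokens still point at the literal "root" group, the vault stays offline, the datapool that holds the ca-signer key cannot be decrypted, and an import that touches the datapool fails with the "Encryption key needed to decrypt password safe entry is unavailable" error seen above. A quick way to confirm which passphrase a key on disk actually has is `openssl pkey -in /etc/openxpki/ca/vault-1.pem -passin pass:... -noout`, which exits non-zero on a wrong passphrase.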
