Hi there

I'm getting this error whenever I import a key. Seems I'm not setting the
DataVault password correctly, wherever that is:

Encryption key needed to decrypt password safe entry is unavailable

How it's generated:

openssl req -new -verbose -config "${OPENSSL_CONF}" \
    -reqexts v3_datavault_reqexts -batch -newkey rsa:$BITS \
    -passout file:"${DATAVAULT_KEY_PASSWORD}" -keyout "${DATAVAULT_KEY}" \
    -subj "${DATAVAULT_SUBJECT}" -out "${DATAVAULT_REQUEST}"

The datavault is a 4K RSA key; key and permissions seem OK.

root@can-lx-intca-01:~# ls -la /etc/openxpki/ca/
total 24
drwxr-xr-x  4 root     root     4096 Oct 10 10:58 .
drwxr-xr-x 11 openxpki root     4096 Oct  8 19:10 ..
drwxr-xr-x  3 openxpki root     4096 Oct  9 19:27 dev
-r--------  1 openxpki openxpki 3413 Oct 10 10:58 vault-1.pem

I've tried defining the secret here with no improvement

/etc/openxpki/config.d/realm/dev/crypto.yaml
/etc/openxpki/config.d/system/crypto.yaml

All I see is "secret: default" only. I'm not sure from any of the docs how the
defined password in the .pass file is injected to allow the rest of the
importing, if that's in fact the problem.

I've based myself off of sampleconfig.sh, but I see no reference to how the
private key secret is set on import.

root@can-lx-intca-01:~# openxpkiadm certificate import --file 
"${DATAVAULT_CERTIFICATE}" --realm "${REALM}" --token datasafe --key 
${DATAVAULT_KEY}
Starting import
Successfully imported certificate into database:
  Subject:    CN=DEV LinuxCA Internal DataVault
  Issuer:     CN=Enterprises DEV Intermediate Linux CA,OU=PKI,O=Enterprises,C=CA
  Identifier: f9BVEDgua8xsUVKBpPzD_JpQeHA
  Realm:      dev

Successfully created alias in realm dev:
  Alias     : vault-1
  Identifier: f9BVEDgua8xsUVKBpPzD_JpQeHA
  NotBefore : 2020-10-09 23:27:14
  NotAfter  : 2030-10-12 23:27:14

Successfully wrote key to /etc/openxpki/ca/vault-1.pem
root@can-lx-intca-01:~# openxpkiadm alias --realm "${REALM}" --token certsign  
--file "${ISSUING_CA_CERTIFICATE}" --key ${ISSUING_CA_KEY}
Successfully created alias in realm dev:
  Alias     : ca-signer-1
  Identifier: 6j87PRoXumH_EEamEXfVGfgidzk
  NotBefore : 2020-10-09 22:53:09
  NotAfter  : 2041-10-09 23:03:09

2020/10/10 10:58:46 Encryption key needed to decrypt password safe entry is 
unavailable
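
A check that separates a wrong passphrase from a key/certificate mismatch, using only openssl. This is an added example, not part of the original post or of OpenXPKI: the function names, file names and passphrases are constructed, and it says nothing about how OpenXPKI itself loads the secret.

```shell
#!/bin/sh
# check_vault_key KEY PASSFILE CERT
#   0 = passphrase file unlocks the key and the key matches the certificate
#   1 = key cannot be decrypted with the passphrase in PASSFILE
#   2 = key decrypts, but its public half differs from the certificate's
check_vault_key() {
    key=$1 passfile=$2 cert=$3
    # pkey fails (non-zero) when the passphrase does not decrypt the key
    key_pub=$(openssl pkey -in "$key" -passin "file:$passfile" -pubout 2>/dev/null) || return 1
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 2
    [ "$key_pub" = "$cert_pub" ] || return 2
    return 0
}

# Constructed sample material (2048-bit and self-signed to keep the demo fast).
make_demo_vault() {
    dir=$1
    printf 'constructed-passphrase\n' > "$dir/vault.pass"
    printf 'some-other-passphrase\n'  > "$dir/wrong.pass"
    openssl req -x509 -batch -newkey rsa:2048 -days 1 \
        -passout "file:$dir/vault.pass" -keyout "$dir/vault.pem" \
        -subj "/CN=Constructed DataVault" -out "$dir/vault.crt" 2>/dev/null
}

tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
make_demo_vault "$tmp"

for pw in vault.pass wrong.pass; do
    rc=0
    check_vault_key "$tmp/vault.pem" "$tmp/$pw" "$tmp/vault.crt" || rc=$?
    echo "$pw -> exit $rc"
done
```

On a real host the three arguments would be the key file written by the import, the passphrase file used at generation time, and the DataVault certificate.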

