Hi Steve,
I think I had a similar issue and I solved it by editing the crypto.yaml file
of the realm as shown below.
By the way, the ‘root’ password used in sampleconfig.sh is defined in
/etc/openxpki/config.d/system/crypto.yaml
in the section secrets: default: and is used by inheritance for all tokens if
the realm’s crypto.yaml is not modified.
Hope this helps!
Regards
Florian
##### changes in crypto.yaml ####
…
# token groups: each token now names its own secret group instead of
# inheriting "secret: default" from the default token
ca-signer:
    inherit: default
    key_store: DATAPOOL
    key: "[% ALIAS %]"
    secret: ca-signer
vault:
    inherit: default
    key: /etc/openxpki/ca/[% ALIAS %].pem
    secret: vault
scep:
    inherit: default
    backend: OpenXPKI::Crypto::Tool::LibSCEP
    key_store: DATAPOOL
    key: "[% ALIAS %]"
    secret: scep
# Define the secret groups
secret:
    default:
        # this lets OpenXPKI use the secret of the same name from system.crypto
        # if you do not want to share the secret just replace this line with
        # the config found in system.crypto. You can create additional secrets
        # by adding similar blocks with another key
        import: 1
    ca-signer:
        label: CA signer group
        method: literal
        value: <content of OpenXPKI_Issuing_CA.pass>
    vault:
        label: Vault group
        method: literal
        value: <content of OpenXPKI_DataVault.pass>
    scep:
        label: SCEP group
        method: literal
        value: <content of OpenXPKI_SCEP_RA.pass>
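The resolution Florian describes (token -> `secret:` name -> realm `secret:` block -> `import: 1` falling through to the system crypto.yaml, with `inherit: default` filling in anything a token does not set itself) can be modelled to see why the shipped realm config decrypts nothing that was generated with a per-key .pass file. The script below is an added example and is not Florian's code or OpenXPKI's own resolver: it implements the inheritance and import rules as understood from this thread, uses constructed dictionaries standing in for the two YAML files, and uses placeholder passphrase strings in place of the real .pass contents. Token names and `import`/`literal` semantics follow the thread; everything else is an assumption of the model.

```python
"""Model OpenXPKI token -> secret-group resolution (added example, not project code).

Hypothetical simplification of the rules described in the thread: a token block
merges with its `inherit:` chain (child keys win), its `secret:` key names a group
in the realm `secret:` section, and `import: 1` there means "take the group of the
same name from the system crypto.yaml". Only `method: literal` is modelled.
"""
from typing import Any, Dict, List

# Constructed stand-in for the `secret:` section of
# /etc/openxpki/config.d/system/crypto.yaml. "root" is the sampleconfig.sh value
# Florian mentions; the rest is illustrative.
SYSTEM_SECRETS: Dict[str, Dict[str, Any]] = {
    "default": {"label": "Default secret group", "method": "literal", "value": "root"},
}

# Constructed stand-in for the realm crypto.yaml before the edit: no token names a
# secret of its own, so every token inherits `secret: default`.
REALM_BEFORE: Dict[str, Any] = {
    "default": {"backend": "OpenXPKI::Crypto::Backend::OpenSSL", "secret": "default"},
    "ca-signer": {"inherit": "default", "key_store": "DATAPOOL", "key": "[% ALIAS %]"},
    "vault": {"inherit": "default", "key": "/etc/openxpki/ca/[% ALIAS %].pem"},
    "scep": {"inherit": "default", "backend": "OpenXPKI::Crypto::Tool::LibSCEP",
             "key_store": "DATAPOOL", "key": "[% ALIAS %]"},
    "secret": {"default": {"import": 1}},
}

# The same realm file after Florian's edit: each token points at a literal group.
# Passphrase values are placeholders for the .pass file contents.
REALM_AFTER: Dict[str, Any] = {
    **{k: dict(v) for k, v in REALM_BEFORE.items() if k != "secret"},
    "secret": {
        "default": {"import": 1},
        "ca-signer": {"label": "CA signer group", "method": "literal", "value": "issuing-ca-pass"},
        "vault": {"label": "Vault group", "method": "literal", "value": "datavault-pass"},
        "scep": {"label": "SCEP group", "method": "literal", "value": "scep-ra-pass"},
    },
}
for _name in ("ca-signer", "vault", "scep"):
    REALM_AFTER[_name]["secret"] = _name

# Constructed: the passphrases the keys were actually encrypted with
# (what sampleconfig.sh read from the .pass files via `-passout file:`).
KEY_PASSPHRASES: Dict[str, str] = {
    "ca-signer": "issuing-ca-pass",
    "vault": "datavault-pass",
    "scep": "scep-ra-pass",
}


def effective_token(realm: Dict[str, Any], name: str) -> Dict[str, Any]:
    """Merge a token block with its `inherit:` chain; the child's keys win."""
    merged: Dict[str, Any] = {}
    seen: List[str] = []
    current = name
    while current is not None:
        if current in seen:
            raise ValueError("inherit cycle: " + " -> ".join(seen + [current]))
        seen.append(current)
        block = realm.get(current)
        if block is None:
            raise KeyError(f"token {current!r} is not defined")
        for key, value in block.items():
            if key != "inherit":
                merged.setdefault(key, value)
        current = block.get("inherit")
    return merged


def resolve_secret(realm: Dict[str, Any], system: Dict[str, Any], group: str) -> str:
    """Return the passphrase a named secret group evaluates to."""
    block = realm.get("secret", {}).get(group)
    if block is None:
        raise KeyError(f"secret group {group!r} is not defined in the realm")
    if block.get("import"):
        # `import: 1` defers to the group of the same name in the system config.
        block = system.get(group)
        if block is None:
            raise KeyError(f"secret group {group!r} imported but missing in system")
    if block.get("method") != "literal":
        raise NotImplementedError(f"method {block.get('method')!r} is not modelled")
    return str(block["value"])


def mismatched_tokens(realm: Dict[str, Any], system: Dict[str, Any],
                      passphrases: Dict[str, str]) -> List[str]:
    """Tokens whose resolved secret differs from the passphrase their key really has."""
    bad: List[str] = []
    for token, actual in passphrases.items():
        configured = resolve_secret(realm, system, effective_token(realm, token)["secret"])
        if configured != actual:
            bad.append(token)
    return bad


if __name__ == "__main__":
    for label, realm in (("before edit", REALM_BEFORE), ("after edit", REALM_AFTER)):
        bad = mismatched_tokens(realm, SYSTEM_SECRETS, KEY_PASSPHRASES)
        print(f"{label}: {bad if bad else 'all tokens resolve to their key passphrase'}")
```

Before the edit every token resolves, via `inherit: default` and `import: 1`, to the system "root" secret, which is not what the keys were encrypted with; after the edit each token resolves to its own literal group. Whether a real OpenXPKI instance applies exactly these precedence rules should be confirmed against the installed configuration rather than assumed from this model.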
-----Original Message-----
From: Steve Downey via OpenXPKI-users <[email protected]>
Sent: Saturday, 10 October 2020 17:14
To: [email protected]
Cc: Steve Downey <[email protected]>
Subject: [OpenXPKI-users] Importing Certs into Datavault
Hi there
I'm getting this error whenever I import a key. It seems I'm not setting the
DataVault password correctly, wherever that is:
Encryption key needed to decrypt password safe entry is unavailable
How it's generated:
openssl req -new -verbose -config "${OPENSSL_CONF}" \
    -reqexts v3_datavault_reqexts -batch \
    -newkey rsa:"${BITS}" -passout file:"${DATAVAULT_KEY_PASSWORD}" \
    -keyout "${DATAVAULT_KEY}" -subj "${DATAVAULT_SUBJECT}" \
    -out "${DATAVAULT_REQUEST}"
The datavault is a 4K RSA key; key and permissions seem OK.
root@can-lx-intca-01:~# ls -la /etc/openxpki/ca/
total 24
drwxr-xr-x  4 root     root     4096 Oct 10 10:58 .
drwxr-xr-x 11 openxpki root     4096 Oct  8 19:10 ..
drwxr-xr-x  3 openxpki root     4096 Oct  9 19:27 dev
-r--------  1 openxpki openxpki 3413 Oct 10 10:58 vault-1.pem
I've tried defining the secret here with no improvement:
/etc/openxpki/config.d/realm/dev/crypto.yaml
/etc/openxpki/config.d/system/crypto.yaml
All I see is "secret: default" only; I'm not sure from any of the docs how the
defined password in the .pass file is injected to allow the rest of the
import, if that's in fact the problem.
I've based myself off of sampleconfig.sh but I see no reference on how the
private key secret is set on import.
root@can-lx-intca-01:~# openxpkiadm certificate import --file "${DATAVAULT_CERTIFICATE}" --realm "${REALM}" --token datasafe --key "${DATAVAULT_KEY}"
Starting import
Successfully imported certificate into database:
  Subject: CN=DEV LinuxCA Internal DataVault
  Issuer: CN=Enterprises DEV Intermediate Linux CA,OU=PKI,O=Enterprises,C=CA
  Identifier: f9BVEDgua8xsUVKBpPzD_JpQeHA
  Realm: dev
Successfully created alias in realm dev:
  Alias : vault-1
  Identifier: f9BVEDgua8xsUVKBpPzD_JpQeHA
  NotBefore : 2020-10-09 23:27:14
  NotAfter : 2030-10-12 23:27:14
Successfully wrote key to /etc/openxpki/ca/vault-1.pem

root@can-lx-intca-01:~# openxpkiadm alias --realm "${REALM}" --token certsign --file "${ISSUING_CA_CERTIFICATE}" --key "${ISSUING_CA_KEY}"
Successfully created alias in realm dev:
  Alias : ca-signer-1
  Identifier: 6j87PRoXumH_EEamEXfVGfgidzk
  NotBefore : 2020-10-09 22:53:09
  NotAfter : 2041-10-09 23:03:09
2020/10/10 10:58:46 Encryption key needed to decrypt password safe entry is unavailable
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users