hi there
1) That's just troubleshooting confirming the cert tree; the step right after
confirms the import is successful after the SubCA cert is imported.
2) That's me sanitizing the output. All is "lawl_dev"; I just missed a
reference. I only have one realm defined, all symlinked to realm.tpl.
So far I don't understand why the vault key file can't be found; that is what I'm
focusing on. Even if I statically define it in crypto.yaml, it still doesn't find
it when I try to define the alias. When I list the keys, shouldn't there be a
" + " next to the entry when a file is defined? Which it is, per the example
submitted in this thread and even the crypto.yaml supplied in realm.tpl.
Lists keys together with a status flag, which can be one of the
following:
c - token not defined in crypto.token
===crypto.yaml
token:
>   default:
>     backend: OpenXPKI::Crypto::Backend::OpenSS
....
>   ca-signer:
>     inherit: default
>     key_store: DATAPOOL
>     key: "[% ALIAS %]"
>     secret: ca-signer
>
>   vault:
>     inherit: default
>     key: /etc/openxpki/ca/[% ALIAS %].pem
>     secret: vault
>
root@can-lx-intca-01:~# openxpkiadm key list
Keys for token group vault
c vault-1
Keys for token group ca-signer
c ca-signer-1
Keys for token group scep
c scep-1
root@can-lx-intca-01:~# openxpkiadm alias --realm dev
=== functional token ===
scep (scep):
Alias : scep-1
Identifier: ORa3_tVU3aWFjXD5rFd80BQydjw
NotBefore : 2020-10-09 23:27:14
NotAfter : 2022-10-09 23:27:14
ca-signer (certsign):
Alias : ca-signer-1
Identifier: 6j87PRoXumH_EEamEXfVGfgidzk
NotBefore : 2020-10-09 22:53:09
NotAfter : 2041-10-09 23:03:09
vault (datasafe):
Alias : vault-1
Identifier: f9BVEDgua8xsUVKBpPzD_JpQeHA
NotBefore : 2020-10-09 23:27:14
NotAfter : 2030-10-12 23:27:14
=== root ca ===
current root ca:
Alias : root-1
Identifier: VkBjvHQvHV6Flt0T-ESDSm3Av4g
NotBefore : 2020-10-05 11:52:00
NotAfter : 2050-10-06 11:52:00
> 2020/10/12 13:07:30 openxpki.system.ERROR OpenSSL error:
> 140438229632128:error:08064066:object identifier routines:OBJ_create:oid
> exists:../crypto/objects/obj_dat.c:709:
> unable to load signing key file
>> 2020/10/12 13:07:30 openxpki.system.ERROR Encryption key needed to decrypt
>> password safe entry is unavailable; __token_id__ => vault-1
>> [pid=33188|user=anonymous|role=System|sid=ZsEI]
But it's imported and written to the file system, and the file is good; the chain is
also valid.
root@can-lx-intca-01:~# ls -lat /etc/openxpki/ca/vault-1.pem
-r-------- 1 openxpki openxpki 3413 Oct 12 13:07 /etc/openxpki/ca/vault-1.pem
root@can-lx-intca-01:~# openssl pkey -in /etc/openxpki/ca/vault-1.pem -pubout \
    -passin file:${DATAVAULT_KEY_PASSWORD} | openssl md5
(stdin)= 50df29da6755c3ebc322e553ac96784a
root@can-lx-intca-01:~# openssl x509 -pubkey -in ${DATAVAULT_CERTIFICATE} \
    -noout | openssl md5
(stdin)= 50df29da6755c3ebc322e553ac96784a
> root@can-lx-intca-01:~# openxpkiadm certificate import --file \
>     "${DATAVAULT_CERTIFICATE}" --realm "${REALM}" --token datasafe --key \
>     ${DATAVAULT_KEY}
> Starting import
> Successfully imported certificate into database:
> Subject: CN=DEV LinuxCA Internal DataVault
> Issuer: CN=Enterprises DEV Intermediate Linux CA,OU=PKI,O=Enterprises,C=CA
> Identifier: f9BVEDgua8xsUVKBpPzD_JpQeHA
> Realm: dev
>
> Successfully created alias in realm dev:
> Alias : vault-1
> Identifier: f9BVEDgua8xsUVKBpPzD_JpQeHA
> NotBefore : 2020-10-09 23:27:14
> NotAfter : 2030-10-12 23:27:14
>
> Successfully wrote key to /etc/openxpki/ca/vault-1.pem
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
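The post above verifies the datavault key by hand: it lists the file, decrypts it with the passphrase file, and compares the public-key digest against the certificate. The script below is an added example, not code from the OpenXPKI project or from this thread, that packages that same check into one reusable function and adds the failure cases the post is chasing (file missing or unreadable, wrong passphrase, key belonging to a different certificate). It assumes only the openssl CLI; the function names key_matches_cert and setup_demo, the file names vault-1.pem, vault-1.crt, vault.pass and other.pem, the passphrase and the CN are all constructed for the demo.

```shell
#!/bin/sh
# Added example, not OpenXPKI project code. Verifies a token key file the way
# the post does by hand: readable, decryptable with the passphrase file, and
# carrying the same public key as the certificate. Assumes the openssl CLI.
set -eu

# key_matches_cert KEYFILE CERTFILE [PASSFILE]
# Exit status 0 only when KEYFILE loads and its public key equals the one in CERTFILE.
# Note: the -r checks run as the invoking user; run this as the user the
# OpenXPKI server runs as if you want them to reflect what the daemon sees.
key_matches_cert() {
    key="$1"; cert="$2"; passfile="${3:-}"
    [ -r "$key" ]  || { echo "key file missing or not readable: $key" >&2; return 1; }
    [ -r "$cert" ] || { echo "certificate missing or not readable: $cert" >&2; return 1; }
    pub=$(mktemp)
    # </dev/null keeps openssl from prompting on a terminal when no passphrase was given
    if [ -n "$passfile" ]; then
        if ! openssl pkey -in "$key" -passin "file:$passfile" -pubout -out "$pub" 2>/dev/null </dev/null; then
            rm -f "$pub"; echo "cannot load private key (bad PEM or wrong passphrase): $key" >&2; return 1
        fi
    else
        if ! openssl pkey -in "$key" -pubout -out "$pub" 2>/dev/null </dev/null; then
            rm -f "$pub"; echo "cannot load private key (bad PEM or passphrase required): $key" >&2; return 1
        fi
    fi
    # Same comparison as the post (public key of the key vs. public key of the cert),
    # with sha256 instead of md5.
    key_digest=$(openssl sha256 < "$pub"); rm -f "$pub"
    cert_digest=$(openssl x509 -in "$cert" -pubkey -noout | openssl sha256)
    [ "$key_digest" = "$cert_digest" ]
}

# setup_demo DIR: constructed test material in the layout the post's crypto.yaml
# expects (key at DIR/<alias>.pem), plus an unrelated key for a negative check.
setup_demo() {
    dir="$1"
    printf 'constructed-demo-passphrase\n' > "$dir/vault.pass"      # constructed passphrase file
    openssl genrsa -aes256 -passout "file:$dir/vault.pass" -out "$dir/vault-1.pem" 2048 2>/dev/null
    openssl req -new -x509 -key "$dir/vault-1.pem" -passin "file:$dir/vault.pass" \
        -subj "/CN=example-datavault" -days 30 -out "$dir/vault-1.crt" 2>/dev/null
    openssl genrsa -out "$dir/other.pem" 2048 2>/dev/null           # unrelated key, unencrypted
    chmod 0400 "$dir/vault-1.pem"                                   # same mode as in the post
}

# Stand-alone demonstration on constructed material in a temp dir.
demo_dir=$(mktemp -d)
setup_demo "$demo_dir"
if key_matches_cert "$demo_dir/vault-1.pem" "$demo_dir/vault-1.crt" "$demo_dir/vault.pass"; then
    echo "vault-1.pem: loads with passphrase and matches vault-1.crt"
fi
if ! key_matches_cert "$demo_dir/other.pem" "$demo_dir/vault-1.crt"; then
    echo "other.pem: does not match vault-1.crt (expected)"
fi
if ! key_matches_cert "$demo_dir/vault-1.pem" "$demo_dir/vault-1.crt"; then
    echo "vault-1.pem without passphrase: cannot load (expected)"
fi
rm -rf "$demo_dir"
```

Against a live installation the call would be something like `key_matches_cert /etc/openxpki/ca/vault-1.pem "$DATAVAULT_CERTIFICATE" "$DATAVAULT_KEY_PASSWORD"`, run as the server's own user rather than root so that the readability check is meaningful for the daemon. Each failure path prints a distinct reason on stderr, which separates "file not there" from "there but wrong passphrase" from "there but wrong key", three cases that the single "unable to load signing key file" log line in the post does not distinguish.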