So this has to do with something in the database. All I did was change from
key_store:DATAPOOL to a key file, and import worked.

ca-signer:
    inherit: default
    # key_store: DATAPOOL
    # key: "[% ALIAS %]"
    key: /etc/openxpki/ca/[% ALIAS %].pem
    secret: ca-signer

root@can-lx-intca-01:~# openxpkiadm alias --realm "${REALM}" --token certsign \
    --file "${ISSUING_CA_CERTIFICATE}" --key ${ISSUING_CA_KEY}
Successfully created alias in realm lawl_dev:
Alias : ca-signer-1
Identifier: 6j87PRoXumH_EEamEXfVGfgidzk
NotBefore : 2020-10-09 22:53:09
NotAfter : 2041-10-09 23:03:09
Successfully wrote key to /etc/openxpki/ca/ca-signer-1.pem
Token is certsign, looking for root...
Root ca already in alias table:
Alias : root-1
Identifier: VkBjvHQvHV6Flt0T-ESDSm3Av4g
NotBefore : 2020-10-05 11:52:00
NotAfter : 2050-10-06 11:52:00

This jives with what I've read and where the keys should be. Yet nothing on
key_value:DATASTORE outside it being an opaque encrypted SQL blob. It just
seems to auto-magically know the path to the key. (I presume ca/vault-x.pem [x
being each vault defined if multi-realm].)
I see there are references to having to be manually imported, but it being
unable to find the data vault key to import with isn't indicative that this
step was not completed. By what I've read, the --key flag does this import,
with the vault key encryption.
>> openxpkicli set_data_pool_entry --arg namespace=sys.crypto.keys \
--arg key=scep-1 \
--arg encrypt=1 \
--filearg value=file_with_key.pem
So what in the import process would cause this when trying to write to the
database?
What have I missed?
> 2020/10/12 13:07:30 openxpki.system.ERROR OpenSSL error:
> 140438229632128:error:08064066:object identifier routines:OBJ_create:oid
> exists:../crypto/objects/obj_dat.c:709:
> unable to load signing key file
>> 2020/10/12 13:07:30 openxpki.system.ERROR Encryption key needed to decrypt
>> password safe entry is unavailable; __token_id__ => vault-1
>> [pid=33188|user=anonymous|role=System|sid=ZsEI]