Steve,
The openxpkiadm alias ... --key internally calls "set_data_pool_entry";
we have added this as a convenience function to openxpkiadm in 3.6.
Your problem is still that the DataVault token is not working and
therefore the import into the Datapool fails. Key material is held in
the datapool wrapped by an extra layer of encryption using this
DataVault Token. I am pretty sure that you found a way to make the key
unusable which might be file permissions (check upper path folders),
wrong passphrase in crypto.yaml or even non-matching key/certificate pair.
Try to run openxpkicli get_token_info --arg alias=vault-1
Oliver
On 13.10.20 at 18:13, Steve Downey via OpenXPKI-users wrote:
> So this has to do with something in the database. All I did was change from
> key_store:DATAPOOL to a key file, and import worked.
> .
> ca-signer:
> inherit: default
> # key_store: DATAPOOL
> # key: "[% ALIAS %]"
> key: /etc/openxpki/ca/[% ALIAS %].pem
> secret: ca-signer
>
> root@can-lx-intca-01:~# openxpkiadm alias --realm "${REALM}" --token certsign
> --file "${ISSUING_CA_CERTIFICATE}" --key ${ISSUING_CA_KEY}
> Successfully created alias in realm lawl_dev:
> Alias : ca-signer-1
> Identifier: 6j87PRoXumH_EEamEXfVGfgidzk
> NotBefore : 2020-10-09 22:53:09
> NotAfter : 2041-10-09 23:03:09
>
> Successfully wrote key to /etc/openxpki/ca/ca-signer-1.pem
>
> Token is certsign, looking for root...
> Root ca already in alias table:
> Alias : root-1
> Identifier: VkBjvHQvHV6Flt0T-ESDSm3Av4g
> NotBefore : 2020-10-05 11:52:00
> NotAfter : 2050-10-06 11:52:00
>
> This jives with what I've read and where the keys should be. Yet nothing on
> key_value:DATASTORE outside it being an opaque encrypted SQL blob. It just
> seems to auto-magically know the path to the key. (I presume ca/vault-x.pem
> [x being each vault defined if multi-realm].)
>
> I see there are references to having to be manually imported, but it being
> unable to find the data vault key to import with isn't indicative that this
> step was not completed. By what I've read, the --key flag does this import,
> with the vault key encryption.
>
>>> openxpkicli set_data_pool_entry --arg namespace=sys.crypto.keys \
> --arg key=scep-1 \
> --arg encrypt=1 \
> --filearg value=file_with_key.pem
>
> So what in the import process would cause this when trying to write to the
> database?
> What have I missed?
>
>> 2020/10/12 13:07:30 openxpki.system.ERROR OpenSSL error:
>> 140438229632128:error:08064066:object identifier routines:OBJ_create:oid
>> exists:../crypto/objects/obj_dat.c:709:
>> unable to load signing key file
>>> 2020/10/12 13:07:30 openxpki.system.ERROR Encryption key needed to decrypt
>>> password safe entry is unavailable; __token_id__ => vault-1
>>> [pid=33188|user=anonymous|role=System|sid=ZsEI]
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
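The three causes Oliver lists (a parent directory the daemon user cannot traverse, a passphrase in crypto.yaml that does not unlock the key, a key that does not belong to the vault certificate) can be checked one by one before re-running the import. The script below is an added example, not part of the thread or of OpenXPKI; the paths, the "openxpki" user name and the VAULT_PASS variable are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): three checks for a DataVault key that
# OpenXPKI refuses to load. Run it as the daemon user so that the permission
# test reflects what the server sees, e.g. (assumed paths and user):
#   sudo -u openxpki env VAULT_PASS='...' sh vault_check.sh \
#       /etc/openxpki/ca/vault-1.pem /etc/openxpki/ca/vault-1.crt

# 1. Permissions: the key must be readable and every directory above it
#    must carry the traverse (x) bit for the user running this script.
#    Prints the first offending path and returns 1.
check_key_access() {
    key="$1"
    [ -r "$key" ] || { echo "key not readable: $key"; return 1; }
    dir=$(dirname "$key")
    while :; do
        [ -x "$dir" ] || { echo "no traverse permission on $dir"; return 1; }
        parent=$(dirname "$dir")
        [ "$parent" = "$dir" ] && break   # reached / (or . for relative paths)
        dir=$parent
    done
    return 0
}

# 2. Passphrase: does the secret held in VAULT_PASS (what crypto.yaml should
#    contain) actually unlock the key? Non-zero means wrong passphrase or a
#    damaged key file. VAULT_PASS must be set, even for an unencrypted key.
check_passphrase() {
    openssl pkey -in "$1" -passin env:VAULT_PASS -noout 2>/dev/null
}

# 3. Pairing: the SubjectPublicKeyInfo embedded in the certificate must be
#    byte-for-byte the one derived from the private key.
check_key_matches_cert() {
    k=$(openssl pkey -in "$1" -passin env:VAULT_PASS -pubout 2>/dev/null) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null) || return 1
    [ "$k" = "$c" ]
}

# Full diagnosis only when a key and a certificate are given on the command line.
if [ $# -eq 2 ]; then
    check_key_access "$1" || exit 1
    check_passphrase "$1" || { echo "FAIL: passphrase does not unlock $1"; exit 1; }
    check_key_matches_cert "$1" "$2" || { echo "FAIL: $1 does not match $2"; exit 1; }
    echo "all checks passed; next: openxpkicli get_token_info --arg alias=vault-1"
fi
```

A key that passes all three checks here but still fails inside the server usually points at a different path or secret in crypto.yaml than the one tested.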