Hi there all you cover, is in place correctly, which is why this is driving me nuts, it doesn't make sense. In the end it was a password issue, linked to inheritance. By design I presume, just not intuitive when doing troubleshooting with passwords defined in two different places that seem to conflict.
- file written by the import process of openXPKI, not myself, with the correct permissions set
- crypto.yaml password is set correctly, made sure my YAML indenting was set correctly
- able to use the generated password file to verify the password
- Validated the password is correct, the MD5 hash matches, using the same password file generated by the sampleconfig.sh make_password() function, validated with the generated file.

I altered the password in the password file, then I got the same error as the import process.

    root@can-lx-intca-01 :~# openssl pkey -in /etc/openxpki/ca/vault-1.pem -pubout -passin file:/etc/openxpki/ca/lawl_dev/OpenXPKI_lawl_dev_DataVault.pass | openssl md5
    unable to load key
    139732138353792:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
    139732138353792:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
    139732138353792:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
    139732138353792:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:

So this confirms it was a password issue, but where were passwords being set, in the system/crypto.yaml.

    # Secret group to be shared in all realms
    secret:
        default:
            label: Global secret group
            export: 0
            method: literal
            value: '' #value root

So, when the value is set in system/crypto.yaml, does not the realm/crypto.yaml overwrite system/realm.yaml as needed, as realm is lower down in the inheritance chain with a defined value? Or since one was default: vs token_name: that the value overwrite didn't take?

realm/crypto.yaml

    type:
        certsign: ca-signer
        datasafe: vault
        scep: scep
    .....
    secret:
        default:
            # this let OpenXPKI use the secret of the same name from system.crypto
            # if you do not want to share the secret just replace this line with
            # the config found in system.crypto. You can create additional secrets
            # by adding similar blocks with another key
            import: 1
        vault:
            label: Vault group
            method: literal
            value: '9fQ...M='
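The situation in this message, one encrypted key and passphrases defined in two places, can be checked mechanically. The script below is an added example, not part of the original post and not OpenXPKI code; the function names, file names and passphrases are constructed for the demo, and it assumes each candidate secret has been written to its own file.

```shell
#!/bin/sh
# Added example: report which candidate passphrase file decrypts a key.
# Everything under $demo_dir is constructed sample data.

# Return 0 if the first line of passphrase file $2 decrypts private key $1.
key_unlocks() {
    openssl pkey -in "$1" -passin "file:$2" -noout 2>/dev/null
}

# Print the first passphrase file that decrypts key $1.
# Returns 1 if none match, 2 if the key is not encrypted at all
# (openssl would then "succeed" with any passphrase, hiding the problem).
which_secret_unlocks() {
    key=$1; shift
    grep -q 'ENCRYPTED' "$key" || return 2
    for passfile in "$@"; do
        [ -r "$passfile" ] || continue      # skip unreadable files
        if key_unlocks "$key" "$passfile"; then
            printf '%s\n' "$passfile"
            return 0
        fi
    done
    return 1
}

# --- constructed demo data ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
printf 'system-secret\n' > "$demo_dir/system.pass"  # stands in for the system-level secret
printf 'realm-secret\n'  > "$demo_dir/realm.pass"   # stands in for the realm-level secret

# Key encrypted with the realm-level passphrase, plus a decrypted copy.
openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:prime256v1 \
    -aes-256-cbc -pass "file:$demo_dir/realm.pass" \
    -out "$demo_dir/vault.pem" 2>/dev/null
openssl pkey -in "$demo_dir/vault.pem" -passin "file:$demo_dir/realm.pass" \
    -out "$demo_dir/plain.pem"

# Try the system-level secret first, then the realm-level one.
which_secret_unlocks "$demo_dir/vault.pem" \
    "$demo_dir/system.pass" "$demo_dir/realm.pass"
```

Run against a real key, the printed path tells you which of the configured secrets the key was actually encrypted with.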
