Hi, it looks like you are mixing up the crypto.yaml in system and in your realm - those are separate files!

Your key/token definitions MUST be in the realm's crypto.yaml, the secrets MUST also be defined there but CAN use the "import" syntax which loads the definitions from the system/crypto.yaml.

Oliver

On 09.11.20 at 12:08, John Lemona wrote:
> Hi,
>
> I followed the quickstart guide for the installation of the solution and the
> configuration of my realm.
> I set an empty value for KEY_PASSWORD (line 27) in the demo shell script
> named "sampleconfig.sh" to get random passwords in all .pass files.
>
> So, the .pass files contain a random base64 password and the openxpki user
> can read all .pass files:
>
> myrealm/OpenXPKI_Issuing_CA.pass
> myrealm/OpenXPKI_Root_CA.pass
> myrealm/OpenXPKI_SCEP_CA.pass
> myrealm/OpenXPKI_Datavault.pass
>
> I have modified the crypto.yaml file to set the different values
> of the .pass files, but I think I don't understand how
> the crypto.yaml file is constructed.
>
> My crypto.yaml file looks like this:
>
> # API class to be used for different types of *realm* tokens
> # Undefined values default to OpenXPKI::Crypto::Backend::API
> tokenapi:
>   certsign: OpenXPKI::Crypto::Backend::API
>   crlsign: OpenXPKI::Crypto::Backend::API
>   datasafe: OpenXPKI::Crypto::Backend::API
>   scep: OpenXPKI::Crypto::Tool::LibSCEP::API
>
> #TEST <
> type:
>   certsign: ca-signer
>   datasafe: vault
>   scep: scep
> #TEST >
>
> # System wide token (non key based tokens)
> token:
>   default:
>     backend: OpenXPKI::Crypto::Backend::OpenSSL
>     api: OpenXPKI::Crypto::Backend::API
>     engine: OpenSSL
>     key_store: OPENXPKI
>     # OpenSSL binary location
>     shell: /usr/bin/openssl
>
>     # OpenSSL binary call gets wrapped with this command
>     wrapper: ''
>
>     # random file to use for OpenSSL
>     randfile: /var/openxpki/rand
>
>   javaks:
>     backend: OpenXPKI::Crypto::Tool::CreateJavaKeystore
>     api: OpenXPKI::Crypto::Tool::CreateJavaKeystore::API
>     engine: OpenSSL
>     key_store: OPENXPKI
>     shell: /usr/bin/keytool
>     randfile: /var/openxpki/rand
>
> #TEST <
>   vault:
>     inherit: default
>     key: /etc/openxpki/ca/myrealm/OpenXPKI_DataVault.key
>
>   ca-signer:
>     inherit: default
>     key: /etc/openxpki/ca/myrealm/OpenXPKI_Root_CA.key
>
>   scep:
>     inherit: default
>     key: /etc/openxpki/ca/myrealm/OpenXPKI_SCEP_CA.key
> #TEST >
>
> # Secret group to be shared in all realms
> secret:
>   default:
>     label: Global secret group
>     export: 0
>     method: literal
>     value: root
>     #value: OFyBqMr4xqaVNV+Xxxxxxxxxxxxxxxxxxb1n14fiwAtvU=
>
>     # if you want to enter the password after startup via the Webui
>     # replace method and value above with this block, kcv is optional
>     # but highly recommended as wrong passwords let the engine crash
>     # you can generate the kcv with "openxpkiadm hashpwd -s argon2"
>     # Shared secrets are avail in all realms after been unlocked in one
>     #method: plain
>     #cache: daemon
>     #kcv: $argon2id$v=19$m=32768,t=3,p=1$NmwvcTxxxxxxxxxxxxxxxxxxx8uTK4DI9Ew730Q
>
> #TEST <
>   ca-signer:
>     label: ca-signer group
>     export: 0
>     method: literal
>     # Value = contents of .pass
>     value: DHxxx+ioxEAthxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
>
>   vault:
>     label: vault group
>     export: 0
>     method: literal
>     # Value = contents of .pass
>     value: OFxxxxxxr4xqaVNxxxxxxxxxxxxxxxxxxxxxxxxxx=
>
>   scep:
>     label: scep
>     export: 0
>     method: literal
>     # Value = contents of .pass
>     value: r1mxxxxcw/mtF6Lxxxxxxxxxxxxxxxxxxxxxxxxxx=
> #TEST >
>
> When I put the contents of my .pass file vault-1 in the
> "Global secret group", the vault-1 token status is ONLINE
> in the OpenXPKI WebUI. Otherwise it is offline.
>
> Can you help me to build my crypto.yaml file correctly
> so that my ca-signer and vault tokens are online please?
>
> The log file tells me the following errors:
>
> 2020/11/09 10:29:47 openxpki.system.ERROR OpenSSL error: 139969451594880:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
> unable to load signing key file
> 139969451594880:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:../crypto/asn1/asn_moid.c:38:
> 139969451594880:error:0E07606D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1
> 139969451594880:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
> 139969451594880:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
> 139969451594880:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
> 139969451594880:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
> [pid=28490|sid=5NKl]
> 2020/11/09 10:29:47 openxpki.system.ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=28490|sid=5NKl]
> 2020/11/09 10:29:47 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=28490|sid=5NKl]
> 2020/11/09 10:29:47 openxpki.system.ERROR OpenSSL error: 139728422380672:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
> unable to load signing key file
>
> Thank you for your help.
> Best regards,
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users

-- 
Protect your environment - close windows and adopt a penguin!
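An added check for the symptom in the quoted log (not from this thread or from the OpenXPKI project): the "EVP_DecryptFinal_ex:bad decrypt" followed by "unable to load signing key file" means the secret group value does not unlock the key. This script verifies each realm .pass file against its .key with stock openssl before the value is copied into a secret group; it assumes the NAME.key / NAME.pass pairing under one realm directory and builds throwaway keys for its demo.

```shell
#!/bin/sh
# Added example, not OpenXPKI code: confirm that each realm .pass file really
# unlocks its .key before wiring the value into a secret group in crypto.yaml.
# A mismatch is what produces "EVP_DecryptFinal_ex:bad decrypt" followed by
# "unable to load signing key file" in openxpki.system.ERROR.
set -u

# 0 if the first line of $2 (the format sampleconfig.sh writes) decrypts the
# PEM key $1, non-zero otherwise. Only stock openssl(1) is needed.
check_key_pass() {
    openssl pkey -in "$1" -passin "file:$2" -noout >/dev/null 2>&1
}

# Assumed layout: NAME.key next to NAME.pass in one realm directory.
# Prints one line per key; returns 1 if any key cannot be opened.
check_realm_keys() {
    dir="$1"; rc=0
    for key in "$dir"/*.key; do
        [ -e "$key" ] || continue
        passfile="${key%.key}.pass"
        if [ ! -r "$passfile" ]; then
            echo "MISSING  $passfile"; rc=1
        elif check_key_pass "$key" "$passfile"; then
            echo "OK       $key"
        else
            echo "BADPASS  $key (secret in crypto.yaml must equal $passfile)"; rc=1
        fi
    done
    return $rc
}

# Constructed demo material (throwaway keys, not real CA keys): one key whose
# .pass matches and one whose .pass was overwritten, reproducing the symptom.
demo() {
    tmp=$(mktemp -d)
    openssl rand -base64 32 > "$tmp/OpenXPKI_DataVault.pass"
    openssl genrsa -aes256 -passout "file:$tmp/OpenXPKI_DataVault.pass" \
        -out "$tmp/OpenXPKI_DataVault.key" 2048 2>/dev/null
    openssl rand -base64 32 > "$tmp/OpenXPKI_Root_CA.pass"
    openssl genrsa -aes256 -passout "file:$tmp/OpenXPKI_Root_CA.pass" \
        -out "$tmp/OpenXPKI_Root_CA.key" 2048 2>/dev/null
    openssl rand -base64 32 > "$tmp/OpenXPKI_Root_CA.pass"   # password lost
    check_realm_keys "$tmp"   # prints OK for DataVault, BADPASS for Root_CA
}
```

Source the file and run `check_realm_keys /etc/openxpki/ca/myrealm` as the openxpki user (the same user the daemon reads the files as), or `demo` to see both outcomes on constructed keys.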
