Hello,
Good, no more errors with -x509.
--small remark---
I have not yet figured out how to configure the CA token, and I don't know if it is
necessary to configure it. Do I need it?
The command openxpkiadm alias --realm democa
says that current root ca: not set
although I have imported the root certificate before....
---/remark---
The main problem now is the Apache TLS certificate.
The documentation says to place the key in
/etc/openxpki/tls/private/openxpki.pem and the certificate in
/etc/openxpki/tls/endentity/openxpki.crt.
But the virtual site config says:
/etc/apache2/sites-enabled# cat openxpki.conf
SSLCertificateFile /etc/openxpki/tls/endentity/openxpki.crt
SSLCertificateChainFile /etc/openxpki/tls/endentity/openxpki.crt
SSLCertificateKeyFile /etc/openxpki/tls/private/openxpki.pem
The paths are different. I doubt that this will work. Is this normal?
Thank you
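
[Added example, not part of the original message or of the OpenXPKI documentation] One way to check that the files named by the SSLCertificateFile and SSLCertificateKeyFile directives above exist, belong together, and that the key is not world-accessible. It assumes the openssl command-line tool is installed; the function names, the return codes and the throwaway certificate in a temp directory are constructed for illustration.

```shell
#!/bin/sh
# Added example: sanity-check the TLS files an Apache vhost references.

# Print the path given to one directive, e.g. SSLCertificateFile.
# Limitation: paths containing spaces are not handled.
directive_path() {   # $1 = directive name, $2 = vhost config file
    awk -v d="$1" 'tolower($1) == tolower(d) { p = $2; gsub(/"/, "", p); print p; exit }' "$2"
}

# Returns 0 = OK, 2 = directive missing, 3 = file unreadable,
# 4 = certificate and key do not match, 5 = key accessible to "other" users.
check_vhost_tls() {  # $1 = vhost config file
    conf=$1
    crt=$(directive_path SSLCertificateFile "$conf")
    key=$(directive_path SSLCertificateKeyFile "$conf")
    if [ -z "$crt" ] || [ -z "$key" ]; then echo "SSL directive missing" >&2; return 2; fi
    if [ ! -r "$crt" ] || [ ! -r "$key" ]; then echo "unreadable: $crt or $key" >&2; return 3; fi
    # The public key in the certificate must equal the one derived from the private key.
    crt_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$crt_pub" ] || [ "$crt_pub" != "$key_pub" ]; then
        echo "certificate/key mismatch: $crt vs $key" >&2; return 4
    fi
    # Characters 8-10 of the ls mode string are the permissions for "other".
    if [ "$(ls -ldL "$key" | cut -c8-10)" != "---" ]; then
        echo "private key is world-accessible: $key" >&2; return 5
    fi
    echo "OK: $crt matches $key"
}

# Constructed sample: a throwaway self-signed pair plus a vhost fragment using the
# same three directives as the message above, with paths inside a temp directory.
make_demo() {
    d=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=openxpki.example" \
        -keyout "$d/openxpki.pem" -out "$d/openxpki.crt" 2>/dev/null || return 1
    chmod 600 "$d/openxpki.pem"
    printf '%s\n' "SSLCertificateFile $d/openxpki.crt" \
        "SSLCertificateChainFile $d/openxpki.crt" \
        "SSLCertificateKeyFile \"$d/openxpki.pem\"" > "$d/openxpki.conf"
    echo "$d"
}

# Run against the constructed sample; on a real host, call
# check_vhost_tls with the vhost file instead.
demo=$(make_demo) && check_vhost_tls "$demo/openxpki.conf"
```
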
-----Original Message-----
From: Martin Bartosch <[email protected]>
Sent: Wednesday, April 28, 2021 5:35 PM
To: [email protected]
Cc: Dimitri TIMOCHENKO <[email protected]>
Subject: Re: [OpenXPKI-users] Cannot install. Where to obtain DataVault Key and
DataVault certificate?
Hi,
> Then I followed the updated document and got stuck with a strange error:
>
> root@server:/home/admin# openssl req -new -keyout vault.key -out vault.crt -days 3650 -config /etc/openxpki/contrib/vault.openssl.cnf
> Ignoring -days; not generating a certificate
> Generating a RSA private key
> .........................++++
> .......................................................................++++
> writing new private key to 'vault.key'
> -----
> Error Loading extension section v3_datavault_extensions
> 140436864996480:error:22077079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer certificate:../crypto/x509v3/v3_akey.c:104:
> 140436864996480:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in extension:../crypto/x509v3/v3_conf.c:47:name=authorityKeyIdentifier, value=keyid:always,issuer
>
> It only generates a key, but no certificate. Where in the filesystem does this
> command have to be executed? As root or another user?
The command referenced in the documentation contains a small error. Retry,
adding -x509 on the command line, i.e.:
openssl req -new -x509 -keyout vault.key -out vault.crt -days 3650 -config /etc/openxpki/contrib/vault.openssl.cnf
This command will generate the vault.crt certificate file.
It does not matter where this command is executed and which user executes it,
as the generated key and certificate are imported into the OpenXPKI database by
the following two openxpkiadm commands. You can delete the generated key and
certificate after the import.
cheers
Martin