Hello,
Thanks for your reply. I am however so far unable to get it fixed.
As you suggested I checked the token info for the ca-signer-1 and that
seems as expected:
root@03320e4aaa09:/var/log/openxpki# openxpkicli get_token_info --arg alias=ca-signer-1
{
    "key_name" : "ca-signer-1",
    "key_secret" : 1,
    "key_store" : "DATAPOOL",
    "key_usable" : 1
}
However I keep getting that the certificate is offline.
So I first added the password in <realm>/crypto.yaml (also tried
ca-signer-1)
ca-signer:
    label: CA signer secret group
    export: 0
    method: literal
    value: root
First I had my own password, but to see if it worked with root (like the
sampleconfig script), to try to avoid possible other parts I might have
missed. But even with root it won't work.
Naturally I recreated the certificates and keys with the root password,
and tested it on the server to make sure the password was correct.
So it seems that even with the same passwords and commands as the
sampleconfig script, I fail to get the ca-signer certificate online.
Do you have any other idea what this can be? I am using the docker
container, in case that could make any difference.
With kind regards,
Hans de Jong
PS: Is there a way to extend the workflows with bash scripts instead of
references to Perl code? I would like to add my own parts, however I am
not proficient with Perl.
On 11/26/21 1:32 PM, Oliver Welter wrote:
Hello Hans,
please check with "openxpkicli get_token_info --arg alias=ca-signer-1"
if the key is properly found (key_usable = 1).
If this is the case, check if the password in the realm's crypto.yaml
matches the password that was used when generating the key.
Oliver
On 25.11.21 at 08:57, Hans de Jong wrote:
Hello,
I have been trying to set up my own realm and certificates with
openxpki, however I keep running into the issue that my Signing CA won't
come online.
It does load it just fine, and the realm alias info lists it all. But
it stays offline.
The vault however does work.
What I do: https://gist.github.com/Sult/8e67307bfdfbc66ed07d1d1891bbf94c
I did find in the documentation that the filename is important (With
default config)
https://openxpki.readthedocs.io/en/stable/operation/tokenconfig.html#initial-setup
The <realm>/ca says you would need to have keys in local/keys/<realm>
however the sample config doesn't follow this convention. I have also
tried by putting the keys there, but with the same result. Signing CA
won't come online.
With kind regards,
Hans de Jong
PS: I don't know if this is useful but when I have everything
loaded, I get this output when showing the realm alias info.
root@6cc6f2267e07:/etc/openxpki/tmp# openxpkiadm alias --realm provisioningca
=== functional token ===
scep (scep):
Alias : scep-1
Identifier: datk1dTh9DV2mUbP-YbctJn0Acw
NotBefore : 2021-11-23 10:41:01
NotAfter : 2022-11-23 10:41:01
vault (datasafe):
Alias : vault-1
Identifier: f56oyzMYYgI1tFl4YVCEQTQVDVI
NotBefore : 2021-11-24 13:25:59
NotAfter : 2024-11-28 13:25:59
ca-signer (certsign):
Alias : ca-signer-1
Identifier: a2YR8-rwPDRFHJZrMvkWM_YL-cA
NotBefore : 2021-11-23 10:40:54
NotAfter : 2022-11-23 10:40:54
ratoken (cmcra):
not set
=== root ca ===
current root ca:
Alias : root-1
Identifier: 0wwvnOUX2DNSYdjT0MNhPpfkyJg
NotBefore : 2021-11-23 10:40:49
NotAfter : 2031-11-21 10:40:49
upcoming root ca:
not set
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!
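
The second check suggested in the thread (does the secret in crypto.yaml match the passphrase the key was encrypted with), as an added example that is not part of the original messages. It assumes the encrypted key PEM is still available as a file and that the secret group uses `method: literal`; the awk parsing is a simplification, and the file names and the throwaway key in `demo` are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): test whether the literal secret of a
# group in crypto.yaml unlocks an encrypted PEM private key.

# Print the literal "value" of secret group $2 from crypto.yaml $1.
# Assumption: a "group:" line followed by plain "key: value" lines.
secret_value() {
    awk -v g="$2" '
        $1 == g ":"                      { in_group = 1; next }
        in_group && $1 == "value:"       { sub(/^[^:]*:[ \t]*/, ""); print; exit }
        in_group && NF == 1 && $1 ~ /:$/ { exit }   # next group starts
    ' "$1"
}

# Return 0 if passphrase $2 decrypts key file $1, 1 if it does not,
# 2 if the key is not encrypted at all (any secret would appear to work),
# 3 if the file cannot be read. The passphrase goes via stdin, not argv.
key_unlocks() {
    [ -r "$1" ] || return 3
    grep -q ENCRYPTED "$1" || return 2
    printf '%s\n' "$2" | openssl pkey -in "$1" -passin stdin -noout 2>/dev/null
}

# Constructed demo: throwaway EC key encrypted with "root" plus a matching
# crypto.yaml fragment, both in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -aes-256-cbc -pass pass:root -out "$d/ca-signer-1.pem" 2>/dev/null
    printf '%s\n' 'secret:' '  ca-signer:' \
        '    label: CA signer secret group' '    export: 0' \
        '    method: literal' '    value: root' > "$d/crypto.yaml"
    key_unlocks "$d/ca-signer-1.pem" "$(secret_value "$d/crypto.yaml" ca-signer)"
    demo_rc=$?
    rm -rf "$d"
    return $demo_rc
}

demo && echo "secret in crypto.yaml unlocks the key"
```

A return code of 2 is worth noticing: an unencrypted key file passes any passphrase test, so a "correct password" result on such a file says nothing about the configured secret.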