Hello Hans,

The password section is referenced via the keyword "secret", not the
name of the token - please check your configuration against the example.

Oliver

On 30.11.21 at 10:11, Hans de Jong wrote:
> Hello,
>
>
> Thanks for your reply. I am however so far unable to get it fixed.
> As you suggested I checked the token info for the ca-signer-1 and that
> seems as expected:
> root@03320e4aaa09:/var/log/openxpki# openxpkicli get_token_info --arg
> alias=ca-signer-1
> {
>    "key_name" : "ca-signer-1",
>    "key_secret" : 1,
>    "key_store" : "DATAPOOL",
>    "key_usable" : 1
> }
>
>
> However I keep getting that the certificate is offline.
> So I first added the password in <realm>/crypto.yaml  (also tried
> ca-signer-1)
>
>     ca-signer:
>       label: CA signer secret group
>       export: 0
>       method: literal
>       value: root
>
> First I had my own password, but to see if it worked with root (like
> the sampleconfig script), to try to avoid possible other parts I might
> have missed. But even with root it won't work.
> Naturally I recreated the certificates and keys with the root
> password, and tested it on the server to make sure the password was
> correct.
>
> So it seems that even with same passwords and commands of the
> sampleconfig script, I fail to get the ca-signer certificate online.
>
> Do you have any other idea what this can be? I am using the docker
> container, in case that could make any difference.
>
> With kind regards,
> Hans de Jong
>
> PS: Is there a way to extend the workflows with bash scripts instead
> of references to Perl code? I would like to add my own parts, however
> I am not proficient with Perl
>
>
>
> On 11/26/21 1:32 PM, Oliver Welter wrote:
>> Hello Hans,
>>
>> please check with "openxpkicli get_token_info --arg
>> alias=ca-signer-1" if the key is properly found (key_usable = 1).
>>
>> If this is the case, check if the password in the realm's crypto.yaml
>> matches the password that was used when generating the key.
>>
>> Oliver
>>
>> On 25.11.21 at 08:57, Hans de Jong wrote:
>>> Hello,
>>>
>>> I have been trying to set up my own realm and certificates with
>>> openxpki, however I keep running into the issue that my Signing CA
>>> won't come online.
>>>
>>> It does load it just fine, and the realm alias info lists it all.
>>> But it stays offline.
>>> The vault however does work.
>>>
>>> What I do:
>>> https://gist.github.com/Sult/8e67307bfdfbc66ed07d1d1891bbf94c
>>> I did find in the documentation that the filename is important (With
>>> default config)
>>> https://openxpki.readthedocs.io/en/stable/operation/tokenconfig.html#initial-setup
>>>
>>>
>>> The <realm>/ca says you would need to have keys in
>>> local/keys/<realm> however the sample config doesn't follow this
>>> convention. I have also tried by putting the keys there, but with
>>> the same result. Signing CA won't come online
>>>
>>> With kind regards,
>>> Hans de Jong
>>>
>>>
>>> PS: I don't know if this is useful but when I have everything
>>> loaded, I get this output when showing the realm alias info.
>>> root@6cc6f2267e07:/etc/openxpki/tmp# openxpkiadm alias --realm
>>> provisioningca
>>> === functional token ===
>>> scep (scep):
>>>   Alias     : scep-1
>>>   Identifier: datk1dTh9DV2mUbP-YbctJn0Acw
>>>   NotBefore : 2021-11-23 10:41:01
>>>   NotAfter  : 2022-11-23 10:41:01
>>>
>>> vault (datasafe):
>>>   Alias     : vault-1
>>>   Identifier: f56oyzMYYgI1tFl4YVCEQTQVDVI
>>>   NotBefore : 2021-11-24 13:25:59
>>>   NotAfter  : 2024-11-28 13:25:59
>>>
>>> ca-signer (certsign):
>>>   Alias     : ca-signer-1
>>>   Identifier: a2YR8-rwPDRFHJZrMvkWM_YL-cA
>>>   NotBefore : 2021-11-23 10:40:54
>>>   NotAfter  : 2022-11-23 10:40:54
>>>
>>> ratoken (cmcra):
>>>   not set
>>>
>>> === root ca ===
>>> current root ca:
>>>   Alias     : root-1
>>>   Identifier: 0wwvnOUX2DNSYdjT0MNhPpfkyJg
>>>   NotBefore : 2021-11-23 10:40:49
>>>   NotAfter  : 2031-11-21 10:40:49
>>>
>>> upcoming root ca:
>>>   not set
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> OpenXPKI-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>
>>
>> -- 
>> Protect your environment -  close windows and adopt a penguin! 
>>
>>
>
>


-- 
Protect your environment -  close windows and adopt a penguin! 
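
The point of the reply at the top of this thread, as an added example that is not from the original messages or from the OpenXPKI project: in the realm's crypto.yaml a token selects its passphrase group through its own "secret" key, so a group under "secret:" that merely shares the token's name is never consulted. The token/secret layout and the "inherit" key are assumptions taken from the OpenXPKI sample configuration; the passphrase values are constructed placeholders.

```yaml
# <realm>/crypto.yaml (fragment, constructed for illustration)

# --- Not linked: a secret group named like the token, but no token refers to it ---
# token:
#   default:
#     secret: default        # every inheriting token uses the group "default"
#   ca-signer:
#     inherit: default       # still resolves to "default"
# secret:
#   ca-signer:               # defined, but never referenced by any token
#     method: literal
#     value: "<placeholder>"

# --- Linked: the token names its group via the "secret" keyword ---
token:
  default:
    secret: default
  ca-signer:
    inherit: default
    secret: ca-signer        # explicit reference to the group defined below

secret:
  default:
    label: Default secret group of this realm
    export: 0
    method: literal
    value: "<placeholder-default-passphrase>"
  ca-signer:
    label: CA signer secret group
    export: 0
    method: literal
    # Must match the passphrase used when the ca-signer key was generated.
    # "literal" keeps it in clear text, so restrict read access to this file.
    value: "<placeholder-ca-signer-key-passphrase>"
```

The `openxpkicli get_token_info --arg alias=ca-signer-1` call quoted in the thread is the check to repeat after changing the file.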
