Hello Hans, we always appreciate pull requests that improve the documentation, but in this case it is already there:

If you have a 2-Tier hierarchy, please import the Root CA certificate before you proceed:

```bash
$ openxpkiadm certificate import --file root.crt
```

If you have multiple roots or a deeper hierarchy please import all certificates that will not be signer tokens to the current installation. Always start with the self-signed root.

Oliver

On 02.12.21 at 11:01, Hans de Jong wrote:
> Hello,
>
> I finally figured it out.
> There is a really important line missing on the readthedocs (or I totally missed it).
>
> If you have multiple roots or a deeper hierarchy please import all certificates that will not be signer tokens to the current installation. Always start with the self-signed root.
>
> The line I did find on the quickstart of the config repository:
> https://github.com/openxpki/openxpki-config/blob/community/QUICKSTART.md
>
> The QUICKSTART from the config isn't something people tend to read (at least me) when there is already a quickstart on the readthedocs and the docker repository.
>
> With kind regards,
> Hans de Jong
>
> On 12/2/21 10:31 AM, Hans de Jong wrote:
>> Hello,
>>
>> I figured out an issue with my certificates.
>> However now I run into a different issue when importing the certificates.
>>
>> I am working with a longer CA chain than the example.
>> Root CA > Factory Root CA > Factory CA
>> Before I used the certificate bundle/chain as signer-ca.crt and the root certificate as root.crt
>> However that wouldn't validate.
>>
>> Now I use the Factory Root CA bundle as root.crt and the Factory CA as signer-ca.crt
>> This will validate by openssl. However this runs into an issue when trying to import these certificates into openxpki
>>
>> See actions taken:
>> https://gist.github.com/Sult/3729e123e0d4f20dc9b5bc1702ce87b0
>> Certificates (testing):
>> root: https://gist.github.com/Sult/09f65ffb1f1bf4ae52dbee72983c5080
>> signer-ca: https://gist.github.com/Sult/51339d3a07e83c7238cd7527abc0a772
>> I am concluding I most likely am actually doing something with my certificates instead of the password.
>>
>> I did a password check on the sample-config certificates to see if I changed them in the right location, which indeed would put them offline.
>>
>> What should be the correct use of the certificates?
>> Both, root.crt as bundle or signer-ca as bundle, don't seem to work.
>>
>> With kind regards,
>> Hans de Jong
>>
>> On 11/30/21 10:44 AM, Oliver Welter wrote:
>>> Hello Hans,
>>>
>>> the password section is referenced via the keyword "secret", not the name of the token - please check your configuration against the example.
>>>
>>> Oliver
>>>
>>> On 30.11.21 at 10:11, Hans de Jong wrote:
>>>> Hello,
>>>>
>>>> Thanks for your reply. I am however so far unable to get it fixed.
>>>> As you suggested I checked the token info for the ca-signer-1 and that seems as expected:
>>>>
>>>> root@03320e4aaa09:/var/log/openxpki# openxpkicli get_token_info --arg alias=ca-signer-1
>>>> {
>>>>    "key_name" : "ca-signer-1",
>>>>    "key_secret" : 1,
>>>>    "key_store" : "DATAPOOL",
>>>>    "key_usable" : 1
>>>> }
>>>>
>>>> However I keep getting that the certificate is offline.
>>>> So I first added the password in <realm>/crypto.yaml (also tried ca-signer-1):
>>>>
>>>>    ca-signer:
>>>>        label: CA signer secret group
>>>>        export: 0
>>>>        method: literal
>>>>        value: root
>>>>
>>>> First I had my own password, but to see if it worked with root (like the sampleconfig script), to try to avoid possible other parts I might have missed. But even with root it won't work.
>>>> Naturally I recreated the certificates and keys with the root password, and tested it on the server to make sure the password was correct.
>>>>
>>>> So it seems that even with the same passwords and commands of the sampleconfig script, I fail to get the ca-signer certificate online.
>>>>
>>>> Do you have any other idea what this can be? I am using the docker container, in case that could make any difference.
>>>>
>>>> With kind regards,
>>>> Hans de Jong
>>>>
>>>> PS: Is there a way to extend the workflows with bash scripts instead of references to Perl code? I would like to add my own parts, however I am not proficient with Perl.
>>>>
>>>> On 11/26/21 1:32 PM, Oliver Welter wrote:
>>>>> Hello Hans,
>>>>>
>>>>> please check with "openxpkicli get_token_info --arg alias=ca-signer-1" if the key is properly found (key_usable = 1).
>>>>>
>>>>> If this is the case, check if the password in the realm's crypto.yaml matches the password that was used when generating the key.
>>>>>
>>>>> Oliver
>>>>>
>>>>> On 25.11.21 at 08:57, Hans de Jong wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I have been trying to set up my own realm and certificates with openxpki, however I keep running into the issue that my Signing CA won't come online.
>>>>>>
>>>>>> It does load it just fine, and the realm alias info lists it all. But it stays offline.
>>>>>> The vault however does work.
>>>>>>
>>>>>> What I do:
>>>>>> https://gist.github.com/Sult/8e67307bfdfbc66ed07d1d1891bbf94c
>>>>>> I did find in the documentation that the filename is important (with default config):
>>>>>> https://openxpki.readthedocs.io/en/stable/operation/tokenconfig.html#initial-setup
>>>>>>
>>>>>> The <realm>/ca says you would need to have keys in local/keys/<realm>, however the sample config doesn't follow this convention. I have also tried by putting the keys there, but with the same result. Signing CA won't come online.
>>>>>>
>>>>>> With kind regards,
>>>>>> Hans de Jong
>>>>>>
>>>>>> PS: I don't know if this is useful but when I have everything loaded, I get this output when showing the realm alias info.
>>>>>>
>>>>>> root@6cc6f2267e07:/etc/openxpki/tmp# openxpkiadm alias --realm provisioningca
>>>>>> === functional token ===
>>>>>> scep (scep):
>>>>>> Alias     : scep-1
>>>>>> Identifier: datk1dTh9DV2mUbP-YbctJn0Acw
>>>>>> NotBefore : 2021-11-23 10:41:01
>>>>>> NotAfter  : 2022-11-23 10:41:01
>>>>>>
>>>>>> vault (datasafe):
>>>>>> Alias     : vault-1
>>>>>> Identifier: f56oyzMYYgI1tFl4YVCEQTQVDVI
>>>>>> NotBefore : 2021-11-24 13:25:59
>>>>>> NotAfter  : 2024-11-28 13:25:59
>>>>>>
>>>>>> ca-signer (certsign):
>>>>>> Alias     : ca-signer-1
>>>>>> Identifier: a2YR8-rwPDRFHJZrMvkWM_YL-cA
>>>>>> NotBefore : 2021-11-23 10:40:54
>>>>>> NotAfter  : 2022-11-23 10:40:54
>>>>>>
>>>>>> ratoken (cmcra):
>>>>>> not set
>>>>>>
>>>>>> === root ca ===
>>>>>> current root ca:
>>>>>> Alias     : root-1
>>>>>> Identifier: 0wwvnOUX2DNSYdjT0MNhPpfkyJg
>>>>>> NotBefore : 2021-11-23 10:40:49
>>>>>> NotAfter  : 2031-11-21 10:40:49
>>>>>>
>>>>>> upcoming root ca:
>>>>>> not set
>>>>>>
>>>>>> _______________________________________________
>>>>>> OpenXPKI-users mailing list
>>>>>> [email protected]
>>>>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>>>>
>>>>> --
>>>>> Protect your environment - close windows and adopt a penguin!
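As an added illustration of the procedure Oliver's reply refers to (this is not code from the OpenXPKI project or from anyone in the thread): a small shell script that takes a PEM bundle for a deeper hierarchy like Hans's "Root CA > Factory Root CA > Factory CA", splits it into single certificates, finds the self-signed root, orders the chain root-first by matching issuer to subject, checks it with openssl, and then prints the import commands in the order the documentation asks for, root first and with the signer CA left out, since that one becomes the signer token rather than a plain imported CA certificate. The three-tier hierarchy it works on is constructed inline with openssl for the purpose of the demonstration; openssl(1) on PATH is assumed, and the openxpkiadm lines are only printed, never executed.

```shell
#!/bin/sh
# Added example; not code from the OpenXPKI project or from anyone in this thread.
# Builds a constructed three-tier hierarchy (Root CA > Factory Root CA > Factory CA),
# then: split a bundle into single certs, find the self-signed root, order the chain
# root-first, verify it with openssl, and print the openxpkiadm import commands in
# that order with the signer CA excluded. Assumes openssl(1) is on PATH.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

subject_of() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'; }
issuer_of()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer= *//'; }

# split_bundle <bundle.pem> <outdir>: one file per certificate, numbered in bundle order.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }' "$1"
}

# order_chain <dir>: print the certificate files root-first by matching issuer to subject.
# Fails if there is no self-signed root or more than one (two unrelated roots in one bundle).
order_chain() {
  local dir=$1 root="" cur next f count=0 total=0
  for f in "$dir"/cert-*.pem; do
    total=$((total + 1))
    if [ "$(subject_of "$f")" = "$(issuer_of "$f")" ]; then
      [ -z "$root" ] || { echo "error: more than one self-signed certificate in bundle" >&2; return 1; }
      root=$f
    fi
  done
  [ -n "$root" ] || { echo "error: no self-signed root certificate in bundle" >&2; return 1; }
  cur=$root
  echo "$cur"
  while [ "$count" -lt "$total" ]; do          # bounded so a cross-signing loop cannot spin forever
    count=$((count + 1)); next=""
    for f in "$dir"/cert-*.pem; do
      if [ "$f" != "$cur" ] && [ "$(issuer_of "$f")" = "$(subject_of "$cur")" ]; then next=$f; fi
    done
    [ -n "$next" ] || return 0
    echo "$next"; cur=$next
  done
}

# verify_chain <root> <sub1> ... <subN>: every subordinate must validate up to the root.
verify_chain() {
  local root=$1 f; shift
  [ $# -gt 0 ] || return 0
  cat "$@" > "$root.untrusted"
  for f in "$@"; do
    openssl verify -CAfile "$root" -untrusted "$root.untrusted" "$f" >/dev/null
  done
}

# import_plan <root> ... <signer>: the openxpkiadm commands in the order the docs require.
# Every CA certificate that will not be a signer token is imported, self-signed root first;
# the last certificate in the chain is the signer CA and is registered as the certsign token instead.
import_plan() {
  local n=$# i=0 f
  for f in "$@"; do
    i=$((i + 1))
    if [ "$i" -lt "$n" ]; then
      echo "openxpkiadm certificate import --file $f"
    else
      echo "# $f is the signer CA: do not import it here, register it as the certsign token"
    fi
  done
}

# --- constructed test data (not Hans's real certificates) -------------------------------
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$WORK/ca.ext"

# mk_ca <name> <cn> [<issuer-name>]: EC key plus CA certificate; no issuer means self-signed.
mk_ca() {
  local name=$1 cn=$2 issuer=${3:-}
  openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 -out "$WORK/$name.key" 2>/dev/null
  openssl req -new -key "$WORK/$name.key" -subj "/CN=$cn" -out "$WORK/$name.csr" 2>/dev/null
  if [ -z "$issuer" ]; then
    openssl x509 -req -in "$WORK/$name.csr" -signkey "$WORK/$name.key" -days 3650 \
      -extfile "$WORK/ca.ext" -out "$WORK/$name.crt" 2>/dev/null
  else
    openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/$issuer.crt" -CAkey "$WORK/$issuer.key" \
      -CAcreateserial -days 1825 -extfile "$WORK/ca.ext" -out "$WORK/$name.crt" 2>/dev/null
  fi
}

mk_ca root  "Root CA"
mk_ca froot "Factory Root CA" root
mk_ca fca   "Factory CA"      froot

# The bundle deliberately arrives in the wrong order (signer first), as handed-over chains often do.
cat "$WORK/fca.crt" "$WORK/root.crt" "$WORK/froot.crt" > "$WORK/bundle.pem"
mkdir "$WORK/split"
split_bundle "$WORK/bundle.pem" "$WORK/split"

ORDERED=$(order_chain "$WORK/split")
verify_chain $ORDERED
import_plan $ORDERED
```

Run as-is it prints two `openxpkiadm certificate import` lines (Root CA, then Factory Root CA) and a comment for the Factory CA, which is the one to set up as the signer token. The ordering step is what catches the mistake from the thread: putting a bundle or a subordinate CA in `root.crt` fails the self-signed check, and a bundle that contains two unrelated roots is rejected rather than imported in an arbitrary order.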
