Hello,
Excuse me, it took me some time to find a gap to try and test these things.
I should have checked the dates and notice the mismatch.
I do have a question about the maximum validity.
As I understand, the CA validity has to be longer than or the same as the
configured validity in the profile used (which currently is +01, which
is 1 year as I understand).
Now my CAs are valid for 1 year, and have a bit of overlap.
Issuing certificates of this Realm

Subject                                                 Not before               Not after
CN=Factory CA,OU=Hyva,O=Sioux,ST=Noord Brabant,C=NL     2022-11-14 00:00:00 UTC  2023-11-14 00:00:00 UTC
CN=Factory CA,OU=Hyva,O=Sioux,ST=Noord Brabant,C=NL     2021-12-09 09:23:55 UTC  2022-12-09 09:23:55 UTC
But I am still getting the same error.
Does this mean that the overlap of certificate validity has to be at
least the duration of the issued certificate?
(so that there is always 1 CA that is valid for the full duration of the
requested certificate)
Sorry if this is more of a generic CA-related question instead of an openxpki one.
With kind regards,
Hans de Jong
On 12/9/21 11:22 AM, Martin Bartosch via OpenXPKI-users wrote:
Hi,
I ran into the following error while trying to (automatically) sign a CSR for
the factory_ca realm:
2021/12/09 10:42:36 255 start cert issue for serial 255, workflow 255
2021/12/09 10:42:36 255 NICE backend error: Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1670578956, __notbefore__ => 1639042956, __pki_realm__ => factory_ca
I checked the ca-signer inside the openxpki client and it is Online under the name
ca-signer-1, which you can also see in the listing of the realm:
ca-signer (certsign):
Alias : ca-signer-1
Identifier: m8UxpPiH9ux60PrL3_c0NDkiRDg
NotBefore : 2021-12-09 09:23:55
NotAfter : 2022-12-09 09:23:55
As far as I found in the documentation, you don't need to update the -1, -2 etc. on
rollover.
What am I missing here?
You are trying to issue a certificate which is valid until Fri, 09 Dec 2022
09:42:36 GMT, but your Issuing CA is only valid until 2022-12-09 09:23:55.
Hence your CA system cannot find a suitable CA certificate which can issue the
requested certificate validity.
When designing your PKI you should align your CA validities properly with the
maximum required end entity validity (which does not seem to be the case here).
And you should also plan for the regular CA rollovers and prepare your system
by importing the new CA certificate and associating it with the private key. If
the regular CA rollover is executed properly your PKI will work indefinitely.
Cheers
Martin
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
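The signer selection discussed in this thread, as an added example that is not OpenXPKI's own code: a CA token can only sign a requested window that lies entirely inside its own validity, and a CA valid for exactly one year can issue one-year certificates only at the instant of its own notBefore. The two Factory CA validities and the __notbefore__/__noafter__ epochs come from the thread; the alias "ca-signer-2" for the second CA and the helper names are assumptions.

```python
"""Which CA token can sign a requested validity window, and when no token can.
Added example; CA dates and request epochs from the thread, other names assumed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

UTC = timezone.utc


@dataclass(frozen=True)
class CaToken:
    alias: str
    notbefore: datetime
    notafter: datetime

    def covers(self, nb: datetime, na: datetime) -> bool:
        # An issuer may only sign windows lying entirely inside its own validity.
        return self.notbefore <= nb and na <= self.notafter


def find_signer(cas: List[CaToken], nb: datetime, na: datetime) -> Optional[str]:
    """Alias of a CA whose validity contains [nb, na]; None is the situation the
    NICE backend reports as 'Could not find token alias by group'."""
    for ca in cas:
        if ca.covers(nb, na):
            return ca.alias
    return None


def issuance_gaps(cas: List[CaToken], validity: timedelta) -> List[Tuple[datetime, datetime]]:
    """Periods during which no CA can issue a certificate of `validity`.
    A CA can do so only between its notbefore and (notafter - validity)."""
    windows = sorted((c.notbefore, c.notafter - validity) for c in cas)
    windows = [(s, e) for s, e in windows if s <= e]   # drop CAs too short to ever issue
    gaps: List[Tuple[datetime, datetime]] = []
    cursor = None
    for start, end in windows:
        if cursor is not None and start > cursor:
            gaps.append((cursor, start))          # nobody can issue in (cursor, start)
        cursor = end if cursor is None else max(cursor, end)
    return gaps


# Constructed from the thread: ca-signer-1 dates as listed; second alias assumed.
CAS = [
    CaToken("ca-signer-1", datetime(2021, 12, 9, 9, 23, 55, tzinfo=UTC), datetime(2022, 12, 9, 9, 23, 55, tzinfo=UTC)),
    CaToken("ca-signer-2", datetime(2022, 11, 14, tzinfo=UTC), datetime(2023, 11, 14, tzinfo=UTC)),
]
REQ_NB = datetime.fromtimestamp(1639042956, UTC)  # __notbefore__ from the log
REQ_NA = datetime.fromtimestamp(1670578956, UTC)  # __noafter__ from the log (one year later)

if __name__ == "__main__":
    print(find_signer(CAS, REQ_NB, REQ_NA))  # None: request ends 19 min after ca-signer-1 expires
    for start, end in issuance_gaps(CAS, REQ_NA - REQ_NB):
        print("no CA can issue a one-year certificate between", start, "and", end)
```

With a one-year profile the gap runs from ca-signer-1's own notBefore to the second CA's notBefore, which is why the overlap must be at least the longest end-entity validity, or the CA lifetime must exceed it.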