Hi Oliver, you're right. I checked and ratoken isn't in use, so after commenting out this section from democa-crypto.yaml the error disappeared.

>> I can find the certificates in the sql dump (BEGIN CERTIFICATE) but I
>> can't find any string with 'BEGIN ENCRYPTED PRIVATE KEY'. Where is the
>> private key located?
> The keys are wrapped into a PKCS7 container - look for something where
> the namespace column has a value of sys.crypto.keys

What's the preferred way, store in database or put a keyfile with permission 0400/user openxpki on hdd?

Thank you,
Stefan

________________________________________
From: Oliver Welter <[email protected]>
Sent: Wednesday, 22 December 2021 09:14
To: [email protected]
Subject: Re: [OpenXPKI-users] Problems with setup (democa)

Hi Stefan,

On 20.12.21 at 21:43, Stefan Weigel wrote:
>
>>> When changing to "Manage Secrets" I get
>>> "Unknown error (crypto secret plain setsecret missing part)"
>> This basically means you broke the secret/crypto config - check the
>> "secret" sections in your realm and system crypto.yaml
> I used the democa (https://github.com/openxpki/openxpki-config) without
> changes to the mentioned file.

Can you set the item "secret.ratoken.value" to a fixed value (remove the @ symbol and put a string there) and see if this solves the problem? Looks like there is an incomplete setup in the sample files.

>>> Further on I'm wondering why /etc/openxpki/local/keys/vault-1.pem
>>> gets created, but /etc/openxpki/local/keys/democa/ca-signer-1.pem +
>>> /etc/openxpki/local/keys/democa/scep-1.pem wasn't copied to the dir:
>>> from /etc/openxpki/config.d/realm/democa/crypto.yaml:
>>> [..]
>>> ca-signer:
>>>     inherit: default
>>>     key_store: DATAPOOL
>>>     key: "[% ALIAS %]"
>>>
>>> vault:
>>>     inherit: default
>>>     key: /etc/openxpki/local/keys/[% ALIAS %].pem
>>> [..]
>>>
>>> for vault there is an absolute path, ca-signer is only specified
>>> with alias. Why?
>> With "key_store: DATAPOOL" you tell the system to store the key in
>> the internal database, as the vault is used to encrypt the datapool
>> you can not store the vault itself in the datapool so it remains as
>> a file on disk.
>>
> I can find the certificates in the sql dump (BEGIN CERTIFICATE) but I
> can't find any string with 'BEGIN ENCRYPTED PRIVATE KEY'. Where is the
> private key located?

The keys are wrapped into a PKCS7 container - look for something where the namespace column has a value of sys.crypto.keys

Oliver

--
Protect your environment - close windows and adopt a penguin!
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
