Hi Harm,

the docker container as well as the setup-cert script are not meant for production use but only for a PoC/Showcase. While it might just work, we do NOT guarantee any upgrade capabilities for the containers and advise setting up a productive PKI using a real VM with the provided Debian packages.

We also suggest setting the certs up by hand or writing a custom script to enforce proper settings. There are also some people on the ML using Ansible or similar for this task, but this is nothing which is provided by the project itself.

As usual with OSS - YMMV ;)

Oli

On 23.06.23 08:55, Harm Verhagen wrote:
The openxpki docker images come with a script to import the keys/certificates: setup-cert

The script seems to have problems when importing the vault credentials when using multiple realms.


Is there a problem here? Or am I using this script incorrectly?
Is setup-cert still the recommended way to deploy your keys/certs on a production environment? Or is there another recommended way?

Steps to reproduce
 * have 2 realms: mobility, sensor
 * place vault-1.crt vault-1.key in /etc/openxpki/ca
 * run setup-cert

What happens

The vault key/cert is only imported for 1 realm

# setup-cert
Starting import
Successfully imported certificate into database:
  Subject:    CN=DataVault
  Issuer:     CN=DataVault
  Identifier: bSiSGisjSnbA5HLzTQLSX5XPvE4
  Realm:      none
Successfully wrote alias:
  Alias     : vault-1
  Identifier: bSiSGisjSnbA5HLzTQLSX5XPvE4
  NotBefore : 2023-06-22 14:34:47
  NotAfter  : 2026-06-26 14:34:47

Doing /etc/openxpki/tls/chain/
vault certificate already imported


It's imported for mobility, but not for sensor

/etc/openxpki/ca# openxpkicli  get_token_info --realm mobility --arg alias=vault-1
{
   "key_name" : "/etc/openxpki/local/keys/vault-1.pem",
   "key_secret" : 1,
   "key_store" : "OPENXPKI",
   "key_usable" : 1
}
root@e83cd2f2fc1a:/etc/openxpki/ca# openxpkicli  get_token_info --realm sensor --arg alias=vault-1
Error: TokenManager failed to create token for vault-1



/etc/openxpki/ca# ls
mobility
README.md
sensor
vault-1.crt
vault-1.key

Expected
Vault credentials are imported for both realms.


_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment -  close windows and adopt a penguin!
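
A per-realm check for the failure reported in this thread, as an added example that is not part of the original messages or the OpenXPKI project: it runs the `openxpkicli get_token_info` call shown above for each realm and lists the realms where the alias is not usable. The function names and the `OXI_CLI` override variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not OpenXPKI code. It relies only on the
# `openxpkicli get_token_info --realm R --arg alias=A` call shown in the report.
# OXI_CLI is a hypothetical override so the check can be pointed at another
# binary (or a stub) instead of the openxpkicli found in PATH.

# Succeeds only if the alias resolves to a token with "key_usable" : 1
# in the given realm.  $1 = realm, $2 = alias
token_usable() {
    out=$("${OXI_CLI:-openxpkicli}" get_token_info --realm "$1" --arg alias="$2" 2>&1) || return 1
    # An error line such as "TokenManager failed to create token" carries
    # no key_usable field, so it is rejected here even if the CLI exits 0.
    printf '%s\n' "$out" | grep -Eq '"key_usable"[[:space:]]*:[[:space:]]*1'
}

# Prints every realm in which the alias is missing or unusable and
# returns non-zero if there is at least one.  $1 = alias, rest = realms
missing_realms() {
    alias_name=$1
    shift
    rc=0
    for realm in "$@"; do
        if ! token_usable "$realm" "$alias_name"; then
            printf '%s\n' "$realm"
            rc=1
        fi
    done
    return $rc
}

# Usage after an import run, with the realms from the report:
#   missing_realms vault-1 mobility sensor
```

Run after any import step, a non-empty result shows which realms still lack the vault token before certificates are issued there.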