Hi,
I didn't want to gatecrash this thread
> examples of crypto.yaml desired.
but I have a similar(ish) question.
I wanted to use openxpki to generate our own self signed certificates.
These are not for public use - just internally.
I am running this in docker, at least for testing.
We do not have our own CA - I wanted to use one generated by openxpki.
I modified the sampleconfig.sh to my own details and ran it.
I can see the certificates generated in the /tmp dir like this:
-r--r--r--. 1 root openxpki 1846 Feb 13 11:08 MyCompany_DataVault.crt
-r--r-----. 1 root openxpki 3414 Feb 13 11:08 MyCompany_DataVault.key
-r--------. 1 root root 45 Feb 13 11:08 MyCompany_DataVault.pass
-r--r--r--. 1 root openxpki 7337 Feb 13 11:08 MyCompany_Issuing_CA.crt
-rw-r--r--. 1 root root 1744 Feb 13 11:08 MyCompany_Issuing_CA.csr
-r--r-----. 1 root openxpki 3414 Feb 13 11:08 MyCompany_Issuing_CA.key
-r--------. 1 root root 45 Feb 13 11:08 MyCompany_Issuing_CA.pass
-r--r--r--. 1 root openxpki 1866 Feb 13 11:08 MyCompany_Root_CA.crt
-r--r-----. 1 root openxpki 3414 Feb 13 11:08 MyCompany_Root_CA.key
-r--------. 1 root root 45 Feb 13 11:08 MyCompany_Root_CA.pass
-r--r--r--. 1 root openxpki 7087 Feb 13 11:09 MyCompany_SCEP_RA.crt
-rw-r--r--. 1 root root 1675 Feb 13 11:09 MyCompany_SCEP_RA.csr
-r--r-----. 1 root openxpki 3272 Feb 13 11:09 MyCompany_SCEP_RA.key
-r--r--r--. 1 root openxpki 7390 Feb 13 11:09 MyCompany_WebUI.crt
-rw-r--r--. 1 root root 1728 Feb 13 11:09 MyCompany_WebUI.csr
-r--r-----. 1 root openxpki 3272 Feb 13 11:09 MyCompany_WebUI.key
On logging in to the panel I see:
Your system status is critical!
Active Encryption Token...... not available (vault-1)
System Version 3.28.0
Tokens of type: certsign
Token Alias   Certificate Identifier        Token Status   not before                not after
ca-signer-1   2sPRQv4vXX6FbbqyJmp_QW64fJA   OFFLINE        2024-02-13 10:08:54 UTC   2029-02-14 10:08:54 UTC
Tokens of type: datasafe
Token Alias   Certificate Identifier        Token Status   not before                not after
vault-1       vp9LTHBjoxj49OuRh75rL9kvNp4   OFFLINE        2024-02-13 10:08:59 UTC   2034-02-15 10:08:59 UTC
I can log in easily with the various test users, and one I created myself, and I can see the CA cert seems to be installed in the webui but not set as below.
Any ideas what I have missed?
B. Rgds
John
openxpkiadm alias --realm democa
=== functional token ===
vault (datasafe):
Alias : vault-1
Identifier: vp9LTHBjoxj49OuRh75rL9kvNp4
NotBefore : 2024-02-13 10:08:59
NotAfter : 2034-02-15 10:08:59
ratoken (cmcra):
Alias : ratoken-1
Identifier: 7jo0jYEhWSX9qOBNQSPXPS_Sk7E
NotBefore : 2024-02-13 10:09:08
NotAfter : 2025-02-12 10:09:08
ratoken (scep):
Alias : ratoken-1
Identifier: 7jo0jYEhWSX9qOBNQSPXPS_Sk7E
NotBefore : 2024-02-13 10:09:08
NotAfter : 2025-02-12 10:09:08
ca-signer (certsign):
Alias : ca-signer-1
Identifier: 2sPRQv4vXX6FbbqyJmp_QW64fJA
NotBefore : 2024-02-13 10:08:54
NotAfter : 2029-02-14 10:08:54
=== root ca ===
current root ca:
not set
upcoming root ca:
not set
openxpkicli get_token_info --arg alias=vault-1
{
"key_name" : "/etc/openxpki/local/keys/vault-1.pem",
"key_secret" : 1,
"key_store" : "OPENXPKI",
"key_usable" : 1
}
openxpkiadm certificate list --all -v -v
Certificates in democa:
Identifier: 7jo0jYEhWSX9qOBNQSPXPS_Sk7E
Alias:
ratoken-1 (in realm: democa)
Subject:
CN=esmith.MyCompany.co.uk:scep-ra
Issuer DN:
CN=CA_MyCompany 20240213,OU=IT,O=MyCompany,C=GB
Chain:
7jo0jYEhWSX9qOBNQSPXPS_Sk7E -> 2sPRQv4vXX6FbbqyJmp_QW64fJA -> 2XsEOH_8e-zOsbilaYHfNr1vjH0(complete)
Identifier: 2sPRQv4vXX6FbbqyJmp_QW64fJA
Alias:
ca-signer-1 (in realm: democa)
Subject:
CN=CA_MyCompany 20240213,OU=IT,O=MyCompany,C=GB
Issuer DN:
CN=MyCompany Root CA 20240213
Chain:
2sPRQv4vXX6FbbqyJmp_QW64fJA -> 2XsEOH_8e-zOsbilaYHfNr1vjH0(complete)
Identifier: vp9LTHBjoxj49OuRh75rL9kvNp4
Alias:
vault-1 (in realm: democa)
Subject:
CN=DataVault
Issuer DN:
CN=DataVault
Chain:
vp9LTHBjoxj49OuRh75rL9kvNp4(complete)
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
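The `openxpkiadm alias` and `openxpkicli get_token_info` listings quoted in the message above are the data an administrator has to eyeball when the WebUI reports a critical system status. The following is an added example, not code from the post or from the OpenXPKI project: a small health check that parses that listing into token records, flags any token whose validity window does not cover the time of the check, flags required token types (certsign, datasafe) that are missing from the realm, and flags a root CA that the listing reports as "not set". The sample input is constructed to mirror the post's output; real `openxpkiadm` output indents the field lines, which the parser tolerates by stripping leading whitespace. The required-type set and the 30-day expiry warning threshold are the example's own assumptions.

```python
# Added example (not OpenXPKI project code): health check over the text that
# `openxpkiadm alias --realm <realm>` prints and the JSON that
# `openxpkicli get_token_info --arg alias=<alias>` prints.
import json
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the listing in the post (realm "democa").
SAMPLE_ALIAS_OUTPUT = """\
=== functional token ===
vault (datasafe):
Alias : vault-1
Identifier: vp9LTHBjoxj49OuRh75rL9kvNp4
NotBefore : 2024-02-13 10:08:59
NotAfter : 2034-02-15 10:08:59
ratoken (scep):
Alias : ratoken-1
Identifier: 7jo0jYEhWSX9qOBNQSPXPS_Sk7E
NotBefore : 2024-02-13 10:09:08
NotAfter : 2025-02-12 10:09:08
ca-signer (certsign):
Alias : ca-signer-1
Identifier: 2sPRQv4vXX6FbbqyJmp_QW64fJA
NotBefore : 2024-02-13 10:08:54
NotAfter : 2029-02-14 10:08:54
=== root ca ===
current root ca:
not set
upcoming root ca:
not set
"""

# Constructed sample of the get_token_info JSON shown in the post.
SAMPLE_TOKEN_INFO = ('{"key_name": "/etc/openxpki/local/keys/vault-1.pem", '
                     '"key_secret": 1, "key_store": "OPENXPKI", "key_usable": 1}')

# Assumption of this example: a realm needs at least these token types.
REQUIRED_TYPES = {"certsign", "datasafe"}
TS = "%Y-%m-%d %H:%M:%S"

HEADER_RE = re.compile(r"^(?P<group>[\w-]+)\s*\((?P<type>[\w-]+)\):\s*$")
FIELD_RE = re.compile(r"^(?P<key>Alias|Identifier|NotBefore|NotAfter)\s*:\s*(?P<val>.*?)\s*$")


def parse_alias_output(text):
    """Return (tokens, root_ca). tokens is a list of dicts with keys group,
    type, Alias, Identifier, NotBefore, NotAfter; root_ca maps 'current' and
    'upcoming' to an identifier string, or None when the listing says 'not set'."""
    tokens, root_ca = [], {}
    current, section, pending_root = None, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("==="):
            section = line.strip("= ").lower()   # "functional token" / "root ca"
            current = None
            continue
        if section == "functional token":
            m = HEADER_RE.match(line)
            if m:
                current = {"group": m["group"], "type": m["type"]}
                tokens.append(current)
                continue
            m = FIELD_RE.match(line)
            if m and current is not None:
                current[m["key"]] = m["val"]
        elif section == "root ca":
            if line.endswith("root ca:"):
                pending_root = line.split()[0]   # "current" or "upcoming"
            elif pending_root is not None:
                root_ca[pending_root] = None if line == "not set" else line
                pending_root = None
    return tokens, root_ca


def health_check(tokens, root_ca, now, warn_days=30):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings, seen_types = [], set()
    for t in tokens:
        seen_types.add(t["type"])
        label = f'{t["group"]} ({t["type"]}) alias={t.get("Alias", "?")}'
        try:
            nb = datetime.strptime(t["NotBefore"], TS).replace(tzinfo=timezone.utc)
            na = datetime.strptime(t["NotAfter"], TS).replace(tzinfo=timezone.utc)
        except (KeyError, ValueError):
            findings.append(f"{label}: validity fields missing or unparsable")
            continue
        if now < nb:
            findings.append(f"{label}: not yet valid (NotBefore {t['NotBefore']})")
        elif now > na:
            findings.append(f"{label}: expired (NotAfter {t['NotAfter']})")
        elif na - now < timedelta(days=warn_days):
            findings.append(f"{label}: expires within {warn_days} days")
    for missing in sorted(REQUIRED_TYPES - seen_types):
        findings.append(f"no token of type {missing} registered")
    if root_ca.get("current") is None:
        findings.append("current root ca is not set")
    return findings


def run_check(alias_text, now_str, warn_days=30):
    """Parse the listing and evaluate it at a UTC time given as 'YYYY-MM-DD HH:MM:SS'."""
    tokens, root_ca = parse_alias_output(alias_text)
    now = datetime.strptime(now_str, TS).replace(tzinfo=timezone.utc)
    return health_check(tokens, root_ca, now, warn_days)


def key_usable(token_info_json):
    """True when get_token_info reports the token's private key as usable."""
    return bool(json.loads(token_info_json).get("key_usable", 0))


if __name__ == "__main__":
    for finding in run_check(SAMPLE_ALIAS_OUTPUT, "2024-02-14 00:00:00"):
        print("FINDING:", finding)
    print("vault-1 key usable:", key_usable(SAMPLE_TOKEN_INFO))
```

Run against the sample the day after the post's timestamps, the only finding is the unset root CA; run a year later it also reports the one-year SCEP RA token as expired, which is the kind of drift the WebUI's status page will eventually surface as well. Feed it `openxpkiadm alias --realm <realm>` output captured from the container to get the same checks for a live instance.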