On Wed, March 13, 2024 07:52, Martin Bartosch wrote:
> Hi James,
. . .
>
> You should get more information about the error in the openxpki.log file. I
> suspect something is wrong with the CSR or the CA key, but the details you
> posted do not contain sufficient detail to tell what exactly went wrong.
# tail -15 /var/log/openxpki/openxpki.log
30356799270912:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad
decrypt:/usr/src/crypto/openssl/crypto/evp/evp_enc.c:612:
30356799270912:error:0906A065:PEM routines:PEM_do_header:bad
decrypt:/usr/src/crypto/openssl/crypto/pem/pem_lib.c:461:
[pid=28821|sid=Xo3x]
2024/03/13 08:16:05 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__
=> cms -sign -binary -nosmimecap -outform PEM -nodetach -in
/var/tmp/openxpki2882150mH98yQ -inkey
/var/tmp/openxpki28821I21Uh1bg/ca-signer-1 -signer
/var/tmp/openxpki28821N0I0U0Uk -out /var/tmp/openxpki28821zjQtwDW0 -passin
env:pwd, __EXIT_STATUS__ => 512 [pid=28821|sid=Xo3x]
2024/03/13 08:16:05 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ =>
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary
-nosmimecap -outform PEM -nodetach -in /var/tmp/openxpki2882150mH98yQ -inkey
/var/tmp/openxpki28821I21Uh1bg/ca-signer-1 -signer
/var/tmp/openxpki28821N0I0U0Uk -out /var/tmp/openxpki28821zjQtwDW0 -passin
env:pwd, __EXIT_STATUS__ => 512 [pid=28821|sid=Xo3x]
2024/03/13 08:16:31 ERROR OpenSSL error: Using configuration from
/var/tmp/openxpki28821VniVdpfp/openssl.cnf
unable to load CA private key
. . .
I guess that this is the problem: unable to load CA private key
The realm was created using:
openxpkiadm alias \
  --realm "democa" \
  --token certsign \
  --file /root/CLCA/CAS/democa/certs/1A84E8FBE282453D5F22038C58A89786BCD6CCAC.pem \
  --key /root/CLCA/CAS/democa_i/private/democa_i_key.pem
openxpkicli get_token_info --realm=democa --arg alias=vault-1
{
"key_name" : "/usr/local/etc/openxpki/local/keys/vault-1.pem",
"key_secret" : 1,
"key_store" : "OPENXPKI",
"key_usable" : 1
}
I have verified that the private key password provided in
config/realm/democa/crypto.yaml is correct:
. .
  ca-signer:
    inherit: default
    key_store: DATAPOOL
    key: "[% ALIAS %]"
. . .
secret:
  ca-signer:
    label: Secret group for certsign Token
    export: 1
    method: literal
    value: "democa"
openssl rsa \
-noout \
-text \
-in /root/CLCA/CAS/democa_i/private/democa_i_key.pem
Enter pass phrase for /root/CLCA/CAS/democa_i/private/democa_i_key.pem:
RSA Private-Key: (4096 bit, 2 primes)
modulus:
>
> Is your CA set up correctly? Are you able to create a CRL?
# openxpkicmd --realm democa crl_issuance
Workflow created (ID: 1791), State: LOAD_NEXT_CA_CRL_GET_NEXT_CA_0
# openxpkicmd --realm hll_ca2016 crl_issuance
Workflow created (ID: 2047), State: LOAD_NEXT_CA_CRL_GET_NEXT_CA_0
What is wrong with my setup?
Thanks,
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Unencrypted messages have no legal claim to privacy
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:[email protected]
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
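
The logged cms -sign call takes the key passphrase from -passin env:pwd, so the same key load can be repeated without a prompt, and the key can be compared against the certificate given to openxpkiadm alias. The script below is an added example, not part of the original message and not OpenXPKI code; the helper names, the generated key and certificate, and the passphrases are constructed for illustration.

```shell
#!/bin/sh
# Added example: helper names and all sample data below are constructed.

# key_opens_with KEYFILE PASSPHRASE
# Succeeds only if the PEM key loads with the passphrase, which is handed over
# in the environment variable "pwd" (the -passin env:pwd form from the log).
# An unencrypted key loads with any passphrase.
key_opens_with() {
    pwd="$2" openssl pkey -in "$1" -passin env:pwd -noout 2>/dev/null
}

# key_matches_cert KEYFILE PASSPHRASE CERTFILE
# Succeeds if the key's public half equals the certificate's public key;
# returns 2 if either file cannot be read.
key_matches_cert() {
    k=$(pwd="$2" openssl pkey -in "$1" -passin env:pwd -pubout 2>/dev/null) || return 2
    c=$(openssl x509 -in "$3" -noout -pubkey 2>/dev/null) || return 2
    [ "$k" = "$c" ]
}

# make_sample: writes a throwaway encrypted RSA key and a self-signed
# certificate into a new temporary directory and prints that directory.
make_sample() {
    dir=$(mktemp -d) || return 1
    pwd="sample-secret" openssl genpkey -algorithm RSA \
        -pkeyopt rsa_keygen_bits:2048 -aes-256-cbc -pass env:pwd \
        -out "$dir/key.pem" 2>/dev/null || return 1
    pwd="sample-secret" openssl req -x509 -new -key "$dir/key.pem" \
        -passin env:pwd -subj "/CN=constructed sample CA" -days 1 \
        -out "$dir/cert.pem" 2>/dev/null || return 1
    echo "$dir"
}

# Demo on the constructed key pair.
if d=$(make_sample); then
    key_opens_with "$d/key.pem" "sample-secret" && echo "correct passphrase: key loads"
    key_opens_with "$d/key.pem" "not-the-secret" || echo "wrong passphrase: key does not load"
    key_matches_cert "$d/key.pem" "sample-secret" "$d/cert.pem" && echo "key matches certificate"
    rm -rf "$d"
fi
```

The checks apply to a key file on disk; a key held in the OpenXPKI datapool has to be exported to a file before it can be tested this way.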