Hi James, > This is the diff between the current config.d and the original before any > changes were made. > > # git diff -G. hllv1.00 -- --follow config.d > diff --git a/config.d/realm.tpl/crypto.yaml b/config.d/realm.tpl/crypto.yaml > index 95614f5..bda48a1 100644 > --- a/config.d/realm.tpl/crypto.yaml > +++ b/config.d/realm.tpl/crypto.yaml > @@ -15,7 +15,8 @@ token: > # Template to create key, available vars are > # ALIAS (ca-signer-1), GROUP (ca-signer), GENERATION (1) > # KEY_IDENTIFIER (00:AA:BB...), IDENTIFIER (aGSNY1Z...) > - key: /etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem > +# key: /etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem > + key: /usr/local/etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem > > # possible values are OpenSSL, nCipher, LunaCA > engine: OpenSSL > @@ -42,7 +43,8 @@ token: > > vault: > inherit: default > - key: /etc/openxpki/local/keys/[% ALIAS %].pem > +# key: /etc/openxpki/local/keys/[% ALIAS %].pem > + key: /usr/local/etc/openxpki/local/keys/[% ALIAS %].pem > > ratoken: > inherit: default > @@ -58,6 +60,13 @@ token: > > # Define the secret groups > secret: > + > + ca-signer: > + label: Secret group for certsign Token > + export: 1 > + method: literal > + value: "democa" > + > default: > # this let OpenXPKI use the secret of the same name from system.crypto > # if you do not want to share the secret just replace this line with > @@ -69,4 +78,4 @@ secret: > label: Secret group for RA Token > export: 1 > method: literal > - value: root > \ No newline at end of file > + value: root
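Review bot: the first hunk keeps the old location as a comment (`# key: /etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem`) directly above the new `key:` line, and the vault hunk repeats the pattern. A commented-out copy of a live setting is easy to misread as the active value later, and git already records the move from /etc to /usr/local/etc, so drop both commented lines. Since the change only relocates the key files, also confirm that the new directory and the .pem files under it carry the same restrictive ownership and permissions as the original /etc location; the diff does not show that part.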
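Review bot: the new `ca-signer` block under `secret:` in the third hunk is only a definition; nothing in this patch adds a `secret: ca-signer` reference to any token block, so the token configuration still inherits the `default` secret group and the literal value "democa" is never used to unlock the CA key. To make the token use it, add `secret: ca-signer` to the token that should use it (the default token as the reply suggests, or, if the other tokens should keep `default`, the ca-signer token block, which inherits from default). Note as well that `method: literal` puts the passphrase in clear text in this YAML file, so its file permissions matter as much as the key's.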
Yep, that's the problem.

In the original default crypto.yaml we find

    ...
    # The actual token setup
    token:
      default:
        ...
        # Default value for import, recorded in database, can be overridden
        secret: default
      ...
      # use ALIAS as key as it makes debug and management easier
      ca-signer:
        inherit: default
        key_store: DATAPOOL
        key: "[% ALIAS %]"
    ...
    # Define the secret groups
    secret:
      default:
        # this lets OpenXPKI use the secret of the same name from system.crypto
        # if you do not want to share the secret just replace this line with
        # the config found in system.crypto. You can create additional secrets
        # by adding similar blocks with another key
        import: 1

This means that the ca-signer token inherits from the default token configuration, which references the "default" secret group. This "default" secret group is imported from the global configuration in config.d/system/crypto.yaml. There we find:

    secret:
      default:
        label: Global secret group
        export: 0
        method: literal
        value: root

You added a new literal secret group "ca-signer" with the value "democa" to your token configuration. Now, the error in the configuration is that you obviously assumed that defining a secret group with the same name as the signer token would link the two. This is not the case. Your new secret group was defined but is never used.

In order to make this work as you intend you need to do one of the following:

1. in your default token configuration change the secret definition to the correct secret group reference:

       token:
         default:
           ...
           secret: ca-signer

   OR

2. change the password in the "default" secret group from "root" to "democa"

   OR

3. change the CA key passphrase to "root"

   OR

4. enable passphrase entry via the GUI and use the GUI to enter your passphrase "democa" after startup

Cheers
Martin

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
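The mistake in the thread (a secret group that exists but is referenced by no token) is easy to catch with a small resolver that flattens each token's `inherit:` chain and follows `import: 1` into the system-wide groups. The script below is an added example written for this page, not OpenXPKI's own loader. The config dicts transcribe the YAML fragments quoted above (the realm crypto.yaml after the poster's patch and the system crypto.yaml); the ratoken token is left out because its secret reference is not shown, and the resolution rules (child keys win over inherited ones, an imported group is taken from the system group of the same name) follow the explanation in the reply and are an assumption about how the real loader behaves.

```python
"""Resolve which secret group each OpenXPKI token actually uses.

Added example, not OpenXPKI code. The dicts transcribe the YAML quoted
in the thread (config.d/realm.tpl/crypto.yaml after the poster's change
and config.d/system/crypto.yaml); ratoken is omitted because its secret
reference is not shown. The inherit/import rules below are an assumption
about the real loader derived from the reply, not a reimplementation.
"""
import copy

# config.d/system/crypto.yaml (global secret groups), as quoted in the reply
SYSTEM_SECRETS = {
    "default": {"label": "Global secret group", "export": 0,
                "method": "literal", "value": "root"},
}

# config.d/realm.tpl/crypto.yaml after the poster's patch: a "ca-signer"
# secret group exists, but the token block still says "secret: default".
REALM_AS_POSTED = {
    "token": {
        "default": {
            "engine": "OpenSSL",
            "key": "/usr/local/etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem",
            "secret": "default",
        },
        "ca-signer": {"inherit": "default", "key_store": "DATAPOOL",
                      "key": "[% ALIAS %]"},
        "vault": {"inherit": "default",
                  "key": "/usr/local/etc/openxpki/local/keys/[% ALIAS %].pem"},
    },
    "secret": {
        # method: literal keeps the passphrase in clear text inside the YAML
        "ca-signer": {"label": "Secret group for certsign Token", "export": 1,
                      "method": "literal", "value": "democa"},
        "default": {"import": 1},  # take the group of the same name from system
    },
}


def resolve_token(realm, name, _seen=None):
    """Flatten a token's inherit chain; keys set on the child override the parent."""
    seen = set() if _seen is None else _seen
    if name in seen:
        raise ValueError(f"inherit cycle at token {name!r}")
    seen.add(name)
    block = realm["token"][name]
    merged = resolve_token(realm, block["inherit"], seen) if "inherit" in block else {}
    merged.update({k: v for k, v in block.items() if k != "inherit"})
    return merged


def resolve_secret(realm, system, group):
    """Return (source, block) for a secret group, following import: 1 to system."""
    block = realm["secret"].get(group)
    if block is None:
        raise KeyError(f"token references undefined secret group {group!r}")
    if block.get("import") == 1:
        if group not in system:
            raise KeyError(f"secret group {group!r} imports a missing system group")
        return "system", system[group]
    return "realm", block


def token_secrets(realm, system):
    """Map each token to (group name, where the group is defined, passphrase)."""
    out = {}
    for name in realm["token"]:
        group = resolve_token(realm, name).get("secret")
        if group is None:
            out[name] = (None, None, None)
            continue
        source, block = resolve_secret(realm, system, group)
        out[name] = (group, source, block.get("value"))
    return out


def unused_secret_groups(realm, system):
    """Realm secret groups that no token ends up referencing (the poster's bug)."""
    used = {group for group, _, _ in token_secrets(realm, system).values() if group}
    return sorted(set(realm["secret"]) - used)


def apply_option_1(realm, group="ca-signer"):
    """The reply's option 1: point the default token at the new secret group."""
    fixed = copy.deepcopy(realm)
    fixed["token"]["default"]["secret"] = group
    return fixed


if __name__ == "__main__":
    for label, cfg in (("as posted", REALM_AS_POSTED),
                       ("after option 1", apply_option_1(REALM_AS_POSTED))):
        print(f"== {label}")
        for tok, (grp, src, val) in token_secrets(cfg, SYSTEM_SECRETS).items():
            print(f"  token {tok:<10} -> secret group {grp} ({src}), passphrase {val!r}")
        print("  defined but unused groups:", unused_secret_groups(cfg, SYSTEM_SECRETS))
```

Run as posted, every token resolves to the system "default" group with passphrase "root" and "ca-signer" shows up as a defined but unused group; after option 1 all tokens switch to "democa" and the realm's "default" group becomes the unused one, which is why a narrower fix (setting `secret:` on the ca-signer token alone) can be preferable when the vault should keep its own passphrase.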