Hi James,
> This is the diff between the current config.d and the original before any
> changes were made.
>
> # git diff -G. hllv1.00 -- --follow config.d
> diff --git a/config.d/realm.tpl/crypto.yaml b/config.d/realm.tpl/crypto.yaml
> index 95614f5..bda48a1 100644
> --- a/config.d/realm.tpl/crypto.yaml
> +++ b/config.d/realm.tpl/crypto.yaml
> @@ -15,7 +15,8 @@ token:
> # Template to create key, available vars are
> # ALIAS (ca-signer-1), GROUP (ca-signer), GENERATION (1)
> # KEY_IDENTIFIER (00:AA:BB...), IDENTIFIER (aGSNY1Z...)
> - key: /etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem
> +# key: /etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem
> + key: /usr/local/etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem
>
> # possible values are OpenSSL, nCipher, LunaCA
> engine: OpenSSL
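Review bot: the old `key:` line at the top of this hunk survives as a commented-out copy (`# key: /etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem`) directly above its replacement; drop it rather than carry dead config, the comment block above already documents the template. Note also that the hunk only relocates the key file: the token's `secret:` reference is not touched, so the passphrase used to unlock the relocated key still comes from whatever group that line names.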
> @@ -42,7 +43,8 @@ token:
>
> vault:
> inherit: default
> - key: /etc/openxpki/local/keys/[% ALIAS %].pem
> +# key: /etc/openxpki/local/keys/[% ALIAS %].pem
> + key: /usr/local/etc/openxpki/local/keys/[% ALIAS %].pem
>
> ratoken:
> inherit: default
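Review bot: same dead-line pattern as the `default` token: the previous `vault` key path is kept as a comment directly above the new `key:` line and should be removed. While the files are being moved to /usr/local, it is worth confirming that the vault path deliberately has no `[% PKI_REALM %]` component (unlike the default token's path in the previous hunk), since that puts vault keys of all realms into one directory.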
> @@ -58,6 +60,13 @@ token:
>
> # Define the secret groups
> secret:
> +
> + ca-signer:
> + label: Secret group for certsign Token
> + export: 1
> + method: literal
> + value: "democa"
> +
> default:
> # this let OpenXPKI use the secret of the same name from system.crypto
> # if you do not want to share the secret just replace this line with
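Review bot: the new `ca-signer` secret group is defined here but nothing in the patch references it: the token hunks above change only `key:` paths, and no `secret: ca-signer` line is added to any token, so tokens keep using the `default` group, which per the context comment is imported from system.crypto, and the literal `democa` is never tried. Add `secret: ca-signer` to the token that should unlock with it. Separately, `method: literal` with `value: "democa"` stores the signer key passphrase in cleartext in the realm config; fine for a demo CA, but it should not be carried into production as is.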
> @@ -69,4 +78,4 @@ secret:
> label: Secret group for RA Token
> export: 1
> method: literal
> - value: root
> \ No newline at end of file
> + value: root
Yep, that's the problem. In the original default crypto.yaml we find
...
# The actual token setup
token:
  default:
    ...
    # Default value for import, recorded in database, can be overridden
    secret: default
  ...
  # use ALIAS as key as it makes debug and management easier
  ca-signer:
    inherit: default
    key_store: DATAPOOL
    key: "[% ALIAS %]"
...
# Define the secret groups
secret:
  default:
    # this lets OpenXPKI use the secret of the same name from system.crypto
    # if you do not want to share the secret just replace this line with
    # the config found in system.crypto. You can create additional secrets
    # by adding similar blocks with another key
    import: 1
This means that the ca-signer token inherits from the default token
configuration which references the "default" secret group. This "default"
secret group is imported from the global configuration in
config.d/system/crypto.yaml.
There we find:
secret:
  default:
    label: Global secret group
    export: 0
    method: literal
    value: root
You added a new literal secret group "ca-signer" with the value "democa" to
your token configuration.
Now, the error in the configuration is that you obviously assumed that by
defining a secret group with the same name as the signer token will link this.
This is not the case. Your new secret group was defined but is never used.
In order to make this work as you intend you need to do one of the following:
1. in your default token configuration change the secret definition to the
correct secret group reference:
token:
  default:
    ...
    secret: ca-signer
OR
2. change the password in the "default" secret group from "root" to "democa"
OR
3. change the CA key passphrase to "root"
OR
4. enable passphrase entry via the GUI and use the GUI to enter your passphrase
"democa" after startup
Cheers
Martin
_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
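To make the lookup Martin describes concrete, here is an added example that is not OpenXPKI code: the `inherit:` merge and the `import: 1` hop to system.crypto are a simplified reconstruction of the behaviour explained in the reply, not the project's resolver, and the two dicts are a hand-built mirror of the YAML quoted in the thread (the RA token and its secret group are left out because their names are not fully visible). It resolves which secret group, and therefore which literal passphrase, a token ends up with, lists secret groups that no token references, and applies option 1 from the reply to show the effect.

```python
"""Model of how an OpenXPKI token finds its passphrase (added example).

Assumptions, not project code: inheritance is a nearest-wins merge along
the `inherit:` chain, and a realm secret group with `import: 1` is taken
verbatim from the system-wide config under the same name.
"""
import copy

# Constructed mirror of config.d/realm.tpl/crypto.yaml after the posted diff.
REALM_CRYPTO = {
    "token": {
        "default": {
            "key": "/usr/local/etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem",
            "engine": "OpenSSL",
            "secret": "default",  # unchanged by the diff: still the imported group
        },
        "ca-signer": {"inherit": "default", "key_store": "DATAPOOL", "key": "[% ALIAS %]"},
        "vault": {"inherit": "default",
                  "key": "/usr/local/etc/openxpki/local/keys/[% ALIAS %].pem"},
    },
    "secret": {
        "ca-signer": {"label": "Secret group for certsign Token", "export": 1,
                      "method": "literal", "value": "democa"},
        "default": {"import": 1},
    },
}

# Constructed mirror of config.d/system/crypto.yaml.
SYSTEM_CRYPTO = {
    "secret": {"default": {"label": "Global secret group", "export": 0,
                           "method": "literal", "value": "root"}},
}


def resolve_token(realm, name):
    """Merge a token with its `inherit:` chain; the most derived entry wins."""
    tokens, chain, seen, cur = realm["token"], [], set(), name
    while cur is not None:
        if cur in seen:
            raise ValueError(f"inheritance loop at token {cur!r}")
        seen.add(cur)
        if cur not in tokens:
            raise KeyError(f"token {cur!r} is not defined")
        chain.append(tokens[cur])
        cur = tokens[cur].get("inherit")
    merged = {}
    for node in reversed(chain):  # base first so derived keys override it
        merged.update(node)
    merged.pop("inherit", None)
    return merged


def resolve_secret_group(realm, system, group):
    """Return the effective secret group, following `import: 1` to system.crypto."""
    local = realm.get("secret", {}).get(group)
    if local is None:
        raise KeyError(f"secret group {group!r} is not defined in the realm")
    if local.get("import") == 1:
        if group not in system.get("secret", {}):
            raise KeyError(f"secret group {group!r} is imported but missing in system.crypto")
        return system["secret"][group]
    return local


def passphrase_for(realm, system, token):
    """Return (group name, literal passphrase) the token will try to use."""
    group = resolve_token(realm, token).get("secret")
    if group is None:
        raise ValueError(f"token {token!r} has no secret reference")
    spec = resolve_secret_group(realm, system, group)
    if spec.get("method") != "literal":
        raise NotImplementedError(f"secret method {spec.get('method')!r} is not modelled")
    return group, spec["value"]


def unreferenced_secret_groups(realm):
    """Realm secret groups that no token, after inheritance, points at."""
    used = {resolve_token(realm, t).get("secret") for t in realm["token"]}
    return set(realm.get("secret", {})) - used


def with_token_secret(realm, token, group):
    """Option 1 from the reply: point a token's `secret:` at another group."""
    fixed = copy.deepcopy(realm)
    fixed["token"].setdefault(token, {})["secret"] = group
    return fixed


if __name__ == "__main__":
    print("as posted:", passphrase_for(REALM_CRYPTO, SYSTEM_CRYPTO, "ca-signer"))
    print("unused groups:", unreferenced_secret_groups(REALM_CRYPTO))
    fixed = with_token_secret(REALM_CRYPTO, "default", "ca-signer")
    print("after option 1:", passphrase_for(fixed, SYSTEM_CRYPTO, "ca-signer"))
```

Run as posted, the signer token resolves to the `default` group and the passphrase `root`, with `ca-signer` reported as unused; after option 1 the same token resolves to `democa`. Because `vault` also inherits from `default`, the fix as written on the `default` token moves every inheriting token to the new group and leaves the imported `default` group unreferenced instead, which is worth knowing before choosing between the four options.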