On Wed, March 13, 2024 18:00, Martin Bartosch wrote:
> Hi James,
. . .
>
>
> Yep, that's the problem. In the original default crypto.yaml we find
>
> ...
> # The actual token setup
> token:
>   default:
> ...
>     # Default value for import, recorded in database, can be overriden
>     secret: default
> ...
>
>   # use ALIAS as key as it makes debug and management easier
>   ca-signer:
>     inherit: default
>     key_store: DATAPOOL
>     key: "[% ALIAS %]"

In this context: What does "[% ALIAS %]" represent, where is it set, and how is it used? Is this the realm name? In other words, in this instance 'democa'? Is this value then used to search the RDBMS for the appropriate records?

Respecting the democa secret, I updated system/crypto.yaml as you suggested and openxpki webui appeared to function correctly. However, that is not the final solution given two realms having two separate roots and private keys with differing passphrases.

By inference it should be possible to override the secret: default in token:ca-signer simply by replacing it with 'secret: ca-signer', given that the ca-signer block exists and contains the data as given in my previous message. Therefore, I removed the democa secret from system/crypto.yaml and made the change described above to the token:ca-signer block in realm/democa/crypto.yaml. This appears to work although evidently it is not a suggested solution, for security reasons most likely.

I infer from these results that each realm/<name>/crypto.yaml can be individually configured to hold the private key decryption passphrase specific to the private key for that realm's issuing CA. Am I correct?

Thank you for the help. It was immensely useful.

Regards,

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Unencrypted messages have no legal claim to privacy
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne          mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited    http://www.harte-lyne.ca
9 Brockley Drive        vox: +1 905 561 1241
Hamilton, Ontario       fax: +1 905 561 0757
Canada L8E 3C3

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users