On Wed, March 13, 2024 18:00, Martin Bartosch wrote:
> Hi James,
. . .
>
>
> Yep, that's the problem. In the original default crypto.yaml we find
>
> ...
> # The actual token setup
> token:
>  default:
> ...
>    # Default value for import, recorded in database, can be overriden
>    secret: default
> ...
>
> # use ALIAS as key as it makes debug and management easier
>  ca-signer:
>    inherit: default
>    key_store: DATAPOOL
>    key: "[% ALIAS %]"

In this context: What does "[% ALIAS %]" represent, where is it set, and how is
it used?  Is this the realm name, in other words, in this instance, 'democa'?  Is
this value then used to search the RDBMS for the appropriate records?

Respecting the democa secret, I updated system/crypto.yaml as you suggested and
openxpki webui appeared to function correctly.  However, that is not the final
solution given two realms having two separate roots and private keys with
differing passphrase.

By inference it should be possible to override the 'secret: default' in
token:ca-signer simply by replacing it with 'secret: ca-signer', given that the
ca-signer block exists and contains the data as given in my previous message.

Therefore, I removed the democa secret from system/crypto.yaml and made the
change described above to the token:ca-signer block in
realm/democa/crypto.yaml.  This appears to work although evidently it is not a
suggested solution, for security reasons most likely.

I infer from these results that each realm/<name>/crypto.yaml can be
individually configured to hold the private key decryption passphrase specific
to the private key for that realm's issuing CA.  Am I correct?

Thank you for the help.  It was immensely useful.

Regards,


-- 
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3



_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
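As an added illustration of the configuration behaviour discussed in the message above (a model written for this page, not code from OpenXPKI or from anyone in the thread), the following Python script mimics how a realm's ca-signer token block could be resolved: `inherit: default` pulls in the system-level default token settings, the realm block's own `secret:` key wins on conflict, the Template-Toolkit-style placeholder `[% ALIAS %]` is replaced by the token alias, and the secret group is looked up in the realm config before the system config. The config dicts, the alias names (`democa-signer-1`, `otherca-signer-1`), the secret values and the realm-before-system lookup order are all constructed assumptions for the example; consult the OpenXPKI documentation for the real loader's semantics.

```python
"""Model of per-realm token resolution as discussed in the thread.

Illustrative code written for this page; it is NOT OpenXPKI's loader.
It mimics three behaviours the messages above talk about:
  * `inherit: default` pulls in the default token settings,
  * the child block's own keys (e.g. `secret: ca-signer`) win,
  * `[% ALIAS %]` in the key field is replaced by the token alias,
  * a secret group is looked up in the realm config, then the system
    config (assumption drawn from the thread's observations).
All config dicts and alias/secret values below are constructed.
"""
import re

# Matches Template-Toolkit style placeholders such as "[% ALIAS %]".
TT_VAR = re.compile(r"\[%\s*(\w+)\s*%\]")

# Constructed stand-in for system/crypto.yaml (assumed layout: secret
# groups under "secret", token blocks under "token").
SYSTEM_CONFIG = {
    "secret": {
        "default": {"label": "Default", "value": "changeme"},
    },
    "token": {
        "default": {
            "key_store": "DATAPOOL",
            "key": "[% ALIAS %]",
            "secret": "default",
        },
    },
}

# Constructed stand-ins for realm/<name>/crypto.yaml in two realms whose
# issuing CA keys carry different passphrases.
REALM_CONFIGS = {
    "democa": {
        "secret": {"ca-signer": {"label": "democa signer", "value": "democa-pass"}},
        "token": {"ca-signer": {"inherit": "default", "secret": "ca-signer"}},
    },
    "otherca": {
        "secret": {"ca-signer": {"label": "otherca signer", "value": "otherca-pass"}},
        "token": {"ca-signer": {"inherit": "default", "secret": "ca-signer"}},
    },
}


def resolve_token(system, realm_cfg, token_name, seen=None):
    """Merge a token block with its `inherit` chain; the child wins on conflicts."""
    if seen is None:
        seen = set()
    if token_name in seen:
        raise ValueError(f"inherit cycle at {token_name!r}")
    seen.add(token_name)
    # Assumption: a realm-level token block shadows a system-level one.
    block = realm_cfg.get("token", {}).get(token_name) or system["token"].get(token_name)
    if block is None:
        raise KeyError(f"token {token_name!r} not defined")
    block = dict(block)  # copy so the config dicts are never mutated
    parent_name = block.pop("inherit", None)
    if parent_name is None:
        return block
    merged = resolve_token(system, realm_cfg, parent_name, seen)
    merged.update(block)  # child keys override inherited ones
    return merged


def expand_alias(template, alias):
    """Replace every [% ALIAS %] with the concrete alias; reject other variables."""
    def sub(match):
        if match.group(1) != "ALIAS":
            raise KeyError(f"unknown template variable {match.group(1)!r}")
        return alias
    return TT_VAR.sub(sub, template)


def lookup_secret(system, realm_cfg, name):
    """Return the passphrase for a secret group: realm first, then system."""
    for cfg in (realm_cfg, system):
        group = cfg.get("secret", {}).get(name)
        if group is not None:
            return group["value"]
    raise KeyError(f"secret group {name!r} not defined")


def load_signer(realm, alias):
    """Resolve the ca-signer token of `realm` for the given alias."""
    realm_cfg = REALM_CONFIGS[realm]
    token = resolve_token(SYSTEM_CONFIG, realm_cfg, "ca-signer")
    return {
        "key_store": token["key_store"],
        "key": expand_alias(token["key"], alias),
        "passphrase": lookup_secret(SYSTEM_CONFIG, realm_cfg, token["secret"]),
    }


if __name__ == "__main__":
    for realm, alias in (("democa", "democa-signer-1"), ("otherca", "otherca-signer-1")):
        print(realm, load_signer(realm, alias))
```

Running the script shows each realm's signer resolving to its own passphrase while both inherit `key_store: DATAPOOL` and the alias-expanded key from the system default; a realm that defines no `secret: ca-signer` group of its own would fall back to the system-wide `default` group.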