Our existing domain has many certificates, some of which have expired and
others which have been revoked, plus the balance of active certificates. These
need to be imported.
I previously employed cacl to create the root and issuing CA for democa. These
certificates and the private key of the issuing (level 2) CA were imported into
openxpki, and they appear to be working. I have been able to issue a new
certificate and key from democa using the openxpki webui.
To test importing existing certificates I next used openssl to create a test
key and csr. This is the csr:
# viewcsr.sh newname_rsa.csr
Certificate Request:
    Data:
        Version: 1 (0x0)
        Subject: C = CA, ST = Ontario, L = Hamilton, O = Harte & Lyne Limited, OU = Networked Data Services, CN = openxpki-3.internal.harte-lyne.ca, emailAddress = [email protected]
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
        . . .
This was signed in cacl using the level 2 CA, and this cert resulted:
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            19:eb:04:95:e9:c1:24:a5:60:6c:c4:4c:d3:ff:d3:c4:c4:ce:82:92
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = DE, O = OpenXPKI, OU = PKI, CN = OpenXPKI Root DUMMY CA 2
        Validity
            Not Before: Jan  1 00:00:00 2024 GMT
            Not After : Dec 31 23:59:59 2124 GMT
        Subject: C = CA, O = Harte & Lyne Limited, OU = Networked Data Services, CN = openxpki-3.internal.harte-lyne.ca
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                RSA Public-Key: (4096 bit)
        . . .
        X509v3 extensions:
            X509v3 Subject Key Identifier:
                0D:16:10:B4:E8:CD:75:84:AB:D9:65:36:8C:B2:6E:B1:0E:1F:B2:26
            X509v3 Authority Key Identifier:
                keyid:44:01:B2:24:9E:35:02:82:DF:3E:AE:FC:86:DE:87:2C:04:5C:56:61
            X509v3 Basic Constraints: critical
                CA:FALSE
            X509v3 Key Usage: critical
                Digital Signature, Key Encipherment
            X509v3 Extended Key Usage:
                TLS Web Server Authentication, TLS Web Client Authentication
    Signature Algorithm: sha256WithRSAEncryption
    . . .
When I went to import this certificate I received this error:
# openxpkiadm certificate import --realm democa --file newname_rsa.crt
try/catch is experimental at /usr/local/lib/perl5/site_perl/OpenXPKI/Server/Init.pm line 103.
try/catch is experimental at /usr/local/lib/perl5/site_perl/OpenXPKI/Server/Init.pm line 107.
Starting import
2024/03/20 12:40:19 OpenSSL error: C = CA, O = Harte & Lyne Limited, OU = Networked Data Services, CN = openxpki-3.internal.harte-lyne.ca
error 20 at 0 depth lookup: unable to get local issuer certificate
2024/03/20 12:40:19 I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => verify -CAfile /var/tmp/openxpki64437CYXev26Z -untrusted /var/tmp/openxpki6443712OEwVHF -attime 1704067201 /var/tmp/openxpki64437G2TpNBdW, __EXIT_STATUS__ => 512
2024/03/20 12:40:19 I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::verify_cert, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => verify -CAfile /var/tmp/openxpki64437CYXev26Z -untrusted /var/tmp/openxpki6443712OEwVHF -attime 1704067201 /var/tmp/openxpki64437G2TpNBdW, __EXIT_STATUS__ => 512
I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED
__ERRVAL__: I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => verify -CAfile /var/tmp/openxpki64437CYXev26Z -untrusted /var/tmp/openxpki6443712OEwVHF -attime 1704067201 /var/tmp/openxpki64437G2TpNBdW, __EXIT_STATUS__ => 512
__COMMAND__: OpenXPKI::Crypto::Backend::OpenSSL::Command::verify_cert
What have I done that is incorrect?
Thanks,
PS. Is there any way to get rid of the 'try/catch is experimental at' warnings?
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Unencrypted messages have no legal claim to privacy
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:[email protected]
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
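The log in the post shows what the import actually checks: openxpkiadm hands the certificate to "openssl verify -CAfile <trusted> -untrusted <chain> -attime <t> <cert>", and "error 20 at 0 depth lookup" is openssl saying that neither file contained a certificate whose Subject DN and Subject Key Identifier match the leaf's Issuer DN and Authority Key Identifier keyid. (The -attime value 1704067201 is 2024-01-01 00:00:01 UTC, one second after the certificate's Not Before, which reads as the import evaluating validity at issuance time rather than now.) The script below is an added example, not from the post and not OpenXPKI code: it builds a throwaway root -> issuing CA -> leaf hierarchy with constructed names, shows the DN and key-identifier comparison that the depth-0 lookup performs, and runs the same verify call with and without the issuing CA to reproduce the error. It assumes openssl 1.1.1 or later on PATH; every DN, file name and function name in it is made up for the example.

```shell
#!/bin/sh
# Added example (not from the original post and not OpenXPKI code): rebuild the
# chain check that the log shows "openxpkiadm certificate import" delegating to
# "openssl verify -CAfile <trusted> -untrusted <chain> -attime <t> <cert>", on a
# throwaway two-level CA, so that "error 20 at 0 depth lookup: unable to get
# local issuer certificate" can be reproduced and diagnosed offline.
# Assumes openssl 1.1.1 or later on PATH. Every DN below is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config; -subj supplies the DN, so the dn section stays empty.
printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"

# sign <csr> <ca-cert> <ca-key> <extfile> <out>: issue a certificate, applying
# the x509v3 extensions listed in <extfile>.
sign() {
  openssl x509 -req -in "$1" -CA "$2" -CAkey "$3" -CAcreateserial \
    -days 365 -extfile "$4" -out "$5" 2>/dev/null
}

# Root CA -> issuing (level 2) CA -> end-entity certificate.
build_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/root.key" -out "$WORK/root.crt" -days 3650 \
    -subj "/C=XX/O=Constructed Example/CN=Constructed Root CA" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" \
    -addext "subjectKeyIdentifier=hash" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/issuing.key" -out "$WORK/issuing.csr" \
    -subj "/C=XX/O=Constructed Example/CN=Constructed Issuing CA" 2>/dev/null
  printf '%s\n' "basicConstraints=critical,CA:TRUE,pathlen:0" \
    "keyUsage=critical,keyCertSign,cRLSign" "subjectKeyIdentifier=hash" \
    "authorityKeyIdentifier=keyid" > "$WORK/ca.ext"
  sign "$WORK/issuing.csr" "$WORK/root.crt" "$WORK/root.key" "$WORK/ca.ext" "$WORK/issuing.crt"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/req.cnf" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" \
    -subj "/C=XX/O=Constructed Example/CN=host.example.test" 2>/dev/null
  printf '%s\n' "basicConstraints=critical,CA:FALSE" \
    "keyUsage=critical,digitalSignature,keyEncipherment" \
    "extendedKeyUsage=serverAuth,clientAuth" "subjectKeyIdentifier=hash" \
    "authorityKeyIdentifier=keyid" > "$WORK/ee.ext"
  sign "$WORK/leaf.csr" "$WORK/issuing.crt" "$WORK/issuing.key" "$WORK/ee.ext" "$WORK/leaf.crt"
}

# DNs in RFC 2253 form so that issuer and subject compare byte for byte.
issuer_dn()  { openssl x509 -in "$1" -noout -issuer  -nameopt RFC2253 | sed 's/^issuer=//'; }
subject_dn() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject=//'; }

# key_id <cert> <subjectKeyIdentifier|authorityKeyIdentifier>: the hex key id.
# (1.1.1 prints the AKI as "keyid:44:01:...", 3.x without the prefix; matching
# the colon-separated hex run handles both.)
key_id() {
  openssl x509 -in "$1" -noout -ext "$2" \
    | grep -Eo '([0-9A-Fa-f]{2}:)+[0-9A-Fa-f]{2}' | head -n 1
}

# True when <ca> can be the issuer of <cert>: the cert's Issuer DN must equal
# the CA's Subject DN and its AKI keyid must equal the CA's SKI. This is the
# pairing that the "at 0 depth lookup" in the error message failed to find.
check_issuer_link() {  # check_issuer_link <cert> <ca>
  [ "$(issuer_dn "$1")" = "$(subject_dn "$2")" ] &&
  [ "$(key_id "$1" authorityKeyIdentifier)" = "$(key_id "$2" subjectKeyIdentifier)" ]
}

# verify_chain <cafile> <cert> [untrusted]: the same verify call, trust anchors
# in -CAfile and intermediates in -untrusted; returns openssl's exit status.
verify_chain() {
  if [ $# -ge 3 ]; then
    openssl verify -CAfile "$1" -untrusted "$3" -attime "$(date +%s)" "$2" >/dev/null 2>&1
  else
    openssl verify -CAfile "$1" -attime "$(date +%s)" "$2" >/dev/null 2>&1
  fi
}

# verify_error <cafile> <cert>: just the "error N at D depth lookup" line.
verify_error() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -o 'error [0-9]* at [0-9]* depth lookup: .*' || true
}

build_pki
printf 'leaf issuer : %s\n' "$(issuer_dn "$WORK/leaf.crt")"
printf 'leaf AKI    : %s\n' "$(key_id "$WORK/leaf.crt" authorityKeyIdentifier)"
printf 'issuing SKI : %s\n' "$(key_id "$WORK/issuing.crt" subjectKeyIdentifier)"
if verify_chain "$WORK/root.crt" "$WORK/leaf.crt" "$WORK/issuing.crt"; then
  echo "issuing CA supplied via -untrusted: OK"
fi
echo "issuing CA missing: $(verify_error "$WORK/root.crt" "$WORK/leaf.crt")"
```

Run against a real certificate, the two comparisons in check_issuer_link are the first thing to confirm: issuer_dn on the leaf must equal subject_dn on the CA certificate held in the realm, and the leaf's AKI keyid must equal that CA's SKI. If either differs, openssl has no candidate issuer at depth 0 and reports error 20 regardless of which files OpenXPKI writes to /var/tmp for -CAfile and -untrusted.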