Hi James,

I really don't have a clue why this is not working. The chain for the intermediate is built via the database when you import the certificate with the identifier and issuer_identifier fields; it might be the case that something went wrong at this stage already.

The admin tool is somewhat outdated and is only meant for bootstrapping the CA, not really for importing legacy stuff. You should use "openxpkicli import_certificate" for this, which also allows you to let the certs look like they were issued here; just importing them into the realm will not list them, as they are not recognized as a "realm entity".

Please also ensure the validities of the chain are ok; the verify command fails if a certificate exceeds the validity of its parent.

Oliver
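Added illustration of the two checks Oliver describes (issuer linkage and validity nesting); this is constructed example code, not OpenXPKI's own implementation. The records are made up and mirror what `openssl x509 -noout -subject -issuer -dates` prints for each file; the subject strings are shortened from the list output below.

```python
# Added example, not OpenXPKI code: rebuild a chain by subject/issuer
# linkage (what OpenXPKI does via identifier/issuer_identifier) and check
# that every certificate's validity lies inside its issuer's validity.
from datetime import date
from typing import Dict, List, Tuple

# Constructed sample records; in practice fill them from
# `openssl x509 -noout -subject -issuer -dates -in cert.pem`.
CERTS = [
    {"subject": "CN=OpenXPKI Root DUMMY CA 1,O=OpenXPKI",
     "issuer": "CN=OpenXPKI Root DUMMY CA 1,O=OpenXPKI",
     "not_before": date(2024, 1, 1), "not_after": date(2034, 1, 1)},
    {"subject": "CN=democa_i.harte-lyne.ca,O=Harte & Lyne Demo",
     "issuer": "CN=OpenXPKI Root DUMMY CA 1,O=OpenXPKI",
     "not_before": date(2024, 1, 1), "not_after": date(2030, 1, 1)},
    # Leaf whose validity runs past its issuer's: verify must reject it.
    {"subject": "CN=openxpki-3.internal.harte-lyne.ca,O=Harte & Lyne Limited",
     "issuer": "CN=democa_i.harte-lyne.ca,O=Harte & Lyne Demo",
     "not_before": date(2024, 3, 1), "not_after": date(2031, 3, 1)},
    # Leaf whose issuer is not in the store: the "error 20" situation.
    {"subject": "CN=orphan.example.test",
     "issuer": "CN=Legacy Issuing CA (not imported)",
     "not_before": date(2024, 3, 1), "not_after": date(2025, 3, 1)},
]


def check_chain(leaf_subject: str, certs: List[dict]) -> Tuple[List[str], List[str]]:
    """Walk from the leaf up to a self-signed root.

    Returns (chain of subjects, list of error strings). The walk stops at
    the first missing issuer, like OpenSSL's "unable to get local issuer".
    """
    by_subject: Dict[str, dict] = {c["subject"]: c for c in certs}
    chain, errors = [leaf_subject], []
    cur, depth = by_subject[leaf_subject], 0
    while cur["issuer"] != cur["subject"]:
        parent = by_subject.get(cur["issuer"])
        if parent is None:
            errors.append(f"depth {depth}: unable to get local issuer certificate")
            return chain, errors
        # Validity nesting: a child may not start before or end after its parent.
        if cur["not_before"] < parent["not_before"] or cur["not_after"] > parent["not_after"]:
            errors.append(f"depth {depth}: validity exceeds issuer {parent['subject']!r}")
        chain.append(parent["subject"])
        if len(chain) > len(certs):  # guard against a looping issuer graph
            errors.append("issuer chain loops")
            return chain, errors
        cur, depth = parent, depth + 1
    return chain, errors
```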

On 20.03.24 20:01, James B. Byrne via OpenXPKI-users wrote:
On Wed, March 20, 2024 14:12, James B. Byrne via OpenXPKI-users wrote:

# openxpkiadm certificate import --realm democa --file newname_rsa.crt
try/catch is experimental at
/usr/local/lib/perl5/site_perl/OpenXPKI/Server/Init.pm line 103.
try/catch is experimental at
/usr/local/lib/perl5/site_perl/OpenXPKI/Server/Init.pm line 107.

Starting import

2024/03/20 12:40:19 OpenSSL error: C = CA, O = Harte & Lyne Limited, OU =
Networked Data Services, CN = openxpki-3.internal.harte-lyne.ca
error 20 at 0 depth lookup: unable to get local issuer certificate

The error I see is associated with the absence of a root CA certificate.
However, to the best of my ability to see, the CA certificate chain is complete
and correct.


# openxpkiadm certificate list --realm democa -v -v

Certificates in democa:

   Identifier: IC6oLFDYdHybpJ4xwclmCOgQO9w
     Alias:
       vault-1
     Subject:
       CN=DataVault
     Issuer DN:
       CN=DataVault
     Chain:
       IC6oLFDYdHybpJ4xwclmCOgQO9w(complete)

   Identifier: OfdNydD4PfjsPh06Te0qh8dn_Kw
     Alias:
       root-1
     Subject:
       CN=OpenXPKI Root DUMMY CA 1,OU=PKI,O=OpenXPKI,C=DE
     Issuer DN:
       CN=OpenXPKI Root DUMMY CA 1,OU=PKI,O=OpenXPKI,C=DE
     Chain:
       OfdNydD4PfjsPh06Te0qh8dn_Kw(complete)

   Identifier: ctK9f4qbA2-d8heTMBu1P365Ckc
     Alias:
       ca-signer-1
     Subject:
       CN=democa_i.harte-lyne.ca,OU=IT,O=Harte & Lyne Demo,C=CA
     Issuer DN:
       CN=OpenXPKI Root DUMMY CA 1,OU=PKI,O=OpenXPKI,C=DE
     Chain:
       ctK9f4qbA2-d8heTMBu1P365Ckc -> OfdNydD4PfjsPh06Te0qh8dn_Kw(complete)

So, why does openxpkiadm certificate import not see it?

--
Protect your environment -  close windows and adopt a penguin!



_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users