Ok James, 

I got woken up earlier than expected.

 

Can you send me the QUICKSTART.md file and the README.md files that are located 
in the /etc/openxpki or /usr/local/etc/openxpki if using BSD?

I want to see how much variance of what you see and what I see at the moment.

Also, can you confirm that you received my email sent to you on 2/22/2024 around 
4:55 PM EST?

I don’t want to flood people with our every struggle, just with the results when 
we get the expected outcome.

Thanks John

 



 

From: John Shelley 
Sent: Friday, March 22, 2024 2:34 PM
To: [email protected]
Cc: [email protected]
Subject: RE: ***Spam***RE: [OpenXPKI-users] 1 secret groups not available

 

Response below

 

-----Original Message-----
From: James B. Byrne <[email protected]>
Sent: Friday, March 22, 2024 2:05 PM
To: John Shelley <[email protected]>
Cc: [email protected]
Subject: Re: ***Spam***RE: [OpenXPKI-users] 1 secret groups not available

 

On Fri, March 22, 2024 12:32, [email protected] wrote:

> It has been awhile since I set this up, but essentially you end up
> generating 3 or 4 certificates.
> There is usually a script that you run after you change the
> placeholder values.

 

That script is not really useable on FreeBSD as shipped. I looked into using it 
but the paths need to be changed for a lot of the file references therein and 
some of the external scripts used are not packaged with Apache on FreeBSD.  In 
the end I decided that my time would be better spent on getting the software 
working than trying to modify a one-time script.

 

> I noticed that you have been trying to get this thing running for a
> while now on BSD. Has it ever worked for you yet since you have been
> emailing this list?

 

Yes it is running on FreeBSD-13.2p9.  It works fine for democa.  I can issue 
certs and keys.  I can sign csrs. I believe the certs are already made in the 
democa and that is why it’s working.

I would just create a brand new SELF signed cert for testing and use it to 
produce the other certs required by the system.

 

I have done something odd with respect to the demo cert I produced so that it 
does not import. But that will eventually be resolved and in my opinion will 
come down to some misunderstanding on my part when generating the cert.

For hll_ca2016 I can log on.  The issues I have are almost certainly due to 
realm misconfiguration resulting from my ignorance.  That is what presently I 
am trying to address. Yes the terminology or taxonomy feels ambiguous at first, 
but it will become straightforward once you do it a few times action straight 
forward.

 

I am investigating the intricacies of properly configuring a realm other than 
democa.  The documentation is fine as an aide-mémoire but it makes a lot of 
assumptions respecting prior knowledge.  I am not clear on exactly what a token 
is or its relationship to certificates.  Does it refer to a specific 
certificate or a group of certificates issued by the same CA?  That is not 
clear to me. I worked all night upgrading one of my Xamarin Forms apps to 
MAUI and I have to get some sleep.

Once I get some zees I will take a look at my setup and see if we can finally 
get this thing working for you.

 

> Have you thought of just renting a VM with Debian and see if you can
> get it working. Perhaps you will find a missing piece of instruction
> while following the typical Debian setup.

 

I am not presently considering switching to another OS and configuring a VM 
just to install a piece of software which, in the end, either runs on FreeBSD 
or we get something else. Understood but it might be worth $14-15 to go over 
the process once on Debian and generate the keys that are required (master key, 
offline store key, Signer 1 key, Signer 2 key, etc.). I bet I could get a Debian 
box up and running with the correct information albeit with Self Signed certs 
in under 35 min. The time and effort is better spent, in my opinion, on 
discovering the ins and outs of openxpki configuration. Ok well it was a thought 
because I am sure your hair is getting thinner from once you first started, and 
perhaps you will see something you missed on a clean setup that could be the 
missing piece for your BOS setup. The object of the exercise is to arrive at a 
working CA installation with the documented steps of how to get this reproduced 
on any other FreeBSD system we may wish to employ in this role. If we get it 
working will at least share the details 😉 I don’t use BSD, but I hear it has 
a lot of security baked in.

 

My current belief is that there are simply a few remaining issues of 
misunderstanding on my part as to how the private keys and pass phrases are 
managed and resolving in my own mind the matter of what a token is and how it 
is used with respect to certificates issued by the CA.

As promised once I get some sleep I will take a look at my setup for a 
reference so we can be on the same page. Not sure what your hours are like, but 
I am going to sleep in 20 min and will wake up at 10pm EST.

 

No doubt I will have further questions on how to set up profiles, but again, 
that is simply obtaining knowledge of the mechanics of which files and what 
contents. It’s mainly just ceremony and certain keys generate new keys and 
those new keys have to be protected and then you produce more and use those for 
signing everyday stuff.

Thanks John

 

 

Regards,

 

 

-- 

***          e-Mail is NOT a SECURE channel          ***

        Do NOT transmit sensitive data via e-Mail

   Unencrypted messages have no legal claim to privacy

   Do NOT open attachments nor follow links sent by e-Mail

 

James B. Byrne                 mailto:[email protected]

Harte & Lyne Limited           http://www.harte-lyne.ca

9 Brockley Drive              vox: +1 905 561 1241

Hamilton, Ontario             fax: +1 905 561 0757

Canada  L8E 3C3

 

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
