Hi James,

you are holding it wrong - the alias command defines certificates with a special property; with "--token certsign" you tell OpenXPKI that this is an Issuing CA certificate, which is obviously not the case. It then tries to find the key for this certificate based on the internal discovery patterns, which fails.

To import existing end-entity certificates you have to use "openxpkicli import_certificate". In case perldoc is installed, run "perldoc OpenXPKI::Server::API2::Plugin::Cert::import_certificate" to show the man page; otherwise you can find the help at https://github.com/openxpki/openxpki/blob/master/core/server/OpenXPKI/Server/API2/Plugin/Cert/import_certificate.pm

Oliver

On 01.04.24 21:37, James B. Byrne via OpenXPKI-users wrote:
I resolved the 'The requested URL has no service assigned.' error.  This was
caused by having the realm_mode set to path in webui/default.conf and not
having the hll_ca2016 realm actually mapped.  I switched back to the default
'select' mode.

Now that I had a working system, I decided to attempt to load our old certificates.
This I did using the following.

for CF in hllcerts/*.pem
do
   openxpkiadm alias   --realm hll_ca2016   --token certsign   --file "$CF"
done


They all loaded successfully.  However, I suspect that I used the wrong token.
It appears that these were all loaded as CAs and are obviously missing their
private keys.  This is evidenced by the following errors in
/va/log/openxpki/stderr.log:

. . .
2024/04/01 14:59:58 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ => Unable
to load key from datapool; __KEY__ => ca-signer-60 [pid=64808|sid=0Hbb]

2024/04/01 14:59:58 ERROR Unable to load key from datapool; __KEY__ =>
ca-signer-59 [pid=64808|sid=0Hbb]

2024/04/01 14:59:58 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ => Unable
to load key from datapool; __KEY__ => ca-signer-59 [pid=64808|sid=0Hbb]


So, my question is: what token am I supposed to use to load existing end-user
certificates?  Or am I not supposed to specify a token at all?

I can delete all these and start over but I need to get clear in my head what
these tokens mean and how they are intended to be used.  With respect to openxpki
what is the relationship of the ca-signer token to the certificates it signed?
What command should I have used?

Thanks,



--
Protect your environment -  close windows and adopt a penguin!



_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
