Hi,

> I set up OpenXPKI with an HSM and the WebUI reports the active encryption token
> vault-1; all tokens are shown as ONLINE.
>
> # openxpkiadm alias list
> === functional token ===
> vault (datasafe):
> Alias : vault-1
> Identifier: 87-reU8L8VIStmq-oj7IWlX6-ls
> NotBefore : 2024-08-05 14:54:32
> NotAfter : 2024-09-04 14:54:32
>
> ratoken (cmcra):
> not set
>
> ratoken (scep):
> not set
>
> ca-signer (certsign):
> Alias : ca-signer-1
> Identifier: 1dzhOuBydkcgA82KWxSpPEefNVg
> NotBefore : 2024-08-05 14:54:05
> NotAfter : 2025-08-05 14:54:05
>
> === root ca ===
> current root ca:
> Alias : root-1
> Identifier: 3_8BFNLuYFZNsEcV7i9yih-AMrs
> NotBefore : 2024-08-05 14:53:04
> NotAfter : 2024-09-04 14:53:04
>
> upcoming root ca:
> not set
>
> # openxpkiadm key list
> Keys for token group ratoken
> Keys for token group vault
> c vault-1
> Keys for token group ca-signer
> c ca-signer-1
> Keys for token group ratoken
>
> A CRL could be issued and published, correctly signed by ca-signer-1. However,
> if I try to sign a CSR I get an exception (started with debug 10):
>
> 2024-08-05 17:22:39.155271 DEBUG:1 PID:432869 OpenXPKI::Exception::full_message (line 118): exception thrown: Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1754407359, __notbefore__ => 1722871359, __pki_realm__ => democa
> 2024-08-05 17:22:39.155658 DEBUG:1 PID:432869 OpenXPKI::Exception::full_message (line 118): exception thrown: Could not find token alias by group; __group__ => ca-signer, __noafter__ => 1754407359, __notbefore__ => 1722871359, __pki_realm__ => democa
>
> I don't know what went wrong and why CRL signing works but CSR signing does not.
> Any advice or hint?
OpenXPKI is designed to perform fully automatic CA rollovers. This means you can have any number of Issuing CA certificates within a PKI Realm that will issue certificates for this logical CA. CA rollovers are therefore a lightweight, uninteresting thing to OpenXPKI; you don't even have to restart the daemon process.

When a certificate request is approved and about to be issued, OpenXPKI determines the responsible Issuing CA at runtime:

1. determine all currently valid CA certificates for this PKI Realm
2. determine all CA certificates which can issue a certificate for the requested validity
3. from the remaining CAs choose the one with the highest NotBefore date

Your particular OpenXPKI instance has been configured with a CA certificate that is valid until 2025-08-05 14:54:05 UTC. You seem to try to issue a certificate that would be valid until 2025-08-05 15:22:39 UTC (I suppose you kept the 1 year default validity), which is outside the validity of the Issuing CA certificate. Your OpenXPKI concludes that there is no matching CA Certificate which can perform this action and thus bails out with an error.

Possible solutions:

- perform an Issuing CA rollover (import a new CA Signer token with a validity that allows issuance of the certificate)
- reduce the requested certificate validity (e.g. reduce to 6 months)

Yes, OpenXPKI is that cool B)

Cheers
Martin

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
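The three-step selection above, worked through in Python as an added illustration (this is not OpenXPKI's own code): it converts the `__notbefore__`/`__noafter__` epoch values from the debug log to UTC, models the one `ca-signer-1` token from the alias list, and shows why the one-year request finds no issuer while a shorter validity or a rolled-over token does. The `CaToken` type, the function names and the `ca-signer-2` token used in the test are assumptions for the example.

```python
# Added example (not OpenXPKI code): a sketch of the Issuing CA selection
# described in the reply, run against the values from this thread.
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional


def epoch_to_utc(ts: int) -> str:
    """Render an epoch value like __noafter__ from the debug log as UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def utc_to_epoch(s: str) -> int:
    """Inverse helper for the NotBefore/NotAfter strings in 'openxpkiadm alias list'."""
    return int(datetime.strptime(s, "%Y-%m-%d %H:%M:%S")
               .replace(tzinfo=timezone.utc).timestamp())


@dataclass(frozen=True)
class CaToken:            # hypothetical model of one ca-signer alias
    alias: str
    not_before: int       # epoch seconds, UTC
    not_after: int        # epoch seconds, UTC


# Constructed from the thread: the only ca-signer token, valid for one year.
CA_SIGNER_1 = CaToken("ca-signer-1",
                      utc_to_epoch("2024-08-05 14:54:05"),
                      utc_to_epoch("2025-08-05 14:54:05"))

# Requested validity taken from the exception in the thread (epoch seconds).
REQ_NOTBEFORE = 1722871359   # 2024-08-05 15:22:39 UTC
REQ_NOTAFTER = 1754407359    # 2025-08-05 15:22:39 UTC, one year later


def select_issuing_ca(tokens: Iterable[CaToken], req_notbefore: int,
                      req_notafter: int, now: Optional[int] = None) -> Optional[str]:
    """Pick the alias that may issue, following the three steps in the reply.

    1. keep tokens that are valid right now
    2. keep tokens whose validity fully covers the requested validity
    3. of those, take the one with the highest NotBefore
    Returns None when nothing qualifies, which is the situation behind
    'Could not find token alias by group' in the log.
    """
    now = req_notbefore if now is None else now
    valid_now = [t for t in tokens if t.not_before <= now <= t.not_after]
    covering = [t for t in valid_now
                if t.not_before <= req_notbefore and req_notafter <= t.not_after]
    if not covering:
        return None
    return max(covering, key=lambda t: t.not_before).alias
```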
