On 06.09.24 at 19:27, Martin Bartosch wrote:
I think I know what's causing the observed behaviour.
The cert 013C522BCC6F5A2B.crt was first imported in realm xca. If I try to import the
same cert into realm prodxca it fails with "Cert already exists", despite the
fact that I specified different realms. Import with update=1 changes the cert in realm xca,
even if I specify realm=prodxca.
If I have an issuer cert in realm xca and import a cert signed by this issuer
in realm prodxca the cert will be imported into realm xca, the issuer's realm.
This is described in Server/API2/Plugin/Cert/import_certificate.pm but I'm not
sure I understand the reasons for it. I expected the realms to be separated,
certificates are only visible in the specified realm. Certs without realm are
visible to all realms.
But pki_realm is not in the where clause, the check searches in all realms:
    # Check if the certificate is already in the PKI
    # (note: no pki_realm in the where clause, so the lookup spans all realms)
    my $existing_cert = $dbi->select_one(
        from    => 'certificate',
        columns => [ qw( identifier pki_realm status req_key ) ],
        where   => { identifier => $cert_identifier },
    );
I quickly scanned the code and found more statements without pki_realm in the
where clause, so it seems to be a design decision. Why are the certificates not
separated by pki_realm?
You are correct, this is a design decision which incidentally I personally made
around 2006 IIRC. The basic idea is that a certain certificate is unique, and
hence should only be present in the database once. We actually enforce this by
setting a unique index on the certificate identifier on the certificate table.
For end entity certificates I believe there is no case where this is actually a
problem, in most cases OpenXPKI itself (or a remote issuer) issues the
certificate which should by definition be unique.
However, there are cases where certificates from one PKI Realm are needed in
another PKI Realm. In almost any case I can think of this will be a CA
certificate, e.g. for building the certificate chain.
In order to cater for situations where a particular certificate existing in a
different realm is needed in another realm, we introduced the idea of an alias.
An alias is a named reference to an arbitrary certificate in any local PKI
Realm. By setting an alias in the PKI Realm to a certificate in a different PKI
Realm, you effectively allow the realm containing the alias to use the
referenced certificate, without violating the uniqueness requirement.
You are obviously trying to migrate existing data from an existing setup. The problems
you encounter stem from conflicting imports into another PKI Realm. My recommendation is
to work on a clean setup and avoid "fiddling with data" (this will also make
sure that the resulting system is in a sane state). Once you are confident, perform this
operation as a one-off import in the actual production environment. (This is how we do
migrations of existing environments with our own tool set, anyway.)
Thanks Martin for the detailed explanation, much appreciated. You're correct,
I'm trying to migrate existing data (for tracking and monitoring purposes only)
and with the new knowledge about the design and how it works I know how to set
it up.
Best,
-ap
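The uniqueness rule and the alias mechanism Martin describes, reduced to an added, self-contained sqlite model. This is example code written for this thread, not OpenXPKI's own code or schema: the alias table layout and the "cert lands in the issuer's realm" handling are assumptions based on the behaviour reported above.

```python
import sqlite3

# Constructed schema: one certificate row per identifier across all realms
# (enforced by the unique index, as in the design described above), plus a
# hypothetical per-realm alias table that references any stored certificate.
SCHEMA = """
CREATE TABLE certificate (
    identifier        TEXT NOT NULL,
    pki_realm         TEXT,            -- NULL = visible to all realms
    issuer_identifier TEXT
);
CREATE UNIQUE INDEX certificate_identifier ON certificate (identifier);
CREATE TABLE alias (
    pki_realm  TEXT NOT NULL,
    alias      TEXT NOT NULL,
    identifier TEXT NOT NULL,
    PRIMARY KEY (pki_realm, alias)
);
"""

def new_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def import_certificate(db, identifier, pki_realm, issuer_identifier=None):
    """Mirror the quoted check: the lookup has no pki_realm in its WHERE clause."""
    row = db.execute("SELECT pki_realm FROM certificate WHERE identifier = ?",
                     (identifier,)).fetchone()
    if row is not None:
        raise ValueError(f"Cert already exists (stored in realm {row[0]!r})")
    if issuer_identifier is not None:
        # Assumed behaviour from the thread: a cert whose issuer is already
        # known is stored in the issuer's realm, not the requested one.
        issuer = db.execute("SELECT pki_realm FROM certificate WHERE identifier = ?",
                            (issuer_identifier,)).fetchone()
        if issuer is not None:
            pki_realm = issuer[0]
    db.execute("INSERT INTO certificate VALUES (?, ?, ?)",
               (identifier, pki_realm, issuer_identifier))
    return pki_realm

def import_or_error(db, identifier, pki_realm, issuer_identifier=None):
    """Convenience wrapper returning the stored realm or the error text."""
    try:
        return import_certificate(db, identifier, pki_realm, issuer_identifier)
    except ValueError as exc:
        return str(exc)

def set_alias(db, pki_realm, alias, identifier):
    db.execute("INSERT INTO alias VALUES (?, ?, ?)", (pki_realm, alias, identifier))

def resolve_alias(db, pki_realm, alias):
    """Return (identifier, realm the cert is stored in) for an alias in pki_realm."""
    return db.execute(
        "SELECT c.identifier, c.pki_realm FROM alias a JOIN certificate c USING (identifier) "
        "WHERE a.pki_realm = ? AND a.alias = ?", (pki_realm, alias)).fetchone()
```

Importing 013C522BCC6F5A2B into prodxca after it exists in xca fails exactly as reported, while an alias in prodxca pointing at the xca copy resolves without a second row.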
_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users