Re: [Openca-Users] Some Questions about OpenCA Batch Processor

2008-12-16 Thread Ralf Hornik Mailings
Okay, I figured out some things by myself.

First, my own PIN is correctly imported by using the name "purePIN"
instead of "importedPIN".

Second, regarding the breaking workflow, the certificate is created  
and stored indeed, but after the break no further pkcs12 can be  
enrolled.

stderr.log does not have any valuable entries regarding this, except  
that all has worked fine...

Then, when I set the actual state to NEW_CERTt, it continues to  
ENROLLED_PIN, but then it breaks by performing enroll_pkcs12 because  
"The certificate cannot be determined".

However, all works fine when I use one key for CA, BP, Key_Backup and
LOG, so I think there is a problem when using different keys.

Can somebody reproduce this, or give me a hint, what I should try next?

Ralf

"Ralf Hornik Mailings" wrote:

> Dear list,
>
> I want to learn something about the BP module so I read the (little
> too) short explanation in the OpenCA Documentation.
>
> However I found some more information via google but I cannot  
> collect them usefully...
>
> 1. I created a separate bp/log/backup_key since my cakey is located  
> on an etoken.
>
> 2. I created a certificate for this key (bp_cert.pem) and changed  
> all corresponding symlinks (key and certs) for log and key_backup.
>
> 3. I created a file batch_process_data.txt with this content:
>
> USER ralf
> PROCESS gen_cert_ralf
> set_state new_process
> ROLE User
> SUBJECT_ALT_NAME_1 email:r...@xxx
> SUBJECT emailaddress=r...@xxx, CN=Ralf Hornik, O=Daheim, C=DE
> LOA_MODE USE_IT
> LOA 10
> imported...@private
> -BEGIN MYPIN-
> -BEGIN PKCS7-
> -END PKCS7-
> -END MYPIN-
>
> (PKCS7 was created using openca-sv)
>
> 4. I imported it into the batch interface using "Quick Import"
>
> Now I can see the new user and process. But at first the PIN is not
> shown because the web interface says (Unknown File: importedPIN)
>
> 5. Anyway, next I start a new Workflow using "Do one step for all
> workflows", choose 16 steps and activate CA key AND BP Key for  
> operation.
>
> But the batch process stops with error:
>
> "Cannot issue the certificate (6794). Cannot encrypt PIN-mail!  
> Aborting! OpenCA::OpenSSL returns errorcode 0 ().
>
>
> -130"
>
> And the actual state of the process is CHECKED_CSR.
> In stderr.log I see my newly issued certificate but it doesn't seem to
> be stored anywhere.
>
> So my questions are:
>
> 1. How can I import the PIN from PKCS7 File so that I can use it later?
> 2. Why are the issued certificates not stored? What's wrong?
> 3. Does the batch process start in background, once activated using
> "Do one step for all workflows" frequently, or do I have to
> configure something more?
>
> Thank you very much for any help.
>
>
> Ralf
>



-- 
everything stays different...


This message was sent using IMP, the Internet Messaging Program.


--
SF.Net email is Sponsored by MIX09, March 18-20, 2009 in Las Vegas, Nevada.
The future of the web can't happen without you.  Join us at MIX09 to help
pave the way to the Next Web now. Learn more and register at
http://ad.doubleclick.net/clk;208669438;13503038;i?http://2009.visitmix.com/
___
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users


[Openca-Users] Some Questions about OpenCA Batch Processor

2008-12-15 Thread Ralf Hornik Mailings
Dear list,

I want to learn something about the BP module so I read the (little
too) short explanation in the OpenCA Documentation.

However I found some more information via google but I cannot collect  
them usefully...

1. I created a separate bp/log/backup_key since my cakey is located on  
an etoken.

2. I created a certificate for this key (bp_cert.pem) and changed all  
corresponding symlinks (key and certs) for log and key_backup.

3. I created a file batch_process_data.txt with this content:

USER ralf
PROCESS gen_cert_ralf
set_state new_process
ROLE User
SUBJECT_ALT_NAME_1 email:r...@xxx
SUBJECT emailaddress=r...@xxx, CN=Ralf Hornik, O=Daheim, C=DE
LOA_MODE USE_IT
LOA 10
imported...@private
-BEGIN MYPIN-
-BEGIN PKCS7-
-END PKCS7-
-END MYPIN-

(PKCS7 was created using openca-sv)

4. I imported it into the batch interface using "Quick Import"

Now I can see the new user and process. But at first the PIN is not
shown because the web interface says (Unknown File: importedPIN)

5. Anyway, next I start a new Workflow using "Do one step for all
workflows", choose 16 steps and activate CA key AND BP Key for  
operation.

But the batch process stops with error:

"Cannot issue the certificate (6794). Cannot encrypt PIN-mail!  
Aborting! OpenCA::OpenSSL returns errorcode 0 ().


-130"

And the actual state of the process is CHECKED_CSR.
In stderr.log I see my newly issued certificate but it doesn't seem to
be stored anywhere.

So my questions are:

1. How can I import the PIN from PKCS7 File so that I can use it later?
2. Why are the issued certificates not stored? What's wrong?
3. Does the batch process start in background, once activated using
"Do one step for all workflows" frequently, or do I have to configure
something more?

Thank you very much for any help.


Ralf

