Re: [OpenXPKI-users] [SCEP] Enrollment failing with I18N_OPENXPKI_UI_INVALID_PROFILE with OpenXPKI v3.30.3

2024-06-27 Thread Martin Bartosch via OpenXPKI-users
Hi, > I agree with you, I am just a newbie in this whole world of PKI and I went > for the easiest way to make it work at the beginning and then start from > there to "make it right". Thanks for the heads up, > > You were right, just that all know what happened, the problems that I faced >

Re: [OpenXPKI-users] Instructions for adding a WEBUI message string.

2024-06-14 Thread Martin Bartosch via OpenXPKI-users
James, > I would like to add an I18N message to a custom profile. > > msgid "I18N_OPENXPKI_UI_PROFILE_HLL_MULTI_LABEL" > msgstr "HLL Multi Purpose Profile" > > I have created a new openxpki.mo file using msgcat and msgfmt. I have moved > the custom mo file into the en_US subdirectory of

Re: [OpenXPKI-users] How are IP addresses added as Alternative Subject Names?

2024-05-13 Thread Martin Bartosch via OpenXPKI-users
Hi, > Does OpenXPKI support IP addresses as a SubjectAlternativename? > > > On Fri, May 10, 2024 12:00, James B. Byrne wrote: > > How does one add an IP dotted quad as an alternate subject name when signing > certificates? When added through the webui they appear as > DNS:xxx.xxx.xxx.xxx.

Re: [OpenXPKI-users] Allow additional Elliptic Curves

2024-05-08 Thread Martin Bartosch via OpenXPKI-users
Hi, > I have created a csr using the elliptic curve secp256k1. When I copy this csr > in the web interface and try to request a certificate, I get this error: > "Used key parameter is not allowed by policy (curve_name: 1.3.132.0.10)" > > When I do the exact same thing but using the curve

Re: [OpenXPKI-users] EST Endpoint / RFC 7030

2024-05-08 Thread Martin Bartosch via OpenXPKI-users
Hi, > For authenticated EST the OpenXPKI documentation says: Use the UI to obtain a > TLS Client certificate with the application name *pkiclient* > > I don't understand in which field of the X.509 certificate should the > "application name" go. Our default configuration ships with the

Re: [OpenXPKI-users] Cannot generate a new certificate from external csr

2024-05-07 Thread Martin Bartosch via OpenXPKI-users
James, > I generated a new csr from the private key: > > openssl req -new -key 2016002C.key -out 2016002C_20240507.csr No, you regenerated the same CSR from the same private key. > When I paste the entire .csr into openxpki webui I get this error: > > > The uploaded key was found to be used

Re: [OpenXPKI-users] SSL

2024-04-22 Thread Martin Bartosch via OpenXPKI-users
Hi, > How can the registration officer set the validity? Well, click on "Edit Validity" on a PENDING request. > How could I create a second profile most effectively? I know I need to > expand the profile, but how should I configure it best? Create a copy of the profile's YAML file for which

Re: [OpenXPKI-users] SSL

2024-04-18 Thread Martin Bartosch via OpenXPKI-users
Ali, > Thank you, but I have found my mistake. Would you mind sharing your experience so others can benefit from your resolution in case they are facing a similar problem? > Another question > Is there a possibility under "realm/democa/profile/default" to select the > validity between 1 year

Re: [OpenXPKI-users] How is an OpenXPKI generated private key exported?

2024-04-17 Thread Martin Bartosch via OpenXPKI-users
James, > My question was imprecise. I had in mind a batch/cli type solution. After > further research this is what I am attempting to use. > openxpkicli --realm=hll_ca2016 get_private_key_for_cert \ > --param identifier='Lik1K_AGi-RDqOiNxjmptAh-4-w' \ > --param password='F990NCtO' \ >

Re: [OpenXPKI-users] How is an OpenXPKI generated private key exported?

2024-04-15 Thread Martin Bartosch via OpenXPKI-users
James, > I created csr where the option to create a private key was selected. How is > the private key created for this csr exported from openxpki? Click on the Certificate. Choose Action -> "Download private key/keystore (PKCS12/PKCS8/Java)" Martin

Re: [OpenXPKI-users] openxpkicli import_certificate

2024-04-11 Thread Martin Bartosch via OpenXPKI-users
James, > I have successfully imported an existing certificate into the hll_ca2016 > realm, > finally. > > openxpkiadm certificate list -v -v --realm hll_ca2016 --all > > Certificates in hll_ca2016: > > Identifier: 76QCIA3aO9WOjkW6g2SAGQXoATI >Subject: >

Re: [OpenXPKI-users] openxpkicli import_certificate

2024-04-11 Thread Martin Bartosch via OpenXPKI-users
James, > For the 'openxpkicli import_certificate' command there is an additional > parameter named 'profile' which takes a string argument. Is this string a path > to a file; or just the name of a file; or something else? Well, it's the profile name... In terms of the OpenXPKI configuration

Re: [OpenXPKI-users] Mapping openssl cnf options to openxpki yaml profiles

2024-04-10 Thread Martin Bartosch via OpenXPKI-users
James, > I have been struggling with the yaml profile mapping of certificate extensions > to openxpki profiles. I need some examples or a profile node key legend to > assist me in understanding how this works. I think the example configuration in the configuration repository is pretty self

Re: [OpenXPKI-users] Generate and publish a CRL

2024-04-04 Thread Martin Bartosch via OpenXPKI-users
James, > There is no /var/www/ directory on FreeBSD as shipped. Instead the html root > is /usr/local/www/. I created /usr/local/www/download/ > > # ll -d /usr/local/www/download > drwxr-xr-x 2 root wheel 2 Apr 4 12:39 /usr/local/www/download > ... > > But still get the same result. >

Re: [OpenXPKI-users] Unable to load key from datapool;

2024-04-02 Thread Martin Bartosch via OpenXPKI-users
James, > openxpkicli --realm hll_ca2016 --filearg data=hllcerts/20160001.pem > import_certificate > Error: Error while executing API command >Attribute (data) does not pass the type constraint because: ''Certificate: >Data: >Version: 3 (0x2) >Serial Number: 538312705

Re: [OpenXPKI-users] EST renewal/reenrollment

2024-03-26 Thread Martin Bartosch via OpenXPKI-users
Hi, > 5- I do get authenticated through basic auth AND through the certificates i'm > passing to cURL. > But I keep getting back the same certificate. > No workflow is triggered. > And in EST.log > INF authenticated client DN: CN=same cn,DC=Test > Deployment,DC=OpenXPKI,DC=org

Re: [OpenXPKI-users] 1 secret groups not available

2024-03-22 Thread Martin Bartosch via OpenXPKI-users
James, > openxpkiadm alias \ > --realm "hll_ca2016" \ > --token certsign \ > --file /CA_HLL_ROOT_2016/certs/02.pem \ > --key /CA_HLL_ROOT_2016/private/keys/02.key.aes256 This command - imported 02.pem as the first (a "--generation 1" is implicit when you import the very first token) signer

Re: [OpenXPKI-users] Unexpected error This workflow was interrupted by an unexpected event

2024-03-13 Thread Martin Bartosch via OpenXPKI-users
Hi James, > This is the diff between the current config.d and the original before any > changes were made. > > # git diff -G. hllv1.00 -- --follow config.d > diff --git a/config.d/realm.tpl/crypto.yaml b/config.d/realm.tpl/crypto.yaml > index 95614f5..bda48a1 100644 > ---

Re: [OpenXPKI-users] Unexpected error This workflow was interrupted by an unexpected event

2024-03-13 Thread Martin Bartosch via OpenXPKI-users
Hi James, > 2024/03/13 08:16:31 ERROR OpenSSL error: Using configuration from > /var/tmp/openxpki28821VniVdpfp/openssl.cnf > unable to load CA private key > . . . > > I guess that this is the problem: unable to load CA private key Yep. > The realm was created using: > > openxpkiadm alias \

Re: [OpenXPKI-users] Unexpected error This workflow was interrupted by an unexpected event

2024-03-13 Thread Martin Bartosch via OpenXPKI-users
Hi James, > __EXIT_STATUS__ => 256 == Searching for Openssl error codes the number 256 > comes up as related to an unsupported cipher. Where is the cypher being > specified? The exit status is shifted left by 8 bits by the execution wrapper in OpenXPKI, so the actual return code is 256 >> 8 ==

Re: [OpenXPKI-users] Without AES256

2024-03-05 Thread Martin Bartosch via OpenXPKI-users
Hi, > Is there also a possibility when I create certificates that the certificates > are stored directly on the server on which openxpki is running? Your question is not specific enough to let us understand what you actually want to achieve, and for this reason the answer is a qualified "yes".

Re: [OpenXPKI-users] Without AES256

2024-03-05 Thread Martin Bartosch via OpenXPKI-users
Hi, > Could you tell me in which workflow I could define the fixed password? Well, that's the workflow you are using for requesting the certificate, most likely certificate_signing_request_v2 In this workflow you will find an activity which is conveniently called generate_key... Cheers

Re: [OpenXPKI-users] Missing index.html

2024-02-23 Thread Martin Bartosch via OpenXPKI-users
James, On a Unix system, a user needs execute permission in order to enter a directory (not read). Cheers Martin ___ OpenXPKI-users mailing list OpenXPKI-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openxpki-users

Re: [OpenXPKI-users] Missing index.html

2024-02-22 Thread Martin Bartosch via OpenXPKI-users
Hi, > I have discovered that my literal reading of README.md and the Quickstart > guide > led me to copy the /usr/local/share/examples/openxpki/htdocs/ directory to > /var/local/www/openxpki/ whereas it appears that I instead should have copied > the contents thereof. This I have now done and I

Re: [OpenXPKI-users] examples of crypto.yaml desired.

2024-02-14 Thread Martin Bartosch via OpenXPKI-users
Hi, Some background information may be useful here: When importing a certificate into the OpenXPKI database, the system tries to build a certificate chain up to a known Root CA certificate. If no chain can be built, import is refused (there are ways to override this, though). For chain

Re: [OpenXPKI-users] Display Names for Custom Profiles

2024-02-02 Thread Martin Bartosch via OpenXPKI-users
Hi Mark, > I found the display names in "/etc/openxpki/contrib/i18n/en_US/openxpki.po" > file and added a new entry for msgid > "I18N_OPENXPKI_UI_PROFILE_TLS_SERVER_LABEL_5Y" with a msgstr of "TLS/Web > Server (5 years)". The translations in OpenXPKI are handled by Gnu Gettext. The following

Re: [OpenXPKI-users] Web Virtual Host not Working

2024-01-30 Thread Martin Bartosch via OpenXPKI-users
Hi Mark, > root@certca:/var/www/openxpki# openxpkicmd --realm certca crl_issuance > Workflow created (ID: 255), State: SUCCESS > > But When I get to the portion of Adding the Webclient, once again following > the instructions, I do not see Apache start listening on port 443. > >

Re: [OpenXPKI-users] Sscep problem

2024-01-26 Thread Martin Bartosch via OpenXPKI-users
Hi, > I'm a bit further along now, I installed sscep via Github Link but now I get > the error message: > /sscep# ./sscep getca -c tmp/cacert -u http://domainorip/scep/scep > ./sscep: cannot open cert file for writing mkdir tmp and retry. Cheers Martin

Re: [OpenXPKI-users] AWS CloudHSM?

2024-01-17 Thread Martin Bartosch via OpenXPKI-users
Hi, > Thanks it mostly did the trick – but still some issues. It seems token > rollover didn’t work. The crl issuance is trying to use casigner-1, but alias > with current cert is for casigner-2. > I also verified with openssl that crl issuance does work manually. > Maybe this is a novice

Re: [OpenXPKI-users] OpenSSL 1 vs 3 support?

2024-01-16 Thread Martin Bartosch via OpenXPKI-users
Hi, > I noticed that the community edition has dependency to OpenSSL version 3. I > was wondering if OpenSSL 1 works as well, or is OpenSSL 3 a hard > requirement? OpenXPKI supports both versions. The reason that the Debian package depends on OpenSSL 3 is that Debian ships this version by

Re: [OpenXPKI-users] Help

2024-01-16 Thread Martin Bartosch via OpenXPKI-users
Hi, > When I check with "openxpkiadm alias --realm ..." my CA signer, Vault and > Root CA are displayed. Is that correct or not? Am I completely wrong or have > I overlooked something? Maybe it is correct, maybe it is not. It is not possible to help you if you do not provide useful

Re: [OpenXPKI-users] Help

2024-01-16 Thread Martin Bartosch via OpenXPKI-users
Hi, > I get the message when I want to check "LOAD_NEXT_CA_CRL_GET_NEXT_CA_0" CRL. > On the Openxpki WebGui it shows me "No CRL found!" and my CA signer is > apparently offline. Local CRL issuance within a PKI Realm only works if the CA signer tokens of this Realm are online, so make sure that

Re: [OpenXPKI-users] Multiple Private Keys for a single realm

2024-01-02 Thread Martin Bartosch via OpenXPKI-users
Happy New Year everyone! > We are running a setup with OpenXPKI with a single Root CA (RSA private key) > and a couple of intermediate/subordinate CA (all with EC private keys). > > Now we have hit a problem where a 3rd party product should act as a separate > CA but still we want to maintain

Re: [OpenXPKI-users] OpenxPKI Update

2023-12-22 Thread Martin Bartosch via OpenXPKI-users
Hi Elias, > After updating our Debian server from version 9 to 11 and also updating the > OpenXPKI installation and configuration, I am encountering the following > problem: > openxpkictl[1592]: Please set database schema version! at > /usr/share/perl5/OpenXPKI/Server/Init.pm line 291. > Here

Re: [OpenXPKI-users] Failed Action: csr_notify_pending - ERROR: requested value is not a scalar

2023-12-21 Thread Martin Bartosch via OpenXPKI-users
Hi Maximillian, > Having some trouble with a new openxpki install using the docker image. I've > gotten most everything configured, but when I try to generate a CSR via the > webui, I get the following error: > > Unexpected error > This workflow was interrupted by an unexpected event, it will

Re: [OpenXPKI-users] CMC support in OpenXPKI ?

2023-11-23 Thread Martin Bartosch via OpenXPKI-users
Hi Scott, > Does OpenXPKI support Certificate Management over Cryptographic Message > Syntax (CMC) ? > Yes, it does. Cheers Martin

Re: [OpenXPKI-users] private key attestation verification for enrollment

2023-11-15 Thread Martin Bartosch via OpenXPKI-users
Hi Jeremy, > There is a draft RFC which proposes to add the capability to convey private > key attestation to an enrollment server: > > https://www.ietf.org/archive/id/draft-ietf-lamps-key-attestation-ext-00.html > > This covers all protocols and all attestation sources. I have been working

Re: [OpenXPKI-users] ACME support

2023-11-09 Thread Martin Bartosch via OpenXPKI-users
Hi, > Hi Does openxpki have or plan to have support for the ACME protocol ? We are currently working on a native ACME interface implementation and we plan to support ACME in the future. Best regards, Martin

Re: [OpenXPKI-users] Run as non-root

2023-09-30 Thread Martin Bartosch via OpenXPKI-users
Hi, > Has anyone successfully configured OpenXPKI to run as a non-root user? I'm > preparing an install for a hardened linux server. One of the requirements is > additional packages need to run as non-root. > > I've made some changes in the openxpkid.service file as well as the >

Re: [OpenXPKI-users] Looking for an open source PKI software manager

2023-09-29 Thread Martin Bartosch via OpenXPKI-users
Hi Mike, > Will OpenPKI meet all of our needs? > Sempris needs a certificate management system, specifically for: > 1. AWS Lambdas > 2. Internal web sites > 3. Various internal services > The first (AWS) is the biggest challenge. We anticipate managing between > 100-200 different certificates.

Re: [OpenXPKI-users] OpenXPKI with YubiHSM2 - Unable to load module yubihsm_pkcs11

2023-09-28 Thread Martin Bartosch via OpenXPKI-users
Hi, > On 29.09.2023 at 04:08, Lixin Liu wrote: > > I am using RHEL system which is not officially supported. But from what I > see, there are > only very minor difference. I have these: Just to clarify: The Community Edition is available as source code and packaged for Debian. However,

Re: [OpenXPKI-users] Active/Active Setup

2023-09-28 Thread Martin Bartosch via OpenXPKI-users
Hi, > we are planning to set up an active/active system over two geo locations. > Does anyone have experience with such a scenario and can share some best > practices? > We would otherwise be testing db replication or setting up different signing > ca’s within the datacenters, but I would

Re: [OpenXPKI-users] Integration Issue with Apache

2023-09-01 Thread Martin Bartosch via OpenXPKI-users
Hi Chris, > 2023/09/01 16:28:21 ERR Error creating backend client Error while writing to > socket; __EVAL_ERROR__ => I18N_OPENXPKI_CLIENT_INIT_CONNECTION_FAILED; > __ERROR__ => Permission denied, __SOCKETFILE__ => > /var/openxpki/openxpki.socket [pid=2305|sid=[undef]] The OpenXPKI Web UI

Re: [OpenXPKI-users] Integration Issue with Apache

2023-09-01 Thread Martin Bartosch via OpenXPKI-users
Hi Chris, > Hi, I'm reaching out to the community seeking assistance with an issue I've > encountered during an integration process. Having recently upgraded my Apache > web server to the latest version from source, I referred to the documentation > and adjusted the openxpki.conf settings in

Re: [OpenXPKI-users] EST - invalid profile

2023-08-25 Thread Martin Bartosch via OpenXPKI-users
Hi Thomas, >> Hi Thomas, >> invalid profile means that the NAME of the profile that the workflow tries >> to issue does not exist or is not in the list of the allowed endpoint >> profiles. > Where to find the ‘list of the allowed endpoint profiles’? In the profile_map section Enrollment

Re: [OpenXPKI-users] EST and realm

2023-08-14 Thread Martin Bartosch via OpenXPKI-users
Hi, > But I have an other question: is it possible to have an EST endpoint per > realm? OpenXPKI supports an arbitrary number of enrollment endpoints (EST, SCEP, RPC) per PKI Realm. Each of those can have different enrollment policies. Cheers Martin

Re: [OpenXPKI-users] Issue new certificates for the Realm

2023-08-03 Thread Martin Bartosch via OpenXPKI-users
Hi Gabriel, > I need to issue new realm certificates, both from ca-signer-1 and vault-1. > Could you tell me what commands I should execute to issue the certificates. If I understand you correctly you intend to perform a CA Rollover within your PKI Realm, and you also wish to update the

Re: [OpenXPKI-users] [RPC API] Workflow definition for server-side key generation

2023-07-12 Thread Martin Bartosch via OpenXPKI-users
Hi, > I'm trying to issue a certificate using the default RPC configuration > (RequestCertificate method) but I get: > { > "result": { > "id": 3583, > "proc_state": "finished", > "state": "FAILURE", > "data": { > "transaction_id":

Re: [OpenXPKI-users] openxpki-client socket permission denied at after upgrade from 3.20 to 3.24

2023-05-23 Thread Martin Bartosch via OpenXPKI-users
Hi, > Thank you very much for the reply, I was wondering because the config did not > change and everything worked smooth before the upgrade. The semantics I posted have been in place and unchanged for a very long time, and we did not change the relevant code portions recently, so the cause

Re: [OpenXPKI-users] openxpki-client socket permission denied at after upgrade from 3.20 to 3.24

2023-05-23 Thread Martin Bartosch via OpenXPKI-users
Hi, > We are using docker containers. At webui.log: > > 2023/05/19 08:34:20 ERR Error creating backend client Error while writing to > socket; __EVAL_ERROR__ => I18N_OPENXPKI_CLIENT_INIT_CONNECTION_FAILED; > __ERROR__ => Permission denied, __SOCKETFILE__ => > /var/openxpki/openxpki.socket

Re: [OpenXPKI-users] WebUI issue with Remote DB Server of OpenXPKI

2023-04-10 Thread Martin Bartosch via OpenXPKI-users
Hi, > We deployed the OpenXPKI DB on a separate remote MariaDB server and changed > the details in /etc/openxpki/config.d/system/database.yaml > > The server daemon restarts successfully but the UI doesn't work. It is bound > to the local DB. How can we change it? The Web UI has its own

[OpenXPKI-users] We're Back! Join Us for an Even Better OpenXPKI User Workshop on June 13th 2023 in Frankfurt am Main, Germany

2023-03-12 Thread Martin Bartosch via OpenXPKI-users
Dear OpenXPKI Users, We are back! After having to cancel our last workshop due to the Covid 19 pandemic, we are thrilled to announce that the OpenXPKI user workshop is finally happening again, and this time, it's going to be even better. We hope this email finds you well, and you are just as

Re: [OpenXPKI-users] Error when publishing a cert to local disk

2023-02-26 Thread Martin Bartosch via OpenXPKI-users
Hi, > I am hitting another error when publishing a cert (to a local file). I see > the cert file is written > to local directory, but with a 777 permission which I think is wrong. I observed a similar problem recently: if the file does not exist, it is created with the system umask. If it

Re: [OpenXPKI-users] Questions about publishing CRL and use san_email

2023-02-22 Thread Martin Bartosch via OpenXPKI-users
Hi, > My further test shows that CDP works correctly if the directory is owned by > openxpki user. > Previously it was owned by apache user/group with group writeable permission. > openxpki > user is a member of apache group. This did not work. I am not sure why, > likely because > the perl

Re: [OpenXPKI-users] clca vs openxpki

2023-02-12 Thread Martin Bartosch via OpenXPKI-users
Hi, > Does software > https://github.com/openxpki/clca > depend on software > https://github.com/openxpki/openxpki > or does it conflict with the latter, if installed on the same host? This is not a problem, both projects will work properly on the same system. Cheers, Martin

Re: [OpenXPKI-users] Duplicate Key Error (Request) while creating cert with CSR

2023-02-07 Thread Martin Bartosch via OpenXPKI-users
Hi, > I am generating a cert from OpenXPKI UI with CSR but I get "Duplicate Key > Error (Request)". Kindly guide me. You uploaded a CSR which uses a key which has already been seen by your OpenXPKI instance, hence "Duplicate Key Error". You need to generate a new private key and a new

Re: [OpenXPKI-users] OpenXPKI SCEP enrollment for 2 different profiles

2023-02-01 Thread Martin Bartosch via OpenXPKI-users
Hi, > Is it possible to configure OpenXPKI SCEP enrollment for 2 different profiles > e.g. TLS server and TLS client? Sure it is. See the recent posts related to EST. Cheers Martin

Re: [OpenXPKI-users] EST using different profiles

2023-02-01 Thread Martin Bartosch via OpenXPKI-users
Hi, > I have only one CA, but is it possible to configure EST with 2 different > profiles? > I would like to setup one for User certs. and one for TLS server certs. Within any OpenXPKI PKI Realm you can configure an arbitrary number of EST, SCEP and RPC endpoints. Each endpoint has its own

Re: [OpenXPKI-users] Renew certificate expired

2023-01-31 Thread Martin Bartosch via OpenXPKI-users
Hi, > I have very little experience, and my scant use of English and documentation, > I can't figure out how to renew an expired certificate, could you tell me how > to renew the certificate, please. The most straightforward way is to generate a new private key, a certificate request from the

Re: [OpenXPKI-users] Default value's in profile templates

2023-01-19 Thread Martin Bartosch via OpenXPKI-users
Hi, > ***SNIP*** > I was adding a new certificate profile last week and had to add the new field > template. > For that new use case, the value for the field would always be the same. So > I'd like to have this pre-filled when reaching the workflow step but still > editable, if it needs to be

Re: [OpenXPKI-users] SmartCard-HSM or Nitrokey integration

2022-11-21 Thread Martin Bartosch via OpenXPKI-users
Hi, > As I know, openxpki supports PKCS#11 interface via OpenSC > I'm making a Lab to implement a CA with signer key protected inside HSMs such > as SmartCard-HSM or Nitrokey, in documentation there is an example for > YubicoHSM but I don't get the full idea and the required steps, > I tried to

Re: [OpenXPKI-users] Disabling PKCS10 signature verification

2022-11-15 Thread Martin Bartosch via OpenXPKI-users
Hi Mukilan, > Does it mean that we can't ignore signature verification for CSR? I will > explain the use case. We would like to modify the SubjectDN/SAN as part of > our own policy while internal clients (devices, computers and etc) are > raising certificate requests. The internal clients

Re: [OpenXPKI-users] Microsoft Active Directory with OpenXPKI

2022-08-03 Thread Martin Bartosch via OpenXPKI-users
> I've an Active Directory for my domain users. Can I fetch users list from AD > and request certificates on behalf of Active Directory users from OpenXPKI > web interface? You can do a lot of things with OpenXPKI, and the answer is probably yes. Cheers Martin

Re: [OpenXPKI-users] Microsoft Active Directory with OpenXPKI

2022-08-03 Thread Martin Bartosch via OpenXPKI-users
> Does OpenXPKI support certificate generation from Microsoft Active Directory? This question does not make any sense. Cheers Martin

Re: [OpenXPKI-users] key distribution

2022-05-18 Thread Martin Bartosch via OpenXPKI-users
Hi, > Does OpenXPKI have any feature to distribute public keys over all servers or > not? It eludes me why this might be necessary. In addition, OpenXPKI has no way of knowing what "all servers" are. However, OpenXPKI provides a configurable publishing operation which is executed on every

Re: [OpenXPKI-users] Request for help to configure CRL (certificate revocation list) for EST protocol in openxpki 3.x

2022-05-04 Thread Martin Bartosch via OpenXPKI-users
Hi, > I want to configure CRL (certificate revocation list) for EST protocol in > openxpki 3.x server. I did it for SCEP protocol in openxpki 2.x. Can you > please help me with the required steps for EST (e.g. Generating CRL > information, Configuring CRL accessibility etc.) > > For your

Re: [OpenXPKI-users] How to Configure YubiHSM in CLCA

2022-04-26 Thread Martin Bartosch via OpenXPKI-users
Hi, > The CLCA documentation https://github.com/openxpki/clca specifies to use the > nCipher & Gemalto HSM as follows. > > # Define crypto engine to use. Supported values are > # openssl - OpenSSL software only (private keys stored on disk) > # chil - nCipher hardware > # gem -

Re: [OpenXPKI-users] Bridge CA in OpenXPKI?

2022-03-09 Thread Martin Bartosch via OpenXPKI-users
> That sounds great. How we can setup BridgeCA in OpenXPKI? You analyze your requirements, define a resulting PKI architecture and implement it properly.

Re: [OpenXPKI-users] Store OpenXPKI CA Key in AWS CloudHSM

2022-03-09 Thread Martin Bartosch via OpenXPKI-users
> Is it possible to store the CA key in OpenXPKI on AWS CloudHSM? > Yes.

Re: [OpenXPKI-users] Bridge CA in OpenXPKI?

2022-03-09 Thread Martin Bartosch via OpenXPKI-users
> Is it possible to create a Bridge CA in OpenXPKI? Yes.

Re: [OpenXPKI-users] Cannot autorenew scep requested certificate

2022-02-15 Thread Martin Bartosch via OpenXPKI-users
Hi, > You're right, certmonger seems to keep the same private key for renewal. > So certmonger may not be useful as I read in the getcert man : > > -r automatically renews the certificate when its expiration date is close if > the key pair already exists. This option is used by default. > >

Re: [OpenXPKI-users] Cannot autorenew scep requested certificate

2022-02-15 Thread Martin Bartosch via OpenXPKI-users
Hi, > I am stuck in testing autorenew of scep requested certificates. > > This is my initial enrollment with certmonger : > ``` > getcert request -c openxpki -f $certfolder/nginx2.crt -k > $keyfolder/nginx2.key -g 4096 -r -N cn=nginx2.domain.lan -v -w -L > SecretChallenge > ``` > > On client

Re: [OpenXPKI-users] Support of CMP and 3GPP in OpenXPKI???

2022-01-13 Thread Martin Bartosch via OpenXPKI-users
Hi, > Does OpenXPKI support CMP and 3GPP standards? No, it does not. Cheers Martin

Re: [OpenXPKI-users] Problems with setup (democa)

2021-12-23 Thread Martin Bartosch via OpenXPKI-users
Hi, >>> I can find the certificates in the sql dump (BEGIN CERTIFICATE) but I >>> can't find any string with 'BEGIN ENCRYPTED PRIVATE KEY'. Where is the >>> private key located? > >> The keys are wrapped into a PKCS7 container - look for something where >> the namespace column has a value of

Re: [OpenXPKI-users] Fwd: Openxpki workflow could not find token alias

2021-12-14 Thread Martin Bartosch via OpenXPKI-users
Hi, > I do have a question about the maximum validity. > As I understand, the CA validity has to be longer or the same as the > configured validity in the used profile (which currently is +01, which is 1 > year as i understand) > Now my CAs are valid for 1 year, and have a bit of overlap. > >

Re: [OpenXPKI-users] Openxpki workflow could not find token alias

2021-12-09 Thread Martin Bartosch via OpenXPKI-users
Hi, > I run into the following error during trying to (automatically) sign a CSR > for the factory_ca realm > > 2021/12/09 10:42:36 255 start cert issue for serial 255, workflow 255 > 2021/12/09 10:42:36 255 NICE backend error: Could not find token alias by > group; __group__ => ca-signer,

Re: [OpenXPKI-users] Extensions: key usage: how to have only "key usage" asked by the CSR

2021-12-01 Thread Martin Bartosch via OpenXPKI-users
Hi, > I'm guessing this has been already asked, I searched the archives to no avail. No, as far as I am concerned I have never seen this requirement before. > I generate my CSR with key usage information “DigitalSignature” and “Key > encipherment” (using OpenSSL API). > But when I get my

Re: [OpenXPKI-users] Install OpenXPKI on Debian 11.0.0

2021-11-16 Thread Martin Bartosch via OpenXPKI-users
> Can someone on the list update me on when pre-compiled packages for Debian 11 > Bullseye will be available? > > Regards > Scotty > > On Wednesday, 20 October 2021, 02:52:29 pm GMT+5, Martin Bartosch > wrote: > > > Furthermore, I consider that Carthage must be destroyed. I may have raised false

Re: [OpenXPKI-users] Install OpenXPKI on Debian 11.0.0

2021-10-20 Thread Martin Bartosch via OpenXPKI-users
Furthermore, I consider that Carthage must be destroyed. > On 20.10.2021 at 06:54, Scott Thomas via OpenXPKI-users wrote: > > Hi, > > Any update of OpenXPKI pre-compiled packages on Debian 11.0??? > > Cheers > Scotty > > On Monday, 4 October 2021, 02:16:17 pm GMT+5, Scott Thomas via OpenXPKI-users >

Re: [OpenXPKI-users] How do I retrieve a Certificates key via RPC-call to http://localhost:8080/rpc/enroll/SearchCertificate

2021-09-24 Thread Martin Bartosch via OpenXPKI-users
Hi, > Meanwhile I found out, that sending REST-Requests with the right header works > fine for me: > > curl -s -X POST http://localhost:8080/rpc/enroll/SearchCertificate -H > 'Content-Type: application/json' -d '{"common_name":"Rob Roberts"}' | python > -m json.tool I don't really know

Re: [OpenXPKI-users] How enable Intermediate certificate CRL.

2021-09-24 Thread Martin Bartosch via OpenXPKI-users
Hi, > We are facing the issue while validating the certificate using ocsp. We did a > bit of R from our side and we found the following issue when we tried to > use the following command. > screenshot attached. The OpenXPKI OpenSource edition does not include an OCSP server, this is a

Re: [OpenXPKI-users] How enable Intermediate certificate CRL.

2021-09-23 Thread Martin Bartosch via OpenXPKI-users
> We are able to enable .p12 certificate CRL for certificate revocation. But we > need to enable CRL for intermediate certificates i.e our requirement. > Screenshots are attached along with mail for more understanding. If you are asking where you can configure the CDP in the certificate profile

Re: [OpenXPKI-users] How enable Intermediate certificate CRL.

2021-09-23 Thread Martin Bartosch via OpenXPKI-users
> Please guide us to enable Intermediate certificate CRL in the openxpki > environment. We are using openxpki version 3.12 in our environment. I don't understand this question. Regards, Martin

Re: [OpenXPKI-users] Openxpki login with external ldap users

2021-09-11 Thread Martin Bartosch via OpenXPKI-users
> We have used Openxpki version 3.12 in our environment. Our requirement is > that we want to authenticate openxpki with external ldap login from openxpki > UI. Please help us, how can we integrate external ldap users with openxpki, > so that we can login from openxpki web UI using external

Re: [OpenXPKI-users] 4 eyes to approve/issue certificate

2021-09-08 Thread Martin Bartosch via OpenXPKI-users
Hi, > I manage to enforce policy of 2 approvals required by RA Operators (4 eyes) in > order to issue a certificate using WEBUI interface > > Is it possible! Any advice! (Almost) everything is possible with OpenXPKI ;-) For the automatic enrollment interfaces the approval policy is located in

Re: [OpenXPKI-users] Upgrade from 2.x to 3.12

2021-09-08 Thread Martin Bartosch via OpenXPKI-users
Hi, > OK, everything working now. > > The name of the realm in the database deviated from the name in the > filesystem. That's why I didn't see existing certificates. > > Thus the SQLs used for upgrading the schema seem to be correct. Only > migrating the Sequences was needed an additional

Re: [OpenXPKI-users] directory /etc/openxpki/contrib/local missing

2021-09-08 Thread Martin Bartosch via OpenXPKI-users
Hi, > While working through the steps for a productive setup on Debian I came > across the following instruction in > https://github.com/openxpki/openxpki-config/tree/community#credentials--local-users > >> The files are already linked into the configuration layer and must >> be created before

Re: [OpenXPKI-users] Need help in crl

2021-09-08 Thread Martin Bartosch via OpenXPKI-users
Hi, > We are using openxpki version 3.12 in our environment. We are able to add > revoke certificates in .crl manually using openxpki raop. But we want to run > the revoke command using cron jobs per day. Please give us the command which > runs the backend for revocation & add .crl list.

Re: [OpenXPKI-users] Authenticate RAOP from Active Directory

2021-08-31 Thread Martin Bartosch via OpenXPKI-users
Hi, > Can we modify openxpki raop role to get authenticated from a Microsoft Active > Directory account? If not then what other alternative possible instead of > storing the hashes in yaml files??? Yes. https://openxpki.readthedocs.io/en/latest/reference/configuration/realm.html#authentication

Re: [OpenXPKI-users] Multiple DNS entries in subject alternative name

2021-08-31 Thread Martin Bartosch via OpenXPKI-users
Hi, > How can we customise the web server profile in OpenXPKI to include multiple > DNS entries in subject alternative name? An arbitrary number of SANs is already supported in the upstream configuration sample of the TLS Server profile (and has been there since about 2010 or so). Cheers

Re: [OpenXPKI-users] Workflow Pause

2021-08-05 Thread Martin Bartosch via OpenXPKI-users
Hi, > Thank you very much, as always to you Oliver! > > The only error that I detect is the openxpki.log and it is the following: > 2021/08/05 11:02:13 ERROR Could not find token alias by group; __group__ => > ca-signer, __noafter__ => 2101557733, __notbefore__ => 1628172133, > __pki_realm__

Re: [OpenXPKI-users] How to start OpenXPKI with alternative locale?

2021-08-05 Thread Martin Bartosch via OpenXPKI-users
Hi, > Martin, did you have a fight or some conflict with this Petr Grigoriev > ? In the section ru_RU, such nonsense is written ... Not as far as I can remember. We had a really nice working relationship with the team at the time. I am sorry to hear that the Russian translation is botched. At

Re: [OpenXPKI-users] How to start OpenXPKI with alternative locale?

2021-08-05 Thread Martin Bartosch via OpenXPKI-users
Hi, > I have set ru_RU-UTF8 and restart apache & system with Russian locale but > never see any changes at web interface > PS Debian 10.10 and OpenXPKI. Successfully started with en locale The Russian translation files do exist, but the content is largely non-existent (almost all translations

Re: [OpenXPKI-users] How to start OpenXPKI with alternative locale?

2021-08-04 Thread Martin Bartosch via OpenXPKI-users
Hi, > I have set ru_RU-UTF8 and restart apache & system with Russian locale but > never see any changes at web interface > PS Debian 10.10 and OpenXPKI. Successfully started with en locale Please note that the Russian localization is very old and currently unmaintained (we do not speak that

Re: [OpenXPKI-users] unique certificate subject across all realms

2021-08-02 Thread Martin Bartosch via OpenXPKI-users
Hi, > Is it possible to check if the certificate subject is unique across all > realms on the openxpki server? I am using openxpki community edition. OpenXPKI is a workflow based system, so literally almost any conceivable business logic can be implemented. We distribute a set of default

Re: [OpenXPKI-users] Use SHA256 OR SHA512 for RAOP

2021-07-09 Thread Martin Bartosch via OpenXPKI-users
> Thanks for the support, I have at least switched from SHA1 to ARGON2. > > I am using OpenXPKI Version (core): 3.10.2 but the options of SHA256 and > SHA512 are not available to me. I have double checked it again. Please upgrade to 3.12.0. The feature you require was introduced in version

Re: [OpenXPKI-users] Use SHA256 OR SHA512 for RAOP

2021-07-08 Thread Martin Bartosch via OpenXPKI-users
> The SSHA of the raop1 is placed in > /etc/openxpki/config.d/realm.tpl/auth/handler.yaml as > > raop1: "{ssha}zsmRmCaV2+Mg2t49v5hk3znKOL1VbnRz" > > the openxpkiadm hashpwd of OpenXPKI gives the following output > > Your hashed password is: >

Re: [OpenXPKI-users] Unique Certificate Subject in OpenXPKI

2021-07-07 Thread Martin Bartosch via OpenXPKI-users
> I had mailed for unique certificate subject in OpenXPKI, so that I can't > create a duplicate certificate for same user subject. The communication on > the thread > > Re: [OpenXPKI-users] Support of Unique certificate subject in OpenXPKI > Re: [OpenXPKI-users] Support of Unique certificate

Re: [OpenXPKI-users] Use SHA256 OR SHA512 for RAOP

2021-07-07 Thread Martin Bartosch via OpenXPKI-users
> OpenXPKI uses SSHA salted Sha 1 for raop password authentication via > openxpkiadm hashpwd. How can we configure to use a higher version of SHA such > as SHA256 OR SHA512? The OpenXPKI password authentication handler supports salted md5, sha1, sha224, sha256, sha384 and sha512, crypt and
