Hello Oliver,

What I try to do is to switch from OpenCA to OpenXPKI.

The reason is that it looks like OpenCA is also not in development anymore 
(and OpenXPKI looks easier to configure). There is also a migration from SHA1 
to SHA2 in progress, so I thought switching to a better CA is a good idea.

OpenXPKI looks great so far and I am also impressed by how it works. Installing 
it via Debian packages was much easier than the old CA via source code :) 

I think that we just start over with our existing ROOT CA but with new Sub CAs 
when going to SHA2. I was asked if it is possible to migrate all the old 
certificates we have on the OpenCA into the OpenXPKI. So moving 3 OpenCAs into 
one OpenXPKI with 3 realms was my idea. Each realm should then have the old 
certificates and issue new certificates.

So if importing the ROOT and Sub CA certificates is not a problem then I will 
do it. If I'm right, only the certificate that is marked as signing token will 
be used. 

I thought that the identifier is just an internal thing but was not sure. Now I 
got the answer.

By the way ... OpenCA is also using the index.txt from OpenSSL. How is OpenXPKI 
doing it? 

Many Thanks


Best regards

Andreas Krieger


-----Original Message-----
From: Oliver Welter [mailto:[email protected]] 
Sent: Wednesday, 19 October 2016 15:16
To: [email protected]
Subject: Re: [OpenXPKI-users] issuer identifier

Hello Andreas,

On 19.10.2016 at 14:04, [email protected] wrote:

> I try to import a certificate "openxpkiadm  certificate import --realm 
> 'realmname' --force-no-chain --file 'filename'".
>
> When I do this I get the following error:
>
> ERROR:  null value in column "issuer_identifier" violates not-null 
> constraint

Well, that's a bug ;)

> Would it help to add the option --issuer? But what exactly is the 
> identifier? If I get the information from a certificate (openssl x509
> ..) then I don't find anything about the issuer identifier.
>

The identifier is defined by openxpki, so you won't get it from openssl. 
You can use "openxpkiadm certificate id --file <certificate>" to get the 
identifier from a PEM encoded certificate.

But the best way would be to import the certificate with its full chain, just 
start with the above import command using the root certificate file and proceed 
with all further chain certificates. If this is not doable for you, just set 
the identifier to any non-empty value together with "force-issuer". Note that 
this might lead to unexpected behaviour if you need to build the chain for this 
certificate. Perhaps you can share what you intend to do, so I can give 
better advice.

best regards

Oliver
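
The root-first import order described above, as an added example that is not part of the original thread: it sorts a set of certificates so every issuer precedes the certificates it signed, and lists the ones whose issuer is missing instead of importing them without a chain. The file names and DNs are constructed, and matching issuers by DN only is a simplifying assumption.

```python
import shlex

def import_order(certs):
    """certs maps filename -> (subject DN, issuer DN).
    Returns (ordered, orphans): files ordered so every issuer is imported
    before the certificates it signed, and files whose chain is incomplete."""
    # Assumption: issuers are matched by DN only; real chain building also
    # checks key identifiers and signatures.
    by_subject = {subject: name for name, (subject, _) in certs.items()}
    state = {}                # filename -> True (chain complete) / False
    ordered, orphans = [], []

    def visit(name, trail):
        if name in state:
            return state[name]
        subject, issuer = certs[name]
        ok = True
        if subject != issuer:             # not self-signed: issuer goes first
            parent = by_subject.get(issuer)
            ok = (parent is not None and parent not in trail
                  and visit(parent, trail | {name}))
        state[name] = ok
        (ordered if ok else orphans).append(name)
        return ok

    for name in sorted(certs):
        visit(name, frozenset())
    return ordered, orphans

def import_commands(realm, ordered):
    """Build the import command from the thread for each file, in order."""
    return ["openxpkiadm certificate import --realm %s --file %s"
            % (shlex.quote(realm), shlex.quote(name)) for name in ordered]

# Constructed sample data (file names and DNs are hypothetical).
SAMPLE = {
    "sub-ca.pem": ("CN=Example Sub CA", "CN=Example Root CA"),
    "root.pem":   ("CN=Example Root CA", "CN=Example Root CA"),
    "server.pem": ("CN=www.example.org", "CN=Example Sub CA"),
    "stray.pem":  ("CN=old.example.org", "CN=Retired Sub CA"),
}

if __name__ == "__main__":
    ordered, orphans = import_order(SAMPLE)
    print("\n".join(import_commands("realmname", ordered)))
    for name in orphans:
        print("# issuer not in set, import its chain first:", name)
```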
