Hi Andreas,

I got the problem (after receiving the certificates off-list): the underlying "verify" command checks the validity of the certificates, and as you are importing expired certificates this fails :(
The best way I see to work around this with the current code base is to force the issuer to ignore verify-errors:
openxpkiadm certificate import --force-issuer --issuer eUdTvdwYCzIsTACohxEdwiscmSs --file entity.crt
If you import from different issuers, make sure you force the right one! I also created a ticket on GitHub to fix this in a future version.
best regards
Oliver

On 21.10.2016 at 08:19, Oliver Welter wrote:
> Hi Andreas,
>
> after looking into the code, the underlying problem seems to be that OpenXPKI is unable to validate the signatures on the certificates up to the root. Did you "force" anything while importing? So we have a broken chain in the database?
>
> For further assistance, can you please send me the certificate + chain and root and, if possible, the database rows from the certificate table for the root and chain certificates. If you are concerned about privacy issues posting them to the list, send it by PM.
>
> Oliver
>
> On 20.10.2016 at 18:38, [email protected] wrote:
>> Hello Oliver,
>>
>> just saw that my last mail was sent without content, so I send it again.
>>
>> I have imported the old ROOT and Sub CA certificates. Both signer tokens (old and new) are online. I also can download the old ones as bundle including Sub and ROOT CA. But when importing an old certificate that was issued by the old Sub CA then I get the following error:
>>
>> I18N_OPENXPKI_SERVER_API_DEFAULT_IMPORT_CERTIFICATE_UNABLE_TO_BUILD_CHAIN
>> __ISSUER_IDENTIFIER__: eUdTvdwYCzIsTACohxEdwiscmSs
>> __ISSUER_SUBJECT__: C=DE,ST=Saxony,L=Hoyerswerda,O=OS,OU=MS/2,CN=Sub CA 1
>>
>> Issuer identifier/subject are right.
>>
>> Kind regards / Best regards
>> Andreas Krieger
>>
>> -----Original Message-----
>> From: Oliver Welter [mailto:[email protected]]
>> Sent: Wednesday, 19 October 2016 22:00
>> To: [email protected]
>> Subject: Re: [OpenXPKI-users] issuer identifier
>>
>> Hello Andreas,
>>
>> On 19.10.2016 at 18:51, [email protected] wrote:
>>> What I try to do is to switch from OpenCA to OpenXPKI.
>>
>> I am very astonished that this piece of software is still running in the wild ;)
>>
>>> The reason is that it looks like that OpenCA is also not in development anymore (and OpenXPKI looks easier to configure). There is also a migration from SHA1 to SHA2 in progress, so I thought switching to a better CA is a good idea.
>>
>> OpenCA went mostly dead when the majority of developers moved away and founded OpenXPKI back in 2005, and so yes - it is a good idea to move over, too.
>>
>>> OpenXPKI looks great so far and I am also impressed how it works. Installing it via Debian packages was much easier than the old CA via source code :)
>>
>> We tried hard to do it better.
>>
>>> I think that we just start over with our existing ROOT CA but with new Sub CAs when going to SHA2. I was asked if it is possible to migrate all the old certificates we have on the OpenCA into the OpenXPKI. So moving 3 OpenCAs into one OpenXPKI with 3 realms was my idea. Each realm should then have the old certificates and issue new certificates. So if importing the ROOT and Sub CA certificates is not a problem, then I will do it. If I'm right, only the certificate that is marked as signing token will be used.
>>
>> This is correct, but mind that you also won't be able to create CRLs if you don't add the key and link the signing tokens. It wouldn't be a problem to add the old CAs too; the signer for new requests is always chosen based on the latest notbefore date. So having the "legacy root" fully operational to create CRLs while signing with the new SHA2 CA is no problem. Actually we do so at one of our larger customers now for the third generation of CAs.
>>
>> After importing the certs you need to tweak one thing: set the "req_key" column in the database to "-1", otherwise they won't show up in the search as they are not considered as end entity certificates.
>>
>>> By the way ... OpenCA is also using the index.txt from OpenSSL. How is OpenXPKI doing it?
>>
>> That's easy - for each CA action, the index.txt and other files for openssl are created on the fly in a temporary location.
>>
>>> Many Thanks
>>
>> You are welcome.
>>
>> best regards
>> Oliver
>>
>>> Kind regards / Best regards
>>> Andreas Krieger
>>>
>>> -----Original Message-----
>>> From: Oliver Welter [mailto:[email protected]]
>>> Sent: Wednesday, 19 October 2016 15:16
>>> To: [email protected]
>>> Subject: Re: [OpenXPKI-users] issuer identifier
>>>
>>> Hello Andreas,
>>>
>>> On 19.10.2016 at 14:04, [email protected] wrote:
>>>> I try to import a certificate with "openxpkiadm certificate import --realm 'realmname' --force-no-chain --file 'filename'". When I do this I get the following error:
>>>>
>>>> ERROR: null value in column "issuer_identifier" violates not-null constraint
>>>
>>> Well, that's a bug ;)
>>>
>>>> Would it help to add the option --issuer? But what exactly is the identifier? If I get the information from a certificate (openssl x509 ..) then I don't find anything about the issuer identifier.
>>>
>>> The identifier is defined by openxpki, so you won't get it from openssl. You can use "openxpkiadm certificate id --file <certificate>" to get the identifier from a PEM encoded certificate.
>>>
>>> But the best way would be to import the certificate with its full chain: just start with the above import command using the root certificate file and proceed with all further chain certificates. If this is not doable for you, just set the identifier to any non-empty value together with "force-issuer". Note that this might lead to unexpected behaviour if you need to build the chain for this certificate.
>>>
>>> Perhaps you can share what you intend to do, so I can give better advice.
>>>
>>> best regards
>>> Oliver
>>>
>>> --
>>> Protect your environment - close windows and adopt a penguin!
-- Protect your environment - close windows and adopt a penguin!
------------------------------------------------------------------------------ Check out the vibrant tech community on one of the world's most engaging tech sites, SlashDot.org! http://sdm.link/slashdot
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
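A pre-import check for the situation discussed in this thread, added here as an example and not part of OpenXPKI or of any message above: it works out which candidate issuer certificate actually signed a legacy certificate using signature verification alone, ignoring validity dates (the expired certificates are exactly what makes the built-in verify fail), so that --force-issuer points at the right issuer. It assumes OpenSSL 1.1.0 or newer for -no_check_time and assumes that "openxpkiadm certificate id --file" prints only the identifier.

```shell
#!/usr/bin/env bash
# Added example, not OpenXPKI code: find which candidate issuer certificate
# really signed a legacy certificate before importing it with --force-issuer.
# The signature check deliberately ignores validity dates, since the expired
# certificates are exactly the case that breaks OpenXPKI's own chain build.
# Assumes OpenSSL >= 1.1.0 (-no_check_time) and that "openxpkiadm certificate
# id --file" prints only the identifier (assumption, see the thread above).

# find_signer ENTITY CANDIDATE... : print the candidate that signed ENTITY.
# Returns 1 if no candidate did (e.g. the real issuer is not in the set).
find_signer() {
    entity="$1"; shift
    for cand in "$@"; do
        # -partial_chain: accept the candidate itself as the trust anchor
        # -no_check_time: verify signatures and chain only, not the dates
        if openssl verify -no_check_time -partial_chain \
               -CAfile "$cand" "$entity" >/dev/null 2>&1; then
            printf '%s\n' "$cand"
            return 0
        fi
    done
    return 1
}

# expiry_state CERT : print "valid" or "expired" so the operator knows
# whether a plain import would have failed on this certificate's dates.
expiry_state() {
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        echo valid
    else
        echo expired
    fi
}

# import_legacy_cert ENTITY CANDIDATE... : resolve the real issuer, look up
# its OpenXPKI identifier and run the forced import from the thread.
import_legacy_cert() {
    entity="$1"; shift
    signer=$(find_signer "$entity" "$@") || {
        echo "no candidate issuer signed $entity, refusing to force one" >&2
        return 1
    }
    echo "$entity: signed by $signer ($(expiry_state "$signer"))" >&2
    issuer_id=$(openxpkiadm certificate id --file "$signer") || return 1
    openxpkiadm certificate import --force-issuer --issuer "$issuer_id" \
        --file "$entity"
}

# Usage: ./legacy-import.sh entity.crt old-subca.pem old-root.pem ...
[ "$#" -eq 0 ] || import_legacy_cert "$@"
```

Run it once per old issuer set; a certificate for which no candidate verifies is left alone instead of being forced onto the wrong issuer.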
