Hi Martin,

On 06.06.2018 at 19:30, Martin Krämer wrote:

> This works great except if I change the KEY_PASSWORD value (e.g. instead
> of "root" I use "toor").
>
> As soon as I change the definition of secret:default:value
> within crypto.yaml to the value of KEY_PASSWORD and restart openxpki I
> can issue the crl without any problems.

The sample script does not adjust the config but only sets the passwords
for generating the keys, so this is the intended behaviour.

> My questions at this point are:
>
> 1. Do I really have to store the KEY_PASSWORD in clear text within
> crypto.yaml to be able to perform a crl_issuance?

No.

Option 1: Set the secret method from "literal" to "plain" and remove the
value. Restart the daemon and go to "PKI Operation > Manage Secret", enter
the value of the key password for the appropriate secret group. The value
will be held in the daemon until you restart it.

Option 2: You can use the "Connector" features to hold the password in an
extra file outside the configuration or use some kind of password daemon,
e.g. "KeyNanny". You can find a brief example in the "Connector" slides
from the workshop: http://www.openxpki.org/2018/05/workshop-slides

> 2. If I set KEY_PASSWORD to an empty value and due to this use a
> random KEY_PASSWORD (created by "make_password" function within
> sampleconfig.sh),
> which is different for RootCA, IssuingCA, DataVault, SCEP and WEB,
> which one do I need to store within crypto.yaml?

You need to create individual secret groups for each token type and
reference them with the "secret:" keyword, e.g.

  ca-one-signer:
    inherit: default
    secret: issuer-secret

  secret:
    issuer-secret:
      ....

HTH
Oliver

--
Protect your environment - close windows and adopt a penguin!
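As an added illustration (this is not from the original mail and not the OpenXPKI project's shipped configuration), here is a crypto.yaml fragment that puts the weak setting the thread starts from (a literal key password stored in the config file) beside the two fixes Oliver describes: method "plain" with no value on disk, and one secret group per token so that the per-token passwords generated by make_password can each be entered separately. The token names vault and scep, and the keys label, cache and total_shares, are assumptions taken from memory of the OpenXPKI sample configuration; check them against the crypto.yaml of your own installation before use.

```yaml
# Added example, not the project's shipped crypto.yaml.
# The keys `label`, `cache` and `total_shares`, and the token names
# `vault` and `scep`, are assumptions based on the sample configuration;
# verify them against your installed crypto.yaml.

# --- Weak: the key password sits in clear text in the config file. ---
# This is the state the sample script leaves you in: once KEY_PASSWORD
# changes, secret:default:value must be edited to match or CRL issuance
# fails, and anyone who can read the file has the key password.
#
# secret:
#   default:
#     label: Default secret group for this realm
#     method: literal
#     value: toor            # clear text on disk
#     cache: daemon

# --- Fixed: method "plain", no value on disk, one group per token. ---
# After each daemon restart the operator enters each password once via
# "PKI Operation > Manage Secret"; it lives only in the daemon's memory.
token:
  default:
    secret: default          # tokens inheriting from default use this group
  ca-one-signer:
    inherit: default
    secret: issuer-secret    # Issuing CA has its own (random) password
  vault:                     # DataVault token (name assumed)
    inherit: default
    secret: vault-secret
  scep:                      # SCEP token (name assumed)
    inherit: default
    secret: scep-secret

secret:
  default:
    label: Default secret group for this realm
    method: plain            # was: literal; no `value:` line any more
    total_shares: 1
    cache: daemon            # held in the daemon until restart
  issuer-secret:
    label: Issuing CA key password
    method: plain
    total_shares: 1
    cache: daemon
  vault-secret:
    label: DataVault key password
    method: plain
    total_shares: 1
    cache: daemon
  scep-secret:
    label: SCEP key password
    method: plain
    total_shares: 1
    cache: daemon
```

With this layout a token whose key was generated with its own random KEY_PASSWORD resolves to its own secret group, so the question "which one do I store?" disappears: none is stored, and each is unlocked separately in the UI. Option 2 from the mail (a Connector pointing at an external file or a password daemon such as KeyNanny) is not shown here, since its syntax depends on the connector you choose.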
_______________________________________________
OpenXPKI-users mailing list
https://lists.sourceforge.net/lists/listinfo/openxpki-users
