Thank you for the clarification.

I think using the "Connector" feature would be a good solution for me -
I'll check it :)

On Sun, Jun 10, 2018, 16:02 Oliver Welter <[email protected]> wrote:

> Hi Martin,
>
> Am 06.06.2018 um 19:30 schrieb Martin Krämer:
>
> > This works great except if I change the KEY_PASSWORD value (e.g. instead
> > of "root" I use "toor").
> >
> > As soon as I change the definition of secret:default:value
> > within crypto.yaml to the value of KEY_PASSWORD and restart openxpki I
> > can issue the crl without any problems.
>
> The sample script does not adjust the config but only sets the passwords
> for generating the keys, so this is the intended behaviour.
> > My questions at this point are:
> >
> >  1. Do I really have to store the KEY_PASSWORD in clear text within
> >     crypto.yaml to be able to perform a crl_issuance?
>
> no
>
> Option 1: Set the secret method from "literal" to "plain" and remove the
> value. Restart the daemon and go to "PKI Operation > Manage Secret",
> enter the value of the key password for the appropriate secret group. The
> value will be held in the daemon until you restart it.
>
> Option 2: You can use the "Connector" Features to hold the password in
> an extra file outside the configuration or use some kind of password
> daemon, e.g. "KeyNanny". You can find a brief example in the "Connector"
> slides from the workshop: http://www.openxpki.org/2018/05/workshop-slides
>
> >  2. If I set KEY_PASSWORD to an empty value and due to this use a
> >     random KEY_PASSWORD (created by "make_password" function within
> >     sampleconfig.sh),
> >     which is different for RootCA, IssuingCA, DataVault, SCEP and WEB,
> >     which one do I need to store within crypto.yaml?
>
> You need to create individual secret groups for each token type and
> reference them with the "secret:" keyword, e.g.
>
>   ca-one-signer:
>     inherit: default
>     secret: issuer-secret
>
>   secret:
>     issuer-secret:
>        ....
>
> HTH
>
> Oliver
>
> --
> Protect your environment -  close windows and adopt a penguin!
>
>
> ------------------------------------------------------------------------------
> Check out the vibrant tech community on one of the world's most
> engaging tech sites, Slashdot.org! http://sdm.link/slashdot
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
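The following crypto.yaml fragment puts Oliver's "Option 1" and his per-token secret groups together in one place. It is an added example written for this thread, not configuration taken from the original posts or from the OpenXPKI project; the first document is the insecure starting point and the second the hardened form. Only `method`, `value`, `inherit`, `secret` and the token name `ca-one-signer` come from the thread; the `label` and `cache` keys, the `vault` token name and the secret group names are assumptions about the layout and should be checked against the running installation's existing crypto.yaml.

```yaml
# BEFORE: the layout sampleconfig.sh leaves behind. One shared secret group
# whose cleartext value must equal KEY_PASSWORD, otherwise crl_issuance fails.
# The key password sits readable in the config file for anyone with file access.
secret:
  default:
    method: literal
    value: root            # cleartext key password stored on disk

token:
  ca-one-signer:
    inherit: default
    secret: default        # every token points at the same shared group
---
# AFTER: "Option 1" from the reply. No value is stored in the file at all.
# After a daemon restart the operator enters each password once under
# "PKI Operation > Manage Secret"; the daemon holds it in memory until the
# next restart. One group per token type lets the random per-token passwords
# generated by make_password in sampleconfig.sh be entered separately.
secret:
  issuer-secret:
    label: Issuing CA key password   # 'label' is an assumed key (UI listing)
    method: plain                    # prompt for the value, do not store it
    cache: daemon                    # assumed key name for the in-memory behaviour
  vault-secret:
    label: DataVault key password    # assumed key
    method: plain
    cache: daemon                    # assumed key

token:
  ca-one-signer:
    inherit: default
    secret: issuer-secret            # token references its own group
  vault:                             # token name is an assumption
    inherit: default
    secret: vault-secret
```

After editing, restart the daemon and confirm the token is usable only once the matching secret has been entered; a CRL issuance that succeeds before any secret was entered would mean a literal value is still being picked up somewhere in the inheritance chain. The "Option 2" connector variant is not shown because the thread only points to the workshop slides for its syntax.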