Re: [OpenXPKI-users] change workflow to not have password in key

Thu, 09 Aug 2018 09:30:46 -0700 

Hi David,
yes sure it is possible and there is more than one way to do so but you need to dig a bit deeper. 


The activities used to generate the Key/Request file do not accept an 
empty password - so if you want them to do so you need to copy them to a 
custom class and modify them.



Another option - without modifing the code - would be to either set a 
static password (easy but somewhat insecure) or generate an random 
password in the background and store it in the workflow (also not very 
secure as it is unencrypted in the database and readable by and admin) 
or use the datapool as storage (look how we handle the key to get an 
idea of how that works). Afterwards modify the export workflow to 
know/fetch the password on export.


best regards

Oliver

Am 08.08.2018 um 18:30 schrieb David Magniez:

Hello,


We want to be able to issue some certificate with server-generated 
private key, without having to prompt any password.


We checked old discussion about workflow modifications in files :

/etc/openxpki/config.d/realm/ca-one/workflow/def/certificate_signing_request_v2.yaml


And 
/etc/openxpki/config.d/realm/ca-one/workflow/global/validator/password_quality.yaml



But changing minlen :0 in password quality file does not permit to pass 
the form without entering anything.



Is that possible to have a third choice “no password” with the two 
existing password method “generate password on server” and “choose 
password yourself” ?


How can I do that ?

Have a good day,

**

*David MAGNIEZ*



------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot



_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users




--
Protect your environment -  close windows and adopt a penguin!

------------------------------------------------------------------------------
Check out the vibrant tech community on one of the world's most
engaging tech sites, Slashdot.org! http://sdm.link/slashdot
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users






















					Reply via email to