Hi,

> Hi. I installed openxpki with sampleconfig.sh and all works fine.
> But I want to change some information in the script for using in prod. I
> can't find examples.
> When I changed:
> ROOT_CA='Mycompany_root_ca'
> ROOT_CA_SERVER_FQDN='rootca.mycompany.dn.com',
> ISSUING_CA_SUBJECT='/DC=com/DC=dn/DC=mycompany/DC=ca-one/CN=OpenXPKI Issuing CA 1'
> ISSUING_CA_SUBJECT='/DC=com/DC=dn/DC=mycompany/DC=ca-one/CN=OpenXPKI CA-One SCEP RA 1'
> THAT'S all that I changed.
> Then I use the command openxpkiadm alias --realm ca-one and I can see all certs like
> in your documentation,
> then 'openxpkictl start' and open http://yourhost/openxpki/
> I see my tokens but they are offline. And CRL expired - update required!
> I pressed 'Issue a certificate revocation list(CRL)' and I got the error "Unable
> to load workflow information."
> If I press on Publish CA I get the error Unknown error (server workflow
> error on execute)
> HOW can I modify the script to use certificates with my information??
> Everything in your documentation is good except this. Could you write in
> the script comments, e.g. 'ROOT_CA='Mycompany_root_ca' or
> ISSUING_CA_SUBJECT='/DC=com/DC=dn/DC=mycompany/DC=ca-one/CN=OpenXPKI CA-One SCEP RA 1',
> what I can change in the script. One example. How can I use this
> script for production? Is it so difficult? Could you help me with this? I
> spent a few days on this problem and I can't understand why a few words in
> the config make this error

The sampleconfig.sh script is exactly this: a sample configuration. The sample configuration is NOT meant to be used in a production environment. The key material produced is not protected properly and the certificate profiles are fine for a test environment but are surely not suitable for a production setup.

Setting up a real PKI is not something you can let a script do for you. You should take the time and plan your PKI properly, plan the architecture and logical topology, properly define CA and end entity certificate profiles, define your policies and processes and design your PKI to implement the plan.

In short: I strongly recommend not to use the script in production. Generate your Root CA separately, create your Issuing CA key and CSR, have it signed by the Root CA and import the generated CA certificate in OpenXPKI with the designated administrative commands.

If you are not confident how to do this properly I recommend that you seek the support of experts on this topic.

Best regards

Martin
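
The separation described in the reply above (a Root CA created on its own, an Issuing CA that only hands over a CSR), written out with plain openssl as an added example; it is not part of the original thread and not OpenXPKI's own tooling. Subjects, curve, lifetimes, file names and the `ROOT_PASS` / `ISSUING_PASS` environment variables are assumptions, and the import into OpenXPKI is left to its administrative commands.

```shell
# Added example. Subjects, lifetimes, curve and file names are assumptions.
# ROOT_PASS and ISSUING_PASS must be set by the operator; in production the
# root key lives on an offline machine or HSM, not beside the issuing key.
build_ca_chain() (
    dir=$1
    : "${ROOT_PASS:?}" "${ISSUING_PASS:?}"
    export ROOT_PASS ISSUING_PASS
    umask 077                      # key files readable by the owner only
    mkdir -p "$dir" && cd "$dir" &&
    cat > ca.cnf <<'EOF' &&
[req]
distinguished_name = dn
[dn]
[v3_root]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
[v3_issuing]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
    # 1. Root CA: passphrase-encrypted key, self-signed certificate.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 \
        -aes-256-cbc -pass env:ROOT_PASS -out root.key &&
    openssl req -new -x509 -config ca.cnf -extensions v3_root \
        -key root.key -passin env:ROOT_PASS -sha384 -days 7300 \
        -subj "/DC=org/DC=example/CN=Example Root CA" -out root.crt &&
    # 2. Issuing CA: its own encrypted key, plus a CSR for the root to sign.
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-384 \
        -aes-256-cbc -pass env:ISSUING_PASS -out issuing.key &&
    openssl req -new -config ca.cnf -key issuing.key \
        -passin env:ISSUING_PASS -sha384 \
        -subj "/DC=org/DC=example/CN=Example Issuing CA 1" -out issuing.csr &&
    # 3. Root signs the CSR; pathlen:0 stops the issuing CA creating sub-CAs.
    openssl x509 -req -in issuing.csr -CA root.crt -CAkey root.key \
        -passin env:ROOT_PASS -CAcreateserial -sha384 -days 3650 \
        -extfile ca.cnf -extensions v3_issuing -out issuing.crt &&
    # 4. Check the chain before anything is imported into OpenXPKI.
    openssl verify -CAfile root.crt issuing.crt >/dev/null
)
```

Only `issuing.key`, `issuing.crt` and `root.crt` need to reach the OpenXPKI host; `root.key` stays where the signing was done.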
