Thanks Oliver, it's plus one step. One more question. This key is working. How can I do the same for the other keys, ca-one-signer and ca-one-scep?

    ca-one-vault:
        inherit: default
        secret: vault

    secret:
        vault:
            label: some secret group of this realm
            export: 0
            method: literal
            value: strongPassword
            cache: daemon

Hi Denis,

the passwords are in realm/ca-one/crypto.yaml, you must also make sure that the key files have the correct file names (=name of the token alias) and are readable by the OpenXPKI daemon user.

Oliver

On 04.11.2018 at 14:33, Denis wrote:
> Hi. Ok. I created a new root certificate and SCEP, DATAVAULT, SIGNER. Then
> successfully imported into the database.
> But they are offline. I can't find any information in the documentation.
> After this sentence "Here is what you need to do if you /dont/ use the
> sampleconfig script." I can't see any information what I must do
> with passwords from certificates.
> Could you tell me where I must change passwords?
>
> ---
>
> Hi,
>
> Hi. I installed openxpki with sampleconfig.sh and all works fine.
>
> But I want to change some information in the script for using in prod.
> I can't find examples.
>
> When I changed:
>
> ROOT_CA='Mycompany_root_ca'
>
> ROOT_CA_SERVER_FQDN='rootca.mycompany.dn.com',
>
> ISSUING_CA_SUBJECT='/DC=com/DC=dn/DC=mycompany/DC=ca-one/CN=OpenXPKI Issuing CA 1'
>
> ISSUING_CA_SUBJECT='/DC=com/DC=dn/DC=mycompany/DC=ca-one/CN=OpenXPKI CA-One SCEP RA 1'
>
> That's all that I changed.
>
> Then I use command openxpkiadm alias --realm ca-one and I can see all certs
> like in your documentation
>
> then 'openxpkictl start' and open http://yourhost/openxpki/
>
> I see my tokens but they are offline. And CRL expired - update required!
>
> I pressed 'Issue a certificate revocation list(CRL)' and I got error
> "Unable to load workflow information."
>
> If I press on Publish CA I'll have error Unknown error (server
> workflow error on execute)
>
> HOW can I modify the script to use certificates with my information??
>
> Everything in your documentation is good except this. Could you write
> in script comments e.g. 'ROOT_CA='Mycompany_root_ca' or
> ISSUING_CA_SUBJECT='/DC=com/DC=dn/DC=mycompany/DC=ca-one/CN=OpenXPKI CA-One
> SCEP RA 1'. What I can change in script. One example. How can I use this
> script for production? Is it so difficult? Could you help me with this? I
> spent a few days on this problem and I can't understand why a few words in
> config make this error
>
> The sampleconfig.sh script is exactly this: a sample configuration. The
> sample configuration is NOT meant to be used in a production environment. The
> key material produced is not protected properly and the certificate profiles
> are fine for a test environment but are surely not suitable for a production
> setup.
>
> Setting up a real PKI is not something you can let a script do for you.
> You should take the time and plan your PKI properly, plan the architecture
> and logical topology, properly define CA and end entity certificate profiles,
> define your policies and processes and design your PKI to implement the plan.
>
> In short: I strongly recommend not to use the script in production.
> Generate your Root CA separately, create your Issuing CA key and CSR, have it
> signed by the Root CA and import the generated CA certificate in OpenXPKI
> with the designated administrative commands.
>
> If you are not confident how to do this properly I recommend that you
> seek the support of experts on this topic.
>
> Best regards
>
> Martin
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected] <mailto:[email protected]>
> https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
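The three conditions named in Oliver's reply (passphrase as set in crypto.yaml, key file named after the token alias, file readable by the daemon user) can be checked per key with a small script. This is an added example, not part of the thread or of OpenXPKI; the `<dir>/<alias>.pem` layout and the function name `check_token_key` are assumptions, so take the real key path from your own token configuration.

```shell
#!/bin/sh
# Added example (not OpenXPKI code): pre-flight check for one token key file.
# Run it as the OpenXPKI daemon user so the readability test reflects what
# the daemon will see (root can read everything, so do not run it as root).
#
# Assumption: keys live at <dir>/<alias>.pem; adjust to your token config.
# Arguments: key directory, token alias, passphrase from crypto.yaml.
check_token_key() {
    dir=$1
    tok=$2
    pass=$3
    key="$dir/$tok.pem"

    # 1. The file name must match the token alias.
    if [ ! -f "$key" ]; then
        echo "MISSING $key"
        return 1
    fi

    # 2. The user running this check must be able to read the file.
    if [ ! -r "$key" ]; then
        echo "UNREADABLE $key"
        return 2
    fi

    # 3. The configured passphrase must decrypt the key. It is handed to
    #    openssl through the environment so it does not appear in argv.
    if ! KEYPASS="$pass" openssl pkey -in "$key" -passin env:KEYPASS \
            -noout 2>/dev/null; then
        echo "BADPASS $key"
        return 3
    fi

    echo "OK $key"
    return 0
}

# Usage (placeholders, one call per signer, SCEP and vault alias):
#   check_token_key /path/to/keys/ca-one <token-alias> "$PASSPHRASE"
```

A token whose check returns anything other than `OK` is one the daemon cannot load with the current file name, permissions or passphrase.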
