Works! :) Denis, you must add this information to the Quickstart guide! It's easy but I spent many hours. Place before this sentence """Now it is time to see if anything is fine:"""

########Example##############

If you use password for your keys you must add them to the file /etc/openxpki/config.d/realm/ca-one/crypto.yaml

You need to create a secret group for each key. Examples:

    ca-one-vault:
        inherit: default
        secret: vault

    ca-one-signer:
        inherit: default
        secret: signer

    secret:
        vault:
            label: some secret group of this realm
            export: 0
            method: literal
            value: YourFirstPassword
            cache: daemon
        signer:
            label: another secret group of this realm
            export: 0
            method: literal
            value: YourSeconfPassword
            cache: daemon

==========================

If you need more secure settings, you can use the "Connector" Features to hold the password in an extra file outside the configuration or use some kind of password daemon, e.g. "KeyNanny". You can find a brief example in the "Connector" slides from the workshop:
http://www.openxpki.org/2018/05/workshop-slides

######################

Have a nice day and thanx.

Thanx Oliver, it's plus one step. One more question. This key is working. How I can do the same for others keys? ca-one-signer and ca-one-scep

    ca-one-vault:
        inherit: default
        secret: vault

    secret:
        vault:
            label: some secret group of this realm
            export: 0
            method: literal
            value: strongPassword
            cache: daemon

Hi Denis,

the passwords are in realm/ca-one/crypto.yaml, you must also make sure that the key files have the correct file names (=name of the token alias) and are readable by the OpenXPKI daemon user.

Oliver

On 04.11.2018 at 14:33, Denis wrote:
> Hi. Ok. I created new root certificate and SCEP, DATAVAULT, SIGNER. Then
> successfully imported into the database.
> But they offline. I can't find any information in the documentation.
> After this sentence """Here is what you need to do if you /dont/ use the
> sampleconfig script.""" I can't see any information what I must do
> with passwords from certificates/
> Could you tell me where I must change passwords?
>
>
> ---
>
> Hi,
>
> > Hi. I installed openxpki with sampleconfig.sh and all works fine.
> > But I want to change some information in the script for using in prod.
> > I can't find examples.
> >
> > When I changed:
> >
> > ROOT_CA='Mycompany_root_ca'
> >
> > ROOT_CA_SERVER_FQDN='rootca.mycompany.dn.com',
> >
> > ISSUING_CA_SUBJECT='/DC=com/DC=dn/DC=mycompany/DC=ca-one/CN=OpenXPKI Issuing CA 1'
> >
> > ISSUING_CA_SUBJECT='/DC=com/DC=dn/DC=mycompany/DC=ca-one/CN=OpenXPKI CA-One SCEP RA 1'
> >
> > THAT'S all that I changed.
> >
> > Then I use command openxpkiadm alias --realm ca-one I can see all cert
> > like in your documentation
> >
> > then 'openxpkictl start' and open http://yourhost/openxpki/
> >
> > I see my tokens but they offline. And CRL expired - update required!
> >
> > I pressed 'Issue a certificate revocation list(CRL)' and I got error
> > "Unable to load workflow information."
> >
> > If I press on Publish CA I'll have error Unknown error (server
> > workflow error on execute)
> >
> > HOW I can modify script for use certificate with my information??
> >
> > Everything in your documentation is good except this. Could you write
> > in script comments e.g. 'ROOT_CA='Mycompany_root_ca' or
> > ISSUING_CA_SUBJECT='/DC=com/DC=dn/DC=mycompany/DC=ca-one/CN=OpenXPKI CA-One
> > SCEP RA 1'. What I can change in script. One example. How I can use this
> > script for production? Is it so difficult? Could you help me with this? I
> > spent a few days for this problem and I can't understand why few words in
> > config make this error
>
> The sampleconfig.sh script is exactly this: a sample configuration. The
> sample configuration is NOT meant to be used in a production environment. The
> key material produced is not protected properly and the certificate profiles
> are fine for a test environment but are surely not suitable for a production
> setup.
>
> Setting up a real PKI is not something you can let a script do for you.
> You should take the time and plan your PKI properly, plan the architecture
> and logical topology, properly define CA and end entity certificate profiles,
> define your policies and processes and design your PKI to implement the plan.
>
> In short: I strongly recommend not to use the script in production.
> Generate your Root CA separately, create your Issuing CA key and CSR, have it
> signed by the Root CA and import the generated CA certificate in OpenXPKI
> with the designated administrative commands.
>
> If you are not confident how to do this properly I recommend that you
> seek the support of experts on this topic.
>
> Best regards
>
> Martin
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> <mailto:[email protected]>
> https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
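The two conditions Oliver names for the key files (file name equal to the token alias, readable by the OpenXPKI daemon user) can be checked mechanically. The sketch below is an added example, not part of the thread and not OpenXPKI code; the `<key_dir>/<alias>.pem` layout, the function names and the extra check for access by other users are assumptions.

```python
import os
import stat
import tempfile

def world_accessible(path):
    """True if users outside owner and group can read or write the file."""
    return bool(os.stat(path).st_mode & (stat.S_IROTH | stat.S_IWOTH))

def can_read(path, uid, gids):
    """Evaluate the owner/group/other read bits as applied to a non-root uid."""
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IRUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IRGRP)
    return bool(st.st_mode & stat.S_IROTH)

def check_token_keys(key_dir, aliases, uid, gids, suffix=".pem"):
    """Return {alias: problem} for each token alias whose key file is unusable or exposed."""
    problems = {}
    for alias in aliases:
        # Assumed layout: the key file is named after the token alias.
        path = os.path.join(key_dir, alias + suffix)
        if not os.path.isfile(path):
            problems[alias] = "missing key file " + path
        elif not can_read(path, uid, gids):
            problems[alias] = "not readable by daemon uid %d" % uid
        elif world_accessible(path):
            problems[alias] = "accessible by other users"
    return problems

if __name__ == "__main__":
    # Constructed demo: empty placeholder files in a temp dir, checked
    # against the current user instead of a real daemon account.
    demo = tempfile.mkdtemp()
    for name, mode in (("ca-one-vault.pem", 0o600), ("ca-one-signer.pem", 0o644)):
        p = os.path.join(demo, name)
        open(p, "w").close()
        os.chmod(p, mode)
    aliases = ["ca-one-vault", "ca-one-signer", "ca-one-scep"]
    found = check_token_keys(demo, aliases, os.geteuid(), {os.getegid()})
    for alias, why in found.items():
        print(alias + ": " + why)
```

Only the classic mode bits are evaluated, so POSIX ACLs are not taken into account. `world_accessible()` can also be pointed at crypto.yaml, which holds the passwords in clear text when `method: literal` is used.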
