Hi Timo, the short answer - don't do it, it's not supported.

A bit longer answer - what you are trying to do is exactly what realms are made for in OpenXPKI. Issuer override was a "hack" to allow usage of "older" tokens after a CA rollover (we used that during the SHA1 -> SHA2 upgrade for a customer) and it was not designed to switch between token groups. This might work but you need to add the new group in several other places too to make all parts work. I suggest to make a grep for "certsign" in config and code to check what's needed.

Oliver

On 16.04.19 at 15:13, Klimmeck, Timo wrote:
> Hi all,
>
> currently we are trying to have multiple CAs in one realm. The final
> state should allow us to have certain profiles linked to single CAs.
>
> For example we have two CAs in one realm. We want all requests in this
> realm for i.e. TLS to be signed by one of the CAs and all People (secure
> e-mail / authentication) to be signed by the other one.
>
> So far we have changed "AlwaysFalse" to "AlwaysTrue" as stated in
> certificate_signing_request_v2.yaml:
>
>     # The default is to autodetect the issuer token, in case you want to
>     # give the Ra Operator the option to select a special CA Token for
>     # signing, set this to AlwaysTrue. Note that this works only with the
>     # default "NICE::Local" implementation and has some limitations.
>     allow_isuer_override:
>         class: OpenXPKI::Server::Workflow::Condition::AlwaysFalse
>
> And imported two certificates into two different token groups:
>
>     root@openxpki:/etc/openxpki/ssl/ca-two# openxpkiadm alias --realm ca-two
>
>     === functional token ===
>     ca-one-vault (datasafe):
>     Alias     : ca-one-vault-1
>     Identifier: jDZTDiCM2oXB9tdsvA0plEYCyas
>     NotBefore : 2019-03-05 13:28:53
>     NotAfter  : 2029-03-07 13:28:53
>
>     ca-one-scep (scep):
>     not set
>
>     ca-one-signer (certsign):
>     Alias     : ca-one-signer-1
>     Identifier: -V4REbtuR4s8NHQ3Dnb-uaiiTSk
>     NotBefore : 2019-04-16 12:05:21
>     NotAfter  : 2022-01-10 12:05:21
>
>     ca-one-signer-2 (certsign2):
>     Alias     : ca-one-signer-2-1
>     Identifier: oQnAm63BtRPHajxsWv-r9qlm1x8
>     NotBefore : 2019-04-16 12:22:15
>     NotAfter  : 2022-01-10 12:22:15
>
>     === root ca ===
>     current root ca:
>     Alias     : root-1
>     Identifier: E7zcJADBdEqKPwvX8oqmuR_-LtQ
>     NotBefore : 2019-03-05 13:28:51
>     NotAfter  : 2029-03-07 13:28:51
>
>     upcoming root ca:
>     not set
>
> We also changed the system/crypto.yaml file:
>
>     # API classs to be used for different types of realm tokens
>     # Undefined values default to OpenXPKI::Crypto::Backend::API
>     tokenapi:
>         certsign: OpenXPKI::Crypto::Backend::API
>         crlsign: OpenXPKI::Crypto::Backend::API
>         datasafe: OpenXPKI::Crypto::Backend::API
>         # scep: OpenXPKI::Crypto::Tool::LibSCEP::API
>         scep: OpenXPKI::Crypto::Tool::SCEP::API
>         certsign2: OpenXPKI::Crypto::Backend::API
>
> So far the second CA is not shown.
>
>     Token Alias      Identifier                   Status  not Before               not After
>     ca-one-signer-1  -V4REbtuR4s8NHQ3Dnb-uaiiTSk  ONLINE  2019-04-16 12:05:21 UTC  2022-01-10 12:05:21 UTC
>
> Can you please tell us what we forgot and how the configuration needs
> to look?
>
> Thanks a lot in advance.
>
> Best Regards,
>
> Timo Klimmeck
> Working student
> Compliance & Information Security department
>
> E-Mail: [email protected]
> Web: www.adesso-service.com
>
> adesso as a service GmbH
> Stockholmer Allee 24
> 44269 Dortmund
>
> adesso as a service GmbH · Registered office: Dortmund · Dortmund District Court HRB 25321 · Managing directors: Stefan Schmitt, Christopher Schmelter
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
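As an added illustration of the realm-per-CA layout Oliver recommends instead of a second certsign group in one realm (this is not configuration from the thread or from the OpenXPKI project; the realm names ca-tls and ca-people, the file paths and the `type:` mapping are assumptions modelled on the stock OpenXPKI config layout, and the token backend definitions are left out):

```yaml
# Assumed layout: one realm per issuing CA, each realm binding the
# certsign type to exactly one token group. Profiles (TLS, People)
# then live in the realm whose CA should issue them, so no
# issuer override condition is needed.

# --- system/realms.yaml (assumed file): register both realms ---
ca-tls:
  label: TLS Issuing CA        # constructed label
ca-people:
  label: People Issuing CA     # constructed label

# --- realm/ca-tls/crypto.yaml (assumed file) ---
# Group names reuse those shown in the thread's openxpkiadm output.
type:
  certsign: ca-one-signer      # only issuer visible in this realm
  datasafe: ca-one-vault
  scep: ca-one-scep

# --- realm/ca-people/crypto.yaml (assumed file) ---
type:
  certsign: ca-one-signer-2    # plain certsign type, no "certsign2"
  datasafe: ca-one-vault       # alias must also be imported into this realm

# Aliases are stored per realm, so the second CA's token is imported
# into its own realm with the standard certsign type, e.g.
#   openxpkiadm alias --realm ca-people --token certsign \
#       --file <PLACEHOLDER cert.pem> --key <PLACEHOLDER key.pem>
# and system/crypto.yaml keeps only the standard tokenapi entries.
```

Check the result with `openxpkiadm alias --realm ca-people`, which should list the second signer under "certsign" rather than under a custom group type.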
