Hi Stijn,

thanks to your hint I found a first primitive solution to fix the problem by changing the /etc/openxpki/config.d/realm/democa/crypto.yaml as shown below.

To use the sampleconfig.sh with random passwords I performed the following steps:

1. Uncomment line KEY_PASSWORD="root"
2. Uncomment the four lines openxpkiadm certificate.
3. Run sampleconfig.sh
4. Changed the crypto.yaml file (.pass files in /etc/openxpki/ca/democa/)
5. Run the four lines openxpkiadm manually

    openxpkiadm certificate import --file "/etc/openxpki/ca/democa/OpenXPKI_Root_CA.crt"
    openxpkiadm certificate import --file "/etc/openxpki/ca/democa/OpenXPKI_DataVault.crt" --realm "democa" --token datasafe --key /etc/openxpki/ca/democa/OpenXPKI_DataVault.key
    openxpkiadm certificate import --file "/etc/openxpki/ca/democa/OpenXPKI_Issuing_CA.crt" --realm "democa" --token certsign --key /etc/openxpki/ca/democa/OpenXPKI_Issuing_CA.key
    openxpkiadm certificate import --file "/etc/openxpki/ca/democa/OpenXPKI_SCEP_RA.crt" --realm "democa" --token scep --key /etc/openxpki/ca/democa/OpenXPKI_SCEP_RA.key

By the way, the 'root' password is defined in /etc/openxpki/config.d/system/crypto.yaml in the section secrets: default: and is used by inheritance for all tokens if the realm's crypto.yaml is not modified.

So thanks for the hint!

Regards
Florian
##### changes in crypto.yaml ####
.
  ca-signer:
    inherit: default
    key_store: DATAPOOL
    key: "[% ALIAS %]"
    secret: ca-signer
  vault:
    inherit: default
    key: /etc/openxpki/ca/[% ALIAS %].pem
    secret: vault
  scep:
    inherit: default
    backend: OpenXPKI::Crypto::Tool::LibSCEP
    key_store: DATAPOOL
    key: "[% ALIAS %]"
    secret: scep

# Define the secret groups
secret:
  default:
    # this lets OpenXPKI use the secret of the same name from system.crypto
    # if you do not want to share the secret just replace this line with
    # the config found in system.crypto. You can create additional secrets
    # by adding similar blocks with another key
    import: 1
  ca-signer:
    label: CA signer group
    method: literal
    value: <content of OpenXPKI_Issuing_CA.pass>
  vault:
    label: Vault group
    method: literal
    value: <content of OpenXPKI_DataVault.pass>
  scep:
    label: SCEP group
    method: literal
    value: <content of OpenXPKI_SCEP_RA.pass>
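As an added illustration (not part of Florian's mail or of the OpenXPKI project), the following Python script checks a realm crypto.yaml for exactly the mismatch described in this thread: every token must name a secret group that exists, and when the keys were generated with random passwords the group's literal value must equal the passphrase written to the corresponding .pass file; a group that only says `import: 1` inherits the system default (`root` here), which is what leaves vault-1 and ca-signer-1 offline. It assumes tokens sit under a top-level `token:` key as in the shipped democa config, that the file uses only indented mappings of scalars (so a tiny parser suffices and no PyYAML is needed), and that the .pass contents are handed in as a dict keyed by token name; the two configs and the passphrases are constructed sample data.

```python
# Added example (not from the thread or the OpenXPKI project): lint a realm
# crypto.yaml so the secret/.pass mismatch is caught before the server starts.
# Assumptions: tokens sit under a top-level 'token:' key, the file uses only
# indented mappings of scalars, and the .pass contents are a dict per token.

SYSTEM_DEFAULT_SECRET = "root"  # secret.default in system/crypto.yaml, per the thread


def parse_yaml_subset(text):
    # Nested mappings of scalars only (what crypto.yaml uses); comments skipped.
    root = {}
    stack = [(-1, root)]  # (indent, mapping) from the root down to the current node
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        key, sep, value = raw.strip().partition(":")
        if not sep:
            raise ValueError(f"unsupported line: {raw!r}")
        while stack[-1][0] >= indent:  # climb back out to the enclosing mapping
            stack.pop()
        parent, value = stack[-1][1], value.strip()
        if value:
            parent[key] = value.strip("\"'")
        else:
            parent[key] = {}
            stack.append((indent, parent[key]))
    return root


def resolve_token(tokens, name, depth=0):
    # Apply 'inherit: <parent>' the way the realm config merges token definitions.
    spec = dict(tokens[name])
    parent = spec.pop("inherit", None)
    if parent in tokens and depth < 5:
        merged = resolve_token(tokens, parent, depth + 1)
        merged.update(spec)
        return merged
    return spec


def check_token_secrets(realm_yaml, pass_files, system_default=SYSTEM_DEFAULT_SECRET):
    # Returns findings; an empty list means every generated key can be unlocked.
    cfg = parse_yaml_subset(realm_yaml)
    tokens, groups = cfg.get("token", {}), cfg.get("secret", {})
    findings = []
    for name in tokens:
        expected = pass_files.get(name)
        group_name = resolve_token(tokens, name).get("secret")
        if expected is None or group_name is None:
            continue  # no generated key for this token, nothing to unlock
        group = groups.get(group_name)
        if group is None:
            findings.append(f"{name}: secret group '{group_name}' is not defined")
        elif group.get("import") == "1":  # inherited from system.crypto
            if system_default != expected:
                findings.append(f"{name}: inherited system default for group "
                                f"'{group_name}' does not match the .pass file")
        elif group.get("method") == "literal":
            if group.get("value") != expected:
                findings.append(f"{name}: literal secret in group '{group_name}' "
                                f"does not match the .pass file")
        else:
            findings.append(f"{name}: group '{group_name}' must be unlocked manually")
    return findings


# Constructed sample: the shipped state, every token inheriting the default secret.
BEFORE_FIX = """
token:
  default:
    secret: default
  ca-signer:
    inherit: default
  vault:
    inherit: default
  scep:
    inherit: default
secret:
  default:
    import: 1
"""

# Constructed sample: the fix from the thread, one literal secret group per token.
AFTER_FIX = """
token:
  default:
    secret: default
  ca-signer:
    inherit: default
    secret: ca-signer
  vault:
    inherit: default
    secret: vault
  scep:
    inherit: default
    secret: scep
secret:
  default:
    import: 1
  ca-signer:
    method: literal
    value: Q7vJ2xkP9mLwB4nRt6ZcHd8F
  vault:
    method: literal
    value: s3Yg0KpW5tNcE1xMu9BzRq4L
  scep:
    method: literal
    value: hT8eD2vLq6Pm1XnKc4WrZj0S
"""

PASS_FILES = {  # constructed stand-ins for the .pass files, keyed by token name
    "ca-signer": "Q7vJ2xkP9mLwB4nRt6ZcHd8F",  # OpenXPKI_Issuing_CA.pass
    "vault": "s3Yg0KpW5tNcE1xMu9BzRq4L",      # OpenXPKI_DataVault.pass
    "scep": "hT8eD2vLq6Pm1XnKc4WrZj0S",       # OpenXPKI_SCEP_RA.pass
}
```

Running `check_token_secrets(BEFORE_FIX, PASS_FILES)` reports all three tokens as relying on the inherited `root` default, while `check_token_secrets(AFTER_FIX, PASS_FILES)` returns no findings. A token whose group uses another method (for example one entered by an RA in the GUI, as Stijn mentions) is reported as needing manual unlock rather than treated as an error.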
From: Stijn Adriaensens <[email protected]>
Sent: Tuesday, 22 September 2020 12:35
To: [email protected]
Subject: Re: [OpenXPKI-users] sampleconfig.sh fails for key password unequal 'root'

Hi Florian,

You will most likely still have to set the passwords in crypto.yaml (configure the security tokens).
See also https://openxpki.readthedocs.io/en/stable/operation/tokenconfig.html

When this is configured, a RA will have to unlock the tokens in the GUI (depending on the token configuration).

Stijn

From: [email protected]
Sent: Sunday, 20 September 2020 19:38
To: [email protected]
Subject: [OpenXPKI-users] sampleconfig.sh fails for key password unequal 'root'
Hi,
I did a first installation of OpenXPKI using a Hyper-V machine on which Debian 10 is installed. When following the instructions in the quickstart guide and using the sampleconfig.sh everything went fine and I got a running system.

My second try was to set the KEY_PASSWORD in the sampleconfig.sh line 27 to an empty string to get the random passwords as described in the comment above (beginning from a snapshot before executing the sampleconfig.sh).

When executing this sampleconfig.sh the script ended at line 350

    openxpkiadm certificate import --file "${SCEP_CERTIFICATE}" --realm "${REALM}" --token scep --key ${SCEP_KEY}

without any further message (see complete output below).

I uncommented the line 350 in sampleconfig.sh and the script executed until the end. Then I tried to execute the uncommented command manually and got an error message:
######################## Manually executing line 350 ##############################
root@openxpki:~# openxpkiadm certificate import --file "/etc/openxpki/ca/democa/OpenXPKI_SCEP_RA.crt" --realm "democa" --token scep --key /etc/openxpki/ca/democa/OpenXPKI_SCEP_RA.key
Starting import
Successfully imported certificate into database:
Subject: CN=openxpki:scep-ra
Issuer: CN=OpenXPKI Demo Issuing CA 1,OU=PKI,O=OpenXPKI,C=DE
Identifier: gdW_edXq10TxR9e4nryvq9pj-ok
Realm: democa
Successfully created alias in realm democa:
Alias : scep-1
Identifier: gdW_edXq10TxR9e4nryvq9pj-ok
NotBefore : 2020-09-20 16:51:38
NotAfter : 2021-09-20 16:51:38
2020/09/20 12:52:18 Encryption key needed to decrypt password safe entry is unavailable
Error running command: Encryption key needed to decrypt password safe entry is unavailable at /usr/share/perl5/OpenXPKI/Client/Simple.pm line 352.
##############################################################################
Also the system status page says that system status is critical:
* Active encryption token: not available (vault-1)
* ca-signer-1: Offline
* vault-1: Offline
I did some further investigation with the following results:
* The behavior occurs when the KEY_PASSWORD for the ISSUING_CA_CERTIFICATE and/or DATAVAULT_CERTIFICATE is unequal 'root', for all other certificates the KEY_PASSWORD can be changed without errors
* I get the same behavior when following the instructions to manually import the certificates without the sampleconfig.sh
So what did I miss?
Thanks for any help!
Regards,
Florian
####################### OpenXPKI version #########################
root@openxpki:~# openxpkiadm version
Version (core): 3.6.1
###################### Debian version ############################
root@openxpki:~# hostnamectl
Static hostname: openxpki
Icon name: computer-vm
Chassis: vm
Machine ID: xxx
Boot ID: xxx
Virtualization: microsoft
Operating System: Debian GNU/Linux 10 (buster)
Kernel: Linux 4.19.0-10-amd64
Architecture: x86-64
#################### output when KEY_PASSWORD="" ################
root@openxpki:~# ./openxpkiconfig.sh
creating configuration for openssl () .. done.
Creating certificates ..
Did not find a root ca certificate file.
Creating an own self signed root ca .. done.
Did not find existing issuing CA key file.
Creating an issuing CA request .. done.
Signing issuing certificate with own root CA .. done.
Did not find existing DataVault certificate file.
Creating a self signed DataVault certificate .. done.
Did not find existing SCEP certificate file.
Creating a SCEP request .. done.
Signing SCEP certificate with Issuing CA .. done.
Did not find existing WEB certificate file.
Creating a Web request .. done.
Signing Web certificate with Issuing CA .. done.
Starting server before running import ... Starting OpenXPKI...
OpenXPKI Server is running and accepting requests.
DONE.
Successfully imported certificate into database:
Subject: CN=OpenXPKI Root CA 1
Issuer: CN=OpenXPKI Root CA 1
Identifier: LB4x3M9GxkmssZu46AW-krr56mQ
Realm: none
Successfully imported certificate into database:
Subject: CN=Internal DataVault
Issuer: CN=Internal DataVault
Identifier: Rid8uEyPnXjJt7uSEbnsqkmDWps
Realm: democa
Successfully created alias in realm democa:
Alias : vault-1
Identifier: Rid8uEyPnXjJt7uSEbnsqkmDWps
NotBefore : 2020-09-20 16:47:10
NotAfter : 2030-09-23 16:47:10
Successfully wrote key to /etc/openxpki/ca/vault-1.pem
Successfully imported certificate into database:
Subject: CN=OpenXPKI Demo Issuing CA 1,OU=PKI,O=OpenXPKI,C=DE
Issuer: CN=OpenXPKI Root CA 1
Identifier: UoyhwCJhZgXnae3yJ2WMCbp4gUk
Realm: democa
Successfully created alias in realm democa:
Alias : ca-signer-1
Identifier: UoyhwCJhZgXnae3yJ2WMCbp4gUk
NotBefore : 2020-09-20 16:47:09
NotAfter : 2025-09-22 16:47:09
Successfully wrote key to datapool with key 'ca-signer-1'
Token is certsign, looking for root...
Creating alias for root ca:
Alias : root-1
Identifier: LB4x3M9GxkmssZu46AW-krr56mQ
NotBefore : 2020-09-20 16:47:09
NotAfter : 2030-09-23 16:47:09
Successfully imported certificate into database:
Subject: CN=openxpki:scep-ra
Issuer: CN=OpenXPKI Demo Issuing CA 1,OU=PKI,O=OpenXPKI,C=DE
Identifier: iKyRrZN3zrK4eKkLVPDB_UMSozM
Realm: democa
Successfully created alias in realm democa:
Alias : scep-1
Identifier: iKyRrZN3zrK4eKkLVPDB_UMSozM
NotBefore : 2020-09-20 16:47:10
NotAfter : 2021-09-20 16:47:10
root@openxpki:~#
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users