Hi Martin,

I'm still in the tryout phase of PKI systems and I'm aware that the sampleconfig.sh is not to be used for productive environments. But unfortunately the documentation of OpenXPKI is missing so many details that it was impossible for me to get a productive running system just following the documentation. So I started to inspect the sampleconfig.sh to find the missing parts (e.g. the whole setup stuff of the apache webserver at the end of the script) and to make little changes to get closer to a production environment step by step - and there I got stuck when changing the passwords for the certificate keys. The whole token-secret group construct is great, but for a beginner it is not really self-explanatory...

Anyway, thanks for your response and your advice!

Regards
Florian

-----Original Message-----
From: Martin Bartosch via OpenXPKI-users <[email protected]>
Sent: Tuesday, 22 September 2020 16:25
To: [email protected]
Cc: Martin Bartosch <[email protected]>
Subject: Re: [OpenXPKI-users] sampleconfig.sh fails for key password unequal 'root'

Hi,

> I did a first installation of OpenXPKI using a Hyper-V machine on which Debian 10 is installed. When following the instructions in the quickstart guide and using the sampleconfig.sh everything went fine and I got a running system.
>
> My second try was to set the KEY_PASSWORD in the sampleconfig.sh line 27 to an empty string to get the random passwords as described in the comment above (beginning from a snapshot before executing the sampleconfig.sh).
> When executing this sampleconfig.sh the script ended at line 350
> openxpkiadm certificate import --file "${SCEP_CERTIFICATE}" --realm
> "${REALM}" --token scep --key ${SCEP_KEY}
> without any further message (see complete output below).

Good to hear you got it working.

Please note that the sampleconfig script is only that - a quick way to get a working system up and running so you can have a peek at the software. It is not intended to give you a PKI you could actually use in production.

If you are wondering about the security of the CA passphrase of this setup you are likely about to follow a non-optimal path, let's say.

As mentioned earlier on the list you need to design your PKI properly before you get to the point where you actually configure the system according to the design. And at that point you wouldn't use sampleconfig.sh.

Cheers

Martin

_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
