Hi John, there is some documentation about the crypto.yaml on Read the Docs.
If you need additional documentation or personal support please check the website for our commercial offerings.

Oliver

Am 10.11.20 um 14:53 schrieb John Lemona:
> Hi,
>
> Thank you for your help Oliver !!
> I have modified my realms.crypto file and the status of my system is good.
> My tokens are online. I didn't use the import function but I directly
> added my tokens and .pass file in the same file.
>
> Is there any special documentation for the configuration of the crypto file?
> Here is the result below, do you think it is correct and do you have
> recommendations if not?
> (I also have a doubt about the SCEP section)
>
> type:
>   certsign: ca-signer
>   datasafe: vault
>   scep: scep
>
> token:
>   ca-signer:
>     backend: OpenXPKI::Crypto::Backend::OpenSSL
>     api: OpenXPKI::Crypto::Backend::API
>     engine: OpenSSL
>     engine_section: ''
>     engine_usage: ''
>     key_store: OPENXPKI
>     shell: /usr/bin/openssl
>     wrapper: ''
>     randfile: /var/openxpki/rand
>     secret: ca-signer
>     key: /etc/openxpki/ca/prod/openXPKI_Issuing_CA.key
>
>   vault:
>     backend: OpenXPKI::Crypto::Backend::OpenSSL
>     api: OpenXPKI::Crypto::Backend::API
>     engine: OpenSSL
>     engine_section: ''
>     engine_usage: ''
>     key_store: OPENXPKI
>     shell: /usr/bin/openssl
>     wrapper: ''
>     randfile: /var/openxpki/rand
>     secret: vault
>     key: /etc/openxpki/ca/prod/vault-1.pem
>
>   scep:
>     backend: OpenXPKI::Crypto::Tool::LibSCEP
>     api: OpenXPKI::Crypto::Tool::LibSCEP::API
>     engine: OpenSSL
>     engine_section: ''
>     engine_usage: ''
>     key_store: DATAPOOL
>     shell: /usr/bin/openssl
>     wrapper: ''
>     randfile: /var/openxpki/rand
>     secret: scep
>     key: /etc/openxpki/ca/prod/openXPKI_SCEP_CA.key
>
> #############################
>
> secret:
>   vault:
>     label: VAULT SECRET
>     export: 0
>     method: literal
>     value: XvDSzVLn3xxxxxxxxxxxxxxxxxxxxxxxxx=
>
>   ca-signer:
>     label: CA-SIGNER SECRET
>     export: 0
>     method: literal
>     value: /WhT6xxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
>
>   scep:
>     label: SCEP SECRET
>     export: 0
>     method: literal
>     value: 7rEXLV1xxxxxxxxxxxxxxxxxxxxxxxxxxxx=
>
> Thank you for your help.
> Best regards,
>
> ------------------------------------------------------------------------
> *From:* Oliver Welter <[email protected]>
> *Sent:* Monday, November 9, 2020 4:43 PM
> *To:* [email protected] <[email protected]>
> *Subject:* Re: [OpenXPKI-users] edit : Token not available - Unable to load signing key file
>
> Hi,
>
> it looks like you are mixing up the crypto.yaml in system and in your
> realm - those are separate files!
>
> Your key/token definitions MUST be in the realms crypto.yaml, the
> secrets MUST also be defined there but CAN use the "import" syntax
> which loads the definitions from the system/crypto.yaml.
>
> Oliver
>
> Am 09.11.20 um 12:08 schrieb John Lemona:
>> Hi,
>>
>> I followed the quickstart guide for the installation of the solution
>> and the configuration of my realm.
>> I set an empty value for KEY_PASSWORD (line 27) in the demo shell script
>> named "sampleconfig.sh" to get random passwords in all .pass files.
>>
>> So, the .pass files contain a random base64 password and the openxpki user
>> can read all .pass files :
>>
>> myrealm/OpenXPKI_Issuing_CA.pass
>> myrealm/OpenXPKI_Root_CA.pass
>> myrealm/OpenXPKI_SCEP_CA.pass
>> myrealm/OpenXPKI_Datavault.pass
>>
>> I have modified the crypto.yaml file to set the different values
>> of the .pass files, but I think I don't understand how
>> the crypto.yaml file is constructed.
>>
>> My crypto.yaml file looks like this :
>>
>> # API class to be used for different types of *realm* tokens
>> # Undefined values default to OpenXPKI::Crypto::Backend::API
>> tokenapi:
>>   certsign: OpenXPKI::Crypto::Backend::API
>>   crlsign: OpenXPKI::Crypto::Backend::API
>>   datasafe: OpenXPKI::Crypto::Backend::API
>>   scep: OpenXPKI::Crypto::Tool::LibSCEP::API
>>
>> #TEST <
>> type:
>>   certsign: ca-signer
>>   datasafe: vault
>>   scep: scep
>> #TEST >
>>
>> # System wide token (non key based tokens)
>> token:
>>   default:
>>     backend: OpenXPKI::Crypto::Backend::OpenSSL
>>     api: OpenXPKI::Crypto::Backend::API
>>     engine: OpenSSL
>>     key_store: OPENXPKI
>>     # OpenSSL binary location
>>     shell: /usr/bin/openssl
>>
>>     # OpenSSL binary call gets wrapped with this command
>>     wrapper: ''
>>
>>     # random file to use for OpenSSL
>>     randfile: /var/openxpki/rand
>>
>>   javaks:
>>     backend: OpenXPKI::Crypto::Tool::CreateJavaKeystore
>>     api: OpenXPKI::Crypto::Tool::CreateJavaKeystore::API
>>     engine: OpenSSL
>>     key_store: OPENXPKI
>>     shell: /usr/bin/keytool
>>     randfile: /var/openxpki/rand
>>
>> #TEST <
>>   vault:
>>     inherit: default
>>     key: /etc/openxpki/ca/myrealm/OpenXPKI_DataVault.key
>>
>>   ca-signer:
>>     inherit: default
>>     key: /etc/openxpki/ca/myrealm/OpenXPKI_Root_CA.key
>>
>>   scep:
>>     inherit: default
>>     key: /etc/openxpki/ca/myrealm/OpenXPKI_SCEP_CA.key
>> #TEST >
>>
>> # Secret group to be shared in all realms
>> secret:
>>   default:
>>     label: Global secret group
>>     export: 0
>>     method: literal
>>     value: root
>>     #value: OFyBqMr4xqaVNV+Xxxxxxxxxxxxxxxxxxb1n14fiwAtvU=
>>
>>     # if you want to enter the password after startup via the Webui
>>     # replace method and value above with this block, kcv is optional
>>     # but highly recommended as wrong passwords let the engine crash
>>     # you can generate the kcv with "openxpkiadm hashpwd -s argon2"
>>     # Shared secrets are avail in all realms after been unlocked in one
>>     #method: plain
>>     #cache: daemon
>>     #kcv: $argon2id$v=19$m=32768,t=3,p=1$NmwvcTxxxxxxxxxxxxxxxxxxx8uTK4DI9Ew730Q
>>
>> #TEST <
>>   ca-signer:
>>     label: ca-signer group
>>     export: 0
>>     method: literal
>>     # value = contents of the .pass file
>>     value: DHxxx+ioxEAthxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=
>>
>>   vault:
>>     label: vault group
>>     export: 0
>>     method: literal
>>     # value = contents of the .pass file
>>     value: OFxxxxxxr4xqaVNxxxxxxxxxxxxxxxxxxxxxxxxxx=
>>
>>   scep:
>>     label: scep
>>     export: 0
>>     method: literal
>>     # value = contents of the .pass file
>>     value: r1mxxxxcw/mtF6Lxxxxxxxxxxxxxxxxxxxxxxxxxx=
>> #TEST >
>>
>> When I put the contents of my .pass file vault-1 in the
>> "Global secret group", the vault-1 token status is ONLINE
>> in the OpenXPKI WebUI. Otherwise it is offline.
>>
>> Can you help me to build my crypto.yaml file correctly
>> so that my ca-signer and vault tokens are online please ?
>> The log file tells me the following errors :
>>
>> 2020/11/09 10:29:47 openxpki.system.ERROR OpenSSL error: 139969451594880:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
>> unable to load signing key file
>> 139969451594880:error:0D0AE0AB:asn1 encoding routines:oid_module_init:adding object:../crypto/asn1/asn_moid.c:38:
>> 139969451594880:error:0E07606D:configuration file routines:module_run:module initialization error:../crypto/conf/conf_mod.c:177:module=oid_section, value=new_oids, retcode=-1
>> 139969451594880:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:570:
>> 139969451594880:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
>> 139969451594880:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
>> 139969451594880:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88: [pid=28490|sid=5NKl]
>> 2020/11/09 10:29:47 openxpki.system.ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=28490|sid=5NKl]
>> 2020/11/09 10:29:47 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_decrypt, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512 [pid=28490|sid=5NKl]
>> 2020/11/09 10:29:47 openxpki.system.ERROR OpenSSL error: 139728422380672:error:08064066:object identifier routines:OBJ_create:oid exists:../crypto/objects/obj_dat.c:709:
>> unable to load signing key file
>>
>> Thank you for your help.
>> Best regards,
>>
>> _______________________________________________
>> OpenXPKI-users mailing list
>> [email protected]
>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
> --
> Protect your environment - close windows and adopt a penguin!

--
Protect your environment - close windows and adopt a penguin!
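The thread boils down to one wiring rule: in the realm crypto.yaml, `type` names a token alias, the token names a `secret` and a `key` file, and the secret holds the passphrase for exactly that key. John's first attempt put the Root CA key under `ca-signer` with a passphrase from a different .pass file, and OpenXPKI's log showed the result as `bad decrypt ... unable to load signing key file`. The script below is an added example, not code from the thread or from OpenXPKI: it resolves type -> token -> secret the way Oliver describes (including `inherit:` chains), then asks the `openssl` binary whether each key file actually decrypts with its secret, so a mismatch is caught before a daemon restart. It assumes an `openssl` on PATH, takes the config as a Python dict (in practice `yaml.safe_load` of the realm file), and treats `method: plain` secrets and non-file `key_store` values as things it cannot check rather than as errors. The function and variable names are mine; the demo config and passphrases are constructed for illustration.

```python
"""Pre-flight check: does every realm token's key file decrypt with its secret?

Added example, not OpenXPKI code. Follows the thread's wiring: `type` maps a
token type to a token alias, the token names a `secret` and a `key` file, the
secret carries the passphrase. Each key is opened with `openssl pkey`, which
fails with "bad decrypt" on a wrong passphrase, the same error OpenXPKI logged.
Assumes an `openssl` binary on PATH; pass the realm config in as a dict.
"""
import os
import subprocess
import tempfile

OPENSSL = "openssl"


def resolve_token(tokens, alias):
    """Effective token definition for alias, following `inherit:` chains
    (child keys override the parent's)."""
    chain, seen, cur = [], set(), alias
    while cur is not None:
        if cur in seen or cur not in tokens:
            raise ValueError(f"token {alias!r}: unresolvable inherit {cur!r}")
        seen.add(cur)
        chain.append(tokens[cur])
        cur = tokens[cur].get("inherit")
    merged = {}
    for entry in reversed(chain):  # parent first, child last
        merged.update({k: v for k, v in entry.items() if k != "inherit"})
    return merged


def key_decrypts(key_path, passphrase, openssl=OPENSSL):
    """True iff openssl loads key_path with passphrase. The passphrase is fed
    on stdin (-passin stdin), not on argv, so it never shows up in `ps`."""
    if not os.path.isfile(key_path):
        return False
    proc = subprocess.run(
        [openssl, "pkey", "-in", key_path, "-passin", "stdin", "-noout"],
        input=passphrase.encode() + b"\n", capture_output=True)
    return proc.returncode == 0


def check_realm(config, openssl=OPENSSL):
    """Return {token type: 'ONLINE' | 'OFFLINE: why' | 'SKIPPED: why'}."""
    tokens, secrets, report = config.get("token", {}), config.get("secret", {}), {}
    for ttype, alias in config.get("type", {}).items():
        try:
            tok = resolve_token(tokens, alias)
        except ValueError as err:
            report[ttype] = f"OFFLINE: {err}"
            continue
        sec = secrets.get(tok.get("secret"))
        if sec is None:
            report[ttype] = f"OFFLINE: token {alias!r} names no secret defined in this realm"
        elif sec.get("method") != "literal":
            report[ttype] = f"SKIPPED: secret {tok['secret']!r} uses method {sec.get('method')!r}, unlocked at runtime"
        elif tok.get("key_store", "OPENXPKI") != "OPENXPKI":
            report[ttype] = f"SKIPPED: key_store {tok['key_store']!r} is not a file on disk"
        elif not tok.get("key"):
            report[ttype] = f"OFFLINE: token {alias!r} has no key path"
        elif key_decrypts(tok["key"], str(sec["value"]), openssl):
            report[ttype] = "ONLINE"
        else:
            report[ttype] = f"OFFLINE: {tok['key']} does not decrypt with secret {tok['secret']!r}"
    return report


def make_encrypted_key(path, passphrase, openssl=OPENSSL):
    """Throwaway P-256 key, PKCS#8-encrypted under passphrase (demo only)."""
    plain = path + ".plain"
    subprocess.run([openssl, "genpkey", "-algorithm", "EC", "-pkeyopt",
                    "ec_paramgen_curve:P-256", "-out", plain],
                   capture_output=True, check=True)
    subprocess.run([openssl, "pkey", "-in", plain, "-aes256",
                    "-passout", "stdin", "-out", path],
                   input=passphrase.encode() + b"\n", capture_output=True, check=True)
    os.remove(plain)


def demo():
    """Constructed config shaped like the realm crypto.yaml in the thread:
    vault is wired correctly, ca-signer carries another key's passphrase."""
    work = tempfile.mkdtemp(prefix="xpki-check-")
    issuing = os.path.join(work, "OpenXPKI_Issuing_CA.key")
    vault = os.path.join(work, "OpenXPKI_DataVault.key")
    make_encrypted_key(issuing, "issuing-ca-passphrase")
    make_encrypted_key(vault, "datavault-passphrase")
    config = {
        "type": {"certsign": "ca-signer", "datasafe": "vault", "scep": "scep"},
        "token": {
            "default": {"backend": "OpenXPKI::Crypto::Backend::OpenSSL",
                        "key_store": "OPENXPKI", "shell": "/usr/bin/openssl"},
            "ca-signer": {"inherit": "default", "secret": "ca-signer", "key": issuing},
            "vault": {"inherit": "default", "secret": "vault", "key": vault},
            "scep": {"inherit": "default", "secret": "scep", "key_store": "DATAPOOL"},
        },
        "secret": {
            "ca-signer": {"method": "literal", "value": "root-ca-passphrase"},  # wrong .pass
            "vault": {"method": "literal", "value": "datavault-passphrase"},
            "scep": {"method": "plain", "cache": "daemon"},
        },
    }
    return check_realm(config)


if __name__ == "__main__":
    for ttype, status in demo().items():
        print(f"{ttype:10} {status}")
```

Run it as the `openxpki` user so the file-permission check on the key matches what the daemon sees. When a token comes back OFFLINE here, the fix is in crypto.yaml (wrong key path, or a secret value copied from the wrong .pass file), not in OpenSSL; when it comes back SKIPPED for a `method: plain` secret, the token can only go online after the secret is unlocked in the WebUI, which is why a `kcv` is worth setting there.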
