Good evening/morning OpenXPKI team,

After a few weeks of re-reading docs and lots of testing, I'm back where I started. I have a mostly working system except I cannot download keys.

I'm logged in as an RA Operator.
I generate the request within OpenXPKI.
I generate the password in OpenXPKI.
I approve the workflow and generate the certificate.

I can tell from the logs that the key is also generated. However, when I select the certificate I have download options for the cert and the chain in various formats, but I do not have an option to download the key.

I believe my datapool encryption is working since I'm using the datapool successfully for the vault, ca-signer, and SCEP keys with no (reported) issues.

One question - I have not found docs that define the roles clearly and if they have access controls. For example, is it reasonable to assume the RA Operator can request a cert, use the built-in CSR tools, approve and generate the cert, AND also download the corresponding keys? Alternatively, I'd be grateful to be pointed to any docs that outline roles and access, etc. if that might be a potential source of my challenge.

The only other potentially complicating factor in my setup is that I'm running on FreeBSD.

To my previous posts and Oliver's hypothesis - once I added --authuser and --authpass to my openxpkicli command, I was able to successfully import keys. I resolved that in my previous test builds and, with that knowledge, it wasn't an issue in my current test environment.

On Mon, Nov 09, 2020 at 11:45 PM, Oliver Welter <[email protected]> wrote:

> Hi,
>
> this looks like you crashed your authentication system - I suggest you
> start over from scratch with a vanilla config and try to get anything
> up and running once before changing things.
>
> Oliver
>
> On 09.11.20 at 23:16, Nick Dawson wrote:
>
> thanks Martin and Oliver!
>
> I'm almost certain it is the latter:
> datapool encryption has not been set up properly on your system
>
> If I try and import keys into the datapool, I get an error.
>
> ➜ ~ openxpkicli set_data_pool_entry --arg namespace=sys.crypto.keys \
>     --arg key=scep-1 \
>     --arg encrypt=1 \
>     --filearg value=/usr/local/etc/openxpki/ssl/dzsec/ca-one-scep-1.pem
> Error: I18N_OPENXPKI_SERVER_AUTHENTICATION_INCORRECT_HANDLER
> Unhandled service message. Stopped at /usr/local/bin/openxpkicli line 355
>
> On Mon, Nov 09, 2020 at 10:17 AM, Martin Bartosch
> <openxpki-users@lists.sourceforge.net> wrote:
>
> Hi,
>
> Thanks Oliver - what might it mean if I don't have that section at all? I
> have the download section for the certs, and below that is "relations"
> and below that is nothing.
>
> Some possible reasons are
> - the system does not have the key (e. g. a PKCS#10 request was submitted)
> - you don't have permissions to download the key (e. g. you are not the
>   user who submitted the request)
> - datapool encryption has not been set up properly on your system
>
> Cheers
>
> Martin
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
> --
> Protect your environment - close windows and adopt a penguin!
