Hi Nick,

The download link in the certificate detail popup is created by this
item in the "uicontrol" section:
https://github.com/openxpki/openxpki-config/blob/community/config.d/realm.tpl/uicontrol/_default.yaml#L43

In case you changed your roles setup, check this - the files have the
same names as the roles; if none is defined with the role name, the rules
in default are used.

Check if the keys are in the database with "openxpkicli
list_data_pool_entries --arg namespace=certificate.privatekey" - this
should list the subject key hashes of the certs matching the column in
the certificates table.

Oliver

On 03.12.20 at 05:49, Nick Dawson wrote:
> Good evening/morning OpenXPKI team, 
>
> After a few weeks of re-reading docs and lots of testing, I'm back
> where I started. I have a mostly working system except I cannot
> download keys. 
>
> I'm logged in as an RA Operator. 
> I generate the request within OpenXPKI
> I generate the password in OpenXPKI
>
> I approve the workflow and generate the certificate. I can tell from
> the logs that the key is also generated. 
>
> However, when I select the certificate I have download options for the
> cert and the chain in various formats, but I do not have an option to
> download the key. 
>
> I believe my datapool encryption is working since I'm using the
> datapool successfully for the vault, ca-signer, and SCEP keys with no
> (reported) issues. 
>
> One question - I have not found docs that define the roles clearly and
> if they have access controls. For example, is it reasonable to assume
> the RA Operator can request a cert, use the built in CSR tools,
> approve and generate the cert, AND also download the corresponding
> keys? Alternatively, I'd be grateful to be pointed to any docs that
> outline roles and access, etc if that might be a potential source of
> my challenge. 
>
> The only other potentially complicating factor in my setup is that I'm
> running on FreeBSD. 
>
> To my previous posts and Oliver's hypothesis - once I added --authuser
> and --authpass to my openxpkicli command, I was able to successfully
> import keys. I resolved that in my previous test builds and, with
> that knowledge, it wasn't an issue in my current test environment. 
>
>
>
>
> On Mon, Nov 09, 2020 at 11:45 PM, Oliver Welter <[email protected]> wrote:
>
>     Hi,
>
>     this looks like you crashed your authentication system - I suggest
>     you start over from scratch with a vanilla config and try to
>     get anything up and running once before changing things.
>
>     Oliver
>
>     On 09.11.20 at 23:16, Nick Dawson wrote:
>>     thanks Martin and Oliver! 
>>
>>     I'm almost certain it is the latter: 
>>     datapool encryption has not been set up properly on your system
>>
>>     If I try and import keys into the datapool, I get an error. 
>>
>>     ➜  ~ openxpkicli set_data_pool_entry --arg namespace=sys.crypto.keys \
>>         --arg key=scep-1 \
>>         --arg encrypt=1 \
>>         --filearg value=/usr/local/etc/openxpki/ssl/dzsec/ca-one-scep-1.pem
>>     Error: I18N_OPENXPKI_SERVER_AUTHENTICATION_INCORRECT_HANDLER
>>     Unhandled service message. Stopped at /usr/local/bin/openxpkicli line 355
>>
>>
>>     On Mon, Nov 09, 2020 at 10:17 AM, Martin Bartosch <[email protected]> wrote:
>>
>>         Hi,
>>
>>             Thanks Oliver - what might it mean if I don't have that
>>             section at all? I have the download section for the
>>             certs, and below that is "relations" and below that is
>>             nothing.
>>
>>         Some possible reasons are
>>         - the system does not have the key (e. g. a PKCS#10 request
>>         was submitted)
>>         - you don't have permissions to download the key (e. g. you
>>         are not the user who submitted the request)
>>         - datapool encryption has not been set up properly on your
>>         system
>>
>>         Cheers
>>
>>         Martin
>>
>>         _______________________________________________
>>         OpenXPKI-users mailing list
>>         [email protected]
>>         <mailto:[email protected]>
>>         https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>         <https://lists.sourceforge.net/lists/listinfo/openxpki-users>
>>
>>
>
>
>     -- 
>     Protect your environment -  close windows and adopt a penguin! 
>


-- 
Protect your environment -  close windows and adopt a penguin! 
