> Check if the keys are in the database with "openxpkicli list_data_pool_entries --arg namespace=certificate.privatekey" - this should list the subject key hashes of the certs matching the column in the certificates table.

Thanks Oliver! The good news is that I can confirm the keys are in the DB. I created a new cert and verified that the new key was also added.

I got it working and wanted to share for anyone else who might run into a similar issue… Bonehead issue… as is often the case. My RA Operator role was still commented out in roles.yaml from the sample doc. It seems like I could still log in as an RA Operator, and I could issue certs and revoke them. But uncommenting that unlocked the download.

Thanks for the help and patience with this new user!

On Thu, Dec 03, 2020 at 9:24 AM, Oliver Welter <[email protected]> wrote:

> Hi Nick,
>
> the download link in the certificate detail popup is created by this item in the "uicontrol" section:
> https://github.com/openxpki/openxpki-config/blob/community/config.d/realm.tpl/uicontrol/_default.yaml#L43
>
> In case you changed your roles setup, check this - the files have the same names as the role, if none is defined with the role name the rules in default are used.
>
> Check if the keys are in the database with "openxpkicli list_data_pool_entries --arg namespace=certificate.privatekey" - this should list the subject key hashes of the certs matching the column in the certificates table.
>
> Oliver
>
> On 03.12.20 at 05:49, Nick Dawson wrote:
>> Good evening/morning OpenXPKI team,
>>
>> After a few weeks of re-reading docs and lots of testing, I'm back where I started. I have a mostly working system except I cannot download keys.
>>
>> I'm logged in as an RA Operator.
>> I generate the request within OpenXPKI
>> I generate the password in OpenXPKI
>>
>> I approve the workflow and generate the certificate. I can tell from the logs that the key is also generated.
>>
>> However, when I select the certificate I have download options for the cert and the chain in various formats, but I do not have an option to download the key.
>>
>> I believe my datapool encryption is working since I'm using the datapool successfully for the vault, ca-signer, and SCEP keys with no (reported) issues.
>>
>> One question - I have not found docs that define the roles clearly and if they have access controls. For example, is it reasonable to assume the RA Operator can request a cert, use the built-in CSR tools, approve and generate the cert, AND also download the corresponding keys? Alternatively, I'd be grateful to be pointed to any docs that outline roles and access, etc. if that might be a potential source of my challenge.
>>
>> The only other potentially complicating factor in my setup is that I'm running on FreeBSD.
>>
>> To my previous posts and Oliver's hypothesis - once I added --authuser and --authpass to my openxpkicli command, I was able to successfully import keys. I resolved that in my previous test builds and, with that knowledge, it wasn't an issue in my current test environment.
>>
>> On Mon, Nov 09, 2020 at 11:45 PM, Oliver Welter <[email protected]> wrote:
>>> Hi,
>>>
>>> this looks like you crashed your authentication system - I suggest you start over from scratch with a vanilla config and try to get anything up and running once before changing things.
>>>
>>> Oliver
>>>
>>> On 09.11.20 at 23:16, Nick Dawson wrote:
>>>> thanks Martin and Oliver!
>>>>
>>>> I'm almost certain it is the latter:
>>>> datapool encryption has not been set up properly on your system
>>>>
>>>> If I try and import keys into the datapool, I get an error.
>>>>
>>>> ➜ ~ openxpkicli set_data_pool_entry --arg namespace=sys.crypto.keys \
>>>>     --arg key=scep-1 \
>>>>     --arg encrypt=1 \
>>>>     --filearg value=/usr/local/etc/openxpki/ssl/dzsec/ca-one-scep-1.pem
>>>> Error: I18N_OPENXPKI_SERVER_AUTHENTICATION_INCORRECT_HANDLER
>>>> Unhandled service message. Stopped at /usr/local/bin/openxpkicli line 355
>>>>
>>>> On Mon, Nov 09, 2020 at 10:17 AM, Martin Bartosch <openxpki-users@lists.sourceforge.net> wrote:
>>>>> Hi,
>>>>>
>>>>>> Thanks Oliver - what might it mean if I don't have that section at all? I have the download section for the certs, and below that is "relations" and below that is nothing.
>>>>>
>>>>> Some possible reasons are
>>>>> - the system does not have the key (e. g. a PKCS#10 request was submitted)
>>>>> - you don't have permissions to download the key (e. g. you are not the user who submitted the request)
>>>>> - datapool encryption has not been set up properly on your system
>>>>>
>>>>> Cheers
>>>>>
>>>>> Martin
>>>>>
>>>>> _______________________________________________
>>>>> OpenXPKI-users mailing list
>>>>> [email protected]
>>>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
> --
> Protect your environment - close windows and adopt a penguin!
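The root cause in this thread was a role that was still commented out in roles.yaml. Below is an added sanity check for that situation (example code written for this page, not part of the thread or of OpenXPKI); it assumes the sample roles.yaml layout of one top-level key per role name with a `label` child, and the YAML text it scans is constructed here.

```python
"""Report whether OpenXPKI roles in roles.yaml are active, commented out or absent.

Assumption: roles.yaml uses top-level role-name keys (e.g. "RA Operator:")
with an indented 'label' child, as in the openxpki-config sample file.
No YAML library is needed because only top-level keys are inspected.
"""
import re
from typing import Dict, List

# Constructed sample mirroring the thread: "RA Operator" is still commented out.
SAMPLE_ROLES_YAML = """\
# Roles known to this realm. Uncomment the ones you use.
Anonymous:
    label: Anonymous
User:
    label: User
#RA Operator:
#    label: RA Operator
CA Operator:
    label: CA Operator
"""

# A top-level key starts in column 0 and ends with ':' (no value on the line).
TOP_LEVEL_KEY = re.compile(r"^(?P<name>[A-Za-z][^:#]*?):\s*$")
# The same shape behind a leading '#' is a role that someone commented out.
COMMENTED_KEY = re.compile(r"^#\s*(?P<name>[A-Za-z][^:#]*?):\s*$")


def scan_roles(text: str) -> Dict[str, List[str]]:
    """Split top-level role names into 'active' and 'commented' lists."""
    found: Dict[str, List[str]] = {"active": [], "commented": []}
    for line in text.splitlines():
        if (m := TOP_LEVEL_KEY.match(line)):
            found["active"].append(m.group("name").strip())
        elif (m := COMMENTED_KEY.match(line)):
            found["commented"].append(m.group("name").strip())
    return found


def role_status(text: str, role: str) -> str:
    """Return 'active', 'commented' or 'missing' for one role name."""
    found = scan_roles(text)
    if role in found["active"]:
        return "active"
    return "commented" if role in found["commented"] else "missing"


if __name__ == "__main__":
    for role in ("RA Operator", "CA Operator", "Auditor"):
        print(f"{role}: {role_status(SAMPLE_ROLES_YAML, role)}")
```

Run it against your realm's roles.yaml instead of the sample text; a role reported as "commented" is exactly the state that hid the key download in this thread.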
