Hi Nick,

it's great to hear that it is working now - if you want to disable a role you need to uncomment it in the auth/ section. The uicontrol is just to provide the menu and useless if there is no such role defined.

best regards

Oliver

On 03.12.20 at 23:24, Nick Dawson wrote:
>
> Check if the keys are in the database with "openxpkicli
> list_data_pool_entries --arg namespace=certificate.privatekey" -
> this should list the subject key hashes of the certs matching the
> column in the certificates table.
>
>
> Thanks Oliver!
> The good news is that I can confirm the keys are in the DB. I created
> a new cert and verified that the new key was also added.
>
> I got it working and wanted to share for anyone else who might run
> into a similar issue…
>
> Bonehead issue… as is often the case.
>
> My RA Operator role was still commented out in roles.yaml from the
> sample doc.
>
> It seems like I could still log in as an RA Operator, and I could
> issue certs and revoke them. But uncommenting that unlocked the download.
>
> Thanks for the help and patience with this new user!
>
>
> On Thu, Dec 03, 2020 at 9:24 AM, Oliver Welter <[email protected]> wrote:
>
> Hi Nick,
>
> the download link in the certificate detail popup is created by
> this item in the "uicontrol" section:
>
> https://github.com/openxpki/openxpki-config/blob/community/config.d/realm.tpl/uicontrol/_default.yaml#L43
>
> In case you changed your roles setup, check this - the files have
> the same names as the role, if none is defined with the role name
> the rules in default are used.
>
> Check if the keys are in the database with "openxpkicli
> list_data_pool_entries --arg namespace=certificate.privatekey" -
> this should list the subject key hashes of the certs matching the
> column in the certificates table.
>
> Oliver
>
> On 03.12.20 at 05:49, Nick Dawson wrote:
>> Good evening/morning OpenXPKI team,
>>
>> After a few weeks of re-reading docs and lots of testing, I'm
>> back where I started. I have a mostly working system except I
>> cannot download keys.
>>
>> I'm logged in as an RA Operator.
>> I generate the request within OpenXPKI
>> I generate the password in OpenXPKI
>>
>> I approve the workflow and generate the certificate. I can tell
>> from the logs that the key is also generated.
>>
>> However, when I select the certificate I have download options
>> for the cert and the chain in various formats, but I do not have
>> an option to download the key.
>>
>> I believe my datapool encryption is working since I'm using the
>> datapool successfully for the vault, ca-signer, and SCEP keys
>> with no (reported) issues.
>>
>> One question - I have not found docs that define the roles
>> clearly and if they have access controls. For example, is it
>> reasonable to assume the RA Operator can request a cert, use the
>> built in CSR tools, approve and generate the cert, AND also
>> download the corresponding keys? Alternatively, I'd be grateful
>> to be pointed to any docs that outline roles and access, etc if
>> that might be a potential source of my challenge.
>>
>> The only other potentially complicating factor in my setup is
>> that I'm running on FreeBSD.
>>
>> To my previous posts and Oliver's hypothesis - once I added
>> --authuser and --authpass to my openxpkicli command, I was able
>> to successfully import keys. I resolved that in my previous test
>> builds and, with that knowledge, it wasn't an issue in my
>> current test environment.
>>
>>
>> On Mon, Nov 09, 2020 at 11:45 PM, Oliver Welter <[email protected]> wrote:
>>
>> Hi,
>>
>> this looks like you crashed your authentication system - I
>> suggest you start over from scratch with a vanilla config and
>> try to get anything up and running once before changing
>> things.
>>
>> Oliver
>>
>> On 09.11.20 at 23:16, Nick Dawson wrote:
>>> thanks Martin and Oliver!
>>>
>>> I'm almost certain it is the latter:
>>> datapool encryption has not been set up properly on your system
>>>
>>> If I try and import keys into the datapool, I get an error.
>>>
>>> ➜ ~ openxpkicli set_data_pool_entry --arg namespace=sys.crypto.keys \
>>> --arg key=scep-1 \
>>> --arg encrypt=1 \
>>> --filearg value=/usr/local/etc/openxpki/ssl/dzsec/ca-one-scep-1.pem
>>> Error: I18N_OPENXPKI_SERVER_AUTHENTICATION_INCORRECT_HANDLER
>>> Unhandled service message. Stopped at /usr/local/bin/openxpkicli line 355
>>>
>>>
>>> On Mon, Nov 09, 2020 at 10:17 AM, Martin Bartosch <[email protected]> wrote:
>>>
>>> Hi,
>>>
>>> Thanks Oliver - what might it mean if I don't have
>>> that section at all? I have the download section
>>> for the certs, and below that is "relations" and
>>> below that is nothing.
>>>
>>> Some possible reasons are
>>> - the system does not have the key (e. g. a PKCS#10
>>> request was submitted)
>>> - you don't have permissions to download the key (e. g.
>>> you are not the user who submitted the request)
>>> - datapool encryption has not been set up properly on
>>> your system
>>>
>>> Cheers
>>>
>>> Martin
>>>
>>> _______________________________________________
>>> OpenXPKI-users mailing list
>>> [email protected]
>>> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>>
>>
>> --
>> Protect your environment - close windows and adopt a penguin!
