Hi Gregory, I don't understand why the root alias does not show up, it is usually auto-generated when you import the "certsign" certificate.
Anyway - for normal operations the alias is not required and it was added mainly for informational purpose to see what root certificates are in use by the PKI. We have used this in the past for advanced trust management, etc but this is all far beyond the scope of the default setup and needs support on the client side so you can just ignore this. In case you are able to reproduce this, I would appreciate detailed instructions on this. Oliver Am 22.04.21 um 18:59 schrieb Grégory Widmer: > Hello, > > Today I did setup my OpenXPKI instance following the Quickstart > documentation found here : > https://openxpki.readthedocs.io/en/latest/quickstart.html > > Everything went smooth but there is something which bothers me. In the > "Create Issuing CA Token" section, we should see something like the > following when executing `openxpkiadm alias --realm <My Realm>` : > > $ openxpkiadm alias --realm democa > > === functional token === > scep (scep): > Alias : scep-1 > Identifier: YsBNZ7JYTbx89F_-Z4jn_RPFFWo > NotBefore : 2015-01-30 20:44:40 > NotAfter : 2016-01-30 20:44:40 > > vault (datasafe): > Alias : vault-1 > Identifier: lZILS1l6Km5aIGS6pA7P7azAJic > NotBefore : 2015-01-30 20:44:40 > NotAfter : 2016-01-30 20:44:40 > > ca-signer (certsign): > Alias : ca-signer-1 > Identifier: Sw_IY7AdoGUp28F_cFEdhbtI9pE > NotBefore : 2015-01-30 20:44:40 > NotAfter : 2018-01-29 20:44:40 > > === root ca === > current root ca: > Alias : root-1 > Identifier: fVrqJAlpotPaisOAsnxa9cglXCc > NotBefore : 2015-01-30 20:44:39 > NotAfter : 2020-01-30 20:44:39 > > upcoming root ca: > > not set > > But when I execute it, here is the output : > > root@OpenXPKI:~# openxpkiadm alias --realm <My Realm> > > === functional token === > ca-signer (certsign): > Alias : ca-signer-1 > Identifier: EAcWynRnKvuqr3txMCCEofpIUBw > NotBefore : 2021-04-22 13:42:52 > NotAfter : 2031-04-20 13:42:52 > > vault (datasafe): > Alias : vault-1 > Identifier: zbOKQPsIG__VaSmUxmz3gbIecEk > NotBefore : 2021-04-22 13:45:31 > NotAfter : 2031-04-20 13:45:31 > > scep (scep): > Alias : scep-1 > Identifier: Ajiolk0EpqFXVLYpIFH2VJPsuJM > NotBefore : 2021-04-22 13:48:45 > NotAfter : 2031-04-20 13:48:45 > > === root ca === > current root ca: > not set > > upcoming root ca: > not set > > As said in the doc, ids and times will vary. But what bothers me is > the fact that the current root ca is not set. It was imported earlier > as you can see : > > root@OpenXPKI:~# openxpkiadm certificate list --all -v -v > > Certificates in <My Realm>: > > Identifier: Ajiolk0EpqFXVLYpIFH2VJPsuJM > Alias: > scep-1 (in realm: <My Realm>) > Subject: > CN=SCEP Certificate v1,O=<My org> > Issuer DN: > CN=Issuing CA v1,O=<My org> > Chain: > Ajiolk0EpqFXVLYpIFH2VJPsuJM -> EAcWynRnKvuqr3txMCCEofpIUBw -> > KU_1utq7QXfgB1UXEm8sCMEYLUs(complete) > > Identifier: EAcWynRnKvuqr3txMCCEofpIUBw > Alias: > ca-signer-1 (in realm: <My Realm>) > Subject: > CN=Issuing CA v1,O=<My org> > Issuer DN: > CN=<My Org> Root CA v1,O=<My org> > Chain: > EAcWynRnKvuqr3txMCCEofpIUBw -> > KU_1utq7QXfgB1UXEm8sCMEYLUs(complete) > > Identifier: zbOKQPsIG__VaSmUxmz3gbIecEk > Alias: > vault-1 (in realm: <My realm>) > Subject: > CN=<My Org> PKI DataVault Certificate > Issuer DN: > CN=<My Org> PKI DataVault Certificate > Chain: > zbOKQPsIG__VaSmUxmz3gbIecEk(complete) > > Identifier: KU_1utq7QXfgB1UXEm8sCMEYLUs > Subject: > CN=<My Org> Root CA v1,O=<My Org> > Issuer DN: > <Hidden Subject> > Chain: > KU_1utq7QXfgB1UXEm8sCMEYLUs(complete) > > The last certificate is the Root CA. Am I missing something from the > doc, or is there something to do ? > > Is there any impact on the worflows if the Root CA is not set ? > > Thank you :D > > PS : OpenXPKI is great :D > > > > > _______________________________________________ > OpenXPKI-users mailing list > OpenXPKI-users@lists.sourceforge.net > https://lists.sourceforge.net/lists/listinfo/openxpki-users -- Protect your environment - close windows and adopt a penguin!
_______________________________________________ OpenXPKI-users mailing list OpenXPKI-users@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/openxpki-users
