Hi Olivier,

Thank you for your reply.

I tried to reproduce the issue because I had to set up a new PKI: my certs were using the elliptic curve secp521r1, which is not supported by Chrome for web certs, which bothers me.

I need to switch to a new root cert, so I created a new instance of OpenXPKI.

Here is what I did:

- First of all, I'm using proxmox VE on my host dedicated server. I created a new container. FYI, it's an unprivileged container with default LXC apparmor profile and default Proxmox settings. It is a Debian 10 LXC container.

- I updated and upgraded the packages in the LXC.

apt-get update && apt-get upgrade -y

- I set the timezone (Europe/Paris) then the locale (fr_FR.UTF-8)

dpkg-reconfigure tzdata
dpkg-reconfigure locale

- I'm used to PostgreSQL for databases, so I'm using it for OpenXPKI.

apt-get install postgresql libdbd-pg-perl libdbd-pgsql

- I created a user on the database

su -c psql postgres
CREATE USER openxpki WITH PASSWORD 'openxpki';
CREATE DATABASE openxpki OWNER openxpki;
\q

- I populated the database with the schema found here: https://raw.githubusercontent.com/Gregory-Widmer/openxpki-config/f2dbcaaf3a1e9a4989da26540f436cbf39eb93fd/contrib/sql/schema-psql.sql

wget https://raw.githubusercontent.com/Gregory-Widmer/openxpki-config/f2dbcaaf3a1e9a4989da26540f436cbf39eb93fd/contrib/sql/schema-psql.sql
psql -h 127.0.0.1 -d openxpki -U openxpki -W -f schema-psql.sql
Password: <openxpki>

- It's now time to install OpenXPKI. I first need to install gpg, then add the repo, then install openxpki. (By the way, I always check the key's fingerprint.)

apt-get install gpg
wget https://packages.openxpki.org/v3/debian/Release.key -O - | apt-key add -
echo "deb http://packages.openxpki.org/v3/debian/ buster release" > /etc/apt/sources.list.d/openxpki.list
apt update

- I installed apache2 and the fcgid mod, then enabled it. I also enabled the ssl mod.

apt install apache2 libapache2-mod-fcgid
a2enmod fcgid
a2enmod ssl
systemctl restart apache2.service

- I installed OpenXPKI

apt install libopenxpki-perl openxpki-cgi-session-driver openxpki-i18n

- I put the database credentials into the database.yaml file

main:
    debug: 0
    type: PostgreSQL
    name: openxpki
    host: localhost
    port: 5432
    user: openxpki
    passwd: openxpki

- It's now time to set up the base certificates. I'm using the following openssl.cnf file:

HOME            = .
RANDFILE        = .rnd

[ ca ]
default_ca        = CA_default

[ CA_default ]
dir            = .
certs            = ./certs
crl_dir            = ./
database        = ./index.txt
new_certs_dir        = ./
serial            = ./serial
crlnumber        = ./crlnumber

crl            = ./crl.pem
private_key        = ./cakey.pem
RANDFILE        = ~/.rand

default_md        = sha512
preserve        = no
policy            = policy_none
default_days        = 3650

# x509_extensions               = v3_ca_extensions
# x509_extensions               = v3_issuing_extensions
# x509_extensions               = v3_datavault_extensions
# x509_extensions               = v3_scep_extensions
# x509_extensions               = v3_web_extensions

[policy_none]
countryName             = optional
organizationName        = optional
domainComponent        = optional
organizationalUnitName    = optional
commonName        = supplied

[ req ]
default_bits        = 4096
distinguished_name    = req_distinguished_name

# x509_extensions               = v3_ca_reqexts # not for root self signed, only for issuing
## x509_extensions              = v3_datavault_reqexts # not required self signed
# x509_extensions               = v3_scep_reqexts
# x509_extensions               = v3_web_reqexts

[ req_distinguished_name ]
domainComponent        = Domain Component
commonName        = Common Name

[ v3_ca_reqexts ]
subjectKeyIdentifier    = hash
keyUsage                = digitalSignature, keyCertSign, cRLSign

[ v3_datavault_reqexts ]
subjectKeyIdentifier    = hash
keyUsage                = keyEncipherment
extendedKeyUsage        = emailProtection

[ v3_scep_reqexts ]
subjectKeyIdentifier    = hash

[ v3_web_reqexts ]
subjectKeyIdentifier    = hash
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth, clientAuth


[ v3_ca_extensions ]
subjectKeyIdentifier    = hash
keyUsage                = digitalSignature, keyCertSign, cRLSign
basicConstraints        = critical,CA:TRUE
authorityKeyIdentifier  = keyid:always,issuer

[ v3_issuing_extensions ]
subjectKeyIdentifier    = hash
keyUsage                = digitalSignature, keyCertSign, cRLSign
basicConstraints        = critical,CA:TRUE
authorityKeyIdentifier  = keyid:always,issuer:always

[ v3_datavault_extensions ]
subjectKeyIdentifier    = hash
keyUsage                = keyEncipherment
extendedKeyUsage        = emailProtection
basicConstraints        = CA:FALSE
authorityKeyIdentifier  = keyid:always,issuer

[ v3_scep_extensions ]
subjectKeyIdentifier    = hash
basicConstraints        = CA:FALSE
authorityKeyIdentifier  = keyid,issuer

[ v3_web_extensions ]
subjectKeyIdentifier    = hash
keyUsage                = critical, digitalSignature, keyEncipherment
extendedKeyUsage        = serverAuth, clientAuth
basicConstraints        = critical,CA:FALSE
subjectAltName        = DNS:sorry.im.not.giving.it

- I set up the required files, created an ECC key, then my root certificate

touch serial
touch index.txt
touch index.txt.attr
dd if=/dev/urandom of=.rnd bs=256 count=1
openssl ecparam -name secp384r1 -genkey -out cakey.pem
openssl req -config openssl.cnf -key cakey.pem -days 3650 -extensions v3_ca_extensions -x509 -out ca.crt

- I imported the certificate

openxpkiadm certificate import --file ca.crt
Starting import
Successfully imported certificate into database:
  Subject:    CN=Dummy Root CA
  Issuer:     CN=Dummy Root CA
  Identifier: YrwPQKfhPYc9vdVfxuvuxsjojQE
  Realm:      none

- I created the DataVault key and certificate, then imported it. It's now time to start OpenXPKI

openssl req -newkey rsa:4096 -keyout vault-1.pem -nodes -subj '/CN=Internal DataVault' -x509 -out vault.crt
mkdir -p /etc/openxpki/local/keys
cp vault-1.pem /etc/openxpki/local/keys/vault-1.pem
chmod 400 /etc/openxpki/local/keys/vault-1.pem
chown openxpki.openxpki /etc/openxpki/local/keys/vault-1.pem
openxpkiadm alias --realm democa --token datasafe --file vault.crt
openxpkictl start

- I checked my DataVault token:

On 25/04/2021 at 11:08, Oliver Welter wrote:
Hi Gregory,

I don't understand why the root alias does not show up, it is usually auto-generated when you import the "certsign" certificate.

Anyway - for normal operations the alias is not required and it was added mainly for informational purpose to see what root certificates are in use by the PKI. We have used this in the past for advanced trust management, etc but this is all far beyond the scope of the default setup and needs support on the client side so you can just ignore this.

In case you are able to reproduce this, I would appreciate detailed instructions on this.

Oliver

On 22.04.21 at 18:59, Grégory Widmer wrote:
Hello,

Today I set up my OpenXPKI instance following the Quickstart documentation found here: https://openxpki.readthedocs.io/en/latest/quickstart.html

Everything went smoothly, but there is something which bothers me. In the "Create Issuing CA Token" section, we should see something like the following when executing `openxpkiadm alias --realm <My Realm>`:

$ openxpkiadm alias --realm democa

=== functional token ===
scep (scep):
Alias     : scep-1
Identifier: YsBNZ7JYTbx89F_-Z4jn_RPFFWo
NotBefore : 2015-01-30 20:44:40
NotAfter  : 2016-01-30 20:44:40

vault (datasafe):
Alias     : vault-1
Identifier: lZILS1l6Km5aIGS6pA7P7azAJic
NotBefore : 2015-01-30 20:44:40
NotAfter  : 2016-01-30 20:44:40

ca-signer (certsign):
Alias     : ca-signer-1
Identifier: Sw_IY7AdoGUp28F_cFEdhbtI9pE
NotBefore : 2015-01-30 20:44:40
NotAfter  : 2018-01-29 20:44:40

=== root ca ===
current root ca:
Alias     : root-1
Identifier: fVrqJAlpotPaisOAsnxa9cglXCc
NotBefore : 2015-01-30 20:44:39
NotAfter  : 2020-01-30 20:44:39

upcoming root ca:

  not set

But when I execute it, here is the output :

root@OpenXPKI:~# openxpkiadm alias --realm <My Realm>

=== functional token ===
ca-signer (certsign):
  Alias     : ca-signer-1
  Identifier: EAcWynRnKvuqr3txMCCEofpIUBw
  NotBefore : 2021-04-22 13:42:52
  NotAfter  : 2031-04-20 13:42:52

vault (datasafe):
  Alias     : vault-1
  Identifier: zbOKQPsIG__VaSmUxmz3gbIecEk
  NotBefore : 2021-04-22 13:45:31
  NotAfter  : 2031-04-20 13:45:31

scep (scep):
  Alias     : scep-1
  Identifier: Ajiolk0EpqFXVLYpIFH2VJPsuJM
  NotBefore : 2021-04-22 13:48:45
  NotAfter  : 2031-04-20 13:48:45

=== root ca ===
current root ca:
  not set

upcoming root ca:
  not set

As said in the doc, ids and times will vary. But what bothers me is the fact that the current root ca is not set. It was imported earlier, as you can see:

root@OpenXPKI:~# openxpkiadm certificate list --all -v -v

Certificates in <My Realm>:

  Identifier: Ajiolk0EpqFXVLYpIFH2VJPsuJM
    Alias:
      scep-1 (in realm: <My Realm>)
    Subject:
      CN=SCEP Certificate v1,O=<My org>
    Issuer DN:
      CN=Issuing CA v1,O=<My org>
    Chain:
      Ajiolk0EpqFXVLYpIFH2VJPsuJM -> EAcWynRnKvuqr3txMCCEofpIUBw -> KU_1utq7QXfgB1UXEm8sCMEYLUs(complete)

  Identifier: EAcWynRnKvuqr3txMCCEofpIUBw
    Alias:
      ca-signer-1 (in realm: <My Realm>)
    Subject:
      CN=Issuing CA v1,O=<My org>
    Issuer DN:
      CN=<My Org> Root CA v1,O=<My org>
    Chain:
      EAcWynRnKvuqr3txMCCEofpIUBw -> KU_1utq7QXfgB1UXEm8sCMEYLUs(complete)

  Identifier: zbOKQPsIG__VaSmUxmz3gbIecEk
    Alias:
      vault-1 (in realm: <My realm>)
    Subject:
      CN=<My Org> PKI DataVault Certificate
    Issuer DN:
      CN=<My Org> PKI DataVault Certificate
    Chain:
      zbOKQPsIG__VaSmUxmz3gbIecEk(complete)

  Identifier: KU_1utq7QXfgB1UXEm8sCMEYLUs
    Subject:
      CN=<My Org> Root CA v1,O=<My Org>
    Issuer DN:
      <Hidden Subject>
    Chain:
      KU_1utq7QXfgB1UXEm8sCMEYLUs(complete)

The last certificate is the Root CA. Am I missing something from the doc, or is there something to do?

Is there any impact on the workflows if the Root CA is not set?

Thank you :D

PS : OpenXPKI is great :D

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


--
Protect your environment -  close windows and adopt a penguin!


--
*Grégory Widmer*
/gregory.wid...@gwidmer.fr/
DevOps, System Administrator and Network Administrator
PGP Fingerprint : 0x15DF 085D 9BED 6686 24AB E069 D69A 8416 9D1A 9CA8

Attachment: smime.p7s
Description: S/MIME cryptographic signature
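As an added example, not code from this thread or from the OpenXPKI project, the following POSIX shell script repeats the root CA step from Grégory's message (EC key, self-signed certificate with the v3_ca_extensions section) and runs the checks worth doing before the file goes into `openxpkiadm certificate import`: the certificate is self-signed and verifies under its own key, basicConstraints is critical CA:TRUE, keyCertSign is present, and the key is not on secp521r1, the curve the message says Chrome rejects for web certs. The subject "Dummy Root CA", the temporary directories and the `demo` argument are assumptions; the only requirement is a local `openssl`.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenXPKI: rebuild the root CA the
# way the message does and check it before importing. Assumes a local openssl;
# subject name, directories and the "demo" switch are hypothetical.
set -eu

# Minimal openssl.cnf carrying the thread's v3_ca_extensions section.
write_cnf() {
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name
prompt             = no

[ req_distinguished_name ]
CN = Dummy Root CA

[ v3_ca_extensions ]
subjectKeyIdentifier   = hash
keyUsage               = digitalSignature, keyCertSign, cRLSign
basicConstraints       = critical,CA:TRUE
authorityKeyIdentifier = keyid:always,issuer
EOF
}

# make_root DIR CURVE: write DIR/cakey.pem and DIR/ca.crt (10-year self-signed root).
make_root() {
  dir="$1"; curve="$2"
  write_cnf "$dir/openssl.cnf"
  openssl ecparam -name "$curve" -genkey -noout -out "$dir/cakey.pem" 2>/dev/null
  openssl req -config "$dir/openssl.cnf" -key "$dir/cakey.pem" -new -x509 \
    -days 3650 -sha512 -extensions v3_ca_extensions -out "$dir/ca.crt" 2>/dev/null
}

# cert_curve CERT: print the named curve of the certificate's EC public key.
cert_curve() {
  openssl x509 -in "$1" -noout -text | sed -n 's/.*ASN1 OID: *//p'
}

# check_root CERT: return 0 when CERT is a usable root for this setup:
# issuer equals subject and the self-signature verifies, basicConstraints is
# critical CA:TRUE, keyUsage includes keyCertSign, and the curve is not
# secp521r1. Prints the reason for the first failing check.
check_root() {
  crt="$1"
  text=$(openssl x509 -in "$crt" -noout -text)
  subj=$(openssl x509 -in "$crt" -noout -subject)
  iss=$(openssl x509 -in "$crt" -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ] || { echo "FAIL: issuer != subject"; return 1; }
  openssl verify -CAfile "$crt" "$crt" >/dev/null 2>&1 || { echo "FAIL: self-signature does not verify"; return 1; }
  printf '%s\n' "$text" | grep -q 'Basic Constraints: critical' || { echo "FAIL: basicConstraints not critical"; return 1; }
  printf '%s\n' "$text" | grep -q 'CA:TRUE' || { echo "FAIL: not CA:TRUE"; return 1; }
  printf '%s\n' "$text" | grep -q 'Certificate Sign' || { echo "FAIL: keyCertSign missing"; return 1; }
  case "$(cert_curve "$crt")" in
    secp521r1) echo "FAIL: secp521r1 is not accepted by Chrome for web certs"; return 1 ;;
  esac
  echo "OK: $(printf '%s\n' "$text" | sed -n 's/ *Subject: //p')"
}

# Demo, only when invoked as `sh root-check.sh demo`: build a P-384 root like
# the thread and a secp521r1 one, then run the checks on both.
if [ "${1:-}" = "demo" ]; then
  for curve in secp384r1 secp521r1; do
    d=$(mktemp -d)
    make_root "$d" "$curve"
    echo "== $curve =="
    check_root "$d/ca.crt" || true
  done
fi
```

Running `sh root-check.sh demo` shows the secp384r1 root passing and the secp521r1 root failing on the curve check; `check_root` can also be pointed at an existing ca.crt to get the first failing reason before the certificate is imported.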