Sorry, I sent my mail before it was complete :( I fixed 2 lines then added the end.
-----------------------------------------------

Hi Oliver,

Thank you for your reply. I tried to reproduce the issue because I had to set up a new PKI: my certs were using the elliptic curve secp521r1, which is not supported by Chrome for web certs, and that bothers me.
I need to switch to a new root cert, so I created a new instance of OpenXPKI.

Here is what I did:

- First of all, I'm using Proxmox VE on my dedicated host server. I created a new container. FYI, it's an unprivileged container with the default LXC AppArmor profile and default Proxmox settings. It is a Debian 10 LXC container.

- I updated and upgraded the packages in the LXC.

    apt-get update && apt-get upgrade -y

- I set the timezone (Europe/Paris), then the locale (fr_FR.UTF-8).

    dpkg-reconfigure tzdata
    dpkg-reconfigure locales

- I'm used to PostgreSQL for databases, so I'm using it for OpenXPKI.

    apt-get install postgresql libdbd-pg-perl libdbd-pgsql

- I created a user on the database.

    su -c psql postgres
    CREATE USER openxpki WITH PASSWORD 'openxpki';
    CREATE DATABASE openxpki OWNER openxpki;
    \q

- I populated the database with the schema found here: https://raw.githubusercontent.com/Gregory-Widmer/openxpki-config/f2dbcaaf3a1e9a4989da26540f436cbf39eb93fd/contrib/sql/schema-psql.sql

    wget https://raw.githubusercontent.com/Gregory-Widmer/openxpki-config/f2dbcaaf3a1e9a4989da26540f436cbf39eb93fd/contrib/sql/schema-psql.sql
    psql -h 127.0.0.1 -d openxpki -U openxpki -W -f schema-psql.sql
    Password: <openxpki>

- It's now time to install OpenXPKI. I first need to install gpg, then add the repo, then install openxpki. (By the way, I always check the key's fingerprint.)

    apt-get install gpg
    wget https://packages.openxpki.org/v3/debian/Release.key -O - | apt-key add -
    echo "deb http://packages.openxpki.org/v3/debian/ buster release" > /etc/apt/sources.list.d/openxpki.list
    apt update

- I installed apache2 and the fcgid mod, then I enabled it. I also enabled the ssl mod.

    apt install apache2 libapache2-mod-fcgid
    a2enmod fcgid
    a2enmod ssl
    systemctl restart apache2.service

- I installed OpenXPKI.

    apt install libopenxpki-perl openxpki-cgi-session-driver openxpki-i18n

- I put the database credentials into the database.yaml file.

    main:
        debug: 0
        type: PostgreSQL
        name: openxpki
        host: localhost
        port: 5432
        user: openxpki
        passwd: openxpki

- It's now time to set up the base certificates. I'm using the following openssl.cnf file:

    HOME = .
    RANDFILE = .rnd

    [ ca ]
    default_ca = CA_default

    [ CA_default ]
    dir = .
    certs = ./certs
    crl_dir = ./
    database = ./index.txt
    new_certs_dir = ./
    serial = ./serial
    crlnumber = ./crlnumber
    crl = ./crl.pem
    certificate = ./ca.crt
    private_key = ./cakey.pem
    RANDFILE = ~/.rand
    default_md = sha512
    preserve = no
    policy = policy_none
    default_days = 3650
    # x509_extensions = v3_ca_extensions
    # x509_extensions = v3_issuing_extensions
    # x509_extensions = v3_datavault_extensions
    # x509_extensions = v3_scep_extensions
    # x509_extensions = v3_web_extensions

    [policy_none]
    countryName = optional
    organizationName = optional
    domainComponent = optional
    organizationalUnitName = optional
    commonName = supplied

    [ req ]
    default_bits = 4096
    distinguished_name = req_distinguished_name
    # x509_extensions = v3_ca_reqexts # not for root self signed, only for issuing
    ## x509_extensions = v3_datavault_reqexts # not required self signed
    # x509_extensions = v3_scep_reqexts
    # x509_extensions = v3_web_reqexts

    [ req_distinguished_name ]
    domainComponent = Domain Component
    commonName = Common Name

    [ v3_ca_reqexts ]
    subjectKeyIdentifier = hash
    keyUsage = digitalSignature, keyCertSign, cRLSign

    [ v3_datavault_reqexts ]
    subjectKeyIdentifier = hash
    keyUsage = keyEncipherment
    extendedKeyUsage = emailProtection

    [ v3_scep_reqexts ]
    subjectKeyIdentifier = hash

    [ v3_web_reqexts ]
    subjectKeyIdentifier = hash
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth, clientAuth

    [ v3_ca_extensions ]
    subjectKeyIdentifier = hash
    keyUsage = digitalSignature, keyCertSign, cRLSign
    basicConstraints = critical,CA:TRUE
    authorityKeyIdentifier = keyid:always,issuer

    [ v3_issuing_extensions ]
    subjectKeyIdentifier = hash
    keyUsage = digitalSignature, keyCertSign, cRLSign
    basicConstraints = critical,CA:TRUE
    authorityKeyIdentifier = keyid:always,issuer:always

    [ v3_datavault_extensions ]
    subjectKeyIdentifier = hash
    keyUsage = keyEncipherment
    extendedKeyUsage = emailProtection
    basicConstraints = CA:FALSE
    authorityKeyIdentifier = keyid:always,issuer

    [ v3_scep_extensions ]
    subjectKeyIdentifier = hash
    basicConstraints = CA:FALSE
    authorityKeyIdentifier = keyid,issuer

    [ v3_web_extensions ]
    subjectKeyIdentifier = hash
    keyUsage = critical, digitalSignature, keyEncipherment
    extendedKeyUsage = serverAuth, clientAuth
    basicConstraints = critical,CA:FALSE
    subjectAltName = DNS:sorry.im.not.giving.it

- I set up the required files, created an ECC key, then my root certificate.

    echo 1000 > serial
    touch index.txt
    touch index.txt.attr
    echo 00 > crlnumber
    dd if=/dev/urandom of=.rnd bs=256 count=1
    openssl ecparam -name secp384r1 -genkey -out cakey.pem
    openssl req -config openssl.cnf -key cakey.pem -days 3650 -extensions v3_ca_extensions -x509 -out ca.crt

- I imported the certificate.

    openxpkiadm certificate import --file ca.crt
    Starting import
    Successfully imported certificate into database:
      Subject:    CN=Dummy Root CA
      Issuer:     CN=Dummy Root CA
      Identifier: YrwPQKfhPYc9vdVfxuvuxsjojQE
      Realm:      none

- I created the DataVault key and certificate, then I imported it. It's now time to start OpenXPKI.

    openssl req -newkey rsa:4096 -keyout vault-1.pem -nodes -subj '/CN=Internal DataVault' -x509 -out vault.crt
    mkdir -p /etc/openxpki/local/keys
    cp vault-1.pem /etc/openxpki/local/keys/vault-1.pem
    chmod 400 /etc/openxpki/local/keys/vault-1.pem
    chown openxpki.openxpki /etc/openxpki/local/keys/vault-1.pem
    openxpkiadm alias --realm democa --token datasafe --file vault.crt
    openxpkictl start

- I checked my DataVault token:

    openxpkicli get_token_info --arg alias=vault-1
    {
       "key_name" : "/etc/openxpki/local/keys/vault-1.pem",
       "key_secret" : 1,
       "key_store" : "OPENXPKI",
       "key_usable" : 1
    }

- I created my Dummy Issuing CA certificate, then I imported it.

    openssl ecparam -name secp384r1 -genkey -out issuing_ca.key
    openssl req -new -key issuing_ca.key -out issuing_ca.csr -subj '/CN=Dummy Issuing CA'
    openssl ca -config openssl.cnf -days 3650 -md sha512 -extensions v3_ca_extensions -in issuing_ca.csr -out issuing_ca.crt
    mkdir /etc/openxpki/local/keys/democa
    cp issuing_ca.key /etc/openxpki/local/keys/democa/ca-signer-1.pem
    chown openxpki.openxpki /etc/openxpki/local/keys/democa/ca-signer-1.pem
    chmod 400 /etc/openxpki/local/keys/democa/ca-signer-1.pem
    openxpkiadm alias --realm democa --token certsign --file issuing_ca.crt --key issuing_ca.key

- My key was not usable because of crypto.yaml in realm democa. It was supposed to be in the datapool, but I didn't want that. I changed the following in /etc/openxpki/config.d/realm/democa/crypto.yaml:

    ca-signer:
        inherit: default
        key_store: OPENXPKI
        key: /etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem

  And the same for SCEP:

    scep:
        inherit: default
        backend: OpenXPKI::Crypto::Tool::LibSCEP
        key_store: OPENXPKI
        key: /etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem

- After restarting OpenXPKI, my key was usable:

    openxpkicli get_token_info --arg alias=ca-signer-1
    {
       "key_name" : "/etc/openxpki/local/keys/democa/ca-signer-1.pem",
       "key_secret" : 1,
       "key_store" : "OPENXPKI",
       "key_usable" : 1
    }

- I imported my SCEP certificate so it was usable. Now it's revelation time. Will the Root CA be set?

    openxpkiadm alias --realm democa
    === functional token ===
    vault (datasafe):
    Alias     : vault-1
    Identifier: l4UX_RYgF_30esbMt7vRsijpZ_4
    NotBefore : 2021-04-25 12:25:37
    NotAfter  : 2021-05-25 12:25:37

    scep (scep):
    Alias     : scep-1
    Identifier: e96l3zEznWh8IEHGkw9KZuJsGLM
    NotBefore : 2021-04-25 13:00:26
    NotAfter  : 2031-04-23 13:00:26

    ca-signer (certsign):
    Alias     : ca-signer-1
    Identifier: jh2pdseEuS_lH6taaworf2jkS8I
    NotBefore : 2021-04-25 12:43:00
    NotAfter  : 2031-04-23 12:43:00

    === root ca ===
    current root ca: not set
    upcoming root ca: not set

It's not. So here is how to reproduce this. I wonder if it could be related to the fact that I'm using Psql as the database? I don't think so, but I don't know how the root ca is queried.

@Oliver: If you're not able to reproduce this, or if you want to test things on my installation, I can provide you root SSH access if you give me a public SSH key. There's only OpenXPKI on this container, so I can give temporary access to the container. I'll send the FQDN of my server with the port if you send me this. I'll also set up the Web UI certificate to make this OpenXPKI instance available from the Internet, protected with HTTP basic auth. You can find my PGP fingerprint below if you want to encrypt the conversation; my public key is available on the SKS keyservers: http://hkps.pool.sks-keyservers.net/pks/lookup?op=get&search=0xD69A84169D1A9CA8

Thank you for reading, I hope this will help you.

PGP Fingerprint : 0x15DF 085D 9BED 6686 24AB E069 D69A 8416 9D1A 9CA8

On 25/04/2021 at 11:08, Oliver Welter wrote:
Hi Gregory,

I don't understand why the root alias does not show up, it is usually auto-generated when you import the "certsign" certificate.

Anyway - for normal operations the alias is not required and it was added mainly for informational purpose to see what root certificates are in use by the PKI. We have used this in the past for advanced trust management, etc. but this is all far beyond the scope of the default setup and needs support on the client side so you can just ignore this.

In case you are able to reproduce this, I would appreciate detailed instructions on this.

Oliver

On 22.04.21 at 18:59, Grégory Widmer wrote:

Hello,

Today I set up my OpenXPKI instance following the Quickstart documentation found here: https://openxpki.readthedocs.io/en/latest/quickstart.html

Everything went smoothly but there is something which bothers me. In the "Create Issuing CA Token" section, we should see something like the following when executing `openxpkiadm alias --realm <My Realm>`:

    $ openxpkiadm alias --realm democa
    === functional token ===
    scep (scep):
    Alias     : scep-1
    Identifier: YsBNZ7JYTbx89F_-Z4jn_RPFFWo
    NotBefore : 2015-01-30 20:44:40
    NotAfter  : 2016-01-30 20:44:40

    vault (datasafe):
    Alias     : vault-1
    Identifier: lZILS1l6Km5aIGS6pA7P7azAJic
    NotBefore : 2015-01-30 20:44:40
    NotAfter  : 2016-01-30 20:44:40

    ca-signer (certsign):
    Alias     : ca-signer-1
    Identifier: Sw_IY7AdoGUp28F_cFEdhbtI9pE
    NotBefore : 2015-01-30 20:44:40
    NotAfter  : 2018-01-29 20:44:40

    === root ca ===
    current root ca:
    Alias     : root-1
    Identifier: fVrqJAlpotPaisOAsnxa9cglXCc
    NotBefore : 2015-01-30 20:44:39
    NotAfter  : 2020-01-30 20:44:39

    upcoming root ca: not set

But when I execute it, here is the output:

    root@OpenXPKI:~# openxpkiadm alias --realm <My Realm>
    === functional token ===
    ca-signer (certsign):
    Alias     : ca-signer-1
    Identifier: EAcWynRnKvuqr3txMCCEofpIUBw
    NotBefore : 2021-04-22 13:42:52
    NotAfter  : 2031-04-20 13:42:52

    vault (datasafe):
    Alias     : vault-1
    Identifier: zbOKQPsIG__VaSmUxmz3gbIecEk
    NotBefore : 2021-04-22 13:45:31
    NotAfter  : 2031-04-20 13:45:31

    scep (scep):
    Alias     : scep-1
    Identifier: Ajiolk0EpqFXVLYpIFH2VJPsuJM
    NotBefore : 2021-04-22 13:48:45
    NotAfter  : 2031-04-20 13:48:45

    === root ca ===
    current root ca: not set
    upcoming root ca: not set

As said in the doc, ids and times will vary. But what bothers me is the fact that the current root ca is not set. It was imported earlier as you can see:

    root@OpenXPKI:~# openxpkiadm certificate list --all -v -v
    Certificates in <My Realm>:
    Identifier: Ajiolk0EpqFXVLYpIFH2VJPsuJM
    Alias: scep-1 (in realm: <My Realm>)
    Subject: CN=SCEP Certificate v1,O=<My org>
    Issuer DN: CN=Issuing CA v1,O=<My org>
    Chain: Ajiolk0EpqFXVLYpIFH2VJPsuJM -> EAcWynRnKvuqr3txMCCEofpIUBw -> KU_1utq7QXfgB1UXEm8sCMEYLUs (complete)

    Identifier: EAcWynRnKvuqr3txMCCEofpIUBw
    Alias: ca-signer-1 (in realm: <My Realm>)
    Subject: CN=Issuing CA v1,O=<My org>
    Issuer DN: CN=<My Org> Root CA v1,O=<My org>
    Chain: EAcWynRnKvuqr3txMCCEofpIUBw -> KU_1utq7QXfgB1UXEm8sCMEYLUs (complete)

    Identifier: zbOKQPsIG__VaSmUxmz3gbIecEk
    Alias: vault-1 (in realm: <My realm>)
    Subject: CN=<My Org> PKI DataVault Certificate
    Issuer DN: CN=<My Org> PKI DataVault Certificate
    Chain: zbOKQPsIG__VaSmUxmz3gbIecEk (complete)

    Identifier: KU_1utq7QXfgB1UXEm8sCMEYLUs
    Subject: CN=<My Org> Root CA v1,O=<My Org>
    Issuer DN: <Hidden Subject>
    Chain: KU_1utq7QXfgB1UXEm8sCMEYLUs (complete)

The last certificate is the Root CA. Am I missing something from the doc, or is there something to do? Is there any impact on the workflows if the Root CA is not set?

Thank you :D

PS: OpenXPKI is great :D

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users

-- 
Protect your environment - close windows and adopt a penguin!
-- 
Grégory Widmer
gregory.wid...@gwidmer.fr
DevOps, System Administrator and Network Administrator
PGP Fingerprint : 0x15DF 085D 9BED 6686 24AB E069 D69A 8416 9D1A 9CA8
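The steps in the mail above build a secp384r1 root, sign an issuing CA with the v3_ca_extensions section of the quoted openssl.cnf, and import the issuing certificate as the "certsign" token, which is the import Oliver says normally derives the root alias. The script below is an added example, not code from this thread or from the OpenXPKI project: it rebuilds that two-level PKI in a scratch directory and checks the two properties the chain needs to be resolvable, namely that the issuing certificate verifies against the root and that its authorityKeyIdentifier equals the root's subjectKeyIdentifier. It assumes only that openssl is on PATH; every file name is constructed for the demo, and the identifier helper encodes my understanding of OpenXPKI's identifier scheme (SHA-1 of the DER certificate, base64url without padding), which is an assumption, not something the thread confirms.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from OpenXPKI.
# Rebuilds the root + issuing CA pair from the steps above in a temp dir and
# checks that the issuing CA really chains to the root (openssl verify) and
# that its AKI matches the root's SKI, which is how chain building finds the
# issuer. Assumptions: openssl on PATH; constructed file names; nothing under
# /etc/openxpki is touched.
set -e

PKI_DIR=$(mktemp -d)

# Minimal config: only the sections the two CA certificates need, copied from
# the v3_ca_extensions section of the openssl.cnf quoted in the mail.
write_cnf() {
    cat > "$PKI_DIR/openssl.cnf" <<'EOF'
[ req ]
distinguished_name = req_distinguished_name

[ req_distinguished_name ]
commonName = Common Name

[ v3_ca_extensions ]
subjectKeyIdentifier = hash
keyUsage = digitalSignature, keyCertSign, cRLSign
basicConstraints = critical,CA:TRUE
authorityKeyIdentifier = keyid:always,issuer
EOF
}

# Root CA: ECC key on secp384r1, self-signed with the CA extensions.
# Issuing CA: its own key and CSR, signed by the root with the same section.
# "openssl x509 -req" is used instead of "openssl ca" so that no index.txt,
# serial or crlnumber files are needed for the demo.
build_pki() {
    write_cnf
    openssl ecparam -name secp384r1 -genkey -noout -out "$PKI_DIR/cakey.pem"
    openssl req -config "$PKI_DIR/openssl.cnf" -new -x509 -key "$PKI_DIR/cakey.pem" \
        -days 3650 -subj '/CN=Dummy Root CA' -extensions v3_ca_extensions \
        -out "$PKI_DIR/ca.crt"
    openssl ecparam -name secp384r1 -genkey -noout -out "$PKI_DIR/issuing_ca.key"
    openssl req -config "$PKI_DIR/openssl.cnf" -new -key "$PKI_DIR/issuing_ca.key" \
        -subj '/CN=Dummy Issuing CA' -out "$PKI_DIR/issuing_ca.csr"
    openssl x509 -req -in "$PKI_DIR/issuing_ca.csr" -CA "$PKI_DIR/ca.crt" \
        -CAkey "$PKI_DIR/cakey.pem" -CAcreateserial -days 3650 -sha512 \
        -extfile "$PKI_DIR/openssl.cnf" -extensions v3_ca_extensions \
        -out "$PKI_DIR/issuing_ca.crt"
}

# Print one key identifier extension as a bare hex string.
# $1 = certificate file, $2 = "Subject" or "Authority".
# The "keyid:" prefix is stripped because OpenSSL 1.1.1 prints it for the AKI
# and OpenSSL 3.x does not.
key_id() {
    openssl x509 -in "$1" -noout -text \
        | grep -A1 "X509v3 $2 Key Identifier" | tail -n 1 \
        | sed 's/^[[:space:]]*//; s/^keyid://'
}

# OpenXPKI-style certificate identifier. ASSUMPTION: SHA-1 of the DER
# encoding, base64url without padding; this yields the same 27-character
# shape as the identifiers in the thread but is not verified against the
# OpenXPKI source.
cert_identifier() {
    openssl x509 -in "$1" -outform DER | openssl dgst -sha1 -binary \
        | openssl base64 | tr '+/' '-_' | tr -d '=\n'
}

# Return 0 when the issuing CA verifies against the root and the AKI/SKI
# pair matches; 1 otherwise, so callers and tests can act on the result.
verify_chain() {
    openssl verify -CAfile "$PKI_DIR/ca.crt" "$PKI_DIR/issuing_ca.crt" >/dev/null || return 1
    root_ski=$(key_id "$PKI_DIR/ca.crt" Subject)
    issuing_aki=$(key_id "$PKI_DIR/issuing_ca.crt" Authority)
    [ -n "$root_ski" ] && [ "$root_ski" = "$issuing_aki" ] || return 1
    return 0
}

build_pki >/dev/null 2>&1
if verify_chain; then
    echo "chain OK: issuing CA -> root, root identifier $(cert_identifier "$PKI_DIR/ca.crt")"
else
    echo "chain BROKEN: the issuing CA does not resolve to this root" >&2
fi
```

If verify_chain fails for a real pair of certificates (for instance because the root was re-generated after the issuing CA was signed, so the AKI points at a key identifier no stored root has), the import of the certsign token can still succeed while nothing links it to a root; comparing the SKI of the imported root with the AKI of ca-signer-1 is therefore the first thing worth checking before suspecting the database backend.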