Hello,
Thank you for the answers.
I have noticed that you have updated the documentation. 
Then I noticed that my installation was missing the /etc/openxpki/contrib/ 
directory, so I copied it from 
https://github.com/openxpki/openxpki-config/tree/community
Then I followed the updated document and got stuck on a strange error:

root@server:/home/admin# openssl req -new -keyout vault.key -out vault.crt 
-days 3650 -config /etc/openxpki/contrib/vault.openssl.cnf
Ignoring -days; not generating a certificate
Generating a RSA private key
.........................++++
.......................................................................++++
writing new private key to 'vault.key'
-----
Error Loading extension section v3_datavault_extensions
140436864996480:error:22077079:X509 V3 routines:v2i_AUTHORITY_KEYID:no issuer 
certificate:../crypto/x509v3/v3_akey.c:104:
140436864996480:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error in 
extension:../crypto/x509v3/v3_conf.c:47:name=authorityKeyIdentifier, 
value=keyid:always,issuer

It only generates a key, but no certificate. Where in the filesystem does this 
command have to be executed? As root or as another user?
The system is Debian 10, installed 3 weeks ago; I installed openxpki about 1 
week ago with apt:
apt install libopenxpki-perl openxpki-cgi-session-driver openxpki-i18n
openxpkiadm version - Version (core): 3.10.2
I have "deb http://packages.openxpki.org/v3/debian/ buster release" in 
/etc/apt/sources.list.d/openxpki.list
I tried apt upgrade, but no upgrades are available.
I have searched for " v3_datavault_extensions", but no such mails were found in 
the mailing list.
I went to
https://github.com/openxpki/openxpki-config
then to
https://github.com/openxpki/openxpki-config/tree/community
and did not find any "Upgrade" document. Only the UPGRADEv3.md file was there, 
which is 10 months old. It does not contain instructions on how to upgrade a 
Debian installation.
The README.md talks about Config Update and git Merge, but nothing on classic 
Debian apt installations. I do not use any git.
Thank you.

-----Original Message-----
From: Martin Bartosch <vc-...@cynops.de> 
Sent: Monday, April 26, 2021 2:47 PM
To: openxpki-users@lists.sourceforge.net
Cc: Dimitri TIMOCHENKO <dimitri.timoche...@laposte.net>
Subject: Re: [OpenXPKI-users] Cannot install. Where to obtain DataVault Key and 
DataVault certificate?

Hi,

> The problem is that while the OpenXPKI server is not yet operational 
> (installation not yet finished), the documentation still misses these 2 
> critical steps.
> You have proposed me to 
>> Refer to 
>> https://openxpki.readthedocs.io/en/latest/quickstart.html#create-datavault-token
> This section says:
>       Create DataVault Token
>       The DataVault is a self-signed certificate using an RSA key, see #2 
> above.
> #2 above:
> Create a key/certificate for the internal datavault (ca = false, can be below 
> the ca but can also be self-signed).  [HOW?]
> 
>       Copy the DataVault key file [FROM WHERE?] to 
> /etc/openxpki/local/keys/vault-1.pem, it should have 0400 permission owned by 
> the openxpki user.
>       Now import the certificate:
>       $ openxpkiadm certificate import --file vault.crt [the file does not 
> exist]

First of all please note that OpenXPKI does not actually need a vault 
certificate *unless* it needs to process sensitive user data.

This means if the system is set up only to allow uploading of certificate 
requests from users (NOT allowing server side key generation where the user 
ultimately downloads the certificate AND the private key which was generated on 
the PKI system) no vault certificate is needed. The system complains about the 
missing certificate in the status page (this check can be disabled if desired) 
but it will work properly for processing of non-sensitive data only, i.e. 
signing user supplied certificate requests.

> The problem is that the documentation does not say how to create these 2 
> files: vault-1.pem and vault.crt. What commands should be used (examples?)?

The author of this documentation assumed that the installer is familiar with 
generating a private key with the standard command

openssl genrsa -aes256 -out vault-1.pem

and a self-signed certificate request from this key like in

openssl req -x509 -new -out vault-1.crt -key vault-1.pem -subj 
'/CN=my.openxpki.org:vault' -days 3650

Note that it is also possible to upload a CSR generated from the vault private 
key to the newly installed PKI and issue a TLS Server certificate from the 
request. In the end this does not really matter, as the certificate is only 
used for internal and optional database encryption. Also note that the 
expiration date on the vault certificate does not matter. 

> At that point, the openxpki server is not yet configured nor started; the 
> "Create DataVault Token" section says nothing on where to find these files or 
> HOW to create them. Below I see some other examples on the green background, 
> but not on how to generate or obtain these 2 files.
> What are the commands to create them?

See above.

> Do you require a payment for this knowledge, please?
> I plan to install this platform privately at home, and I am not involved in 
> any business that could use your software or justify purchasing your 
> Enterprise Edition.

No, we do not require our community edition users to pay us for help on this 
mailing list. 

What we *do* expect from users asking for free help on this mailing list is to 

- read and understand existing documentation
- obtain the required base knowledge which is assumed in our documentation
- research the mailing list archive before posting - to check if the same 
question possibly has been asked before
- properly describe the problem in a way that persons who do not have the gift 
of remote Vulcan mind linking can understand the question of the person who is 
asking the question

In summary, if you explain your problem properly, describe what you are doing 
and which exact obstacles you are facing you will have a highly elevated chance 
that one of the developers takes the time to elaborate on the problem in a way 
that approximately matches your efforts. The user's chances roughly double if 
this is done in a polite way.

We frequently see inquiries on this mailing list where a user poses a 
one-sentence question with a hand-waving generality that sometimes blows my 
mind, possibly expecting an elaborate, personal answer of Tolstoi dimensions. 
Users should not be surprised if our answer is of similar length and generality.

In other words: the deal is that conversation on this mailing list shall help 
other people to solve their own problems and to foster the community. Free 
support is only provided by us on the premise that the community gets something 
back in return: The user takes the time to properly describe a problem and we 
take our time to properly answer it. This approach provides a lasting benefit 
to the community.


Best regards,

Martin
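
The two openssl commands from Martin's reply, carried through as an added example (not OpenXPKI project code) in non-interactive form, together with the checks a practitioner would run before importing the result: that the output really is a certificate rather than a request, and that the key file has the 0400 mode the documentation asks for. The working directory, passphrase and CN are assumed placeholders; the file names vault-1.pem / vault-1.crt come from the thread.

```shell
#!/bin/sh
# Added example, not OpenXPKI project code: Martin's two openssl commands
# made non-interactive, plus checks a practitioner would run afterwards.
# Assumed placeholders: the working directory, the passphrase and the CN
# (Martin used '/CN=my.openxpki.org:vault'); the file names vault-1.pem /
# vault-1.crt and the 0400 requirement come from the thread.
set -eu

# Martin's two steps: an AES-256 encrypted RSA key, then a self-signed
# certificate from that key. -x509 is what makes "openssl req" emit a
# certificate instead of a certificate signing request.
make_vault_token() {
  dir=$1; cn=$2; pass=$3
  mkdir -p "$dir"
  openssl genrsa -aes256 -passout "pass:$pass" -out "$dir/vault-1.pem" 3072 2>/dev/null
  openssl req -x509 -new -key "$dir/vault-1.pem" -passin "pass:$pass" \
      -out "$dir/vault-1.crt" -subj "/CN=$cn" -days 3650 2>/dev/null
  chmod 0400 "$dir/vault-1.pem"   # documentation: 0400, owned by the openxpki user
}

# The same "openssl req -new" without -x509: OpenSSL warns
# "Ignoring -days; not generating a certificate" and writes only a CSR,
# which is not what "openxpkiadm certificate import" expects.
make_csr_only() {
  dir=$1; cn=$2; pass=$3
  openssl req -new -key "$dir/vault-1.pem" -passin "pass:$pass" \
      -out "$dir/vault-1.csr" -subj "/CN=$cn" -days 3650 2>/dev/null
}

# Tell a certificate from a request (or neither) before importing it.
classify_pem() {
  if openssl x509 -in "$1" -noout 2>/dev/null; then echo certificate
  elif openssl req -in "$1" -noout 2>/dev/null; then echo request
  else echo unknown; fi
}

# True when the key file mode is exactly 0400 (GNU stat, BSD stat fallback).
key_mode_ok() {
  mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
  [ "$mode" = "400" ]
}
```

After make_vault_token the key still has to be moved to /etc/openxpki/local/keys/vault-1.pem and chowned to the openxpki user, as the quoted documentation states.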

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users