Hi,

the whole purpose of the PKI Software is to issue certificates with a CA token, so yes you definitely need one.

I cannot see any problem in the Apache configuration, the two file names are 100% identical.

Oliver

On 28.04.21 at 18:50, Dimitri TIMOCHENKO via OpenXPKI-users wrote:
> Hello,
> Good, no more errors with -x509.
> --small remark---
> I have not yet figured out how to configure CA token and I don't know if it
> is necessary to configure it. Do I need it?
> The command openxpkiadm alias --realm democa
> says that current root ca: not set
> although I have imported the root certificate before....
> ---/remark---
> The main problem now is the Apache TLS certificate.
> The documentation says to place the key to
> /etc/openxpki/tls/private/openxpki.pem and the certificate to
> /etc/openxpki/tls/endentity/openxpki.crt.
>
> But the virtual site config says:
> /etc/apache2/sites-enabled# cat openxpki.conf
> SSLCertificateFile /etc/openxpki/tls/endentity/openxpki.crt
> SSLCertificateChainFile /etc/openxpki/tls/endentity/openxpki.crt
> SSLCertificateKeyFile /etc/openxpki/tls/private/openxpki.pem
>
> The paths are different. I doubt that this will work. Is this normal?
> Thank you
> -----Original Message-----
> From: Martin Bartosch <vc-...@cynops.de>
> Sent: Wednesday, April 28, 2021 5:35 PM
> To: openxpki-users@lists.sourceforge.net
> Cc: Dimitri TIMOCHENKO <dimitri.timoche...@laposte.net>
> Subject: Re: [OpenXPKI-users] Cannot install. Where to obtain DataVault Key
> and DataVault certificate?
>
> Hi,
>
>
>> Then I followed the updated document and stuck with strange error:
>>
>> root@server:/home/admin# openssl req -new -keyout vault.key -out
>> vault.crt -days 3650 -config /etc/openxpki/contrib/vault.openssl.cnf
>> Ignoring -days; not generating a certificate Generating a RSA private
>> key .........................++++
>> ......................................................................
>> .++++ writing new private key to 'vault.key'
>> -----
>> Error Loading extension section v3_datavault_extensions
>> 140436864996480:error:22077079:X509 V3 routines:v2i_AUTHORITY_KEYID:no
>> issuer certificate:../crypto/x509v3/v3_akey.c:104:
>> 140436864996480:error:22098080:X509 V3 routines:X509V3_EXT_nconf:error
>> in
>> extension:../crypto/x509v3/v3_conf.c:47:name=authorityKeyIdentifier,
>> value=keyid:always,issuer
>>
>> It only generates a key, but no certificate. Where in the filesystem this
>> command has to be executed? Under root or other user?
> The command referenced in the documentation contains a small error. Retry,
> adding -x509 on the command line, i. e.:
>
> openssl req -new -x509 -keyout vault.key -out vault.crt -days 3650 -config
> /etc/openxpki/contrib/vault.openssl.cnf
>
> This command will generate the vault.crt certificate file.
>
> It does not matter where this command is executed and which user executes it,
> as the generated key and certificate are imported into the OpenXPKI database
> by the following two openxpkiadm commands. You can delete the generated key
> and certificate after the import.
>
> cheers
>
> Martin
>
> _______________________________________________
> OpenXPKI-users mailing list
> OpenXPKI-users@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/openxpki-users
>
-- 
Protect your environment - close windows and adopt a penguin!
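
An added example, not part of the original messages and not OpenXPKI code: a shell check that the file given to Apache as SSLCertificateFile is really a certificate (and not the request that openssl req writes when -x509 is missing) and that the SSLCertificateKeyFile key belongs to it. The function names, the sample.invalid subject and the throwaway sample files are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: sanity-check a certificate/key pair before Apache loads it.
# check_tls_pair, make_samples and demo are hypothetical helper names.

# check_tls_pair CERT KEY
#   0 = CERT is an X.509 certificate and KEY is its private key
#   1 = CERT does not parse as a certificate (e.g. it is a certificate request)
#   2 = KEY is unreadable or does not belong to CERT
check_tls_pair() {
    # Extract the public key from the certificate; fails on a request file.
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    # Derive the public key from the private key and compare the two.
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 2
    [ "$cert_pub" = "$key_pub" ] || return 2
    return 0
}

# make_samples DIR: constructed test material (throwaway keys, made-up CN).
make_samples() {
    d=$1
    # With -x509, req writes a self-signed certificate.
    openssl req -new -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=sample.invalid" \
        -keyout "$d/good.pem" -out "$d/good.crt" 2>/dev/null || return 1
    # Without -x509, the same command writes a certificate request instead.
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=sample.invalid" \
        -keyout "$d/other.pem" -out "$d/request.crt" 2>/dev/null
}

# demo: run the check over a matching pair, a request file and a wrong key.
demo() {
    tmp=$(mktemp -d) || return 1
    make_samples "$tmp" || { rm -rf "$tmp"; return 1; }
    for pair in "good.crt good.pem" "request.crt other.pem" "good.crt other.pem"; do
        set -- $pair
        rc=0
        check_tls_pair "$tmp/$1" "$tmp/$2" || rc=$?
        echo "$1 + $2 -> $rc"
    done
    rm -rf "$tmp"
}

demo
```

On a real host the call would be check_tls_pair /etc/openxpki/tls/endentity/openxpki.crt /etc/openxpki/tls/private/openxpki.pem, using the paths quoted in the thread.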