Hello,

I managed to resolve the verify issue: my generated Issuing CA was missing Certificate Sign, CRL Sign in the X509v3 key usage.

However, when I now try to load the SCEP certificate, it gives a different error:

root@a9e04f637ed4:/etc/openxpki/ca# openxpkiadm alias --realm testrealm --token scep --file emfytest_SCEP.crt --key emfytest_SCEP.key
2021/05/19 10:03:04 Could not find token alias by group
Error running command: Could not find token alias by group at /usr/share/perl5/OpenXPKI/Client/Simple.pm line 461.

However, in the crypto.yaml the group is called scep:

type:
  certsign: ca-signer
  datasafe: vault
  scep: scep

Can anyone give a pointer on where to look to solve this error?

Cheers,
Gerard

On Mon, 17 May 2021 at 18:20, Gerard van den Bosch <[email protected]> wrote:

> Hello,
>
> I am able to load a self-signed Root CA and the Issuing CA into the
> database using the openxpkiadm command:
>
> root@a9e04f637ed4:/etc/openxpki/ca# openxpkiadm certificate import --file emfytest_RootCA.crt --realm testrealm
> Starting import
> Successfully imported certificate into database:
>   Subject: C=my,ST=pahang,L=kuantan,CN=emfytest_RootCA,OU=engineering,O=emfytech
>   Issuer: C=my,ST=pahang,L=kuantan,CN=emfytest_RootCA,OU=engineering,O=emfytech
>   Identifier: yvxxDgY50iLu9UekXIF3aGV9DlU
>   Realm: testrealm
> root@a9e04f637ed4:/etc/openxpki/ca# openxpkiadm certificate import --file emfytest_IssuingCA.crt --realm testrealm
> Starting import
> Successfully imported certificate into database:
>   Subject: C=my,ST=pahang,L=kuantan,CN=emfytest_IssuingCA,OU=engineering,O=emfytech
>   Issuer: C=my,ST=pahang,L=kuantan,CN=emfytest_RootCA,OU=engineering,O=emfytech
>   Identifier: aauifzspWz-cX5SzHooYUTLYGGE
>   Realm: testrealm
>
> However, when I tried to load the certificate for SCEP, I get a verify
> error:
>
> root@a9e04f637ed4:/etc/openxpki/ca# openxpkiadm alias --realm testrealm --token scep --file emfytest_SCEP.crt --key emfytest_SCEP.key
> 2021/05/17 07:31:31 OpenSSL error: O = emfytech, OU = engineering, CN = emfytest_SCEP, L = kuantan, ST = pahang, C = my
> error 20 at 0 depth lookup: unable to get local issuer certificate
> 2021/05/17 07:31:31 I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
> 2021/05/17 07:31:31 I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::verify_cert, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
> I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED
> __ERRVAL__: I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
> __COMMAND__: OpenXPKI::Crypto::Backend::OpenSSL::Command::verify_cert
>
> With openssl I can reproduce the error when I execute the following:
>
> openssl verify -CAfile emfytest_RootCA.crt -untrusted emfytest_IssuingCA.crt emfytest_SCEP.crt
>
> The solution I found was to concatenate the IssuingCA and SCEP certificate
> and execute the following, and it returns OK.
>
> openssl verify -CAfile emfytest_RootCA.crt emfytest_Combined.crt
>
> How can I import the SCEP certificate with openxpkiadm so that it accepts it?
>
> Cheers,
> Gerard

_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
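
An added example, not part of the original thread and not OpenXPKI code: it builds two constructed test chains with openssl and shows that the chain whose issuing CA lacks Certificate Sign and CRL Sign fails the `openssl verify -CAfile ... -untrusted ...` check quoted above, while the chain with both usages passes. The helper names (`make_chain`, `ca_key_usage_ok`, `chain_verifies`), subjects and file names are assumptions made for this example.

```shell
# Constructed throwaway PKI: build root -> issuing CA -> leaf in directory $1;
# $2 is the X509v3 key usage given to the issuing CA.
make_chain() {
    mkdir -p "$1"
    cat > "$1/cfg" <<EOF
[req]
distinguished_name = dn
[dn]
commonName = unused
[root_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ica_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,$2
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example-root" \
        -config "$1/cfg" -extensions root_ext -keyout "$1/root.key" -out "$1/root.crt"
    for n in ica leaf; do
        openssl req -newkey rsa:2048 -nodes -subj "/CN=example-$n" \
            -config "$1/cfg" -keyout "$1/$n.key" -out "$1/$n.csr"
    done
    openssl x509 -req -in "$1/ica.csr" -CA "$1/root.crt" -CAkey "$1/root.key" \
        -set_serial 1 -days 1 -extfile "$1/cfg" -extensions ica_ext -out "$1/ica.crt"
    openssl x509 -req -in "$1/leaf.csr" -CA "$1/ica.crt" -CAkey "$1/ica.key" \
        -set_serial 2 -days 1 -out "$1/leaf.crt"
} >/dev/null 2>&1

# Succeeds only if certificate $1 lists both Certificate Sign and CRL Sign.
ca_key_usage_ok() {
    usage=$(openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Key Usage/ { getline; print; exit }')
    case $usage in *"Certificate Sign"*) ;; *) return 1 ;; esac
    case $usage in *"CRL Sign"*) ;; *) return 1 ;; esac
}

# Succeeds only if the leaf in $1 verifies with the issuing CA as -untrusted.
chain_verifies() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/ica.crt" \
        "$1/leaf.crt" 2>/dev/null | grep -q ': OK$'
}

work=$(mktemp -d)
make_chain "$work/bad" digitalSignature
make_chain "$work/good" keyCertSign,cRLSign
for c in bad good; do
    ca_key_usage_ok "$work/$c/ica.crt" && ku=present || ku=missing
    chain_verifies "$work/$c" && v=OK || v=FAILED
    echo "$c: issuing CA signing usages $ku, verify $v"
done
```

Running `ca_key_usage_ok` against an issuing CA certificate before importing it gives a quick pre-check for the key usage problem described at the top of the message.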
