Hi,

if you are using the default configuration you must set up the "datavault" token before being able to load a key into the database.

Oliver

On 19.05.21 at 11:15, Gerard van den Bosch wrote:
> Hello,
>
> I managed to resolve the verify issue, my generated Issuing CA was missing Certificate Sign, CRL Sign in the X509v3 key usage.
>
> However when I now try to load the SCEP certificate it gives a different error:
>
> root@a9e04f637ed4:/etc/openxpki/ca# openxpkiadm alias --realm testrealm --token scep --file emfytest_SCEP.crt --key emfytest_SCEP.key
> 2021/05/19 10:03:04 Could not find token alias by group
> Error running command: Could not find token alias by group at /usr/share/perl5/OpenXPKI/Client/Simple.pm line 461.
>
> However in the crypto.yaml the group is called scep:
> type:
>   certsign: ca-signer
>   datasafe: vault
>   scep: scep
>
> Can anyone give a pointer where to look on how to solve this error?
>
> Cheers,
> Gerard
>
> On Mon, 17 May 2021 at 18:20, Gerard van den Bosch <[email protected] <mailto:[email protected]>> wrote:
>
>     Hello,
>
>     I am able to load a self signed Root CA and the Issuing CA into the database using the openxpkiadm command:
>
>     root@a9e04f637ed4:/etc/openxpki/ca# openxpkiadm certificate import --file emfytest_RootCA.crt --realm testrealm
>     Starting import
>     Successfully imported certificate into database:
>       Subject: C=my,ST=pahang,L=kuantan,CN=emfytest_RootCA,OU=engineering,O=emfytech
>       Issuer: C=my,ST=pahang,L=kuantan,CN=emfytest_RootCA,OU=engineering,O=emfytech
>       Identifier: yvxxDgY50iLu9UekXIF3aGV9DlU
>       Realm: testrealm
>     root@a9e04f637ed4:/etc/openxpki/ca# openxpkiadm certificate import --file emfytest_IssuingCA.crt --realm testrealm
>     Starting import
>     Successfully imported certificate into database:
>       Subject: C=my,ST=pahang,L=kuantan,CN=emfytest_IssuingCA,OU=engineering,O=emfytech
>       Issuer: C=my,ST=pahang,L=kuantan,CN=emfytest_RootCA,OU=engineering,O=emfytech
>       Identifier: aauifzspWz-cX5SzHooYUTLYGGE
>       Realm: testrealm
>
>     However when I tried to load the certificate for SCEP, I get a verify error:
>
>     root@a9e04f637ed4:/etc/openxpki/ca# openxpkiadm alias --realm testrealm --token scep --file emfytest_SCEP.crt --key emfytest_SCEP.key
>     2021/05/17 07:31:31 OpenSSL error: O = emfytech, OU = engineering, CN = emfytest_SCEP, L = kuantan, ST = pahang, C = my
>     error 20 at 0 depth lookup: unable to get local issuer certificate
>     2021/05/17 07:31:31 I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
>     2021/05/17 07:31:31 I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::verify_cert, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
>     I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED
>     __ERRVAL__: I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 512
>     __COMMAND__: OpenXPKI::Crypto::Backend::OpenSSL::Command::verify_cert
>
>     With openssl I can reproduce the error when I execute the following:
>
>     openssl verify -CAfile emfytest_RootCA.crt -untrusted emfytest_IssuingCA.crt emfytest_SCEP.crt
>
>     The solution I found was to concat the IssuingCA and SCEP certificate and execute the following, and it returns OK.
>     openssl verify -CAfile emfytest_RootCA.crt emfytest_Combined.crt
>
>     How can I import the SCEP certificate with openxpkiadm so that it accepts it?
>
>     Cheers,
>     Gerard
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
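
The key-usage cause named in the quoted message, reproduced as an added example (not from the thread or from the OpenXPKI project): two throwaway chains are built with openssl, one whose issuing CA lacks Certificate Sign and one that has it, and both are run through the same `openssl verify -CAfile ... -untrusted ...` check. File names, CNs and function names are assumptions made for the example.

```shell
# Added example; every certificate here is a constructed throwaway.
# build_chain DIR KU: root CA -> issuing CA (keyUsage=KU) -> SCEP-style leaf.
build_chain() {
    d=$1; mkdir -p "$d"
    cat > "$d/ext.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = unused
[root]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[issuing]
basicConstraints = critical,CA:TRUE
keyUsage = critical,$2
[leaf]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
EOF
    openssl req -config "$d/ext.cnf" -new -x509 -newkey rsa:2048 -nodes -days 2 \
        -keyout "$d/root.key" -out "$d/root.crt" \
        -subj "/CN=example_RootCA" -extensions root 2>/dev/null || return 1
    for pair in issuing:root leaf:issuing; do   # certificate:signer
        c=${pair%%:*}; ca=${pair##*:}
        openssl req -config "$d/ext.cnf" -new -newkey rsa:2048 -nodes \
            -keyout "$d/$c.key" -out "$d/$c.csr" -subj "/CN=example_$c" 2>/dev/null &&
        openssl x509 -req -in "$d/$c.csr" -CA "$d/$ca.crt" -CAkey "$d/$ca.key" \
            -set_serial 2 -days 2 -extfile "$d/ext.cnf" -extensions "$c" \
            -out "$d/$c.crt" 2>/dev/null || return 1
    done
}
# verify_leaf DIR: succeeds only if the leaf chains to the root via the issuing CA.
verify_leaf() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/issuing.crt" \
        "$1/leaf.crt" 2>&1 | grep -q ': OK$'
}
# ca_can_sign CERT: succeeds if the X509v3 key usage lists "Certificate Sign".
ca_can_sign() {
    openssl x509 -in "$1" -noout -text | grep -q 'Certificate Sign'
}
work=$(mktemp -d)
build_chain "$work/bad" digitalSignature
build_chain "$work/good" keyCertSign,cRLSign
for c in bad good; do
    ca_can_sign "$work/$c/issuing.crt" && ku=yes || ku=no
    verify_leaf "$work/$c" && res=OK || res=FAILED
    echo "$c: issuing CA has Certificate Sign=$ku, leaf verify=$res"
done
rm -rf "$work"
```

Running `ca_can_sign` against an issuing CA before importing the certificates it issued shows the missing key usage up front, before any verify step fails.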
