Hi,
I encrypt the key with the command openssl pkey -in cakey.pem -out ca-signer-1.pem -des
Then I configure file storage for the CA key in OpenXPKI:
ca-signer:
    inherit: default
    key_store: OPENXPKI
    key: /etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem
I specify the password in /etc/openxpki/config.d/system/crypto.yaml (XXXXXXX is the password):
secret:
    default:
        label: Global secret group
        export: 0
        method: literal
        value: XXXXXXX
and place the encrypted key at /etc/openxpki/local/keys/democa/ca-signer-1.pem
The openxpkictl restart command runs successfully. No error is logged in /var/log/openxpki/openxpki.log.
But if I encrypt with openssl pkey -in cakey.pem -out ca-signer-1.pem -aes256 and repeat the whole process, I get the following error in /var/log/openxpki/openxpki.log:
2021/06/08 14:55:21 INFO Loaded auth handler User Password
[pid=1425|]2021/06/08 14:55:21 INFO Loaded auth handler Password Connector
[pid=1425|]2021/06/08 14:55:21 INFO Loaded auth handler Operator Password
[pid=1425|]2021/06/08 14:55:21 INFO Loaded auth handler OneTimePassword
[pid=1425|]2021/06/08 14:55:21 INFO Loaded auth handler TestAccounts
[pid=1425|]2021/06/08 14:55:21 INFO Loaded auth handler User NoAuth
[pid=1425|]2021/06/08 14:55:21 INFO Loaded auth handler Certificate
[pid=1425|]2021/06/08 14:55:21 INFO Loaded auth handler Anonymous
[pid=1425|]2021/06/08 14:55:21 INFO Loaded auth handler System
[pid=1425|]2021/06/08 14:55:37 ERROR OpenSSL error: Using configuration from
/var/tmp/openxpki14317O2LyAWd/openssl.cnfunable to load CA private
key140036093678720:error:06065064:digital envelope
routines:EVP_DecryptFinal_ex:bad
decrypt:../crypto/evp/evp_enc.c:597:140036093678720:error:23077074:PKCS12
routines:PKCS12_pbe_crypt:pkcs12 cipherfinal
error:../crypto/pkcs12/p12_decr.c:63:140036093678720:error:2306A075:PKCS12
routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt
error:../crypto/pkcs12/p12_decr.c:94:140036093678720:error:0907B00D:PEM
routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
[pid=1431|sid=+2V1|wftype=crl_issuance|wfid=44799]2021/06/08 14:55:37 ERROR
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256
[pid=1431|sid=+2V1|wftype=crl_issuance|wfid=44799]2021/06/08 14:55:37 ERROR
I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Backend::OpenSSL::Command::issue_crl, __ERRVAL__ =>
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256
[pid=1431|sid=+2V1|wftype=crl_issuance|wfid=44799]2021/06/08 14:55:37 ERROR
I18N_OPENXPKI_SERVER_WORKFLOW_ERROR_ON_EXECUTE; __ACTION__ =>
global_nice_issue_crl, __ERROR__ => I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED;
__COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::issue_crl,
__ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256,
__EXCEPTION__ => OpenXPKI::Exception
[pid=1431|sid=+2V1|wftype=crl_issuance|wfid=44799]2021/06/08 14:55:37 ERROR
Error executing workflow activity 'crl_initialize' on workflow id 44799 (type
crl_issuance): I18N_OPENXPKI_SERVER_WORKFLOW_ERROR_ON_EXECUTE; __ACTION__ =>
global_nice_issue_crl, __ERROR__ => I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED;
__COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::issue_crl,
__ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256,
__EXCEPTION__ => OpenXPKI::Exception
[pid=1431|sid=+2V1|wftype=crl_issuance|wfid=44799]
It means that OpenXPKI only uses DES-encrypted CA keys. How can I change the DES to AES256 for CA key encryption in OpenXPKI?
Regards
On Tuesday, 8 June 2021, 02:11:07 pm GMT+5, Oliver Welter <[email protected]>
wrote:
Hi,
the DataVault uses AES256-CBC to encrypt the key blob; the protection of the
keys themselves depends on the settings of your key generation - the
sampleconfig uses "openssl req -newkey", and the encryption used depends on the
local system openssl version and system settings.
Oliver
Am 08.06.21 um 10:32 schrieb Scott Thomas via OpenXPKI-users:
Hi,
What is the default algorithm for encryption of CA keys in OpenXPKI via
"sampleconfig.sh" and manual importing of the keys?
Regards
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!