As our internal test tools use aes256 encrypted keys by default I can definitely confirm that this is supported!
On 08.06.21 at 12:17, Scott Thomas via OpenXPKI-users wrote:
> Hi,
>
> I encrypt the key with command
>
>     openssl pkey -in cakey.pem -out ca-signer-1.pem -des
>
> Then I configure file storage for CA key in OpenXPKI
>
>     ca-signer:
>         inherit: default
>         key_store: OPENXPKI
>         key: /etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem
>
> I specify the password in /etc/openxpki/config.d/system/crypto.yaml
> (XXXXXXX is the password)
>
>     secret:
>         default:
>             label: Global secret group
>             export: 0
>             method: literal
>             value: XXXXXXX
>
> and place the encrypted key at /etc/openxpki/local/keys/democa/ca-signer-1.pem
>
> The openxpkictl restart commands run successfully. No error is logged in
> /var/log/openxpki/openxpki.log
>
> But if I encrypt with
>
>     openssl pkey -in cakey.pem -out ca-signer-1.pem -aes256
>
> and repeat the whole process, I get the following error in
> /var/log/openxpki/openxpki.log
>
>     2021/06/08 14:55:21 INFO Loaded auth handler User Password [pid=1425|]
>     2021/06/08 14:55:21 INFO Loaded auth handler Password Connector [pid=1425|]
>     2021/06/08 14:55:21 INFO Loaded auth handler Operator Password [pid=1425|]
>     2021/06/08 14:55:21 INFO Loaded auth handler OneTimePassword [pid=1425|]
>     2021/06/08 14:55:21 INFO Loaded auth handler TestAccounts [pid=1425|]
>     2021/06/08 14:55:21 INFO Loaded auth handler User NoAuth [pid=1425|]
>     2021/06/08 14:55:21 INFO Loaded auth handler Certificate [pid=1425|]
>     2021/06/08 14:55:21 INFO Loaded auth handler Anonymous [pid=1425|]
>     2021/06/08 14:55:21 INFO Loaded auth handler System [pid=1425|]
>     2021/06/08 14:55:37 ERROR OpenSSL error: Using configuration from /var/tmp/openxpki14317O2LyAWd/openssl.cnf
>     unable to load CA private key
>     140036093678720:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:597:
>     140036093678720:error:23077074:PKCS12 routines:PKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
>     140036093678720:error:2306A075:PKCS12 routines:PKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
>     140036093678720:error:0907B00D:PEM routines:PEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:88:
>      [pid=1431|sid=+2V1|wftype=crl_issuance|wfid=44799]
>     2021/06/08 14:55:37 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256 [pid=1431|sid=+2V1|wftype=crl_issuance|wfid=44799]
>     2021/06/08 14:55:37 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::issue_crl, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256 [pid=1431|sid=+2V1|wftype=crl_issuance|wfid=44799]
>     2021/06/08 14:55:37 ERROR I18N_OPENXPKI_SERVER_WORKFLOW_ERROR_ON_EXECUTE; __ACTION__ => global_nice_issue_crl, __ERROR__ => I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::issue_crl, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256, __EXCEPTION__ => OpenXPKI::Exception [pid=1431|sid=+2V1|wftype=crl_issuance|wfid=44799]
>     2021/06/08 14:55:37 ERROR Error executing workflow activity 'crl_initialize' on workflow id 44799 (type crl_issuance): I18N_OPENXPKI_SERVER_WORKFLOW_ERROR_ON_EXECUTE; __ACTION__ => global_nice_issue_crl, __ERROR__ => I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::issue_crl, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __EXIT_STATUS__ => 256, __EXCEPTION__ => OpenXPKI::Exception [pid=1431|sid=+2V1|wftype=crl_issuance|wfid=44799]
>
> It means that OpenXPKI only uses DES encrypted CA key. How can I change
> the DES to AES256 for CA Key encryption in OpenXPKI?
>
> Regards
>
> On Tuesday, 8 June 2021, 02:11:07 pm GMT+5, Oliver Welter <[email protected]> wrote:
>
> > Hi,
> >
> > the DataVault uses AES256-CBC to encrypt the key blob, the protection
> > of the keys themselves depends on the settings of your key generation -
> > the sampleconfig uses "openssl req -newkey", the used encryption
> > depends on the local system openssl version and system settings.
> >
> > Oliver
> >
> > On 08.06.21 at 10:32, Scott Thomas via OpenXPKI-users wrote:
> > > Hi,
> > >
> > > What is the default Algorithm for encryption for CA Keys in OpenXPKI
> > > via "sampleconfig.sh" and Manual importing the keys?
> > >
> > > Regards
> >
> > --
> > Protect your environment - close windows and adopt a penguin!

--
Protect your environment - close windows and adopt a penguin!
_______________________________________________ OpenXPKI-users mailing list [email protected] https://lists.sourceforge.net/lists/listinfo/openxpki-users
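A small diagnostic, added here and not part of OpenXPKI or of this thread, that classifies how a PEM key file is encrypted and, when openssl is on PATH, checks that the literal secret from crypto.yaml actually decrypts it outside OpenXPKI. The sample PEM headers, temp paths and the `check_key_password` helper are constructed for the demonstration; a `bad decrypt` from the EVP/PKCS12 routines, as in the log above, is what OpenSSL reports when password and key file do not match, which is the case this check isolates.

```shell
#!/bin/sh
# Added diagnostic (not OpenXPKI code): inspect an encrypted PEM CA key and
# verify the configured secret can open it, independent of the server.

# Report the key's PEM encryption form from its header lines only.
pem_key_form() {
    file="$1"
    if grep -q -- '-----BEGIN ENCRYPTED PRIVATE KEY-----' "$file"; then
        # PKCS#8 / PBES2: what "openssl pkey -des" or "-aes256" writes;
        # the cipher sits inside the DER, not in a text header.
        echo "pkcs8-encrypted"
    elif grep -q '^Proc-Type: 4,ENCRYPTED' "$file"; then
        # Traditional (PKCS#1) key: the cipher is visible in DEK-Info.
        sed -n 's/^DEK-Info: *\([^,]*\),.*/traditional-\1/p' "$file"
    elif grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$file"; then
        echo "unencrypted"
    else
        echo "not-a-pem-key"
    fi
}

# Ask openssl to load the key with the given password; exit 0 only when it
# decrypts. Prints "skipped" if openssl is not installed. For interactive
# use prefer -passin file:/stdin so the secret is not visible in ps output.
check_key_password() {
    file="$1"; password="$2"
    command -v openssl >/dev/null 2>&1 || { echo "skipped"; return 0; }
    if openssl pkey -in "$file" -passin "pass:$password" -noout 2>/dev/null; then
        echo "password-ok"
    else
        echo "bad-decrypt"   # same failure OpenXPKI logs as EVP bad decrypt
        return 1
    fi
}

# Constructed sample headers (PLACEHOLDER bodies, not real keys) so the
# classifier can be exercised without touching a real CA key.
tmp="${TMPDIR:-/tmp}/pemcheck.$$"
mkdir -p "$tmp"
printf -- '-----BEGIN ENCRYPTED PRIVATE KEY-----\nPLACEHOLDER\n-----END ENCRYPTED PRIVATE KEY-----\n' > "$tmp/pkcs8.pem"
printf -- '-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\nDEK-Info: DES-EDE3-CBC,0123456789ABCDEF\n\nPLACEHOLDER\n-----END RSA PRIVATE KEY-----\n' > "$tmp/trad.pem"

pem_key_form "$tmp/pkcs8.pem"   # pkcs8-encrypted
pem_key_form "$tmp/trad.pem"    # traditional-DES-EDE3-CBC
# Real use on the thread's layout (hypothetical path, secret from crypto.yaml):
# check_key_password /etc/openxpki/local/keys/democa/ca-signer-1.pem "$SECRET"
```

If `check_key_password` prints `bad-decrypt` for the file OpenXPKI is configured to load, the problem is the password/key pairing and not the cipher OpenXPKI supports.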
