Hello,
I finally figured it out.
There is a really important line missing on the readthedocs (or I
totally missed it).
If you have multiple roots or a deeper hierarchy please import all
certificates that will not be signer tokens to the current installation.
Always start with the self-signed root.
The line I did find on the quickstart of the config repository:
https://github.com/openxpki/openxpki-config/blob/community/QUICKSTART.md
The QUICKSTART from the config isn't something people tend to read (at
least not me) when there is already a quickstart on the readthedocs and the
docker repository.
With kind regards,
Hans de Jong
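The chain discussed in this thread (Root CA > Factory Root CA > Factory CA, from the earlier message quoted below) and the import rule above (every certificate that is not a signer token, self-signed root first) can be checked locally before anything is imported. The following script is an added example and is not code from this thread or from the OpenXPKI project: it builds such a three-level chain with the openssl CLI (assumed to be OpenSSL 1.1.1 or 3.x on PATH) and shows that "openssl verify" only succeeds when the self-signed root is the trusted anchor and the intermediate is supplied as well. The openxpkiadm commands in the comments are assumed from the QUICKSTART linked above and are not executed.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenXPKI.
# Builds the chain Root CA > Factory Root CA > Factory CA with the openssl
# CLI (assumed: OpenSSL 1.1.1 or 3.x on PATH) and checks it the way a PKI
# operator should before importing it anywhere.

# Extension profile shared by every CA certificate in the chain.
write_ca_ext() {
    cat > "$1" <<'EOF'
basicConstraints=critical,CA:TRUE
keyUsage=critical,keyCertSign,cRLSign
EOF
}

# Create an RSA key and a CSR; $1 is the file prefix, $2 the common name.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" >/dev/null 2>&1
}

# Self-sign the root CSR ($1 prefix) with the CA extensions in $2.
self_sign_root() {
    openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 3650 -sha256 \
        -extfile "$2" -out "$1.crt" >/dev/null 2>&1
}

# Sign the CSR $1.csr with issuer $2 (its .crt and .key) using extensions $3.
sign_with() {
    openssl x509 -req -in "$1.csr" -CA "$2.crt" -CAkey "$2.key" \
        -CAcreateserial -days 730 -sha256 -extfile "$3" -out "$1.crt" \
        >/dev/null 2>&1
}

# Build the whole chain inside directory $1 (root -> factory-root -> factory-ca).
build_chain() {
    write_ca_ext "$1/ca.ext" &&
    make_csr "$1/root" "Root CA" &&
    self_sign_root "$1/root" "$1/ca.ext" &&
    make_csr "$1/factory-root" "Factory Root CA" &&
    sign_with "$1/factory-root" "$1/root" "$1/ca.ext" &&
    make_csr "$1/factory-ca" "Factory CA" &&
    sign_with "$1/factory-ca" "$1/factory-root" "$1/ca.ext"
}

# Correct check: only the self-signed root is trusted (-CAfile); the
# intermediate is passed as -untrusted so the full path can be built.
verify_full_chain() {
    openssl verify -CAfile "$1/root.crt" -untrusted "$1/factory-root.crt" \
        "$1/factory-ca.crt" >/dev/null 2>&1
}

# Same check with the intermediate left out: the issuer of Factory CA
# cannot be found, so this returns non-zero.
verify_without_intermediate() {
    openssl verify -CAfile "$1/root.crt" "$1/factory-ca.crt" >/dev/null 2>&1
}

# Import order that follows from the message above: every certificate that
# is not a signer token goes in first, the self-signed root before the
# intermediate. The openxpkiadm syntax below is assumed from the QUICKSTART
# and is not executed by this script:
#   openxpkiadm certificate import --file root.crt
#   openxpkiadm certificate import --file factory-root.crt
#   openxpkiadm alias --realm <realm> --token certsign \
#       --file factory-ca.crt --key factory-ca.key

# Stand-alone run: CHAIN_DEMO_DIR=/tmp/chain sh chain-check.sh
if [ -n "${CHAIN_DEMO_DIR:-}" ]; then
    mkdir -p "$CHAIN_DEMO_DIR"
    build_chain "$CHAIN_DEMO_DIR" || { echo "chain build failed"; exit 1; }
    verify_full_chain "$CHAIN_DEMO_DIR" && echo "full chain: OK"
    verify_without_intermediate "$CHAIN_DEMO_DIR" || echo "without intermediate: FAIL (expected)"
fi
```

The point of the two verify functions is the one Hans ran into: a bundle is not a substitute for the right file in the right role. The trust anchor must be the self-signed root, and every intermediate has to be known to the verifier (or, for OpenXPKI, imported) before the signer certificate can be validated.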
On 12/2/21 10:31 AM, Hans de Jong wrote:
Hello,
I figured out an issue with my certificates.
However now I run into a different issue when importing the certificates.
I am working with a longer CA chain than the example.
Root CA > Factory Root CA > Factory CA
Before I used the certificate bundle/chain as signer-ca.crt and the
root certificate as root.crt.
However that wouldn't validate.
Now I use the Factory Root CA bundle as root.crt and the Factory CA as
signer-ca.crt.
This will validate by openssl. However this runs into an issue when
trying to import these certificates into openxpki
See actions taken:
https://gist.github.com/Sult/3729e123e0d4f20dc9b5bc1702ce87b0
Certificates (testing):
root: https://gist.github.com/Sult/09f65ffb1f1bf4ae52dbee72983c5080
signer-ca: https://gist.github.com/Sult/51339d3a07e83c7238cd7527abc0a772
I am concluding I most likely am actually doing something with my
certificates instead of the password.
I did a password check on the sample-config certificates to see if I
changed them in the right location, which indeed would put them offline.
What should be the correct use of the certificates?
Both, root.crt as bundle or signer-ca as bundle, don't seem to work.
With kind regards,
Hans de Jong
On 11/30/21 10:44 AM, Oliver Welter wrote:
Hello Hans,
the password section is referenced via the keyword "secret", not the
name of the token - please check your configuration against the example.
Oliver
On 30.11.21 at 10:11, Hans de Jong wrote:
Hello,
Thanks for your reply. I am however so far unable to get it fixed.
As you suggested I checked the token info for the ca-signer-1 and
that seems as expected:
root@03320e4aaa09:/var/log/openxpki# openxpkicli get_token_info
--arg alias=ca-signer-1
{
"key_name" : "ca-signer-1",
"key_secret" : 1,
"key_store" : "DATAPOOL",
"key_usable" : 1
}
However I keep getting that the certificate is offline.
So I first added the password in <realm>/crypto.yaml (also tried
ca-signer-1):
ca-signer:
    label: CA signer secret group
    export: 0
    method: literal
    value: root
First I had my own password, but to see if it worked with root (like
the sampleconfig script), to try to avoid possible other parts I
might have missed. But even with root it won't work.
Naturally I recreated the certificates and keys with the root
password, and tested it on the server to make sure the password was
correct.
So it seems that even with the same passwords and commands as the
sampleconfig script, I fail to get the ca-signer certificate online.
Do you have any other idea what this can be? I am using the docker
container, in case that could make any difference.
With kind regards,
Hans de Jong
PS: Is there a way to extend the workflows with bash scripts instead
of references to Perl code? I would like to add my own parts,
however I am not proficient with Perl.
On 11/26/21 1:32 PM, Oliver Welter wrote:
Hello Hans,
please check with "openxpkicli get_token_info --arg
alias=ca-signer-1" if the key is properly found (key_usable = 1).
If this is the case, check if the password in the realm's
crypto.yaml matches the password that was used when generating the key.
Oliver
On 25.11.21 at 08:57, Hans de Jong wrote:
Hello,
I have been trying to set up my own realm and certificates with
openxpki, however I keep running into the issue that my Signing CA
won't come online.
It does load it just fine, and the realm alias info lists it all.
But it stays offline.
The vault however does work.
What I do:
https://gist.github.com/Sult/8e67307bfdfbc66ed07d1d1891bbf94c
I did find in the documentation that the filename is important
(With default config)
https://openxpki.readthedocs.io/en/stable/operation/tokenconfig.html#initial-setup
The <realm>/ca says you would need to have keys in
local/keys/<realm>, however the sample config doesn't follow this
convention. I have also tried putting the keys there, but with
the same result: the Signing CA won't come online.
With kind regards,
Hans de Jong
PS: I don't know if this is useful, but when I have everything
loaded, I get this output when showing the realm alias info.
root@6cc6f2267e07:/etc/openxpki/tmp# openxpkiadm alias --realm
provisioningca
=== functional token ===
scep (scep):
Alias : scep-1
Identifier: datk1dTh9DV2mUbP-YbctJn0Acw
NotBefore : 2021-11-23 10:41:01
NotAfter : 2022-11-23 10:41:01
vault (datasafe):
Alias : vault-1
Identifier: f56oyzMYYgI1tFl4YVCEQTQVDVI
NotBefore : 2021-11-24 13:25:59
NotAfter : 2024-11-28 13:25:59
ca-signer (certsign):
Alias : ca-signer-1
Identifier: a2YR8-rwPDRFHJZrMvkWM_YL-cA
NotBefore : 2021-11-23 10:40:54
NotAfter : 2022-11-23 10:40:54
ratoken (cmcra):
not set
=== root ca ===
current root ca:
Alias : root-1
Identifier: 0wwvnOUX2DNSYdjT0MNhPpfkyJg
NotBefore : 2021-11-23 10:40:49
NotAfter : 2031-11-21 10:40:49
upcoming root ca:
not set
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
--
Protect your environment - close windows and adopt a penguin!