Hi Nick,

I would not say you are an idiot - at least you found it out ;)

Yes you can just add a new signer certificate and its key. In case you
are NOT using the "key in datapool" feature you need to make sure that
the name of the key in your config is not hardcoded and the pattern
expands to the right key name.

best regards

Oliver

Am 09.05.22 um 23:21 schrieb Nick Dawson:
> Well, I'm an idiot!
> I was trying to sign a 2 year cert but my ca-signer expires before then. 
> Any way to delete this thread? Or just leave it for historic reference :)
>
> Last question - I can add a new, additional ca-signer (next
> generation) and have it co-exist with my current one? That's the
> roll-over feature, right? 
>
>
> On Mon, May 09, 2022 at 4:27 PM, Nick Dawson
> <[email protected]> wrote:
>
>     And, in case this provides any more insight, here's my aliases 
>
>     === functional token ===
>     ca-signer (certsign):
>       Alias     : ca-signer-1
>       Identifier: H7_DJuEmAEppVvzsadtfPufca1Y
>       NotBefore : 2020-11-08 03:52:59
>       NotAfter  : 2023-11-08 03:52:59
>
>     scep (scep):
>       Alias     : scep-1
>       Identifier: t1PGk55B7nW5GAPxh_k30viFjDQ
>       NotBefore : 2021-06-22 18:11:29
>       NotAfter  : 2023-01-08 18:11:29
>
>     vault (datasafe):
>       Alias     : vault-2
>       Identifier: 8ztpZtRi0-qJDN8LN9WucwqvTC8
>       NotBefore : 2021-10-13 19:15:38
>       NotAfter  : 2022-10-13 19:15:38
>
>     === root ca ===
>     current root ca:
>       Alias     : root-1
>       Identifier: 1jrExIbjvaH32Gt95NvWKczZNvA
>       NotBefore : 2020-11-08 03:52:48
>       NotAfter  : 2025-11-08 03:52:48
>
>
>     On Mon, May 09, 2022 at 4:18 PM, Nick Dawson
>     <[email protected]>
>     wrote:
>
>         Hey friends,
>         I needed to sign some CSRs today and ran into a problem out of
>         the blue. All my attempts to issue a cert result in a paused
>         workflow. I'm hoping y'all might have some ideas for
>         troubleshooting (and hopefully fixing). It seems like the
>         system cannot find my ca-signer.
>
>         In the system status, it is all green and shows the signer
>         cert as online. 
>
>         Here's the error in my log:
>
>         2022/05/09 14:09:53 openxpki.application.ERROR NICE backend
>         error: Could not find token alias by group; __group__ =>
>         ca-signer, __noafter__ => 1715285393, __notbefore__ => 1652126993,
>
>         Here's my crypto.yml
>
>           ca-signer:
>             inherit: default
>             key_store: DATAPOOL
>             key: "[% ALIAS %]"
>             #key: /usr/local/etc/openxpki/ca/dzsec/ca-one-signer-1.pem
>             secret: dzsecsec
>
>         I tried to re-register the signer cert alias:
>         Certificate already registered as alias:
>           Alias     : ca-signer-1
>           Identifier: H7_DJuEmAEppVvzsadtfPufca1Y
>           NotBefore : 2020-11-08 03:52:59
>           NotAfter  : 2023-11-08 03:52:59
>
>         ERROR: certificate already exisits in group
>         Alias: ca-signer-1
>
>         Just for good measure, I tried to remove the alias:
>         openxpkiadm alias --realm dzsec --remove --alias ca-signer-1
>
>         And then re-added it successfully. I restarted mysql and
>         OpenXPKI and I still have the original issue.
>
>
>
>
> _______________________________________________
> OpenXPKI-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/openxpki-users


-- 
Protect your environment -  close windows and adopt a penguin! 
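The failure Nick hit is a validity-window check: the signer lookup asks for a token in the `ca-signer` group whose certificate covers the whole requested validity (the `__notbefore__`/`__noafter__` epoch values in the log), and `ca-signer-1` expires in November 2023, before a two-year certificate issued in May 2022 would. The following Python is an added example written for this thread, not OpenXPKI's own Perl code; it reproduces that lookup over the alias list quoted above (timestamps are assumed to be UTC), shows the same request succeeding once a next-generation `ca-signer-2` (a constructed entry with an obviously fake identifier) coexists with the old one, and mirrors Oliver's point about the `key:` setting: the `[% ALIAS %]` pattern follows the alias, a hard-coded path does not.

```python
"""Token alias lookup by group with a validity window.

Added example modelled on the "Could not find token alias by group" error
quoted in the thread; not OpenXPKI code. Timestamps are treated as UTC
(an assumption; the status output does not state a zone).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class TokenAlias:
    group: str        # token group, e.g. "ca-signer"
    alias: str        # alias name, e.g. "ca-signer-1"
    identifier: str   # certificate identifier from the alias table
    not_before: int   # epoch seconds
    not_after: int    # epoch seconds


def to_epoch(ts: str) -> int:
    """Convert 'YYYY-MM-DD HH:MM:SS' (assumed UTC) to epoch seconds."""
    return int(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
               .replace(tzinfo=timezone.utc).timestamp())


def fmt(epoch: int) -> str:
    """Epoch seconds back to a UTC date string for messages."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d")


# Aliases copied from the status output quoted in the thread.
ALIASES = [
    TokenAlias("ca-signer", "ca-signer-1", "H7_DJuEmAEppVvzsadtfPufca1Y",
               to_epoch("2020-11-08 03:52:59"), to_epoch("2023-11-08 03:52:59")),
    TokenAlias("scep", "scep-1", "t1PGk55B7nW5GAPxh_k30viFjDQ",
               to_epoch("2021-06-22 18:11:29"), to_epoch("2023-01-08 18:11:29")),
    TokenAlias("vault", "vault-2", "8ztpZtRi0-qJDN8LN9WucwqvTC8",
               to_epoch("2021-10-13 19:15:38"), to_epoch("2022-10-13 19:15:38")),
]

# Requested validity window from the quoted log line: two years from 2022-05-09.
REQ_NOTBEFORE = 1652126993
REQ_NOTAFTER = 1715285393


def rejection_reason(alias: TokenAlias, notbefore: int, notafter: int) -> Optional[str]:
    """Why this alias cannot cover [notbefore, notafter]; None if it can."""
    if alias.not_before > notbefore:
        return f"{alias.alias} is not yet valid at requested notbefore {fmt(notbefore)}"
    if alias.not_after < notafter:
        return (f"{alias.alias} expires {fmt(alias.not_after)} "
                f"before requested notafter {fmt(notafter)}")
    return None


def find_token_alias_by_group(aliases: List[TokenAlias], group: str,
                              notbefore: int, notafter: int) -> List[TokenAlias]:
    """Aliases in `group` whose validity covers the whole requested window,
    latest-expiring first, so a freshly added next-generation signer wins."""
    usable = [a for a in aliases
              if a.group == group and rejection_reason(a, notbefore, notafter) is None]
    return sorted(usable, key=lambda a: a.not_after, reverse=True)


def expand_key_name(pattern: str, alias: str) -> str:
    """Resolve the crypto.yml `key:` setting for a given alias.
    "[% ALIAS %]" expands to the alias name; a hard-coded path stays fixed."""
    return pattern.replace("[% ALIAS %]", alias)


if __name__ == "__main__":
    # 1. The situation from the thread: no signer covers a two-year cert.
    found = find_token_alias_by_group(ALIASES, "ca-signer", REQ_NOTBEFORE, REQ_NOTAFTER)
    print("usable signers:", [a.alias for a in found])
    for a in ALIASES:
        if a.group == "ca-signer":
            print("  ", rejection_reason(a, REQ_NOTBEFORE, REQ_NOTAFTER))

    # 2. Add a constructed next-generation signer alongside the old one.
    new_signer = TokenAlias("ca-signer", "ca-signer-2", "EXAMPLE-IDENTIFIER-NOT-REAL",
                            to_epoch("2022-05-01 00:00:00"), to_epoch("2027-05-01 00:00:00"))
    found = find_token_alias_by_group(ALIASES + [new_signer], "ca-signer",
                                      REQ_NOTBEFORE, REQ_NOTAFTER)
    print("usable signers after roll-over:", [a.alias for a in found])

    # 3. Key name resolution for the new alias under both config styles.
    print(expand_key_name("[% ALIAS %]", new_signer.alias))
    print(expand_key_name("/usr/local/etc/openxpki/ca/dzsec/ca-one-signer-1.pem",
                          new_signer.alias))
```

Run as-is it prints an empty signer list with the expiry reason for `ca-signer-1`, then `ca-signer-2` once the constructed alias is added; the last two lines show why a pattern-based `key:` is what lets the new alias find its own key without touching the config.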