Hi Gabriel,

> I need to issue new realm certificates, both from ca-signer-1 and vault-1.
> Could you tell me what commands I should execute to issue the certificates.

If I understand you correctly you intend to perform a CA Rollover within your 
PKI Realm, and you also wish to update the datasafe (vault) certificate.

In order to do the former, you need to issue a new CA Certificate which is 
capable of issuing certificates for your PKI Realm. Make the CA private key 
accessible to OpenXPKI, preferably in a way that the system can implicitly 
reference the private key by its base name and the CA generation (the latter is 
set during import of the CA signer certificate).
How to do that depends on your setup (e.g. key storage in database, in the 
file system or as a HSM object).

Once the CA private key is accessible to the system, import the CA certificate 
via openxpkiadm as a signer token into the PKI Realm. Once this is done, the 
system will immediately be able to use the new CA certificate for issuance of 
new certificates. The old CA certificate remains active and will be used to sign 
CRLs for revoked certificates for the previous CA generation.
Note that these operations can be done without restarting OpenXPKI, during 
regular runtime. Truly continuous CA operation :-)

Importing/activating a new datasafe certificate is quite similar. Deploy and 
configure the new datasafe private key at its designated location, import the 
vault certificate as a datasafe token. If that certificate is issued by a CA in 
the same PKI Realm, the certificate is already in the database and it is 
sufficient to just set an alias.

The commands for these operations are very similar to the initial setup, please 
refer to https://openxpki.readthedocs.io/en/latest/quickstart.html 


Cheers

Martin
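A pre-flight check for the alias import step described in the reply above, added here as an example; it is not code from the thread or from OpenXPKI. It assumes the openxpkiadm `alias` flags (`--realm`, `--token`, `--file`, `--key`, `--identifier`) as used in the linked quickstart and that openssl is on the path for the key-match check; the realm name `democa` and the file names are placeholders.

```shell
#!/bin/sh
# Pre-flight check before importing a new CA-generation signer or datasafe
# certificate into an OpenXPKI realm. Constructed example: it validates the
# inputs, confirms the private key belongs to the certificate, and prints the
# openxpkiadm command to run; it executes nothing against OpenXPKI.

# plan_alias_import REALM TOKEN CERT_FILE KEY_FILE
# Prints the import command on success. Return codes:
#   2 unsupported token, 3 cert unreadable, 4 key unreadable, 5 key mismatch
plan_alias_import() {
  realm=$1; token=$2; cert=$3; key=$4
  case "$token" in
    certsign|datasafe) ;;   # the two token types discussed in the thread
    *) echo "unsupported token type: $token" >&2; return 2 ;;
  esac
  [ -r "$cert" ] || { echo "certificate not readable: $cert" >&2; return 3; }
  [ -r "$key" ]  || { echo "private key not readable: $key" >&2; return 4; }
  # Compare the SubjectPublicKeyInfo from both files; an alias whose key does
  # not match its certificate would be activated but could never sign.
  if command -v openssl >/dev/null 2>&1; then
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
      echo "private key does not match certificate: $cert" >&2; return 5
    fi
  fi
  # Flags assumed to be those of the quickstart linked in the mail.
  printf 'openxpkiadm alias --realm %s --token %s --file %s --key %s\n' \
    "$realm" "$token" "$cert" "$key"
}

# plan_alias_existing REALM TOKEN CERT_IDENTIFIER
# For a datasafe certificate issued by a CA of the same realm (already in the
# database) only an alias is needed; the --identifier flag is an assumption.
plan_alias_existing() {
  [ -n "$3" ] || { echo "certificate identifier required" >&2; return 6; }
  printf 'openxpkiadm alias --realm %s --token %s --identifier %s\n' "$1" "$2" "$3"
}
```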



_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users