Thanks, it mostly did the trick, but there are still some issues. It seems token rollover didn't work.

The CRL issuance is trying to use casigner-1, but the alias with the current cert is for casigner-2. I also verified with openssl that CRL issuance does work manually. Maybe this is a novice error, but I gathered from the docs that token rollover is automatic?

Br, //HS

--

    % openxpkicmd --realm democa crl_issuance

In catchall.log:

    2024/01/17 16:58:30 openxpki.auth.INFO Login successful (user: Anonymous, role: System) [pid=45218|sid=wQyR|pki_realm=democa]
    2024/01/17 16:58:30 openxpki.application.INFO start crl issue for ca casigner-1, workflow 5119 [pid=45218|user=Anonymous|role=System|sid=wQyR|wftype=crl_issuance|wfid=5119|pki_realm=democa]
    2024/01/17 16:58:31 openxpki.system.ERROR OpenSSL error: engine "cloudhsm" set.
    Using configuration from /var/tmp/openxpki45218q4_fnUUO/openssl.cnf
    CA certificate and CA private key do not match

However the aliases show:

    % openxpkiadm alias --realm democa
    === functional token ===
    vault (datasafe):
    Alias     : vault-2
    Identifier: VkhM86XJuv84LuRmtw4eHHkL25M
    NotBefore : 2024-01-17 12:56:38
    NotAfter  : 2024-02-16 12:56:38

    ratoken (scep): not set

    casigner (certsign):
    Alias     : casigner-2
    Identifier: iLC-b4Fn9EeZehIJqZ51gE3TGkU
    NotBefore : 2024-01-17 13:21:48
    NotAfter  : 2034-01-17 13:21:48

    ratoken (cmcra): not set

    === root ca ===
    current root ca:
    Alias     : root-1
    Identifier: 5zenJ7c7uwUc1cOr09_-eFIaLKw
    NotBefore : 2023-12-20 09:02:08
    NotAfter  : 2053-12-12 09:02:08

    upcoming root ca: not set

From: Oliver Welter <m...@oliwel.de>
Sent: Wednesday, January 17, 2024 4:52 PM
To: openxpki-users@lists.sourceforge.net
Subject: Re: [OpenXPKI-users] AWS CloudHSM?

Hi Henri,

from the docs of the module ;)

    =head1 Configuration

    Set I<engine: AWSCloudHSM> and set the I<key> attribute to point to the
    fake-key file (supports local file or datapool as with plain OpenSSL
    software keys).

best regards

Oliver

On 17.01.24 14:38, henri.sunde...@iki.fi wrote:

Is it possible to configure OpenXPKI with AWS CloudHSM Dynamic Engine?

I tried something like this in crypto.yaml:

    casigner:
      backend: OpenXPKI::Crypto::Backend::OpenSSL
      key: /etc/openxpki/ca/subca_private_ref.pem
      engine: cloudhsm
      engine_section: |
        engine_id = cloudhsm
        MODULE_PATH = /opt/cloudhsm/lib/libcloudhsm_openssl_engine.so
        #PIN = __PIN__
        init = 0
      engine_usage: 'ALWAYS'
      key_store: OPENXPKI
      shell: /opt/openssl/bin/openssl
      randfile: /var/openxpki/rand
      wrapper: ''
      secret: signer

..but that fails due to the fact it tries to download a perl module called cloudhsm.pm. The main difference to PKCS11 is that the private key reference is a fake private key pem file. There are no options to be passed, the HSM pin is expected to be in an env variable. In practice I believe you need to just pass "-engine cloudhsm" to openssl for this engine to work.

Br, //HS

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users

--
Protect your environment - close windows and adopt a penguin!
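The step that fails in the log above is OpenSSL's own check that the CA certificate and the private key it was handed share the same public key. The script below is an added example, not code from this thread or from the OpenXPKI project: it reproduces that check with plain openssl CLI calls and generalizes it to find which of several candidate key files belongs to a given certificate, which is the question behind "casigner-1 was tried, casigner-2 is the current alias". It assumes openssl is on PATH and uses constructed software keys named after the two signer generations so it runs offline. For an HSM-backed key you would add "-engine cloudhsm" (the engine id used in the thread) to the "openssl pkey" call and point it at the fake-key file; that path is an assumption and is not exercised here.

```shell
#!/bin/sh
# Added example (not OpenXPKI project code): reproduce the
# "CA certificate and CA private key do not match" check and locate the
# key that belongs to a certificate. Software keys only; assumes openssl
# is on PATH. For a CloudHSM-backed key (assumption, not tested here),
# add "-engine cloudhsm" to the "openssl pkey" call and pass the fake-key
# PEM as the key file.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# SHA-256 over the DER SubjectPublicKeyInfo taken from a certificate.
cert_pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Same fingerprint, derived from a private key, so the two are comparable.
key_pubkey_fp() {
    openssl pkey -in "$1" -pubout -outform DER \
        | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Exit 0 when certificate $1 and private key $2 share a public key, 1 otherwise.
# This is the condition OpenSSL enforces before it will sign a CRL with the pair.
key_matches_cert() {
    [ "$(cert_pubkey_fp "$1")" = "$(key_pubkey_fp "$2")" ]
}

# Given a certificate and one or more candidate key files, print the first key
# that matches and exit 0; exit 1 if none of them does.
find_matching_key() {
    cert=$1
    shift
    for k in "$@"; do
        if key_matches_cert "$cert" "$k"; then
            printf '%s\n' "$k"
            return 0
        fi
    done
    return 1
}

# Constructed fixture: two self-signed CA generations, mirroring the
# casigner-1 / casigner-2 aliases from the thread. RSA-2048 for portability.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" -days 30 \
        -subj "/CN=$1" >/dev/null 2>&1
}
make_ca casigner-1
make_ca casigner-2

# Stand-alone demo: pairing the current certificate (casigner-2) with the
# previous generation's key is exactly the mismatch OpenSSL rejects.
if key_matches_cert "$WORK/casigner-2.crt" "$WORK/casigner-1.key"; then
    echo "casigner-1.key matches casigner-2.crt (unexpected)"
else
    echo "casigner-1.key vs casigner-2.crt: CA certificate and CA private key do not match"
fi
echo "key for casigner-2.crt: $(find_matching_key "$WORK/casigner-2.crt" \
    "$WORK/casigner-1.key" "$WORK/casigner-2.key")"
```

Running the two fingerprint functions against the certificate OpenXPKI reports in the alias listing and against each key file (or fake-key file) the tokens point at tells you directly which token entry is wired to the wrong key, without going through the workflow.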