Hi James,

Access to the certificates in the "null" realm via the CLI tools is
unfortunately not working, so in case you want to check this you need to
look directly into the database :(

However, the "root" alias will be automatically populated on import of
the signer certificate, so there is nothing to do from your side; just
follow the steps from the manual to load the keys into the system. The
passphrase for the token is read from the "secret" section in
crypto.yaml. To make the automatic rollover of keys work, it is advised
to have the same passphrase at least for all keys of a certain type (so
all CA keys of one realm should share one secret).

HTH

Oliver

On 13.02.24 21:32, James B. Byrne via OpenXPKI-users wrote:

I am at the point where I am ready to import the root and issuer certificates
for our existing PKI.

The Quickstart guide (qsg) contains this example:

    $ openxpkiadm alias --realm democa
    === functional token ===
    vault (datasafe):
      Alias     : vault-1
      Identifier: lZILS1l6Km5aIGS6pA7P7azAJic
      NotBefore : 2015-01-30 20:44:40
      NotAfter  : 2016-01-30 20:44:40

    ca-signer (certsign):
      Alias     : ca-signer-1
      Identifier: Sw_IY7AdoGUp28F_cFEdhbtI9pE
      NotBefore : 2015-01-30 20:44:40
      NotAfter  : 2018-01-29 20:44:40

    === root ca ===
    current root ca:
      Alias     : root-1
      Identifier: fVrqJAlpotPaisOAsnxa9cglXCc
      NotBefore : 2015-01-30 20:44:39
      NotAfter  : 2020-01-30 20:44:39
    upcoming root ca:
      not set

For my setup I see this at the moment:

    # openxpkiadm alias --realm hll_ca2016
    === functional token ===
    scep (scep):
      not set

    ratoken (cmcra):
      not set

    ca-signer (certsign):
      not set

    vault (datasafe):
      Alias     : vault-1
      Identifier: IC6oLFDYdHybpJ4xwclmCOgQO9w
      NotBefore : 2024-02-12 17:35:23
      NotAfter  : 2124-02-13 17:35:23

    === root ca ===
    current root ca:
      not set
    upcoming root ca:
      not set

I have the root CA key (01.key.aes256) and cert (01.pem) and the issuer CA key
(02.key.aes256) and cert (02.pem). Both keys are protected by pass phrases.

I previously imported the root CA cert using:

    openxpkiadm certificate import --file ./CA_HLL_ROOT_2016/certs/01.pem

But I cannot see it:

    openxpkiadm certificate list
    Command failed: You must specify a realm using --realm

    openxpkiadm certificate list --realm "hll_ca2016"
    Certificates in hll_ca2016:
      Identifier: IC6oLFDYdHybpJ4xwclmCOgQO9w
      Alias:
        vault-1

    openxpkiadm certificate list --all
    Command failed: You must specify a realm using --realm

How do I display the previously loaded root certificate?

Thanks,
--
Protect your environment - close windows and adopt a penguin!