On Wed, February 14, 2024 04:41, Martin Bartosch via OpenXPKI-users wrote:
> Hi,
>
> Some background information may be useful here:

Thank you very much. This information is most useful.

On Wed, February 14, 2024 07:36, Oliver Welter wrote:
>
> please do not use OpenXPKI (and the sampleconfig) for the RootCA, please
> do yourself a favour and make that a dedicated process and use e.g. our
> "clca" tool for it.

I am not using, and never intended to use, openxpki to manage our root key and
certificate. These already exist and were created back in 2016 using a simple
perl script named CSP. Changes to openssl have rendered CSP semi-functional
and that is the motivation to move to openxpki. When we have cause to reissue
the issuer CA certificate or generate a new issuer CA key and certificate we
will use some offline CA utility to do so. That bridge will be crossed later.

I have read the openxpki users guide to the extent that I created a unified pdf
file to refer to. It was not clear to me how openxpki handled things behind
the scenes so I was confused by the seeming disconnect between the
documentation examples and the expected results.

I had previously loaded the root CA certificate (in the 'null' realm I believe)
following the example given in the Quickstart guide. When I finally twigged to
the relationship of the crypto.yaml 'secret:' section and the token names used
by the alias command I was able to load our existing issuing CA certificate and
key. Following which 'openxpkiadm alias --realm hll_ca2016' displayed this:

=== functional token ===
vault (datasafe):
  Alias : vault-1
  Identifier: IC6oLFDYdHybpJ4xwclmCOgQO9w
  NotBefore : 2024-02-12 17:35:23
  NotAfter : 2124-02-13 17:35:23

ratoken (cmcra):
  not set

ca-signer (certsign):
  Alias : ca-signer-1
  Identifier: Yh03GEV0ZGEqIGMf-fxZ3lErPmk
  NotBefore : 2016-11-01 00:00:00
  NotAfter : 2035-11-01 23:59:59

scep (scep):
  not set

=== root ca ===
current root ca:
  Alias : root-1
  Identifier: CYQ4rXzn4X14_pPNKi8_Pq-Ywg8
  NotBefore : 2016-11-01 00:00:00
  NotAfter : 2036-10-31 23:59:59

upcoming root ca:
  not set

Which is exactly what I was looking for.

At this stage I am configuring the webui. I will have other things to find out
no doubt.

Thank you all for the help, whether I mentioned you or not.

Regards,
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Unencrypted messages have no legal claim to privacy
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:[email protected]
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3