On 14/02/2024 13:36, Oliver Welter wrote:
Hi John,


Hi and thanks for responding!

please do not use OpenXPKI (and the sampleconfig) for the RootCA, please do yourself a favour and make that a dedicated process and use e.g. our "clca" tool for it.


Yes I knew you would say that ;-) I was just testing to see how it all worked.

The reference to the clca is handy thanks.


Educated guess on the topic - you changed the key password used in the sampleconfig.sh but did not change the password in OpenXPKI (crypto.yaml, section secret).

Ah that makes some sense.

OK, I can see the passwords it created in the .pass files in /tmp dir.

I did a test and set up and added a password as per the crypto.yaml

openxpkiadm hashpwd -s argon2


        method: plain
        cache: daemon
        kcv: $argon2id$v=19$m=32768,t=3,p=1$dVJZc3p5...foo


When I login I can add the Global Secret group password, but can't do anything much else and it does not cure the system status.


The sampleconfig is exactly what the name indicates, a quick way to get a democa up and running WITHOUT any security.


Yes I read the notes at the head of the file :-)

However I know how complex a subject this is and trying to create your own 'secure' CA from scratch is no mean feat, and probably no more secure than the script!

I'd still like to get this vaguely working so I understand it better and then I will sit down and try and work out something more convoluted so any advice will be gratefully received.

B. Rgds
John


_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users