Hi James,

> 2024/03/13 08:16:31 ERROR OpenSSL error: Using configuration from
> /var/tmp/openxpki28821VniVdpfp/openssl.cnf
> unable to load CA private key
> . . .
>
> I guess that this is the problem: unable to load CA private key

Yep.

> The realm was created using:
>
> openxpkiadm alias \
>   --realm "democa" \
>   --token certsign \
>   --file /root/CLCA/CAS/democa/certs/1A84E8FBE282453D5F22038C58A89786BCD6CCAC.pem \
>   --key /root/CLCA/CAS/democa_i/private/democa_i_key.pem
>
> openxpkicli get_token_info --realm=democa --arg alias=vault-1
> {
>   "key_name" : "/usr/local/etc/openxpki/local/keys/vault-1.pem",
>   "key_secret" : 1,
>   "key_store" : "OPENXPKI",
>   "key_usable" : 1
> }
>
> I have verified that the private key password provided in
> config/realm/democa/crypto.yaml is correct:
>
> . . .
>   ca-signer:
>     inherit: default
>     key_store: DATAPOOL
>     key: "[% ALIAS %]"
> . . .
> secret:
>
>   ca-signer:
>     label: Secret group for certsign Token
>     export: 1
>     method: literal
>     value: "democa"

1. The output of openxpkicli get_token_info (file in file system) is not consistent with your configuration (key in datapool). I have no idea why, because I cannot see more details on your system, but to me it looks like the ca-signer token configuration is not the config the system is using.

2. The config snippet is missing the definition for "default" in crypto.yaml, where I assume the secret group is defined. If that does not match the secret group you seemingly intend to use for your ca signer tokens (which you named "ca-signer"), then the passphrase will not be set correctly. Again, without being able to see more of your config it is impossible to tell.

2a. A fixed value for a CA key is not a good idea.

Bottom line: your system cannot access the private key, and this is either a permission problem or a problem with the CA passphrase.

Cheers

Martin

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
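To illustrate Martin's points 2 and 2a, here is an added example of a realm crypto.yaml in which the token section the snippet omits ("default") is present and each token names the secret group it uses, so the group the ca-signer token resolves to is unambiguous. This is not James's configuration or a file from the thread; the backend, shell and key path values, and the use of "plain" (passphrase entered at runtime rather than written into the file) for the signer group, are assumptions for the example.

```yaml
# Added example realm crypto.yaml (not the poster's file).
type:
  certsign: ca-signer
  datasafe: vault

token:
  # "default" must exist: ca-signer below inherits from it.
  default:
    backend: OpenXPKI::Crypto::Backend::OpenSSL
    shell: /usr/bin/openssl          # assumed location
    key_store: OPENXPKI
    key: /etc/openxpki/local/keys/[% ALIAS %].pem
    # Secret group used unless a token overrides it.
    secret: default

  ca-signer:
    inherit: default
    key_store: DATAPOOL
    key: "[% ALIAS %]"
    # Explicitly point the signer token at its own secret group;
    # without this line it would use "default" from the inherited node.
    secret: ca-signer

secret:
  default:
    label: Default secret group for this realm
    export: 0
    method: literal
    value: "changeme"                 # placeholder, not a real secret

  ca-signer:
    label: Secret group for certsign Token
    export: 0
    # "plain": the CA passphrase is supplied at runtime and not stored
    # as a fixed literal in the config file (Martin's point 2a).
    method: plain
    cache: daemon
```

If the token's resolved secret group differs from the one whose passphrase you verified, OpenSSL will still report "unable to load CA private key" even though that passphrase is correct.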