Hi James,

> 2024/03/13 08:16:31 ERROR OpenSSL error: Using configuration from
> /var/tmp/openxpki28821VniVdpfp/openssl.cnf
> unable to load CA private key
> . . .
> 
> I guess that this is the problem: unable to load CA private key

Yep.


> The realm was created using:
> 
> openxpkiadm alias   \
>  --realm "democa"   \
>  --token certsign    \
>  --file /root/CLCA/CAS/democa/certs/1A84E8FBE282453D5F22038C58A89786BCD6CCAC.pem  \
>  --key /root/CLCA/CAS/democa_i/private/democa_i_key.pem
> 
> openxpkicli get_token_info --realm=democa --arg alias=vault-1
> {
>   "key_name" : "/usr/local/etc/openxpki/local/keys/vault-1.pem",
>   "key_secret" : 1,
>   "key_store" : "OPENXPKI",
>   "key_usable" : 1
> }
> 
> I have verified that the private key password provided in
> config/realm/democa/crypto.yaml is correct:
> 
> . .
>  ca-signer:
>    inherit: default
>    key_store: DATAPOOL
>    key: "[% ALIAS %]"
> . . .
> secret:
> 
>    ca-signer:
>        label:  Secret group for certsign Token
>        export: 1
>        method: literal
>        value:  "democa"


1. The output of openxpkicli get_token_info (file in file system) is not 
consistent with your configuration (key in datapool). I have no idea why, 
because I cannot see more details on your system, but to me it looks like the 
ca-signer token configuration is not the config the system is using.

2. The config snippet is missing the definition for "default" in crypto.yaml, 
where I assume the secret group is defined. If that does not match the secret 
group you seemingly intend to use for your ca signer tokens (which you named 
"ca-signer"), then the passphrase will not be set correctly. Again, without 
being able to see more of your config it is impossible to tell.

2a. A fixed value for a CA key is not a good idea.


Bottom line: your system cannot access the private key, and this is either a 
permission problem or a problem with the CA passphrase.


Cheers

Martin
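The bottom line above is that the key is either unreadable or the passphrase is wrong. The following is an added POSIX shell check (not from this thread and not OpenXPKI's own tooling) that separates the two cases: it first tests whether the key file is readable by the account the daemon runs as (the service user name is an assumption and is passed in; it is often "openxpki", check your installation), then asks openssl to load the key with the candidate passphrase. The encrypted key it generates is a constructed fixture so the check can be exercised without touching a real CA key.

```shell
# Added diagnostic for the "unable to load CA private key" error discussed in this
# thread. It is not OpenXPKI code; the service user name is an assumption you pass in.
#
# check_ca_key KEYFILE PASSPHRASE [SERVICE_USER]
#   0 = key loads with that passphrase
#   1 = file missing, or not readable by the checking account
#   2 = file readable but passphrase rejected (or not a PEM private key)
#   3 = openssl not available, nothing checked
check_ca_key() {
    key=$1
    pass=$2
    svc_user=${3:-}

    command -v openssl >/dev/null 2>&1 || { echo "openssl not found" >&2; return 3; }

    [ -f "$key" ] || { echo "no such file: $key" >&2; return 1; }

    # Step 1: permission problem? Test readability as the daemon user when one
    # is given (needs sudo), otherwise as the current account.
    if [ -n "$svc_user" ]; then
        if ! sudo -n -u "$svc_user" test -r "$key"; then
            echo "not readable by $svc_user:" >&2; ls -l "$key" >&2; return 1
        fi
    elif [ ! -r "$key" ]; then
        echo "not readable by $(id -un):" >&2; ls -l "$key" >&2; return 1
    fi

    # Step 2: passphrase problem? -noout loads the key without printing it.
    # "pass:" on the command line is visible in the process list; for a real
    # CA key prefer -passin file:/path/to/secret with restrictive permissions.
    if openssl pkey -in "$key" -passin "pass:$pass" -noout 2>/dev/null; then
        echo "OK: $key loads with the given passphrase"; return 0
    fi
    echo "passphrase rejected for $key (file itself is readable)" >&2
    return 2
}

# Constructed fixture: an AES-encrypted RSA key with a known passphrase,
# so the check can be exercised without touching a real CA key.
make_test_key() {
    openssl genrsa -aes256 -passout "pass:$2" -out "$1" 2048 2>/dev/null
    chmod 600 "$1"
}

# Example run against the fixture. A real run points at the key file named in
# crypto.yaml and passes the OpenXPKI daemon account as the third argument.
demo_dir=${TMPDIR:-/tmp}/ca-key-check.$$
mkdir -p "$demo_dir"
make_test_key "$demo_dir/demo_ca_key.pem" 'correct-passphrase'
check_ca_key "$demo_dir/demo_ca_key.pem" 'correct-passphrase'
check_ca_key "$demo_dir/demo_ca_key.pem" 'wrong-passphrase' || echo "exit status $?"
rm -rf "$demo_dir"
```

Run it as root so the sudo step works, and read the exit status rather than the messages when scripting: 1 means fix ownership or mode bits on the key file, 2 means the passphrase in the secret group does not match the key.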

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users