This is how I loaded the issuing CA certificate and key for hll_ca2016:
openxpkiadm alias \
--realm "hll_ca2016" \
--token certsign \
--file /CA_HLL_ROOT_2016/certs/02.pem \
--key /CA_HLL_ROOT_2016/private/keys/02.key.aes256
This is what I have in crypto.yaml
type:
  certsign: ca-signer
  datasafe: vault
  cmcra: ratoken
  scep: scep

# The actual token setup
token:
  default:
    backend: OpenXPKI::Crypto::Backend::OpenSSL
    # Template to create key, available vars are
    # ALIAS (ca-signer-1), GROUP (ca-signer), GENERATION (1)
    # KEY_IDENTIFIER (00:AA:BB...), IDENTIFIER (aGSNY1Z...)
    key: /usr/local/etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem
    # possible values are OpenSSL, nCipher, LunaCA
    engine: OpenSSL
    engine_section: ''
    engine_usage: ''
    key_store: OPENXPKI
    # OpenSSL binary location
    shell: /usr/bin/openssl
    # OpenSSL binary call gets wrapped with this command
    wrapper: ''
    # random file to use for OpenSSL
    randfile: /var/openxpki/rand
    # Default value for import, recorded in database, can be overridden
    secret: default

  ca-signer:
    inherit: default
    key_store: DATAPOOL
    key: "[% ALIAS %]"
I infer from this error message:
2024/03/22 08:58:12 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ =>
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary
-nosmimecap -outform PEM -nodetach -in /var/tmp/openxpki7068rAhBRK43 -inkey
/var/tmp/openxpki7068HnLhAvaK/ca-signer-1 -signer /var/tmp/openxpki7068wnbNYH_K
-out /var/tmp/openxpki7068BT1d_Hs4 -passin env:pwd, __EXIT_STATUS__ => 512
[pid=7068|sid=IBVP]
that the issue lies in the configuration of crypto.yaml.
I do not grasp the employment of tokens. The error message refers to
ca-signer-1. Is this a token name? If so, does it have to be explicitly named
in crypto.yaml or does the openxpki software look for ca-signer?
Assuming that ca-signer is searched for then what is the value returned by "[%
ALIAS %]"? Does this reference get used to SEARCH in the RDBMS? What is
returned? The key itself or the path to the key file?
When the 'openxpkiadm alias' command receives the '--key
/CA_HLL_ROOT_2016/private/keys/02.key.aes256' argument are the contents of that
file stored in the DB or the path to the key file?
--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Unencrypted messages have no legal claim to privacy
Do NOT open attachments nor follow links sent by e-Mail
James B. Byrne mailto:[email protected]
Harte & Lyne Limited http://www.harte-lyne.ca
9 Brockley Drive vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada L8E 3C3
_______________________________________________
OpenXPKI-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openxpki-users
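The logged failure is an ordinary "openssl cms -sign" call with exit status 512 (openssl exit code 2), so the first thing to establish is whether the certificate and key handed to "openxpkiadm alias" work as a signing pair at all with the configured secret. What follows is an added example, not code from this post or from OpenXPKI: a POSIX shell function that takes the passphrase from the pwd environment variable (the same -passin env:pwd mechanism visible in the logged command), checks that the key decrypts, checks that its public key matches the one in the certificate, and finally runs the same cms -sign command OpenXPKI ran. The function name, the diagnostic messages and the temporary probe file are assumptions of this example.

```shell
#!/bin/sh
# check_signer_pair CERT.pem KEY.pem
#   Passphrase is read from $pwd, exactly as the logged OpenXPKI command
#   does with "-passin env:pwd".  Returns 0 when the pair can sign, 1 and a
#   message on stderr naming the first failing step otherwise.
#   (Added example; not part of the mailing-list post or of OpenXPKI.)
check_signer_pair() {
    cert=$1
    key=$2
    # Make sure the variable exists in the environment even if it is empty,
    # otherwise openssl refuses "-passin env:pwd" outright.
    pwd=${pwd:-}
    export pwd

    # Step 1: the key file parses and decrypts with the supplied secret.
    # A wrong "secret" in crypto.yaml fails here and nowhere later.
    if ! openssl pkey -in "$key" -passin env:pwd -noout >/dev/null 2>&1; then
        echo "step 1: $key cannot be read with the given passphrase" >&2
        return 1
    fi

    # Step 2: the public key inside the certificate must equal the public
    # key derived from the private key, or signing is meaningless.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || {
        echo "step 2: $cert is not a readable X.509 certificate" >&2
        return 1
    }
    key_pub=$(openssl pkey -in "$key" -passin env:pwd -pubout 2>/dev/null)
    if [ "$cert_pub" != "$key_pub" ]; then
        echo "step 2: public key in $cert does not match $key" >&2
        return 1
    fi

    # Step 3: the very operation OpenXPKI performs for pkcs7_sign, run on a
    # small constructed payload instead of the workflow's temp file.
    probe=$(mktemp) || return 1
    printf 'signing probe\n' > "$probe"
    openssl cms -sign -binary -nosmimecap -outform PEM -nodetach \
        -in "$probe" -inkey "$key" -signer "$cert" -out /dev/null \
        -passin env:pwd >/dev/null 2>&1
    rc=$?
    rm -f "$probe"
    if [ "$rc" -ne 0 ]; then
        echo "step 3: openssl cms -sign failed with exit status $rc" >&2
        return 1
    fi

    echo "ok: $cert and $key form a working signing pair" >&2
    return 0
}

# Stand-alone use: pwd='...' ./check_signer_pair.sh 02.pem 02.key.aes256
if [ "$#" -eq 2 ]; then
    check_signer_pair "$1" "$2"
fi
```

A failure at step 1 points at the secret rather than at the token setup, a failure at step 2 at the certificate/key files that were passed to "openxpkiadm alias", and a clean run through step 3 means the material on disk is sound, so whatever OpenXPKI wrote to /var/tmp/.../ca-signer-1 from the stored alias is what needs comparing against the original key file.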