On 05.08.24 at 18:10, Martin Bartosch wrote:

Your particular OpenXPKI instance has been configured with a CA certificate 
that is valid until 2025-08-05 14:54:05 UTC.

You seem to try to issue a certificate that would be valid until 2025-08-05 
15:22:39 UTC (I suppose you kept the 1 year default validity), which is outside 
the validity of the Issuing CA certificate.

Your OpenXPKI concludes that there is no matching CA Certificate which can 
perform this action and thus bails out with an error.

Possible solutions:
- perform an Issuing CA rollover (import a new CA Signer token with a validity 
that allows issuance of the certificate)
- reduce the requested certificate validity (e.g. reduce to 6 months)

Yes, OpenXPKI is that cool B)

Oh well, I have no idea why I created 1y CA certs, stupid me. I retested with 
noafter: 0001 and it worked, thanks Martin.

Yes, the rollover is quite nice.

One follow-up question: I saw the message only in debug=10, the WebUI simply says 
"wf_pause_msg: Backend Communication Error", instead of "No usable ca-signer 
found" or something like that.
The message is a little bit misleading, at least for non-experts like me. 
Should I open an improvement issue or is it the designed way and maybe caused 
by technical reasons?

Best,
-ap
