Re: [OpenXPKI-users] SCEP enrolment: problem to reach "Initial enrolment"

2021-05-25 Thread Martin Bartosch via OpenXPKI-users
Hi,

> Thank you Oliver, I succeeded with SSCEP in signing my client with PKI#2 
> after it was previously signed by PKI#1 (this post helped me 
> too: https://sourceforge.net/p/openxpki/mailman/message/36904820/)
>  
> But I still have two questions:
>   • The quick one: in the case where I have 2 signers (e.g. ca-signer-1 and 
> ca-signer-2), is it possible to set/configure that only ca-signer-1 signs a 
> certificate request (SCEP enrollment)? Because currently the last signer I 
> add is the signer who signs the request.

See 
https://sourceforge.net/p/openxpki/mailman/openxpki-users/?viewmonth=202105=18=flat
 for a very similar question and answer.

>   • The second question came up because I am trying to do the on-behalf 
> enrolment, already done with SSCEP, now with Cryptlib.
> PKI#1 (openxpki with a workaround in the workflow) signs my client (START 
> INITIAL is triggered); this part is OK. Then PKI#2 tries to sign my 
> client (I am trying to reach START ON-BEHALF) but I fail before that; I get 
> a lot of errors from LibSCEP:
>  
> I don't know which ASN.1 field(s) have a problem; is it possible to find out?

Sorry, I currently don't have the time for ASN.1 diving...

Cheers

Martin



___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


Re: [OpenXPKI-users] SCEP enrolment: problem to reach "Initial enrolment"

2021-05-25 Thread Eddy BODIN via OpenXPKI-users
Thank you Oliver, I succeeded with SSCEP in signing my client with PKI#2 
after it was previously signed by PKI#1 (this post helped me too: 
https://sourceforge.net/p/openxpki/mailman/message/36904820/)

But I still have two questions:

  *   The quick one: in the case where I have 2 signers (e.g. ca-signer-1 and 
ca-signer-2), is it possible to set/configure that only ca-signer-1 signs a 
certificate request (SCEP enrollment)? Because currently the last signer I 
add is the signer who signs the request.

  *   The second question came up because I am trying to do the on-behalf 
enrolment, already done with SSCEP, now with Cryptlib.
PKI#1 (openxpki with a workaround in the workflow) signs my client (START 
INITIAL is triggered); this part is OK. Then PKI#2 tries to sign my 
client (I am trying to reach START ON-BEHALF) but I fail before that; I get a 
lot of errors from LibSCEP:

I don't know which ASN.1 field(s) have a problem; is it possible to find out?

...

==> /var/log/openxpki/catchall.log <==
2021/05/25 16:38:52 openxpki.system.ERROR message.c:882: Invalid messageType
LibSCEP.xs:1197: scep_unwrap failed
140272485020096:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num 
too large:../crypto/asn1/a_object.c:73:
140272485020096:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num 
too large:../crypto/asn1/a_object.c:73:
140272485020096:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num 
too large:../crypto/asn1/a_object.c:73:
140272485020096:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num 
too large:../crypto/asn1/a_object.c:73:
140272485020096:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num 
too large:../crypto/asn1/a_object.c:73:
140272485020096:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num 
too large:../crypto/asn1/a_object.c:73:
140272485020096:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num 
too large:../crypto/asn1/a_object.c:73:
[pid=921|sid=lQP4]

==> /var/log/openxpki/openxpki.log <==
2021/05/25 16:38:52 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => 
OpenXPKI::Crypto::Tool::LibSCEP::Command::unwrap, __ERRVAL__ => message.c:882: 
Invalid messageType
LibSCEP.xs:1197: scep_unwrap failed
140272485020096:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num 
too large:../crypto/asn1/a_object.c:73:
140272485020096:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num 
too large:../crypto/asn1/a_object.c:73:
140272485020096:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num 
too large:../crypto/asn1/a_object.c:73:
140272485020096:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num 
too large:../crypto/asn1/a_object.c:73:
140272485020096:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num 
too large:../crypto/asn1/a_object.c:73:
140272485020096:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num 
too large:../crypto/asn1/a_object.c:73:
140272485020096:error:0D06407A:asn1 encoding routines:a2d_ASN1_OBJECT:first num 
too large:../crypto/asn1/a_object.c:73:
[pid=921|sid=lQP4]

...

2021/05/25 16:38:52 DEB Decoded SCEP message:
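The OpenSSL lines in the log above come from a2d_ASN1_OBJECT, the routine that converts a dotted OID string into DER; it reports "first num too large" when the first arc of such a string is greater than 2. The following Python is an added example (my code, not LibSCEP's, OpenXPKI's or the poster's) that reproduces that input check and walks a DER signed-attributes SET to list which SCEP and PKCS#9 attributes, messageType included, a captured message actually carries. The attribute OIDs are the ones defined in RFC 8894 and PKCS#9; the sample message is constructed inline; rendering of attribute values is a simplification (OID, PrintableString/UTF8String, otherwise hex).

```python
"""
DER walker that lists the SCEP / PKCS#9 attributes in a signed-attributes SET,
plus the textual-OID limits that OpenSSL's a2d_ASN1_OBJECT enforces.
Added example: not LibSCEP, OpenXPKI or the poster's code. Sample is constructed.
"""
ATTR_NAMES = {                       # RFC 8894 section 3.2.1 and PKCS#9 attribute OIDs
    "1.2.840.113549.1.9.3": "contentType",
    "1.2.840.113549.1.9.4": "messageDigest",
    "2.16.840.1.113733.1.9.2": "messageType",
    "2.16.840.1.113733.1.9.5": "senderNonce",
    "2.16.840.1.113733.1.9.6": "recipientNonce",
    "2.16.840.1.113733.1.9.7": "transactionID",
}
OID, OCTET_STRING, UTF8, PRINTABLE, SEQUENCE, SET = 0x06, 0x04, 0x0C, 0x13, 0x30, 0x31

def text_oid_to_arcs(dotted):
    """Parse a dotted OID with the checks a2d_ASN1_OBJECT applies: first arc 0, 1
    or 2 ('first num too large' otherwise), second arc below 40 under arcs 0/1."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2:
        raise ValueError("an OID needs at least two arcs")
    if arcs[0] > 2:
        raise ValueError("first num too large")
    if arcs[0] < 2 and arcs[1] >= 40:
        raise ValueError("second num too large")
    return arcs

def tlv(tag, content):
    """DER tag-length-value with definite length (long form when needed)."""
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    length = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + content

def encode_oid(dotted):
    arcs = text_oid_to_arcs(dotted)
    out = bytearray()
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]         # base-128: high bit set on all but the last byte
        while arc >> 7:
            arc >>= 7
            chunk.insert(0, 0x80 | (arc & 0x7F))
        out += bytes(chunk)
    return tlv(OID, bytes(out))

def decode_oid(content):
    """Inverse of encode_oid, for the content octets of an OID TLV."""
    arcs, cur = [], 0
    for b in content:
        cur = (cur << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(cur)
            cur = 0
    if cur or not arcs:
        raise ValueError("truncated OID sub-identifier")
    first = 0 if arcs[0] < 40 else 1 if arcs[0] < 80 else 2
    return ".".join(str(a) for a in [first, arcs[0] - 40 * first] + arcs[1:])

def read_tlv(buf, pos):
    """Parse one TLV at pos -> (tag, constructed, content, next_pos). Every length
    is checked against the buffer, so a truncated or lying length field raises."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if tag & 0x1F == 0x1F:
        raise ValueError("high tag numbers not supported")
    if length & 0x80:
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("indefinite or oversized length")
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    if pos + length > len(buf):
        raise ValueError("length exceeds buffer")
    return tag, bool(tag & 0x20), buf[pos:pos + length], pos + length

def find_attributes(buf, found=None):
    """Walk buf recursively and report every SEQUENCE { OID, SET { value } } as an
    attribute keyed by its RFC 8894 / PKCS#9 name (or the dotted OID)."""
    found = {} if found is None else found
    pos = 0
    while pos < len(buf):
        tag, constructed, content, pos = read_tlv(buf, pos)
        if tag == SEQUENCE and content:
            t1, _, oid_bytes, p1 = read_tlv(content, 0)
            if t1 == OID and p1 < len(content):
                t2, _, values, _ = read_tlv(content, p1)
                if t2 == SET and values:
                    vt, _, v, _ = read_tlv(values, 0)
                    name = ATTR_NAMES.get(decode_oid(oid_bytes), decode_oid(oid_bytes))
                    found[name] = (decode_oid(v) if vt == OID else
                                   v.decode("utf-8") if vt in (UTF8, PRINTABLE) else v.hex())
                    continue
        if constructed:
            find_attributes(content, found)
    return found

def attribute(dotted, value_tlv):
    return tlv(SEQUENCE, encode_oid(dotted) + tlv(SET, value_tlv))

# Constructed sample: the signed attributes a SCEP PKCSReq (messageType 19) carries.
SAMPLE_SIGNED_ATTRS = tlv(SET,
    attribute("1.2.840.113549.1.9.3", encode_oid("1.2.840.113549.1.7.1"))
    + attribute("2.16.840.1.113733.1.9.2", tlv(PRINTABLE, b"19"))
    + attribute("2.16.840.1.113733.1.9.7", tlv(PRINTABLE, b"constructed-txid-0001"))
    + attribute("2.16.840.1.113733.1.9.5", tlv(OCTET_STRING, bytes(range(16)))))
```

Feed `find_attributes` the DER of a real SignerInfo's signedAttrs (or the whole PKCS#7 blob; it descends into every constructed node) to see which attribute OIDs a message contains and how messageType is encoded; a message that fails before the server can read messageType is the case the log describes, and comparing the OID list against the table is the quickest way to spot an attribute that is missing or carries an unexpected OID.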

Re: [OpenXPKI-users] split secret is always Incomplete

2021-05-25 Thread Kseniya Blashchuk
Thank you very much for your reply. I have looked through the code already
and figured out that the "part" variable is not passed to the backend; however, I
did not know whether it was a bug or not )

On Tue, May 25, 2021 at 10:37 AM Martin Bartosch via OpenXPKI-users <
openxpki-users@lists.sourceforge.net> wrote:

> Hi,
>
> > Does anybody have split secrets working actually? Configuring shares
> always gives incomplete results, no matter what is entered. When no shares
> are configured everything works well and the key is loaded.
> >
> > On Thu, May 20, 2021 at 7:20 PM Kseniya Blashchuk 
> wrote:
> > Hello everyone!
> > I am new to openxpki, I am trying to enter a split password via web
> interface, however it always shows me Incomplete (1/3), I have to enter 3
> shares. Split secret was created with clca tools. What am I doing wrong?
>
> TL;DR: Secret sharing with software keys is only supported by the OpenXPKI
> Enterprise Edition, not by the Community Edition.
>
> Shamir's Secret Sharing for software protected keys was removed from the
> OpenXPKI Community Edition some time ago. The version that was implemented
> in the CE required direct entry of the actual computed shares and thus was
> quite unwieldy. We reimplemented and improved the feature considerably for
> the Enterprise Edition, though.
>
> The configuration fragment you quote is also no longer contained in the
> upstream community configuration, so I guess you are using an older version
> of the sample configuration as your configuration base.
>
> Best regards,
>
> Martin
>
>
>
>


Re: [OpenXPKI-users] OpenXPKI: Serial Number of Certificates

2021-05-25 Thread Martin Bartosch via OpenXPKI-users
Hi,

> Is it possible to configure OpenXPKI to start issuing certificates in a 
> sequence and starting from a particular number?

In all PKI designs I have touched in a long time, randomized serials were a 
requirement, but of course it is possible to configure incrementing serials 
without a random portion. 
In the profile definition (typically in profile/default.yaml) set 
randomized_serial_bytes to 0 and increasing_serials to 1. In this case 
certificates should get incrementing serial numbers based on the last issued 
certificate in the PKI Realm.

Cheers

Martin






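To make the two profile settings concrete, here is an added example (my code, not OpenXPKI's): a serial generator driven by the same two knobs, `randomized_serial_bytes` and `increasing_serials`, together with the limits RFC 5280 section 4.1.2.2 places on any serial (a positive integer, at most 20 DER content octets). How OpenXPKI combines the counter and the random part internally is not shown on the page, so the composition used here (counter in the high-order bits, CSPRNG bytes below it) is an assumption for illustration. The reason randomized serials are a usual requirement is that the CA/Browser Forum Baseline Requirements demand at least 64 bits of CSPRNG output in the serial of a publicly trusted certificate, and purely sequential serials also reveal issuance volume to anyone who sees two certificates.

```python
"""
How a 'randomized serial bytes' setting and an 'increasing serials' setting can
be combined into one X.509 serial number, and the RFC 5280 limits on serials.
Added example, not OpenXPKI code: the composition (sequence counter in the
high-order bits, CSPRNG bytes in the low-order bits) is an assumption.
"""
import secrets

MAX_SERIAL_OCTETS = 20  # RFC 5280 section 4.1.2.2: at most 20 DER content octets


def der_integer_octets(n):
    """Content octets DER needs for a positive INTEGER n. The extra octet covers
    the sign bit: 127 fits in one octet (7F), 128 needs two (00 80)."""
    return n.bit_length() // 8 + 1


def check_serial(serial):
    """RFC 5280: a serial is a positive integer encoded in at most 20 octets."""
    return serial > 0 and der_integer_octets(serial) <= MAX_SERIAL_OCTETS


def max_sequence_for(randomized_serial_bytes):
    """Largest counter value that still fits beside the random part."""
    return 2 ** (8 * MAX_SERIAL_OCTETS - 1 - 8 * randomized_serial_bytes) - 1


def next_serial(last_sequence, randomized_serial_bytes=8, increasing_serials=True):
    """Return (sequence, serial) for the next certificate.

    last_sequence: counter value of the last certificate issued in the realm.
    randomized_serial_bytes: CSPRNG octets placed below the counter; 0 = none.
    increasing_serials: whether the counter is used; with both settings off
    there is nothing to build a serial from, so that combination is rejected.
    """
    if randomized_serial_bytes == 0 and not increasing_serials:
        raise ValueError("serial would be constant: enable a counter or randomness")
    sequence = last_sequence + 1 if increasing_serials else 0
    if sequence > max_sequence_for(randomized_serial_bytes):
        raise ValueError("serial would exceed 20 octets")
    shift = 8 * randomized_serial_bytes
    while True:
        random_part = secrets.randbits(shift) if shift else 0
        serial = (sequence << shift) | random_part
        if serial:                  # RFC 5280 forbids 0; retry in the rare all-zero case
            return sequence, serial
```

With `randomized_serial_bytes=0` and `increasing_serials=True` the serial is simply the next counter value, which is the setting the reply describes; with the default eight random octets every serial still sorts after the previous one while carrying 64 bits of entropy, and `max_sequence_for` shows how much counter range the random part leaves within the 20-octet budget.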


Re: [OpenXPKI-users] Change "democa" to Actual CA Name on OpenXPKI WebUI

2021-05-25 Thread Martin Bartosch via OpenXPKI-users
Hi Scott,

> I did an exercise on this, replaced the "democa" in all files in 
> /etc/openxpki with a customCAName but when I import my issuing CA key and 
> cert, it gave an error about "Unknown/Undefined Realm".
> Please tell me in detail how I can replace the word democa.

As mentioned in my previous post:

>> However, the "section key" in the realms configuration (democa in your case) 
>> is the internal realm name used for grouping PKI Realm data in the database. 
>> It cannot easily be changed once it has been used. (It is technically 
>> possible to change this name by performing some database modification but we 
>> do not recommend doing this unless you know exactly what you are doing.)
>> 
>> When setting up the PKI the realm "key" of each realm should be set to a 
>> sensible value, e. g. "serverca" or "userca". Do not change the 
>> name once it has been used.

In other words: do not change the internal realm name for an existing PKI Realm.

You have the following options:
a. create a new PKI Realm (possibly based on the configuration of the existing 
PKI Realm), possibly importing the existing CA signer tokens/certificates and 
possibly the existing EE certificates
b. live with the existing short name
c. hide the existing short name by hacking the frontend CSS
d. modify the entire CA database to use a different short name

I would recommend approach a or b.

Cheers

Martin





[OpenXPKI-users] OpenXPKI: Serial Number of Certificates

2021-05-25 Thread Scott Thomas via OpenXPKI-users
Hi.
Is it possible to configure OpenXPKI to start issuing certificates in a 
sequence and starting from a particular number?
Regards



Re: [OpenXPKI-users] Change "democa" to Actual CA Name on OpenXPKI WebUI

2021-05-25 Thread Scott Thomas via OpenXPKI-users
Hi Martin,
I did an exercise on this, replaced the "democa" in all files in /etc/openxpki 
with a customCAName but when I import my issuing CA key and cert, it gave an 
error about "Unknown/Undefined Realm". Please tell me in detail how I can 
replace the word democa.
Thanks
Regards

  On Tue, May 25, 2021 at 12:50 PM, Martin Bartosch wrote:   
Hi,

> I want to change the Realm: Example.org Demo CA (democa) to some actual CA 
> name on OpenXPKI WebUI.
> 
> The Example.org Demo CA can be replaced by modifying the "label" field in 
> file /etc/openxpki/config.d/system/realms.yaml
> 
> I am not able to modify the (democa) written in brackets on the WebUI.

As you mentioned the "label" in the realms configuration is the human readable 
representation of the PKI Realm name. It can be changed freely at any time 
which will reflect in the realm name displayed in the GUI.

However, the "section key" in the realms configuration (democa in your case) is 
the internal realm name used for grouping PKI Realm data in the database. It 
cannot easily be changed once it has been used. (It is technically possible to 
change this name by performing some database modification but we do not 
recommend doing this unless you know exactly what you are doing.)

When setting up the PKI the realm "key" of each realm should be set to a 
sensible value, e. g. "serverca" or "userca". Do not change the name 
once it has been used.

Cheers

Martin

  


Re: [OpenXPKI-users] Change "democa" to Actual CA Name on OpenXPKI WebUI

2021-05-25 Thread Martin Bartosch via OpenXPKI-users
Hi,

> I want to change the Realm: Example.org Demo CA (democa) to some actual CA 
> name on OpenXPKI WebUI.
> 
> The Example.org Demo CA can be replaced by modifying the "label" field in 
> file /etc/openxpki/config.d/system/realms.yaml
> 
> I am not able to modify the (democa) written in brackets on the WebUI.

As you mentioned the "label" in the realms configuration is the human readable 
representation of the PKI Realm name. It can be changed freely at any time 
which will reflect in the realm name displayed in the GUI.

However, the "section key" in the realms configuration (democa in your case) is 
the internal realm name used for grouping PKI Realm data in the database. It 
cannot easily be changed once it has been used. (It is technically possible to 
change this name by performing some database modification but we do not 
recommend doing this unless you know exactly what you are doing.)

When setting up the PKI the realm "key" of each realm should be set to a 
sensible value, e. g. "serverca" or "userca". Do not change the name 
once it has been used.

Cheers

Martin





Re: [OpenXPKI-users] split secret is always Incomplete

2021-05-25 Thread Martin Bartosch via OpenXPKI-users
Hi,

> Does anybody have split secrets working actually? Configuring shares always 
> gives incomplete results, no matter what is entered. When no shares are 
> configured everything works well and the key is loaded.
> 
> On Thu, May 20, 2021 at 7:20 PM Kseniya Blashchuk  wrote:
> Hello everyone!
> I am new to openxpki, I am trying to enter a split password via web 
> interface, however it always shows me Incomplete (1/3), I have to enter 3 
> shares. Split secret was created with clca tools. What am I doing wrong?

TL;DR: Secret sharing with software keys is only supported by the OpenXPKI 
Enterprise Edition, not by the Community Edition.

Shamir's Secret Sharing for software protected keys was removed from the 
OpenXPKI Community Edition some time ago. The version that was implemented in 
the CE required direct entry of the actual computed shares and thus was quite 
unwieldy. We reimplemented and improved the feature considerably for the 
Enterprise Edition, though.

The configuration fragment you quote is also no longer contained in the 
upstream community configuration, so I guess you are using an older version of 
the sample configuration as your configuration base.

Best regards,

Martin






Re: [OpenXPKI-users] Disable Policy Check DNS for Web Server Certificate

2021-05-25 Thread Oliver Welter
Good Morning,

I am quite sure that this question has been asked and answered on the ML
more than once, so you might consider searching the archives. Spoiler:
you need to change the workflow; there is no switch to turn it off.

If you are unhappy with the speed, quality, depth of the answers on the
ML you might want to try other support options:
http://www.openxpki.org/support.html

best regards

Oliver

On 25.05.21 at 06:05, Scott Thomas via OpenXPKI-users wrote:
> Hi 
> The response is still awaited on this thread.
> Regards
>
> Sent from Yahoo Mail on Android
> 
>
> On Thu, May 20, 2021 at 7:28 AM, Scott Thomas via OpenXPKI-users
>  wrote:
> Hello,
>
> I have an offline CA installation for issuance of certs to offline
> web servers and the DNS policy check causes unnecessary delays.
> How can I disable the Policy Check DNS for Web Server Certificate?
>
> Regards


-- 
Protect your environment -  close windows and adopt a penguin! 
