Re: [OpenXPKI-users] OpenXPKI with YubiHSM2 - Unable to load module yubihsm_pkcs11

2023-09-28 Thread Martin Bartosch via OpenXPKI-users
Hi,

> On 29.09.2023 at 04:08, Lixin Liu wrote:
> 
> I am using a RHEL system which is not officially supported. But from what I 
> see, there are
> only very minor differences. I have these:

Just to clarify: The Community Edition is available as source code and packaged 
for Debian. However, OpenXPKI Enterprise Edition is available packaged for Red 
Hat Enterprise Linux, SuSE SLES and Ubuntu LTS.

Any HSM that can successfully be used on the command line with OpenSSL via 
PKCS#11 should also work with OpenXPKI. How this exactly works depends on the 
HSM and its PKCS#11 implementation.

Some hints:
- it has already been mentioned, but make sure that any environment variables 
the driver needs are also set in OpenXPKI
- personally, I very much prefer the RFC 7512 URI scheme for specifying PKCS#11 
objects (keys) in the OpenXPKI configuration instead of the traditional (and 
somewhat obscure) slot notation. The GnuTLS p11tool is very useful in getting 
the proper information needed for a particular HSM.

Otherwise the suggestions provided on the list should help get this up and 
running.

Cheers

Martin
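A worked example for the second hint above, added here; it is not OpenXPKI, libp11 or p11tool code. It builds and parses RFC 7512 `pkcs11:` URIs and translates the engine_pkcs11 key specifiers that appear in this thread ("slot_0-label_rsakey", "0:0005") into the URI form. The legacy specifier forms it accepts (slot_<n>-label_<x>, slot_<n>-id_<hex>, label_<x>, id_<hex>, <n>:<hex>) are an assumption taken from the engine_pkcs11 documentation, and the optional token label argument is likewise an assumption.

```python
"""Build, parse and translate RFC 7512 PKCS#11 URIs.

Added example (not OpenXPKI, libp11 or p11tool code). The legacy key
specifier forms handled below are an assumption taken from the
engine_pkcs11 documentation.
"""
import re
from urllib.parse import quote, unquote, unquote_to_bytes

# RFC 7512: characters a path attribute value may carry unencoded
# (unreserved plus pk11-path-res-avail); query values allow / ? | instead of &.
_PATH_SAFE = "-._~:[]@!$'()*+,=&"
_QUERY_SAFE = "-._~:[]@!$'()*+,=/?|"

_PATH_ATTRS = {"token", "manufacturer", "serial", "model", "library-manufacturer",
               "library-description", "library-version", "object", "type", "id",
               "slot-manufacturer", "slot-description", "slot-id"}
_QUERY_ATTRS = {"pin-source", "pin-value", "module-name", "module-path"}

# Assumed engine_pkcs11 forms: slot_<n>-label_<x>, slot_<n>-id_<hex>, label_<x>, id_<hex>
_LEGACY = re.compile(r"^(?:slot_(?P<slot>\d+)-)?(?:label_(?P<label>.+)|id_(?P<id>[0-9A-Fa-f]+))$")
# ... and the older <slot>:<hex id> form seen in the OpenXPKI config of this thread
_SLOT_COLON_ID = re.compile(r"^(?P<slot>\d+):(?P<id>[0-9A-Fa-f]+)$")


def build_pkcs11_uri(**attrs):
    """Serialise attributes, in the order given, into a pkcs11: URI.

    Underscores in keyword names map to hyphens (slot_id -> slot-id). 'id'
    must be bytes and is emitted with every byte percent-encoded (id=%00%05),
    which is how p11tool and pkcs11-tool print object ids.
    """
    path, query = [], []
    for name, value in attrs.items():
        key = name.replace("_", "-")
        if key == "id":
            if not isinstance(value, bytes):
                raise TypeError("id must be given as bytes")
            path.append("id=" + "".join(f"%{b:02X}" for b in value))
        elif key in _PATH_ATTRS:
            path.append(f"{key}={quote(str(value), safe=_PATH_SAFE)}")
        elif key in _QUERY_ATTRS:
            query.append(f"{key}={quote(str(value), safe=_QUERY_SAFE)}")
        else:
            raise ValueError(f"unknown PKCS#11 URI attribute: {key}")
    uri = "pkcs11:" + ";".join(path)
    return uri + ("?" + "&".join(query) if query else "")


def parse_pkcs11_uri(uri):
    """Parse a pkcs11: URI into a dict; 'id' comes back as bytes."""
    if not uri.startswith("pkcs11:"):
        raise ValueError("not a pkcs11: URI")
    path_part, _, query_part = uri[len("pkcs11:"):].partition("?")
    attrs = {}
    for part, sep, allowed in ((path_part, ";", _PATH_ATTRS),
                               (query_part, "&", _QUERY_ATTRS)):
        for item in filter(None, part.split(sep)):
            key, eq, value = item.partition("=")
            if not eq or key not in allowed:
                raise ValueError(f"malformed or misplaced attribute: {item!r}")
            attrs[key] = unquote_to_bytes(value) if key == "id" else unquote(value)
    return attrs


def libp11_spec_to_uri(spec, token=None):
    """Translate an engine_pkcs11 key specifier into a private-key URI.

    Pass token=<token label> when known: matching on token and object label
    is more robust than a slot number, which can change between enumerations.
    """
    m = _LEGACY.match(spec) or _SLOT_COLON_ID.match(spec)
    if not m:
        raise ValueError(f"unrecognised key specifier: {spec!r}")
    g = m.groupdict()
    attrs = {}
    if token is not None:
        attrs["token"] = token
    if g.get("slot") is not None:
        attrs["slot_id"] = g["slot"]
    if g.get("label") is not None:
        attrs["object"] = g["label"]
    if g.get("id") is not None:
        attrs["id"] = bytes.fromhex(g["id"])
    attrs["type"] = "private"
    return build_pkcs11_uri(**attrs)


if __name__ == "__main__":
    for spec in ("slot_0-label_rsakey", "0:0005"):
        print(f"{spec:20} -> {libp11_spec_to_uri(spec)}")
    print(parse_pkcs11_uri("pkcs11:token=YubiHSM;object=rsakey;type=private"))
```

On a real token, `p11tool --list-token-urls` prints the token URI and `p11tool --list-privkeys --login <token-url>` prints the object URIs, so the values do not have to be typed by hand; a recent libp11 engine accepts the resulting URI directly as the key identifier. Keep the PIN out of the URI (`pin-value=` ends up in command lines and logs) and hand it over through the engine's PIN setting or `pin-source=` instead.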




___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


Re: [OpenXPKI-users] Active/Active Setup

2023-09-28 Thread Martin Bartosch via OpenXPKI-users
Hi,

> we are planning to set up an active/active system over two geo locations.
> Does anyone have experience with such a scenario and can share some best 
> practices?
> We would otherwise be testing db replication or setting up different signing 
> CAs within the datacenters, but I would rather have this in a way to be able 
> to control duplicated certificates.

Yes, active-active works without any problems with any number of worker nodes.

For an active-active setup you need:

- a redundant database. All OpenXPKI worker nodes need to access the same 
database instance
- any number of OpenXPKI worker nodes. All worker nodes must have the same 
configuration.
- the OpenXPKI web interface must be configured to store sessions in the 
database. For a long time this has been the default.
- a load balancer which proxies all the worker nodes' web interfaces. The load 
balancer shall be configured in a way that, for a given worker node topology, 
queries get routed to the same worker node based on the source IP (e.g. source 
IP hash).

Cheers

Martin
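An added illustration of the load-balancer requirement in the list above; this is not OpenXPKI code, and the worker names and client addresses are constructed. It shows the property being asked for: with a fixed set of workers every client IP is always routed to the same worker, and with a consistent-hash ring (rather than plain modulo hashing) taking one worker out of the topology only moves the clients that were on that worker.

```python
"""Source-IP affinity for a pool of OpenXPKI worker nodes.

Added example, not OpenXPKI code; worker names and client IPs are made up.
"""
import bisect
import hashlib
import ipaddress


def _point(key: str) -> int:
    """Position on a 64-bit ring. SHA-256 keeps it stable across processes
    and hosts (Python's built-in hash() is randomised per process)."""
    return int.from_bytes(hashlib.sha256(key.encode()).digest()[:8], "big")


class SourceIpHashRing:
    """Consistent hashing keyed on the client's source IP address."""

    def __init__(self, nodes, replicas=128):
        self._replicas = replicas   # virtual points per worker, evens out the share
        self._ring = []             # sorted list of (point, worker)
        self.nodes = set()
        for node in nodes:
            self.add(node)

    def add(self, node):
        self.nodes.add(node)
        for i in range(self._replicas):
            bisect.insort(self._ring, (_point(f"{node}#{i}"), node))

    def remove(self, node):
        self.nodes.discard(node)
        self._ring = [(p, n) for p, n in self._ring if n != node]

    def route(self, source_ip):
        """Worker for a client: first virtual point at or after the IP's point."""
        if not self._ring:
            raise RuntimeError("no worker nodes available")
        key = str(ipaddress.ip_address(source_ip))   # canonical spelling, v4 or v6
        i = bisect.bisect_left(self._ring, (_point(key), ""))
        return self._ring[i % len(self._ring)][1]     # wrap around at the end


def naive_route(source_ip, nodes):
    """Plain modulo hashing: changing the node count reshuffles most clients."""
    key = str(ipaddress.ip_address(source_ip))
    return nodes[_point(key) % len(nodes)]


def moved_clients(route_before, route_after, client_ips):
    """Client IPs whose worker changed between two topologies."""
    return [ip for ip in client_ips if route_before(ip) != route_after(ip)]


if __name__ == "__main__":
    workers = ["ca-1", "ca-2", "ca-3"]
    clients = [f"192.0.2.{i}" for i in range(1, 255)]   # constructed sample
    ring = SourceIpHashRing(workers)
    before = {ip: ring.route(ip) for ip in clients}
    ring.remove("ca-2")                                 # one site goes away
    after = {ip: ring.route(ip) for ip in clients}
    print("ring   moved:", len(moved_clients(before.get, after.get, clients)))
    print("modulo moved:", len(moved_clients(
        lambda ip: naive_route(ip, workers),
        lambda ip: naive_route(ip, ["ca-1", "ca-3"]), clients)))
```

The same behaviour is what `hash $remote_addr consistent;` in an nginx upstream or `balance source` with `hash-type consistent` in HAProxy gives you. Two practical caveats: many clients behind one NAT share a source IP and therefore one worker, and if TLS is terminated in front of the balancer the hash has to be taken from the forwarded client address rather than the terminator's.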







Re: [OpenXPKI-users] OpenXPKI with YubiHSM2 - Unable to load module yubihsm_pkcs11

2023-09-28 Thread Lixin Liu
I am using a RHEL system which is not officially supported. But from what I see, 
there are
only very minor differences. I have these:

inherit: default
  PIN= 
randfile: /var/openxpki/rand

You may want to set PIN to 0001password.

I assume your environment variables YUBIHSM_PKCS11_CONF YUBIHSM_PKCS11_MODULE
are set before you start openxpki.

Good luck.

Lixin.


From: Montajab Saleh
Reply-To: "openxpki-users@lists.sourceforge.net"
Date: Thursday, September 28, 2023 at 2:15 PM
To: "openxpki-users@lists.sourceforge.net"
Subject: Re: [OpenXPKI-users] OpenXPKI with YubiHSM2 - Unable to load module 
yubihsm_pkcs11

Hi Lixin,
It's a good sign.
I also tried this way, slot_0-label_rsakey, but I don't think this is the issue 
here; the OpenXPKI log says it for some reason can't load the 
yubihsm_pkcs11.so module.
But, as you used YubiHSM2 successfully, do you think that I did the 
configuration correctly?
Thanks

On Thu, Sep 28, 2023 at 7:31 PM Lixin Liu wrote:
I have successfully used YubiHSM2 (FIPS version). I used the label name for the 
signing key:

key: "slot_0-label_"

Cheers,

Lixin.


Re: [OpenXPKI-users] OpenXPKI with YubiHSM2 - Unable to load module yubihsm_pkcs11

2023-09-28 Thread Montajab Saleh
Hi Lixin,
It's a good sign.
I also tried this way, slot_0-label_rsakey, but I don't think this is the
issue here; the OpenXPKI log says it for some reason can't load the
yubihsm_pkcs11.so module.
But, as you used YubiHSM2 successfully, do you think that I did the
configuration correctly?
Thanks

On Thu, Sep 28, 2023 at 7:31 PM Lixin Liu wrote:

> I have successfully used YubiHSM2 (FIPS version). I used the label name
> for the signing key:
>
> key: "slot_0-label_"
>
> Cheers,
>
> Lixin.

Re: [OpenXPKI-users] Looking for an open source PKI software manager

2023-09-28 Thread Nick Dawson
I'm not the biggest expert on this list but my first thought was that you
could issue a signing cert from OpenXPKI for ACM and use ACM for the
Lambdas. Then use OpenXPKI directly for your internal sites and services.
I don't believe ACM supports SCEP or EST… but you might be able to build
something within your Lambda environment using SCEP or an RPC call to
directly manage certificates from OpenXPKI.
Ultimately, you should defer to the more qualified people on this list for
a more authoritative answer.



On Thu, Sep 28, 2023 at 12:37 PM, Mike Schleif wrote:



[OpenXPKI-users] Looking for an open source PKI software manager

2023-09-28 Thread Mike Schleif
Will OpenPKI meet all of our needs?

Sempris needs a certificate management system, specifically for:
1. AWS Lambdas
2. Internal web sites
3. Various internal services

The first (AWS) is the biggest challenge. We anticipate managing between 
100-200 different certificates. The AWS Certificate Manager (ACM) is one option 
that can work, but we need to consider alternatives.

Please, advise. Thank you.

--
Best Regards,

Mike Schleif
952-258-2122



Re: [OpenXPKI-users] OpenXPKI with YubiHSM2 - Unable to load module yubihsm_pkcs11

2023-09-28 Thread Lixin Liu
I have successfully used YubiHSM2 (FIPS version). I used the label name for the 
signing key:

key: "slot_0-label_"

Cheers,

Lixin.



[OpenXPKI-users] Active/Active Setup

2023-09-28 Thread Siekmann, Marco
Hello,

we are planning to set up an active/active system over two geo locations.
Does anyone have experience with such a scenario and can share some best 
practices?
We would otherwise be testing db replication or setting up different signing CAs 
within the datacenters, but I would rather have this in a way to be able to 
control duplicated certificates.

Cheers

Marco



[OpenXPKI-users] OpenXPKI with YubiHSM2 - Unable to load module yubihsm_pkcs11

2023-09-28 Thread Montajab Saleh
Hello,
I'm trying to put the signer key in a secure token/HSM. I succeeded using
SmartCard-HSM and Nitrokey, but not YubiHSM2 (Unable to load module
yubihsm_pkcs11.so).

Following is the configuration I did, for the one that worked with
SmartCard-HSM and Nitrokey (same config), and the failed one with YubiHSM2,
with the error log I have in OpenXPKI.

Any help / idea would be appreciated.
Thanks
=
Debian: 10
openxpki: 3.24.1
openssl: OpenSSL 1.1.1n

### Smartcard-hsm / Nitrokey ### worked perfectly
#
  ca-signer:
    backend: OpenXPKI::Crypto::Backend::OpenSSL
    key: "10"
    engine: PKCS11
    engine_section: |
      engine_id    = pkcs11
      dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
      MODULE_PATH  = /usr/lib/x86_64-linux-gnu/opensc-pkcs11.so
      PIN          = __PIN__
      init         = 0
    engine_usage: 'ALWAYS'
    key_store: ENGINE
    shell: /usr/bin/openssl
    randfile: /dev/random
    wrapper: ''
    secret: signer

secret:
  signer:
    label: SmartCard Pin
    method: literal
    value: 12345678
    cache: daemon

### YubiHSM2 ###

  ca-signer:
    backend: OpenXPKI::Crypto::Backend::OpenSSL
    # key: slot_0-label_rsakey
    key: 0:0005
    engine: PKCS11
    engine_section: |
      engine_id    = pkcs11
      # dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
      MODULE_PATH  = /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
      PIN          = __PIN__
      init         = 0
    engine_usage: 'ALWAYS'
    key_store: ENGINE
    shell: /usr/bin/openssl
    randfile: /dev/random
    wrapper: ''
    secret: signer

secret:
  signer:
    label: YubiHSM2 Pin
    method: literal
    value: 0001password
    cache: daemon

### environment variables ###
#
export YUBIHSM_PKCS11_CONF='/etc/yubihsm2/yubihsm_pkcs11.conf'
export YUBIHSM_PKCS11_MODULE='/usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so'

### yubihsm_pkcs11.conf ###
###
connector = http://127.0.0.1:12345

### /usr/lib/ssl/openssl.cnf ###

...
openssl_conf = default_conf

[default_conf]
engines = engine_section

[engine_section]
pkcs11 = pkcs11_section

[pkcs11_section]
engine_id = pkcs11

dynamic_path = /usr/lib/x86_64-linux-gnu/engines-1.1/pkcs11.so
MODULE_PATH = /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so

INIT_ARGS = connector=http://127.0.0.1:12345 debug
init = 0
...

### test dealing with YubiHSM2 ###
##
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so --login --pin 0001password --keypairgen --key-type rsa:2048 --label "my_key" --usage-sign
openssl req -new -x509 -days 365 -subj '/CN=my key/' -sha256 -engine pkcs11 -keyform engine -key slot_0-label_rsakey -out cert.pem
pkcs11-tool --module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so --login -O

All executed successfully

### openxpki error log ###
##
Unable to load module /usr/lib/x86_64-linux-gnu/pkcs11/yubihsm_pkcs11.so
PKCS11_get_private_key returned NULL
cannot load signing key file from engine
139887530206400:error:82065007:PKCS#11 module:pkcs11_check_token:Invalid arguments:p11_load.c:92:
139887530206400:error:26096080:engine routines:ENGINE_load_private_key:failed loading private key:../crypto/engine/eng_pkey.c:78:
unable to load signing key file
 [pid=783|sid=wnxs]
2023/09/28 11:41:19 openxpki.system.ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary -nosmimecap -outform PEM -nodetach -engine pkcs11 -keyform engine -in /var/tmp/openxpki783zdpPQU49 -inkey 0:0005 -signer /var/tmp/openxpki783Nf839thW -out /var/tmp/openxpki783DXlzdsaV -passin env:pwd, __EXIT_STATUS__ => 512 [pid=783|sid=wnxs]
2023/09/28 11:41:19 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary -nosmimecap -outform PEM -nodetach -engine pkcs11 -keyform engine -in /var/tmp/openxpki783zdpPQU49 -inkey 0:0005 -signer /var/tmp/openxpki783Nf839thW -out /var/tmp/openxpki783DXlzdsaV -passin env:pwd, __EXIT_STATUS__ => 512 [pid=783|sid=wnxs]

-- 
Regards
Montajab Saleh
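A check for the first hint given in this thread, added here as an example that is not OpenXPKI code: the variables the yubihsm_pkcs11 module reads (YUBIHSM_PKCS11_CONF, which points it at the connector URL, and YUBIHSM_PKCS11_MODULE) must be present in the environment of the OpenXPKI daemon itself, not only in the shell where the pkcs11-tool and openssl tests above were run. The script reads the live environment of a process from /proc and reports variables that are unset or point at files that do not exist. The process name openxpkid and the list of required variables are assumptions taken from this thread.

```python
"""Verify that a running daemon has the environment a PKCS#11 module needs.

Added example, not OpenXPKI code. /proc/<pid>/environ holds the environment
a process was started with, so it is the ground truth; a variable exported in
an interactive shell does not reach a daemon started by systemd or an init
script. The process name 'openxpkid' and the variable list are assumptions.
"""
import os
import sys
from pathlib import Path

REQUIRED_VARS = ("YUBIHSM_PKCS11_CONF", "YUBIHSM_PKCS11_MODULE")


def parse_environ_blob(blob: bytes) -> dict:
    """Parse the NUL-separated KEY=VALUE records of /proc/<pid>/environ."""
    env = {}
    for record in blob.split(b"\0"):
        key, sep, value = record.partition(b"=")
        if sep:                                  # skip empty or malformed records
            env[key.decode(errors="replace")] = value.decode(errors="replace")
    return env


def read_process_env(pid: int) -> dict:
    """Environment of a live process; readable for your own uid or as root."""
    return parse_environ_blob(Path(f"/proc/{pid}/environ").read_bytes())


def find_pids(comm: str):
    """PIDs whose /proc/<pid>/comm equals comm (no psutil dependency)."""
    for entry in Path("/proc").iterdir():
        if entry.name.isdigit():
            try:
                if (entry / "comm").read_text().strip() == comm:
                    yield int(entry.name)
            except OSError:                      # process exited or not readable
                continue


def missing_vars(env: dict, required=REQUIRED_VARS) -> list:
    """Problems found: unset/empty variables, or values naming a path that does not exist."""
    problems = []
    for name in required:
        value = env.get(name, "")
        if not value:
            problems.append(f"{name} not set")
        elif not os.path.exists(value):
            problems.append(f"{name}={value} does not exist")
    return problems


if __name__ == "__main__":
    # Usage: check_daemon_env.py [pid ...]; defaults to processes named openxpkid
    pids = [int(a) for a in sys.argv[1:]] or list(find_pids("openxpkid"))
    if not pids:
        sys.exit("no openxpkid process found; pass a PID")
    for pid in pids:
        problems = missing_vars(read_process_env(pid))
        print(f"pid {pid}: " + ("OK" if not problems else "; ".join(problems)))
```

If the daemon is started by systemd, an `Environment=` line in a drop-in for the unit (`systemctl edit openxpkid`) is the usual way to get the variables to it; if the variables are deliberately not set, the connector has to be given to the module some other way, such as the INIT_ARGS in the openssl.cnf shown above.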


Re: [OpenXPKI-users] OpenXPKI 3.26 debian 12 missing systemd service? openxpkid does not start after reboot

2023-09-28 Thread Oliver Welter

Hi Daniel,

thanks for the effort - I fixed this already two weeks ago and there are 
also updated packages on the server. I just forgot to push the repo to 
github :(


Oli

On 28.09.23 00:01, Daniel Hoffend wrote:

Hello Oliver

I fixed it for you. Here you go:
https://github.com/openxpki/openxpki/pull/88

I've tested the packaging in a Debian buster container and 
examined the contents of the .deb file afterwards. I haven't done a 
test installation yet, but at least the systemd unit is included again.


--
Best Regards
Daniel


Am 05.09.2023 um 14:18 schrieb Oliver Welter:

Hello Krzysztof,

looks like this got lost with the package updates.

I have created a bug ticket for this 
https://github.com/openxpki/openxpki/issues/883 - if anybody on the 
list has sufficient debian packaging knowledge feel free to look into 
it ;)


Oliver

On 01.09.23 12:06, Krzysztof Stryjek via OpenXPKI-users wrote:

Hi,

I was searching the list archive and also the github sources. But I failed :-(((

I've found that in previous versions there is (should be) a systemd
starting script:
lrwxrwxrwx 1 root root 37 2020-01-16 
/etc/systemd/system/multi-user.target.wants/openxpkid.service -> 
/lib/systemd/system/openxpkid.service


And after upgrades '/lib/systemd/system/openxpkid.service' disappeared.

So I've found on github that there is a systemd script:
https://github.com/openxpki/openxpki/blob/develop/package/debian/core/libopenxpki-perl.openxpkid.service 


So I've copied it to my Debian system as
'/lib/systemd/system/openxpkid.service'.

Unfortunately after reboot (I'm able to do many reboots :-))) )
openxpkid does not start. Of course after login I'm able to start
openxpkid via:
service openxpkid start

So the question is: what am I doing wrong?

I'm not super familiar with Debian, so I've found that the 'systemctl'
command disappeared in Debian 12. There is a package 'systemctl' but it is
kind of a wrapper (old version?) and this command complains about:
[Service]
Type=exec
^^

Thank you very much for any suggestions which can help resolve this
issue.

Greetings,





--
Protect your environment -  close windows and adopt a penguin!


