Re: [OpenXPKI-users] enrollment client using Windows CNG API - SCEP or EST

2024-01-16 Thread Jeremy Jackson

And a couple of hours of Googling later, an SCEP client written in PowerShell:

https://www.powershellgallery.com/packages/PSCertificateEnrollment/1.0.0/Content/Functions%5CGet-NDESCertificate.ps1

On 2024-01-16 17:36, Jeremy Jackson wrote:

Windows CNG looks great for using Virtual Smart Cards for domain logins.

Here is some recent work on adding CNG to OpenSSL 3

https://github.com/Lipovlan/cng-openssl-provider

I have only been able to find "sscep" which uses OpenSSL 1.1 CAPI Engine.

Are there any other known enrollment clients that work with OpenXPKI?

Thanks,

Jeremy



___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users





[OpenXPKI-users] enrollment client using Windows CNG API - SCEP or EST

2024-01-16 Thread Jeremy Jackson

Windows CNG looks great for using Virtual Smart Cards for domain logins.

Here is some recent work on adding CNG to OpenSSL 3

https://github.com/Lipovlan/cng-openssl-provider

I have only been able to find "sscep" which uses OpenSSL 1.1 CAPI Engine.

Are there any other known enrollment clients that work with OpenXPKI?

Thanks,

Jeremy





Re: [OpenXPKI-users] Help

2024-01-16 Thread Oliver Welter

Hi Ali,

According to the logs you shared earlier, the password of the vault token 
(default is "root") does not match the key you used. As the CA Token is 
by default encrypted with this token on import, you are now unable to 
decrypt either one. Make sure the password defined in the crypto.yaml 
secret section matches the one of the vault key AND the CA signer token.


Oliver


On 16.01.24 16:45, Ali Danakiran wrote:


Hi,

I have installed Openxpki on Debian 12 following the instructions.

It would have been the first start.

I generated the certificates myself.

Root-CA is root certificate

CA-Signer is an intermediate certificate

But if the problem is with tokens I will have a look in the mailing 
list maybe I will find something.


Thanks a lot



Oliver Welter wrote on Tue. 16 Jan. 2024 at 16:38:

Hi,

what exactly have you done? Docker? Debian? Sample Config Script?
Self-Generated?

Did the tokens work back in time and just fell off or was it never
working?

There are a lot of questions and help on "token issues" on the
mailing list, so you might just want to check the archives for the
most common pitfalls.

Oliver

On 16.01.24 15:15, Ali Danakiran wrote:

Hi,

Would Error Log be useful information?

Martin Bartosch via OpenXPKI-users wrote on Tue. 16 Jan. 2024 at 14:47:

Hi,


> When I check with "openxpkiadm alias --realm ..." my CA
signer, Vault and Root CA are displayed. Is that correct or
not? Am I completely wrong or have I overlooked something?

Maybe it is correct, maybe it is not.

It is not possible to help you if you do not provide useful
information which would allow us to understand what you are
doing.

Cheers

Martin





-- 
Protect your environment -  close windows and adopt a penguin!




Re: [OpenXPKI-users] Help

2024-01-16 Thread Ali Danakiran
Hi,

I have installed Openxpki on Debian 12 following the instructions.

It would have been the first start.

I generated the certificates myself.

Root-CA is root certificate

CA-Signer is an intermediate certificate

But if the problem is with tokens I will have a look in the mailing list
maybe I will find something.

Thanks a lot


Oliver Welter wrote on Tue. 16 Jan. 2024 at 16:38:

> Hi,
>
> what exactly have you done? Docker? Debian? Sample Config Script?
> Self-Generated?
>
> Did the tokens work back in time and just fell off or was it never working?
>
> There are a lot of questions and help on "token issues" on the mailing
> list, so you might just want to check the archives for the most common
> pitfalls.
>
> Oliver
> On 16.01.24 15:15, Ali Danakiran wrote:
>
> Hi,
>
> Would Error Log be useful information?
>
> Martin Bartosch via OpenXPKI-users wrote on Tue. 16 Jan. 2024 at 14:47:
>
>> Hi,
>>
>>
>> > When I check with "openxpkiadm alias --realm ..." my CA signer, Vault
>> and Root CA are displayed. Is that correct or not? Am I completely wrong or
>> have I overlooked something?
>>
>> Maybe it is correct, maybe it is not.
>>
>> It is not possible to help you if you do not provide useful information
>> which would allow us to understand what you are doing.
>>
>> Cheers
>>
>> Martin
>>
>>
>>
>>
>
>


Re: [OpenXPKI-users] Help

2024-01-16 Thread Oliver Welter

Hi,

what exactly have you done? Docker? Debian? Sample Config Script? 
Self-Generated?


Did the tokens work back in time and just fell off or was it never working?

There are a lot of questions and help on "token issues" on the mailing 
list, so you might just want to check the archives for the most common 
pitfalls.


Oliver

On 16.01.24 15:15, Ali Danakiran wrote:

Hi,

Would Error Log be useful information?

Martin Bartosch via OpenXPKI-users wrote on Tue. 16 Jan. 2024 at 14:47:


Hi,


> When I check with "openxpkiadm alias --realm ..." my CA signer,
Vault and Root CA are displayed. Is that correct or not? Am I
completely wrong or have I overlooked something?

Maybe it is correct, maybe it is not.

It is not possible to help you if you do not provide useful
information which would allow us to understand what you are doing.

Cheers

Martin





Re: [OpenXPKI-users] Help

2024-01-16 Thread Ali Danakiran
Here are the error logs:

Catchall.log:

2024/01/16 15:13:11 openxpki.system.WARN Couldn't unlink
"/run/openxpkid.pid" [Permission denied] [pid=10283|pki_realm=test]

2024/01/16 15:13:43 openxpki.auth.INFO Loaded auth handler TestAccounts
[pid=10446|pki_realm=test]

2024/01/16 15:13:43 openxpki.auth.INFO Loaded auth handler Certificate
[pid=10446|pki_realm=test]

2024/01/16 15:13:43 openxpki.auth.INFO Loaded auth handler System
[pid=10446|pki_realm=test]

2024/01/16 15:13:43 openxpki.auth.INFO Loaded auth handler LocalPassword
[pid=10446|pki_realm=test]

2024/01/16 15:13:43 openxpki.auth.INFO Loaded auth handler Anonymous
[pid=10446|pki_realm=test]

2024/01/16 15:13:43 openxpki.audit.system.INFOserver was started
[pid=10446|pki_realm=test]

2024/01/16 15:13:43 openxpki.system.WARN Group Not Defined.  Defaulting to
EGID '0 0' [pid=10450|pki_realm=test]

2024/01/16 15:13:43 openxpki.system.WARN User Not Defined.  Defaulting to
EUID '0' [pid=10450|pki_realm=test]

2024/01/16 15:16:03 openxpki.system.ERROR OpenSSL error: Could not read
signing key from /var/tmp/openxpki104536klfijXq/ca-signer-1

404762AAE37F:error:1608010C:STORE
routines:ossl_store_handle_load_result:unsupported:../crypto/store/store_result.c:151:

404762AAE37F:error:1C800064:Provider
routines:ossl_cipher_unpadblock:bad
decrypt:../providers/implementations/ciphers/ciphercommon_block.c:129:

404762AAE37F:error:11800074:PKCS12 routines:PKCS12_pbe_crypt_ex:pkcs12
cipherfinal error:../crypto/pkcs12/p12_decr.c:86:maybe wrong password

 [pid=10453|sid=aDL3|rid=55607ce97d28|pki_realm=test]

2024/01/16 15:16:03 openxpki.system.ERROR
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary
-nosmimecap -outform PEM -nodetach -in /var/tmp/openxpki104539s69H_uz
-inkey /var/tmp/openxpki104536klfijXq/ca-signer-1 -signer
/var/tmp/openxpki10453kGBffi2Q -out /var/tmp/openxpki10453KkC_vUKw -passin
env:pwd, __EXIT_STATUS__ => 512
[pid=10453|sid=aDL3|rid=55607ce97d28|pki_realm=test]

2024/01/16 15:16:03 openxpki.system.ERROR
I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ =>
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary
-nosmimecap -outform PEM -nodetach -in /var/tmp/openxpki104539s69H_uz
-inkey /var/tmp/openxpki104536klfijXq/ca-signer-1 -signer
/var/tmp/openxpki10453kGBffi2Q -out /var/tmp/openxpki10453KkC_vUKw -passin
env:pwd, __EXIT_STATUS__ => 512
[pid=10453|sid=aDL3|rid=55607ce97d28|pki_realm=test]

2024/01/16 15:34:15 openxpki.application.INFOPurged 1 expired sessions
[pid=10451|sid=FFmI|pki_realm=test]





Openxpki.log:

2024/01/16 15:13:11 WARN Couldn't unlink "/run/openxpkid.pid" [Permission
denied] [pid=10283|pki_realm=test]

2024/01/16 15:13:43 INFO Loaded auth handler TestAccounts
[pid=10446|pki_realm=test]

2024/01/16 15:13:43 INFO Loaded auth handler Certificate
[pid=10446|pki_realm=test]

2024/01/16 15:13:43 INFO Loaded auth handler System
[pid=10446|pki_realm=test]

2024/01/16 15:13:43 INFO Loaded auth handler LocalPassword
[pid=10446|pki_realm=test]

2024/01/16 15:13:43 INFO Loaded auth handler Anonymous
[pid=10446|pki_realm=test]

2024/01/16 15:13:43 WARN Group Not Defined.  Defaulting to EGID '0 0'
[pid=10450|pki_realm=test]

2024/01/16 15:13:43 WARN User Not Defined.  Defaulting to EUID '0'
[pid=10450|pki_realm=test]

2024/01/16 15:16:03 ERROR OpenSSL error: Could not read signing key from
/var/tmp/openxpki104536klfijXq/ca-signer-1

404762AAE37F:error:1608010C:STORE
routines:ossl_store_handle_load_result:unsupported:../crypto/store/store_result.c:151:

404762AAE37F:error:1C800064:Provider
routines:ossl_cipher_unpadblock:bad
decrypt:../providers/implementations/ciphers/ciphercommon_block.c:129:

404762AAE37F:error:11800074:PKCS12 routines:PKCS12_pbe_crypt_ex:pkcs12
cipherfinal error:../crypto/pkcs12/p12_decr.c:86:maybe wrong password

 [pid=10453|sid=aDL3|rid=55607ce97d28|pki_realm=test]

2024/01/16 15:16:03 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED;
__COMMAND__ => cms -sign -binary -nosmimecap -outform PEM -nodetach -in
/var/tmp/openxpki104539s69H_uz -inkey
/var/tmp/openxpki104536klfijXq/ca-signer-1 -signer
/var/tmp/openxpki10453kGBffi2Q -out /var/tmp/openxpki10453KkC_vUKw -passin
env:pwd, __EXIT_STATUS__ => 512
[pid=10453|sid=aDL3|rid=55607ce97d28|pki_realm=test]

2024/01/16 15:16:03 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__
=> OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ =>
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary
-nosmimecap -outform PEM -nodetach -in /var/tmp/openxpki104539s69H_uz
-inkey /var/tmp/openxpki104536klfijXq/ca-signer-1 -signer
/var/tmp/openxpki10453kGBffi2Q -out /var/tmp/openxpki10453KkC_vUKw -passin
env:pwd, __EXIT_STATUS__ => 512
[pid=10453|sid=aDL3|rid=55607ce97d28|pki_realm=test]
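
The log posted above shows OpenSSL failing with "bad decrypt" and "maybe wrong password" while loading the ca-signer-1 key, followed by the cms -sign command exiting with status 512; that is the token passphrase mismatch Oliver diagnoses in his reply on this page. The script below is an added example, not OpenXPKI project code: it groups a catch-all log (or openxpki.log, which uses the same timestamp layout with a bare level) into records, keeps the bare OpenSSL error lines with the ERROR record they follow, and reports the mismatch and the resulting command failure so the problem is spotted before the realm is put in service. The sample log is a constructed excerpt shaped like the posted lines; the finding labels and the wait-status decoding are this script's own.

```python
"""Triage an OpenXPKI catch-all log for token passphrase problems.

Added example for this thread, not OpenXPKI project code. A record starts
with a "YYYY/MM/DD HH:MM:SS" stamp; lines without one (the OpenSSL error
output, the trailing "[pid=...]" line) belong to the record before them.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

RECORD_START = re.compile(r"^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$", re.S)
KEY_LOAD = re.compile(r"Could not read signing key from (\S+)")
INKEY = re.compile(r"-inkey (\S+)")
EXIT_STATUS = re.compile(r"__EXIT_STATUS__ => (\d+)")
REALM = re.compile(r"pki_realm=([^|\]]+)")
WRONG_PASSPHRASE_MARKERS = ("maybe wrong password", "bad decrypt")

# Constructed excerpt shaped like the catchall.log lines posted in the thread
# (same record format and key path), trimmed to the records that matter.
SAMPLE_LOG = """\
2024/01/16 15:13:43 openxpki.auth.INFO Loaded auth handler Certificate [pid=10446|pki_realm=test]
2024/01/16 15:16:03 openxpki.system.ERROR OpenSSL error: Could not read signing key from /var/tmp/openxpki104536klfijXq/ca-signer-1
404762AAE37F:error:1C800064:Provider routines:ossl_cipher_unpadblock:bad decrypt:../providers/implementations/ciphers/ciphercommon_block.c:129:
404762AAE37F:error:11800074:PKCS12 routines:PKCS12_pbe_crypt_ex:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:86:maybe wrong password
 [pid=10453|sid=aDL3|rid=55607ce97d28|pki_realm=test]
2024/01/16 15:16:03 openxpki.system.ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary -nosmimecap -outform PEM -nodetach -in /var/tmp/openxpki104539s69H_uz -inkey /var/tmp/openxpki104536klfijXq/ca-signer-1 -signer /var/tmp/openxpki10453kGBffi2Q -out /var/tmp/openxpki10453KkC_vUKw -passin env:pwd, __EXIT_STATUS__ => 512 [pid=10453|sid=aDL3|rid=55607ce97d28|pki_realm=test]
2024/01/16 15:16:03 openxpki.system.ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary -nosmimecap -outform PEM -nodetach -in /var/tmp/openxpki104539s69H_uz -inkey /var/tmp/openxpki104536klfijXq/ca-signer-1 -signer /var/tmp/openxpki10453kGBffi2Q -out /var/tmp/openxpki10453KkC_vUKw -passin env:pwd, __EXIT_STATUS__ => 512 [pid=10453|sid=aDL3|rid=55607ce97d28|pki_realm=test]
"""


@dataclass
class Finding:
    when: str
    kind: str                 # "passphrase_mismatch" or "cli_failed" (labels are ours)
    token: str                # basename of the key file OpenXPKI handed to openssl
    realm: str
    detail: str
    exit_code: Optional[int] = None


def split_records(text: str) -> List[str]:
    """Glue continuation lines (no leading timestamp) onto the record before them."""
    records: List[str] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if RECORD_START.match(line) or not records:
            records.append(line)
        else:
            records[-1] += "\n" + line
    return records


def triage(text: str) -> List[Finding]:
    """One Finding per distinct (time, kind, token). The TOOLKIT_COMMAND_FAILED
    wrapper record repeats the CLI failure verbatim, so that duplicate is dropped."""
    findings: List[Finding] = []
    seen = set()
    for record in split_records(text):
        m = RECORD_START.match(record)
        if not m:
            continue
        when, category, body = m.groups()
        # catchall.log carries "openxpki.system.ERROR", openxpki.log a bare "ERROR".
        if category.split(".")[-1] != "ERROR":
            continue
        realm_m = REALM.search(body)
        realm = realm_m.group(1) if realm_m else "?"

        key_m = KEY_LOAD.search(body)
        if key_m and any(marker in body for marker in WRONG_PASSPHRASE_MARKERS):
            token = key_m.group(1).rsplit("/", 1)[-1]
            finding = Finding(when, "passphrase_mismatch", token, realm,
                              "OpenSSL could not decrypt the token key: the secret "
                              "configured for this token does not match the key's passphrase")
        elif "I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED" in body:
            inkey_m, exit_m = INKEY.search(body), EXIT_STATUS.search(body)
            if not (inkey_m and exit_m):
                continue
            # 512 is a Perl-style wait status, so the child's exit code is status >> 8.
            status = int(exit_m.group(1))
            finding = Finding(when, "cli_failed", inkey_m.group(1).rsplit("/", 1)[-1], realm,
                              f"openssl cms -sign failed (wait status {status})",
                              exit_code=status >> 8)
        else:
            continue
        key = (finding.when, finding.kind, finding.token)
        if key not in seen:
            seen.add(key)
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.when} realm={f.realm} token={f.token} {f.kind}: {f.detail}")
```

Run it against a real catchall.log by reading the file into `triage()`; a `passphrase_mismatch` finding for a token named like the CA signer is the signal to re-check the crypto.yaml secret before anything else, since every later `cli_failed` record is just a consequence of the key not loading.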

Re: [OpenXPKI-users] Help

2024-01-16 Thread Ali Danakiran
Hi,

Would Error Log be useful information?

Martin Bartosch via OpenXPKI-users wrote on Tue. 16 Jan. 2024 at 14:47:

> Hi,
>
>
> > When I check with "openxpkiadm alias --realm ..." my CA signer, Vault
> and Root CA are displayed. Is that correct or not? Am I completely wrong or
> have I overlooked something?
>
> Maybe it is correct, maybe it is not.
>
> It is not possible to help you if you do not provide useful information
> which would allow us to understand what you are doing.
>
> Cheers
>
> Martin
>
>
>


Re: [OpenXPKI-users] OpenSSL 1 vs 3 support?

2024-01-16 Thread Martin Bartosch via OpenXPKI-users
Hi,

> I noticed that the community edition has dependency to OpenSSL version 3. I
> was wondering if OpenSSL 1 works as well, or is OpenSSL 3 a hard
> requirement?

OpenXPKI supports both versions. The reason that the Debian package depends on 
OpenSSL 3 is that Debian ships this version by default.

FYI, the OpenXPKI Enterprise Edition packages for Red Hat 8 and SuSE SLES 15 
still reference (and use) OpenSSL 1, because both distributions still ship this 
version of OpenSSL.

OpenSSL is mainly used for the actual certificate and CRL issuance operations 
within OpenXPKI. We are constantly working on reducing dependencies on 
OpenSSL; we have already replaced OpenSSL with a native solution to parse 
certificate requests and process SCEP messages. 

Cheers

Martin







[OpenXPKI-users] OpenSSL 1 vs 3 support?

2024-01-16 Thread henri.sundelin
Hi,

I noticed that the community edition has dependency to OpenSSL version 3. I
was wondering if OpenSSL 1 works as well, or is OpenSSL 3 a hard
requirement?

Best regards,
//HS






Re: [OpenXPKI-users] Help

2024-01-16 Thread Martin Bartosch via OpenXPKI-users
Hi,


> When I check with "openxpkiadm alias --realm ..." my CA signer, Vault and 
> Root CA are displayed. Is that correct or not? Am I completely wrong or have 
> I overlooked something?

Maybe it is correct, maybe it is not.

It is not possible to help you if you do not provide useful information which 
would allow us to understand what you are doing.

Cheers

Martin





Re: [OpenXPKI-users] Help

2024-01-16 Thread Ali Danakiran
Hello,

Thank you for your feedback.

When I check with "openxpkiadm alias --realm ..." my CA signer, Vault and
Root CA are displayed. Is that correct or not? Am I completely wrong or
have I overlooked something?



Ali Danakiran wrote on Tue. 16 Jan. 2024 at 14:28:

> Hello,
>
> Thank you for your feedback.
>
> I'll add a picture. It looks like the certificates and tokens have been
> imported. Have I missed something or misunderstood something
>
>
> Mo Be wrote on Tue. 16 Jan. 2024 at 14:17:
>
>> Hi,
>>
>> You can't do anything without those tokens (signer and datasafe) in
>> openxpki.
>> If you chose to run it with Docker, I guess you have already cloned the
>> repository  and in this
>> case, just follow the procedure until the end.
>> They provide a script that would create those tokens (certificates) for
>> you.
>> It's also defined in the Makefile, it might be faster and easier to just
>> run "make sample-config" (you might need to adapt the Makefile with respect
>> to your container names, you'll see the errors if any)
>>
>> Otherwise, without Docker, you would need to create them yourself and
>> import them
>> 
>> to OpenXPKI.
>>
>> Once both of your tokens are online, you can then issue the CRL.
>>
>> Mohamed
>>
>> On Tue. 16 Jan. 2024 at 13:53, Ali Danakiran wrote:
>>
>>> Hello,
>>>
>>> I get the message when I want to check "LOAD_NEXT_CA_CRL_GET_NEXT_CA_0"
>>> CRL. On the Openxpki WebGui it shows me "No CRL found!" and my CA signer is
>>> apparently offline.
>>>
>>>


Re: [OpenXPKI-users] Help

2024-01-16 Thread Mo Be
Hi,

You can't do anything without those tokens (signer and datasafe) in
openxpki.
If you chose to run it with Docker, I guess you have already cloned the
repository  and in this case,
just follow the procedure until the end.
They provide a script that would create those tokens (certificates) for
you.
It's also defined in the Makefile, it might be faster and easier to just
run "make sample-config" (you might need to adapt the Makefile with respect
to your container names, you'll see the errors if any)

Otherwise, without Docker, you would need to create them yourself and
import them

to OpenXPKI.

Once both of your tokens are online, you can then issue the CRL.

Mohamed

On Tue. 16 Jan. 2024 at 13:53, Ali Danakiran wrote:

> Hello,
>
> I get the message when I want to check "LOAD_NEXT_CA_CRL_GET_NEXT_CA_0"
> CRL. On the Openxpki WebGui it shows me "No CRL found!" and my CA signer is
> apparently offline.
>
>


Re: [OpenXPKI-users] Help

2024-01-16 Thread Martin Bartosch via OpenXPKI-users
Hi

> I get the message when I want to check "LOAD_NEXT_CA_CRL_GET_NEXT_CA_0" CRL. 
> On the Openxpki WebGui it shows me "No CRL found!" and my CA signer is 
> apparently offline.

Local CRL issuance within a PKI Realm only works if the CA signer tokens of 
this Realm are online, so make sure that this is the case before trying to 
proceed.

Cheers

Martin





[OpenXPKI-users] Help

2024-01-16 Thread Ali Danakiran
Hello,

I get the message when I want to check "LOAD_NEXT_CA_CRL_GET_NEXT_CA_0"
CRL. On the Openxpki WebGui it shows me "No CRL found!" and my CA signer is
apparently offline.