Re: [OpenXPKI-users] ***Spam***RE: 1 secret groups not available

2024-03-22 Thread john
Ok James, 

I got woken up earlier than expected.

 

Can you send me the QUICKSTART.md file and the README.md files that are located 
in the /etc/openxpki or /usr/local/etc/openxpki if using BSD

I want to see how much variance of what you see and what I see at the moment.

Also can you confirm that you received my email sent to you on 2/22/2024 around 
4:55 PM EST

I don’t want to flood people with our every struggle just with the results when 
we get the expected outcome.

Thanks John

 



 

From: John Shelley 
Sent: Friday, March 22, 2024 2:34 PM
To: byrn...@harte-lyne.ca  
Cc: openxpki-users@lists.sourceforge.net 
 
Subject: RE: ***Spam***RE: [OpenXPKI-users] 1 secret groups not available

 

Response below

 

-Original Message-
From: James B. Byrne <byrn...@harte-lyne.ca>
Sent: Friday, March 22, 2024 2:05 PM
To: John Shelley <j...@papertracker.biz>
Cc: openxpki-users@lists.sourceforge.net 
 
Subject: Re: ***Spam***RE: [OpenXPKI-users] 1 secret groups not available

 

On Fri, March 22, 2024 12:32,   
j...@caffeinecode.biz wrote:

> It has been awhile since I set this up, but essentially you end up
> generating 3 or 4 certificates.
> There is usually a script that you run after you change the
> placeholder values.

 

That script is not really useable on FreeBSD as shipped. I looked into using it 
but the paths need to be changed for a lot of the file references therein and 
some of the external scripts used are not packaged with Apache on FreeBSD.  In 
the end I decided that my time would be better spent on getting the software 
working than trying to modify a one-time script.

 

> I noticed that you have been trying to get this thing running for a
> while now on BSD. Has it ever worked for you yet since you have been
> emailing this list?

 

Yes it is running on FreeBSD-13.2p9.  It works fine for democa.  I can issue 
certs and keys.  I can sign csrs. I believe the certs are already made in the 
democa and that is why it’s working.

I would just create a brand new SELF signed cert for testing and use it to 
produce the other certs required by the system

 

I have done something odd with respect to the demo cert I produced so that it 
does not import. But that will eventually be resolved and in my opinion will 
come down to some misunderstanding on my part when generating the cert.

For hll_ca2016 I can log on.  The issues I have are almost certainly due to 
realm misconfiguration resulting from my ignorance.  That is what presently I 
am trying to address. Yes the terminology or taxonomy feels ambiguous at first, 
but it will become straight forward once you do it a few times action straight 
forward.

 

I am investigating the intricacies of properly configuring a realm other than 
democa.  The documentation is fine as an aide-mémoire but it makes a lot of 
assumptions respecting prior knowledge.  I am not clear on exactly what a token 
is or its relationship to certificates.  Does it refer to a specific 
certificate or a group of certificates issued by the same CA?  That is not 
clear to me. I worked all night upgrading my one of my Xamarin Forms apps to 
MAUI and I have to get some sleep.

Once I get some zees I will take a look at my setup and see if we can finally 
get this thing working for you.

 

> Have you thought of just renting a VM with Debian and see if you can
> get it working. Perhaps you will find a missing piece of instruction
> while following the typical Debian setup.

 

I am not presently considering switching to another OS and configuring a VM 
just to install a piece of software which, in the end, either runs on FreeBSD 
or we get something else. Understood but it might be worth $14-15 to go over 
the process once on Debian and generate the keys that are required (master key, 
offline store key, Signer 1 key, Signer 2 key, etc.). I bet I could get a Debian 
box up and running with the correct information albeit with Self Signed certs 
in under 35 min. The time and effort is better spent, in my opinion, on 
discovering the ins and outs of openxpki configuration. Ok well it was a thought 
because I am sure your hair is getting thinner from once you first started, and 
perhaps you will see something you missed on a clean setup that could be the 
missing piece for your BOS setup. The object of the exercise is to arrive at a 
working CA installation with the documented steps of how to get this reproduced 
on any other FreeBSD system we may wish to employ in this role. If we getting 
working will at least share the details  I don’t use BSD, but I hear it has 
a lot of security baked in.

 

My current belief is that there are simply a few remaining issues of 
misunderstanding on my part as to how the private keys and pass phrases are 
managed and resolving in my own mind the matter of 

Re: [OpenXPKI-users] 1 secret groups not available

2024-03-22 Thread Martin Bartosch via OpenXPKI-users
James,

> openxpkiadm alias \
> --realm "hll_ca2016" \
> --token certsign  \
> --file /CA_HLL_ROOT_2016/certs/02.pem  \
> --key /CA_HLL_ROOT_2016/private/keys/02.key.aes256

This command
- imported 02.pem as the first (a "--generation 1" is implicit when you import 
the very first token) signer token in realm hll_ca2016
- also imported 02.key.aes as the corresponding signer key for this token

The system automatically created the signer token ca-signer-1 as one instance 
of the ca-signer token group.
You can import additional signers a few years down the road to perform seamless 
CA rollovers in your realm, if you don't specify --generation they will be 
assigned the token aliases ca-signer-2, ca-signer-3 etc.


> This is what I have in crypto.yaml
...
> token:
>   default:
>     backend: OpenXPKI::Crypto::Backend::OpenSSL
>
>     # Template to create key, available vars are
>     # ALIAS (ca-signer-1), GROUP (ca-signer), GENERATION (1)
>     # KEY_IDENTIFIER (00:AA:BB...), IDENTIFIER (aGSNY1Z...)
>     key: /usr/local/etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem
...
>
>     # Default value for import, recorded in database, can be overriden
>     secret: default
>
>   ca-signer:
>     inherit: default
>     key_store: DATAPOOL
>     key: "[% ALIAS %]"
> 
> 
> I infer from this error message:
> 
> 2024/03/22 08:58:12 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
> OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ =>
> I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary
> -nosmimecap -outform PEM -nodetach -in /var/tmp/openxpki7068rAhBRK43 -inkey
> /var/tmp/openxpki7068HnLhAvaK/ca-signer-1 -signer 
> /var/tmp/openxpki7068wnbNYH_K
> -out /var/tmp/openxpki7068BT1d_Hs4 -passin env:pwd, __EXIT_STATUS__ => 512
> [pid=7068|sid=IBVP]
> 
> That the issue lies in the configuration of crypto.yaml.

No, it indicates that the secret group "default" does not unlock the CA key for 
ca-signer-1 in the datapool.

> I do not grasp the employment of tokens.  The error message refers to
> ca-signer-1.  Is this a token name?  If so, does it have to be explicitly
> named in crypto.yaml or does the openxpki software look for ca-signer?

See above. ca-signer is the token group. ca-signer-1 is a token instance in 
this token group.

> Assuming that ca-signer is searched for then what is the value returned by "[%
> ALIAS %]"?  Does this reference get used to SEARCH in the RDBMS?  What is
> returned? The key itself or the path to the key file?

Maybe we did not explain this properly in one of the previous posts.
In your config

>   key_store: DATAPOOL
>   key: "[% ALIAS %]"


tells the system to look in the datapool and retrieve the private key by its 
alias from the datapool. During the import of the private key in the above 
openxpkiadm command the private key was read and stored in the datapool. This 
is not mandatory, if it confuses you it can also be placed in the file system. 
In that case simply don't override key_store in the ca_signer definition, and 
the key will be referenced from the default location specified in token.default.

> When the 'openxpkiadm alias' command receives the '--key
> /CA_HLL_ROOT_2016/private/keys/02.key.aes256' argument are the contents of
> that file stored in the DB or the path to the key file?

Depends on the token configuration. If key_store: DATAPOOL is set, the key is 
stored in the datapool. If key_store: OPENXPKI is set, the key is referenced 
from the file system. You can deposit the key in the file system yourself (and 
leave out --key during import) or have openxpkiadm write the key to the file 
system.

Cheers

Martin




___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
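
Added example, not part of the original messages and not OpenXPKI code: a small Python triage over the openxpki.log lines quoted in this thread. It pairs each failed openssl call with the OpenSSL error queue logged for the same pid/sid and names the cause. It assumes the OpenSSL 1.x error-line format seen in the thread and that __EXIT_STATUS__ is a raw wait status (512 is exit code 2); the function names and cause labels are hypothetical.

```python
import re

# Log lines copied from the thread, wrapped as they appear in the e-mail.
SAMPLE_LOG = """\
2024/03/22 08:58:11 INFO Login successful (user: byrnejb_hll, role: RA
Operator) [pid=7068|sid=IBVP]
2024/03/22 08:58:12 ERROR OpenSSL error: unable to load signing key file
45354726268928:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad
decrypt:/usr/src/crypto/openssl/crypto/evp/evp_enc.c:612:
45354726268928:error:0906A065:PEM routines:PEM_do_header:bad
decrypt:/usr/src/crypto/openssl/crypto/pem/pem_lib.c:461:
 [pid=7068|sid=IBVP]
2024/03/22 08:58:12 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__
=> cms -sign -binary -nosmimecap -outform PEM -nodetach -in
/var/tmp/openxpki7068rAhBRK43 -inkey /var/tmp/openxpki7068HnLhAvaK/ca-signer-1
-signer /var/tmp/openxpki7068wnbNYH_K -out /var/tmp/openxpki7068BT1d_Hs4
-passin env:pwd, __EXIT_STATUS__ => 512 [pid=7068|sid=IBVP]
"""

RECORD_START = re.compile(r"^(?=\d{4}/\d\d/\d\d \d\d:\d\d:\d\d [A-Z]+ )", re.M)
OSSL_ERR = re.compile(r"\d+:error:[0-9A-F]{8}:[^:]+:([^:]+):([^:]+):")
SESSION = re.compile(r"\[pid=(\d+)\|sid=(\w*)\]")
FAILED_CMD = re.compile(r"__COMMAND__ => ([^,;]*), __EXIT_STATUS__ => (\d+)")

# (function, reason) pairs from the OpenSSL error queue and what each says
# about a key that failed to load. Labels are this example's own.
CAUSES = {
    # PEM header was parsed, so the file exists and is an encrypted PEM key;
    # decrypting it with the supplied passphrase failed.
    ("PEM_do_header", "bad decrypt"): "passphrase-rejected",
    ("PEM_read_bio", "no start line"): "not-a-pem-key",
    ("fopen", "No such file or directory"): "key-file-missing",
}


def records(text):
    """Rejoin wrapped lines into one string per timestamped log record."""
    starts = [m.start() for m in RECORD_START.finditer(text)]
    ends = starts[1:] + [len(text)]
    return [" ".join(text[a:b].split()) for a, b in zip(starts, ends)]


def diagnose(text):
    """Return one finding per failed openssl call, with the matching cause."""
    recs = records(text)
    cause_by_session = {}
    for rec in recs:
        sess = SESSION.search(rec)
        for pair in OSSL_ERR.findall(rec):
            if sess and pair in CAUSES:
                cause_by_session[sess.groups()] = CAUSES[pair]
    findings = []
    for rec in recs:
        cmd, sess = FAILED_CMD.search(rec), SESSION.search(rec)
        if not (cmd and sess):
            continue
        args = cmd.group(1).split()
        opts = dict(zip(args, args[1:]))  # each word mapped to the word after it
        findings.append({
            "token": opts.get("-inkey", "").rsplit("/", 1)[-1],
            "passin": opts.get("-passin"),
            # Assumption: raw wait status, so the exit code is the high byte.
            "exit_code": int(cmd.group(2)) >> 8,
            "cause": cause_by_session.get(sess.groups(), "unknown"),
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```

For the lines in this thread the result is passphrase-rejected for ca-signer-1: the temporary key file was written and read, and the passphrase handed over via env:pwd did not decrypt it.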


Re: [OpenXPKI-users] 1 secret groups not available

2024-03-22 Thread john
It has been awhile since I set this up, but essentially you end up
generating 3 or 4 certificates.
There is usually a script that you run after you change the placeholder
values.
I noticed that you have been trying to get this thing running for a while
now on BSD.
Has it ever worked for you yet since you have been emailing this list?

Have you thought of just renting a VM with Debian and see if you can get it
working.
Perhaps you will find a missing piece of instruction while following the
typical Debian setup.
Thanks John

-Original Message-
From: James B. Byrne via OpenXPKI-users
 
Sent: Friday, March 22, 2024 8:46 AM
To: openxpki-users@lists.sourceforge.net
Cc: James B. Byrne 
Subject: [OpenXPKI-users] 1 secret groups not available

Logging on to another test realm, not democa, as an RA Operator I see this:


Your system status is critical!

OpenXPKI system status

Secret groups            1 secret groups are NOT available
No CRL found!            ---
Active Encryption Token  vault-1
System Version           3.24.2
Hostname                 openxpki-3.internal.harte-lyne.ca.
Config Version           api
3.18
commit
config
3.18

Tokens of type certsign

Token Alias              ca-signer-1
Certificate Identifier   Yh03GEV0ZGEqIGMf-fxZ3lErPmk
Token Status             OFFLINE
not before               2016-11-01 00:00:00 UTC
not after                2035-11-01 23:59:59 UTC

Tokens of type datasafe

Token Alias              vault-1
Certificate Identifier   IC6oLFDYdHybpJ4xwclmCOgQO9w
Token Status             ONLINE
not before               2024-02-12 17:35:23 UTC
not after                2124-02-13 17:35:23 UTC


SO, what am I missing in the way of configuration?






Re: [OpenXPKI-users] ***Spam***RE: 1 secret groups not available

2024-03-22 Thread James B. Byrne via OpenXPKI-users
On Fri, March 22, 2024 12:32, j...@caffeinecode.biz wrote:
> It has been awhile since I set this up, but essentially you end up
> generating 3 or 4 certificates.
> There is usually a script that you run after you change the placeholder
> values.

That script is not really useable on FreeBSD as shipped. I looked into using it
but the paths need to be changed for a lot of the file references therein and
some of the external scripts used are not packaged with Apache on FreeBSD.  In
the end I decided that my time would be better spent on getting the software
working than trying to modify a one-time script.

> I noticed that you have been trying to get this thing running for a while
> now on BSD. Has it ever worked for you yet since you have been emailing
> this list?
>

Yes it is running on FreeBSD-13.2p9.  It works fine for democa.  I can issue
certs and keys.  I can sign csrs.  I have done something odd with respect to
the demo cert I produced so that it does not import. But that will eventually
be resolved and in my opinion will come down to some misunderstanding on my
part when generating the cert.
For hll_ca2016 I can log on.  The issues I have are almost certainly due to
realm misconfiguration resulting from my ignorance.  That is what presently I
am trying to address.

I am investigating the intricacies of properly configuring a realm other than
democa.  The documentation is fine as an aide-mémoire but it makes a lot of
assumptions respecting prior knowledge.  I am not clear on exactly what a token
is or its relationship to certificates.  Does it refer to a specific
certificate or a group of certificates issued by the same CA?  That is not
clear to me.

> Have you thought of just renting a VM with Debian and see if you can get it
> working. Perhaps you will find a missing piece of instruction while following
> the typical Debian setup.

I am not presently considering switching to another OS and configuring a VM
just to install a piece of software which, in the end, either runs on FreeBSD
or we get something else.  The time and effort is better spent, in my opinion,
on discovering the ins and outs of openxpki configuration.  The object of the
exercise is to arrive at a working CA installation with the documented steps of
how to get this reproduced on any other FreeBSD system we may wish to employ in
this role.

My current belief is that there are simply a few remaining issues of
misunderstanding on my part as to how the private keys and pass phrases are
managed and resolving in my own mind the matter of what a token is and how it
is used with respect to certificates issued by the CA.

No doubt I will have further questions on how to set up profiles, but again,
that is simply obtaining knowledge of the mechanics of which files and what
contents.


Regards,


-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne        mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3





Re: [OpenXPKI-users] 1 secret groups not available

2024-03-22 Thread James B. Byrne via OpenXPKI-users
This is how I loaded the issuing CA certificate and key for hll_ca2016:

openxpkiadm alias \
  --realm "hll_ca2016" \
  --token certsign  \
  --file /CA_HLL_ROOT_2016/certs/02.pem  \
  --key /CA_HLL_ROOT_2016/private/keys/02.key.aes256

This is what I have in crypto.yaml

type:
  certsign: ca-signer
  datasafe: vault
  cmcra: ratoken
  scep: scep

# The actual token setup
token:
  default:
    backend: OpenXPKI::Crypto::Backend::OpenSSL

    # Template to create key, available vars are
    # ALIAS (ca-signer-1), GROUP (ca-signer), GENERATION (1)
    # KEY_IDENTIFIER (00:AA:BB...), IDENTIFIER (aGSNY1Z...)
    key: /usr/local/etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem

    # possible values are OpenSSL, nCipher, LunaCA
    engine: OpenSSL
    engine_section: ''
    engine_usage: ''
    key_store: OPENXPKI

    # OpenSSL binary location
    shell: /usr/bin/openssl

    # OpenSSL binary call gets wrapped with this command
    wrapper: ''

    # random file to use for OpenSSL
    randfile: /var/openxpki/rand

    # Default value for import, recorded in database, can be overridden
    secret: default

  ca-signer:
    inherit: default
    key_store: DATAPOOL
    key: "[% ALIAS %]"


I infer from this error message:

2024/03/22 08:58:12 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ =>
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary
-nosmimecap -outform PEM -nodetach -in /var/tmp/openxpki7068rAhBRK43 -inkey
/var/tmp/openxpki7068HnLhAvaK/ca-signer-1 -signer /var/tmp/openxpki7068wnbNYH_K
-out /var/tmp/openxpki7068BT1d_Hs4 -passin env:pwd, __EXIT_STATUS__ => 512
[pid=7068|sid=IBVP]

That the issue lies in the configuration of crypto.yaml.

I do not grasp the employment of tokens.  The error message refers to
ca-signer-1.  Is this a token name?  If so, does it have to be explicitly named
in crypto.yaml or does the openxpki software look for ca-signer?

Assuming that ca-signer is searched for then what is the value returned by "[%
ALIAS %]"?  Does this reference get used to SEARCH in the RDBMS?  What is
returned? The key itself or the path to the key file?

When the 'openxpkiadm alias' command receives the '--key
/CA_HLL_ROOT_2016/private/keys/02.key.aes256' argument are the contents of that
file stored in the DB or the path to the key file?



Re: [OpenXPKI-users] 1 secret groups not available

2024-03-22 Thread James B. Byrne via OpenXPKI-users
On Fri, March 22, 2024 08:45, James B. Byrne wrote:
> Logging on to another test realm, not democa, as an RA Operator I see this:
>
>
> Your system status is critical!
>
> OpenXPKI system status
>
> Secret groups            1 secret groups are NOT available
> No CRL found!            ---
> Active Encryption Token  vault-1
> System Version           3.24.2
> Hostname                 openxpki-3.internal.harte-lyne.ca.
> Config Version           api
>   3.18

In /var/log/openxpki/openxpki.log I see this:

2024/03/22 08:57:23 ERROR
I18N_OPENXPKI_SERVICE_DEFAULT_HANDLE_CONTINUE_SESSION_SESSION_CONTINUE_FAILED;
__ID__ => zqnDv0To7hGpoNTf3lNPsA== [pid=7068|]
2024/03/22 08:58:11 INFO Login successful (user: byrnejb_hll, role: RA
Operator) [pid=7068|sid=IBVP]

2024/03/22 08:58:12 ERROR OpenSSL error: unable to load signing key file
45354726268928:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad
decrypt:/usr/src/crypto/openssl/crypto/evp/evp_enc.c:612:
45354726268928:error:0906A065:PEM routines:PEM_do_header:bad
decrypt:/usr/src/crypto/openssl/crypto/pem/pem_lib.c:461:
 [pid=7068|sid=IBVP]

2024/03/22 08:58:12 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__
=> cms -sign -binary -nosmimecap -outform PEM -nodetach -in
/var/tmp/openxpki7068rAhBRK43 -inkey /var/tmp/openxpki7068HnLhAvaK/ca-signer-1
-signer /var/tmp/openxpki7068wnbNYH_K -out /var/tmp/openxpki7068BT1d_Hs4
-passin env:pwd, __EXIT_STATUS__ => 512 [pid=7068|sid=IBVP]

2024/03/22 08:58:12 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ =>
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary
-nosmimecap -outform PEM -nodetach -in /var/tmp/openxpki7068rAhBRK43 -inkey
/var/tmp/openxpki7068HnLhAvaK/ca-signer-1 -signer /var/tmp/openxpki7068wnbNYH_K
-out /var/tmp/openxpki7068BT1d_Hs4 -passin env:pwd, __EXIT_STATUS__ => 512
[pid=7068|sid=IBVP]


I gather that either I cannot load ca-signer-1 or the key pass phrase value is
wrong.  How do I tell which?



Re: [OpenXPKI-users] Importing a certificate created and signed outside openxpki

2024-03-22 Thread James B. Byrne via OpenXPKI-users
On Fri, March 22, 2024 03:41, Oliver Welter wrote:
> Hi James,
>
> The admin tool is somewhat outdated and is only meant for bootstrapping
> the CA and not really for importing legacy stuff, you should use
> "openxpkicli import_certificate" for this which also allows you to let
> the certs look like they were issued here, just importing it into the
> realm will not list them as they are not recognized as a "realm entity".
>

I will use openxpkicli in future. Thanks for the information.

I have moved on to the next stage of testing, on a different realm.  I have
setup the external user yaml database and logons work fine (providing I type in
the passwords correctly.. ahem)...

Regards,




[OpenXPKI-users] 1 secret groups not available

2024-03-22 Thread James B. Byrne via OpenXPKI-users
Logging on to another test realm, not democa, as an RA Operator I see this:


Your system status is critical!

OpenXPKI system status

Secret groups            1 secret groups are NOT available
No CRL found!            ---
Active Encryption Token  vault-1
System Version           3.24.2
Hostname                 openxpki-3.internal.harte-lyne.ca.
Config Version           api
3.18
commit
config
3.18

Tokens of type certsign

Token Alias              ca-signer-1
Certificate Identifier   Yh03GEV0ZGEqIGMf-fxZ3lErPmk
Token Status             OFFLINE
not before               2016-11-01 00:00:00 UTC
not after                2035-11-01 23:59:59 UTC

Tokens of type datasafe

Token Alias              vault-1
Certificate Identifier   IC6oLFDYdHybpJ4xwclmCOgQO9w
Token Status             ONLINE
not before               2024-02-12 17:35:23 UTC
not after                2124-02-13 17:35:23 UTC


SO, what am I missing in the way of configuration?






Re: [OpenXPKI-users] Importing a certificate created and signed outside openxpki

2024-03-22 Thread Oliver Welter

Hi James,

I really don't have a clue why this is not working - the chain for the 
intermediate is built via the database when you import the certificate 
with the identifier and issuer_identifier fields, it might be the case 
that something went wrong at this stage already.


The admin tool is somewhat outdated and is only meant for bootstrapping 
the CA and not really for importing legacy stuff, you should use 
"openxpkicli import_certificate" for this which also allows you to let 
the certs look like they were issued here, just importing it into the 
realm will not list them as they are not recognized as a "realm entity".


Please also ensure the validities of the chain are ok, the verify 
command fails if a certificate exceeds the validity of its parent.


Oliver

On 20.03.24 20:01, James B. Byrne via OpenXPKI-users wrote:

On Wed, March 20, 2024 14:12, James B. Byrne via OpenXPKI-users wrote:


# openxpkiadm certificate import --realm democa --file newname_rsa.crt
try/catch is experimental at
/usr/local/lib/perl5/site_perl/OpenXPKI/Server/Init.pm line 103.
try/catch is experimental at
/usr/local/lib/perl5/site_perl/OpenXPKI/Server/Init.pm line 107.

Starting import

2024/03/20 12:40:19 OpenSSL error: C = CA, O = Harte & Lyne Limited, OU =
Networked Data Services, CN = openxpki-3.internal.harte-lyne.ca
error 20 at 0 depth lookup: unable to get local issuer certificate


The error I see is associated with the absence of a root CA certificate.
However, to the best of my ability to see the CA certificate chain is complete
and correct.


# openxpkiadm certificate list --realm democa -v -v

Certificates in democa:

   Identifier: IC6oLFDYdHybpJ4xwclmCOgQO9w
 Alias:
   vault-1
 Subject:
   CN=DataVault
 Issuer DN:
   CN=DataVault
 Chain:
   IC6oLFDYdHybpJ4xwclmCOgQO9w(complete)

   Identifier: OfdNydD4PfjsPh06Te0qh8dn_Kw
 Alias:
   root-1
 Subject:
   CN=OpenXPKI Root DUMMY CA 1,OU=PKI,O=OpenXPKI,C=DE
 Issuer DN:
   CN=OpenXPKI Root DUMMY CA 1,OU=PKI,O=OpenXPKI,C=DE
 Chain:
   OfdNydD4PfjsPh06Te0qh8dn_Kw(complete)

   Identifier: ctK9f4qbA2-d8heTMBu1P365Ckc
 Alias:
   ca-signer-1
 Subject:
   CN=democa_i.harte-lyne.ca,OU=IT,O=Harte & Lyne Demo,C=CA
 Issuer DN:
   CN=OpenXPKI Root DUMMY CA 1,OU=PKI,O=OpenXPKI,C=DE
 Chain:
   ctK9f4qbA2-d8heTMBu1P365Ckc -> OfdNydD4PfjsPh06Te0qh8dn_Kw(complete)

So, why does openxpkiadm certificate import not see it?


--
Protect your environment -  close windows and adopt a penguin!


