[OpenXPKI-users] Unable to delete certificate
On Tue, April 2, 2024 11:15, James B. Byrne wrote:
> On Tue, April 2, 2024 10:37, Martin Bartosch wrote:
>> openssl x509 parses this just fine, but the API requires a pure PEM block.
>> This is not the same.
>>

I extracted the PEM format certificate and attempted to import it:

openssl crl2pkcs7 -nocrl -certfile hllcerts/20160001.pem \
  | openssl pkcs7 -print_certs \
  | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' \
  > bare_20160001.pem

openxpkicli import_certificate --realm hll_ca2016 --filearg data=bare_20160001.pem

Error: Certificate already exists in database

Now, the problem is I cannot find that certificate to delete it. I presume that something I did earlier put the certificate into the global space as I cannot find it in either the democa or hll_ca2016 realms. I cannot identify a command that will list all certificates regardless of realm.

How do I identify the certificate entry and remove it?

Thanks,

--
*** e-Mail is NOT a SECURE channel ***
Do NOT transmit sensitive data via e-Mail
Unencrypted messages have no legal claim to privacy
Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3

___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
Re: [OpenXPKI-users] Unable to load key from datapool;
On Tue, April 2, 2024 10:37, Martin Bartosch wrote:
> James,
>
>
> The file you are trying to import is not a pure PEM cert but contains leading
> text, and thus the input parameter is not passing the input data validation
> step.
>
> openssl x509 parses this just fine, but the API requires a pure PEM block. This
> is not the same.
>

I wondered, but I had to ask before finding/creating an extract routine.

Thanks,

--
James B. Byrne
Re: [OpenXPKI-users] Unable to load key from datapool;
James,

> openxpkicli --realm hll_ca2016 --filearg data=hllcerts/20160001.pem
> import_certificate
> Error: Error while executing API command
> Attribute (data) does not pass the type constraint because: ''Certificate:
> Data:
> Version: 3 (0x2)
> Serial Number: 538312705 (0x20160001)
> Signature Algorithm: sha512WithRSAEncryption
>
> I checked the certificate using:
>
> openssl x509 -text -noout -in hllcerts/20160001.pem
>
> and it is a valid pem encoded certificate. What am I missing?

The file you are trying to import is not a pure PEM cert but contains leading text, and thus the input parameter is not passing the input data validation step.

openssl x509 parses this just fine, but the API requires a pure PEM block. This is not the same.

Verify with

cat hllcerts/20160001.pem

If the output is anything more than a pure

-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----

then this is your problem.

Cheers

Martin
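Martin's check (the file must be nothing but one BEGIN..END block) and the awk extraction James posted in his later message can be scripted so a file is validated before it is handed to import_certificate. This is an added example, not code from this thread or from the OpenXPKI project; it assumes only POSIX sh, awk, grep, sed and tr, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread or from OpenXPKI: check whether a file is
# the bare PEM block import_certificate expects, and extract that block from a
# file that carries leading text (such as openssl x509 -text output).
# Assumes only POSIX sh, awk, grep, sed and tr; openssl is not required.

BEGIN_MARK='-----BEGIN CERTIFICATE-----'
END_MARK='-----END CERTIFICATE-----'

# is_pure_pem FILE: succeed only when FILE is exactly one BEGIN..END block with
# nothing before, after or in between except base64 body lines.
is_pure_pem() {
    file=$1
    [ -s "$file" ] || return 1
    # judge the content, not the line endings: drop CRs from a DOS-formatted file
    first=$(tr -d '\r' < "$file" | sed -n '1p')
    last=$(tr -d '\r' < "$file" | sed -n '$p')
    [ "$first" = "$BEGIN_MARK" ] || return 1
    [ "$last" = "$END_MARK" ] || return 1
    # exactly one certificate: one BEGIN and one END marker
    [ "$(grep -cF -- "$BEGIN_MARK" "$file")" -eq 1 ] || return 1
    [ "$(grep -cF -- "$END_MARK" "$file")" -eq 1 ] || return 1
    # every line between the markers must be base64 (no text, no blank lines)
    ! tr -d '\r' < "$file" | sed '1d;$d' | grep -qvE '^[A-Za-z0-9+/=]+$'
}

# extract_pem FILE: print the BEGIN..END block(s) found in FILE and drop
# everything around them, e.g. the "Certificate: Data: ..." text dump.
extract_pem() {
    tr -d '\r' < "$1" | awk -v b="$BEGIN_MARK" -v e="$END_MARK" '
        $0 == b { inblock = 1 }
        inblock { print }
        $0 == e { inblock = 0 }
    '
}

# count_pem_blocks FILE: how many certificates the file contains; more than one
# means a bundle, not the single certificate being imported here.
count_pem_blocks() {
    grep -cF -- "$BEGIN_MARK" "$1"
}

# Typical use (commented out so the functions can be sourced):
#   is_pure_pem hllcerts/20160001.pem || extract_pem hllcerts/20160001.pem > bare_20160001.pem
```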
Re: [OpenXPKI-users] Unable to load key from datapool;
On Tue, April 2, 2024 02:26, Oliver Welter wrote:
> Hi James,
. . .
> To import existing end-entity certificates you have to use "openxpkicli
> import_certificate",
. . .

I tried to import an old certificate using the command as given below. This gave an error as shown.

openxpkicli --realm hll_ca2016 --filearg data=hllcerts/20160001.pem import_certificate

Error: Error while executing API command
Attribute (data) does not pass the type constraint because: ''Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 538312705 (0x20160001)
    Signature Algorithm: sha512WithRSAEncryption

I checked the certificate using:

openssl x509 -text -noout -in hllcerts/20160001.pem

and it is a valid pem encoded certificate. What am I missing?

Thanks for the help. I am gradually getting through this.

Sincerely

--
James B. Byrne
Re: [OpenXPKI-users] Unable to load key from datapool;
Hi James,

you are holding it wrong - the alias command defines certificates with a special property, with "--token certsign" you tell OpenXPKI that this is an Issuing CA certificate which is obviously not the case. It then tries to find the key to this certificate based on the internal discovery patterns which fails.

To import existing end-entity certificates you have to use "openxpkicli import_certificate", in case perldoc is installed, run "perldoc OpenXPKI::Server::API2::Plugin::Cert::import_certificate" to show the man page, otherwise you can find the help at https://github.com/openxpki/openxpki/blob/master/core/server/OpenXPKI/Server/API2/Plugin/Cert/import_certificate.pm

Oliver

On 01.04.24 21:37, James B. Byrne via OpenXPKI-users wrote:
> I resolved the 'The requested URL has no service assigned.' error. This was caused by having the realm_mode set to path in webui/default.conf and not having the hll_ca2016 realm actually mapped. I switched back to the default 'select' mode.
>
> Now that I had a working system I decided to attempt to load our old certificates. This I did using the following.
>
> for CF in hllcerts/*.pem
> do
>   openxpkiadm alias --realm hll_ca2016 --token certsign --file "$CF"
> done
>
> They all loaded successfully. However, I suspect that I used the wrong token. It appears that these were all loaded as CAs and are obviously missing their private keys. This is evidenced by the following errors in /va/log/openxpki/stderr.log:
>
> . . .
> 2024/04/01 14:59:58 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ => Unable to load key from datapool; __KEY__ => ca-signer-60 [pid=64808|sid=0Hbb]
> 2024/04/01 14:59:58 ERROR Unable to load key from datapool; __KEY__ => ca-signer-59 [pid=64808|sid=0Hbb]
> 2024/04/01 14:59:58 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ => Unable to load key from datapool; __KEY__ => ca-signer-59 [pid=64808|sid=0Hbb]
>
> So, my question is: what token am I supposed to use to load existing end-user certificates? Or am I not supposed to specify a token at all? I can delete all these and start over but I need to get clear in my head what these tokens mean and how they are intended to be used. With respect to openxpki what is the relationship of the ca-signer token to the certificates it signed? What command should I have used?
>
> Thanks,

--
Protect your environment - close windows and adopt a penguin!