Re: [OpenXPKI-users] 1 secret groups not available
James,

> openxpkiadm alias \
>   --realm "hll_ca2016" \
>   --token certsign \
>   --file /CA_HLL_ROOT_2016/certs/02.pem \
>   --key /CA_HLL_ROOT_2016/private/keys/02.key.aes256

This command
- imported 02.pem as the first (a "--generation 1" is implicit when you
  import the very first token) signer token in realm hll_ca2016
- also imported 02.key.aes as the corresponding signer key for this token

The system automatically created the signer token ca-signer-1 as one
instance of the ca-signer token group. You can import additional signers a
few years down the road to perform seamless CA rollovers in your realm; if
you don't specify --generation they will be assigned the token aliases
ca-signer-2, ca-signer-3 etc.

> This is what I have in crypto.yaml
...
> token:
>   default:
>     backend: OpenXPKI::Crypto::Backend::OpenSSL
>
>     # Template to create key, available vars are
>     # ALIAS (ca-signer-1), GROUP (ca-signer), GENERATION (1)
>     # KEY_IDENTIFIER (00:AA:BB...), IDENTIFIER (aGSNY1Z...)
>     key: /usr/local/etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem
...
>
>     # Default value for import, recorded in database, can be overridden
>     secret: default
>
>   ca-signer:
>     inherit: default
>     key_store: DATAPOOL
>     key: "[% ALIAS %]"
>
>
> I infer from this error message:
>
> 2024/03/22 08:58:12 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
> OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ =>
> I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary
> -nosmimecap -outform PEM -nodetach -in /var/tmp/openxpki7068rAhBRK43 -inkey
> /var/tmp/openxpki7068HnLhAvaK/ca-signer-1 -signer
> /var/tmp/openxpki7068wnbNYH_K
> -out /var/tmp/openxpki7068BT1d_Hs4 -passin env:pwd, __EXIT_STATUS__ => 512
> [pid=7068|sid=IBVP]
>
> That the issue lies in the configuration of crypto.yaml.

No, it indicates that the secret group "default" does not unlock the CA key
for ca-signer-1 in the datapool.

> I do not grasp the employment of tokens. The error message refers to
> ca-signer-1. Is this a token name? If so, does it have to be explicitly
> named in crypto.yaml or does the openxpki software look for ca-signer?

See above. ca-signer is the token group. ca-signer-1 is a token instance in
this token group.

> Assuming that ca-signer is searched for then what is the value returned by
> "[% ALIAS %]"? Does this reference get used to SEARCH in the RDBMS? What is
> returned? The key itself or the path to the key file?

Maybe we did not explain this properly in one of the previous posts. In
your config

>     key_store: DATAPOOL
>     key: "[% ALIAS %]"

tells the system to look in the datapool and retrieve the private key by
its alias from the datapool. During the import of the private key in the
above openxpkiadm command the private key was read and stored in the
datapool. This is not mandatory; if it confuses you it can also be placed
in the file system. In that case simply don't override key_store in the
ca_signer definition, and the key will be referenced from the default
location specified in token.default.

> When the 'openxpkiadm alias' command receives the '--key
> /CA_HLL_ROOT_2016/private/keys/02.key.aes256' argument are the contents of
> that file stored in the DB or the path to the key file?

Depends on the token configuration. If key_store: DATAPOOL is set, the key
is stored in the datapool. If key_store: OPENXPKI is set, the key is
referenced from the file system. You can deposit the key in the file system
yourself (and leave out --key during import) or have openxpkiadm write the
key to the file system.

Cheers

Martin

_______________________________________________
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
Re: [OpenXPKI-users] 1 secret groups not available
It has been a while since I set this up, but essentially you end up
generating 3 or 4 certificates. There is usually a script that you run
after you change the placeholder values.

I noticed that you have been trying to get this thing running for a while
now on BSD. Has it ever worked for you yet since you have been emailing
this list? Have you thought of just renting a VM with Debian and seeing if
you can get it working? Perhaps you will find a missing piece of
instruction while following the typical Debian setup.

Thanks

John

-----Original Message-----
From: James B. Byrne via OpenXPKI-users
Sent: Friday, March 22, 2024 8:46 AM
To: openxpki-users@lists.sourceforge.net
Cc: James B. Byrne
Subject: [OpenXPKI-users] 1 secret groups not available

> Logging on to another test realm, not democa, as an RA Operator I see this:
>
> Your system status is critical!
>
> OpenXPKI system status
>
> Secret groups            1 secret groups are NOT available
> No CRL found!
> ---
> Active Encryption Token  vault-1
> System Version           3.24.2
> Hostname                 openxpki-3.internal.harte-lyne.ca.
> Config Version           api 3.18 commit config 3.18
>
> Tokens of type certsign
> Token Alias              ca-signer-1
> Certificate Identifier   Yh03GEV0ZGEqIGMf-fxZ3lErPmk
> Token Status             OFFLINE
> not before               2016-11-01 00:00:00 UTC
> not after                2035-11-01 23:59:59 UTC
>
> Tokens of type datasafe
> Token Alias              vault-1
> Certificate Identifier   IC6oLFDYdHybpJ4xwclmCOgQO9w
> Token Status             ONLINE
> not before               2024-02-12 17:35:23 UTC
> not after                2124-02-13 17:35:23 UTC
>
> SO, what am I missing in the way of configuration?
Re: [OpenXPKI-users] 1 secret groups not available
This is how I loaded the issuing CA certificate and key for hll_ca2016:

openxpkiadm alias \
  --realm "hll_ca2016" \
  --token certsign \
  --file /CA_HLL_ROOT_2016/certs/02.pem \
  --key /CA_HLL_ROOT_2016/private/keys/02.key.aes256

This is what I have in crypto.yaml

type:
  certsign: ca-signer
  datasafe: vault
  cmcra: ratoken
  scep: scep

# The actual token setup
token:
  default:
    backend: OpenXPKI::Crypto::Backend::OpenSSL

    # Template to create key, available vars are
    # ALIAS (ca-signer-1), GROUP (ca-signer), GENERATION (1)
    # KEY_IDENTIFIER (00:AA:BB...), IDENTIFIER (aGSNY1Z...)
    key: /usr/local/etc/openxpki/local/keys/[% PKI_REALM %]/[% ALIAS %].pem

    # possible values are OpenSSL, nCipher, LunaCA
    engine: OpenSSL
    engine_section: ''
    engine_usage: ''
    key_store: OPENXPKI

    # OpenSSL binary location
    shell: /usr/bin/openssl

    # OpenSSL binary call gets wrapped with this command
    wrapper: ''

    # random file to use for OpenSSL
    randfile: /var/openxpki/rand

    # Default value for import, recorded in database, can be overridden
    secret: default

  ca-signer:
    inherit: default
    key_store: DATAPOOL
    key: "[% ALIAS %]"

I infer from this error message:

2024/03/22 08:58:12 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ =>
OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ =>
I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary
-nosmimecap -outform PEM -nodetach -in /var/tmp/openxpki7068rAhBRK43 -inkey
/var/tmp/openxpki7068HnLhAvaK/ca-signer-1 -signer /var/tmp/openxpki7068wnbNYH_K
-out /var/tmp/openxpki7068BT1d_Hs4 -passin env:pwd, __EXIT_STATUS__ => 512
[pid=7068|sid=IBVP]

That the issue lies in the configuration of crypto.yaml.

I do not grasp the employment of tokens. The error message refers to
ca-signer-1. Is this a token name? If so, does it have to be explicitly
named in crypto.yaml or does the openxpki software look for ca-signer?

Assuming that ca-signer is searched for then what is the value returned by
"[% ALIAS %]"? Does this reference get used to SEARCH in the RDBMS? What is
returned? The key itself or the path to the key file?

When the 'openxpkiadm alias' command receives the '--key
/CA_HLL_ROOT_2016/private/keys/02.key.aes256' argument are the contents of
that file stored in the DB or the path to the key file?

--
***          e-Mail is NOT a SECURE channel          ***
        Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne                mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited          http://www.harte-lyne.ca
9 Brockley Drive              vox: +1 905 561 1241
Hamilton, Ontario             fax: +1 905 561 0757
Canada  L8E 3C3
Re: [OpenXPKI-users] 1 secret groups not available
On Fri, March 22, 2024 08:45, James B. Byrne wrote:
> Logging on to another test realm, not democa, as an RA Operator I see this:
>
>
> Your system status is critical!
>
> OpenXPKI system status
>
> Secret groups            1 secret groups are NOT available
> No CRL found!
> ---
> Active Encryption Token  vault-1
> System Version           3.24.2
> Hostname                 openxpki-3.internal.harte-lyne.ca.
> Config Version           api 3.18

In /var/log/openxpki/openxpki.log I see this:

2024/03/22 08:57:23 ERROR I18N_OPENXPKI_SERVICE_DEFAULT_HANDLE_CONTINUE_SESSION_SESSION_CONTINUE_FAILED; __ID__ => zqnDv0To7hGpoNTf3lNPsA== [pid=7068|]
2024/03/22 08:58:11 INFO Login successful (user: byrnejb_hll, role: RA Operator) [pid=7068|sid=IBVP]
2024/03/22 08:58:12 ERROR OpenSSL error: unable to load signing key file
45354726268928:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:/usr/src/crypto/openssl/crypto/evp/evp_enc.c:612:
45354726268928:error:0906A065:PEM routines:PEM_do_header:bad decrypt:/usr/src/crypto/openssl/crypto/pem/pem_lib.c:461:
 [pid=7068|sid=IBVP]
2024/03/22 08:58:12 ERROR I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary -nosmimecap -outform PEM -nodetach -in /var/tmp/openxpki7068rAhBRK43 -inkey /var/tmp/openxpki7068HnLhAvaK/ca-signer-1 -signer /var/tmp/openxpki7068wnbNYH_K -out /var/tmp/openxpki7068BT1d_Hs4 -passin env:pwd, __EXIT_STATUS__ => 512 [pid=7068|sid=IBVP]
2024/03/22 08:58:12 ERROR I18N_OPENXPKI_TOOLKIT_COMMAND_FAILED; __COMMAND__ => OpenXPKI::Crypto::Backend::OpenSSL::Command::pkcs7_sign, __ERRVAL__ => I18N_OPENXPKI_CRYPTO_CLI_EXECUTE_FAILED; __COMMAND__ => cms -sign -binary -nosmimecap -outform PEM -nodetach -in /var/tmp/openxpki7068rAhBRK43 -inkey /var/tmp/openxpki7068HnLhAvaK/ca-signer-1 -signer /var/tmp/openxpki7068wnbNYH_K -out /var/tmp/openxpki7068BT1d_Hs4 -passin env:pwd, __EXIT_STATUS__ => 512 [pid=7068|sid=IBVP]

I gather that either I cannot load ca-signer-1 or the key pass phrase value
is wrong. How do I tell which?
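The question above (is the key file unloadable, or is the passphrase wrong?) can be settled outside OpenXPKI with the same OpenSSL CLI its backend calls. The script below is an added example and is not part of this thread or of OpenXPKI; it assumes only that the openssl command line tool is installed, and it generates its own throwaway AES-256 encrypted key (constructed, with the made-up passphrase "correct-secret") rather than touching 02.key.aes256. The function name check_key_passphrase and the environment variable KEY_PWD are names chosen for the example.

```shell
#!/bin/sh
# Added example (not from the thread or OpenXPKI): separate "the key file
# cannot be read" from "the passphrase does not decrypt it" for an
# AES-encrypted PEM key, using the same -passin env:VAR convention that
# appears in the logged OpenXPKI cms command. Requires the openssl CLI.

# check_key_passphrase KEYFILE PASSPHRASE
# Prints exactly one word:
#   missing        - file absent or not readable by this user
#   bad-passphrase - file present, but OpenSSL cannot decrypt it with
#                    the given secret (the "bad decrypt" case in the log)
#   ok             - key loads and decrypts
check_key_passphrase() {
    key="$1"
    secret="$2"
    if [ ! -r "$key" ]; then
        echo missing
        return 0
    fi
    # Hand the secret over through the environment, not as an argument,
    # so it never shows up in process listings; this mirrors
    # "-passin env:pwd" in the logged command.
    if KEY_PWD="$secret" openssl pkey -in "$key" -passin env:KEY_PWD -noout 2>/dev/null; then
        echo ok
    else
        echo bad-passphrase
    fi
}

# Demo on a constructed key: a throwaway RSA key encrypted with AES-256
# under a known passphrase, then the three outcomes side by side.
demo() {
    tmp=$(mktemp -d)
    openssl genrsa -aes256 -passout pass:correct-secret \
        -out "$tmp/02.key.aes256" 2048 2>/dev/null
    echo "right passphrase: $(check_key_passphrase "$tmp/02.key.aes256" correct-secret)"
    echo "wrong passphrase: $(check_key_passphrase "$tmp/02.key.aes256" wrong-secret)"
    echo "no such file:     $(check_key_passphrase "$tmp/does-not-exist.pem" correct-secret)"
    rm -rf "$tmp"
}

demo
```

Run against the real file as the user the OpenXPKI server runs as, since a permission problem shows up as "missing" only for that account. A "bad-passphrase" result with the secret you believe is configured means the secret group, not the key file or the token definition, is what needs attention; "ok" from the shell but "bad decrypt" in openxpki.log means the passphrase OpenXPKI is supplying differs from the one you typed.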
[OpenXPKI-users] 1 secret groups not available
Logging on to another test realm, not democa, as an RA Operator I see this:

Your system status is critical!

OpenXPKI system status

Secret groups            1 secret groups are NOT available
No CRL found!
---
Active Encryption Token  vault-1
System Version           3.24.2
Hostname                 openxpki-3.internal.harte-lyne.ca.
Config Version           api 3.18 commit config 3.18

Tokens of type certsign
Token Alias              ca-signer-1
Certificate Identifier   Yh03GEV0ZGEqIGMf-fxZ3lErPmk
Token Status             OFFLINE
not before               2016-11-01 00:00:00 UTC
not after                2035-11-01 23:59:59 UTC

Tokens of type datasafe
Token Alias              vault-1
Certificate Identifier   IC6oLFDYdHybpJ4xwclmCOgQO9w
Token Status             ONLINE
not before               2024-02-12 17:35:23 UTC
not after                2124-02-13 17:35:23 UTC

SO, what am I missing in the way of configuration?