Re: [OpenXPKI-users] Cannot generate a new certificate from external csr

2024-05-07 Thread James B. Byrne via OpenXPKI-users
On Tue, May 7, 2024 10:02, Oliver Welter wrote:
> Hi James,
>
> the default workflows disallow reusing a private key which is pretty
> much what the message tries to tell you, the location where this key is
> already used should be visible from the WebUI.
>
> This behaviour can only be changed by modifying the workflows as we
> consider this an elemental feature for security so there is no "flag" to
> turn this off.
>

I have just managed to get back to this project after dealing with other
matters.  It appears that I had previously carried out the testing I am now
attempting and had forgotten doing so.  Still, this was a useful exercise in
discovery.  I see no benefit to be had by changing the default behaviour in
this respect.

I am torn now between simply destroying the existing database and starting
afresh from the db pov; not touching the rest of the configuration. Or pressing
on with what I have already done.  I begin to lean towards the former.

Everything else now appears to be working on FreeBSD without issue.  I have
comprehensive notes as to what I did and the order in which the steps were
performed.   However, I chose to do everything manually rather than employ the
startup script provided.  I also varied the setup provided in the FreeBSD
ported package, particularly with respect to paths which I changed to conform
to FreeBSD normal usage.  The official package did not do much in that regard.

I  wrote a couple of helper scripts to properly set ownerships and permissions
given the troubles I encountered with git behaviour.

I wonder how much value someone else will obtain from the notes that I have. 
But if you would like them I can provide them.  I cannot commit to cleaning
them up however.

Thanks for all the help and forbearance.

-- 
***  e-Mail is NOT a SECURE channel  ***
Do NOT transmit sensitive data via e-Mail
   Unencrypted messages have no legal claim to privacy
 Do NOT open attachments nor follow links sent by e-Mail

James B. Byrne          mailto:byrn...@harte-lyne.ca
Harte & Lyne Limited  http://www.harte-lyne.ca
9 Brockley Drive  vox: +1 905 561 1241
Hamilton, Ontario fax: +1 905 561 0757
Canada  L8E 3C3



___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users


Re: [OpenXPKI-users] Cannot generate a new certificate from external csr

2024-05-07 Thread Oliver Welter

Hi James,

the default workflows disallow reusing a private key, which is pretty 
much what the message tries to tell you; the location where this key is 
already used should be visible from the WebUI.


This behaviour can only be changed by modifying the workflows as we 
consider this an elemental feature for security so there is no "flag" to 
turn this off.


regards

Oliver

On 07.05.24 15:51, James B. Byrne via OpenXPKI-users wrote:

> I have an existing host with an existing private key: 2016002C.key
>
> I generated a new csr from the private key:
>
> openssl req -new -key 2016002C.key -out 2016002C_20240507.csr
>
> head -5 2016002C_20240507.csr
> -----BEGIN CERTIFICATE REQUEST-----
> MIIFLDCCAxQCAQAwgcExCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMREw
> DwYDVQQHDAhIYW1pbHRvbjEdMBsGA1UECgwUSGFydGUgJiBMeW5lIExpbWl0ZWQx
> IDAeBgNVBAsMF05ldHdvcmtlZCBEYXRhIFNlcnZpY2VzMSEwHwYDVQQDDBhvcGVu
> eHBraS0zLmhhcnRlLWx5bmUuY2ExKTAnBgkqhkiG9w0BCQEWGmNlcnRpZmljYXRl
>
> When I paste the entire .csr into openxpki webui I get this error:
>
>
> The uploaded key was found to be used already by another certificate request
> but it is not allowed to certify the same key twice.
>
> 1.  What uploaded key does this message refer to?
>
> 2.  What specific series of events causes this message to be issued?
>
> 3.  What am I misapprehending with respect to issuing certificates for existing
> hosts?


--
Protect your environment -  close windows and adopt a penguin!





Re: [OpenXPKI-users] Cannot generate a new certificate from external csr

2024-05-07 Thread Martin Bartosch via OpenXPKI-users
James,

> I generated a new csr from the private key:
> 
> openssl req -new -key 2016002C.key -out 2016002C_20240507.csr

No, you regenerated the same CSR from the same private key.

> When I paste the entire .csr into openxpki webui I get this error:
> 
> 
> The uploaded key was found to be used already by another certificate request
> but it is not allowed to certify the same key twice.
> 
> 1.  What uploaded key does this message refer to?

To the public key in the (same) CSR you used before.

> 
> 2.  What specific series of events causes this message to be issued?

The PKI design decision we implemented in OpenXPKI in order to prevent exactly 
this.

> 3.  What am I misapprehending with respect to issuing certificates for 
> existing
> hosts?

One of the reasons of having a NotAfter date in an X.509 Certificate is to 
limit exposure and active use of the associated private key.

By default, OpenXPKI enforces this idea by not allowing reuse of the same 
private key for newly issued certificates. This is a good idea, but you can, of 
course, disable that if you so choose.

Cheers

Martin

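Martin's and Oliver's answers both come down to the same check: OpenXPKI's default workflow looks at the public key in a submitted CSR and refuses it when that key is already bound to an earlier request or certificate. The script below is an added illustration, not code from the thread or from OpenXPKI, showing how an operator can run the same test locally before submitting a renewal CSR. It compares the SHA-256 digest of the DER-encoded SubjectPublicKeyInfo of the CSR with that of the certificate the host already has, which is independent of subject, extensions and signature. It assumes a POSIX shell with the openssl command line tool; the file names, the subject and the keys it generates are constructed for the demonstration and the scenario reproduces the thread (a new CSR made from the existing key) next to the correct procedure (a CSR from a freshly generated key).

```shell
#!/bin/sh
# Added illustration, not code from the thread or from OpenXPKI.
# Detects the condition OpenXPKI's default workflow rejects: a CSR whose
# public key is the one already certified. Keys are compared by the SHA-256
# digest of the DER-encoded SubjectPublicKeyInfo, which is independent of
# subject, extensions and signature and works for RSA and EC keys alike.
# Requires a POSIX shell and the openssl command line tool.
set -eu

# SPKI fingerprint of the public key carried in a PEM CSR.
spki_of_csr() {
    openssl req -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# SPKI fingerprint of the public key carried in a PEM certificate.
spki_of_cert() {
    openssl x509 -in "$1" -pubkey -noout \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# Exit status 0 when the CSR reuses the certificate's key, 1 otherwise.
key_is_reused() {
    [ "$(spki_of_csr "$1")" = "$(spki_of_cert "$2")" ]
}

# Build a constructed scenario in directory $1 (hypothetical file names):
#   old.key / old.crt    the key and certificate the host already has
#   renew_samekey.csr    a new CSR made from old.key, as in the thread
#   renew_newkey.csr     a CSR made from a freshly generated key
make_scenario() {
    dir=$1
    subj="/CN=host.example.test"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/old.key" 2>/dev/null
    openssl req -new -key "$dir/old.key" -subj "$subj" -out "$dir/old.csr"
    # self-signed stand-in for the certificate a CA issued earlier
    openssl x509 -req -in "$dir/old.csr" -signkey "$dir/old.key" -days 1 \
        -out "$dir/old.crt" 2>/dev/null
    openssl req -new -key "$dir/old.key" -subj "$subj" \
        -out "$dir/renew_samekey.csr"
    openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-256 \
        -out "$dir/new.key" 2>/dev/null
    openssl req -new -key "$dir/new.key" -subj "$subj" \
        -out "$dir/renew_newkey.csr"
}

# Print a verdict for one CSR against the existing certificate.
report() {
    if key_is_reused "$1" "$2"; then
        echo "$1: same key as $2 (OpenXPKI would reject this request)"
    else
        echo "$1: fresh key (eligible for issuance)"
    fi
}

# Stand-alone run: create the scenario in a temp dir and check both CSRs.
demo() {
    d=$(mktemp -d)
    make_scenario "$d"
    report "$d/renew_samekey.csr" "$d/old.crt"
    report "$d/renew_newkey.csr" "$d/old.crt"
    rm -rf "$d"
}
demo
```

Run as-is it prints one "same key" line for the CSR regenerated from the old key and one "fresh key" line for the CSR built on a new key. Against a real host, point `key_is_reused` at the CSR about to be uploaded and at the certificate currently installed; a match means the request will hit the same workflow rejection the thread describes, and the remedy is a new key pair rather than a workflow change.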





[OpenXPKI-users] Cannot generate a new certificate from external csr

2024-05-07 Thread James B. Byrne via OpenXPKI-users
I have an existing host with an existing private key: 2016002C.key

I generated a new csr from the private key:

openssl req -new -key 2016002C.key -out 2016002C_20240507.csr

head -5 2016002C_20240507.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIFLDCCAxQCAQAwgcExCzAJBgNVBAYTAkNBMRAwDgYDVQQIDAdPbnRhcmlvMREw
DwYDVQQHDAhIYW1pbHRvbjEdMBsGA1UECgwUSGFydGUgJiBMeW5lIExpbWl0ZWQx
IDAeBgNVBAsMF05ldHdvcmtlZCBEYXRhIFNlcnZpY2VzMSEwHwYDVQQDDBhvcGVu
eHBraS0zLmhhcnRlLWx5bmUuY2ExKTAnBgkqhkiG9w0BCQEWGmNlcnRpZmljYXRl

When I paste the entire .csr into openxpki webui I get this error:


The uploaded key was found to be used already by another certificate request
but it is not allowed to certify the same key twice.

1.  What uploaded key does this message refer to?

2.  What specific series of events causes this message to be issued?

3.  What am I misapprehending with respect to issuing certificates for existing
hosts?



