Hi Gabriel,
> I need to issue new realm certificates, both from ca-signer-1 and vault-1.
> Could you tell me what commands I should execute to issue the certificates.
If I understand you correctly you intend to perform a CA Rollover within your
PKI Realm, and you also wish to update the datasafe (vault) certificate.
In order to do the former, you need to issue a new CA Certificate which is
capable of issuing certificates for your PKI Realm. Make the CA private key
accessible to OpenXPKI, preferably in a way that the system can implicitly
reference the private key by its base name and the CA generation (the latter is
set during import of the CA signer certificate).
How to do that depends on your setup (e. g. key storage in database, in the
file system or as a HSM object).
Once the CA private key is accessible to the system, import the CA certificate
via openxpkiadm as a signer token into the PKI Realm. Once this is done, the
system will immediately be able to use the new CA certificate for issuance of
new certificates. The old CA certificate remains active and will be used to sign
CRLs for revoked certificates for the previous CA generation.
Note that these operations can be done without restarting OpenXPKI, during
regular runtime. Truly continuous CA operation :-)
Importing/activating a new datasafe certificate is quite similar. Deploy and
configure the new datasafe private key at its designated location, import the
vault certificate as a datasafe token. If that certificate is issued by a CA in
the same PKI Realm, the certificate is already in the database and it is
sufficient to just set an alias.
The commands for these operations are very similar to the initial setup, please
refer to https://openxpki.readthedocs.io/en/latest/quickstart.html
Cheers
Martin
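The rollover steps from the reply above (stage the new private key under the name of the next generation, verify it, then import the certificate as a signer or datasafe token), collected into one script. This is an added example, not part of the mailing-list post and not OpenXPKI project code. It assumes a realm named `democa`, aliases of the form `<base>-<generation>` (`ca-signer-1`, `vault-1`), private keys read from `$KEYDIR_BASE/<realm>/<alias>.pem`, a service user named `openxpki`, and the `openxpkiadm alias --realm ... --token ... --file ...` syntax from the quickstart; check the key directory, user name and options against your installed version before relying on it.

```shell
#!/bin/sh
# Added example for a CA signer / datasafe rollover in OpenXPKI; not from the
# post and not project code. Assumptions (labelled): realm "democa", aliases
# named <base>-<generation>, keys read from $KEYDIR_BASE/<realm>/<alias>.pem,
# service user "openxpki", and the quickstart's `openxpkiadm alias` options.
set -eu

KEYDIR_BASE="${KEYDIR_BASE:-/etc/openxpki/local/keys}"   # assumed key layout
OPENXPKI_USER="${OPENXPKI_USER:-openxpki}"               # assumed service user

# next_alias: predict the alias OpenXPKI will assign on import so the key can
# be staged under that name beforehand, e.g. ca-signer-1 -> ca-signer-2.
next_alias() {
    base="${1%-*}"
    gen="${1##*-}"
    case "$gen" in
        ''|*[!0-9]*) echo "next_alias: '$1' has no numeric generation" >&2; return 1 ;;
    esac
    echo "${base}-$((gen + 1))"
}

# key_path: expected location of the private key for an alias (assumed layout).
key_path() {
    echo "${KEYDIR_BASE}/$1/$2.pem"
}

# check_keypair: refuse a certificate whose key is missing, readable by group
# or others, or whose public key does not match the certificate.
check_keypair() {
    cert="$1"; key="$2"
    [ -r "$cert" ] || { echo "certificate $cert not readable" >&2; return 1; }
    [ -r "$key" ]  || { echo "private key $key not readable" >&2; return 1; }
    if [ -n "$(find "$key" \( -perm -004 -o -perm -040 \) -print)" ]; then
        echo "private key $key is readable by group or others" >&2; return 1
    fi
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey)
    key_pub=$(openssl pkey -in "$key" -pubout)
    [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
}

# stage_key: copy the new private key to the path implied by the next
# generation of the alias, owned by the service user and readable only by it.
# Refuses to overwrite an existing key file.
stage_key() {
    realm="$1"; current_alias="$2"; src="$3"
    dst=$(key_path "$realm" "$(next_alias "$current_alias")")
    [ ! -e "$dst" ] || { echo "refusing to overwrite $dst" >&2; return 1; }
    mkdir -p "$(dirname "$dst")"
    cp "$src" "$dst"
    chmod 400 "$dst"
    [ "$(id -u)" -ne 0 ] || chown "$OPENXPKI_USER" "$dst"
    echo "$dst"
}

# import_token: verify the pair, then register the certificate as the realm's
# certsign (new CA generation) or datasafe (new vault) token. The previous CA
# generation stays active for CRL signing, as the post describes.
import_token() {
    realm="$1"; token="$2"; cert="$3"; key="$4"
    case "$token" in
        certsign|datasafe) ;;
        *) echo "unknown token type $token" >&2; return 1 ;;
    esac
    check_keypair "$cert" "$key"
    openxpkiadm alias --realm "$realm" --token "$token" --file "$cert"
}

# Usage (runs only when all five arguments are given):
#   sh rollover.sh democa certsign ca-signer-1 new-ca.crt   new-ca.pem
#   sh rollover.sh democa datasafe vault-1     new-vault.crt new-vault.pem
if [ $# -eq 5 ]; then
    staged_key=$(stage_key "$1" "$3" "$5")
    import_token "$1" "$2" "$4" "$staged_key"
fi
```

The permission and key-match checks run before `openxpkiadm` is invoked, so a wrong or world-readable key file is caught while the old generation is still the only active one; if the vault certificate was issued inside the realm, the import step only adds the alias for a certificate already in the database, exactly as the reply notes.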
___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users