Re: [OpenXPKI-users] Openxpki workflow could not find token alias

2021-12-09 Thread Martin Bartosch via OpenXPKI-users
Hi,


> I ran into the following error while trying to (automatically) sign a CSR 
> for the factory_ca realm
> 
> 2021/12/09 10:42:36 255 start cert issue for serial 255, workflow 255
> 2021/12/09 10:42:36 255 NICE backend error: Could not find token alias by 
> group; __group__ => ca-signer, __noafter__ => 1670578956, __notbefore__ => 
> 1639042956, __pki_realm__ => factory_ca
> 

> I checked the ca-signer inside openxpki client and it is Online under name 
> ca-signer-1
> Which you can also see in the listing of the realm
> 
> ca-signer (certsign):
>   Alias : ca-signer-1
>   Identifier: m8UxpPiH9ux60PrL3_c0NDkiRDg
>   NotBefore : 2021-12-09 09:23:55
>   NotAfter  : 2022-12-09 09:23:55
> 
> As far as I found in the documentation, you don't need to update the -1, -2 etc. 
> on rollover.
> 
> What am I missing here?

You are trying to issue a certificate which is valid until Fri, 09 Dec 2022 
09:42:36 GMT, but your Issuing CA is only valid until 2022-12-09 09:23:55.

Hence your CA system cannot find a suitable CA certificate which can issue the 
requested certificate validity.

When designing your PKI you should align your CA validities properly with the 
maximum required end entity validity (which does not seem to be the case here). 
And you should also plan for the regular CA rollovers and prepare your system 
by importing the new CA certificate and associating it with the private key. If 
the regular CA rollover is executed properly your PKI will work indefinitely.

Cheers

Martin




___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
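The lookup Martin describes, modelled in code as an added example (this is not OpenXPKI's own code): the realm alias listing from the thread is parsed, the two epoch values from the error message are decoded, and a token is accepted only if its own validity covers the whole requested window. Assumptions: the listing times are UTC, OpenXPKI picks the newest covering token when several match, and the second alias `ca-signer-2` with its identifier and dates is invented to show what a completed rollover looks like.

```python
"""Simplified model of OpenXPKI's "find token alias by group" lookup.

Added example, not OpenXPKI code. Assumes listing times are UTC and that a
token is usable only if its validity covers the whole requested window.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed from the realm listing posted in the thread.
ALIAS_LISTING = """\
ca-signer (certsign):
  Alias : ca-signer-1
  Identifier: m8UxpPiH9ux60PrL3_c0NDkiRDg
  NotBefore : 2021-12-09 09:23:55
  NotAfter  : 2022-12-09 09:23:55
"""

# Constructed: the same realm after a rollover CA was imported. The second
# alias, its identifier and its dates are invented for this example.
ROLLOVER_LISTING = ALIAS_LISTING + """\
  Alias : ca-signer-2
  Identifier: c3VjY2Vzc29yLWNhLWV4YW1wbGU
  NotBefore : 2022-06-01 00:00:00
  NotAfter  : 2024-06-01 00:00:00
"""

_HEADER = re.compile(r"^(\S+) \((\w+)\):\s*$")
_FIELD = re.compile(r"^\s+(Alias|Identifier|NotBefore|NotAfter)\s*:\s*(.+?)\s*$")


def parse_time(text):
    """'YYYY-MM-DD HH:MM:SS' from the listing -> aware datetime (assumed UTC)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def epoch_to_utc(seconds):
    """Decode the __notbefore__ / __noafter__ epoch values from the error line."""
    return datetime.fromtimestamp(seconds, tz=timezone.utc)


def parse_alias_listing(text):
    """Turn the realm alias listing into a list of token dicts."""
    tokens, group, current = [], None, None
    for line in text.splitlines():
        m = _HEADER.match(line)
        if m:
            group = m.group(1)          # e.g. "ca-signer"; m.group(2) is the type
            continue
        m = _FIELD.match(line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Alias":
            current = {"group": group, "alias": value}
            tokens.append(current)
        elif key == "Identifier":
            current["identifier"] = value
        else:                           # NotBefore / NotAfter
            current[key.lower()] = parse_time(value)
    return tokens


def find_token_alias(tokens, group, notbefore, notafter):
    """Alias of the newest token in `group` whose validity covers the window, or None.

    This is the check that failed in the thread: the requested NotAfter lies
    19 minutes after the CA's own NotAfter, so no candidate remains.
    """
    candidates = [
        t for t in tokens
        if t["group"] == group
        and t["notbefore"] <= notbefore
        and t["notafter"] >= notafter
    ]
    if not candidates:
        return None
    return max(candidates, key=lambda t: t["notbefore"])["alias"]


def max_issuable_validity(tokens, group, now):
    """Longest end-entity validity any currently valid token of `group` can sign."""
    usable = [t for t in tokens if t["group"] == group and t["notbefore"] <= now <= t["notafter"]]
    if not usable:
        return timedelta(0)
    return max(t["notafter"] for t in usable) - now


if __name__ == "__main__":
    tokens = parse_alias_listing(ALIAS_LISTING)
    nb, na = epoch_to_utc(1639042956), epoch_to_utc(1670578956)
    print("requested window:", nb, "..", na)            # 2021-12-09 09:42:36 .. 2022-12-09 09:42:36
    print("token for that window:", find_token_alias(tokens, "ca-signer", nb, na))  # None
    print("longest validity issuable now:", max_issuable_validity(tokens, "ca-signer", nb))
    later, later_end = parse_time("2022-07-01 00:00:00"), parse_time("2023-07-01 00:00:00")
    rolled = parse_alias_listing(ROLLOVER_LISTING)
    print("after rollover:", find_token_alias(rolled, "ca-signer", later, later_end))  # ca-signer-2
```

Running it against the thread's own numbers reproduces the failure: the one-year request ends at 2022-12-09 09:42:36 UTC while ca-signer-1 ends at 09:23:55, so the candidate list is empty. The same request against the listing with the invented rollover CA resolves to ca-signer-2 without touching the alias name in crypto.yaml, which is what Martin means by planning the rollover ahead of time. The `max_issuable_validity` check is the quick way to confirm before a request whether the longest end-entity validity still fits inside the signing CA.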


[OpenXPKI-users] Openxpki workflow could not find token alias

2021-12-09 Thread Hans de Jong

Hello,

I ran into the following error while trying to (automatically) sign a 
CSR for the factory_ca realm


2021/12/09 10:42:36 255 start cert issue for serial 255, workflow 255
2021/12/09 10:42:36 255 NICE backend error: Could not find token alias 
by group; __group__ => ca-signer, __noafter__ => 1670578956, 
__notbefore__ => 1639042956, __pki_realm__ => factory_ca


Now I found someone with a similar error in the mailing list archive, which 
tells you to check the crypto.yml in your realm to make sure they align.


My config.d/realm/factory_ca/crypto.yaml head:

type:
  certsign: ca-signer
  datasafe: vault
  cmcra: ratoken
  scep: scep

token:
  ...
  ca-signer:
    inherit: default
    key_store: DATAPOOL
    key: "[% ALIAS %]"
    secret: ca-signer
  ...


I checked the ca-signer in the openxpki client and it is Online under the 
name ca-signer-1

Which you can also see in the listing of the realm

ca-signer (certsign):
  Alias : ca-signer-1
  Identifier: m8UxpPiH9ux60PrL3_c0NDkiRDg
  NotBefore : 2021-12-09 09:23:55
  NotAfter  : 2022-12-09 09:23:55

As far as I found in the documentation, you don't need to update the -1, -2 
etc. on rollover.


What am I missing here?

With kind regards,
Hans de Jong


