Re: [OpenXPKI-users] Workflow Pause

2021-08-06 Thread Oliver Welter
Hi Gabriel,

as Martin already wrote - the recommended way is to create a new CA
hierarchy every "X" years and perform a so-called "CA rollover". For
the "standard use case" of TLS certificates we usually recommend 3 years
of active operation for a CA generation to our customers and exchange the
full hierarchy every three years. With a one-year validity for
end-entity certificates and some operational reserve, 5 years of validity
for the issuing certificate and 10 years for the root is a good rule of
thumb, but YMMV.

On the OpenXPKI side a CA rollover is as easy as importing the new CA
certificate (and its key, of course) into the system the same way you did
with the initial one. OpenXPKI can have an unlimited number of CA
certificates in a single realm and just picks the one with the most
recent notbefore date, so there is no need to change anything else in
the software.

The "challenge" is to distribute the new root CA to your environment.
OpenXPKI supports this rollover as defined in the SCEP and EST protocols, and
our client software "CertNanny" can manage the client side.

best regards

Oliver

On 05.08.21 at 19:29, Gabriel Carissimo wrote:
> Oliver,
> I have a question regarding the validity of the CA and the validity of
> the certificates. How is it when, e.g., the validity of the CA is 5
> years and the validity of the certificates is 2 years: what happens
> when year 4 of the CA's validity is reached and it is intended to
> generate certificates for 2 years? Are the requests paused? What would
> be a good practice? Have a CA with 50 years?
>
> thanks
> Gabriel

Re: [OpenXPKI-users] Workflow Pause

2021-08-06 Thread Oliver Welter
On 05.08.21 at 17:48, Gabriel Carissimo wrote:
> If Oliver is right, I had not realized that; it was a particular
> requirement that they made, that the certificates have a validity of
> 15 years. In what are the noafter and notbefore values expressed?

The values are Unix epoch:

$ date -d@2101557733
Tue Aug  5 16:02:13 CEST 2036

-- 
Protect your environment -  close windows and adopt a penguin! 



___
OpenXPKI-users mailing list
OpenXPKI-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openxpki-users
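Worked example, added here and not code from OpenXPKI or from anyone in the thread. It serves the epoch note in this message and the "shell model" and CA-rollover explanations in Oliver's and Martin's messages below: it parses the epoch values out of the log line Gabriel posted, converts them the way `date -d@...` does, and models the selection rule Oliver describes (the issuer must cover the whole requested validity; among usable CA generations the newest notbefore wins) to show why the lookup fails with a single CA and succeeds once a rollover CA is imported. It also computes the point at which a 5-year CA stops being able to issue 2-year certificates, the case Gabriel asks about. The CA aliases, their dates and the selection logic are assumptions for illustration, not OpenXPKI internals.

```python
"""Added example, not OpenXPKI's own code: model the validity check behind
"Could not find token alias by group" and plan the CA rollover deadline.

Assumptions (illustration only, not OpenXPKI internals): a CA token is a
dict with alias/notbefore/notafter (unix epoch); it is usable only when it
covers the whole requested validity ("shell model"); among usable tokens
the most recent notbefore wins, as Oliver describes."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample input: the log line posted in the thread.
LOG_LINE = ("2021/08/05 11:02:13 ERROR Could not find token alias by group; "
            "__group__ => ca-signer, __noafter__ => 2101557733, "
            "__notbefore__ => 1628172133, __pki_realm__ => XX")


def parse_token_lookup(line):
    """Pull the requested validity window (unix epoch) out of the log line."""
    m = re.search(r"__noafter__ => (\d+), __notbefore__ => (\d+)", line)
    if not m:
        raise ValueError("not a token-lookup error line")
    return {"notbefore": int(m.group(2)), "notafter": int(m.group(1))}


def epoch_to_utc(ts):
    """Render an epoch value the way `date -u -d@TS` would, in UTC."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def requested_years(window):
    """Requested lifetime in (Julian) years, for the '15 years' sanity check."""
    return (window["notafter"] - window["notbefore"]) / (365.25 * 86400)


def pick_signer(cas, notbefore, notafter):
    """Shell model: the issuer must be valid over the entire EE window.
    Return the alias of the usable token with the newest notbefore, or
    None, which is the situation the log line reports."""
    usable = [ca for ca in cas
              if ca["notbefore"] <= notbefore and ca["notafter"] >= notafter]
    if not usable:
        return None
    return max(usable, key=lambda ca: ca["notbefore"])["alias"]


def last_issuance(ca_notafter, ee_validity_days):
    """Last moment a CA can still issue an EE certificate of this validity
    under the shell model, i.e. the deadline by which the rollover CA must
    be imported and active. Returns an aware UTC datetime."""
    return (datetime.fromtimestamp(ca_notafter, tz=timezone.utc)
            - timedelta(days=ee_validity_days))


def ts_utc(year, month, day):
    """Epoch for midnight UTC on the given date."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


# Constructed CA generations; the aliases and dates are hypothetical.
OLD_CA = {"alias": "ca-signer-1", "notbefore": ts_utc(2019, 1, 1), "notafter": ts_utc(2024, 1, 1)}
NEW_CA = {"alias": "ca-signer-2", "notbefore": ts_utc(2021, 8, 1), "notafter": ts_utc(2041, 8, 1)}


def demo():
    """Replay the thread: the request fails with the old CA alone and
    succeeds once the rollover CA is present in the realm."""
    window = parse_token_lookup(LOG_LINE)
    before_rollover = pick_signer([OLD_CA], **window)         # None
    after_rollover = pick_signer([OLD_CA, NEW_CA], **window)  # "ca-signer-2"
    return window, before_rollover, after_rollover


if __name__ == "__main__":
    window, before, after = demo()
    print("requested:", epoch_to_utc(window["notbefore"]), "->",
          epoch_to_utc(window["notafter"]),
          "(~%.1f years)" % requested_years(window))
    print("signer with the old CA only:", before)
    print("signer after importing the new CA:", after)
    # Gabriel's scenario: 5-year CA, 2-year EE certs -> issuance stops after ~3 years.
    print("a CA expiring 2026-01-01 stops issuing 730-day certs on:",
          last_issuance(ts_utc(2026, 1, 1), 730).strftime("%Y-%m-%d"))
```

Run it as a script to see the replay; the point of `last_issuance` is that the rollover CA has to be in place before that date, not before the old CA expires, otherwise requests start failing exactly as in the log above.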


Re: [OpenXPKI-users] Workflow Pause

2021-08-05 Thread Gabriel Carissimo
Oliver,
I have a question regarding the validity of the CA and the validity of the
certificates. How is it when, e.g., the validity of the CA is 5 years and the
validity of the certificates is 2 years: what happens when year 4 of the CA's
validity is reached and it is intended to generate certificates for 2 years?
Are the requests paused? What would be a good practice? Have a CA with 50
years?

thanks
Gabriel

On Thu, 5 Aug 2021 at 12:14, Oliver Welter wrote:

> It looks like you want to issue a certificate with a validity of 15
> years (hope you know what you are doing) but your CA certificate is not
> valid at this point in time. OpenXPKI uses the "shell model", which
> requires that the CA lifetime is at least equal to the signed certificate's
> lifetime.
>
> So either you reduce the validity or you must create a new issuing CA that
> has a sufficiently long validity period.
>
> Oliver


Re: [OpenXPKI-users] Workflow Pause

2021-08-05 Thread Gabriel Carissimo
If Oliver is right, I had not realized that; it was a particular
requirement that they made, that the certificates have a validity of 15
years. In what are the noafter and notbefore values expressed?

thank you very much Oliver

On Thu, 5 Aug 2021 at 12:14, Oliver Welter wrote:

> It looks like you want to issue a certificate with a validity of 15
> years (hope you know what you are doing) but your CA certificate is not
> valid at this point in time. OpenXPKI uses the "shell model", which
> requires that the CA lifetime is at least equal to the signed certificate's
> lifetime.
>
> So either you reduce the validity or you must create a new issuing CA that
> has a sufficiently long validity period.
>
> Oliver


Re: [OpenXPKI-users] Workflow Pause

2021-08-05 Thread Oliver Welter
It looks like you want to issue a certificate with a validity of 15
years (hope you know what you are doing) but your CA certificate is
not valid at this point in time. OpenXPKI uses the "shell model", which
requires that the CA lifetime is at least equal to the signed
certificate's lifetime.

So either you reduce the validity or you must create a new issuing CA
that has a sufficiently long validity period.

Oliver

On 05.08.21 at 16:14, Gabriel Carissimo wrote:
> Thank you very much, as always, Oliver!
>
> The only error that I detect is in openxpki.log and it is the following:
> 2021/08/05 11:02:13 ERROR Could not find token alias by group;
> __group__ => ca-signer, __noafter__ => 2101557733, __notbefore__ =>
> 1628172133, __pki_realm__ => XX
> [pid=22660|sid=PLa1|wftype=certificate_signing_request_v2|wfid=327935]
> 2021/08/05 11:02:13 ERROR Caught exception from action: [Generic
> exception]; reset workflow to old state
> 'APPROVED_GLOBAL_PERSIST_CSR_0'
> [pid=22660|sid=PLa1|wftype=certificate_signing_request_v2|wfid=327935]
>
> what should I do?
>
> thanks
> Gabriel




Re: [OpenXPKI-users] Workflow Pause

2021-08-05 Thread Martin Bartosch via OpenXPKI-users
Hi,

> Thank you very much, as always, Oliver!
> 
> The only error that I detect is in openxpki.log and it is the following:
> 2021/08/05 11:02:13 ERROR Could not find token alias by group; __group__ => 
> ca-signer, __noafter__ => 2101557733, __notbefore__ => 1628172133, 
> __pki_realm__ => XX 
> [pid=22660|sid=PLa1|wftype=certificate_signing_request_v2|wfid=327935]
> 2021/08/05 11:02:13 ERROR Caught exception from action: [Generic exception]; 
> reset workflow to old state 'APPROVED_GLOBAL_PERSIST_CSR_0' 
> [pid=22660|sid=PLa1|wftype=certificate_signing_request_v2|wfid=327935]
> 
> what should I do?


Looks very much like your system cannot find a suitable Issuing CA because the 
remaining validity of the current Issuing CA does not cover the requested end 
entity certificate validity. You should have prepared for this situation by 
issuing a rollover CA certificate and configuring it in your system. This 
operation can be done without downtime, and the system will seamlessly roll 
over to the new Issuing CA if this is done properly.

Cheers

Martin





Re: [OpenXPKI-users] Workflow Pause

2021-08-05 Thread Gabriel Carissimo
Thank you very much, as always, Oliver!

The only error that I detect is in openxpki.log and it is the following:
2021/08/05 11:02:13 ERROR Could not find token alias by group; __group__ =>
ca-signer, __noafter__ => 2101557733, __notbefore__ => 1628172133,
__pki_realm__ => XX
[pid=22660|sid=PLa1|wftype=certificate_signing_request_v2|wfid=327935]
2021/08/05 11:02:13 ERROR Caught exception from action: [Generic
exception]; reset workflow to old state 'APPROVED_GLOBAL_PERSIST_CSR_0'
[pid=22660|sid=PLa1|wftype=certificate_signing_request_v2|wfid=327935]

what should I do?

thanks
Gabriel

On Thu, 5 Aug 2021 at 3:23, Oliver Welter wrote:

> Hi,
>
> I assume this is the CSR "issue certificate" step - the backend error is
> usually a problem with the openssl call to create the certificate, check
> the error logs.
>
> Oliver


Re: [OpenXPKI-users] Workflow Pause

2021-08-05 Thread Oliver Welter
Hi,

I assume this is the CSR "issue certificate" step - the backend error is
usually a problem with the openssl call to create the certificate, check
the error logs.

Oliver

On 04.08.21 at 21:55, Gabriel Carissimo wrote:
> Hi friends,
> I am receiving this message; I attach an image. What could be happening?
>
>
> https://drive.google.com/file/d/1Xh-snQqZLeIg8nM6225CkGHppRg1NBNG/view?usp=sharing
> 
>
> thanks
>
>




[OpenXPKI-users] Workflow Pause

2021-08-04 Thread Gabriel Carissimo
Hi friends,
I am receiving this message; I attach an image. What could be happening?


https://drive.google.com/file/d/1Xh-snQqZLeIg8nM6225CkGHppRg1NBNG/view?usp=sharing

thanks