On Fri, June 14, 2024 12:36, Martin Bartosch wrote:
>> I was wrong. How is this feature disabled?
>
> We discussed this before on May 10th.
I apologize for the repetition. This is still an experimental installation and
I have been away from this particular task for some weeks. Thus my memory
On Fri, June 14, 2024 12:28, Martin Bartosch wrote:
> James,
>
>
> You need to restart Apache for this modification to have effect.
>
> Martin
>
Ahhh. Thank you.
I would never have thought of that, at least not for some time. And, I can see
the confusion that I would experience when I
I would like to add an I18N message to a custom profile.
msgid "I18N_OPENXPKI_UI_PROFILE_HLL_MULTI_LABEL"
msgstr "HLL Multi Purpose Profile"
I have created a new openxpki.mo file using msgcat and msgfmt. I have moved
the custom mo file into the en_US subdirectory of locale. I have verified
On Fri, June 14, 2024 07:47, James B. Byrne wrote:
> On Fri, June 14, 2024 07:43, James B. Byrne wrote:
>> On Thu, June 13, 2024 16:01, Oliver Welter wrote:
>>> Hello James,
>>>
>>> the status "revocation pending" indicates that no CRL was created that
>>> includes this cert, so once you have
On Fri, June 14, 2024 07:43, James B. Byrne wrote:
> On Thu, June 13, 2024 16:01, Oliver Welter wrote:
>> Hello James,
>>
>> the status "revocation pending" indicates that no CRL was created that
>> includes this cert, so once you have triggered a next CRL it will move
>> to "revoked". But in any
On Thu, June 13, 2024 16:01, Oliver Welter wrote:
> Hello James,
>
> the status "revocation pending" indicates that no CRL was created that
> includes this cert, so once you have triggered a next CRL it will move
> to "revoked". But in any case revoking a certificate will not let you
> reuse the
I created and revoked a certificate:
This workflow has finished with success and can not be restarted
Certificate Revocation Request (CRR) (#4607)
Certificate Revoked
The certificate has been revoked and a revocation list was issued.
Certificate
m3vd2NMhovsdN4HsdRGa0WHDRDU
Does OpenXPKI support IP addresses as a SubjectAlternativename?
On Fri, May 10, 2024 12:00, James B. Byrne wrote:
How does one add an IP dotted quad as an alternate subject name when signing
certificates? When added through the webui they appear as DNS:xxx.xxx.xxx.xxx.
I am used to seeing
How does one add an IP dotted quad as an alternate subject name when signing
certificates? When added through the webui they appear as DNS:xxx.xxx.xxx.xxx.
I am used to seeing IP:xxx.xxx.xxx.xxx in the SAN in such cases.
--
*** e-Mail is NOT a SECURE channel ***
Do
I wish to enter custom notbefore / notafter dates. Our practice is to use the ISO
8601 format of MMDDThh:mm:ss-hh:mm using a 24 hour clock and a +/- timezone
offset instead of names. The Edit Validity page says that all times are UTC,
which is fine. It also expects an AM/PM indicated 12 hour time
On Fri, May 10, 2024 02:08, Oliver Welter wrote:
> Hi James,
>
> this check is based on a "workflow attribute" which you can find in the
> table with the same name.
This is what workflow search in webui displays:
1023 2024-05-09 18:40:15 certificate_signing_request_v2
Duplicate Key Error (Request)
The uploaded key was found to be used already by another certificate request
but it is not allowed to certify the same key twice.
The problem with this is that no certificates whatsoever have been issued from
this instance of openxpki. What occurred was that a
When issuing this command:
openxpkiadm certificate remove \
--realm 'hll_ca2016' \
--name yeLQaPyw7YGVcs7W7-X5pBcljCw
I see this error:
I18N_OPENXPKI_SERVER_CONTEXT_CTX_OBJECT_NOT_DEFINED
OBJECT: session
What does this mean?
It appears that using the --force option eliminates the
On Tue, May 7, 2024 10:02, Oliver Welter wrote:
> Hi James,
>
> the default workflows disallow reusing a private key which is pretty
> much what the message tries to tell you, the location where this key is
> already used should be visible from the WebUI.
>
> This behaviour can only be changed by
I have an existing host with an existing private key: 2016002C.key
I generated a new csr from the private key:
openssl req -new -key 2016002C.key -out 2016002C_20240507.csr
head -5 2016002C_20240507.csr
-----BEGIN CERTIFICATE REQUEST-----
On Tue, April 30, 2024 09:58, Stefan Goeman wrote:
> Hi
>
> I was not able to look into this issue any sooner.
>
> I checked the log files from apache and I indeed see some errors.
> I include them here below.
> I found something similar in the mail archive. But, I would need a more
> detailed
The data column of the certificate table contains the Base64 encoded
certificate. However, I note that there are + characters wherever the rsa
display contains . Are these artifacts inserted by openxpki itself when it
imports/creates a certificate?
On Wed, April 17, 2024 05:29, Martin Bartosch wrote:
> James,
>
>> My question was imprecise. I had in mind a batch/cli type solution. After
>> further research this is what I am attempting to use.
>
>> openxpkicli --realm=hll_ca2016 get_private_key_for_cert \
>> --param
On Mon, April 15, 2024 15:02, Ali Danakiran wrote:
> Hey, I have changed the IP address and hostname of my Openxpki server and I
> have renewed the SSL certificate to the new IP. Now I have the following
> problem when I call up my Openxpki via DNS the page is displayed Https
> encrypted but when
On Mon, April 15, 2024 14:12, Martin Bartosch wrote:
> James,
>
>> I created csr where the option to create a private key was selected. How is
>> the private key created for this csr exported from openxpki?
>
> Click on the Certificate. Choose Action -> "Download private key/keystore
>
I created csr where the option to create a private key was selected. How is
the private key created for this csr exported from openxpki?
I have successfully imported an existing certificate into the hll_ca2016 realm,
finally.
openxpkiadm certificate list -v -v --realm hll_ca2016 --all
Certificates in hll_ca2016:
Identifier: 76QCIA3aO9WOjkW6g2SAGQXoATI
Subject:
For the 'openxpkicli import_certificate' command there is an additional
parameter named 'profile' which takes a string argument. Is this string a path
to a file; or just the name of a file; or something else?
openxpkicli --realm hll_ca2016 \
--filearg data=bare_20160001.pem \
--param
I have been struggling with the yaml profile mapping of certificate extensions
to openxpki profiles. I need some examples or a profile node key legend to
assist me in understanding how this works.
I am under the impression that the contents of
config.d/realm/realmname/profile/default.yaml are
On Thu, April 4, 2024 14:22, Martin Bartosch wrote:
>
> Check yo staging. Uh, permissions.
>
> Martin
>
>
I changed the permissions on /usr/local/www/download to 777. The CRL
publishing workflow now completes without error. However, there is no file
found in /usr/local/www/download/ after it
On Thu, April 4, 2024 12:45, Oliver Welter wrote:
> Hi James,
>
> something with your session setup seems to be fundamentally broken, I
> have no idea why this is the case.
>
> Have a look at system/server.yaml and try to switch to the "file"
> session handler.
>
I made this change to
On Wed, April 3, 2024 17:30, Oliver Welter wrote:
> the system is not really designed to work with externally provided
> certificates, it is a PKI that manages the certificate lifecycle. . .
Tracking down the CRL problem with democa I found
./config.d/realm/democa/publishing.yaml which contains
On Wed, April 3, 2024 17:30, Oliver Welter wrote:
> the system is not really designed to work with externally provided
> certificates, it is a PKI that manages the certificate lifecycleif
I have returned to the democa realm to experiment with how profiles work. I
have encountered a problem
After further exploration I have discovered that the certificate chain for the
imported certificates appears complete and correct. For example:
openxpkiadm certificate list --realm hll_ca2016 --all -v -v
Certificates in hll_ca2016:
Identifier: 76QCIA3aO9WOjkW6g2SAGQXoATI
Subject:
On Tue, April 2, 2024 16:02, James B. Byrne wrote:
> I extracted the PEM format certificate and attempted to import it:
>
> openssl crl2pkcs7 -nocrl -certfile hllcerts/20160001.pem \
> | openssl pkcs7 -print_certs \
> | awk '/BEGIN CERTIFICATE/,/END CERTIFICATE/' \
> >
On Tue, April 2, 2024 11:15, James B. Byrne wrote:
> On Tue, April 2, 2024 10:37, Martin Bartosch wrote:
>> openssl x509 parses this just fine, but the API requires a pure PEM block.
>> This is not the same.
>>
I extracted the PEM format certificate and attempted to import it:
openssl crl2pkcs7
On Tue, April 2, 2024 10:37, Martin Bartosch wrote:
> James,
>
>
> The file you are trying to import is not a pure PEM cert but contains leading
> text, and thus the input parameter is not passing the input data validation
> step.
>
> openssl x509 parses this just fine, but the API requires a pure
On Tue, April 2, 2024 02:26, Oliver Welter wrote:
> Hi James,
. . .
> To import existing end-entity certificates you have to use "openxpkicli
> import_certificate", . . .
>
I tried to import an old certificate using the command as given below. This
gave an error as shown.
openxpkicli --realm
I resolved the 'The requested URL has no service assigned.' error. This was
caused by having the realm_mode set to path in webui/default.conf and not
having the hll_ca2016 realm actually mapped. I switched back to the default
'select' mode.
Now I had a working system I decided to attempt to load
On Thu, March 28, 2024 12:35, James B. Byrne via OpenXPKI-users wrote:
> I ran into this issue before and fixed it but I cannot seem to resolve it
> myself this time. The error message issued by the web server is this:
>
I think that I have finally pinned down the source of thi
I ran into this issue before and fixed it but I cannot seem to resolve it
myself this time. The error message issued by the web server is this:
[Tue Mar 26 14:56:31.537586 2024] [fcgid:warn] [pid 44040] [client
192.168.216.89:32543] mod_fcgid: stderr: Can't call method "id" on an undefined
value
I resolved the issuing CA key's pass phrase. I was able to use the webui to
create an initial CRL. I went to download the txt version of the CRL. Changed
my mind and returned to the home page and went to download it again, hoping to
view it in a text editor rather than downloading the txt file.
On Fri, March 22, 2024 12:32, j...@caffeinecode.biz wrote:
> It has been awhile since I set this up, but essentially you end up
> generating 3 or 4 certificates.
> There is usually a script that you run after you change the placeholder
> values.
That script is not really useable on FreeBSD as
This is how I loaded the issuing CA certificate and key for hll_ca2016:
openxpkiadm alias \
--realm "hll_ca2016" \
--token certsign \
--file /CA_HLL_ROOT_2016/certs/02.pem \
--key /CA_HLL_ROOT_2016/private/keys/02.key.aes256
This is what I have in crypto.yaml
type:
certsign:
On Fri, March 22, 2024 08:45, James B. Byrne wrote:
> Logging on to another test realm, not democa, as an RA Operator I see this:
>
>
> Your system status is critical!
>
> OpenXPKI system status
>
> Secret groups 1 secret groups are NOT available
> No CRL found! ---
On Fri, March 22, 2024 03:41, Oliver Welter wrote:
> Hi James,
>
> The admin tool is somewhat outdated and is only meant for bootstrapping
> the CA and not really for importing legacy stuff, you should use
> "openxpkicli import_certificate" for this which also allows you to let
> the certs look
Logging on to another test realm, not democa, as an RA Operator I see this:
Your system status is critical!
OpenXPKI system status
Secret groups 1 secret groups are NOT available
No CRL found! ---
Active Encryption Token vault-1
System Version
On Wed, March 20, 2024 14:12, James B. Byrne via OpenXPKI-users wrote:
> # openxpkiadm certificate import --realm democa --file newname_rsa.crt
> try/catch is experimental at
> /usr/local/lib/perl5/site_perl/OpenXPKI/Server/Init.pm line 103.
> try/catch is experimental at
> /usr/
Our existing domain has many certificates, some of which have expired and
others which have been revoked. Plus the balance of active certificates. These
need to be imported.
I previously employed cacl to create the root and issuing CA for democa. These
certificates and the private key of the
On Tue, March 19, 2024 13:24, Oliver Welter wrote:
> When the certificate is issued, open the "certificate details" popup and
> look under "Actions", you should see a link there to download the key.
>
> On 19.03.24 18:04, James B. Byrne via OpenXPKI-users
How is the private key downloaded when one is created along with a certificate
request?
On Mon, March 18, 2024 11:51, Oliver Welter wrote:
> I have never seen this behavior before and therefore have no idea what's
> going on there :(
>
Sigh. . .
> There is a button "Reset Login" in the upper left corner, if it happens
> the next time, please try if clicking it or cleaning your
On Mon, March 18, 2024 11:02, James B. Byrne via OpenXPKI-users wrote:
> On Fri, March 15, 2024 15:13, James B. Byrne via OpenXPKI-users wrote:
>> I left a browser window open on the openxpki webpage after I logged out (well
>> terminated the session really). In any case when t
On Fri, March 15, 2024 15:13, James B. Byrne via OpenXPKI-users wrote:
> I left a browser window open on the openxpki webpage after I logged out (well
> terminated the session really). In any case when today I returned to openxpki
> I encountered this error when attempting to lo
I left a browser window open on the openxpki webpage after I logged out (well
terminated the session really). In any case when today I returned to openxpki
I encountered this error when attempting to login again:
2024/03/15 14:21:16 INF Resume backend session with id mE4yp/ji7hGn1dwq4FNPsA==
On Wed, March 13, 2024 18:00, Martin Bartosch wrote:
> Hi James,
. . .
>
>
> Yep, that's the problem. In the original default crypto.yaml we find
>
> ...
> # The actual token setup
> token:
> default:
> ...
> # Default value for import, recorded in database, can be overriden
> secret:
On Wed, March 13, 2024 09:25, Martin Bartosch wrote:
> Hi James,
>
. . .
>
> 1. the output of openxpkicli get_token_info (file in file system) is not
> consistent with your configuration (key in datapool). I have no idea why,
> because I cannot see more details on your system, but to me it looks
On Wed, March 13, 2024 07:52, Martin Bartosch wrote:
> Hi James,
. . .
>
> You should get more information about the error in the openxpki.log file. I
> suspect something is wrong with the CSR or the CA key, but the details you
> posted do not contain sufficient detail to tell what exactly went
I am working with democa and tried to sign a csr. However I get this error:
Unexpected error
This workflow was interrupted by an unexpected event, it will not continue
without a manual interaction. Please contact the support team!
The csr was generated using:
openssl x509 -x509toreq -signkey
On Mon, March 11, 2024 11:27, Oliver Welter wrote:
> even in a complex field like PKI some solutions are quite simple :D
>
> I would appreciate if you can summarize and contribute a "FreeBSD Setup
> Guide" ;)
>
I have kept detailed notes and tracked all changes I made using git. I suspect
that
On Mon, March 11, 2024 11:05, Oliver Welter wrote:
> well
>
> On 11.03.24 15:49, James B. Byrne via OpenXPKI-users wrote:
>> . . .
>> locale_directory: /usr/share/locale
>> default_language: en_US
>> . . .
>
> does not fit
>
>> # ll /usr/local/share/
On Mon, March 11, 2024 10:08, Oliver Welter wrote:
> please check the locale related settings in webui/default.conf - the
> translations for the UI are done by the frontend having its own
> configuration.
In webui/default.conf:
[global]
. . .
locale_directory: /usr/share/locale
I would appreciate some help with debugging my difficulties with I18N in WebUI.
What I see are the variable names / translation keys, in other words things
like I18N_OPENXPKI_UI_CLEAR_LOGIN. As far as I can determine the
configuration for translations is correct:
In config.d/system/server.yaml
This is what I get when browsing to the WebUI:
OpenXPKI
Open Source Trustcenter
I18N_OPENXPKI_UI_CLEAR_LOGIN
I18N_OPENXPKI_UI_LOGIN_PLEASE_LOG_IN
I18N_OPENXPKI_UI_LOGIN_REALM_SELECTION_DESC
I18N_OPENXPKI_UI_PKI_REALM_LABEL
I have these en_US locales installed:
ll -d
On Fri, February 23, 2024 08:56, Oliver Welter wrote:
> This sounds like the openxpki session driver is missing or not in the
> perl path, you can either grab this file from the repo and install it by
> hand
> https://github.com/openxpki/openxpki/tree/develop/core/server/CGI_Session_Driver
> or if
I changed the permissions on /usr/local/etc/openxpki/ and
/usr/local/etc/openxpki/webui/ to 755 and the permissions problem disappeared.
To be replaced with:
Application Error
The server did not return the expected data. Maybe your authentication
session has expired or there is an internal
On Fri, February 23, 2024 02:46, Oliver Welter wrote:
> Check the permissions of the full path/folder and check if it s a real
> file or a (broken) symlink
# ll -d /usr/local/etc/openxpki/
drwxr-xr-- 13 openxpki openxpki 20 Feb 22 08:45 /usr/local/etc/openxpki/
# ll -d
I see this in the ssl error log:
[Thu Feb 22 16:02:49.970150 2024] [fcgid:warn] [pid 58293] [client
192.168.216.89:58932] mod_fcgid: stderr: [Thu Feb 22 16:02:49 2024] webui.fcgi:
Can't open config file '/usr/local/etc/openxpki/webui/default.conf' (permission
denied) at
Ok. I have discovered that mod_fcgid was not loaded, notwithstanding the
report by apachectl. Having added the necessary LoadModule statement in
httpd.conf, ensuring that it follows the LoadModule mod_unixd statement, and
restarting Apache I now have a new error:
On Thu, February 22, 2024 11:30, Martin Bartosch wrote:
> Hi,
>
>> I have discovered that my literal reading of README.md and the Quickstart
>> guide
>> led me to copy the /usr/local/share/examples/openxpki/htdocs/ directory to
>> /var/local/www/openxpki/ whereas it appears that I instead should
I have discovered that my literal reading of README.md and the Quickstart guide
led me to copy the /usr/local/share/examples/openxpki/htdocs/ directory to
/var/local/www/openxpki/ whereas it appears that I instead should have copied
the contents thereof. This I have now done and I get a different
On Thu, February 22, 2024 08:06, Martin Arendtsen wrote:
> Hi,
>
> I believe that Sergei (Thank you for your work!) follows a standard for the
> apache installed on FreeBSD.
> Remember that FreeBSD puts everything in /usr/local when it comes to
> packets and applications not part of the base
On Wed, February 21, 2024 13:10, Oliver Welter wrote:
> Hi James,
>
> the package should install default.html - just make a copy or a symlink
> to index.html and you should be good to go.
>
I found an index.html file in /usr/local/www/openxpki/htdocs. This file has
the same contents as
I am trying to get the web UI to at least start. When I browse to:
https://192.168.216.89/openxpki/
I see this:
Forbidden
You don't have permission to access this resource.
and I get this in the Apache error log:
[Wed Feb 21 11:55:43.048743 2024] [autoindex:error] [pid 98228] [client
On Wed, February 14, 2024 07:36, Oliver Welter wrote:
> Educated guess on the topic - you changed the key password used in the
> sampleconfig.sh but did not change the password in OpenXPKI (crypto.yaml,
> section secret). The sampleconfig is exactly what the name indicates, a
> quick way to get a
On Wed, February 14, 2024 04:41, Martin Bartosch via OpenXPKI-users wrote:
> Hi,
>
> Some background information may be useful here:
Thank you very much. This information is most useful.
On Wed, February 14, 2024 07:36, Oliver Welter wrote:
>
> please do not use OpenXPKI (and the sampleconfig)
I am at the point where I am ready to import the root and issuer certificates
for our existing PKI.
The Quickstart guide (qsg) contains this example:
$ openxpkiadm alias --realm democa
=== functional token ===
vault (datasafe):
Alias : vault-1
Identifier: lZILS1l6Km5aIGS6pA7P7azAJic
NotBefore :
On Tue, February 13, 2024 04:53, Oliver Welter wrote:
> Hi James,
>
> the key settings are in the realm/foobar/crypto.yaml
>
> Oliver
>
Before I wrote I had found that file, removed the link to realm.tpl, copied the
prototype file into the realm config, and altered it. What I failed to do was
to
OS FreeBSD-13.2p9
openxpki Version (core): 3.24.2
Following the Quickstart guide I got to this point:
openxpkiadm alias --realm hll_ca2016 --token datasafe --file
local/keys/vault.crt -key local/keys/vault.key
directory for '/etc/openxpki/local/keys/vault-1.pem' does not exists, won't
create it!
On Thu, February 8, 2024 14:20, Jens Berthold wrote:
> Hi James,
>
> it seems that the psql command connects to the server via UNIX domain socket
> /var/run/postgresql per default (so the first line in pg_hba.conf allow the
> access).
>
> OpenXPKI tries a TCP connection. So you need to modify the
openxpki-3.24.2
FreeBSD-13.2p9 (jail.1)
PostgreSQL-16.1
service postgresql status
pg_ctl: server is running (PID: 26750)
/usr/local/bin/postgres "-D" "/var/db/postgres/data16"
When I run psql -U openxpki -d openxpki I connect:
psql -U openxpki -d openxpki
psql (16.1)
Type "help" for help.
On Tue, February 6, 2024 16:52, Sergei Vyshenski wrote:
> James ,
>
> Seems you make a number of strange moves.
>
Yes, I did.
I deleted the user and database, cleaned out /etc/openxpki, and restarted from
scratch. The issue was the lack of permissions on the table for the user
openxpki. I
On Tue, February 6, 2024 13:29, Lixin Liu wrote:
> Hi James,
>
> I am using "peer" instead of "trust" in my pg_hba.conf. You may want to try
> this.
>
Thanks, but changing this made no difference.
Regards,
PostgreSQL-16
FreeBSD-13.2p9
I am trying to set up openxpki using PostgreSQL as the data store. After
installing both postgresql16 and openxpki I completed the following steps
successfully using psql:
psql -U postgres -d postgres
CREATE USER openxpki;
CREATE DATABASE openxpki;
GRANT ALL