Yes, creating secure and unique passwords is tricky. One that's not easy but not too complicated, personal but not too personal, long but not too long.
> If you are not confident how to do this properly I recommend that you seek the support of experts on this topic.
Generate your Root CA separately, create your Issuing CA key and CSR, have it signed by the Root CA and import the generated CA certificate in OpenXPKI with the designated administrative commands.
> In short: I strongly recommend not to use the script in production. You should take the time and plan your PKI properly, plan the architecture and logical topology, properly define CA and end entity certificate profiles, define your policies and processes and design your PKI to implement the plan.
> Setting up a real PKI is not something you can let a script do for you. The key material produced is not protected properly and the certificate profiles are fine for a test environment but are surely not suitable for a production setup. The sample configuration is NOT meant to be used in a production environment.
> The sampleconfig.sh script is exactly this: a sample configuration.
> How can I use this script for production? Is it so difficult? Could you help me with this? I spent a few days on this problem and I can't understand why a few words in the config cause this error: ROOT_CA='Mycompany_root_ca' or ISSUING_CA_SUBJECT='/DC=com/DC=dn/DC=mycompany/DC=ca-one/CN=OpenXPKI CA-One SCEP RA 1'.
> Everything in your documentation is good except this.
> HOW can I modify the script to use a certificate with my information?
> If I press on Publish CA I'll have error Unknown error (server workflow error on execute)
> I pressed 'Issue a certificate revocation list (CRL)' and I got error "Unable to load workflow information."
> then 'openxpkictl start' and open
> I see my tokens but they are offline.
> Then I use command openxpkiadm alias -realm ca-one and I can see all certs like in your documentation
> ISSUING_CA_SUBJECT='/DC=com/DC=dn/DC=mycompany/DC=ca-one/CN=OpenXPKI CA-One SCEP RA 1'
> ISSUING_CA_SUBJECT='/DC=com/DC=dn/DC=mycompany/DC=ca-one/CN=OpenXPKI Issuing CA 1'
> But I want to change some information in the script for using in prod. I installed openxpki with sampleconfig.sh and all works fine.
> Could you tell me where I must change passwords?
> I can't see any information what I must do
> After this sentence """Here is what you need to do if you /dont/ use the sampleconfig script.""" I can't find any information in the documentation.
> successfully imported into the database.
I create new root certificate and SCEP, DATAVAULT, SIGNER.
The passwords are in realm/ca-one/crypto.yaml, you must also make sure that the key files have the correct file names (= name of the token alias) and are readable by the OpenXPKI daemon user.
How can I do the same for other keys? ca-one-signer and ca-one-scep
You can find a brief example in the "Connector"
If you need more secure settings, you can use the "Connector" features to hold the password in an extra file outside the configuration or use some kind of password daemon, e.g. "KeyNanny".
Label: another secret group of this realm
You need to create a secret group for each key.
If you use passwords for your keys you must add them to the file /etc/openxpki/config.d/realm/ca-one/crypto.yaml
Place before this sentence """Now it is time to see if anything is fine:"""
Works! :)
Denis, you must add this information to the Quickstart guide! It's easy but I spent many hours.