openxpki-devel Mailing List for OpenXPKI

Hi,

Ver. 1.52 still has the same problem:

t/01-proxy-proc-safeexec.t ...... 7/23 # Looks like you planned 23 tests 
but ran 24.

Looks like it is fixed in develop branch, but not in 1.52 release.

Regards, Sergei

On 14 Sep 23 Thu 13:52, Oliver Welter wrote:
> Hello Sergei,
>
> thanks for reporting, the issue is already fixed on github and Scott 
> is creating a new CPAN release today.
>
> Oliver
>
> On 14.09.23 00:38, Sergei Vyshenski wrote:
>> Hi Oliver,
>> Seems that test number count needs an increment.
>> Regards, Sergei
>> ---
>>  t/01-proxy-proc-safeexec.t | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/t/01-proxy-proc-safeexec.t b/t/01-proxy-proc-safeexec.t
>> index e1c76c6..d514f8b 100644
>> --- a/t/01-proxy-proc-safeexec.t
>> +++ b/t/01-proxy-proc-safeexec.t
>> @@ -6,7 +6,7 @@ use warnings;
>>  use English;
>>  use Syntax::Keyword::Try;
>>
>> -use Test::More tests => 23;
>> +use Test::More tests => 24;
>>
>>  use Log::Log4perl;
>>  Log::Log4perl->easy_init( { level   => 'ERROR' } );
>>
>>
>> _______________________________________________
>> OpenXPKI-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/openxpki-devel
>

Hello Sergei,

thanks for reporting, the issue is already fixed on github and Scott is 
creating a new CPAN release today.

Oliver

On 14.09.23 00:38, Sergei Vyshenski wrote:
> Hi Oliver,
> Seems that test number count needs an increment.
> Regards, Sergei
> ---
>  t/01-proxy-proc-safeexec.t | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/t/01-proxy-proc-safeexec.t b/t/01-proxy-proc-safeexec.t
> index e1c76c6..d514f8b 100644
> --- a/t/01-proxy-proc-safeexec.t
> +++ b/t/01-proxy-proc-safeexec.t
> @@ -6,7 +6,7 @@ use warnings;
>  use English;
>  use Syntax::Keyword::Try;
>
> -use Test::More tests => 23;
> +use Test::More tests => 24;
>
>  use Log::Log4perl;
>  Log::Log4perl->easy_init( { level   => 'ERROR' } );
>
>
> _______________________________________________
> OpenXPKI-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openxpki-devel

-- 
Protect your environment -  close windows and adopt a penguin!

Hi Oliver,
Seems that test number count needs an increment.
Regards, Sergei
---
  t/01-proxy-proc-safeexec.t | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/t/01-proxy-proc-safeexec.t b/t/01-proxy-proc-safeexec.t
index e1c76c6..d514f8b 100644
--- a/t/01-proxy-proc-safeexec.t
+++ b/t/01-proxy-proc-safeexec.t
@@ -6,7 +6,7 @@ use warnings;
  use English;
  use Syntax::Keyword::Try;

-use Test::More tests => 23;
+use Test::More tests => 24;

  use Log::Log4perl;
  Log::Log4perl->easy_init( { level   => 'ERROR' } );

Dear OpenXPKI Fellows,

I am happy to announce the availabilty of the next OpenXPKI release 
v3.26 with some interessting new features and several bugfixes.

Please note that the provided packages are now for Debian 12 (bookworm)! 
Updated keys, source lists etc can be found on RTD as usual: 
https://openxpki.readthedocs.io/en/latest/quickstart.html

There will be no more releases made for Buster so please upgrade your 
installations! Inplace Upgrade should work, if you want to migrate to a 
new machine, moving your database and the /etc/openxpki folder should 
work for most installations.

New Features
  + Support PSS padding when signing certificates and CRLs
  + New parameter keep_expire in crl profile to control content of CRL
  + Browser for Datapool items (EE only)
  + Support JSON Web Signature in RPC Wrapper

Upgrades, Improvements and Bugfixes
   + Certificate profile fields (profile.template.*.yaml) now support 
the same attributes as workflow fields
   + Fix broken server response if custom translation strings contain 
special characters
   + Visual improvements of UI form fields (label hyphenation, 
continuation dots, sizing)
   + Breadcrumbs on most pages make it possible to see the latest 
actions at a glance
   + Popups now provide a Back button on follow-up popup pages
   + Auto-generated realm selection page
   + Debian packaging is now on Debian 12 "Bookworm"

Removals, Deprecations, Breaking Changes
   + Remove API command "get_cert_subject_styles"
   + Remove unused method 
OpenXPKI::Client::UI::Result::__register_wf_token_initial()
   + Remove openxpkictl option --foreground (use --no-detach instead)
   + Parameters validity, reason_code, remove_expired to IssueCRL are 
deprecated and will be removed with next release
   + Default behaviour of IssueCRL does now exclude expired certificates 
(compliant to RFC5280)
   + Code of the old SCEP layers has been removed (SCEP and LibSCEP)
   + Usage of PKCS7 wrapped JSON in RPC layer now requires explicit 
activation in wrapper config
   + x509 based auth handlers do no longer accept the default_role 
parameter, role must be used instead
   + Legacy format spec including mime type for download fields is no 
longer supported (format: download/mime/type)

In case of any questions or comments please use the mailing list ;)

best regards

Oliver and the rest of the OpenXPKI team

-- 
Protect your environment -  close windows and adopt a penguin!

Dear OpenXPKI Fellows,

we want to inform you about two vulnerabilities in OpenXPKI that might 
be used to run a cross-sites-scripting attack. Details on the problems 
can be found in the attached documents. Please note that you need to 
update code AND configuration!

An updated package v3.24.5 is available on the package servers, a 
minimal fix for the issue was added to the config repository.

Please note that our siging key expied recently and was replaced with a 
new one:
gpg --print-md sha256 Release.key (Updated 2023-06-21)
F88C6BFC 07ACE167 9399CDE5 21BD9148 4F9DA3EB B38E1BFC DA670B1C C96EB501

best regards

Oliver

-- 
White Rabbit Security GmbH, Werner-Heisenberg-Str. 8, 85254 Sulzemoos
Contact: +49 8135 314 000-0, of...@wh...
Director: Martin Bartosch, Scott T. Hardin, Dr. Oliver Welter

Hi Oliver,

It is a nice surprise for me that tests are working on linux.
Then it should be my responsibility to force them into working condition 
on freebsd.
Let me have a thorough check before disturbing you any further.

Regards, Sergei

On 6/20/2023 4:00 PM, Oliver Welter wrote:
> Hello Sergei,
>
> the tests are working on our linux dev environment so please share the 
> logs so we might be able to get this working.
>
> best regards
>
> Oliver
>
> On 08.06.23 00:36, Sergei Vyshenski wrote:
>> Thank you, Oliver.
>>
>> Correct. With that patched Makefile.PL the package builds and 
>> installs just fine at FreeBSD-13.2 with OpenSSL-3.1.1.
>>
>> This bring us to the second question.
>> What about plans to fix perl tests of the openxpki project?
>> Today "make test" says:
>> Result: FAIL
>> Failed 24/96 test programs. 2/1797 subtests failed.
>>
>> Want to see a log of tests?
>>
>> Regards, Sergei
>>
>> On 6/7/2023 4:26 PM, Oliver Welter wrote:
>>> Hi Sergei,
>>>
>>> this check is a leftover from the times we had a binding so I guess 
>>> if you just remove this section then the packages should build.
>>>
>>> Oliver
>>>
>>> On 07.06.23 00:14, Sergei Vyshenski wrote:
>>>>
>>>> Sorry for the noise. This log just show break because the present 
>>>> version of the openxpki package explicitly requires opnessl-1.
>>>>
>>>> ==================
>>>> Hi Oliver,
>>>>
>>>> Maybe you can see something useful from the build log at 
>>>> FreeBSD-14-beta (aka Current) and openssl-3:
>>>>
>>>> https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/p5-openxpki-3.24.1.log 
>>>>
>>>>
>>>> Regards, Sergei
>>>>
>>>> On 6/7/2023 12:53 AM, Oliver Welter wrote:
>>>>> Hello Sergei,
>>>>>
>>>>> we have not done any tests by now but as the CLI interface for the 
>>>>> relevant calls should not have changed with OpenSSL 3 and we got 
>>>>> rid of the binary bindings in the core project, it SHOULD not be a 
>>>>> problem to run OpenXPKI with OpenSSL 3. As we make extensive use 
>>>>> of the perl CryptX and other libraries which bind to OpenSSL, I 
>>>>> hope those have adapted the changes in the meantime.
>>>>>
>>>>> As we have Debian 12 support on the list for the second half of 
>>>>> the year which also comes with OpenSSL 3 we will see very soon if 
>>>>> this assumption holds.
>>>>>
>>>>> best regards
>>>>>
>>>>> Oliver
>>>>>
>>>>> On 06.06.23 23:22, Sergei Vyshenski wrote:
>>>>>> Hi,
>>>>>>
>>>>>> Could you please shed some light about plans for support of 
>>>>>> openssl-3 ?
>>>>>>
>>>>>> Asking because this summer we expect a new stable release 
>>>>>> FreeBSD-14, which has openssl-3 in base system.
>>>>>> After that using of openssl-1 at FreeBSD becomes a problem, if 
>>>>>> possible at all.
>>>>>> At the moment I am trying to persuade FreeBSD seniors to make 
>>>>>> some excuses for oepnssl-1, but they rarely hear pleas about 
>>>>>> keeping old libraries.
>>>>>>
>>>>>> Regards, Sergei
>>>>>>
>>>>>>
>>>>>> _______________________________________________
>>>>>> OpenXPKI-devel mailing list
>>>>>> Ope...@li...
>>>>>> https://lists.sourceforge.net/lists/listinfo/openxpki-devel
>>>>>>
>>>>
>>>>
>>>>
>>>>
>>>> _______________________________________________
>>>> OpenXPKI-devel mailing list
>>>> Ope...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/openxpki-devel
>>>>
>>
>>
>>
>> _______________________________________________
>> OpenXPKI-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/openxpki-devel
>>

Hello Sergei,

the tests are working on our linux dev environment so please share the 
logs so we might be able to get this working.

best regards

Oliver

On 08.06.23 00:36, Sergei Vyshenski wrote:
> Thank you, Oliver.
>
> Correct. With that patched Makefile.PL the package builds and installs 
> just fine at FreeBSD-13.2 with OpenSSL-3.1.1.
>
> This bring us to the second question.
> What about plans to fix perl tests of the openxpki project?
> Today "make test" says:
> Result: FAIL
> Failed 24/96 test programs. 2/1797 subtests failed.
>
> Want to see a log of tests?
>
> Regards, Sergei
>
> On 6/7/2023 4:26 PM, Oliver Welter wrote:
>> Hi Sergei,
>>
>> this check is a leftover from the times we had a binding so I guess 
>> if you just remove this section then the packages should build.
>>
>> Oliver
>>
>> On 07.06.23 00:14, Sergei Vyshenski wrote:
>>>
>>> Sorry for the noise. This log just show break because the present 
>>> version of the openxpki package explicitly requires opnessl-1.
>>>
>>> ==================
>>> Hi Oliver,
>>>
>>> Maybe you can see something useful from the build log at 
>>> FreeBSD-14-beta (aka Current) and openssl-3:
>>>
>>> https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/p5-openxpki-3.24.1.log 
>>>
>>>
>>> Regards, Sergei
>>>
>>> On 6/7/2023 12:53 AM, Oliver Welter wrote:
>>>> Hello Sergei,
>>>>
>>>> we have not done any tests by now but as the CLI interface for the 
>>>> relevant calls should not have changed with OpenSSL 3 and we got 
>>>> rid of the binary bindings in the core project, it SHOULD not be a 
>>>> problem to run OpenXPKI with OpenSSL 3. As we make extensive use of 
>>>> the perl CryptX and other libraries which bind to OpenSSL, I hope 
>>>> those have adapted the changes in the meantime.
>>>>
>>>> As we have Debian 12 support on the list for the second half of the 
>>>> year which also comes with OpenSSL 3 we will see very soon if this 
>>>> assumption holds.
>>>>
>>>> best regards
>>>>
>>>> Oliver
>>>>
>>>> On 06.06.23 23:22, Sergei Vyshenski wrote:
>>>>> Hi,
>>>>>
>>>>> Could you please shed some light about plans for support of 
>>>>> openssl-3 ?
>>>>>
>>>>> Asking because this summer we expect a new stable release 
>>>>> FreeBSD-14, which has openssl-3 in base system.
>>>>> After that using of openssl-1 at FreeBSD becomes a problem, if 
>>>>> possible at all.
>>>>> At the moment I am trying to persuade FreeBSD seniors to make some 
>>>>> excuses for oepnssl-1, but they rarely hear pleas about keeping 
>>>>> old libraries.
>>>>>
>>>>> Regards, Sergei
>>>>>
>>>>>
>>>>> _______________________________________________
>>>>> OpenXPKI-devel mailing list
>>>>> Ope...@li...
>>>>> https://lists.sourceforge.net/lists/listinfo/openxpki-devel
>>>>>
>>>
>>>
>>>
>>>
>>> _______________________________________________
>>> OpenXPKI-devel mailing list
>>> Ope...@li...
>>> https://lists.sourceforge.net/lists/listinfo/openxpki-devel
>>>
>
>
>
> _______________________________________________
> OpenXPKI-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openxpki-devel
>
-- 
Protect your environment -  close windows and adopt a penguin!

Thank you, Oliver.

Correct. With that patched Makefile.PL the package builds and installs 
just fine at FreeBSD-13.2 with OpenSSL-3.1.1.

This bring us to the second question.
What about plans to fix perl tests of the openxpki project?
Today "make test" says:
Result: FAIL
Failed 24/96 test programs. 2/1797 subtests failed.

Want to see a log of tests?

Regards, Sergei

On 6/7/2023 4:26 PM, Oliver Welter wrote:
> Hi Sergei,
>
> this check is a leftover from the times we had a binding so I guess if 
> you just remove this section then the packages should build.
>
> Oliver
>
> On 07.06.23 00:14, Sergei Vyshenski wrote:
>>
>> Sorry for the noise. This log just show break because the present 
>> version of the openxpki package explicitly requires opnessl-1.
>>
>> ==================
>> Hi Oliver,
>>
>> Maybe you can see something useful from the build log at 
>> FreeBSD-14-beta (aka Current) and openssl-3:
>>
>> https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/p5-openxpki-3.24.1.log 
>>
>>
>> Regards, Sergei
>>
>> On 6/7/2023 12:53 AM, Oliver Welter wrote:
>>> Hello Sergei,
>>>
>>> we have not done any tests by now but as the CLI interface for the 
>>> relevant calls should not have changed with OpenSSL 3 and we got rid 
>>> of the binary bindings in the core project, it SHOULD not be a 
>>> problem to run OpenXPKI with OpenSSL 3. As we make extensive use of 
>>> the perl CryptX and other libraries which bind to OpenSSL, I hope 
>>> those have adapted the changes in the meantime.
>>>
>>> As we have Debian 12 support on the list for the second half of the 
>>> year which also comes with OpenSSL 3 we will see very soon if this 
>>> assumption holds.
>>>
>>> best regards
>>>
>>> Oliver
>>>
>>> On 06.06.23 23:22, Sergei Vyshenski wrote:
>>>> Hi,
>>>>
>>>> Could you please shed some light about plans for support of 
>>>> openssl-3 ?
>>>>
>>>> Asking because this summer we expect a new stable release 
>>>> FreeBSD-14, which has openssl-3 in base system.
>>>> After that using of openssl-1 at FreeBSD becomes a problem, if 
>>>> possible at all.
>>>> At the moment I am trying to persuade FreeBSD seniors to make some 
>>>> excuses for oepnssl-1, but they rarely hear pleas about keeping old 
>>>> libraries.
>>>>
>>>> Regards, Sergei
>>>>
>>>>
>>>> _______________________________________________
>>>> OpenXPKI-devel mailing list
>>>> Ope...@li...
>>>> https://lists.sourceforge.net/lists/listinfo/openxpki-devel
>>>>
>>
>>
>>
>>
>> _______________________________________________
>> OpenXPKI-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/openxpki-devel
>>

Hi Sergei,

this check is a leftover from the times we had a binding so I guess if 
you just remove this section then the packages should build.

Oliver

On 07.06.23 00:14, Sergei Vyshenski wrote:
>
> Sorry for the noise. This log just show break because the present 
> version of the openxpki package explicitly requires opnessl-1.
>
> ==================
> Hi Oliver,
>
> Maybe you can see something useful from the build log at 
> FreeBSD-14-beta (aka Current) and openssl-3:
>
> https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/p5-openxpki-3.24.1.log 
>
>
> Regards, Sergei
>
> On 6/7/2023 12:53 AM, Oliver Welter wrote:
>> Hello Sergei,
>>
>> we have not done any tests by now but as the CLI interface for the 
>> relevant calls should not have changed with OpenSSL 3 and we got rid 
>> of the binary bindings in the core project, it SHOULD not be a 
>> problem to run OpenXPKI with OpenSSL 3. As we make extensive use of 
>> the perl CryptX and other libraries which bind to OpenSSL, I hope 
>> those have adapted the changes in the meantime.
>>
>> As we have Debian 12 support on the list for the second half of the 
>> year which also comes with OpenSSL 3 we will see very soon if this 
>> assumption holds.
>>
>> best regards
>>
>> Oliver
>>
>> On 06.06.23 23:22, Sergei Vyshenski wrote:
>>> Hi,
>>>
>>> Could you please shed some light about plans for support of openssl-3 ?
>>>
>>> Asking because this summer we expect a new stable release 
>>> FreeBSD-14, which has openssl-3 in base system.
>>> After that using of openssl-1 at FreeBSD becomes a problem, if 
>>> possible at all.
>>> At the moment I am trying to persuade FreeBSD seniors to make some 
>>> excuses for oepnssl-1, but they rarely hear pleas about keeping old 
>>> libraries.
>>>
>>> Regards, Sergei
>>>
>>>
>>> _______________________________________________
>>> OpenXPKI-devel mailing list
>>> Ope...@li...
>>> https://lists.sourceforge.net/lists/listinfo/openxpki-devel
>>>
>
>
>
>
> _______________________________________________
> OpenXPKI-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openxpki-devel
>
-- 
Protect your environment -  close windows and adopt a penguin!

Sorry for the noise. This log just show break because the present 
version of the openxpki package explicitly requires opnessl-1.

==================
Hi Oliver,

Maybe you can see something useful from the build log at FreeBSD-14-beta 
(aka Current) and openssl-3:

https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/p5-openxpki-3.24.1.log

Regards, Sergei

On 6/7/2023 12:53 AM, Oliver Welter wrote:
> Hello Sergei,
>
> we have not done any tests by now but as the CLI interface for the 
> relevant calls should not have changed with OpenSSL 3 and we got rid 
> of the binary bindings in the core project, it SHOULD not be a problem 
> to run OpenXPKI with OpenSSL 3. As we make extensive use of the perl 
> CryptX and other libraries which bind to OpenSSL, I hope those have 
> adapted the changes in the meantime.
>
> As we have Debian 12 support on the list for the second half of the 
> year which also comes with OpenSSL 3 we will see very soon if this 
> assumption holds.
>
> best regards
>
> Oliver
>
> On 06.06.23 23:22, Sergei Vyshenski wrote:
>> Hi,
>>
>> Could you please shed some light about plans for support of openssl-3 ?
>>
>> Asking because this summer we expect a new stable release FreeBSD-14, 
>> which has openssl-3 in base system.
>> After that using of openssl-1 at FreeBSD becomes a problem, if 
>> possible at all.
>> At the moment I am trying to persuade FreeBSD seniors to make some 
>> excuses for oepnssl-1, but they rarely hear pleas about keeping old 
>> libraries.
>>
>> Regards, Sergei
>>
>>
>> _______________________________________________
>> OpenXPKI-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/openxpki-devel
>>

Hi Oliver,

Maybe you can see something useful from the build log at FreeBSD-14-beta 
(aka Current) and openssl-3:

https://pkg-status.freebsd.org/gohan05/data/mainamd64openssl3-default/2023-06-05_08h50m07s/logs/errors/p5-openxpki-3.24.1.log

Regards, Sergei

On 6/7/2023 12:53 AM, Oliver Welter wrote:
> Hello Sergei,
>
> we have not done any tests by now but as the CLI interface for the 
> relevant calls should not have changed with OpenSSL 3 and we got rid 
> of the binary bindings in the core project, it SHOULD not be a problem 
> to run OpenXPKI with OpenSSL 3. As we make extensive use of the perl 
> CryptX and other libraries which bind to OpenSSL, I hope those have 
> adapted the changes in the meantime.
>
> As we have Debian 12 support on the list for the second half of the 
> year which also comes with OpenSSL 3 we will see very soon if this 
> assumption holds.
>
> best regards
>
> Oliver
>
> On 06.06.23 23:22, Sergei Vyshenski wrote:
>> Hi,
>>
>> Could you please shed some light about plans for support of openssl-3 ?
>>
>> Asking because this summer we expect a new stable release FreeBSD-14, 
>> which has openssl-3 in base system.
>> After that using of openssl-1 at FreeBSD becomes a problem, if 
>> possible at all.
>> At the moment I am trying to persuade FreeBSD seniors to make some 
>> excuses for oepnssl-1, but they rarely hear pleas about keeping old 
>> libraries.
>>
>> Regards, Sergei
>>
>>
>> _______________________________________________
>> OpenXPKI-devel mailing list
>> Ope...@li...
>> https://lists.sourceforge.net/lists/listinfo/openxpki-devel
>>

Hello Sergei,

we have not done any tests by now but as the CLI interface for the 
relevant calls should not have changed with OpenSSL 3 and we got rid of 
the binary bindings in the core project, it SHOULD not be a problem to 
run OpenXPKI with OpenSSL 3. As we make extensive use of the perl CryptX 
and other libraries which bind to OpenSSL, I hope those have adapted the 
changes in the meantime.

As we have Debian 12 support on the list for the second half of the year 
which also comes with OpenSSL 3 we will see very soon if this assumption 
holds.

best regards

Oliver

On 06.06.23 23:22, Sergei Vyshenski wrote:
> Hi,
>
> Could you please shed some light about plans for support of openssl-3 ?
>
> Asking because this summer we expect a new stable release FreeBSD-14, 
> which has openssl-3 in base system.
> After that using of openssl-1 at FreeBSD becomes a problem, if 
> possible at all.
> At the moment I am trying to persuade FreeBSD seniors to make some 
> excuses for oepnssl-1, but they rarely hear pleas about keeping old 
> libraries.
>
> Regards, Sergei
>
>
> _______________________________________________
> OpenXPKI-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openxpki-devel
>
-- 
Protect your environment -  close windows and adopt a penguin!

Hi,

Could you please shed some light about plans for support of openssl-3 ?

Asking because this summer we expect a new stable release FreeBSD-14, 
which has openssl-3 in base system.
After that using of openssl-1 at FreeBSD becomes a problem, if possible 
at all.
At the moment I am trying to persuade FreeBSD seniors to make some 
excuses for oepnssl-1, but they rarely hear pleas about keeping old 
libraries.

Regards, Sergei

 yes i went through the link. It helps but can you please guide me the exact procedure to store RSA key on YubiHSM which can be easily accessed by OpenXPKI? 
    On Wednesday, 30 March 2022, 07:07:04 pm GMT+5, Martin Bartosch <vc...@cy...> wrote:  
 
 > Can you please share the YubiHSM configuration to generate or import RSA key along with the configuration of OpenXPKI to access RSA key from YubiHSM?

https://www.mail-archive.com/ope...@li.../msg00656.html


  

> Can you please share the YubiHSM configuration to generate or import RSA key along with the configuration of OpenXPKI to access RSA key from YubiHSM?

https://www.mail-archive.com/ope...@li.../msg00656.html

 Hi.
Saw the reply on https://www.mail-archive.com/ope...@li.../msg00654.html
Can you please share the YubiHSM configuration to generate or import RSA key along with the configuration of OpenXPKI to access RSA key from YubiHSM?
RegardsScott Thomas

    On Thursday, 17 March 2022, 12:00:07 pm GMT+5, Martin Bartosch <vc...@cy...> wrote:  
 
 
>> > Yubico YubiHSM2 is a FIPS 140-2 Level 3 HSM. It provides PKCS#11 API version 2.40 and full access to device capabilities through Yubico’s YubiHSM Core Libraries (C, Python)
>> > 
>> > Does OpenXPKI or CLCA support integration with Yubico YubiHSM 2 for the generation and storage of CA and SubCA keys?
>> 
>> 
>> both OpenXPKI and clca can use HSM protected keys via the PKCS#11 API.
> 
> 
> Good to hear this. Can you please share the OpenXPKI configuration to store the CA key on YubiHSM? 

https://openxpki.readthedocs.io/en/latest/reference/configuration/realm.html#token-setup

  

>> > Yubico YubiHSM2 is a FIPS 140-2 Level 3 HSM. It provides PKCS#11 API version 2.40 and full access to device capabilities through Yubico’s YubiHSM Core Libraries (C, Python)
>> > 
>> > Does OpenXPKI or CLCA support integration with Yubico YubiHSM 2 for the generation and storage of CA and SubCA keys?
>> 
>> 
>> both OpenXPKI and clca can use HSM protected keys via the PKCS#11 API.
> 
> 
> Good to hear this. Can you please share the OpenXPKI configuration to store the CA key on YubiHSM? 

https://openxpki.readthedocs.io/en/latest/reference/configuration/realm.html#token-setup

 Good to hear this. Can you please share the OpenXPKI configuration to store the CA key on YubiHSM? 
RegardsScott Thomas

    On Monday, 14 June 2021, 01:09:09 pm GMT+5, Martin Bartosch <vc...@cy...> wrote:  
 
 Hi,

> Yubico YubiHSM2 is a FIPS 140-2 Level 3 HSM. It provides PKCS#11 API version 2.40 and full access to device capabilities through Yubico’s YubiHSM Core Libraries (C, Python)
> 
> Does OpenXPKI or CLCA support integration with Yubico YubiHSM 2 for the generation and storage of CA and SubCA keys?

both OpenXPKI and clca can use HSM protected keys via the PKCS#11 API.

Cheers

Martin

  

Both products can use PKCS#11 - so yes it is supported and we already
had a PoC installation based on YubiHSM for a demo presentation.

Am 14.06.21 um 10:03 schrieb Scott Thomas via OpenXPKI-devel:
> Bonjour Developers,
>
> Yubico YubiHSM2 is a FIPS 140-2 Level 3 HSM. It provides PKCS#11 API
> version 2.40 and full access to device capabilities through Yubico’s
> YubiHSM Core Libraries (C, Python)
>
> Does OpenXPKI or CLCA support integration with Yubico YubiHSM 2 for
> the generation and storage of CA and SubCA keys?
>
> Regards
> Scott Thomas
>
>
> _______________________________________________
> OpenXPKI-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openxpki-devel


-- 
Protect your environment -  close windows and adopt a penguin! 

Hi,

> Yubico YubiHSM2 is a FIPS 140-2 Level 3 HSM. It provides PKCS#11 API version 2.40 and full access to device capabilities through Yubico’s YubiHSM Core Libraries (C, Python)
> 
> Does OpenXPKI or CLCA support integration with Yubico YubiHSM 2 for the generation and storage of CA and SubCA keys?

both OpenXPKI and clca can use HSM protected keys via the PKCS#11 API.

Cheers

Martin

Bonjour Developers,
Yubico YubiHSM2 is a FIPS 140-2 Level 3 HSM. It provides PKCS#11 API version 2.40 and full access to device capabilities through Yubico’sYubiHSM Core Libraries (C, Python)
Does OpenXPKI or CLCA support integration with Yubico YubiHSM 2 for the generation and storage of CA and SubCA keys?
RegardsScott Thomas

Yes and the answer is already on the ML:
https://sourceforge.net/p/openxpki/mailman/message/37276620/

Option 3: Our company sells a Tool called CertNanny that can be used to
automate certificate request from Windows, Linux and Mac clients so you
can easily write a batch job with it, in case you are interessted
contact me via PM.

Am 20.05.21 um 04:28 schrieb Scott Thomas via OpenXPKI-devel:
> Is there any support on this feature?
>
> On Thursday, 6 May 2021, 09:03:54 am GMT+5, Node Developer via
> OpenXPKI-devel <ope...@li...> wrote:
>
>
> Dear Developers,
>
> Is there any option in OpenXPKI to automate the certificate request
> process from some data source for example i have a database of my
> company employees. I want the Request fields to be popped up with the
> data from DB to avoid manual data entry mistakes.
> Is it possible in OpenXPKI or through any other feature like bulk
> certificate requests?
>
> Regards
> _______________________________________________
> OpenXPKI-devel mailing list
> Ope...@li...
> <mailto:Ope...@li...>
> https://lists.sourceforge.net/lists/listinfo/openxpki-devel
> <https://lists.sourceforge.net/lists/listinfo/openxpki-devel>
>
>
> _______________________________________________
> OpenXPKI-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openxpki-devel


-- 
Protect your environment -  close windows and adopt a penguin! 

 Is there any support on this feature?
    On Thursday, 6 May 2021, 09:03:54 am GMT+5, Node Developer via OpenXPKI-devel <ope...@li...> wrote:  
 
 Dear Developers,
Is there any option in OpenXPKI to automate the certificate request process from some data source for example i have a database of my company employees. I want the Request fields to be popped up with the data from DB to avoid manual data entry mistakes.Is it possible in OpenXPKI or through any other feature like bulk certificate requests?
Regards_______________________________________________
OpenXPKI-devel mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openxpki-devel
  

Hi,

if the users will request the certificates themselves and you have a
login system like LDAP or SAML you can import the users information into
the login session and use this information to populate the fields. If
you want a third party to request the certificates based on the
information you need to adjust the CSR workflow to load the information
from the database based on any former user input. You should be able to
use the "Connector" pattern for this and use
OpenXPKI::Server::Workflow::Activity::Tools::Connector::GetValue to load
the data into the workflow.

The other alternative would be to create a custom workflow that receives
this data from another process and creates the certificates from it.

You will find pointers to all approaches on readthedocs and in the
sample configurations.

best regards

Oliver


Am 06.05.21 um 06:03 schrieb Node Developer via OpenXPKI-devel:
> Dear Developers,
>
> Is there any option in OpenXPKI to automate the certificate request
> process from some data source for example i have a database of my
> company employees. I want the Request fields to be popped up with the
> data from DB to avoid manual data entry mistakes.
> Is it possible in OpenXPKI or through any other feature like bulk
> certificate requests?
>
> Regards
>
>
> _______________________________________________
> OpenXPKI-devel mailing list
> Ope...@li...
> https://lists.sourceforge.net/lists/listinfo/openxpki-devel


-- 
Protect your environment -  close windows and adopt a penguin! 

Dear Developers,
Is there any option in OpenXPKI to automate the certificate request process from some data source for example i have a database of my company employees. I want the Request fields to be popped up with the data from DB to avoid manual data entry mistakes.Is it possible in OpenXPKI or through any other feature like bulk certificate requests?
Regards