From: Thomas G. <t.g...@he...> - 2025-12-08 09:09:11
Hello Oliver,

the problem is that the documentation has a lot of errors and is missing a lot:

I really tried to follow all the steps in README.md <https://github.com/openxpki/openxpki-config/blob/community/README.md> and QUICKSTART.md <https://github.com/openxpki/openxpki-config/blob/community/QUICKSTART.md> to initially create my realm. But it is impossible to get it to work:

1.) When creating a key/cert the commands create files vault-1.pem and vault-1.crt. But already the next step uses file vault.pem and vault.crt ... (OK, not a big problem but not good, when providing a copy button)

2.) After importing the certificate I should check with ```oxi api get_token_info --realm democa -- alias=ca-signer-13```, but it creates the following error:

    TokenManager failed to create token for ca-signer-13; __ERRVAL__ => No certificate found for given alias; __alias__ => ca-signer-13

If I try to check the aliases for my domain with ```openxpkiadm alias --real democa``` I get:

    === functional token ===
    svault (datasafe):
      Alias : svault-1
      Identifier: 5yf1ovqpfe0p7zy8FjUmhh-L96g
      NotBefore : 2025-12-08 08:46:37
      NotAfter : 2026-12-08 08:46:37

    ca-signer (certsign):
      Alias : ca-signer-1
      Identifier: aebqYQ1WlzrkQNPb6Tgsiq5prNY
      NotBefore : 2025-01-27 17:06:05
      NotAfter : 2035-01-25 17:06:05

    ratoken (cmcra):
      not set

    ratoken (scep):
      not set

    === root ca ===
    current root ca:
      Alias : root-1
      Identifier: aebqYQ1WlzrkQNPb6Tgsiq5prNY
      NotBefore : 2025-01-27 17:06:05
      NotAfter : 2035-01-25 17:06:05

    upcoming root ca:
      not set

So there is no alias ca-signer-13.

But adjusting this to ca-signer-1 gives the next error:

    vault instance id does not match id of encypted data

Sorry, but the documentation might be helpful if you are already an OpenXPKI professional but not for a starter with > 30 years working as a sysadmin in Linux and some experience with PKI and certificates ...

And when I can't find a solution in the docs, which I always check before asking, I try to ask an AI to maybe find a solution.

Greetings,

Thomas

On 05.12.25 at 19:37, Oliver Welter wrote:
> Hi,
>
> as already said - please use docs and not AI generated configs and as
> your config snippets do not match the error message it is impossible
> to help.
>
> best regards
>
> Oliver
>
> On 12/3/25 10:07, Thomas Gebert wrote:
>> Hello,
>>
>> I get the following error while starting the server:
>>
>> Dec 03 08:56:25 test-keycloak02.testing.edubw.link
>> openxpkictl[278617]: Exception during server initialization: No type
>> given for authentication handler BasicAuth (No type given for
>> authentication handler BasicAuth) at
>> /usr/share/perl5/OpenXPKI/Server.pm line 801, <DATA> line 1.
>>
>> But there are types given for the stack and the handler:
>>
>> stack.yaml:
>> _System:
>>     handler: System
>>
>> default:
>>     handler: BasicAuth
>>
>> BasicAuth:
>>     handler: ExternalAuth
>>     type: NoAuth
>>     label: "Keycloak SSO"
>>     param:
>>         envkeys:
>>             username: REMOTE_USER
>>             email: OIDC_CLAIM_email
>>             role: OPENXPKI_SSO_ROLE
>>
>> handler.yaml:
>>
>> # Those stacks are usually required so you should not remove them
>> Anonymous:
>>     type: Anonymous
>>     label: Anonymous
>>
>> System:
>>     type: Anonymous
>>     role: System
>>
>> # Read the userdata from a YAML file defined in auth/connector.yaml
>> LocalPassword:
>>     type: Password
>>     user@: connector:auth.connector.userdb
>>
>> ExternalAuth:
>>     label: Keycloak SSO (NoAuth)
>>     class: OpenXPKI::Server::Authentication::NoAuth
>>     type: NoAuth
>>
>>
>> So I don't understand the error in the log.
>>
>> What is wrong here?
>>
>> Kind regards,
>>
>> Thomas
>>

-- 
Heinlein Consulting GmbH
Schwedter Str. 8/9b, 10119 Berlin

https://www.heinlein-support.de

Tel: 030 / 40 50 51 - 0
Fax: 030 / 40 50 51 - 19

Amtsgericht Berlin-Charlottenburg - HRB 220009 B
Managing Director: Peer Heinlein - Registered office: Berlin