From: De B. E. (RSE-ext) <Eri...@rs...> - 2026-02-25 12:15:43
Good morning,
I am currently working with OpenXPKI to implement a custom certificate chain. My goal is to establish a personalized CA hierarchy directly within the system.
According to the documentation, I have proceeded with creating a new realm, generating a private key, and setting up the CA certificate. You can find the batch file containing the configuration steps I followed here below:
#!/usr/bin/env bash
# Bootstrap a custom OpenXPKI realm ("mia_ca") with its own CA key and
# certificate, a crypto.yaml token definition, auth handlers and two profiles.
set -euo pipefail

REALM_DIR="/etc/openxpki/ca/mia_ca"
REALM_NAME="mia_ca"
CONFIG_REALM_DIR="/etc/openxpki/config.d/realm/${REALM_NAME}"
SYSTEM_REALMS_FILE="/etc/openxpki/config.d/system/realms.yaml"
DEMO_DIR="/etc/openxpki/config.d/realm/democa"
CRYPTO_YAML="${CONFIG_REALM_DIR}/crypto.yaml"
CA_KEY="${REALM_DIR}/ca.key"
CA_CRT="${REALM_DIR}/ca.crt"

# 1. CA private key and self-signed CA certificate
echo "Creazione directory per la CA: ${REALM_DIR}"
sudo mkdir -p "${REALM_DIR}"
echo "Generazione chiave privata"
sudo openssl genrsa -out "${CA_KEY}" 4096
sudo chmod 600 "${CA_KEY}"
echo "Generazione cert CA"
sudo openssl req -x509 -new -nodes -key "${CA_KEY}" -sha256 -days 3650 \
    -subj "/CN=Mia Ca Interna/O=MiaAzienda/C=IT" -out "${CA_CRT}"
sudo chown root:root "${REALM_DIR}"/* || true
sudo chmod 644 "${CA_CRT}" || true

# 2. Realm configuration directory, cloned from democa when it exists
if [ -d "${DEMO_DIR}" ]; then
    echo "Copia struttura democa in ${CONFIG_REALM_DIR}"
    sudo cp -r "${DEMO_DIR}" "${CONFIG_REALM_DIR}"
else
    echo "Attenzione: ${DEMO_DIR} non esiste"
    sudo mkdir -p "${CONFIG_REALM_DIR}"
    sudo mkdir -p "${CONFIG_REALM_DIR}/profile"
    sudo mkdir -p "${CONFIG_REALM_DIR}/auth"
fi

# 3. crypto.yaml: token definition for the realm. The heredoc is unquoted so
#    the CA_KEY/CA_CRT paths expand; the previous version hard-coded
#    ".../ca.cert" although the file written above is ".../ca.crt".
if [ -f "${CRYPTO_YAML}" ]; then
    echo "Rimuovo ${CRYPTO_YAML}"
    sudo rm -f "${CRYPTO_YAML}"
fi
echo "Creazione ${CRYPTO_YAML}"
sudo tee "${CRYPTO_YAML}" > /dev/null <<YAML
type:
  certsign: mia_ca_signer
token:
  default:
    backend: OpenSSL
    engine: OpenSSL
    key: ${CA_KEY}
    cert: ${CA_CRT}
YAML
sudo chmod 640 "${CRYPTO_YAML}"

# 4. Authentication handlers (quoted heredoc: nothing is expanded)
AUTH_HANDLER="${CONFIG_REALM_DIR}/auth/handler.yaml"
echo "Creazione handler in ${AUTH_HANDLER}"
sudo tee "${AUTH_HANDLER}" > /dev/null <<'YAML'
Anonymous:
  type: Anonymous
  label: Anonymous
System:
  type: Anonymous
  label: System
Certificate:
  type: ClientX509
  role: User
  arg: CN
  trust_anchor:
    realm: mia_ca
LocalPassword:
  type: Password
  user@: connector:auth.connector.userdb
Password:
  type: Password
  user:
    emma:
      digest: '{plain}admin123'
      role: user
    caop:
      digest: '{plain}admin123'
      role: CA operator
    raop:
      digest: '{plain}admin123'
      role: RA operator
YAML
sudo chmod 640 "${AUTH_HANDLER}"

# 5. Register the realm in the system realm list (append once)
if grep -q "^${REALM_NAME}:" "${SYSTEM_REALMS_FILE}" 2>/dev/null; then
    echo "Realm ${REALM_NAME} già presente in ${SYSTEM_REALMS_FILE}"
else
    echo "Aggiungo ${REALM_NAME} a ${SYSTEM_REALMS_FILE}"
    sudo mkdir -p "$(dirname "${SYSTEM_REALMS_FILE}")"
    sudo tee -a "${SYSTEM_REALMS_FILE}" > /dev/null <<YAML
${REALM_NAME}:
  label: Mia CA Interna
  baseurl: https://localhost/webui
YAML
fi

# 6. List the realm's certificates, then import the CA and create the
#    certsign alias from the identifier printed by the import
if command -v openxpkiadm >/dev/null 2>&1; then
    echo "Verifica realm con 'sudo openxpkiadm certificate list --realm ${REALM_NAME}'"
    sudo openxpkiadm certificate list --realm "${REALM_NAME}" || true
else
    echo "openxpkiadm non trovato"
fi

if command -v openxpkiadm >/dev/null 2>&1; then
    echo "import della CA"
    IMPORT_OUTPUT=$(sudo openxpkiadm certificate import --realm "${REALM_NAME}" --file "${CA_CRT}" 2>&1)
    echo "${IMPORT_OUTPUT}"
    IDENTIFIER=$(echo "${IMPORT_OUTPUT}" | grep -i "identifier" | sed 's/.*identifier[: ]*//i')
    if [ -n "${IDENTIFIER}" ]; then
        echo "identifier trovato: ${IDENTIFIER}"
        echo "aggiunta alias token"
        sudo openxpkiadm alias --realm "${REALM_NAME}" --identifier "${IDENTIFIER}" --token certsign
    else
        echo "Errore identifier"
    fi
else
    echo "Openxpkiadm non trovato"
fi

# 7. Certificate profiles: TLS server and TLS client
TLS_SERVER_PROFILE="${CONFIG_REALM_DIR}/profile/tls_server.yaml"
echo "Creazione profilo server in ${TLS_SERVER_PROFILE}"
sudo tee "${TLS_SERVER_PROFILE}" > /dev/null <<'YAML'
subject:
  pattern: CN=%cn%,O=MiaAzienda,C=IT
  fields:
    cn:
      label: Nome host server
      description: inserisci host name server
      type: freetext
extensions:
  key_usage:
    critical: 1
    digital_signature: 1
    key_encipherment: 1
  extended_key_usage:
    critical: 0
    server_auth: 1
YAML

TLS_CLIENT_PROFILE="${CONFIG_REALM_DIR}/profile/tls_client.yaml"
echo "Creazione profilo client in ${TLS_CLIENT_PROFILE}"
sudo tee "${TLS_CLIENT_PROFILE}" > /dev/null <<'YAML'
subject:
  pattern: CN=%cn%,O=MiaAzienda,C=IT
  fields:
    cn:
      label: Nome utente
      description: inserisci nome utente
      type: freetext
    ou:
      label: unità
      description: inserisci nome unità o gruppo utente
      type: freetext
extensions:
  key_usage:
    critical: 1
    digital_signature: 1
  extended_key_usage:
    critical: 0
    client_auth: 1
YAML

exit 0
Unfortunately, this initial setup was unsuccessful. As a workaround, we attempted to remove the default CA in "democa" and replace it with our own. While this operation and the subsequent token creation were successful, we have encountered a critical issue: the token appears as offline within the OpenXPKI server.
Could you please advise if there is a more straightforward or better-documented procedure for importing a custom CA? Any guidance on why the token might be stuck offline would be greatly appreciated.
Thank you in advance for your assistance.
Best regards,
Erika
Erika De Bardi
Ricerca sul Sistema Energetico - RSE S.p.A.
Via R. Rubattino 54 - 20134 Milano
www.rse-web.it<https://www.rse-web.it>
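A diagnostic that is not part of the message above, added here as an example: before expecting a signer token to come online, confirm that the key and cert paths written into the realm's crypto.yaml exist, are readable, and actually belong to each other. It uses only POSIX sh and the openssl CLI; the function names and the minimal "name: value" extraction are assumptions of this example, not OpenXPKI's own tooling.

```shell
#!/bin/sh
# Added example, not from the original post: sanity-check the CA key/cert pair
# referenced by a realm crypto.yaml. Assumes POSIX sh and the openssl CLI.

# Return codes: 0 = ok, 2 = file missing/unreadable/unparseable,
# 3 = the certificate was not issued for this private key.
check_token_material() {
    ky="$1"
    ct="$2"
    if [ ! -r "$ky" ]; then
        echo "key not readable: $ky" >&2
        return 2
    fi
    if [ ! -r "$ct" ]; then
        echo "cert not readable: $ct" >&2
        return 2
    fi
    # Compare the SPKI derived from the private key with the one in the cert.
    key_pub=$(openssl pkey -in "$ky" -pubout 2>/dev/null) || {
        echo "cannot parse private key: $ky" >&2
        return 2
    }
    cert_pub=$(openssl x509 -in "$ct" -noout -pubkey 2>/dev/null) || {
        echo "cannot parse certificate: $ct" >&2
        return 2
    }
    if [ "$key_pub" != "$cert_pub" ]; then
        echo "key and certificate do not match" >&2
        return 3
    fi
    return 0
}

# Pull the first "NAME: value" scalar out of FILE. Enough for the flat
# key:/cert: entries of a realm crypto.yaml; deliberately not a YAML parser.
yaml_scalar() {
    sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# Read the key/cert paths from a crypto.yaml and validate them.
check_crypto_yaml() {
    cfg_key=$(yaml_scalar "$1" key)
    cfg_cert=$(yaml_scalar "$1" cert)
    if [ -z "$cfg_key" ] || [ -z "$cfg_cert" ]; then
        echo "no key:/cert: entries found in $1" >&2
        return 2
    fi
    check_token_material "$cfg_key" "$cfg_cert"
}

# Usage: script.sh crypto.yaml   or   script.sh ca.key ca.crt
if [ "$#" -eq 1 ]; then
    check_crypto_yaml "$1"
elif [ "$#" -eq 2 ]; then
    check_token_material "$1" "$2"
fi
```

Run it as the account the OpenXPKI server runs under (for example with sudo -u), because a key that is readable only by root passes when run as root and fails for the daemon; a mismatched path such as ca.cert versus ca.crt is reported as a missing file, and a cert issued for a different key as a mismatch.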