Martin Bartosch Julia Dubenskaya

This Wiki is unsupported and will not be monitored by the OpenXPKI project team.

Refer to the project home page for more information.

The primary support channel is the mailing list https://sourceforge.net/projects/openxpki/lists/openxpki-users


Discussion

  • Vignesh Makeswaran

    Hi,
    I am using an nCipher HSM for my signing, SCEP and datasafe keys. I am using the modified HSM-supporting crypto.yaml realm file.

    #Sample Mockup Config for Token config of a single realm
    # The left side are fixed aliases used in the code, the right side
    # are arbitrarily chosen names, referencing the tokens below.
    type:
      certsign: test-signer
      datasafe: test-vault
      scep: test-scep
    
    # The actual token setup, based on current token.xml
    token:
      default:
        backend: OpenXPKI::Crypto::Backend::OpenSSL
    
        # Template to create key, available vars are
        # ALIAS (ca-one-signer-1), GROUP (ca-one-signer), GENERATION (1)
        #key: /etc/openxpki/ssl/[% PKI_REALM %]/[% ALIAS %].pem
    
        # possible values are OpenSSL, nCipher, LunaCA
        engine: OpenSSL
        engine_section: ''
        engine_usage: ''
        key_store: OPENXPKI
    
        # OpenSSL binary location
        shell: /usr/bin/openssl
    
        # OpenSSL binary call gets wrapped with this command
        wrapper: ''
    
        # random file to use for OpenSSL
        randfile: /var/openxpki/rand
    
        # Default value for import, recorded in database, can be overridden
        secret: default
    
      test-hsm:
        inherit: default
        engine: nCipher
        engine_section: |
                 engine_id = chil
                 dynamic_path = /usr/local/ssl/lib/engines/libchil.so
                 SO_PATH = /opt/nfast/toolkits/hwcrhk/libnfhwcrhk.so
                 THREAD_LOCKING = 1
        engine_usage: ALWAYS
        key_store: ENGINE
        wrapper: ''
        randfile: /var/openxpki/rand
    
      test-signer:
        inherit: test-hsm
        key: rsa-signer
    
      test-vault:
        inherit: test-hsm
        key: rsa-vault 
    
      test-scep:
        inherit: test-hsm
        backend: OpenXPKI::Crypto::Tool::SCEP
        shell: /usr/bin/openca-scep
        key: rsa-scep
        #backend: OpenXPKI::Crypto::Tool::LibSCEP
    
      # A different scep token for another scep server, served from datapool
      #ca-one-special-scep:
      #  inherit: ca-one-scep
      #  key_store: DATAPOOL
      #  key: "[% ALIAS %]"
    
    # Define the secret groups
    secret:
      default:
        label: Default secret group of this realm
        #export: 0
        method: literal
        # this is only a dummy value, the actual key is HSM protected
        value: root
        cache: daemon
    

    In a separate window I run my preload command as
    /opt/nfast/bin/preload -M -f /opt/nfast/kmdata/tmp/preload pause
    as my keys are module protected.

    My certificates are online, I am using preload to load the keys. When I try to issue a certificate for a CSR, I get the following errors:
    2019/10/16 14:05:38 ERROR I18N_OPENXPKI_API_TOKEN_GET_TOKEN_ALIAS_BY_GROUP_NO_RESULT; GROUP => test-signer, NOAFTER => 1602849938, NOTBEFORE => 1571227538, PKI_REALM => test [pid=11095|sid=0hDP|wftype=certificate_signing_request_v2|wfid=30975]
    2019/10/16 14:05:38 ERROR Caught exception from action: [Generic exception]; reset workflow to old state 'NICE_ISSUE_CERTIFICATE' [pid=11095|sid=0hDP|wftype=certificate_signing_request_v2|wfid=30975]

    Any help please.
    What is the reason for the I18N_OPENXPKI_API_TOKEN_GET_TOKEN_ALIAS_BY_GROUP_NO_RESULT error?
    Regards,
    Vignesh Makeswaran

     
  • Sanju Kundu

    Sanju Kundu - 2021-04-14

    Hi,
    We have installed the OpenXPKI server in our organization. We want to create a certificate using the API (SOAP). Is this possible? If it is possible, please tell us the procedure.

    Thanks & Regards,
    Sanju Kundu

     
