Hi everyone
I have done a test signing a PDF file with a P12 file. Now I want to sign PDF files with a token. The token I use is ePass Auto 2002. I've configured the qs_pdfsigner_configuration.properties like this:
The slot id is sort of a partition in your token. If you have a smartcard then most likely there is only one, with id 0 or 1, so you could try "0" as well.
Use reload with the ID of the worker to be sure that it has been reloaded correctly. Watch the output of the setproperties command to see the id of the worker if you have not specified one in the properties file. I.e.:
bin/signserver reload 47
bin/signserver getstatus brief all
The errors in the status output are because the cryptotoken is not working correctly. There should be a large stack trace in the server log which could provide more information.
Best regards,
Markus
ERROR [org.ejbca.util.keystore.KeyTools] (WorkerThread#1[127.0.0.1:60637]) Error constructing pkcs11 provider: null
ERROR [org.signserver.server.cryptotokens.PKCS11CryptoToken] (WorkerThread#1[127.0.0.1:60637]) Error initializing PKCS11CryptoToken : Not possible to create provider. See cause.
org.ejbca.core.model.ca.catoken.CATokenOfflineException: Not possible to create provider. See cause.
ERROR [org.signserver.server.cryptotokens.PKCS11CryptoToken] (WorkerThread#1[127.0.0.1:60637]) Error auto activating PKCS11CryptoToken : Slot not initialized.
org.signserver.common.CryptoTokenOfflineException: Slot not initialized.
ERROR [org.signserver.module.pdfsigner.PDFSigner] (WorkerThread#1[127.0.0.1:60645]) Neither Signtoken or ProcessableConfig contains a certificate chain!
These are errors I caught in the server.log file.
The above post shows the errors when I configure slot=0.
These are the errors when I use slot=1:
ERROR [org.signserver.module.pdfsigner.PDFSigner] (WorkerThread#1[127.0.0.1:60673]) Neither Signtoken or ProcessableConfig contains a certificate chain!
ERROR [org.signserver.module.pdfsigner.PDFSigner] (WorkerThread#1[127.0.0.1:60681]) Neither Signtoken or ProcessableConfig contains a certificate chain!
ERROR [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:60746]) Can not read private key with alias 'tomicalab.com' from keystore, got null. If the key was generated after the latest application server start then restart the application server.
ERROR [org.ejbca.core.model.ca.catoken.PKCS11CAToken] (WorkerThread#0[127.0.0.1:60746]) Failed to initialize PKCS11 provider slot '1'.
java.lang.Exception: Activation test failed
ERROR [org.signserver.server.cryptotokens.PKCS11CryptoToken] (WorkerThread#0[127.0.0.1:60746]) Error auto activating PKCS11CryptoToken : Failed to initialize PKCS11 provider slot '1'.
org.signserver.common.CryptoTokenAuthenticationFailureException: Failed to initialize PKCS11 provider slot '1'.
ERROR [org.signserver.module.pdfsigner.PDFSigner] (WorkerThread#1[127.0.0.1:60753]) Neither Signtoken or ProcessableConfig contains a certificate chain!
When you get "PKCS11CryptoToken : Slot not initialized" it probably means that the slot id was wrong.
In the other case, when you used slot=1, you get:
"Can not read private key with alias 'tomicalab.com' from keystore, got null. If the key was generated after the latest application server start then restart the application server."
This means that a certificate with label "tomicalab.com" and/or the associated private key was not found in the slot. How did you generate the key? For it to be accessible by SignServer it must follow the requirements of the Java PKCS#11 implementation. To be sure to follow those, using a Java tool when generating the key pair and certificate is probably the easiest way.
If you generated the key with an external tool after the application was started you will also have to restart it.
Best regards,
Markus
PrimeKey Solutions offers a commercial EJBCA & SignServer support subscription and training. Please see www.primekey.se or contact info@primekey.se for more information. http://www.primekey.se/Services/Support/ http://www.primekey.se/Services/Training/
Hi Markus
Thank you so much for your reply!
I use the token ePass2002Auto which contains one certificate, a private key and a public key. I don't know whether SignServer supports it, does it?
I intend to use the keys that are already in the token. I've tried rebuilding and redeploying SignServer and restarting JBoss, but they don't help.
Look forward to your reply
Vu
bin/signserver activatecryptotoken 1 12345678
Trying to activate crypto token of worker with id : 1
Activation of worker was successful
But I got this error:
Neither Signtoken or ProcessableConfig contains a certificate chain!
I don't know what happened. But I have tested this SmartCard HSM with clientToolBox:
./ejbcaClientToolBox.sh PKCS11HSMKeyTool test /usr/lib/opensc-pkcs11.so 1
Test of keystore with ID 1.
2013-07-12 19:44:30,286 INFO [org.ejbca.util.keystore.KeyTools] Using SUN PKCS11 provider: sun.security.pkcs11.SunPKCS11
PKCS11 Token [SunPKCS11-opensc-pkcs11.so-slot1] Password:
Testing of key: CTY TNHH MINH THONG
Private part:
SunPKCS11-opensc-pkcs11.so-slot1 RSA private key, 1024 bits (id 3031037904, token object, sensitive, unextractable)
RSA key:
modulus: e025c3212369e4b0af60e62c4843248b9c7fbb1ac80f30cd8565af2ac7b24f4070d0a966c6054547ac474f53fa74b77b9aa794ddc3b64b7a5ba362f0d9538ac773c274da73b1f678dbf891750e1fac889b5bbf7a44658ab86843e6dbf2ac51cab6ab14371839b5f74065c513860dde152f2c3e2289e42567c7c83b4a9cd3d7a1
public exponent: 10001
SunJCE version 1.6SunPKCS11-opensc-pkcs11.so-slot1 version 1.6; modulus length: 1024; byte length 117. The decoded byte string is equal to the original!
Signature test of key CTY TNHH MINH THONG: signature length 128; first byte 31; verifying true
Signings per second: 6
Decryptions per second: 6
I have tried so much myself, but it still doesn't work...
I have a question and I hope that the answer will make me understand clearly.
I have a token which contains a certificate and a key pair. Now I want to use this token to sign PDFs with SignServer. I have configured the .properties file, done setproperties for the signer, done activatecryptotoken... everything works successfully. But I get these problems:
No signer certificate available
Certificate chain not available
and the log file says:
Neither Signtoken or ProcessableConfig contains a certificate chain!
I don't know... Do I need to do uploadcertificate or uploadcertificatechain?
Please help me.
I am confused about the following:
- what is the slot value?
- defaultKey is the key alias?
- pin is the PIN of the token?
- es_eps2k2a.so: do I need iaika_pkcs11_wrapper.so for Java?
After editing the configuration.properties file, I do:
and the problems are:
Did I complete it correctly?
Thank you in advance
Last edit: phuongvu_0203 2013-07-08
SignServer does not depend on the certificate in the token, only on the private key.
Therefore I believe you need to do these additional operations.
Cheers
Anders
tech support
Thanks Anders for your reply
Could you please tell me how to solve these errors?
Do I need to do uploadcertificate or uploadcertificatechain?
Yes, you will need to use both commands.
See the following section of the quick start guide:
http://www.signserver.org/manual/installguide.html#Production%20configuration%20with%20HSM
Best regards,
Markus
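As an added example, not from the thread or from SignServer itself, a small Python triage over the three error messages quoted above, mapping each to the cause and next step the replies give. It assumes the JBoss-style log lines shown in the thread; the advice strings and helper names are mine.

```python
import re

# Three server.log lines quoted from this thread (the ones that drive the diagnosis).
SAMPLE_LOG = """\
ERROR [org.signserver.server.cryptotokens.PKCS11CryptoToken] (WorkerThread#1[127.0.0.1:60637]) Error auto activating PKCS11CryptoToken : Slot not initialized.
ERROR [org.ejbca.core.model.ca.catoken.BaseCAToken] (WorkerThread#0[127.0.0.1:60746]) Can not read private key with alias 'tomicalab.com' from keystore, got null. If the key was generated after the latest application server start then restart the application server.
ERROR [org.signserver.module.pdfsigner.PDFSigner] (WorkerThread#1[127.0.0.1:60753]) Neither Signtoken or ProcessableConfig contains a certificate chain!
"""

# (message pattern, cause, next step), ordered as the thread resolves them: wrong slot ->
# key label not visible -> token activates but the worker has no certificate chain.
# The cause/next-step wording is mine (hypothetical advice strings), not SignServer output.
RULES = [
    (re.compile(r"Slot not initialized"),
     "wrong slot id for this token",
     "retry with the other slot id (0 or 1 on most smartcards), then reload the worker"),
    (re.compile(r"Can not read private key with alias '(?P<alias>[^']+)'"),
     "no private key with label {alias} is visible in the slot",
     "check defaultKey against the key label on the token; restart the application server if the key was generated after it started"),
    (re.compile(r"Neither Signtoken or ProcessableConfig contains a certificate chain"),
     "token activates, but the worker has no signer certificate",
     "export signer and CA certificates as PEM and run uploadsignercertificate and uploadsignercertificatechain, then reload the worker"),
]

# JBoss-style line as shown in the thread: LEVEL [logger] (thread) message
LOG_LINE = re.compile(r"^(?P<level>[A-Z]+) \[(?P<logger>[^\]]+)\] \((?P<thread>[^)]+)\) (?P<msg>.*)$")

def parse_line(line):
    """Split one log line into level, logger, thread and message; None if it does not match."""
    m = LOG_LINE.match(line.strip())
    return m.groupdict() if m else None

def triage(log_text):
    """Return one (logger, cause, next_step) tuple per recognised ERROR line, in log order."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if not rec or rec["level"] != "ERROR":
            continue
        for pattern, cause, next_step in RULES:
            m = pattern.search(rec["msg"])
            if m:
                findings.append((rec["logger"], cause.format(**m.groupdict()), next_step))
                break
    return findings

if __name__ == "__main__":
    for logger, cause, step in triage(SAMPLE_LOG):
        print(f"{logger}: {cause}\n  -> {step}")
```

Fix the first finding before the later ones: in this thread the missing certificate chain only became the real problem once the slot and key label were right.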
Dear Markus
You mean that I can't use the certificate in the token to upload to the signer and I have to issue a new certificate by using EJBCA based on the certificate request just created?
Best regards
Phuong
Hello
After trying myself I realized that I can't upload the certificate on the token directly; I have to export them in PEM format and use "uploadsignercertificate" and "uploadsignercertificatechain" to upload them to SignServer, I mean if your certificates are trusted (issued by a Root CA). If not, you have to generate a key with SignServer on the HSM device and create a CSR, use that CSR to request a trusted certificate from the Root CA, and after you receive it, upload it to SignServer.
Am I right?
Thank you and best regards
Phuong
If you can export the certificate from your token as well as get hold of the root CA certificate, you don't need to issue any new certificates. Upload should be enough.
Cheers
Anders
tech support