Re: [SignServer-develop] key usage limit exceeded or not initialized

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

Hi Marcus,

Thanks for your answer !

Result of keytool command :

Type Keystore : JKS
Fournisseur Keystore : SUN

Votre Keystore contient 3 entrée(s)

6, 11 oct. 2013, PrivateKeyEntry, 
Empreinte du certificat (MD5) :
3C:73:E1:46:8E:FC:B2:84:EE:58:DE:CB:D2:30:26:29
7ofi6mgp6dc6vaibcjyha3zrafb5my6c0qpftnnn, 19 oct. 2013,
PrivateKeyEntry, 
Empreinte du certificat (MD5) :
11:0C:B2:5C:E1:77:76:77:17:F9:15:8A:D8:B5:89:82
7, 11 oct. 2013, PrivateKeyEntry, 
Empreinte du certificat (MD5) :
26:D5:6B:A1:FF:DD:A6:1E:7F:99:F4:2F:64:2C:03:4B

The result of "select * from KeyUsageCounter;"
+------------------------------------------------------------------+---------+
| keyHash                                                          |
counter |
+------------------------------------------------------------------+---------+
| 9f8966010dc45a88538b54413f94af2ff906172e6b7439360e3d1f3b363b8b7d |   
  0 |
+------------------------------------------------------------------+---------+

I tried to launch activatecryptotoken but the worker was still offline.

I add DISABLEKEYUSAGECOUNTER=true and now it works.

It will be better to user the counter, have you got any ideas ?

Thanks a lot !!

Antoine

On Fri, 18 Oct 2013 15:29:52 +0200, Marcus Lundblad
<mar...@pr...> wrote:
> fre 2013-10-18 klockan 09:31 +0200 skrev Antoine Louiset:
> 
> 
>>   CHECKCERTPRIVATEKEYVALIDITY=false
>>
>>   SIGNERCERTCHAIN=
>>
>>   KEYSTOREPATH=/etc/certificates/ysKeystore.jks
>>
>>   DEFAULTKEY=6
> 
> How does the key aliases in the keystore look like, if you use:
> keytool -list -keystore /etc/certificates/ysKeystore.jks
> 
> You could also try to take a look at the content of the KeyUsageCounter
> table in the database, to see if there is a row corresponding to the
> figerprint of the key in the keystore.
> 
> Another thing that you could try to do set DISABLEKEYUSAGECOUNTER=true
> and (temporarily) remove the KEYUSAGELIMIT property (they can not both
> be defined simultaniously) to rule of that there could be something
> missing in the keystore, perhaps.
> 
> Regards,
> Marcus Lundblad
>>
>>   KEYUSAGELIMIT=-1
>>
>>   REQUIRE_REQUEST_PROPERTIES=ALIAS,AUTHPARAM,DEMAND
>>
>>   AUTHTYPE=org.signserver.server.YousignAuthorizer
>>
>>   NAME=YousignPDFSigner
>>
>>   SIGNERCERT=
>>
>>   KEYSTOREPASSWORD=xxxx
>>
>>   CLASSPATH=org.signserver.common.ProcessableConfig
>>
>>   KEYSTORETYPE=JKS
>>
>>   CHECKCERTVALIDITY=false
>>
>>   LOCATION=France
>>
>>
>>
>> Active Authorized Clients are are (Cert DN, IssuerDN):
>> INFO  IMPLICITLYCA_Q not set, using default.
>> INFO  IMPLICITLYCA_A not set, using default.
>> INFO  IMPLICITLYCA_B not set, using default.
>> INFO  IMPLICITLYCA_G not set, using default.
>> INFO  IMPLICITLYCA_N not set, using default.
>> The current configuration use the following signer certificate :
>>
>>              Subject DN:     -----------
>>              Serial number:  -----------
>>              Issuer DN:      -----------
>>              Valid from:     2013-10-11 12:55:46 CEST
>>              Valid until:    2015-10-11 12:55:46 CEST
>>
>>
>>
>>
>>
>> Thanks a lot !
>>
>>
>> Antoine
>>
>> On Fri, 18 Oct 2013 09:18:35 +0200, Marcus Lundblad
>> <mar...@pr...> wrote:
>> > tor 2013-10-17 klockan 18:41 +0200 skrev Antoine Louiset:
>> >> Hi everyone,
>> >>
>> >> I have an error for a pdf worker. The cryptotoken is offline, the
>> >> error is : key usage limit exceeded or not initialized
>> >>
>> >> In my configuration of the worker, the value of KEYUSAGELIMIT is -1.
>> >>
>> >> Any ideas ?
>> >>
>> >
>> > Hi Antoine!
>> >
>> > Could you try running:
>> > bin/signserver getstatus brief all
>> >
>> > And see what the output is regarding your pdf worker.
>> >
>> > Regards,
>> > Marcus Lundblad
>> >
>> >> Thanks a lot !
>> >>
>> >> --
>> >> Antoine Louiset
>> >>
>> >>
>> >> ------------------------------------------------------------------------------
>> >> October Webinars: Code for Performance
>> >> Free Intel webinars can help you accelerate application performance.
>> >> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
>> >> the latest Intel processors and coprocessors. See abstracts and register >
>> >> http://pubads.g.doubleclick.net/gampad/clk?id=60135031&iu=/4140/ostg.clktrk
>> >> _______________________________________________
>> >> SignServer-develop mailing list
>> >> Sig...@li...
>> >> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>>

-- 
Antoine Louiset