Re: [SignServer-develop] key usage limit exceeded or not initialized

[Marcus L. <mar...@pr...>]

lör 2013-10-19 klockan 01:28 +0200 skrev Antoine Louiset:
> Hi Marcus,
> 
> Thanks for your answer !
> 
> Result of keytool command :
> 
> Type Keystore : JKS
> Fournisseur Keystore : SUN
> 
> Votre Keystore contient 3 entrée(s)
> 
> 6, 11 oct. 2013, PrivateKeyEntry, 
> Empreinte du certificat (MD5) :
> 3C:73:E1:46:8E:FC:B2:84:EE:58:DE:CB:D2:30:26:29
> 7ofi6mgp6dc6vaibcjyha3zrafb5my6c0qpftnnn, 19 oct. 2013,
> PrivateKeyEntry, 
> Empreinte du certificat (MD5) :
> 11:0C:B2:5C:E1:77:76:77:17:F9:15:8A:D8:B5:89:82
> 7, 11 oct. 2013, PrivateKeyEntry, 
> Empreinte du certificat (MD5) :
> 26:D5:6B:A1:FF:DD:A6:1E:7F:99:F4:2F:64:2C:03:4B
> 
> 
> The result of "select * from KeyUsageCounter;"
> +------------------------------------------------------------------+---------+
> | keyHash                                                          |
> counter |
> +------------------------------------------------------------------+---------+
> | 9f8966010dc45a88538b54413f94af2ff906172e6b7439360e3d1f3b363b8b7d |   
>   0 |
> +------------------------------------------------------------------+---------+
> 
> 
> I tried to launch activatecryptotoken but the worker was still offline.
> 
> I add DISABLEKEYUSAGECOUNTER=true and now it works.
> 
> It will be better to user the counter, have you got any ideas ?
> 

I think I'll need to do some further investigations and try to reproduce
the problem using worker configured using a JKSCryptoToken.

Is this using MySQL by the way?

Regards, Marcus

> Thanks a lot !!
> 
> 
> Antoine
> 
> 
> On Fri, 18 Oct 2013 15:29:52 +0200, Marcus Lundblad
> <mar...@pr...> wrote:
> > fre 2013-10-18 klockan 09:31 +0200 skrev Antoine Louiset:
> > 
> > 
> >>   CHECKCERTPRIVATEKEYVALIDITY=false
> >>
> >>   SIGNERCERTCHAIN=
> >>
> >>   KEYSTOREPATH=/etc/certificates/ysKeystore.jks
> >>
> >>   DEFAULTKEY=6
> > 
> > How does the key aliases in the keystore look like, if you use:
> > keytool -list -keystore /etc/certificates/ysKeystore.jks
> > 
> > You could also try to take a look at the content of the KeyUsageCounter
> > table in the database, to see if there is a row corresponding to the
> > figerprint of the key in the keystore.
> > 
> > Another thing that you could try to do set DISABLEKEYUSAGECOUNTER=true
> > and (temporarily) remove the KEYUSAGELIMIT property (they can not both
> > be defined simultaniously) to rule of that there could be something
> > missing in the keystore, perhaps.
> > 
> > Regards,
> > Marcus Lundblad
> >>
> >>   KEYUSAGELIMIT=-1
> >>
> >>   REQUIRE_REQUEST_PROPERTIES=ALIAS,AUTHPARAM,DEMAND
> >>
> >>   AUTHTYPE=org.signserver.server.YousignAuthorizer
> >>
> >>   NAME=YousignPDFSigner
> >>
> >>   SIGNERCERT=
> >>
> >>   KEYSTOREPASSWORD=xxxx
> >>
> >>   CLASSPATH=org.signserver.common.ProcessableConfig
> >>
> >>   KEYSTORETYPE=JKS
> >>
> >>   CHECKCERTVALIDITY=false
> >>
> >>   LOCATION=France
> >>
> >>
> >>
> >> Active Authorized Clients are are (Cert DN, IssuerDN):
> >> INFO  IMPLICITLYCA_Q not set, using default.
> >> INFO  IMPLICITLYCA_A not set, using default.
> >> INFO  IMPLICITLYCA_B not set, using default.
> >> INFO  IMPLICITLYCA_G not set, using default.
> >> INFO  IMPLICITLYCA_N not set, using default.
> >> The current configuration use the following signer certificate :
> >>
> >>              Subject DN:     -----------
> >>              Serial number:  -----------
> >>              Issuer DN:      -----------
> >>              Valid from:     2013-10-11 12:55:46 CEST
> >>              Valid until:    2015-10-11 12:55:46 CEST
> >>
> >>
> >>
> >>
> >>
> >> Thanks a lot !
> >>
> >>
> >> Antoine
> >>
> >> On Fri, 18 Oct 2013 09:18:35 +0200, Marcus Lundblad
> >> <mar...@pr...> wrote:
> >> > tor 2013-10-17 klockan 18:41 +0200 skrev Antoine Louiset:
> >> >> Hi everyone,
> >> >>
> >> >> I have an error for a pdf worker. The cryptotoken is offline, the
> >> >> error is : key usage limit exceeded or not initialized
> >> >>
> >> >> In my configuration of the worker, the value of KEYUSAGELIMIT is -1.
> >> >>
> >> >> Any ideas ?
> >> >>
> >> >
> >> > Hi Antoine!
> >> >
> >> > Could you try running:
> >> > bin/signserver getstatus brief all
> >> >
> >> > And see what the output is regarding your pdf worker.
> >> >
> >> > Regards,
> >> > Marcus Lundblad
> >> >
> >> >> Thanks a lot !
> >> >>
> >> >> --
> >> >> Antoine Louiset
> >> >>
> >> >>
> >> >> ------------------------------------------------------------------------------
> >> >> October Webinars: Code for Performance
> >> >> Free Intel webinars can help you accelerate application performance.
> >> >> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
> >> >> the latest Intel processors and coprocessors. See abstracts and register >
> >> >> http://pubads.g.doubleclick.net/gampad/clk?id=60135031&iu=/4140/ostg.clktrk
> >> >> _______________________________________________
> >> >> SignServer-develop mailing list
> >> >> Sig...@li...
> >> >> https://lists.sourceforge.net/lists/listinfo/signserver-develop
> >>
>