Re: [SignServer-develop] key usage limit exceeded or not initialized

[Antoine L. <ant...@yo...>]

Hi,

Yes I'm using mysql and I wonder if the problem could be that.

Thanks for your answer !

On Mon, 21 Oct 2013 08:41:16 +0200, Marcus Lundblad
<mar...@pr...> wrote:
> lör 2013-10-19 klockan 01:28 +0200 skrev Antoine Louiset:
>> Hi Marcus,
>>
>> Thanks for your answer !
>>
>> Result of keytool command :
>>
>> Type Keystore : JKS
>> Fournisseur Keystore : SUN
>>
>> Votre Keystore contient 3 entrée(s)
>>
>> 6, 11 oct. 2013, PrivateKeyEntry,
>> Empreinte du certificat (MD5) :
>> 3C:73:E1:46:8E:FC:B2:84:EE:58:DE:CB:D2:30:26:29
>> 7ofi6mgp6dc6vaibcjyha3zrafb5my6c0qpftnnn, 19 oct. 2013,
>> PrivateKeyEntry,
>> Empreinte du certificat (MD5) :
>> 11:0C:B2:5C:E1:77:76:77:17:F9:15:8A:D8:B5:89:82
>> 7, 11 oct. 2013, PrivateKeyEntry,
>> Empreinte du certificat (MD5) :
>> 26:D5:6B:A1:FF:DD:A6:1E:7F:99:F4:2F:64:2C:03:4B
>>
>>
>> The result of "select * from KeyUsageCounter;"
>> +------------------------------------------------------------------+---------+
>> | keyHash                                                          |
>> counter |
>> +------------------------------------------------------------------+---------+
>> | 9f8966010dc45a88538b54413f94af2ff906172e6b7439360e3d1f3b363b8b7d |
>>   0 |
>> +------------------------------------------------------------------+---------+
>>
>>
>> I tried to launch activatecryptotoken but the worker was still offline.
>>
>> I add DISABLEKEYUSAGECOUNTER=true and now it works.
>>
>> It will be better to user the counter, have you got any ideas ?
>>
> 
> I think I'll need to do some further investigations and try to reproduce
> the problem using worker configured using a JKSCryptoToken.
> 
> Is this using MySQL by the way?
> 
> Regards, Marcus
> 
>> Thanks a lot !!
>>
>>
>> Antoine
>>
>>
>> On Fri, 18 Oct 2013 15:29:52 +0200, Marcus Lundblad
>> <mar...@pr...> wrote:
>> > fre 2013-10-18 klockan 09:31 +0200 skrev Antoine Louiset:
>> >
>> >
>> >>   CHECKCERTPRIVATEKEYVALIDITY=false
>> >>
>> >>   SIGNERCERTCHAIN=
>> >>
>> >>   KEYSTOREPATH=/etc/certificates/ysKeystore.jks
>> >>
>> >>   DEFAULTKEY=6
>> >
>> > How does the key aliases in the keystore look like, if you use:
>> > keytool -list -keystore /etc/certificates/ysKeystore.jks
>> >
>> > You could also try to take a look at the content of the KeyUsageCounter
>> > table in the database, to see if there is a row corresponding to the
>> > figerprint of the key in the keystore.
>> >
>> > Another thing that you could try to do set DISABLEKEYUSAGECOUNTER=true
>> > and (temporarily) remove the KEYUSAGELIMIT property (they can not both
>> > be defined simultaniously) to rule of that there could be something
>> > missing in the keystore, perhaps.
>> >
>> > Regards,
>> > Marcus Lundblad
>> >>
>> >>   KEYUSAGELIMIT=-1
>> >>
>> >>   REQUIRE_REQUEST_PROPERTIES=ALIAS,AUTHPARAM,DEMAND
>> >>
>> >>   AUTHTYPE=org.signserver.server.YousignAuthorizer
>> >>
>> >>   NAME=YousignPDFSigner
>> >>
>> >>   SIGNERCERT=
>> >>
>> >>   KEYSTOREPASSWORD=xxxx
>> >>
>> >>   CLASSPATH=org.signserver.common.ProcessableConfig
>> >>
>> >>   KEYSTORETYPE=JKS
>> >>
>> >>   CHECKCERTVALIDITY=false
>> >>
>> >>   LOCATION=France
>> >>
>> >>
>> >>
>> >> Active Authorized Clients are are (Cert DN, IssuerDN):
>> >> INFO  IMPLICITLYCA_Q not set, using default.
>> >> INFO  IMPLICITLYCA_A not set, using default.
>> >> INFO  IMPLICITLYCA_B not set, using default.
>> >> INFO  IMPLICITLYCA_G not set, using default.
>> >> INFO  IMPLICITLYCA_N not set, using default.
>> >> The current configuration use the following signer certificate :
>> >>
>> >>              Subject DN:     -----------
>> >>              Serial number:  -----------
>> >>              Issuer DN:      -----------
>> >>              Valid from:     2013-10-11 12:55:46 CEST
>> >>              Valid until:    2015-10-11 12:55:46 CEST
>> >>
>> >>
>> >>
>> >>
>> >>
>> >> Thanks a lot !
>> >>
>> >>
>> >> Antoine
>> >>
>> >> On Fri, 18 Oct 2013 09:18:35 +0200, Marcus Lundblad
>> >> <mar...@pr...> wrote:
>> >> > tor 2013-10-17 klockan 18:41 +0200 skrev Antoine Louiset:
>> >> >> Hi everyone,
>> >> >>
>> >> >> I have an error for a pdf worker. The cryptotoken is offline, the
>> >> >> error is : key usage limit exceeded or not initialized
>> >> >>
>> >> >> In my configuration of the worker, the value of KEYUSAGELIMIT is -1.
>> >> >>
>> >> >> Any ideas ?
>> >> >>
>> >> >
>> >> > Hi Antoine!
>> >> >
>> >> > Could you try running:
>> >> > bin/signserver getstatus brief all
>> >> >
>> >> > And see what the output is regarding your pdf worker.
>> >> >
>> >> > Regards,
>> >> > Marcus Lundblad
>> >> >
>> >> >> Thanks a lot !
>> >> >>
>> >> >> --
>> >> >> Antoine Louiset
>> >> >>
>> >> >>
>> >> >> ------------------------------------------------------------------------------
>> >> >> October Webinars: Code for Performance
>> >> >> Free Intel webinars can help you accelerate application performance.
>> >> >> Explore tips for MPI, OpenMP, advanced profiling, and more. Get the most from
>> >> >> the latest Intel processors and coprocessors. See abstracts and register >
>> >> >> http://pubads.g.doubleclick.net/gampad/clk?id=60135031&iu=/4140/ostg.clktrk
>> >> >> _______________________________________________
>> >> >> SignServer-develop mailing list
>> >> >> Sig...@li...
>> >> >> https://lists.sourceforge.net/lists/listinfo/signserver-develop
>> >>
>>

-- 
Antoine Louiset
+33 6 76 66 80 34