From: Marcus L. <mar...@pr...> - 2013-10-21 13:00:23
On Mon 2013-10-21 at 10:05 +0200, Antoine Louiset wrote:
> Hi,
>
> Yes I'm using mysql and I wonder if the problem could be that.
>
> Thanks for your answer !
>

I tried setting up a test environment with a test PDF signer using a JKSCryptoToken, I'm running this on MySQL 5.5.33 (the version in Debian testing).
It works correctly for me both using the default (no KEYUSAGELIMIT specified, default to -1), setting -1 implicitly and also using a limit of 100.

Could you generate server log outputs when reloading the signer and when attempting to sign a document. Maybe I could get some hint there.

Regards, Marcus

> On Mon, 21 Oct 2013 08:41:16 +0200, Marcus Lundblad
> <mar...@pr...> wrote:
> > On Sat 2013-10-19 at 01:28 +0200, Antoine Louiset wrote:
> >> Hi Marcus,
> >>
> >> Thanks for your answer !
> >>
> >> Result of keytool command :
> >>
> >> Type Keystore : JKS
> >> Fournisseur Keystore : SUN
> >>
> >> Votre Keystore contient 3 entrée(s)
> >>
> >> 6, 11 oct. 2013, PrivateKeyEntry,
> >> Empreinte du certificat (MD5) :
> >> 3C:73:E1:46:8E:FC:B2:84:EE:58:DE:CB:D2:30:26:29
> >> 7ofi6mgp6dc6vaibcjyha3zrafb5my6c0qpftnnn, 19 oct. 2013,
> >> PrivateKeyEntry,
> >> Empreinte du certificat (MD5) :
> >> 11:0C:B2:5C:E1:77:76:77:17:F9:15:8A:D8:B5:89:82
> >> 7, 11 oct. 2013, PrivateKeyEntry,
> >> Empreinte du certificat (MD5) :
> >> 26:D5:6B:A1:FF:DD:A6:1E:7F:99:F4:2F:64:2C:03:4B
> >>
> >>
> >> The result of "select * from KeyUsageCounter;"
> >> +------------------------------------------------------------------+---------+
> >> | keyHash                                                          | counter |
> >> +------------------------------------------------------------------+---------+
> >> | 9f8966010dc45a88538b54413f94af2ff906172e6b7439360e3d1f3b363b8b7d |       0 |
> >> +------------------------------------------------------------------+---------+
> >>
> >>
> >> I tried to launch activatecryptotoken but the worker was still offline.
> >>
> >> I added DISABLEKEYUSAGECOUNTER=true and now it works.
> >>
> >> It will be better to use the counter, have you got any ideas ?
> >>
> >
> > I think I'll need to do some further investigations and try to reproduce
> > the problem using worker configured using a JKSCryptoToken.
> >
> > Is this using MySQL by the way?
> >
> > Regards, Marcus
> >
> >> Thanks a lot !!
> >>
> >>
> >> Antoine
> >>
> >>
> >> On Fri, 18 Oct 2013 15:29:52 +0200, Marcus Lundblad
> >> <mar...@pr...> wrote:
> >> > On Fri 2013-10-18 at 09:31 +0200, Antoine Louiset wrote:
> >> >
> >> >
> >> >> CHECKCERTPRIVATEKEYVALIDITY=false
> >> >>
> >> >> SIGNERCERTCHAIN=
> >> >>
> >> >> KEYSTOREPATH=/etc/certificates/ysKeystore.jks
> >> >>
> >> >> DEFAULTKEY=6
> >> >
> >> > What do the key aliases in the keystore look like, if you use:
> >> > keytool -list -keystore /etc/certificates/ysKeystore.jks
> >> >
> >> > You could also try to take a look at the content of the KeyUsageCounter
> >> > table in the database, to see if there is a row corresponding to the
> >> > fingerprint of the key in the keystore.
> >> >
> >> > Another thing that you could try to do is set DISABLEKEYUSAGECOUNTER=true
> >> > and (temporarily) remove the KEYUSAGELIMIT property (they can not both
> >> > be defined simultaneously) to rule out that there could be something
> >> > missing in the keystore, perhaps.
> >> >
> >> > Regards,
> >> > Marcus Lundblad
> >> >>
> >> >> KEYUSAGELIMIT=-1
> >> >>
> >> >> REQUIRE_REQUEST_PROPERTIES=ALIAS,AUTHPARAM,DEMAND
> >> >>
> >> >> AUTHTYPE=org.signserver.server.YousignAuthorizer
> >> >>
> >> >> NAME=YousignPDFSigner
> >> >>
> >> >> SIGNERCERT=
> >> >>
> >> >> KEYSTOREPASSWORD=xxxx
> >> >>
> >> >> CLASSPATH=org.signserver.common.ProcessableConfig
> >> >>
> >> >> KEYSTORETYPE=JKS
> >> >>
> >> >> CHECKCERTVALIDITY=false
> >> >>
> >> >> LOCATION=France
> >> >>
> >> >>
> >> >>
> >> >> Active Authorized Clients are are (Cert DN, IssuerDN):
> >> >> INFO IMPLICITLYCA_Q not set, using default.
> >> >> INFO IMPLICITLYCA_A not set, using default.
> >> >> INFO IMPLICITLYCA_B not set, using default.
> >> >> INFO IMPLICITLYCA_G not set, using default.
> >> >> INFO IMPLICITLYCA_N not set, using default.
> >> >> The current configuration use the following signer certificate :
> >> >>
> >> >> Subject DN: -----------
> >> >> Serial number: -----------
> >> >> Issuer DN: -----------
> >> >> Valid from: 2013-10-11 12:55:46 CEST
> >> >> Valid until: 2015-10-11 12:55:46 CEST
> >> >>
> >> >>
> >> >>
> >> >>
> >> >>
> >> >> Thanks a lot !
> >> >>
> >> >>
> >> >> Antoine
> >> >>
> >> >> On Fri, 18 Oct 2013 09:18:35 +0200, Marcus Lundblad
> >> >> <mar...@pr...> wrote:
> >> >> > On Thu 2013-10-17 at 18:41 +0200, Antoine Louiset wrote:
> >> >> >> Hi everyone,
> >> >> >>
> >> >> >> I have an error for a pdf worker. The cryptotoken is offline, the
> >> >> >> error is : key usage limit exceeded or not initialized
> >> >> >>
> >> >> >> In my configuration of the worker, the value of KEYUSAGELIMIT is -1.
> >> >> >>
> >> >> >> Any ideas ?
> >> >> >>
> >> >> >
> >> >> > Hi Antoine!
> >> >> >
> >> >> > Could you try running:
> >> >> > bin/signserver getstatus brief all
> >> >> >
> >> >> > And see what the output is regarding your pdf worker.
> >> >> >
> >> >> > Regards,
> >> >> > Marcus Lundblad
> >> >> >
> >> >> >> Thanks a lot !
> >> >> >>
> >> >> >> --
> >> >> >> Antoine Louiset
> >> >> >>
> >> >> >> _______________________________________________
> >> >> >> SignServer-develop mailing list
> >> >> >> Sig...@li...
> >> >> >> https://lists.sourceforge.net/lists/listinfo/signserver-develop
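
Added example (not part of the thread, and not SignServer's own code): the check suggested above, matching a KeyUsageCounter row to a key in the keystore, cannot be done directly with the MD5 certificate fingerprints that keytool prints, since the keyHash value shown is 64 hex digits. The sketch below lists each alias with a hash of its public key, assuming keyHash is the hex SHA-256 of the DER-encoded public key (the thread does not state how keyHash is derived); the class name KeyHashList is hypothetical.

```java
import java.io.FileInputStream;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.cert.Certificate;
import java.util.Collections;

public class KeyHashList {

    // Lower-case hex, the form the keyHash column has in the thread.
    static String hex(byte[] bytes) {
        StringBuilder sb = new StringBuilder(bytes.length * 2);
        for (byte b : bytes) {
            sb.append(String.format("%02x", b & 0xff));
        }
        return sb.toString();
    }

    // ASSUMPTION: keyHash = SHA-256 over the encoded public key
    // (SubjectPublicKeyInfo). Not confirmed anywhere in the thread.
    static String keyHash(Certificate cert) throws Exception {
        return hex(MessageDigest.getInstance("SHA-256")
                .digest(cert.getPublicKey().getEncoded()));
    }

    public static void main(String[] args) throws Exception {
        if (args.length < 1) {
            System.err.println("usage: java KeyHashList <keystore.jks> [keyHash from KeyUsageCounter]");
            System.exit(2);
        }
        String wanted = args.length > 1 ? args[1].trim().toLowerCase() : null;
        KeyStore ks = KeyStore.getInstance("JKS");
        // A null password skips the keystore integrity check; certificates
        // (and so public keys) are still readable, private keys are not touched.
        try (InputStream in = new FileInputStream(args[0])) {
            ks.load(in, null);
        }
        boolean found = false;
        for (String alias : Collections.list(ks.aliases())) {
            Certificate cert = ks.getCertificate(alias);
            if (cert == null) continue; // entry without a certificate
            String hash = keyHash(cert);
            boolean match = hash.equals(wanted);
            found |= match;
            System.out.printf("%-45s %s%s%n", alias, hash, match ? "  <-- matches" : "");
        }
        if (wanted != null && !found) {
            System.out.println("No keystore entry matches " + wanted);
            System.exit(1);
        }
    }
}
```

If no alias matches the row in KeyUsageCounter under this assumption, the counter row belongs to a different key than the ones in the keystore, or the hash is derived differently.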