From: Markus K. <ma...@pr...> - 2014-01-10 14:45:15
Dear Cristian,

(Please use a new subject for posts concerning a new topic.)

See answers below.

On 2014-01-09 00:31, Cristian Altamirano wrote:
> Dears.
> I am testing Utimaco Simulation with SignServer.
> But I cannot understand where the property defaultkey is.
> Where is defaultkey in the image?
> Attached is an image with the configuration Utimaco Simulation.
>

The SignServer worker property DEFAULTKEY should contain the key alias (label) of the key _in_ the HSM slot. In your configuration below you have indicated that there should be a key named "tres" in the slot. In the picture it looks like you have a _slot_ labeled tres; however, the certificate is what is pointing out which key to use and it is labeled (CKA_LABEL) "X509 Certifificate" (!). Either you should use that as the value for DEFAULTKEY or change that to be "tres".

>
> Then I made this configuration file.
>
> ## Global properties
>
> GLOB.WORKERGENID1.CLASSPATH = org.signserver.module.xmlsigner.XMLSigner
> GLOB.WORKERGENID1.SIGNERTOKEN.CLASSPATH = org.signserver.server.cryptotokens.PKCS11CryptoToken
>
> ## General properties
>
> WORKERGENID1.NAME=XMLSignerTest
> WORKERGENID1.AUTHTYPE=NOAUTH
>
> ## PKCS11CryptoToken properties
>
> WORKERGENID1.sharedLibrary=/home/cristian/utimaco/Software/PKCS11/lib/Linux-x86-32/libcs2_pkcs11.so
> WORKERGENID1.slot=3
> WORKERGENID1.defaultKey=tres
> WORKERGENID1.pin tres
>
> The administrator of SignServer says:
>
> Status of Signer with Id 1 is :
> Worker status : Offline
> Token status : Active
> Signings: 0 (counter disabled)
> Errors:
> No signer certificate available
> Certificate chain not available
>
> Why?

Most likely offline because of the wrong name of the key as well as because the certificate and certificate chain need to be uploaded to SignServer explicitly.

See the quick install guide:
http://www.signserver.org/manual/installguide.html#Production%20configuration%20with%20HSM

Also note that SignServer (Java) has some requirements on the key representation in the slot. It is normally best to use a Java tool when creating or importing the key to the HSM to be sure it will be readable by Java.

>
> If I add a PKCS12 certificate at slot 3 using p11tool.
>
> Can I work with a certificate pre-loaded on the HSM?

SignServer does not use the certificate in the slot more than to point out which key-pair to use. The certificate currently has to be uploaded to SignServer explicitly as described in the quick install guide above.

Best regards,
Markus
PrimeKey Solutions

>
> Regards.
>
> --
> Cristian Altamirano
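
Added example, not part of the original thread and not SignServer code: an offline check for the mismatch described in the reply, comparing a worker's DEFAULTKEY with the object labels found in the slot. The inventory dictionary and the function names are assumptions, constructed from the reply's description of the image.

```python
import re

# Relevant lines of the worker properties posted in the thread.
WORKER_PROPERTIES = """\
WORKERGENID1.NAME=XMLSignerTest
WORKERGENID1.slot=3
WORKERGENID1.defaultKey=tres
WORKERGENID1.pin tres
"""

# Constructed inventory of slot 3, following the reply's description of the image.
SLOT_INVENTORY = {"slot": "3", "token_label": "tres",
                  "object_labels": ["X509 Certifificate"]}


def parse_properties(text):
    """Parse Java-style properties: key, then '=', ':' or whitespace, then value."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m:
            # Upper-case keys so defaultKey and DEFAULTKEY compare equal (assumption).
            props[m.group(1).upper()] = m.group(2).strip()
    return props


def check_default_key(props, inventory, worker="WORKERGENID1"):
    """Return findings about DEFAULTKEY versus the object labels in the slot."""
    alias = props.get(f"{worker}.DEFAULTKEY")
    if alias is None:
        return ["DEFAULTKEY is not set"]
    findings = []
    if props.get(f"{worker}.SLOT") != inventory["slot"]:
        findings.append("configured slot differs from the inspected slot")
    if alias not in inventory["object_labels"]:
        findings.append(f"no object labelled {alias!r} in the slot; "
                        f"labels present: {inventory['object_labels']}")
        if alias == inventory["token_label"]:
            findings.append(f"{alias!r} is the slot label, not a key alias")
    return findings


if __name__ == "__main__":
    for finding in check_default_key(parse_properties(WORKER_PROPERTIES), SLOT_INVENTORY):
        print(finding)
```

An empty result only covers the alias; as the reply says, the certificate and certificate chain still have to be uploaded to SignServer.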