From: Markus K. <ma...@pr...> - 2015-02-26 13:28:02
On 02/26/2015 01:36 PM, Naldiello wrote:
> Hi,
>
> I was wondering if anyone can help figure out an error I'm getting on
> SignServer CE 3.6.2.
>
> I've been able to set up a Lab environment to get familiar and test both
> EJBCA and SignServer. I'm using softHSM for testing purposes and got it
> working on both servers. I got EJBCA CA and Sub-CA key store in softHSM,
> generated the CA certificates and CRLs are being issued. Just the basic
> setup.
>
> However, I have been working on setting up timestamp on SignServer and I
> keep getting the error "No signer certificate" when I run the command
> "bin/signserver getstatus complete <id>". Here are the steps I did to
> set it up:
>
> First Worker (CryptoToken) -> All Good!
> 1. Set up the configuration.properties
>    bin/signserver setproperties
>    $PATH/pkcs11-crypto-configuration.properties
> 2. Reload worker
>    bin/signserver reload 1
> 3. Activate CryptoToken
>    bin/signserver activatecryptotoken 1
> 4. Test CryptoToken
>    bin/signserver testkey 1
>
> First Worker (HSM KeepAlive) -> All Good!
> 1. Set up the configuration.properties
>    bin/signserver setproperties
>    $PATH/qs_hsmkeepalive_configuration.properties
> 2. Reload worker
>    bin/signserver reload 2
>
> First Worker (HSM KeepAlive) -> Almost Good!
> 1. Set up the configuration.properties
>    bin/signserver setproperties
>    $PATH/qs_timestamp_configuration.properties
> 2. Reload worker
>    bin/signserver reload 3
> 3. Upload Certificate Chain. The Chain file is PEM formatted and
>    contains the TSA Certificate first and then the CA Certificate.
>    bin/signserver uploadsignercertificatechain 3 GLOB $PATH/Chain.pem
> 4. Reload worker
>    bin/signserver reload 3
> 5. Get Status
>    bin/signserver getstatus complete 3
>
> When I call for getstatus on the timestamp worker, these are the two (2)
> messages I'm getting:
>
> (1) Stating that there is no signer certificate installed:
>
> Error:
> - No signer certificate
>
> (2) That there is a signer certificate available.
> The current configuration use the following signer certificate :
> Subject DN: CN=softsatsap11.pilotserver.com
> Serial number: d6ce9b6c073d0f2
> Issuer DN: CN=DevLab,OU=PKICore,O=DevLab LLC,C=COM
> Valid from: 2015-02-25 15:25:15 AST
> Valid until: 2015-06-05 15:25:15 AST
>
> The timestamp worker never becomes Active.
>
> I have also tried uploading the signer certificate directly
> (bin/signserver uploadsignercertificate 3 GLOB $PATH/tsa.pem) and I
> still get the same results.
>
> Any light on this matter will be greatly appreciated.
>
> Thank you,
> Jenner
>

Hi Jenner,

I think you have only run "uploadsignercertificatechain" but you also need to run "uploadsignercertificate" with only the signer certificate like this:

$ bin/signserver uploadsignercertificate 3 GLOB $PATH/cert.pem

Cheers,
Markus

PrimeKey Solutions

PrimeKey Solutions offers a commercial EJBCA & SignServer support subscription and training. Please see www.primekey.se or contact in...@pr... for more information.
https://www.primekey.se/Services/Support/
https://www.primekey.se/Services/Training/