From: Naldiello <nal...@gm...> - 2015-02-26 13:30:27
Hi Markus,

I tried that but I'm still getting the same results.

Jenner

On Thu, 2015-02-26 at 14:27 +0100, Markus Kilås wrote:
> On 02/26/2015 01:36 PM, Naldiello wrote:
> > Hi,
> >
> > I was wondering if anyone can help figure out an error I'm getting on
> > SignServer CE 3.6.2.
> >
> > I've been able to set up a Lab environment to get familiar with and test
> > both EJBCA and SignServer. I'm using softHSM for testing purposes and got
> > it working on both servers. I got the EJBCA CA and Sub-CA key store in
> > softHSM, generated the CA certificates, and CRLs are being issued. Just
> > the basic setup.
> >
> > However, I have been working on setting up timestamp on SignServer and I
> > keep getting the error "No signer certificate" when I run the command
> > "bin/signserver getstatus complete <id>". Here are the steps I did to
> > set it up:
> >
> > First Worker (CryptoToken) -> All Good!
> > 1. Set up the configuration.properties
> >    bin/signserver setproperties $PATH/pkcs11-crypto-configuration.properties
> > 2. Reload worker
> >    bin/signserver reload 1
> > 3. Activate CryptoToken
> >    bin/signserver activatecryptotoken 1
> > 4. Test CryptoToken
> >    bin/signserver testkey 1
> >
> > First Worker (HSM KeepAlive) -> All Good!
> > 1. Set up the configuration.properties
> >    bin/signserver setproperties $PATH/qs_hsmkeepalive_configuration.properties
> > 2. Reload worker
> >    bin/signserver reload 2
> >
> > First Worker (HSM KeepAlive) -> Almost Good!
> > 1. Set up the configuration.properties
> >    bin/signserver setproperties $PATH/qs_timestamp_configuration.properties
> > 2. Reload worker
> >    bin/signserver reload 3
> > 3. Upload Certificate Chain. The Chain file is PEM formatted and
> >    contains the TSA Certificate first and then the CA Certificate.
> >    bin/signserver uploadsignercertificatechain 3 GLOB $PATH/Chain.pem
> > 4. Reload worker
> >    bin/signserver reload 3
> > 5. Get Status
> >    bin/signserver getstatus complete 3
> >
> > When I call getstatus on the timestamp worker, these are the two (2)
> > messages I'm getting:
> >
> > (1) Stating that there is no signer certificate installed:
> >
> > Error:
> >  - No signer certificate
> >
> > (2) That there is a signer certificate available.
> > The current configuration use the following signer certificate :
> > Subject DN: CN=softsatsap11.pilotserver.com
> > Serial number: d6ce9b6c073d0f2
> > Issuer DN: CN=DevLab,OU=PKICore,O=DevLab LLC,C=COM
> > Valid from: 2015-02-25 15:25:15 AST
> > Valid until: 2015-06-05 15:25:15 AST
> >
> > The timestamp worker never becomes Active.
> >
> > I have also tried uploading the signer certificate directly
> > (bin/signserver uploadsignercertificate 3 GLOB $PATH/tsa.pem) and I
> > still get the same results.
> >
> > Any light on this matter will be greatly appreciated.
> >
> > Thank you,
> > Jenner
> >
>
> Hi Jenner,
>
> I think you have only run "uploadsignercertificatechain" but you also
> need to run "uploadsignercertificate" with only the signer certificate
> like this:
>
> $ bin/signserver uploadsignercertificatechain 3 GLOB $PATH/cert.pem
>
> Cheers,
> Markus
> PrimeKey Solutions
>
> PrimeKey Solutions offers a commercial EJBCA & SignServer support
> subscription and training. Please see www.primekey.se or contact
> in...@pr... for more information.
> https://www.primekey.se/Services/Support/
> https://www.primekey.se/Services/Training/