From: Markus K. <ma...@pr...> - 2015-02-26 13:31:55

On 02/26/2015 02:27 PM, Markus Kilås wrote:
> On 02/26/2015 01:36 PM, Naldiello wrote:
>> Hi,
>>
>> I was wondering if anyone can help figure out an error I'm getting on
>> SignServer CE 3.6.2.
>>
>> I've been able to set up a Lab environment to get familiar and test both
>> EJBCA and SignServer. I'm using softHSM for testing purposes and get it
>> working on both servers. I got EJBCA CA and Sub-CA key store in softHSM,
>> generated the CA certificates and CRLs are being issued. Just the basic
>> setup.
>>
>> However, I have been working on setting up timestamp on SignServer and I
>> keep getting the error "No signer certificate" when I run the command
>> "bin/signserver getstatus complete <id>". Here are the steps I did to
>> set it up:
>>
>> First Worker (CryptoToken) -> All Good!
>> 1. Setup the configuration.properties
>>    bin/signserver setproperties $PATH/pkcs11-crypto-configuration.properties
>> 2. Reload worker
>>    bin/signserver reload 1
>> 3. Activate CryptoToken
>>    bin/signserver activatecryptotoken 1
>> 4. Test CryptoToken
>>    bin/signserver testkey 1
>>
>> First Worker (HSM KeepAlive) -> All Good!
>> 1. Setup the configuration.properties
>>    bin/signserver setproperties $PATH/qs_hsmkeepalive_configuration.properties
>> 2. Reload worker
>>    bin/signserver reload 2
>>
>> First Worker (HSM KeepAlive) -> Almost Good!
>> 1. Setup the configuration.properties
>>    bin/signserver setproperties $PATH/qs_timestamp_configuration.properties
>> 2. Reload worker
>>    bin/signserver reload 3
>> 3. Upload Certificate Chain. The Chain file is PEM formatted and
>>    contains the TSA Certificate first and then the CA Certificate.
>>    bin/signserver uploadsignercertificatechain 3 GLOB $PATH/Chain.pem
>> 4. Reload worker
>>    bin/signserver reload 3
>> 5. Get Status
>>    bin/signserver getstatus complete 3
>>
>> When I call for getstatus on the timestamp worker, these are the two (2)
>> messages I'm getting:
>>
>> (1) Stating that there is no signer certificate installed:
>>
>> Error:
>>  - No signer certificate
>>
>> (2) That there is a signer certificate available.
>> The current configuration use the following signer certificate :
>>   Subject DN: CN=softsatsap11.pilotserver.com
>>   Serial number: d6ce9b6c073d0f2
>>   Issuer DN: CN=DevLab,OU=PKICore,O=DevLab LLC,C=COM
>>   Valid from: 2015-02-25 15:25:15 AST
>>   Valid until: 2015-06-05 15:25:15 AST
>>
>> The timestamp worker never becomes Active.
>>
>> I have also tried uploading the signer certificate directly
>> (bin/signserver uploadsignercertificate 3 GLOB $PATH/tsa.pem) and I
>> still get the same results.
>>
>> Any light on this matter will be greatly appreciated.
>>
>> Thank you,
>> Jenner
>>
>
> Hi Jenner,
>
> I think you have only run "uploadsignercertificatechain" but you also
> need to run "uploadsignercertificate" with only the signer certificate
> like this:
>
> $ bin/signserver uploadsignercertificatechain 3 GLOB $PATH/cert.pem

Doh, I wrote the same thing again :)

I meant like this:

$ bin/signserver uploadsignercertificate 3 GLOB $PATH/cert.pem

Then do reload to activate the change:

$ bin/signserver reload 3

Cheers,
Markus

>
> Cheers,
> Markus
> PrimeKey Solutions
>
> PrimeKey Solutions offers a commercial EJBCA & SignServer support
> subscription and training. Please see www.primekey.se or contact
> in...@pr... for more information.
> https://www.primekey.se/Services/Support/
> https://www.primekey.se/Services/Training/