Re: [SignServer-develop] signserver 4.0 error worker pdf-pkcs11

SourceForge Headquarters 1320 Columbia Street Suite 310 San Diego, CA 92101 +1 (858) 422-6466

On 10/31/2016 06:50 PM, Jose Alberto wrote:
> On Mon, Oct 31, 2016 at 6:02 AM, Markus Kilås <ma...@pr...
> <mailto:ma...@pr...>> wrote:
> 
>     On 10/31/2016 01:08 AM, Jose Alberto wrote:
>     > Hi.
>     >
>     >
>     > I Use SignServer 4.0   on Debian 8 amd64 with mariadb.
>     >
>     > The problem is when page demo,  i tried upload pdf. ===>>> signed 
>     ====>
>     >   download  pdf,  and  open with acrobat reader, show error in the
>     > certificate.
>     >
>     > signserver getstatus brief all
>     > Current version of server is : SignServer CE 4.0.0
>     >
>     > Status of CryptoWorker with id 1 (CryptoTokenP11) is:
>     >    Worker status : Active
>     >    Token status  : Active
>     >
>     > Status of Signer with id 2 (PDFSigner) is:
>     >    Worker status : Offline
>     >    Token status  : Active
>     >    Signings      : 0
>     >
>     >    Errors:
>     >       - Certificate does not match key
>     >       - Key usage limit exceeded or not initialized
>     >
>     >
>     >
>     > The certificate is on another PKI.    But the request (csr)    Must
>     > generate from server on pkcs11?
>     >
>     >
>     >
>     > My HSM is Utimaco Lan.
>     >
>     > Thanks,  sorry for my english.
>     >
>     >
>     > Jose  A
>     >
> 
>     Hi Jose,
>     Yes, the error shown in the PDF Reader is most likely because the error
>     in the PDFSigner.
> 
>     The error "certificate does not match key" means that the certificate
>     installed for the PDFSigner is not for the key in the crypto token.
> 
>     When you get a certificate for the key you need to make sure the CSR is
>     generated using the key the PDFSigner will be using.
>     Check in your PDFSigner that you have:
>     - CRYPTOTOKEN=CryptoTokenP11
>     - DEFAULTKEY with the name of the key you want to use
> 
>     Then generate the CSR using CLI or GUI and make sure the name of the
>     right key is specified.
> 
>     Then finally when you get the certificate, install it in the PDFSigner.
> 
>     There is no idea trying to sign anything until the "Worker status" is
>     "Active".
> 
> 
>     Regards,
>     Markus Kilås
>     PrimeKey Solutions
> 
>     Save time and money with an Enterprise support subscription. Please see
>     www.primekey.se <http://www.primekey.se> for more information.
>     https://www.primekey.se/technologies/products-overview/
>     <https://www.primekey.se/technologies/products-overview/>
>     https://www.primekey.se/service-support/support/
>     <https://www.primekey.se/service-support/support/>
> 
> Thanks Markus.
>
> I Solve  generated request (csr) from signserver pkcs11.
>
> signserver generatecertreq 1 "C=US,CN=firma" SHA256WithRSA peticion.csr
>
> My result:
>
> signserver getstatus brief all
> Current version of server is : SignServer CE 4.0.0
>
>
> Status of CryptoWorker with id 1 (CryptoTokenP11) is:
>    Worker status : Active
>    Token status  : Active
>
> Status of Signer with id 2 (PDFSigner) is:
>    Worker status : Active
>    Token status  : Active
>    Signings      : 0
>

Great that it is working.

Cheers,
Markus

-- 
Kind regards,
Markus Kilås
PKI Specialist

PrimeKey Solutions AB

Lundagatan 16
SE-171 63 Solna
Sweden

Phone: +46 70 424 94 85
Email: mar...@pr...

https://www.primekey.se