|
From: Naldiello <nal...@gm...> - 2015-02-26 12:36:44
|
Hi,
I was wondering if anyone can help figure out an error I'm getting on
SignServer CE 3.6.2.
I've been able to set up a Lab environment to get familiar and test both
EJBCA and SignServer. I'm using softHSM for testing purposes and got it
working on both servers. I got EJBCA CA and Sub-CA key store in softHSM,
generated the CA certificates and CRLs are being issued. Just the basic
setup.
However, I have been working on setting up timestamp on SignServer and I
keep getting the error "No signer certificate" when I run the command
"bin/signserver getstatus complete <id>". Here are the steps I did to
set it up:
First Worker (CryptoToken) -> All Good!
1. Setup the configuration.properties
    bin/signserver setproperties $PATH/pkcs11-crypto-configuration.properties
2. Reload worker
    bin/signserver reload 1
3. Activate CryptoToken
    bin/signserver activatecryptotoken 1
4. Test CryptoToken
    bin/signserver testkey 1
First Worker (HSM KeepAlive) -> All Good!
1. Setup the configuration.properties
    bin/signserver setproperties $PATH/qs_hsmkeepalive_configuration.properties
2. Reload worker
    bin/signserver reload 2
First Worker (HSM KeepAlive) -> Almost Good!
1. Setup the configuration.properties
    bin/signserver setproperties $PATH/qs_timestamp_configuration.properties
2. Reload worker
    bin/signserver reload 3
3. Upload Certificate Chain. The Chain file is PEM formatted and
contains the TSA Certificate first and then the CA Certificate.
    bin/signserver uploadsignercertificatechain 3 GLOB $PATH/Chain.pem
4. Reload worker
    bin/signserver reload 3
5. Get Status
    bin/signserver getstatus complete 3
When I call for getstatus on the timestamp worker, these are the two (2)
messages I'm getting:
(1) Stating that there is no signer certificate installed:
Error:
- No signer certificate
(2) That there is a signer certificate available.
The current configuration use the following signer certificate :
Subject DN: CN=softsatsap11.pilotserver.com
Serial number: d6ce9b6c073d0f2
Issuer DN: CN=DevLab,OU=PKICore,O=DevLab LLC,C=COM
Valid from: 2015-02-25 15:25:15 AST
Valid until: 2015-06-05 15:25:15 AST
The timestamp worker never becomes Active.
I have also tried uploading the signer certificate directly
(bin/signserver uploadsignercertificate 3 GLOB $PATH/tsa.pem) and I
still get the same results.
Any light on this matter will be greatly appreciated.
Thank you,
Jenner
|
|
From: Markus K. <ma...@pr...> - 2015-02-26 13:28:02
|
On 02/26/2015 01:36 PM, Naldiello wrote:
> I have also tried uploading the signer certificate directly
> (bin/signserver uploadsignercertificate 3 GLOB $PATH/tsa.pem) and I
> still get the same results.

Hi Jenner,

I think you have only run "uploadsignercertificatechain" but you also
need to run "uploadsignercertificate" with only the signer certificate
like this:

$ bin/signserver uploadsignercertificatechain 3 GLOB $PATH/cert.pem

Cheers,
Markus
PrimeKey Solutions

PrimeKey Solutions offers a commercial EJBCA & SignServer support
subscription and training. Please see www.primekey.se or contact
in...@pr... for more information.
https://www.primekey.se/Services/Support/
https://www.primekey.se/Services/Training/
|
From: Naldiello <nal...@gm...> - 2015-02-26 13:30:27
|
Hi Markus,

I tried that but I'm still getting the same results.

Jenner

On Thu, 2015-02-26 at 14:27 +0100, Markus Kilås wrote:
> I think you have only run "uploadsignercertificatechain" but you also
> need to run "uploadsignercertificate" with only the signer certificate
> like this:
>
> $ bin/signserver uploadsignercertificatechain 3 GLOB $PATH/cert.pem
>
> _______________________________________________
> SignServer-develop mailing list
> Sig...@li...
> https://lists.sourceforge.net/lists/listinfo/signserver-develop
|
From: Markus K. <ma...@pr...> - 2015-02-26 13:31:55
|
On 02/26/2015 02:27 PM, Markus Kilås wrote:
> I think you have only run "uploadsignercertificatechain" but you also
> need to run "uploadsignercertificate" with only the signer certificate
> like this:
>
> $ bin/signserver uploadsignercertificatechain 3 GLOB $PATH/cert.pem

Doh, I wrote the same thing again :)

I meant like this:

$ bin/signserver uploadsignercertificate 3 GLOB $PATH/cert.pem

Then do reload to activate the change:

$ bin/signserver reload 3

Cheers,
Markus
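
Added example (not part of the thread and not SignServer code): a shell helper that splits a PEM chain laid out as described above, signer certificate first and CA certificate after it, into the signer-only file that "uploadsignercertificate" takes. The function names, the signer.pem file name and the sample chain are assumptions; the printed commands are the ones quoted in the thread for worker 3.

```shell
#!/bin/sh
# Added example: split a PEM chain (signer certificate first, CA after it)
# into the files the thread's two upload commands take.

# pem_count FILE -> number of CERTIFICATE blocks in FILE
pem_count() {
    awk '/^-----BEGIN CERTIFICATE-----/ { n++ } END { print n + 0 }' "$1"
}

# pem_extract FILE N -> print only the N-th CERTIFICATE block (1-based),
# dropping any text outside the BEGIN/END markers.
pem_extract() {
    awk -v want="$2" '
        /^-----BEGIN CERTIFICATE-----/ { n++; inside = 1 }
        inside && n == want { print }
        /^-----END CERTIFICATE-----/ { inside = 0 }
    ' "$1"
}

# split_chain CHAIN OUTDIR -> writes OUTDIR/signer.pem (first block only).
# Fails if the chain does not hold at least signer + one CA certificate.
split_chain() {
    chain=$1; outdir=$2
    total=$(pem_count "$chain")
    if [ "$total" -lt 2 ]; then
        echo "expected signer + CA certificates, found $total" >&2
        return 1
    fi
    pem_extract "$chain" 1 > "$outdir/signer.pem"
    # Commands from the thread, for worker 3 (printed, not executed here):
    echo "bin/signserver uploadsignercertificate 3 GLOB $outdir/signer.pem"
    echo "bin/signserver uploadsignercertificatechain 3 GLOB $chain"
    echo "bin/signserver reload 3"
}

# Constructed sample: placeholder bodies, not real certificates.
make_sample_chain() {
    cat > "$1" <<'EOF'
Bag Attributes: constructed sample
-----BEGIN CERTIFICATE-----
AAAASIGNERPLACEHOLDER
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
BBBBCAPLACEHOLDER
-----END CERTIFICATE-----
EOF
}
```

The split is textual only; it does not confirm that the first block is the TSA certificate, so the order of the chain file still has to be as described in the original post.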