|
From: Antoine L. <ant...@yo...> - 2013-10-17 22:46:10
|
Hi everyone,

I have an error for a pdf worker. The cryptotoken is offline, the
error is : key usage limit exceeded or not initialized

In my configuration of the worker, the value of KEYUSAGELIMIT is -1.

Any ideas ?

Thanks a lot !

--
Antoine Louiset
|
From: Marcus L. <mar...@pr...> - 2013-10-18 07:18:53
|
Thu 2013-10-17 at 18:41 +0200, Antoine Louiset wrote:
> Hi everyone,
>
> I have an error for a pdf worker. The cryptotoken is offline, the
> error is : key usage limit exceeded or not initialized
>
> In my configuration of the worker, the value of KEYUSAGELIMIT is -1.
>
> Any ideas ?
>

Hi Antoine!

Could you try running:
bin/signserver getstatus brief all

And see what the output is regarding your pdf worker.

Regards,
Marcus Lundblad

> Thanks a lot !
>
> --
> Antoine Louiset
>
> _______________________________________________
> SignServer-develop mailing list
> Sig...@li...
> https://lists.sourceforge.net/lists/listinfo/signserver-develop
|
From: Antoine L. <ant...@yo...> - 2013-10-18 07:31:28
|
Hi,
Here is the result of getstatus brief all :
Current version of server is : SignServer 3.3.0alpha12
Status of Signer with Id 1 is :
Worker status : Offline
Token status : Active
Signings: 0
Errors:
Key usage limit exceeded or not initialized
and here is the result of getstatus complete all :
Current version of server is : SignServer 3.3.0alpha12
The Global Configuration of Properties are :
GLOB.WORKER1.SIGNERTOKEN.CLASSPATH=org.signserver.server.cryptotokens.JKSCryptoToken
GLOB.WORKER1.CLASSPATH=org.signserver.module.pdfsigner.PDFSigner
The global configuration is in sync with the database.
Status of Signer with Id 1 is :
Worker status : Offline
Token status : Active
Signings: 0
Errors:
Key usage limit exceeded or not initialized
Active Properties are :
ALLOW_REQUEST_PROPERTIES_OVERRIDE=LOCATION, REASON,
ADD_VISIBLE_SIGNATURE, EMBED_CRL, EMBED_OCSP_RESPONSE,
REJECT_PERMISSIONS, SET_PERMISSIONS,
REMOVE_PERMISSIONS,SET_OWNERPASSWORD,VISIBLE_SIGNATURE_PAGE,VISIBLE_SIGNATURE_RECTANGLE,VISIBLE_SIGNATURE_CUSTOM_IMAGE_BASE64,VISIBLE_SIGNATURE_CUSTOM_IMAGE_RESIZE_TO_RECTANGLE,CERTIFICATION_LEVEL
REASON=Signed by Yousign
CHECKCERTPRIVATEKEYVALIDITY=false
SIGNERCERTCHAIN=
KEYSTOREPATH=/etc/certificates/ysKeystore.jks
DEFAULTKEY=6
KEYUSAGELIMIT=-1
REQUIRE_REQUEST_PROPERTIES=ALIAS,AUTHPARAM,DEMAND
AUTHTYPE=org.signserver.server.YousignAuthorizer
NAME=YousignPDFSigner
SIGNERCERT=
KEYSTOREPASSWORD=xxxx
CLASSPATH=org.signserver.common.ProcessableConfig
KEYSTORETYPE=JKS
CHECKCERTVALIDITY=false
LOCATION=France
Active Authorized Clients are are (Cert DN, IssuerDN):
INFO IMPLICITLYCA_Q not set, using default.
INFO IMPLICITLYCA_A not set, using default.
INFO IMPLICITLYCA_B not set, using default.
INFO IMPLICITLYCA_G not set, using default.
INFO IMPLICITLYCA_N not set, using default.
The current configuration use the following signer certificate :
Subject DN: -----------
Serial number: -----------
Issuer DN: -----------
Valid from: 2013-10-11 12:55:46 CEST
Valid until: 2015-10-11 12:55:46 CEST
Thanks a lot !
Antoine
--
Antoine Louiset
|
|
From: Marcus L. <mar...@pr...> - 2013-10-18 13:30:02
|
Fri 2013-10-18 at 09:31 +0200, Antoine Louiset wrote:

> CHECKCERTPRIVATEKEYVALIDITY=false
>
> SIGNERCERTCHAIN=
>
> KEYSTOREPATH=/etc/certificates/ysKeystore.jks
>
> DEFAULTKEY=6

What do the key aliases in the keystore look like, if you use:
keytool -list -keystore /etc/certificates/ysKeystore.jks

You could also try to take a look at the content of the KeyUsageCounter
table in the database, to see if there is a row corresponding to the
fingerprint of the key in the keystore.

Another thing that you could try to do is set DISABLEKEYUSAGECOUNTER=true
and (temporarily) remove the KEYUSAGELIMIT property (they cannot both
be defined simultaneously) to rule out that there could be something
missing in the keystore, perhaps.

Regards,
Marcus Lundblad
|
From: Antoine L. <ant...@yo...> - 2013-10-18 23:46:16
|
Hi Marcus,

Thanks for your answer !

Result of keytool command :

Type Keystore : JKS
Fournisseur Keystore : SUN

Votre Keystore contient 3 entrée(s)

6, 11 oct. 2013, PrivateKeyEntry,
Empreinte du certificat (MD5) : 3C:73:E1:46:8E:FC:B2:84:EE:58:DE:CB:D2:30:26:29
7ofi6mgp6dc6vaibcjyha3zrafb5my6c0qpftnnn, 19 oct. 2013, PrivateKeyEntry,
Empreinte du certificat (MD5) : 11:0C:B2:5C:E1:77:76:77:17:F9:15:8A:D8:B5:89:82
7, 11 oct. 2013, PrivateKeyEntry,
Empreinte du certificat (MD5) : 26:D5:6B:A1:FF:DD:A6:1E:7F:99:F4:2F:64:2C:03:4B

The result of "select * from KeyUsageCounter;"

+------------------------------------------------------------------+---------+
| keyHash                                                          | counter |
+------------------------------------------------------------------+---------+
| 9f8966010dc45a88538b54413f94af2ff906172e6b7439360e3d1f3b363b8b7d |       0 |
+------------------------------------------------------------------+---------+

I tried to launch activatecryptotoken but the worker was still offline.

I added DISABLEKEYUSAGECOUNTER=true and now it works.

It would be better to use the counter, have you got any ideas ?

Thanks a lot !!

Antoine

--
Antoine Louiset
|
From: Marcus L. <mar...@pr...> - 2013-10-21 06:41:28
|
Sat 2013-10-19 at 01:28 +0200, Antoine Louiset wrote:

> I tried to launch activatecryptotoken but the worker was still offline.
>
> I added DISABLEKEYUSAGECOUNTER=true and now it works.
>
> It would be better to use the counter, have you got any ideas ?
>

I think I'll need to do some further investigations and try to reproduce
the problem using a worker configured using a JKSCryptoToken.

Is this using MySQL by the way?

Regards, Marcus
|
From: Antoine L. <ant...@yo...> - 2013-10-21 10:31:19
|
Hi,

Yes I'm using mysql and I wonder if the problem could be that.

Thanks for your answer !

--
Antoine Louiset
|
From: Marcus L. <mar...@pr...> - 2013-10-21 13:00:23
|
Mon 2013-10-21 at 10:05 +0200, Antoine Louiset wrote:
> Hi,
>
> Yes I'm using mysql and I wonder if the problem could be that.
>
> Thanks for your answer !
>

I tried setting up a test environment with a test PDF signer using a
JKSCryptoToken, I'm running this on MySQL 5.5.33 (the version in Debian
testing).
It works correctly for me both using the default (no KEYUSAGELIMIT
specified, default to -1), setting -1 implicitly and also using a limit
of 100.

Could you generate server log outputs when reloading the signer and when
attempting to sign a document.
Maybe I could get some hint there.

Regards, Marcus
|
From: Markus K. <ejb...@pr...> - 2013-11-05 14:37:03
|
Hi Antoine,

After activating the worker (or directly if you have specified the
password in the configuration), make sure you issue a "reload WORKERID"
so the key usage counter gets initialized. Notice that this has to be
done after the worker is activated as the key-pair needs to be accessed
as part of the activation. After the reload the token status might be
offline in which case you will have to activate it again before both
statuses change to active.

Best regards,
Markus

--
PrimeKey Solutions offers a commercial EJBCA support subscription and
training for EJBCA. Please see www.primekey.se or contact in...@pr...
for more information.
http://www.primekey.se/Services/Support/
http://www.primekey.se/Services/Training/
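The order of operations in the last message (activate, reload so the key usage counter is initialized, activate again if the token went offline), as an added shell example that is not part of the original thread or of SignServer. It parses the getstatus brief all format posted earlier in the thread and runs only the reload step itself; it assumes the CLI is invoked as bin/signserver and that reload takes the worker id as its argument, and next_step, recover_worker, SIGNSERVER and MAX_RELOADS are names made up for this example.

```shell
#!/bin/sh
# Added example, not SignServer code. Assumption: the CLI is bin/signserver;
# set SIGNSERVER to override. MAX_RELOADS bounds the retry loop.
SIGNSERVER=${SIGNSERVER:-bin/signserver}
MAX_RELOADS=${MAX_RELOADS:-2}

# Status block for worker 1 as posted earlier in this thread (sample input).
sample_status() {
    cat <<'EOF'
Current version of server is : SignServer 3.3.0alpha12
Status of Signer with Id 1 is :
   Worker status : Offline
   Token status  : Active
   Signings: 0
   Errors:
     Key usage limit exceeded or not initialized
EOF
}

# next_step ID: read "getstatus brief all" output on stdin and print the next
# action for worker ID: ok | activate | reload | investigate | unknown
next_step() {
    awk -v id="$1" '
        function val(s) { sub(/^[^:]*:[ \t]*/, "", s); sub(/[ \t\r]+$/, "", s); return s }
        /Status of .* with Id [0-9]+ is/ {
            cur = $0; sub(/.* with Id /, "", cur); sub(/[^0-9].*/, "", cur); next
        }
        (cur "") != (id "") { next }          # skip other workers
        /Worker status[ \t]*:/ { worker = val($0) }
        /Token status[ \t]*:/  { token = val($0) }
        /Key usage limit exceeded or not initialized/ { counter_err = 1 }
        END {
            if (worker == "")            print "unknown"      # id not listed
            else if (token != "Active")  print "activate"     # key not reachable yet
            else if (worker == "Active") print "ok"
            else if (counter_err)        print "reload"       # counter row not initialized
            else                         print "investigate"  # offline for another reason
        }'
}

# recover_worker ID: reload while the counter error persists and the token is
# active. Returns 0 ok, 1 reload did not help, 2 activation needed, 3 other.
recover_worker() {
    id=$1 reloads=0
    while :; do
        step=$($SIGNSERVER getstatus brief all | next_step "$id")
        case "$step" in
            ok) return 0 ;;
            activate)
                echo "worker $id: token not active; run activatecryptotoken, then rerun" >&2
                return 2 ;;
            reload)
                if [ "$reloads" -ge "$MAX_RELOADS" ]; then
                    echo "worker $id: counter error persists after $reloads reload(s)" >&2
                    return 1
                fi
                $SIGNSERVER reload "$id" >/dev/null || return 3
                reloads=$((reloads + 1)) ;;
            *)
                echo "worker $id: state '$step', check the server log" >&2
                return 3 ;;
        esac
    done
}

# Run only when asked to, e.g.: sh recover.sh --run 1
if [ "${1:-}" = "--run" ]; then
    recover_worker "${2:?worker id required}"
fi
```

Activation is left to the operator so the keystore authentication code never has to be passed through the script.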