xipki / xipki
XiPKI: Compact open source PKI (CA, OCSP responder, certificate protocols ACME, CMP, EST, SCEP) with HSM support.
License: Apache License 2.0
The syntax is specified in eIDAS standard EN 319 412.
PostgreSQL: 9.4.1207.jre7 --> 9.4.1211
H2: 1.4.191 --> 1.4.192
HSQLDB: 2.3.3 --> 2.3.4
MariaDB: 1.4.3 --> 1.5.3
In /xipki/ca/ca-client-shell/src/main/java/org/xipki/pki/ca/client/shell/completer/
there are 2 files: RandomDnCompleter.java and RandomDNCompleter.java.
Maven doesn't compile and gives an error. Removing RandomDNCompleter.java fixes the issue.
Hello.
In file "ca-db.properties":
....
#encrypted password 123456
dataSource.password = PBE:B9A/zfIDGOTc+xhshvJGWMMdft32EjtEZPWGH9M0JvoWFA==
...
How do I encrypt my own password for this setting?
For local lab with GNS3 (www.gns3.com)
IOS: c7200-adventerprisek9-mz.124-24.T5.image
!
hostname R1
ip domain name xipki.org
#conf t
R1(config)#
R1(config)#crypto key generate rsa label KEY2048 modulus 2048
Next, set trust:
!
crypto pki trustpoint SubCAwithCRL1
enrollment mode ra
enrollment url http://fqdn-host-ca-name:8080/scep/SubCAwithCRL/OCSP
serial-number
fqdn R1.xipki.org
subject-name CN=R1.xipki.org,O=xipki,C=DE
revocation-check crl none
rsakeypair KEY2048
hash sha1
!
Ubuntu 16 x64:
version xipki-pki-2.1.0
karaf@root()> source xipki/demo/demo.script SHA1 PKCS12 RSA 2048
...
all success
back to cisco:
R1(config)#crypto pki authenticate SubCAwithCRL1
...
Trustpoint CA certificate accepted.
Good, next get cert:
R1(config)#crypto pki enroll SubCAwithCRL1
%
% Start certificate enrollment ..
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:
Re-enter password:
% The subject name in the certificate will include: CN=R1.xipki.org,O=xipki,C=DE
% The subject name in the certificate will include: R1.xipki.org
% The serial number in the certificate will be: 4279256517
% Include an IP address in the subject name? [no]:
Request certificate from CA? [yes/no]: yes
% Certificate request sent to Certificate Authority
% The 'show crypto pki certificate verbose SubCAwithCRL1' commandwill show the fingerprint.
R1(config)#
log cisco, last lines:
*Feb 21 19:31:47.670: CRYPTO_PKI: make trustedCerts list for SubCAwithCRL1
*Feb 21 19:31:47.670: CRYPTO_PKI: subject="cn=SCEP Responder1,o=xipki,c=DE" serial number= 61 62 0A 53 4A B5 E7 6E
*Feb 21 19:31:47.678: CRYPTO_PKI: subject="cn=PREFIX SubCAwithCRL1 SUFFIX,o=xipki,c=DE" serial number= 51 1F A4 32 DE A7 70 C4
*Feb 21 19:31:47.694: ../cert-c/source/asn1pub.c(283) : E_INVALID_PARAMETER : invalid function parameter (inputBER)
*Feb 21 19:31:47.694: ../cert-c/source/asn1pub.c(2843) : E_INVALID_PARAMETER : invalid function parameter ()
*Feb 21 19:31:47.694: ../cert-c/source/p7spprt.c(2433) : E_INVALID_PARAMETER : invalid function parameter ()
*Feb 21 19:31:47.694: ../cert-c/source/p7spprt.c(911) : E_BER_ENCODING : invalid encoding format for input data
*Feb 21 19:31:47.694: ../cert-c/source/p7spprt.c(614) : E_BER_ENCODING : invalid encoding format for input data
*Feb 21 19:31:47.710: CRYPTO_PKI: status = 0x701(E_BER_ENCODING : invalid encoding format for input data): failed to verify
*Feb 21 19:31:47.710: CRYPTO_PKI: status = 0x701(E_BER_ENCODING : invalid encoding format for input data): failed to process the inner content
*Feb 21 19:31:47.710: %PKI-6-CERTFAIL: Certificate enrollment failed.
*Feb 21 19:31:47.710: CRYPTO_PKI: All enrollment requests completed for trustpoint SubCAwithCRL1.
*Feb 21 19:31:47.710: CRYPTO_PKI: All enrollment requests completed for trustpoint SubCAwithCRL1.
*Feb 21 19:31:47.710: CRYPTO_PKI: All enrollment requests completed for trustpoint SubCAwithCRL1.
*Feb 21 19:31:47.714: CRYPTO_PKI: All enrollment requests completed for trustpoint SubCAwithCRL1.
Back to xipki:
karaf.log:
2017-02-21 19:31:47,962 | INFO | tp1966794535-456 | AuditService | xipki.commons.audit.AuditService 69 | 116 - ki.commons.audit | AuditEvent INFO | SCEP - PERF: status: SUCCESSFUL duration: 0 name: SubCAwithCRL/OCSP reqType: SCEP mid: d38cbd85fe0fabf0 operation: GetCACaps
2017-02-21 19:31:48,544 | WARN | tp1966794535-453 | Scep | pki.pki.ca.server.impl.scep.Scep 372 | 122 - ki.pki.ca-server | tid=A48B441A902986C760285F4574F2E1B6: unsupported digest algorithm 1.2.840.113549.2.5
2017-02-21 19:31:48,545 | WARN | tp1966794535-453 | Scep | pki.pki.ca.server.impl.scep.Scep 393 | 122 - ki.pki.ca-server | tid=A48B441A902986C760285F4574F2E1B6: encryption with algorithm 1.3.14.3.2.7 is not permitted
2017-02-21 19:31:48,553 | INFO | tp1966794535-453 | AuditService | xipki.commons.audit.AuditService 69 | 116 - ki.commons.audit | AuditEvent INFO | SCEP - PERF: status: SUCCESSFUL duration: 19 name: SubCAwithCRL/OCSP reqType: SCEP mid: 7a76a7bbadb84d17 operation: PKIOperation tid: A48B441A902986C760285F4574F2E1B6 pkiStatus: FAILURE failInfo: badAlg
xiaudit.log:
2017-02-21 19:31:48,553 | INFO | SCEP - PERF: status: SUCCESSFUL duration: 19 name: SubCAwithCRL/OCSP reqType: SCEP mid: 7a76a7bbadb84d17 operation: PKIOperation tid: A48B441A902986C760285F4574F2E1B6 pkiStatus: FAILURE failInfo: badAlg
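The two WARN lines name the algorithms by OID only. The following is an added example, not XiPKI code and not part of the issue, that parses the quoted karaf.log lines, resolves the OIDs (1.2.840.113549.2.5 is MD5, 1.3.14.3.2.7 is single DES in CBC mode) and correlates them with the badAlg audit record by transaction id. The log lines embedded in it are copied from the issue; the OID table is the only thing assumed.

```python
"""Explain a SCEP badAlg failure from XiPKI's karaf.log warnings.

Added example, not XiPKI code. The log lines below are the ones quoted in
the issue; the OID-to-name table is standard (PKCS#1, PKCS#5, OIW and NIST
arcs) and "weak" marks the algorithms the CA refused in that log.
"""
import re
from collections import defaultdict

# Constructed input: the three relevant lines from the issue's karaf.log.
KARAF_LOG = """\
2017-02-21 19:31:48,544 | WARN | tp1966794535-453 | Scep | pki.pki.ca.server.impl.scep.Scep 372 | 122 - ki.pki.ca-server | tid=A48B441A902986C760285F4574F2E1B6: unsupported digest algorithm 1.2.840.113549.2.5
2017-02-21 19:31:48,545 | WARN | tp1966794535-453 | Scep | pki.pki.ca.server.impl.scep.Scep 393 | 122 - ki.pki.ca-server | tid=A48B441A902986C760285F4574F2E1B6: encryption with algorithm 1.3.14.3.2.7 is not permitted
2017-02-21 19:31:48,553 | INFO | tp1966794535-453 | AuditService | xipki.commons.audit.AuditService 69 | 116 - ki.commons.audit | AuditEvent INFO | SCEP - PERF: status: SUCCESSFUL duration: 19 name: SubCAwithCRL/OCSP reqType: SCEP mid: 7a76a7bbadb84d17 operation: PKIOperation tid: A48B441A902986C760285F4574F2E1B6 pkiStatus: FAILURE failInfo: badAlg
"""

# OID -> (name, weak). MD5 is the PKCS#7 signature digest and single DES the
# content-encryption algorithm the router used; both are rejected above.
OID_NAMES = {
    "1.2.840.113549.2.5": ("md5", True),
    "1.3.14.3.2.26": ("sha1", False),
    "2.16.840.1.101.3.4.2.1": ("sha256", False),
    "1.3.14.3.2.7": ("desCBC", True),
    "1.2.840.113549.3.7": ("des-ede3-cbc", False),
    "2.16.840.1.101.3.4.1.2": ("aes128-cbc", False),
}

WARN_RE = re.compile(
    r"tid=(?P<tid>[0-9A-Fa-f]+): (?:"
    r"unsupported (?P<kind1>digest) algorithm (?P<oid1>[\d.]+)"
    r"|(?P<kind2>encryption) with algorithm (?P<oid2>[\d.]+) is not permitted)"
)
AUDIT_RE = re.compile(
    r"operation: (?P<op>\w+) tid: (?P<tid>[0-9A-Fa-f]+) "
    r"pkiStatus: (?P<status>\w+)(?: failInfo: (?P<fail>\w+))?"
)


def parse_scep_log(text):
    """Return ({tid: [(kind, oid, name, weak), ...]}, {tid: (pkiStatus, failInfo)})."""
    rejected = defaultdict(list)
    outcomes = {}
    for line in text.splitlines():
        m = WARN_RE.search(line)
        if m:
            kind = m.group("kind1") or m.group("kind2")
            oid = m.group("oid1") or m.group("oid2")
            # An OID we do not know is treated as not acceptable rather than ignored.
            name, weak = OID_NAMES.get(oid, ("unknown", True))
            rejected[m.group("tid")].append((kind, oid, name, weak))
            continue
        m = AUDIT_RE.search(line)
        if m and m.group("op") == "PKIOperation":
            outcomes[m.group("tid")] = (m.group("status"), m.group("fail"))
    return dict(rejected), outcomes


def explain_failures(text):
    """One readable line per failed SCEP transaction, correlated by tid."""
    rejected, outcomes = parse_scep_log(text)
    report = []
    for tid, (status, fail) in outcomes.items():
        if status != "FAILURE":
            continue
        algs = rejected.get(tid, [])
        detail = ", ".join(f"{kind} {name} ({oid})" for kind, oid, name, _ in algs)
        report.append(f"tid {tid}: failInfo={fail}; client used {detail or 'no algorithm warning logged'}")
    return report


if __name__ == "__main__":
    for line in explain_failures(KARAF_LOG):
        print(line)
```

Read together, the lines say the router signed its PKCSReq with MD5 and enveloped the inner content with single DES, and the CA answered pkiStatus FAILURE / failInfo badAlg instead of issuing; the router-side E_BER_ENCODING messages follow that rejected response. The GetCACaps request seen a second earlier in the same log is the SCEP mechanism by which the CA advertises the digest and cipher capabilities (SHA-1, SHA-256, AES, DES3) a client should pick from.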
Mvn clean install fails with latest pull.
Also git checkout v2.3.0 fails with:
error: pathspec 'v2.3.0' did not match any file(s) known to git.
MVN build example:
[INFO] Scanning for projects...
[INFO]
[INFO] ------------------------------------------------------------------------
[INFO] Building XiPKI :: ca-api 2.3.0-SNAPSHOT
[INFO] ------------------------------------------------------------------------
[WARNING] The POM for org.xipki.tk:cmp:jar:2.3.0-SNAPSHOT is missing, no dependency information available
[WARNING] The POM for org.xipki.tk:datasource:jar:2.3.0-SNAPSHOT is missing, no dependency information available
[WARNING] The POM for org.xipki.tk:audit:jar:2.3.0-SNAPSHOT is missing, no dependency information available
[INFO] ------------------------------------------------------------------------
[INFO] BUILD FAILURE
[INFO] ------------------------------------------------------------------------
[INFO] Total time: 1.533 s
[INFO] Finished at: 2017-11-29T17:45:38-08:00
[INFO] Final Memory: 11M/303M
[INFO] ------------------------------------------------------------------------
[ERROR] Failed to execute goal on project ca-api: Could not resolve dependencies for project org.xipki.pki:ca-api:bundle:2.3.0-SNAPSHOT: The following artifacts could not be resolved: org.xipki.tk:cmp:jar:2.3.0-SNAPSHOT, org.xipki.tk:datasource:jar:2.3.0-SNAPSHOT, org.xipki.tk:audit:jar:2.3.0-SNAPSHOT: Failure to find org.xipki.tk:cmp:jar:2.3.0-SNAPSHOT in https://oss.sonatype.org/content/repositories/snapshots was cached in the local repository, resolution will not be reattempted until the update interval of sonatype-nexus-snapshots has elapsed or updates are forced -> [Help 1]
[ERROR]
[ERROR] To see the full stack trace of the errors, re-run Maven with the -e switch.
[ERROR] Re-run Maven using the -X switch to enable full debug logging.
[ERROR]
[ERROR] For more information about the errors and possible solutions, please read the following articles:
[ERROR] [Help 1] http://cwiki.apache.org/confluence/display/MAVEN/DependencyResolutionException
It would be nice to have a command to list certificates issued by a CA. Currently this is possible only via direct database queries.
An option for sorting order would also be useful. For example, sorting by expiration date could be used to list all the certificates that are about to expire.
If the CA is behind an Apache httpd reverse proxy, configure the proxy to forward the headers via mod_proxy with the following configuration:
RequestHeader set SSL_CLIENT_VERIFY "%{SSL_CLIENT_VERIFY}s"
RequestHeader set SSL_CLIENT_CERT "%{SSL_CLIENT_CERT}s"
For more details please refer to
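Forwarding the mod_ssl variables as headers moves the trust decision to the backend. The following is an added example, not XiPKI code and not part of the issue, of what a backend behind that proxy has to check before believing those headers. It assumes a fixed proxy address (10.0.0.5 is made up) and that the proxy may have folded the PEM line breaks into spaces when it copied the certificate into the header:

```python
"""Accept a client certificate only from headers a trusted reverse proxy set.

Added example, not XiPKI code. Assumptions: the proxy's address is known
(10.0.0.5 is made up), the proxy always overwrites SSL_CLIENT_VERIFY and
SSL_CLIENT_CERT with "RequestHeader set", and it may fold the PEM line
breaks into spaces when it copies the certificate into a header.
"""
import ssl

TRUSTED_PROXIES = {"10.0.0.5"}  # assumed address of the Apache httpd proxy

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def pem_from_header(value):
    """Rebuild a PEM certificate whose line breaks were folded into spaces."""
    value = value.strip()
    if "\n" in value:
        return value  # line breaks survived, nothing to repair
    if not (value.startswith(PEM_BEGIN) and value.endswith(PEM_END)):
        raise ValueError("SSL_CLIENT_CERT is not a PEM certificate")
    body = value[len(PEM_BEGIN):-len(PEM_END)].replace(" ", "")
    lines = [body[i:i + 64] for i in range(0, len(body), 64)]
    return "\n".join([PEM_BEGIN, *lines, PEM_END]) + "\n"


def client_cert_der(headers, peer_ip):
    """DER bytes of the authenticated client certificate, or None.

    The headers are trusted only when the TCP peer is the proxy: anyone who
    can reach the backend directly could otherwise send
    SSL_CLIENT_VERIFY: SUCCESS together with any certificate they like.
    """
    if peer_ip not in TRUSTED_PROXIES:
        return None
    # mod_ssl sets NONE, SUCCESS, GENEROUS or FAILED:<reason>; only SUCCESS counts.
    if headers.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    pem = headers.get("SSL_CLIENT_CERT", "")
    if not pem:
        return None
    try:
        # Only decodes the PEM; chain validation already happened on the proxy.
        return ssl.PEM_cert_to_DER_cert(pem_from_header(pem))
    except ValueError:
        return None


if __name__ == "__main__":
    # Constructed header as the proxy would send it, with a made-up DER body.
    folded = PEM_BEGIN + " MAYCAQECAQI= " + PEM_END
    print(client_cert_der({"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_CERT": folded}, "10.0.0.5"))
    print(client_cert_der({"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_CERT": folded}, "203.0.113.9"))
```

`RequestHeader set` (rather than `add` or `append`) matters on the proxy side because it overwrites any SSL_CLIENT_VERIFY header the client itself supplied; the peer-address check in the code covers the other path, a client that reaches the CA's listener without passing through the proxy at all.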
Currently the column to save the base64-encoded certificate is limited to 3000, thus certificates with more than 2250 bytes cannot be saved. The limit should be extended to 4000 to save certificates up to 3000 bytes.