Hi,
we installed a boulder test instance in our company. We can get certificates and all is up and working.
Now we want to replace the issuer certificates: ‘cackling cryptographer fake ROOT’ and the intermediate certificates with our own QA certificates.
In directory: '/usr/share/go/src/github.com/letsencrypt/boulder/test/'
I found these certificates and tried to replace them with our own root and intermediate certificates and keys.
test-ca2.pem test-ca.pem test-root.pem
test-ca2.key test-ca.key test-root.key
In this directory are also some configuration files for the keys:
test-root.key-pkcs11.json …
I don’t know, if and what, I have to do with them.
Our keys are not password protected.
But this simple approach doesn’t work. Boulder doesn’t start anymore.
I get following Error message: E141454 boulder-ca [AUDIT] Couldn’t load private key: Issuer key did not match issuer cert test/test-ca2.pem
What do I have to do to use our own Issuer Certificates?
You’ll also need to update test-ca.key.der and test-root.key.der with the DER format of your keys. That’s what gets loaded into SoftHSM via test/entrypoint.sh and used via PKCS#11 for signing. You can use openssl rsa to transform your PEM-formatted keys into DER format.
It’s possible that entrypoint.sh is failing to load the new key into the HSM. Do you see any error messages from that part of the script? Once boulder and the bhsm container are up and running, you should be able to set PKCS11_PROXY_SOCKET=tcp://boulder-hsm:5657 in a shell on your host and use the same pkcs11-tool commands to communicate with the HSM directly to load keys manually and see if that helps. Note that you’d need to compile and build pkcs11-proxy locally.
started exec listenbuddy -listen :19091 -speak publisher.boulder:9091 with pid 65
started exec listenbuddy -listen :19092 -speak va.boulder:9092 with pid 66
started exec listenbuddy -listen :19093 -speak ca.boulder:9093 with pid 67
started exec listenbuddy -listen :19094 -speak ra.boulder:9094 with pid 68
started exec listenbuddy -listen :19095 -speak sa.boulder:9095 with pid 81
started exec listenbuddy -listen :19096 -speak ca.boulder:9096 with pid 86
started exec listenbuddy -listen :19097 -speak va.boulder:9097 with pid 91
started exec listenbuddy -listen :19098 -speak va.boulder:9098 with pid 97
export GO15VENDOREXPERIMENT=1
GOBIN=/go/src/github.com/letsencrypt/boulder/bin go install ./...
gsb-test-srv: 2018/02/02 16:21:50 Starting GSB Test Server on ":6000"
Boulder itself has not been started:
root@jha-utm-02:/usr/share/go/src/github.com/letsencrypt/boulder# docker-compose ps
Name Command State Ports --------------------------------------------------------------------
boulder_bhsm_1 /usr/local/bin/pkcs11-daem ... Up 5657/tcp
boulder_bmysql_1 docker-entrypoint.sh mysql ... Up 3306/tcp
After the error message it exits:
E162150 boulder-ca [AUDIT] Couldn't load private key: Issuer key did not match issuer cert test/test-ca2.pem
These processes exited early (check above for their output):
'exec ./bin/boulder-ca --config test/config/ca.json' with pid 1080 exited 1
I successfully compiled locally pkcs11-proxy by following the steps in (...)boulder-tools/build.sh and I tried to import the key manually, but the connection refused.: