CA Connector can't create certificate

Hi,

I’ve set up the WebCA as described in
http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html

When I try to roll out a new certificate I get:
‘X509Req’ object has no attribute ‘get_extensions’

There’s no certificate but the token will be displayed within the token
view.

Google tells me about some “wont fixes” with PyOpenSSL.

I’m using Debian 8 with latest packages from Trusty build.

Any ideas?

Thanks
Michael

Oh,
it looks like get_extensions was added to X509Req AFTER the release of
0.14.
Available in 0.15… :-/

Maybe I will pack a newer version of python-openssl.
Till then you would have to install at least 0.15. Or run in a python
virtualenv…

Kind regards
Cornelius

On Monday, 06.06.2016, 13:20 -0700, Michael Muenz wrote:

ii openssl 1.0.1t-1+deb8u2 amd64 Secure Sockets Layer toolkit - cryptographic utility
ii python-openssl 0.14-1 all Python 2 wrapper around the OpenSSL library

[2016-06-06 22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
[2016-06-06 22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
[2016-06-06 22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
[2016-06-06 22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
[2016-06-06 22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
[2016-06-06 22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
[2016-06-06 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
[2016-06-06 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
[2016-06-06 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
[2016-06-06 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
[2016-06-06 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
[2016-06-06 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
[2016-06-06 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
[2016-06-06 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
[2016-06-06 22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423] Exception on /token/init [POST]
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", line 57, in event_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 180, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/token.py", line 186, in init
    tokenrealms=tokenrealms)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 180, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 912, in init_token
    tokenobject.update(upd_params)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py", line 218, in update
    crypto.FILETYPE_PEM, req))
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173, in sign_request
    csr_extensions = csr_obj.get_extensions()
AttributeError: 'X509Req' object has no attribute 'get_extensions'

Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/137ce9e3-bc5b-4dce-bd01-5fbd46e0f7da%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
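
Added example, not part of the thread and not privacyIDEA code: a preflight a deployment could run before enabling the local CA connector, so that a pyOpenSSL without X509Req.get_extensions (0.14 on the system above) is reported at startup instead of failing during /token/init. The function names and the stand-in classes are hypothetical; only the 0.15 threshold and the method name come from the thread.

```python
"""Preflight for the pyOpenSSL feature used by the CA connector's signing path."""
import re
import types

# Minimum pyOpenSSL version named in the thread for X509Req.get_extensions().
MIN_PYOPENSSL = (0, 15)

# (class, method) pairs called while signing; taken from the traceback
# in the thread (localca.py, sign_request).
REQUIRED_METHODS = [("X509Req", "get_extensions")]


def parse_version(text):
    """Turn '0.15.1' or a Debian string such as '0.14-1' into an int tuple."""
    upstream = text.split(":", 1)[-1]        # drop a Debian epoch ("1:...")
    upstream = upstream.rsplit("-", 1)[0]    # drop the Debian revision ("-1")
    match = re.match(r"\d+(?:\.\d+)*", upstream)
    if match is None:
        raise ValueError("no version number in %r" % text)
    return tuple(int(part) for part in match.group(0).split("."))


def missing_methods(crypto):
    """Return 'Class.method' names that an OpenSSL.crypto-like module lacks."""
    missing = []
    for cls_name, method in REQUIRED_METHODS:
        cls = getattr(crypto, cls_name, None)
        if cls is None or not callable(getattr(cls, method, None)):
            missing.append("%s.%s" % (cls_name, method))
    return missing


def preflight(version_text, crypto):
    """Return a list of problems; an empty list means enrollment can proceed."""
    problems = []
    if parse_version(version_text) < MIN_PYOPENSSL:
        wanted = ".".join(str(n) for n in MIN_PYOPENSSL)
        problems.append("pyOpenSSL %s is older than %s" % (version_text, wanted))
    # Probe the feature as well: a mixed install (two package sources, as in
    # the thread) can report one version and load another module.
    problems.extend("missing " + name for name in missing_methods(crypto))
    return problems


def check_installed():
    """Run the preflight against whatever pyOpenSSL this interpreter loads."""
    try:
        import OpenSSL
        from OpenSSL import crypto
    except ImportError:
        return ["pyOpenSSL is not installed"]
    return preflight(OpenSSL.__version__, crypto)


# Constructed stand-ins for OpenSSL.crypto as described in the thread:
# the 0.14 class has no get_extensions, the 0.15 class has it.
class _Req014(object):
    def get_subject(self):
        return None


class _Req015(_Req014):
    def get_extensions(self):
        return []


CRYPTO_014 = types.SimpleNamespace(X509Req=_Req014)
CRYPTO_015 = types.SimpleNamespace(X509Req=_Req015)


if __name__ == "__main__":
    for problem in check_installed():
        print("preflight:", problem)
```

Running the check when the service starts keeps a version mismatch from surfacing only after a token record has already been created without a certificate.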


Hi,

can you please post your privacyidea.log?
There should be a traceback.

Which version of pyopenssl and which version of openssl are you using?

Kind regards
Cornelius

The CSR extensions are not used at the moment.

So we could as well remove this line and then python-openssl 0.14 would
work fine, again.

Kind regards
Cornelius

Hi Michael,

this very much depends on your overall PKI design.
As a matter of fact I am also doing PKI consultancy for enterprise sized
PKIs. Including hardware security modules and smartcards if needed.

Yes, setting up an Intermediate CA would make sense. But the
intermediate CA does not need the Root CA to sign a certificate.

You could however include the whole CA chain for download. But this is
also not required. So technically: No Root CA needed on this machine.

Kind regards
Cornelius

On Tuesday, 07.06.2016, 02:25 -0700, Michael Muenz wrote:

Hi,

true that! :)

So what about users already running a company wide CA via OpenSSL?
Then I would create a new Intermediate CA with no PW, but then the
openssl command has to be edited to include the original
root-certificate in the chain.

Any chance to do this?

I’m not a PKI expert, but does this make sense?

Michael

On Tuesday, June 7, 2016 at 10:15:14 AM UTC+2, Cornelius Kölbel wrote:

    Hi Michael,

    I was thinking the passphrase on the ca key.
    In my opinion having a passphrase only makes limited sense.
    The passphrase would be encrypted in the database. Encrypted
    with the encryption key, which is probably only protected by
    file access. So you can protect the ca key with file access in
    the first place.

    Think of the local ca as a working proof of concept :-)
    Any feedback and input is appreciated.

    Kind regards
    Cornelius

    Cornelius Kölbel
    +49 151 2960 1417

    NetKnights GmbH
    http://netknights.it
    +49 561 3166 797



I added the Jessie-Backports since they deliver 0.15, but when I wanted to
install it, it greps python-pyopenssl from the trusty ppa and breaks :)
After that I forced it with aptitude -t jessie-backports and now I get an
Internal Server Error when accessing the start page:

[Tue Jun 07 09:53:37.895043 2016] [wsgi:error] [pid 489:tid 139726979172096] /usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning: Unicode column received non-unicode default value.
[Tue Jun 07 09:53:37.895273 2016] [wsgi:error] [pid 489:tid 139726979172096] default="/etc/privacyidea/dictionary")
[Tue Jun 07 09:53:37.921642 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Target WSGI script '/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
[Tue Jun 07 09:53:37.921834 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'.
[Tue Jun 07 09:53:37.921948 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] Traceback (most recent call last):
[Tue Jun 07 09:53:37.922116 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
[Tue Jun 07 09:53:37.922265 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from privacyidea.app import create_app
[Tue Jun 07 09:53:37.922359 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/app.py", line 28, in <module>
[Tue Jun 07 09:53:37.922952 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] import privacyidea.api.before_after
[Tue Jun 07 09:53:37.923097 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py", line 29, in <module>
[Tue Jun 07 09:53:37.923599 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from ..lib.user import get_user_from_param
[Tue Jun 07 09:53:37.923697 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", line 55, in <module>
[Tue Jun 07 09:53:37.924472 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from .resolver import (get_resolver_object,
[Tue Jun 07 09:53:37.924585 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py", line 47, in <module>
[Tue Jun 07 09:53:37.925108 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from config import (get_resolver_types,
[Tue Jun 07 09:53:37.925207 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", line 47, in <module>
[Tue Jun 07 09:53:37.926073 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from .caconnectors.localca import BaseCAConnector
[Tue Jun 07 09:53:37.926233 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173
[Tue Jun 07 09:53:37.926344 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] csr_extensions = csr_obj.get_extensions()
[Tue Jun 07 09:53:37.926499 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] ^
[Tue Jun 07 09:53:37.926583 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] IndentationError: unexpected indent

I think I’m gonna reinstall from scratch …

On Monday, June 6, 2016 at 11:36:09 PM UTC+2, Cornelius Kölbel wrote:

The CSR extensions are not used at the moment.

So we could as well remove this line and then python-openssl 0.14 would
work fine, again.

Kind regards
Cornelius


Hi,

true that! :)

So what about users already running a company wide CA via OpenSSL?
Then I would create a new Intermediate CA with no PW, but then the openssl
command has to be edited to include the original root-certificate in the
chain.

Any chance to do this?

I’m not a PKI expert, but does this make sense?

Michael

On Tuesday, June 7, 2016 at 10:15:14 AM UTC+2, Cornelius Kölbel wrote:

Hi Michael,

I was thinking the passphrase on the ca key.
In my opinion having a passphrase only makes limited sense.
The passphrase would be encrypted in the database. Encrypted with the
encryption key, which is probably only protected by file access. So you can
protect the ca key with file access in the first place.

Think of the local ca as a working proof of concept :-)
Any feedback and input is appreciated.

Kind regards
Cornelius

Cornelius Kölbel
+49 151 2960 1417

NetKnights GmbH
Http://NetKnights. It
+49 561 3166 797
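
The reasoning quoted above makes file access the actual control on the CA key, with or without a passphrase. The check below is an added example, not privacyIDEA code and not part of the original thread: it audits an on-disk CA key for exactly that control. The function name `audit_ca_key`, the file name `ca.key` and the key contents are assumptions constructed for the demonstration.

```python
import os
import shutil
import stat
import tempfile

# PEM markers showing that the private key itself is passphrase-encrypted.
ENCRYPTED_MARKERS = (
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----",  # PKCS#8 encrypted key
    b"Proc-Type: 4,ENCRYPTED",                 # traditional OpenSSL PEM encryption
)

# Constructed sample files: PEM framing only, the bodies are not real keys.
CONSTRUCTED_PLAIN_KEY = (
    b"-----BEGIN PRIVATE KEY-----\n"
    b"CONSTRUCTED+PLACEHOLDER+NOT+A+REAL+KEY\n"
    b"-----END PRIVATE KEY-----\n"
)
CONSTRUCTED_ENCRYPTED_KEY = (
    b"-----BEGIN ENCRYPTED PRIVATE KEY-----\n"
    b"CONSTRUCTED+PLACEHOLDER+NOT+A+REAL+KEY\n"
    b"-----END ENCRYPTED PRIVATE KEY-----\n"
)


def audit_ca_key(path, expected_uid=None):
    """Return (code, message) findings for a CA private key stored on disk."""
    findings = []
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)

    # Any group/other bit means accounts besides the owner can reach the key.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(("mode", "key file mode %04o grants group/other access" % mode))

    # Optionally require that the key belongs to the service account.
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(("owner", "key owned by uid %d, expected %d" % (st.st_uid, expected_uid)))

    # A writable parent directory lets someone else swap the key file.
    parent = os.path.dirname(os.path.abspath(path))
    parent_mode = stat.S_IMODE(os.stat(parent).st_mode)
    if parent_mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(("dir", "directory %s is writable by group/other" % parent))

    with open(path, "rb") as fh:
        data = fh.read()
    if b"PRIVATE KEY-----" not in data:
        findings.append(("format", "no PEM private key found in file"))
    elif not any(marker in data for marker in ENCRYPTED_MARKERS):
        # The situation discussed in the thread: no passphrase on the CA key.
        findings.append(("plaintext", "key has no passphrase; file access is the only protection"))
    return findings


def demo():
    """Audit the constructed key in three states and return the finding codes."""
    workdir = tempfile.mkdtemp()  # mkdtemp creates the directory with mode 0700
    try:
        key_path = os.path.join(workdir, "ca.key")
        with open(key_path, "wb") as fh:
            fh.write(CONSTRUCTED_PLAIN_KEY)

        os.chmod(key_path, 0o644)  # world-readable, no passphrase
        loose = [code for code, _ in audit_ca_key(key_path)]

        os.chmod(key_path, 0o600)  # owner-only, no passphrase
        tight = [code for code, _ in audit_ca_key(key_path)]

        with open(key_path, "wb") as fh:  # owner-only, passphrase-encrypted
            fh.write(CONSTRUCTED_ENCRYPTED_KEY)
        encrypted = [code for code, _ in audit_ca_key(key_path)]
        return loose, tight, encrypted
    finally:
        shutil.rmtree(workdir)


if __name__ == "__main__":
    for label, codes in zip(("0644 plain", "0600 plain", "0600 encrypted"), demo()):
        print(label, "->", codes or "no findings")
```

With an owner-only mode the remaining `plaintext` finding is the accepted trade-off described in the message above, so it is the `mode`, `owner` and `dir` findings that need fixing on such a setup.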

Ok, removed the line and it works again.
Now I can download the PKCS12.

But I had to remove the password from the ca.key … will this be the final
version or do you plan some fields in the UI to enter the password for the
root-ca?

Michael

You should clearly state HOW you created the user certificate.
Especially HOW you created the keypair!

On Wednesday, 13.07.2016, 03:39 -0700, Michael Muenz wrote:

:)

No, I removed the password after our last discussion (for the testing
system)

The certificates get created and I can import them, but they don’t
have a password.

On Wednesday, 13 July 2016 12:38:14 UTC+2, Cornelius Kölbel wrote:

    To avoid confusion:

    The private key of the CA is not password protected!

    Kind regards
    Cornelius

    On Wednesday, 13.07.2016, 03:37 -0700, Michael Muenz wrote:
    > Hi,
    >
    > doesn't work for me.
    >
    > Hm, with my first setup I remember that it was working, but now when
    > importing an existing CA there are no import pw's.
    >
    > Will try again with a CA from scratch.
    >
    > On Wednesday, 13 July 2016 12:16:14 UTC+2, Cornelius Kölbel wrote:
    >         Hi Michael,
    >
    >         this already can be done.
    >         When setting the token PIN, this will be the password for the
    >         pkcs12 file.
    >
    >         Kind regards
    >         Cornelius
    >
    >         On Wednesday, 13.07.2016, 02:45 -0700, Michael Muenz wrote:
    >         > Hi,
    >         >
    >         > Again playing around with the CA connector.
    >         > Are there any plans for setting an import password for the
    >         > generated PKCS12 files?
    >         >
    >         > Thanks
    >         > Michael
    X:512] 
    >         from 
    >         >                 config import
    (get_resolver_types, 
    >         >                 [Tue Jun 07 09:53:37.925207 2016] 
    >         [wsgi:error] [pid 
    >         >                 489:tid 139726979172096] [remote
    X:512] 
    >         File 
    >         > 
    >
    "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", 
    >         line 47, in <module> 
    >         >                 [Tue Jun 07 09:53:37.926073 2016] 
    >         [wsgi:error] [pid 
    >         >                 489:tid 139726979172096] [remote
    X:512] 
    >         >                 from .caconnectors.localca import 
    >         BaseCAConnector 
    >         >                 [Tue Jun 07 09:53:37.926233 2016] 
    >         [wsgi:error] [pid 
    >         >                 489:tid 139726979172096] [remote
    X:512] 
    >         File 
    >         > 
    >
    "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173 
    >         >                 [Tue Jun 07 09:53:37.926344 2016] 
    >         [wsgi:error] [pid 
    >         >                 489:tid 139726979172096] [remote
    X:512] 
    >         >                 csr_extensions =
    csr_obj.get_extensions() 
    >         >                 [Tue Jun 07 09:53:37.926499 2016] 
    >         [wsgi:error] [pid 
    >         >                 489:tid 139726979172096] [remote
    X:512] 
    >         ^ 
    >         >                 [Tue Jun 07 09:53:37.926583 2016] 
    >         [wsgi:error] [pid 
    >         >                 489:tid 139726979172096] [remote
    X:512] 
    >         >                 IndentationError: unexpected
    indent 
    >         >                 
    >         >                 
    >         >                 
    >         >                 
    >         >                 I think I'm gonna reinstall from 
    >         scratch ... 
    >         >                 
    > > On Monday, June 6, 2016 at 11:36:09 PM UTC+2, Cornelius Kölbel wrote:
    > >     The CSR extensions are not used at the moment.
    > >
    > >     So we could as well remove this line and then python-openssl 0.14 would work fine, again.
    > >
    > >     Kind regards
    > >     Cornelius
    > >
    > >     On Monday, 06.06.2016, 13:20 -0700, Michael Muenz wrote:
    > >     > ii  openssl         1.0.1t-1+deb8u2  amd64  Secure Sockets Layer toolkit - cryptographic utility
    > >     > ii  python-openssl  0.14-1           all    Python 2 wrapper around the OpenSSL library
    > >     >
    > >     > [2016-06-06 22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423] Exception on /token/init [POST]
    > >     > Traceback (most recent call last):
    > >     >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    > >     >     response = self.full_dispatch_request()
    > >     >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    > >     >     rv = self.handle_user_exception(e)
    > >     >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    > >     >     reraise(exc_type, exc_value, tb)
    > >     >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    > >     >     rv = self.dispatch_request()
    > >     >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
    > >     >     return self.view_functions[rule.endpoint](**req.view_args)
    > >     >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    > >     >     return wrapped_function(*args, **kwds)
    > >     >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    > >     >     return wrapped_function(*args, **kwds)
    > >     >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    > >     >     return wrapped_function(*args, **kwds)
    > >     >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    > >     >     return wrapped_function(*args, **kwds)
    > >     >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    > >     >     return wrapped_function(*args, **kwds)
    > >     >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    > >     >     return wrapped_function(*args, **kwds)
    > >     >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    > >     >     return wrapped_function(*args, **kwds)
    > >     >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    > >     >     return wrapped_function(*args, **kwds)
    > >     >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    > >     >     return wrapped_function(*args, **kwds)
    > >     >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", line 57, in event_wrapper
    > >     >     f_result = func(*args, **kwds)
    > >     >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 180, in log_wrapper
    > >     >     f_result = func(*args, **kwds)
    > >     >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/token.py", line 186, in init
    > >     >     tokenrealms=tokenrealms)
    > >     >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 180, in log_wrapper
    > >     >     f_result = func(*args, **kwds)
    > >     >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 912, in init_token
    > >     >     tokenobject.update(upd_params)
    > >     >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py", line 218, in update
    > >     >     crypto.FILETYPE_PEM, req))
    > >     >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173, in sign_request
    > >     >     csr_extensions = csr_obj.get_extensions()
    > >     > AttributeError: 'X509Req' object has no attribute 'get_extensions'
    > >     >
    > >     > On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote:
    > >     >     Hi,
    > >     >
    > >     >     can you please post your privacyidea.log?
    > >     >     There should be a traceback.
    > >     >
    > >     >     Which version of pyopenssl and which version of openssl are you using?
    > >     >
    > >     >     Kind regards
    > >     >     Cornelius
    > >     >
    > >     >     On Monday, 06.06.2016, 06:33 -0700, Michael Muenz wrote:
    > >     >     > Hi,
    > >     >     >
    > >     >     > I've set up the WebCA as described in
    > >     >     > http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html
    > >     >     >
    > >     >     > When I try to roll out a new certificate I get:
    > >     >     > 'X509Req' object has no attribute 'get_extensions'
    > >     >     >
    > >     >     > There's no certificate but the token will be displayed within the token view.
    > >     >     >
    > >     >     > Google tells me about some "wont fixes" with PyOpenSSL.
    > >     >     >
    > >     >     > I'm using Debian 8 with latest packages from Trusty build.
    > >     >     >
    > >     >     > Any ideas?
    > >     >     >
    > >     >     > Thanks
    > >     >     > Michael
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/c8e30961-5972-4aaa-a38f-78e44f56a284%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

signature.asc (836 Bytes)

Hi Michael,

this already can be done.
When setting the token PIN, this will be the password for the pkcs12
file.

Kind regards
Cornelius

On Wednesday, 13.07.2016, 02:45 -0700, Michael Muenz wrote:

Hi,

Again playing around with the CA connector.
Are there any plans for setting an import password for the generated
PKCS12 files?

Thanks
Michael

On Tuesday, 7 June 2016 10:15:14 UTC+2, Cornelius Kölbel wrote:
Hi Michael,

    I was thinking the passphrase on the ca key.
    In my opinion having a passphrase only makes limited sense.
    The passphrase would be encrypted in the database.  Encrypted
    with the encryption key, which is probably only protected by
    file access. So you can protect the ca key with file access in
    the first place.
    
    
    Think of the local ca as a working proof of concept  :-)
    Any feedback and input is appreciated.
    
    
    Kind regards
    Cornelius 
    
    
    
    
    
    
    -------- Original message --------
    From: Michael Muenz <m.m...@gmail.com>
    Date: 07.06.16 10:04 (GMT+01:00)
    To: privacyidea <priva...@googlegroups.com>
    Subject: Re: [privacyidea] CA Connector can't create certificate
    
    
    Ok, removed the line and it works again. 
    Now I can download the PKCS12. 
    
    
    But I had to remove the password from the ca.key ... will this
    be the final version or do you plan some fields in the UI to
    enter the password for the root-ca?
    
    
    Michael
    
    On Tuesday, June 7, 2016 at 9:59:06 AM UTC+2, Michael Muenz wrote:
            I added the Jessie-Backports since they deliver 0.15,
            but when I wanted to install it, it greps
            python-pyopenssl from the trusty ppa and breaks :)
            After that I forced it with aptitude -t
            jessie-backports and now I get an Internal Server Error
            when accessing the start page
            
            
            
            
            [Tue Jun 07 09:53:37.895043 2016] [wsgi:error] [pid 489:tid 139726979172096] /usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning: Unicode column received non-unicode default value.
            [Tue Jun 07 09:53:37.895273 2016] [wsgi:error] [pid 489:tid 139726979172096] default="/etc/privacyidea/dictionary")
            [Tue Jun 07 09:53:37.921642 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Target WSGI script '/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
            [Tue Jun 07 09:53:37.921834 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'.
            [Tue Jun 07 09:53:37.921948 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] Traceback (most recent call last):
            [Tue Jun 07 09:53:37.922116 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
            [Tue Jun 07 09:53:37.922265 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     from privacyidea.app import create_app
            [Tue Jun 07 09:53:37.922359 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/app.py", line 28, in <module>
            [Tue Jun 07 09:53:37.922952 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     import privacyidea.api.before_after
            [Tue Jun 07 09:53:37.923097 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py", line 29, in <module>
            [Tue Jun 07 09:53:37.923599 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     from ..lib.user import get_user_from_param
            [Tue Jun 07 09:53:37.923697 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", line 55, in <module>
            [Tue Jun 07 09:53:37.924472 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     from .resolver import (get_resolver_object,
            [Tue Jun 07 09:53:37.924585 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py", line 47, in <module>
            [Tue Jun 07 09:53:37.925108 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     from config import (get_resolver_types,
            [Tue Jun 07 09:53:37.925207 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", line 47, in <module>
            [Tue Jun 07 09:53:37.926073 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     from .caconnectors.localca import BaseCAConnector
            [Tue Jun 07 09:53:37.926233 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173
            [Tue Jun 07 09:53:37.926344 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     csr_extensions = csr_obj.get_extensions()
            [Tue Jun 07 09:53:37.926499 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     ^
            [Tue Jun 07 09:53:37.926583 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] IndentationError: unexpected indent
            
            
            
            
            I think I'm gonna reinstall from scratch ...
            
            On Monday, June 6, 2016 at 11:36:09 PM UTC+2, Cornelius Kölbel wrote:
                    The CSR extensions are not used at the moment.

                    So we could as well remove this line and then
                    python-openssl 0.14 would work fine, again.

                    Kind regards
                    Cornelius

                    On Monday, 06.06.2016, 13:20 -0700, Michael Muenz wrote:
                    > ii  openssl                        1.0.1t-1+deb8u2             amd64        Secure Sockets Layer toolkit - cryptographic utility
                    > ii  python-openssl                 0.14-1                      all          Python 2 wrapper around the OpenSSL library
                    >
                    > [2016-06-06 22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
                    > [2016-06-06 22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
                    > [2016-06-06 22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
                    > [2016-06-06 22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
                    > [2016-06-06 22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
                    > [2016-06-06 22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
                    > [2016-06-06 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
                    > [2016-06-06 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
                    > [2016-06-06 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
                    > [2016-06-06 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
                    > [2016-06-06 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
                    > [2016-06-06 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
                    > [2016-06-06 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
                    > [2016-06-06 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
                    > [2016-06-06 22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423] Exception on /token/init [POST]
                    > Traceback (most recent call last):
                    >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
                    >     response = self.full_dispatch_request()
                    >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
                    >     rv = self.handle_user_exception(e)
                    >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
                    >     reraise(exc_type, exc_value, tb)
                    >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
                    >     rv = self.dispatch_request()
                    >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
                    >     return self.view_functions[rule.endpoint](**req.view_args)
                    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
                    >     return wrapped_function(*args, **kwds)
                    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
                    >     return wrapped_function(*args, **kwds)
                    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
                    >     return wrapped_function(*args, **kwds)
                    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
                    >     return wrapped_function(*args, **kwds)
                    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
                    >     return wrapped_function(*args, **kwds)
                    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
                    >     return wrapped_function(*args, **kwds)
                    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
                    >     return wrapped_function(*args, **kwds)
                    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
                    >     return wrapped_function(*args, **kwds)
                    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
                    >     return wrapped_function(*args, **kwds)
                    >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", line 57, in event_wrapper
                    >     f_result = func(*args, **kwds)
                    >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 180, in log_wrapper
                    >     f_result = func(*args, **kwds)
                    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/token.py", line 186, in init
                    >     tokenrealms=tokenrealms)
                    >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 180, in log_wrapper
                    >     f_result = func(*args, **kwds)
                    >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 912, in init_token
                    >     tokenobject.update(upd_params)
                    >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py", line 218, in update
                    >     crypto.FILETYPE_PEM, req))
                    >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173, in sign_request
                    >     csr_extensions = csr_obj.get_extensions()
                    > AttributeError: 'X509Req' object has no attribute 'get_extensions'
                    >
                    > On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote:
                    >         Hi,
                    >
                    >         can you please post your privacyidea.log?
                    >         There should be a traceback.
                    >
                    >         Which version of pyopenssl and which version of openssl are
                    >         you using?
                    >
                    >         Kind regards
                    >         Cornelius
                    >
                    >         On Monday, 06.06.2016, 06:33 -0700, Michael Muenz wrote:
                    >         > Hi,
                    >         >
                    >         > I've set up the WebCA as described in
                    >         > http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html
                    >         >
                    >         > When I try to roll out a new certificate I get:
                    >         > 'X509Req' object has no attribute 'get_extensions'
                    >         >
                    >         > There's no certificate but the token will be displayed within the
                    >         > token view.
                    >         >
                    >         > Google tells me about some "wont fixes" with PyOpenSSL.
                    >         >
                    >         > I'm using Debian 8 with latest packages from Trusty build.
                    >         >
                    >         > Any ideas?
                    >         >
                    >         > Thanks
                    >         > Michael
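An added example (not from the thread or the privacyIDEA project): a shell check, built on the same `openssl pkcs12` tool used in this thread, that reports whether a PKCS#12 bundle opens with an empty import password and how many CA certificates it carries. The function names, file names, subjects and the PIN `1234` are constructed sample values.

```shell
#!/bin/sh
# Audit a PKCS#12 bundle: is it protected by an import password,
# and does it carry the issuing CA certificate?
# All names, subjects and the PIN used here are constructed sample values.

# Exit 0 if FILE's integrity MAC verifies with PASSWORD, i.e. PASSWORD opens it.
p12_opens_with() {   # FILE PASSWORD
    openssl pkcs12 -in "$1" -passin "pass:$2" -noout </dev/null >/dev/null 2>&1
}

# Print the number of CA certificates in FILE. "-cacerts" outputs only the
# certificates that are not bound to the private key in the bundle.
p12_ca_count() {     # FILE PASSWORD
    openssl pkcs12 -in "$1" -passin "pass:$2" -cacerts -nokeys </dev/null 2>/dev/null |
        awk '/BEGIN CERTIFICATE/ { n++ } END { print n + 0 }'
}

# Print a one-line verdict for FILE, given the PIN it is expected to have.
p12_audit() {        # FILE PIN
    if p12_opens_with "$1" ""; then
        echo "unprotected ca=$(p12_ca_count "$1" "")"
    elif p12_opens_with "$1" "$2"; then
        echo "protected ca=$(p12_ca_count "$1" "$2")"
    else
        echo "unreadable"
    fi
}

# Build constructed sample data in DIR: a throwaway CA, one user certificate,
# nopw.p12 (empty password, no chain) and pin.p12 (PIN 1234, CA included).
make_samples() {     # DIR
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1 &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=constructed-user" \
        -keyout "$d/user.key" -out "$d/user.csr" >/dev/null 2>&1 &&
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 2 -days 1 -out "$d/user.crt" >/dev/null 2>&1 &&
    openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.crt" \
        -passout pass: -out "$d/nopw.p12" >/dev/null 2>&1 &&
    openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.crt" \
        -certfile "$d/ca.crt" -passout pass:1234 -out "$d/pin.p12" >/dev/null 2>&1
}

# Run the audit over both sample bundles and clean up afterwards.
demo() {
    tmp=$(mktemp -d) || return 1
    make_samples "$tmp" || { rm -rf "$tmp"; return 1; }
    echo "nopw.p12: $(p12_audit "$tmp/nopw.p12" 1234)"
    echo "pin.p12:  $(p12_audit "$tmp/pin.p12" 1234)"
    rm -rf "$tmp"
}

demo
```

Running `p12_audit` on a bundle downloaded after setting the token PIN should report `protected`; `unprotected` means the empty import password still opens it.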

    Hello Michael,

    Please explain to me: In the moment you need the MOST help, you
    refuse to get help. You try with a lot of effort to do everything on
    your own. Why?

Because I’m not the one in the company who decides to spend money
for :) This will be the internal systems, so there’s no money to earn.
When we are so far to sell services, we’ll also order some consultancy
to check if everything is set up correctly.
Also, when the CA stuff doesn’t work the way we want, we just won’t
use it and use CLI (as before), but the way PI does it, it’s a good
way to roll them out to the user.

Honestly I very much doubt this. At the moment you have a big pain. But
you (your company) are not willing. Why should they be later, when
everything runs smoothly? Well, we will see ;)

Anyways: The PIN is not correctly set during the enrollment of the
token.
You need to

  1. set the PIN on the token details and then
  2. reload the token details.

Then you can download the PKCS12 PIN protected.

PKCS12 is not required to contain a CA certificate.

Kind regards
Cornelius

On Wednesday, 13.07.2016, 11:40 -0700, Michael Muenz wrote:

On Wednesday, 13 July 2016 19:06:14 UTC+2, Cornelius Kölbel wrote:

    > So, I created the CA as documented before and enrolled a certificate
    > token for user e.g. mimu.

    STOP. You say a complicated process very lightly in half a sentence?
    Please think about it yourself: How did you enroll the certificate
    token? There are many different ways to do so. This is important
    information - also to you!

    This is really what makes it very challenging for me to act on the
    mailing list. Because most people do not take a look at what they are
    doing.

OK, I set up a small article with some pictures, hopefully you can
follow me now, sorry for not being clear enough:
http://www.routerperformance.net/howtos/debug-certificates-in-privacyidea/

I checked the privacyidea.log, no traceback (the certificate token
gets created mostly perfect) and apache log is also quiet.

Thanks
Michael

    Here probably is your problem. "You enrolled the certificate token"...
    Did it ever come to your mind, that the problem the certificate token
    does not behave as expected is due to the fact, that the token was not
    enrolled as you thought you would?
    So the logical consequence would be, to take a deeper look at the token
    enrollment process. And not only drop this topic in half a sentence.

    So again. How did you enroll the certificate token?

    I very much recommend for all of you to study physics!
    ...to train your analytic skills...

    Kind regards
    Cornelius
    
    > Now I can download the certificate as PKCS12. Normally this file
    > should include certificate, key and root cert.
    > With a doubleclick I can install the certificate (PKCS12) but when
    > asked for an import pw only an empty password works.
    >
    > Now, when opening the mmc snapin I can see the certificate under Own
    > Certificates. But there's no root ca installed.
    > That's why I tried to extract the root ca from the pkcs12 via openssl,
    > but it's empty.
    >
    > I'm quite sure that with a first test machine with Ubuntu ppa version
    > 2.12 it worked.
    > Now I'm using PiP 2.13
    >
    > Michael
    >
    > On Wednesday, 13 July 2016 18:23:27 UTC+2, Cornelius Kölbel wrote:
    >         The below mentioned link does not contain any pkcs12.
    >
    >         http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html
    >
    >         I am really not sure what you mean here.
    >
    >         Are you talking about the CA certificate, this is the
    >         certificate signing the others?
    >         Or are you talking about a "certificate token", i.e. a user
    >         certificate.
    >
    >         Which PKCS12 did you copy, export CA certificate?
    >         This all makes no sense to me.
    >
    >         But no problem, I also provide great PKI workshops:
    >         https://netknights.it/en/leistungen/one-time-services/
    >
    >         Please note: Certificates is a topic it is very important you
    >         understand the underlying processes, rules and cryptography.
    >         privacyIDEA has very basic certificate management capabilities.
    >         But I am happy, if you help to improve the software.
    >
    >         Kind regards
    >         Cornelius
    >         
    >         On Wednesday, 13.07.2016, 04:44 -0700, Michael Muenz wrote:
    >         > I copied the pkcs12 to the otp machine and exported the CA Cert but
    >         > it's empty.
    >         > There seems to be something wrong, but I'm not sure if it's my
    >         > fault. :/
    >         >
    >         > root@otp1:~# openssl pkcs12 -in CRT000032EE.p12 -cacerts -nokeys -out cacert.pem
    >         > Enter Import Password:
    >         > MAC verified OK
    >         > root@otp1:~# cat cacert.pem
    >         > root@otp1:~#
    >         >
    >         > Did the same with an existing .p12 created for another project and the
    >         > correct root ca was exported.
    >         >
    >         > On Wednesday, 13 July 2016 13:25:22 UTC+2, Michael Muenz wrote:
    >         >         Hm, I followed
    >         >         now: http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html
    >         >
    >         >         mkdir /etc/privacyidea/CA
    >         >         cp /opt/privacyidea/lib/python2.7/site-packages/tests/testdata/ca/openssl.cnf /etc/privacyidea/CA/
    >         >
    >         >         openssl req -days 3650 -new -x509 -keyout /etc/privacyidea/CA/ca.key \
    >         >             -out /etc/privacyidea/CA/ca.crt \
    >         >             -config /etc/privacyidea/CA/openssl.cnf
    >         >
    >         >         chmod 0600 /etc/privacyidea/CA/ca.key
    >         >         touch /etc/privacyidea/CA/index.txt
    >         >         echo 01 > /etc/privacyidea/CA/serial
    >         >         openssl rsa -in ca.key -out ca-nopw.key
    >         >         mv ca-nopw.key ca.key
    >         >         chown -R privacyidea /etc/privacyidea/CA
    >         >
    >         >         I enroll a certificate and set a PW in the PIN field, but I
    >         >         can import it successfully with my W10
    >         >
    >         >         Am Mittwoch, 13. Juli 2016 12:50:38 UTC+2 schrieb 
    >         Cornelius 
    >         >         Kölbel: 
    >         >                 You should clearly state HOW you
    created the 
    >         user 
    >         >                 certificate. 
    >         >                 Especially HOW you created the
    keypair! 
    >         >                 
    >         >                 Am Mittwoch, den 13.07.2016, 03:39 0700  schrieb 
    >         >                 Michael Muenz: 
    >         >                 > :)
    >         >                 >
    >         >                 > No, I removed the password after our last discussion
    >         >                 > (for the testing system)
    >         >                 >
    >         >                 > The certificates get created and I can import them,
    >         >                 > but they don't have a password.
    >         >                 >
    >         >                 > On Wednesday, 13 July 2016 12:38:14 UTC+2, Cornelius Kölbel wrote:
    >         >                 >         To avoid confusion:
    >         >                 >
    >         >                 >         The private key of the CA is not password protected!
    >         >                 >
    >         >                 >         Kind regards
    >         >                 >         Cornelius
    >         >                 >
    >         >                 >         On Wednesday, 13.07.2016, 03:37 -0700, Michael Muenz wrote:
    >         >                 >         > Hi,
    >         >                 >         >
    >         >                 >         > doesn't work for me.
    >         >                 >         >
    >         >                 >         > Hm, with my first setup I remember that it was working, but now when
    >         >                 >         > importing an existing CA there are no import pw's.
    >         >                 >         >
    >         >                 >         > Will try again with a CA from scratch.
    >         >                 >         >
    >         >                 >         > On Wednesday, 13 July 2016 12:16:14 UTC+2, Cornelius Kölbel wrote:
    >         >                 >         >         Hi Michael,
    >         >                 >         >
    >         >                 >         >         this already can be done.
    >         >                 >         >         When setting the token PIN, this will be the password for the
    >         >                 >         >         pkcs12 file.
    >         >                 >         >
    >         >                 >         >         Kind regards
    >         >                 >         >         Cornelius
    >         >                 >         >
    >         >                 >         >         On Wednesday, 13.07.2016, 02:45 -0700, Michael Muenz wrote:
    >         >                 >         >         > Hi,
    >         >                 >         >         >
    >         >                 >         >         > Again playing around with the CA connector.
    >         >                 >         >         > Are there any plans for setting an import password for the generated
    >         >                 >         >         > PKCS12 files?
    >         >                 >         >         >
    >         >                 >         >         > Thanks
    >         >                 >         >         > Michael
    >         >                 >         >         >
    >         >                 >         >         > On Tuesday, 7 June 2016 10:15:14 UTC+2, Cornelius Kölbel wrote:
    >         >                 >         >         >         Hi Michael,
    >         >                 >         >         >
    >         >                 >         >         >         I was thinking the passphrase on the ca key.
    >         >                 >         >         >         In my opinion having a passphrase only makes limited sense.
    >         >                 >         >         >         The passphrase would be encrypted in the database. Encrypted
    >         >                 >         >         >         with the encryption key, which is probably only protected by
    >         >                 >         >         >         file access. So you can protect the ca key with file access in
    >         >                 >         >         >         the first place.
    >         >                 >         >         >
    >         >                 >         >         >         Think of the local ca as a working proof of concept :-)
    >         >                 >         >         >         Any feedback and input is appreciated.
    >         >                 >         >         >
    >         >                 >         >         >         Kind regards
    >         >                 >         >         >         Cornelius
    >         >                 >         >         >
    >         >                 >         >         >         Cornelius Kölbel
    >         >                 >         >         >         +49 151 2960 1417
    >         >                 >         >         >
    >         >                 >         >         >         NetKnights GmbH
    >         >                 >         >         >         Http://NetKnights. It
    >         >                 >         >         >         +49 561 3166 797
    >         >                 >         >         >
    >         >                 >         >         >         -------- Original message --------
    >         >                 >         >         >         From: Michael Muenz <m.m...@gmail.com>
    >         >                 >         >         >         Date: 07.06.16 10:04 (GMT+01:00)
    >         >                 >         >         >         To: privacyidea <priva...@googlegroups.com>
    >         >                 >         >         >         Subject: Re: [privacyidea] CA Connector can't create certificate
    >         >                 >         >         >         
    >         >                 >         >         >         
    >         >                 >         >         >         Ok, removed the line and it works again.
    >         >                 >         >         >         Now I can download the PKCS12.
    >         >                 >         >         >
    >         >                 >         >         >         But I had to remove the password from the ca.key ... will this
    >         >                 >         >         >         be the final version or do you plan some fields in the UI to
    >         >                 >         >         >         enter the password for the root-ca?
    >         >                 >         >         >
    >         >                 >         >         >         Michael
    >         >                 >         >         >         
    >         >                 >         >         >         On Tuesday, June 7, 2016 at 9:59:06 AM UTC+2, Michael Muenz wrote:
    >         >                 >         >         >                 I added the Jessie-Backports since they deliver 0.15,
    >         >                 >         >         >                 but when I wanted to install it, it greps
    >         >                 >         >         >                 python-pyopenssl from the trusty ppa and breaks :)
    >         >                 >         >         >                 After that I forced it with aptitude -t
    >         >                 >         >         >                 jessie-backports and now I get an Internal Server Error
    >         >                 >         >         >                 when accessing the startpage
    >         >                 >         >         >
    >         >                 >         >         >                 [Tue Jun 07 09:53:37.895043 2016] [wsgi:error] [pid 489:tid 139726979172096] /usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning: Unicode column received non-unicode default value.
    >         >                 >         >         >                 [Tue Jun 07 09:53:37.895273 2016] [wsgi:error] [pid 489:tid 139726979172096] default="/etc/privacyidea/dictionary")
    >         >                 >         >         >                 [Tue Jun 07 09:53:37.921642 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Target WSGI script '/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
    >         >                 >         >         >                 [Tue Jun 07 09:53:37.921834 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'.
    >         >                 >         >         >                 [Tue Jun 07 09:53:37.921948 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] Traceback (most recent call last):
    >         >                 >         >         >                 [Tue Jun 07 09:53:37.922116 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
    >         >                 >         >         >                 [Tue Jun 07 09:53:37.922265 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from privacyidea.app import create_app
    >         >                 >         >         >                 [Tue Jun 07 09:53:37.922359 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/app.py", line 28, in <module>
    >         >                 >         >         >                 [Tue Jun 07 09:53:37.922952 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] import privacyidea.api.before_after
    >         >                 >         >         >                 [Tue Jun 07 09:53:37.923097 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py", line 29, in <module>
    >         >                 >         >         >                 [Tue Jun 07 09:53:37.923599 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from ..lib.user import get_user_from_param
    >         >                 >         >         >                 [Tue Jun 07 09:53:37.923697 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", line 55, in <module>
    >         >                 >         >         >                 [Tue Jun 07 09:53:37.924472 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from .resolver import (get_resolver_object,
    >         >                 >         >         >                 [Tue Jun 07 09:53:37.924585 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py", line 47, in <module>
    >         >                 >         >         >                 [Tue Jun 07 09:53:37.925108 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from config import (get_resolver_types,
    >         >                 >         >         >                 [Tue Jun 07 09:53:37.925207 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", line 47, in <module>
    >         >                 >         >         >                 [Tue Jun 07 09:53:37.926073 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from .caconnectors.localca import BaseCAConnector
    >         >                 >         >         >                 [Tue Jun 07 09:53:37.926233 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173
    >         >                 >         >         >                 [Tue Jun 07 09:53:37.926344 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] csr_extensions = csr_obj.get_extensions()
    >         >                 >         >         >                 [Tue Jun 07 09:53:37.926499 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] ^
    >         >                 >         >         >                 [Tue Jun 07 09:53:37.926583 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] IndentationError: unexpected indent
    >         >                 >         >         >
    >         >                 >         >         >                 I think I'm gonna reinstall from scratch ...
    >         >                 >         >         >
    >         >                 >         >         >                 On Monday, June 6, 2016 at 11:36:09 PM UTC+2, Cornelius Kölbel wrote:
    >         >                 >         >         >                 >         The CSR extensions are not used at the moment.
    >         >                 >         >         >                 >
    >         >                 >         >         >                 >         So we could as well remove this line and then
    >         >                 >         >         >                 >         python-openssl 0.14 would work fine, again.
    >         >                 >         >         >                 >
    >         >                 >         >         >                 >         Kind regards
    >         >                 >         >         >                 >         Cornelius
    >         >                 >         >         >                 >
    >         >                 >         >         >                 >         On Monday, 06.06.2016, 13:20 -0700, Michael Muenz wrote:
    >         >                 >         >         >                 >         > ii openssl 1.0.1t-1+deb8u2 amd64 Secure Sockets Layer toolkit - cryptographic utility
    >         >                 >         >         >                 >         > ii python-openssl 0.14-1 all Python 2 wrapper around the OpenSSL library
    >         >                 >         >         >                 >         >
    >         >                 >         >         >                 >         > [2016-06-06 22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
    >         >                 >         >         >                 >         > [2016-06-06 22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
    >         >                 >         >         >                 >         > [2016-06-06 22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
    >         >                 >         >         >                 >         > [2016-06-06 22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
    >         >                 >         >         > 
    >         > 
    >         >                 [2016-06-06 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    >
    22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187] 
    >         >                 >         >         > 
    >         > user 
    >         >                 u'mimu' found in 
    >         >                 >         resolver 
    >         >                 >         >         u'maxadmins' 
    >         >                 >         >         > 
    >         > 
    >         >                 [2016-06-06 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    >
    22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188] 
    >         >                 >         >         > 
    >         > userid 
    >         >                 resolved to 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >
    u'6ce8f8fe-5848-1030-9368-cd33db809b50' 
    >         >                 >         >         > 
    >         > 
    >         >                 [2016-06-06 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    >
    22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187] 
    >         >                 >         >         > 
    >         > user 
    >         >                 u'mimu' found in 
    >         >                 >         resolver 
    >         >                 >         >         u'maxadmins' 
    >         >                 >         >         > 
    >         > 
    >         >                 [2016-06-06 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    >
    22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188] 
    >         >                 >         >         > 
    >         > userid 
    >         >                 resolved to 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >
    u'6ce8f8fe-5848-1030-9368-cd33db809b50' 
    >         >                 >         >         > 
    >         > 
    >         >                 [2016-06-06 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    >
    22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187] 
    >         >                 >         >         > 
    >         > user 
    >         >                 u'mimu' found in 
    >         >                 >         resolver 
    >         >                 >         >         u'maxadmins' 
    >         >                 >         >         > 
    >         > 
    >         >                 [2016-06-06 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    >
    22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188] 
    >         >                 >         >         > 
    >         > userid 
    >         >                 resolved to 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >
    u'6ce8f8fe-5848-1030-9368-cd33db809b50' 
    >         >                 >         >         > 
    >         > 
    >         >                 [2016-06-06 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    >
    22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187] 
    >         >                 >         >         > 
    >         > user 
    >         >                 u'mimu' found in 
    >         >                 >         resolver 
    >         >                 >         >         u'maxadmins' 
    >         >                 >         >         > 
    >         > 
    >         >                 [2016-06-06 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    >
    22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188] 
    >         >                 >         >         > 
    >         > userid 
    >         >                 resolved to 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >
    u'6ce8f8fe-5848-1030-9368-cd33db809b50' 
    >         >                 >         >         > 
    >         > 
    >         >                 [2016-06-06 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    >
    22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187] 
    >         >                 >         >         > 
    >         > user 
    >         >                 u'mimu' found in 
    >         >                 >         resolver 
    >         >                 >         >         u'maxadmins' 
    >         >                 >         >         > 
    >         > 
    >         >                 [2016-06-06 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    >
    22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188] 
    >         >                 >         >         > 
    >         > userid 
    >         >                 resolved to 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >
    u'6ce8f8fe-5848-1030-9368-cd33db809b50' 
    >         >                 >         >         > 
    >         > 
    > [2016-06-06 22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423] Exception on /token/init [POST]
    > Traceback (most recent call last):
    >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    >     response = self.full_dispatch_request()
    >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    >     rv = self.handle_user_exception(e)
    >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    >     reraise(exc_type, exc_value, tb)
    >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    >     rv = self.dispatch_request()
    >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
    >     return self.view_functions[rule.endpoint](**req.view_args)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >     return wrapped_function(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >     return wrapped_function(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >     return wrapped_function(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >     return wrapped_function(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >     return wrapped_function(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >     return wrapped_function(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >     return wrapped_function(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >     return wrapped_function(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >     return wrapped_function(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", line 57, in event_wrapper
    >     f_result = func(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 180, in log_wrapper
    >     f_result = func(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/token.py", line 186, in init
    >     tokenrealms=tokenrealms)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 180, in log_wrapper
    >     f_result = func(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 912, in init_token
    >     tokenobject.update(upd_params)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py", line 218, in update
    >     crypto.FILETYPE_PEM, req))
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173, in sign_request
    >     csr_extensions = csr_obj.get_extensions()
    > AttributeError: 'X509Req' object has no attribute 'get_extensions'
    >
    > On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote:
    >
    > > Hi,
    > >
    > > can you please post your privacyidea.log?
    > > There should be a traceback.
    > >
    > > Which version of pyopenssl and which version of openssl are you using?
    > >
    > > Kind regards
    > > Cornelius
    > >
    > > On Monday, 06.06.2016 at 06:33 -0700, Michael Muenz wrote:
    > >
    >         >                 > Hi, 
    >         >                 >         >         > 
    >         > 
    >         >                 > 
    >         >                 >         >         > 
    >         > 
    >         >                 > 
    >         >                 >         >         > 
    >         > 
    >         >                 > I've set up 
    >         >                 >         the WebCA as 
    >         >                 >         >         described 
    >         >                 >         >         > 
    >         in 
    >         >                 >         >         > 
    >         > 
    >         >                 > 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    >
    http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html 
    >         >                 >         >         > 
    >         > 
    >         >                 > 
    >         >                 >         >         > 
    >         > 
    >         >                 > 
    >         >                 >         >         > 
    >         > 
    >         >                 > 
    >         >                 >         >         > 
    >         > 
    >         >                 > When I try to 
    >         >                 >         roll out a 
    >         >                 >         >         new 
    >         >                 >         >         > 
    >         >                 > certificate I get:
    >         >                 > 'X509Req' object has no attribute 'get_extensions'
    >         >                 >
    >         >                 > There's no certificate but the token will be displayed within the token view.
    >         >                 >
    >         >                 > Google tells me about some "wont fixes" with PyOpenSSL.
    >         >                 >
    >         >                 > I'm using Debian 8 with latest packages from Trusty build.
    >         >                 >
    >         >                 > Any ideas?
    >         >                 >
    >         >                 > Thanks
    >         >                 > Michael


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea+unsubscribe@googlegroups.com.
To post to this group, send email to privacyidea@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit
https://groups.google.com/d/msgid/privacyidea/6366a308-d759-4698-b199-e5af5f13d6b8%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Hm, I followed now:
http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html

mkdir /etc/privacyidea/CA
cp /opt/privacyidea/lib/python2.7/site-packages/tests/testdata/ca/openssl.cnf /etc/privacyidea/CA/

openssl req -days 3650 -new -x509 -keyout /etc/privacyidea/CA/ca.key \
    -out /etc/privacyidea/CA/ca.crt \
    -config /etc/privacyidea/CA/openssl.cnf
chmod 0600 /etc/privacyidea/CA/ca.key
touch /etc/privacyidea/CA/index.txt
echo 01 > /etc/privacyidea/CA/serial
openssl rsa -in ca.key -out ca-nopw.key
mv ca-nopw.key ca.key
chown -R privacyidea /etc/privacyidea/CA

I enroll a certificate and set a PW in the PIN field, but I can import it
successfully with my W10

On Wednesday, 13 July 2016 12:50:38 UTC+2, Cornelius Kölbel wrote:

You should clearly state HOW you created the user certificate.
Especially HOW you created the keypair!

On Wednesday, 13.07.2016, 03:39 -0700, Michael Muenz wrote:

:slight_smile:

No, I removed the password after our last discussion (for the testing
system)

The certificates get created and I can import them, but they don’t
have a password.

On Wednesday, 13 July 2016 12:38:14 UTC+2, Cornelius Kölbel wrote:
To avoid confusion:

    The private key of the CA is not password protected! 
    
    Kind regards 
    Cornelius 
    
    On Wednesday, 13.07.2016, 03:37 -0700, Michael Muenz wrote:
    > Hi,
    >
    > doesn't work for me.
    >
    > Hm, with my first setup I remember that it was working, but now when
    > importing an existing CA there are no import pw's.
    >
    > Will try again with a CA from scratch.
    >
    > On Wednesday, 13 July 2016 12:16:14 UTC+2, Cornelius Kölbel wrote:
    >         Hi Michael,
    >
    >         this already can be done.
    >         When setting the token PIN, this will be the password for the
    >         pkcs12 file.
    >
    >         Kind regards
    >         Cornelius
    >
    >         On Wednesday, 13.07.2016, 02:45 -0700, Michael Muenz wrote:
    >         > Hi,
    >         >
    >         > Again playing around with the CA connector.
    >         > Are there any plans for setting an import password for the
    >         > generated PKCS12 files?
    >         >
    >         > Thanks
    >         > Michael
    >         >
    >         > On Tuesday, 7 June 2016 10:15:14 UTC+2, Cornelius Kölbel wrote:
    >         >         Hi Michael,
    >         >
    >         >         I was thinking the passphrase on the ca key.
    >         >         In my opinion having a passphrase only makes limited sense.
    >         >         The passphrase would be encrypted in the database. Encrypted
    >         >         with the encryption key, which is probably only protected by
    >         >         file access. So you can protect the ca key with file access in
    >         >         the first place.
    >         >
    >         >         Think of the local ca as a working proof of concept :-)
    >         >         Any feedback and input is appreciated.
    >         >
    >         >         Kind regards
    >         >         Cornelius
    >         >
    >         >         Cornelius Kölbel
    >         >         +49 151 2960 1417
    >         >
    >         >         NetKnights GmbH
    >         >         http://NetKnights.it
    >         >         +49 561 3166 797
    >         >
    >         >         -------- Original message --------
    >         >         From: Michael Muenz <m.m...@gmail.com>
    >         >         Date: 07.06.16 10:04 (GMT+01:00)
    >         >         To: privacyidea <priva...@googlegroups.com>
    >         >         Subject: Re: [privacyidea] CA Connector can't create certificate
    >         >
    >         >         Ok, removed the line and it works again.
    >         >         Now I can download the PKCS12.
    >         >
    >         >         But I had to remove the password from the ca.key ... will this
    >         >         be the final version or do you plan some fields in the UI to
    >         >         enter the password for the root-ca?
    >         >
    >         >         Michael
    >         >
    >         >         On Tuesday, June 7, 2016 at 9:59:06 AM UTC+2, Michael Muenz wrote:
    >         >                 I added the Jessie-Backports since they deliver 0.15,
    >         >                 but when I wanted to install it, it greps
    >         >                 python-pyopenssl from the trusty ppa and breaks :)
    >         >                 After that I forced it with aptitude -t
    >         >                 jessie-backports and now I get an Internal Server Error
    >         >                 when accessing the startpage
    >         >
    >         >                 [Tue Jun 07 09:53:37.895043 2016] [wsgi:error] [pid 489:tid 139726979172096] /usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning: Unicode column received non-unicode default value.
    >         >                 [Tue Jun 07 09:53:37.895273 2016] [wsgi:error] [pid 489:tid 139726979172096] default="/etc/privacyidea/dictionary")
    >         >                 [Tue Jun 07 09:53:37.921642 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Target WSGI script '/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
    >         >                 [Tue Jun 07 09:53:37.921834 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'.
    >         >                 [Tue Jun 07 09:53:37.921948 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] Traceback (most recent call last):
    >         >                 [Tue Jun 07 09:53:37.922116 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
    >         >                 [Tue Jun 07 09:53:37.922265 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from privacyidea.app import create_app
    >         >                 [Tue Jun 07 09:53:37.922359 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/app.py", line 28, in <module>
    >         >                 [Tue Jun 07 09:53:37.922952 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] import privacyidea.api.before_after
    >         >                 [Tue Jun 07 09:53:37.923097 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py", line 29, in
    >         >                 [Tue Jun 07 09:53:37.923599 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from ..lib.user import get_user_from_param
    >         >                 [Tue Jun 07 09:53:37.923697 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", line 55, in <module>
    >         >                 [Tue Jun 07 09:53:37.924472 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from .resolver import (get_resolver_object,
    >         >                 [Tue Jun 07 09:53:37.924585 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py", line 47, in
    >         >                 [Tue Jun 07 09:53:37.925108 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from config import (get_resolver_types,
    >         >                 [Tue Jun 07 09:53:37.925207 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", line 47, in <module>
    >         >                 [Tue Jun 07 09:53:37.926073 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from .caconnectors.localca import BaseCAConnector
    >         >                 [Tue Jun 07 09:53:37.926233 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173
    >         >                 [Tue Jun 07 09:53:37.926344 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] csr_extensions = csr_obj.get_extensions()
    >         >                 [Tue Jun 07 09:53:37.926499 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] ^
    >         >                 [Tue Jun 07 09:53:37.926583 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] IndentationError: unexpected indent
    >         >
    >         >                 I think I'm gonna reinstall from scratch ...
    >         >                 
    >         >                 On Monday, June 6, 2016 at 11:36:09 PM UTC+2, Cornelius Kölbel wrote:
    >         >                         The CSR extensions are not used at the moment.
    >         >                         
    >         >                         So we could as well remove this line and then python-openssl 0.14 would work fine, again.
    >         >                         
    >         >                         Kind regards
    >         >                         Cornelius
    >         >                         
    >         >                         On Monday, 06.06.2016, at 13:20 -0700, Michael Muenz wrote:
    >         >                         > ii  openssl         1.0.1t-1+deb8u2  amd64  Secure Sockets Layer toolkit - cryptographic utility
    >         >                         > ii  python-openssl  0.14-1           all    Python 2 wrapper around the OpenSSL library
    >         >                         > 
    >         >                         > [2016-06-06 22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423] Exception on /token/init [POST]
    >         >                         > Traceback (most recent call last):
    >         >                         >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    >         >                         >     response = self.full_dispatch_request()
    >         >                         >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    >         >                         >     rv = self.handle_user_exception(e)
    >         >                         >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    >         >                         >     reraise(exc_type, exc_value, tb)
    >         >                         >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    >         >                         >     rv = self.dispatch_request()
    >         >                         >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
    >         >                         >     return self.view_functions[rule.endpoint](**req.view_args)
    >         >                         >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >         >                         >     return wrapped_function(*args, **kwds)
    >         >                         >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >         >                         >     return wrapped_function(*args, **kwds)
    >         >                         >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >         >                         >     return wrapped_function(*args, **kwds)
    >         >                         >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >         >                         >     return wrapped_function(*args, **kwds)
    >         >                         >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >         >                         >     return wrapped_function(*args, **kwds)
    >         >                         >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >         >                         >     return wrapped_function(*args, **kwds)
    >         >                         >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >         >                         >     return wrapped_function(*args, **kwds)
    >         >                         >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >         >                         >     return wrapped_function(*args, **kwds)
    >         >                         >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >         >                         >     return wrapped_function(*args, **kwds)
    >         >                         >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", line 57, in event_wrapper
    >         >                         >     f_result = func(*args, **kwds)
    >         >                         >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 180, in log_wrapper
    >         >                         >     f_result = func(*args, **kwds)
    >         >                         >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/token.py", line 186, in init
    >         >                         >     tokenrealms=tokenrealms)
    >         >                         >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 180, in log_wrapper
    >         >                         >     f_result = func(*args, **kwds)
    >         >                         >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 912, in init_token
    >         >                         >     tokenobject.update(upd_params)
    >         >                         >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py", line 218, in update
    >         >                         >     crypto.FILETYPE_PEM, req))
    >         >                         >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173, in sign_request
    >         >                         >     csr_extensions = csr_obj.get_extensions()
    >         >                         > AttributeError: 'X509Req' object has no attribute 'get_extensions'
    >         >                         > 
    >         >                         > On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote:
    >         >                         >         Hi,
    >         >                         >         
    >         >                         >         can you please post your privacyidea.log?
    >         >                         >         There should be a traceback.
    >         >                         >         
    >         >                         >         Which version of pyopenssl and which version of openssl are you using?
    >         >                         >         
    >         >                         >         Kind regards
    >         >                         >         Cornelius
    >         >                         >         
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 



I copied the pkcs12 to the otp machine and exported the CA Cert but it’s
empty.
There seems to be something wrong, but I’m not sure if it’s my fault. :confused:

root@otp1:~# openssl pkcs12 -in CRT000032EE.p12 -cacerts -nokeys -out cacert.pem
Enter Import Password:
MAC verified OK
root@otp1:~# cat cacert.pem
root@otp1:~#

Did the same with an existing .p12 created for another project and the
correct root ca was exported.

On Wednesday, 13 July 2016 13:25:22 UTC+2, Michael Muenz wrote:

Hm, I followed now:
http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html

mkdir /etc/privacyidea/CA
cp /opt/privacyidea/lib/python2.7/site-packages/tests/testdata/ca/openssl.cnf /etc/privacyidea/CA/

openssl req -days 3650 -new -x509 -keyout /etc/privacyidea/CA/ca.key \
    -out /etc/privacyidea/CA/ca.crt \
    -config /etc/privacyidea/CA/openssl.cnf
chmod 0600 /etc/privacyidea/CA/ca.key
touch /etc/privacyidea/CA/index.txt
echo 01 > /etc/privacyidea/CA/serial
openssl rsa -in ca.key -out ca-nopw.key
mv ca-nopw.key ca.key
chown -R privacyidea /etc/privacyidea/CA

I enroll a certificate and set a PW in the PIN field, but I can import it
successfully with my W10
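
The two properties questioned in the messages above, whether a PKCS#12 file has a non-empty import password and whether it contains any CA certificates, can be checked with the openssl CLI. This is an added example, not part of the thread or of privacyIDEA; the throwaway CA, the file names and the password demo-pin are constructed, and it assumes openssl is on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread. The CA, file names and the password
# "demo-pin" are constructed; everything lives in a temporary directory.

# Exit status 0 if FILE can be opened with an empty import password.
p12_empty_password() {
    openssl pkcs12 -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Print the number of CA certificates in FILE, using the same
# "-cacerts -nokeys" selection as the command quoted in the thread.
# A wrong PASSWORD also prints 0, so check the password first.
p12_ca_count() {
    openssl pkcs12 -in "$1" -cacerts -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# One-line summary for FILE, opened with PASSWORD.
p12_report() {
    if p12_empty_password "$1"; then
        pw="EMPTY import password"
    else
        pw="import password set"
    fi
    echo "$(basename "$1"): $pw, $(p12_ca_count "$1" "$2") CA certificate(s)"
}

# Build a throwaway CA, one user certificate and two PKCS#12 bundles in DIR:
#   nopw-noca.p12  empty password, user certificate only
#   pin-ca.p12     password "demo-pin", CA certificate added via -certfile
make_demo() {
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null &&
    openssl req -newkey rsa:2048 -nodes -subj "/CN=demo-user" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null &&
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 1 -days 1 -out "$d/user.crt" 2>/dev/null &&
    openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.crt" \
        -passout pass: -out "$d/nopw-noca.p12" &&
    openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.crt" \
        -certfile "$d/ca.crt" -passout pass:demo-pin -out "$d/pin-ca.p12"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT
make_demo "$demo_dir"
p12_report "$demo_dir/nopw-noca.p12" ""
p12_report "$demo_dir/pin-ca.p12" "demo-pin"
```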

On Wednesday, 13 July 2016 12:50:38 UTC+2, Cornelius Kölbel wrote:

You should clearly state HOW you created the user certificate.
Especially HOW you created the keypair!

On Wednesday, 13.07.2016, at 03:39 -0700, Michael Muenz wrote:

:slight_smile:

No, I removed the password after our last discussion (for the testing
system)

The certificates get created and I can import them, but they don’t
have a password.

On Wednesday, 13 July 2016 12:38:14 UTC+2, Cornelius Kölbel wrote:
To avoid confusion:

    The private key of the CA is not password protected! 
    
    Kind regards 
    Cornelius 
    
    Am Mittwoch, den 13.07.2016, 03:37 -0700 schrieb Michael 
    Muenz: 
    > Hi, 
    > 
    > 
    > doesn't work for me. 
    > 
    > 
    > Hm, with my first setup I remember that it was working, but 
    now when 
    > importing an existing CA there are no import pw's. 
    > 
    > 
    > Will try again with a CA from scratch. 
    > 
    > 
    > 
    > Am Mittwoch, 13. Juli 2016 12:16:14 UTC+2 schrieb Cornelius 
    Kölbel: 
    >         Hi Michael, 
    >         
    >         this already can be done. 
    >         When setting the token PIN, this will be the 
    password for the 
    >         pkcs12 
    >         file. 
    >         
    >         Kind regards 
    >         Cornelius 
    >         
    >         Am Mittwoch, den 13.07.2016, 02:45 -0700 schrieb 
    Michael 
    >         Muenz: 
    >         > Hi, 
    >         > 
    >         > 
    >         > Again playing around with the CA connector. 
    >         > Are there any plans for setting an import password 
    for the 
    >         generated 
    >         > PKCS12 files? 
    >         > 
    >         > 
    >         > Thanks 
    >         > Michael 
    >         > 
    >         > Am Dienstag, 7. Juni 2016 10:15:14 UTC+2 schrieb 
    Cornelius 
    >         Kölbel: 
    >         >         Hi Michael, 
    >         >         
    >         >         
    >         >         I was thinking the passphrase on the ca 
    key. 
    >         >         In my opinion having a passphtase only 
    makes limited 
    >         sense. 
    >         >         The passphrase would be encrypted in the 
    database. 
    >          Encrypted 
    >         >         with the encryption key, which is probably 
    only 
    >         protected by 
    >         >         file access. So you can protect the ca key 
    with file 
    >         access in 
    >         >         the first place. 
    >         >         
    >         >         
    >         >         Think of the local ca as a working proof 
    of concept 
    >          :-) 
    >         >         Any feedback and input is appreciated. 
    >         >         
    >         >         
    >         >         Kind regards 
    >         >         Cornelius 
    > > > > -------- Original message --------
    > > > > From: Michael Muenz <m.m...@gmail.com>
    > > > > Date: 07.06.16 10:04 (GMT+01:00)
    > > > > To: privacyidea <priva...@googlegroups.com>
    > > > > Subject: Re: [privacyidea] CA Connector can't create certificate
    > > > >
    > > > > Ok, removed the line and it works again.
    > > > > Now I can download the PKCS12.
    > > > >
    > > > > But I had to remove the password from the ca.key ... will this be
    > > > > the final version or do you plan some fields in the UI to enter the
    > > > > password for the root-ca?
    > > > >
    > > > > Michael
    > > > >
    > > > > On Tuesday, June 7, 2016 at 9:59:06 AM UTC+2, Michael Muenz wrote:
    > > > > > I added the Jessie-Backports since they deliver 0.15, but when I
    > > > > > wanted to install it, it greps python-pyopenssl from the trusty
    > > > > > ppa and breaks :)
    > > > > > After that I forced it with aptitude -t jessie-backports and now I
    > > > > > get an Internal Server Error when accessing the startpage
    > > > > >
    > > > > > [Tue Jun 07 09:53:37.895043 2016] [wsgi:error] [pid 489:tid 139726979172096] /usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning: Unicode column received non-unicode default value.
    > > > > > [Tue Jun 07 09:53:37.895273 2016] [wsgi:error] [pid 489:tid 139726979172096]   default="/etc/privacyidea/dictionary")
    > > > > > [Tue Jun 07 09:53:37.921642 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Target WSGI script '/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
    > > > > > [Tue Jun 07 09:53:37.921834 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'.
    > > > > > [Tue Jun 07 09:53:37.921948 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] Traceback (most recent call last):
    > > > > > [Tue Jun 07 09:53:37.922116 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
    > > > > > [Tue Jun 07 09:53:37.922265 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     from privacyidea.app import create_app
    > > > > > [Tue Jun 07 09:53:37.922359 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/app.py", line 28, in <module>
    > > > > > [Tue Jun 07 09:53:37.922952 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     import privacyidea.api.before_after
    > > > > > [Tue Jun 07 09:53:37.923097 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py", line 29, in <module>
    > > > > > [Tue Jun 07 09:53:37.923599 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     from ..lib.user import get_user_from_param
    > > > > > [Tue Jun 07 09:53:37.923697 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", line 55, in <module>
    > > > > > [Tue Jun 07 09:53:37.924472 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     from .resolver import (get_resolver_object,
    > > > > > [Tue Jun 07 09:53:37.924585 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py", line 47, in <module>
    > > > > > [Tue Jun 07 09:53:37.925108 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     from config import (get_resolver_types,
    > > > > > [Tue Jun 07 09:53:37.925207 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", line 47, in <module>
    > > > > > [Tue Jun 07 09:53:37.926073 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     from .caconnectors.localca import BaseCAConnector
    > > > > > [Tue Jun 07 09:53:37.926233 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173
    > > > > > [Tue Jun 07 09:53:37.926344 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     csr_extensions = csr_obj.get_extensions()
    > > > > > [Tue Jun 07 09:53:37.926499 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     ^
    > > > > > [Tue Jun 07 09:53:37.926583 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] IndentationError: unexpected indent
    > > > > >
    > > > > > I think I'm gonna reinstall from scratch ...
    > > > > >
    > > > > > On Monday, June 6, 2016 at 11:36:09 PM UTC+2, Cornelius Kölbel wrote:
    > > > > > > The CSR extensions are not used at the moment.
    > > > > > >
    > > > > > > So we could as well remove this line and then python-openssl 0.14
    > > > > > > would work fine, again.
    > > > > > >
    > > > > > > Kind regards
    > > > > > > Cornelius
    > > > > > >
    > > > > > > On Monday, 06.06.2016, 13:20 -0700, Michael Muenz wrote:
    > > > > > > > ii  openssl         1.0.1t-1+deb8u2  amd64  Secure Sockets Layer toolkit - cryptographic utility
    > > > > > > > ii  python-openssl  0.14-1           all    Python 2 wrapper around the OpenSSL library
    > > > > > > >
    > > > > > > > [2016-06-06 22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423] Exception on /token/init [POST]
    > > > > > > > Traceback (most recent call last):
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    > > > > > > >     response = self.full_dispatch_request()
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    > > > > > > >     rv = self.handle_user_exception(e)
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    > > > > > > >     reraise(exc_type, exc_value, tb)
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    > > > > > > >     rv = self.dispatch_request()
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
    > > > > > > >     return self.view_functions[rule.endpoint](**req.view_args)
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    > > > > > > >     return wrapped_function(*args, **kwds)
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    > > > > > > >     return wrapped_function(*args, **kwds)
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    > > > > > > >     return wrapped_function(*args, **kwds)
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    > > > > > > >     return wrapped_function(*args, **kwds)
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    > > > > > > >     return wrapped_function(*args, **kwds)
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    > > > > > > >     return wrapped_function(*args, **kwds)
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    > > > > > > >     return wrapped_function(*args, **kwds)
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    > > > > > > >     return wrapped_function(*args, **kwds)
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    > > > > > > >     return wrapped_function(*args, **kwds)
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", line 57, in event_wrapper
    > > > > > > >     f_result = func(*args, **kwds)
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 180, in log_wrapper
    > > > > > > >     f_result = func(*args, **kwds)
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/token.py", line 186, in init
    > > > > > > >     tokenrealms=tokenrealms)
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 180, in log_wrapper
    > > > > > > >     f_result = func(*args, **kwds)
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 912, in init_token
    > > > > > > >     tokenobject.update(upd_params)
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py", line 218, in update
    > > > > > > >     crypto.FILETYPE_PEM, req))
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173, in sign_request
    > > > > > > >     csr_extensions = csr_obj.get_extensions()
    > > > > > > > AttributeError: 'X509Req' object has no attribute 'get_extensions'
    > > > > > > >
    > > > > > > > On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote:
    > > > > > > > > Hi,
    > > > > > > > >
    > > > > > > > > can you please post your privacyidea.log?
    > > > > > > > > There should be a traceback.
    > > > > > > > >
    > > > > > > > > Which version of pyopenssl and which version of openssl are you using?
    > > > > > > > >
    > > > > > > > > Kind regards
    > > > > > > > > Cornelius
    > > > > > > > >
    > > > > > > > > On Monday, 06.06.2016, 06:33 -0700, Michael Muenz wrote:
    > > > > > > > > > Hi,
    > > > > > > > > >
    > > > > > > > > > I've set up the WebCA as described in
    > > > > > > > > > http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html
    > > > > > > > > >
    > > > > > > > > > When I try to roll out a new certificate I get:
    > > > > > > > > > 'X509Req' object has no attribute 'get_extensions'
    > > > > > > > > >
    > > > > > > > > > There's no certificate but the token will be displayed within the
    > > > > > > > > > token view.
    > > > > > > > > >
    > > > > > > > > > Google tells me about some "wont fixes" with PyOpenSSL.
    > > > > > > > > >
    > > > > > > > > > I'm using Debian 8 with latest packages from Trusty build.
    > > > > > > > > >
    > > > > > > > > > Any ideas?
    > > > > > > > > >
    > > > > > > > > > Thanks
    > > > > > > > > > Michael
    send email 
    >         to 
    >         > 
    priva...@googlegroups.com. 
    >         >                         > Visit this group at 
    >         > 
    >         

Cornelius,

I’ll definitely order some hours when the first server goes into
production, but for now I’m evaluating all features internally here.

So, I created the CA as documented before and enrolled a certificate token
for user e.g. mimu.
Now I can download the certificate as PKCS12. Normally this file should
include certificate, key and root cert.
With a double-click I can install the certificate (PKCS12), but when asked
for an import pw only an empty password works.

Now, when opening the mmc snapin I can see the certificate under Own
Certificates. But there’s no root ca installed.
That’s why I tried to extract the root ca from the pkcs12 via openssl, but
it’s empty.

I’m quite sure that with a first test machine with Ubuntu ppa version 2.12
it worked.
Now I’m using PiP 2.13

Michael

On Wednesday, 13 July 2016 18:23:27 UTC+2, Cornelius Kölbel wrote:

The below mentioned link does not contain any pkcs12.

http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html

I am really not sure what you mean here.

Are you talking about the CA certificate, this is the certificate
signing the others?
Or are you talking about a “certificate token”, i.e. a user certificate?

Which PKCS12 did you copy, export CA certificate?
This all makes no sense to me.

But no problem, I also provide great PKI workshops:
https://netknights.it/en/leistungen/one-time-services/

Please note: Certificates are a topic where it is very important that you
understand the underlying processes, rules and cryptography.
privacyIDEA has very basic certificate management capabilities.
But I am happy, if you help to improve the software.

Kind regards
Cornelius

On Wednesday, 13.07.2016, 04:44 -0700, Michael Muenz wrote:

I copied the pkcs12 to the otp machine and exported the CA Cert but
it’s empty.
There seems to be something wrong, but I’m not sure if it’s my
fault. :confused:

    root@otp1:~# openssl pkcs12 -in CRT000032EE.p12 -cacerts -nokeys -out cacert.pem
    Enter Import Password:
    MAC verified OK
    root@otp1:~# cat cacert.pem
    root@otp1:~#

Did the same with an existing .p12 created for another project and the
correct root ca was exported.

On Wednesday, 13 July 2016 13:25:22 UTC+2, Michael Muenz wrote:

Hm, I followed now:
http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html

    mkdir /etc/privacyidea/CA
    cp /opt/privacyidea/lib/python2.7/site-packages/tests/testdata/ca/openssl.cnf /etc/privacyidea/CA/

    openssl req -days 3650 -new -x509 \
                -keyout /etc/privacyidea/CA/ca.key \
                -out /etc/privacyidea/CA/ca.crt \
                -config /etc/privacyidea/CA/openssl.cnf

    chmod 0600 /etc/privacyidea/CA/ca.key
    touch /etc/privacyidea/CA/index.txt
    echo 01 > /etc/privacyidea/CA/serial
    # write the CA key back out without a passphrase
    openssl rsa -in ca.key -out ca-nopw.key
    mv ca-nopw.key ca.key
    chown -R privacyidea /etc/privacyidea/CA
    
    
    
    
    
    
I enroll a certificate and set a PW in the PIN field, but I
can import it successfully with my W10

On Wednesday, 13 July 2016 12:50:38 UTC+2, Cornelius Kölbel wrote:

You should clearly state HOW you created the user certificate.
Especially HOW you created the keypair!
            
On Wednesday, 13.07.2016, 03:39 -0700, Michael Muenz wrote:
> :)
>
> No, I removed the password after our last discussion (for the testing
> system)
>
> The certificates get created and I can import them, but they don't
> have a password.
>
> On Wednesday, 13 July 2016 12:38:14 UTC+2, Cornelius Kölbel wrote:
> > To avoid confusion:
> >
> > The private key of the CA is not password protected!
> >
> > Kind regards
> > Cornelius
> >
> > On Wednesday, 13.07.2016, 03:37 -0700, Michael Muenz wrote:
> > > Hi,
> > >
> > > doesn't work for me.
> > >
> > > Hm, with my first setup I remember that it was working, but now when
> > > importing an existing CA there are no import pw's.
> > >
> > > Will try again with a CA from scratch.
> > >
> > > On Wednesday, 13 July 2016 12:16:14 UTC+2, Cornelius Kölbel wrote:
> > > > Hi Michael,
> > > >
> > > > this already can be done.
> > > > When setting the token PIN, this will be the password for the
> > > > pkcs12 file.
> > > >
> > > > Kind regards
> > > > Cornelius
> > > >
> > > > On Wednesday, 13.07.2016, 02:45 -0700, Michael Muenz wrote:
> > > > > Hi,
> > > > >
> > > > > Again playing around with the CA connector.
> > > > > Are there any plans for setting an import password for the
> > > > > generated PKCS12 files?
> > > > >
> > > > > Thanks
> > > > > Michael
> > > > >
> > > > > On Tuesday, 7 June 2016 10:15:14 UTC+2, Cornelius Kölbel wrote:
> > > > > > Hi Michael,
> > > > > >
> > > > > > I was thinking the passphrase on the ca key.
> > > > > > In my opinion having a passphrase only makes limited sense.
> > > > > > The passphrase would be encrypted in the database. Encrypted
> > > > > > with the encryption key, which is probably only protected by
> > > > > > file access. So you can protect the ca key with file access in
> > > > > > the first place.
> > > > > >
> > > > > > Think of the local ca as a working proof of concept :-)
> > > > > > Any feedback and input is appreciated.
> > > > > >
> > > > > > Kind regards
> > > > > > Cornelius
> > > > > >
> > > > > > Cornelius Kölbel
> > > > > > +49 151 2960 1417
> > > > > >
> > > > > > NetKnights GmbH
> > > > > > Http://NetKnights. It
> > > > > > +49 561 3166 797
> > > > > >
> > > > > > -------- Original message --------
> > > > > > From: Michael Muenz <m.m...@gmail.com>
> > > > > > Date: 07.06.16 10:04 (GMT+01:00)
> > > > > > To: privacyidea <priva...@googlegroups.com>
> > > > > > Subject: Re: [privacyidea] CA Connector can't create certificate
> > > > > >
> > > > > > Ok, removed the line and it works again.
> > > > > > Now I can download the PKCS12.
> > > > > >
> > > > > > But I had to remove the password from the ca.key ... will this
> > > > > > be the final version or do you plan some fields in the UI to
> > > > > > enter the password for the root-ca?
> > > > > >
> > > > > > Michael
> > > > > >
> > > > > > On Tuesday, June 7, 2016 at 9:59:06 AM UTC+2, Michael Muenz wrote:
> > > > > > > I added the Jessie-Backports since they deliver 0.15,
> > > > > > > but when I wanted to install it, it greps python-pyopenssl
> > > > > > > from the trusty ppa and breaks :)
> > > > > > > After that I forced it with aptitude -t jessie-backports
> > > > > > > and now I get an Internal Server Error when accessing the
> > > > > > > startpage
> > > > > > >
> > > > > > > [Tue Jun 07 09:53:37.895043 2016] [wsgi:error] [pid 489:tid 139726979172096] /usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning: Unicode column received non-unicode default value.
> > > > > > > [Tue Jun 07 09:53:37.895273 2016] [wsgi:error] [pid 489:tid 139726979172096] default="/etc/privacyidea/dictionary")
> > > > > > > [Tue Jun 07 09:53:37.921642 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Target WSGI script '/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
> > > > > > > [Tue Jun 07 09:53:37.921834 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'.
> > > > > > > [Tue Jun 07 09:53:37.921948 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] Traceback (most recent call last):
> > > > > > > [Tue Jun 07 09:53:37.922116 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
> > > > > > > [Tue Jun 07 09:53:37.922265 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from privacyidea.app import create_app
> > > > > > > [Tue Jun 07 09:53:37.922359 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/app.py", line 28, in <module>
> > > > > > > [Tue Jun 07 09:53:37.922952 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] import privacyidea.api.before_after
> > > > > > > [Tue Jun 07 09:53:37.923097 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py", line 29, in <module>
> > > > > > > [Tue Jun 07 09:53:37.923599 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from ..lib.user import get_user_from_param
> > > > > > > [Tue Jun 07 09:53:37.923697 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", line 55, in <module>
> > > > > > > [Tue Jun 07 09:53:37.924472 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from .resolver import (get_resolver_object,
> > > > > > > [Tue Jun 07 09:53:37.924585 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py", line 47, in <module>
> > > > > > > [Tue Jun 07 09:53:37.925108 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from config import (get_resolver_types,
> > > > > > > [Tue Jun 07 09:53:37.925207 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", line 47, in <module>
> > > > > > > [Tue Jun 07 09:53:37.926073 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from .caconnectors.localca import BaseCAConnector
> > > > > > > [Tue Jun 07 09:53:37.926233 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173
> > > > > > > [Tue Jun 07 09:53:37.926344 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] csr_extensions = csr_obj.get_extensions()
> > > > > > > [Tue Jun 07 09:53:37.926499 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] ^
> > > > > > > [Tue Jun 07 09:53:37.926583 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] IndentationError: unexpected indent
> > > > > > >
> > > > > > > I think I'm gonna reinstall from scratch ...
> > > > > > >
> > > > > > > On Monday, June 6, 2016 at 11:36:09 PM UTC+2, Cornelius Kölbel wrote:
> > > > > > > > The CSR extensions are not used at the moment.
> > > > > > > >
> > > > > > > > So we could as well remove this line and then
> > > > > > > > python-openssl 0.14 would work fine, again.
> > > > > > > >
> > > > > > > > Kind regards
> > > > > > > > Cornelius
> > > > > > > >
> > > > > > > > On Monday, 06.06.2016, 13:20 -0700, Michael Muenz wrote:
> > > > > > > > > ii  openssl         1.0.1t-1+deb8u2  amd64  Secure Sockets Layer toolkit - cryptographic utility
> > > > > > > > > ii  python-openssl  0.14-1           all    Python 2 wrapper around the OpenSSL library
> > > > > > > > >
> > > > > > > > > [2016-06-06 22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
> > > > > > > > > [2016-06-06 22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
> > > > > > > > > [2016-06-06 22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
> > > > > > > > > [2016-06-06 22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
> > > > > > > > > [2016-06-06 22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
> > > > > > > > > [2016-06-06 22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
> > > > > > > > > [2016-06-06 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
> > > > > > > > > [2016-06-06 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
> > > > > > > > > [2016-06-06 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
> > > > > > > > > [2016-06-06 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
> > > > > > > > > [2016-06-06 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
> > > > > > > > > [2016-06-06 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
> > > > > > > > > [2016-06-06 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
> > > > > > > > > [2016-06-06 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
> > > > > > > > > [2016-06-06 22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423] Exception on /token/init [POST]
> > > > > > > > > Traceback (most recent call last):
> > > > > > > > >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
> > > > > > > > >     response = self.full_dispatch_request()
            >         >         >                         > 
            File 
            >         >         > 
            >         > 
            "/usr/lib/python2.7/dist-packages/flask/app.py", 
            >         line 1477, 
            >         >         in 
            >         >         >                         > 
            full_dispatch_request 
            >         >         >                         >     rv 
            = 
            >         >         self.handle_user_exception(e) 
            >         >         >                         > 
            File 
            >         >         > 
            >         > 
            "/usr/lib/python2.7/dist-packages/flask/app.py", 
            >         line 1381, 
            >         >         in 
            >         >         >                         > 
            handle_user_exception 
            >         >         >                         > 
            reraise(exc_type, 
            >         exc_value, 
            >         >         tb) 
            >         >         >                         > 
            File 
            >         >         > 
            >         > 
            "/usr/lib/python2.7/dist-packages/flask/app.py", 
            >         line 1475, 
            >         >         in 
            >         >         >                         > 
            full_dispatch_request 
            >         >         >                         >     rv 
            = 
            >         self.dispatch_request() 
            >         >         >                         > 
            File 
            >         >         > 
            >         > 
            "/usr/lib/python2.7/dist-packages/flask/app.py", 
            >         line 1461, 
            >         >         in 
            >         >         >                         > 
            dispatch_request 
            >         >         >                         > 
            return 
            >         >         > 
            >         > 
            self.view_functions[rule.endpoint](**req.view_args) 
            >         >         >                         > 
            File 
            >         >         >                         > 
            >         >         > 
            >         > 
            > 

“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,

            >         >         >                         > line 
            104, in 
            >         policy_wrapper 
            >         >         >                         > 
            return 
            >         wrapped_function(*args, 
            >         >         **kwds) 
            >         >         >                         > 
            File 
            >         >         >                         > 
            >         >         > 
            >         > 
            > 

“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,

            >         >         >                         > line 
            104, in 
            >         policy_wrapper 
            >         >         >                         > 
            return 
            >         wrapped_function(*args, 
            >         >         **kwds) 
            >         >         >                         > 
            File 
            >         >         >                         > 
            >         >         > 
            >         > 
            > 

“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,

            >         >         >                         > line 
            104, in 
            >         policy_wrapper 
            >         >         >                         > 
            return 
            >         wrapped_function(*args, 
            >         >         **kwds) 
            >         >         >                         > 
            File 
            >         >         >                         > 
            >         >         > 
            >         > 
            > 

“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,

            >         >         >                         > line 
            104, in 
            >         policy_wrapper 
            >         >         >                         > 
            return 
            >         wrapped_function(*args, 
            >         >         **kwds) 
            >         >         >                         > 
            File 
            >         >         >                         > 
            >         >         > 
            >         > 
            > 

“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,

            >         >         >                         > line 
            104, in 
            >         policy_wrapper 
            >         >         >                         > 
            return 
            >         wrapped_function(*args, 
            >         >         **kwds) 
            >         >         >                         > 
            File 
            >         >         >                         > 
            >         >         > 
            >         > 
            > 

“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,

            >         >         >                         > line 
            104, in 
            >         policy_wrapper 
            >         >         >                         > 
            return 
            >         wrapped_function(*args, 
            >         >         **kwds) 
            >         >         >                         > 
            File 
            >         >         >                         > 
            >         >         > 
            >         > 
            > 

“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,

            >         >         >                         > line 
            104, in 
            >         policy_wrapper 
            >         >         >                         > 
            return 
            >         wrapped_function(*args, 
            >         >         **kwds) 
            >         >         >                         > 
            File 
            >         >         >                         > 
            >         >         > 
            >         > 
            > 

“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,

            >         >         >                         > line 
            104, in 
            >         policy_wrapper 
            >         >         >                         > 
            return 
            >         wrapped_function(*args, 
            >         >         **kwds) 
            >         >         >                         > 
            File 
            >         >         >                         > 
            >         >         > 
            >         > 
            > 

“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,

            >         >         >                         > line 
            104, in 
            >         policy_wrapper 
            >         >         >                         > 
            return 
            >         wrapped_function(*args, 
            >         >         **kwds) 
            >         >         >                         > 
            File 
            >         >         > 
            >         > 
            > 

“/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py”,

            >         >         >                         > line 
            57, in 
            >         event_wrapper 
            >         >         >                         > 
            f_result = 
            >         func(*args, 
            >         >         **kwds) 
            >         >         >                         > 
            File 
            >         >         > 
            >         > 
            > 

“/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py”,

            >         >         line 
            >         >         >                         > 180, 
            in log_wrapper 
            >         >         >                         > 
            f_result = 
            >         func(*args, 
            >         >         **kwds) 
            >         >         >                         > 
            File 
            >         >         > 
            >         > 
            > 

“/usr/lib/python2.7/dist-packages/privacyidea/api/token.py”,

            >         >         >                         > line 
            186, in init 
            >         >         >                         > 
            >         tokenrealms=tokenrealms) 
            >         >         >                         > 
            File 
            >         >         > 
            >         > 
            > 

“/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py”,

            >         >         line 
            >         >         >                         > 180, 
            in log_wrapper 
            >         >         >                         > 
            f_result = 
            >         func(*args, 
            >         >         **kwds) 
            >         >         >                         > 
            File 
            >         >         > 
            >         > 
            > 

“/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py”,

            >         >         >                         > line 
            912, in init_token 
            >         >         >                         > 
            >         >         tokenobject.update(upd_params) 
            >         >         >                         > 
            File 
            >         >         >                         > 
            >         >         > 
            >         > 
            > 

“/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py”,
line 218, in update

            >         >         >                         > 
            crypto.FILETYPE_PEM, 
            >         req)) 
            >         >         >                         > 
            File 
            >         >         >                         > 
            >         >         > 
            >         > 
            > 

“/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py”,
line 173, in sign_request

            >         >         >                         > 
            csr_extensions = 
            >         >         > 
            csr_obj.get_extensions() 
            >         >         >                         > 
            AttributeError: 
            >         'X509Req' object 
            >         >         has no 
            >         >         > 
            attribute 
            >         'get_extensions' 
            >         >         >                         > 
            >         >         >                         > 
            >         >         >                         > 
            >         >         >                         > 
            >         >         >                         > 
            >         >         >                         > 
            >         >         >                         > 
On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote:

> Hi,
>
> can you please post your privacyidea.log?
> There should be a traceback.
>
> Which version of pyopenssl and which version of openssl are you using?
>
> Kind regards
> Cornelius


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/91212e60-bed1-45dc-8e3b-45ee56faa34b%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
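
The traceback in this thread only surfaces at enrollment time, after the token row already exists. The following preflight is an added example, not privacyIDEA code: it reads the `dpkg -l` lines posted in the thread, compares the packaged pyOpenSSL against the 0.15 minimum named in the reply, and feature-detects `X509Req.get_extensions` on whatever is importable (which also covers a virtualenv install). The function names and the `probe` parameter are assumptions of this sketch.

```python
import importlib
import re

# Minimum pyOpenSSL release with X509Req.get_extensions, as stated in the thread.
MIN_PYOPENSSL = (0, 15)

# The two `dpkg -l` lines posted in the thread.
SAMPLE_DPKG = [
    "ii openssl 1.0.1t-1+deb8u2 amd64 Secure Sockets Layer toolkit - cryptographic utility",
    "ii python-openssl 0.14-1 all Python 2 wrapper around the OpenSSL library",
]


def upstream_version(debian_version):
    """Turn a Debian version such as '1:0.15.1-2' into a tuple of ints (0, 15, 1)."""
    upstream = debian_version.split(":", 1)[-1]      # drop the epoch, if any
    if "-" in upstream:
        upstream = upstream.rsplit("-", 1)[0]        # drop the Debian revision
    parts = []
    for piece in upstream.split("."):
        match = re.match(r"\d+", piece)              # '1t' -> 1, '15~rc1' -> 15
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def dpkg_version(dpkg_line, package):
    """Return the version column of an installed ('ii') package line, else None."""
    fields = dpkg_line.split()
    if len(fields) >= 3 and fields[0] == "ii" and fields[1].split(":")[0] == package:
        return fields[2]
    return None


def probe_attribute(module_name, class_name, attribute):
    """Feature-detect module.class.attribute.

    Returns True or False, or None when the module cannot be imported.
    """
    try:
        module = importlib.import_module(module_name)
    except ImportError:
        return None
    cls = getattr(module, class_name, None)
    return cls is not None and hasattr(cls, attribute)


def probe_pyopenssl():
    """Check the method the thread's traceback says is missing."""
    return probe_attribute("OpenSSL.crypto", "X509Req", "get_extensions")


def preflight(dpkg_lines, probe=probe_pyopenssl):
    """Return a list of human-readable problems; an empty list means OK."""
    problems = []
    packaged = None
    for line in dpkg_lines:
        packaged = dpkg_version(line, "python-openssl") or packaged
    if packaged is None:
        problems.append("python-openssl is not listed as installed by dpkg")
    elif upstream_version(packaged) < MIN_PYOPENSSL:
        problems.append(
            "python-openssl %s is older than %s"
            % (packaged, ".".join(str(n) for n in MIN_PYOPENSSL))
        )
    # The importable module is what the application really uses; a pip or
    # virtualenv install can differ from the distribution package.
    if probe() is False:
        problems.append("importable OpenSSL.crypto.X509Req has no get_extensions")
    return problems


if __name__ == "__main__":
    for problem in preflight(SAMPLE_DPKG):
        print("PREFLIGHT FAILED: " + problem)
```

Run at service start, a non-empty result lets the CA connector refuse to enroll certificate tokens instead of leaving a token without a certificate.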

Hello Michael,

Please explain to me: In the moment you need the MOST help, you refuse to
get help. You try with a lot of effort to do everything on your own.
Why?

Because I’m not the one in the company who decides to spend money for :)
This will be the internal systems, so there’s no money to earn.
When we are so far to sell services, we’ll also order some consultancy to
check if everything is set up correctly.
Also, when the CA stuff doesn’t work the way we want, we just won’t use
it and use CLI (as before), but the way PI does it, it’s a good way to roll
them out to the user.

So, I created the CA as documented before and enrolled a certificate
token for user e.g. mimu.

STOP. You say a complicated process very lightly in half a sentence?
Please think about it yourself: How did you enroll the certificate
token? There are many different ways to do so. This is important
information - also to you!

This is really what makes it very challenging for me to act on the
mailing list. Because most people do not take a look at what they are
doing.

OK, I set up a small article with some pictures, hopefully you can follow me
now, sorry for not being clear enough:
http://www.routerperformance.net/howtos/debug-certificates-in-privacyidea/

I checked the privacyidea.log, no traceback (the certificate token gets
created mostly perfect) and apache log is also quiet.

Thanks
Michael

On Wednesday, 13 July 2016 19:06:14 UTC+2, Cornelius Kölbel wrote:

Here probably is your problem. “You enrolled the certificate token”…
Did it ever come to your mind that the problem, that the certificate token
does not behave as expected, is due to the fact that the token was not
enrolled as you thought you would?
So the logical consequence would be to take a deeper look at the token
enrollment process. And not only drop this topic in half a sentence.

So again. How did you enroll the certificate token?

I very much recommend for all of you to study physics!
…to train your analytic skills…

Kind regards
Cornelius

Now I can download the certificate as PKCS12. Normally this file
should include certificate, key and root cert.
With a doubleclick I can install the certificate (PKCS12) but when
asked for an import pw only an empty password works.

Now, when opening the mmc snapin I can see the certificate under Own
Certificates. But there’s no root ca installed.
That’s why I tried to extract the root ca from the pkcs12 via openssl,
but it’s empty.

I’m quite sure that with a first test machine with Ubuntu ppa version
2.12 it worked.
Now I’m using PiP 2.13

Michael
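
The two symptoms reported in this message (the file imports with an empty password, and the `-cacerts` export is empty) can be checked mechanically with the `openssl` CLI. The script below is an added example, not part of the original thread or of privacyIDEA; the function names, the fixture subjects and the `example-pin` password are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit a PKCS#12 file for a missing import password and a
# missing CA certificate. All names, subjects and passwords are constructed.

# Print how many CA certificates (certs without a matching private key) the
# container holds. Same query as the `-cacerts -nokeys` call in the thread.
# The password is passed via the environment so it does not show up in `ps`.
p12_ca_count() {   # usage: p12_ca_count FILE PASSWORD
    P12_PW=$2 openssl pkcs12 -in "$1" -cacerts -nokeys -passin env:P12_PW \
        2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true
}

# Succeed if the container can be opened with an empty import password.
p12_opens_without_password() {   # usage: p12_opens_without_password FILE
    openssl pkcs12 -in "$1" -noout -passin pass: >/dev/null 2>&1
}

# Print the findings for one file: NO_IMPORT_PASSWORD, NO_CA_CERT, or OK.
audit_p12() {   # usage: audit_p12 FILE PASSWORD
    findings=""
    pw=$2
    if p12_opens_without_password "$1"; then
        findings="$findings NO_IMPORT_PASSWORD"
        pw=""
    elif ! P12_PW=$pw openssl pkcs12 -in "$1" -noout -passin env:P12_PW \
            >/dev/null 2>&1; then
        # Wrong password: do not report a misleading "no CA cert" finding.
        echo "CANNOT_OPEN"
        return 1
    fi
    if [ "$(p12_ca_count "$1" "$pw")" -eq 0 ]; then
        findings="$findings NO_CA_CERT"
    fi
    [ -n "$findings" ] || findings=" OK"
    echo "${findings# }"
}

# Build a throwaway CA, one user certificate and two PKCS#12 files in DIR:
#   weak.p12  empty password, no CA certificate (the state seen in the thread)
#   good.p12  password set, issuing CA certificate included via -certfile
make_fixtures() {   # usage: make_fixtures DIR
    d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=example-user" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -CAcreateserial -days 1 -out "$d/user.crt" 2>/dev/null
    openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.crt" \
        -passout pass: -out "$d/weak.p12"
    openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.crt" \
        -certfile "$d/ca.crt" -passout pass:example-pin -out "$d/good.p12"
}

if [ $# -gt 0 ]; then
    # Audit a real file: sh audit_p12.sh FILE [PASSWORD]
    audit_p12 "$1" "${2:-}"
else
    # No arguments: demonstrate on constructed fixtures.
    tmp=$(mktemp -d) && make_fixtures "$tmp"
    echo "weak.p12: $(audit_p12 "$tmp/weak.p12" "")"
    echo "good.p12: $(audit_p12 "$tmp/good.p12" example-pin)"
    rm -rf "$tmp"
fi
```

A PKCS#12 file that reports `NO_CA_CERT` still imports as a personal certificate, but the client has nothing to place in its trusted root store, which matches what the MMC snap-in showed.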

On Wednesday, 13 July 2016 18:23:27 UTC+2, Cornelius Kölbel wrote:
The below mentioned link does not contain any pkcs12.

http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html

    I am really not sure what you mean here.

    Are you talking about the CA certificate, this is the certificate signing the others?
    Or are you talking about a "certificate token", i.e. a user certificate?

    Which PKCS12 did you copy, export CA certificate?
    This all makes no sense to me.

    But no problem, I also provide great PKI workshops:
    https://netknights.it/en/leistungen/one-time-services/

    Please note: Certificates are a topic where it is very important that you understand the underlying processes, rules and cryptography.
    privacyIDEA has very basic certificate management capabilities.
    But I am happy if you help to improve the software.

    Kind regards
    Cornelius

    On Wednesday, 13.07.2016, 04:44 -0700, Michael Muenz wrote:
    > I copied the pkcs12 to the otp machine and exported the CA Cert but it's empty.
    > There seems to be something wrong, but I'm not sure if it's my fault. :/
    >
    > root@otp1:~# openssl pkcs12 -in CRT000032EE.p12 -cacerts -nokeys -out cacert.pem
    > Enter Import Password:
    > MAC verified OK
    > root@otp1:~# cat cacert.pem
    > root@otp1:~#
    >
    > Did the same with an existing .p12 created for another project and the correct root ca was exported.
    >
    > On Wednesday, 13 July 2016 13:25:22 UTC+2, Michael Muenz wrote:
    >         Hm, I followed now:
    >         http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html
    >
    >         mkdir /etc/privacyidea/CA
    >         cp /opt/privacyidea/lib/python2.7/site-packages/tests/testdata/ca/openssl.cnf /etc/privacyidea/CA/
    >         openssl req -days 3650 -new -x509 -keyout /etc/privacyidea/CA/ca.key \
    >                     -out /etc/privacyidea/CA/ca.crt \
    >                     -config /etc/privacyidea/CA/openssl.cnf
    >
    >         chmod 0600 /etc/privacyidea/CA/ca.key
    >         touch /etc/privacyidea/CA/index.txt
    >         echo 01 > /etc/privacyidea/CA/serial
    >         openssl rsa -in ca.key -out ca-nopw.key
    >         mv ca-nopw.key ca.key
    >         chown -R privacyidea /etc/privacyidea/CA
    >
    >         I enroll a certificate and set a PW in the PIN field, but I can import it successfully with my W10
    >
    >         On Wednesday, 13 July 2016 12:50:38 UTC+2, Cornelius Kölbel wrote:
    >                 You should clearly state HOW you created the user certificate.
    >                 Especially HOW you created the keypair!
    >
    >                 On Wednesday, 13.07.2016, 03:39 -0700, Michael Muenz wrote:
    >                 > :)
    >                 >
    >                 > No, I removed the password after our last discussion (for the testing system)
    >                 >
    >                 > The certificates get created and I can import them, but they don't have a password.
    >                 >
    >                 > On Wednesday, 13 July 2016 12:38:14 UTC+2, Cornelius Kölbel wrote:
    >                 >         To avoid confusion:
    >                 >
    >                 >         The private key of the CA is not password protected!
    >                 >
    >                 >         Kind regards
    >                 >         Cornelius
    >                 >
    >                 >         On Wednesday, 13.07.2016, 03:37 -0700, Michael Muenz wrote:
    >                 >         > Hi,
    >                 >         >
    >                 >         > doesn't work for me.
    >                 >         >
    >                 >         > Hm, with my first setup I remember that it was working, but now when importing an existing CA there are no import pw's.
    >                 >         >
    >                 >         > Will try again with a CA from scratch.
    >                 >         >
    >                 >         > On Wednesday, 13 July 2016 12:16:14 UTC+2, Cornelius Kölbel wrote:
    >                 >         >         Hi Michael,
    >                 >         >
    >                 >         >         this already can be done.
    >                 >         >         When setting the token PIN, this will be the password for the pkcs12 file.
    >                 >         >
    >                 >         >         Kind regards
    >                 >         >         Cornelius
    >                 >         >
    >                 >         >         On Wednesday, 13.07.2016, 02:45 0700, Michael Muenz wrote:
    >                 >         >         > Hi,
    >                 >         >         >
    >                 >         >         > Again playing around with the CA connector.
    >                 >         >         > Are there any plans for setting an import password for the generated PKCS12 files?
    >                 >         >         >
    >                 >         >         > Thanks
    >                 >         >         > Michael
    >                 >         >         >
    >                 >         >         > On Tuesday, 7 June 2016 10:15:14 UTC+2, Cornelius Kölbel wrote:
    >                 >         >         >         Hi Michael,
    >                 >         >         >
    >                 >         >         >         I was thinking the passphrase on the ca key.
    >                 >         >         >         In my opinion having a passphrase only makes limited sense.
    >                 >         >         >         The passphrase would be encrypted in the database. Encrypted with the encryption key, which is probably only protected by file access. So you can protect the ca key with file access in the first place.
    >                 >         >         >
    >                 >         >         >         Think of the local ca as a working proof of concept :-)
    >                 >         >         >         Any feedback and input is appreciated.
    >                 >         >         >
    >                 >         >         >         Kind regards
    >                 >         >         >         Cornelius
    >                 >         >         >
    >                 >         >         >         Cornelius Kölbel
    >                 >         >         >         +49 151 2960 1417
    >                 >         >         >
    >                 >         >         >         NetKnights GmbH
    >                 >         >         >         http://NetKnights.it
    >                 >         >         >         +49 561 3166 797
    >                 >         >         >
    >                 >         >         >         -------- Original message --------
    >                 >         >         >         From: Michael Muenz <m.m...@gmail.com>
    >                 >         >         >         Date: 07.06.16 10:04 (GMT+01:00)
    >                 >         >         >         To: privacyidea <priva...@googlegroups.com>
    >                 >         >         >         Subject: Re: [privacyidea] CA Connector can't create certificate
    >                 >         >         >
    >                 >         >         >         Ok, removed the line and it works again.
    >                 >         >         >         Now I can download the PKCS12.
    >                 >         >         >
    >                 >         >         >         But I had to remove the password from the ca.key ... will this be the final version or do you plan some fields in the UI to enter the password for the root-ca?
    >                 >         >         >
    >                 >         >         >         Michael
    >                 >         >         >
    >                 >         >         >         On Tuesday, June 7, 2016 at 9:59:06 AM UTC+2, Michael Muenz wrote:
    >                 >         >         >                 I added the Jessie-Backports since they deliver 0.15, but when I wanted to install it, it greps python-pyopenssl from the trusty ppa and breaks :)
    >                 >         >         >                 After that I forced it with aptitude -t jessie-backports and now I get an Internal Server Error when accessing the startpage
    >                 >         >         >
    >                 >         >         >                 [Tue Jun 07 09:53:37.895043 2016] [wsgi:error] [pid 489:tid 139726979172096] /usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning: Unicode column received non-unicode default value.
    >                 >         >         >                 [Tue Jun 07 09:53:37.895273 2016] [wsgi:error] [pid 489:tid 139726979172096]   default="/etc/privacyidea/dictionary")
    >                 >         >         >                 [Tue Jun 07 09:53:37.921642 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Target WSGI script '/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
    >                 >         >         >                 [Tue Jun 07 09:53:37.921834 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'.
    >                 >         >         >                 [Tue Jun 07 09:53:37.921948 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] Traceback (most recent call last):
    >                 >         >         >                 [Tue Jun 07 09:53:37.922116 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
    >                 >         >         >                 [Tue Jun 07 09:53:37.922265 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     from privacyidea.app import create_app
    >                 >         >         >                 [Tue Jun 07 09:53:37.922359 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/app.py", line 28, in <module>
    >                 >         >         >                 [Tue Jun 07 09:53:37.922952 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     import privacyidea.api.before_after
    >                 >         >         >                 [Tue Jun 07 09:53:37.923097 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py", line 29, in <module>
    >                 >         >         >                 [Tue Jun 07 09:53:37.923599 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     from ..lib.user import get_user_from_param
    >                 >         >         >                 [Tue Jun 07 09:53:37.923697 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", line 55, in <module>
    >                 >         >         >                 [Tue Jun 07 09:53:37.924472 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     from .resolver import (get_resolver_object,
    >                 >         >         >                 [Tue Jun 07 09:53:37.924585 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py", line 47, in <module>
    >                 >         >         >                 [Tue Jun 07 09:53:37.925108 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     from config import (get_resolver_types,
    >                 >         >         >                 [Tue Jun 07 09:53:37.925207 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", line 47, in <module>
    >                 >         >         >                 [Tue Jun 07 09:53:37.926073 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     from .caconnectors.localca import BaseCAConnector
    >                 >         >         >                 [Tue Jun 07 09:53:37.926233 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173
    >                 >         >         >                 [Tue Jun 07 09:53:37.926344 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     csr_extensions = csr_obj.get_extensions()
    >                 >         >         >                 [Tue Jun 07 09:53:37.926499 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512]     ^
    >                 >         >         >                 [Tue Jun 07 09:53:37.926583 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] IndentationError: unexpected indent
    >                 >         >         >
    >                 >         >         >                 I think I'm gonna reinstall from scratch ...
    >                 >         >         >
    >                 >         >         >                 On Monday, June 6, 2016 at 11:36:09 PM UTC+2, Cornelius Kölbel wrote:
    >                 >         >         >                 > The CSR extensions are not used at the moment.
    >                 >         >         >                 >
    >                 >         >         >                 > So we could as well remove this line and then python-openssl 0.14 would work fine, again.
    >                 >         >         >                 >
    >                 >         >         >                 > Kind regards
    >                 >         >         >                 > Cornelius
    >                 >         >         >                 >
    >                 >         >         >                 > On Monday, 06.06.2016, 13:20 -0700, Michael Muenz wrote:
    >                 >         >         >                 > > ii  openssl         1.0.1t-1+deb8u2  amd64  Secure Sockets Layer toolkit - cryptographic utility
    >                 >         >         >                 > > ii  python-openssl  0.14-1           all    Python 2 wrapper around the OpenSSL library
    >                 >         >         >                 > >

    >                 >         >         > 
    > userid 
    >                 resolved to 
    >                 >         >         > 
    >                 >         > 
    >                 u'6ce8f8fe-5848-1030-9368-cd33db809b50' 
    >                 >         >         > 
    > 
    >                 [2016-06-06 
    >                 >         >         > 
    > 
    >                 >         >         > 
    >                 >         > 
    >                 > 
    > 

22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187]

    >                 >         >         > 
    > user 
    >                 u'mimu' found in 
    >                 >         resolver 
    >                 >         >         u'maxadmins' 
    >                 >         >         > 
    > 
    >                 [2016-06-06 
    >                 >         >         > 
    > 
    >                 >         >         > 
    >                 >         > 
    >                 > 
    > 

22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188]

    >                 >         >         > 
    > userid 
    >                 resolved to 
    >                 >         >         > 
    >                 >         > 
    >                 u'6ce8f8fe-5848-1030-9368-cd33db809b50' 
    >                 >         >         > 
    > 
    > [2016-06-06 22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423] Exception on /token/init [POST]
    > Traceback (most recent call last):
    >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    >     response = self.full_dispatch_request()
    >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    >     rv = self.handle_user_exception(e)
    >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    >     reraise(exc_type, exc_value, tb)
    >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    >     rv = self.dispatch_request()
    >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
    >     return self.view_functions[rule.endpoint](**req.view_args)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >     return wrapped_function(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >     return wrapped_function(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >     return wrapped_function(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >     return wrapped_function(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >     return wrapped_function(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >     return wrapped_function(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >     return wrapped_function(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >     return wrapped_function(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    >     return wrapped_function(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", line 57, in event_wrapper
    >     f_result = func(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 180, in log_wrapper
    >     f_result = func(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/token.py", line 186, in init
    >     tokenrealms=tokenrealms)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 180, in log_wrapper
    >     f_result = func(*args, **kwds)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 912, in init_token
    >     tokenobject.update(upd_params)
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py", line 218, in update
    >     crypto.FILETYPE_PEM, req))
    >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173, in sign_request
    >     csr_extensions = csr_obj.get_extensions()
    > AttributeError: 'X509Req' object has no attribute 'get_extensions'
    >
    > On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote:
    > > Hi,
    > >
    > > can you please post your privacyidea.log?
    > > There should be a traceback.
    > >
    > > Which version of pyopenssl and which version of openssl are you using?
    > >
    > > Kind regards
    > > Cornelius
    > >
    > > On Monday, 06.06.2016, 06:33 -0700, Michael Muenz wrote:
    > > > Hi,
    > > >
    > > > I've set up the WebCA as described in
    > > > http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html
    > > >
    > > > When I try to roll out a new certificate I get:
    > > > 'X509Req' object has no attribute 'get_extensions'
    > > >
    > > > There's no certificate but the token will be displayed within the
    > > > token view.
    > > >
    > > > Google tells me about some "wont fixes" with PyOpenSSL.
    > > >
    > > > I'm using Debian 8 with latest packages from Trusty build.
    > > >
    > > > Any ideas?
    > > >
    > > > Thanks
    > > > Michael
    > >
    > > --
    > > Cornelius Kölbel
    > > corneliu...@netknights.it
    > > +49 151 2960 1417
    > >
    > > NetKnights GmbH
    > > http://www.netknights.it
    > > Landgraf-Karl-Str. 19, 34131 Kassel, Germany
    > > Tel: +49 561 3166797, Fax: +49 561 3166798
    > >
    > > Amtsgericht Kassel, HRB 16405
    > > Managing director: Cornelius Kölbel
    > Groups "privacyidea" group. 
    > To unsubscribe from this group and stop receiving emails 
    from it, send 
    > an email to privacyidea...@googlegroups.com. 
    > To post to this group, send email to 
    priva...@googlegroups.com. 
    > Visit this group at 
    https://groups.google.com/group/privacyidea. 
    > To view this discussion on the web visit 
    > 

https://groups.google.com/d/msgid/privacyidea/91212e60-bed1-45dc-8e3b-45ee56faa34b%40googlegroups.com.

    > For more options, visit https://groups.google.com/d/optout. 
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suites your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com <javascript:>.
To post to this group, send email to priva...@googlegroups.com
<javascript:>.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/df8a609c-66f5-4d1b-be20-27e7f0daaf32%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
corneliu...@netknights.it <javascript:>
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

Hi,

Again playing around with the CA connector.
Are there any plans for setting an import password for the generated PKCS12
files?

Thanks
Michael

On Tuesday, June 7, 2016 at 10:15:14 UTC+2, Cornelius Kölbel wrote:

Hi Michael,

I was thinking the passphrase on the ca key.
In my opinion having a passphrase only makes limited sense.
The passphrase would be encrypted in the database. Encrypted with the
encryption key, which is probably only protected by file access. So you can
protect the ca key with file access in the first place.

Think of the local ca as a working proof of concept :-)
Any feedback and input is appreciated.

Kind regards
Cornelius

Cornelius Kölbel
+49 151 2960 1417

NetKnights GmbH
http://NetKnights.it
+49 561 3166 797

-------- Original message --------
From: Michael Muenz <m.m...@gmail.com>
Date: 07.06.16 10:04 (GMT+01:00)
To: privacyidea <priva...@googlegroups.com>
Subject: Re: [privacyidea] CA Connector can’t create certificate

Ok, removed the line and it works again.
Now I can download the PKCS12.

But I had to remove the password from the ca.key … will this be the
final version or do you plan some fields in the UI to enter the password
for the root-ca?

Michael

On Tuesday, June 7, 2016 at 9:59:06 AM UTC+2, Michael Muenz wrote:

I added the Jessie-Backports since they deliver 0.15, but when I wanted
to install it, it greps python-pyopenssl from the trusty ppa and breaks :)
After that I forced it with aptitude -t jessie-backports and now I get an
Internal Server Error when accessing the startpage

[Tue Jun 07 09:53:37.895043 2016] [wsgi:error] [pid 489:tid 139726979172096] /usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning: Unicode column received non-unicode default value.
[Tue Jun 07 09:53:37.895273 2016] [wsgi:error] [pid 489:tid 139726979172096] default="/etc/privacyidea/dictionary")
[Tue Jun 07 09:53:37.921642 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Target WSGI script '/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
[Tue Jun 07 09:53:37.921834 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'.
[Tue Jun 07 09:53:37.921948 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] Traceback (most recent call last):
[Tue Jun 07 09:53:37.922116 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
[Tue Jun 07 09:53:37.922265 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from privacyidea.app import create_app
[Tue Jun 07 09:53:37.922359 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/app.py", line 28, in <module>
[Tue Jun 07 09:53:37.922952 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] import privacyidea.api.before_after
[Tue Jun 07 09:53:37.923097 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py", line 29, in <module>
[Tue Jun 07 09:53:37.923599 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from ..lib.user import get_user_from_param
[Tue Jun 07 09:53:37.923697 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", line 55, in <module>
[Tue Jun 07 09:53:37.924472 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from .resolver import (get_resolver_object,
[Tue Jun 07 09:53:37.924585 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py", line 47, in <module>
[Tue Jun 07 09:53:37.925108 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from config import (get_resolver_types,
[Tue Jun 07 09:53:37.925207 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", line 47, in <module>
[Tue Jun 07 09:53:37.926073 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from .caconnectors.localca import BaseCAConnector
[Tue Jun 07 09:53:37.926233 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173
[Tue Jun 07 09:53:37.926344 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] csr_extensions = csr_obj.get_extensions()
[Tue Jun 07 09:53:37.926499 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] ^
[Tue Jun 07 09:53:37.926583 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] IndentationError: unexpected indent

I think I’m gonna reinstall from scratch …

On Monday, June 6, 2016 at 11:36:09 PM UTC+2, Cornelius Kölbel wrote:

The CSR extensions are not used at the moment.

So we could as well remove this line and then python-openssl 0.14 would
work fine, again.

Kind regards
Cornelius

On Monday, June 6, 2016 at 13:20 -0700, Michael Muenz wrote:

ii openssl 1.0.1t-1+deb8u2 amd64 Secure Sockets Layer toolkit - cryptographic utility
ii python-openssl 0.14-1 all Python 2 wrapper around the OpenSSL library

[2016-06-06 22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
[2016-06-06 22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
[2016-06-06 22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
[2016-06-06 22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
[2016-06-06 22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
[2016-06-06 22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
[2016-06-06 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
[2016-06-06 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
[2016-06-06 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
[2016-06-06 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
[2016-06-06 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
[2016-06-06 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
[2016-06-06 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
[2016-06-06 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
[2016-06-06 22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423] Exception on /token/init [POST]
Traceback (most recent call last):
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    rv = self.handle_user_exception(e)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    reraise(exc_type, exc_value, tb)
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    return wrapped_function(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", line 57, in event_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 180, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/api/token.py", line 186, in init
    tokenrealms=tokenrealms)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 180, in log_wrapper
    f_result = func(*args, **kwds)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 912, in init_token
    tokenobject.update(upd_params)
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py", line 218, in update
    crypto.FILETYPE_PEM, req))
  File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173, in sign_request
    csr_extensions = csr_obj.get_extensions()
AttributeError: 'X509Req' object has no attribute 'get_extensions'

On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote:
Hi,

can you please post your privacyidea.log?
There should be a traceback.

Which version of pyopenssl and which version of openssl are you using?

Kind regards
Cornelius
    

The below mentioned link does not contain any pkcs12.

http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html

I am really not sure what you mean here.

Are you talking about the CA certificate, this is the certificate
signing the others?
Or are you talking about a “certificate token”, i.e. a user certificate.

Which PKCS12 did you copy, export CA certificate?
This all makes no sense to me.

But no problem, I also provide great PKI workshops:
https://netknights.it/en/leistungen/one-time-services/

Please note: Certificates are a topic where it is very important that you
understand the underlying processes, rules and cryptography.
privacyIDEA has very basic certificate management capabilities.
But I am happy, if you help to improve the software.

Kind regards
Cornelius

On Wednesday, July 13, 2016 at 04:44 -0700, Michael Muenz wrote:

I copied the pkcs12 to the otp machine and exported the CA Cert but
it’s empty.
There seems to be something wrong, but I’m not sure if it’s my
fault. :confused:

    root@otp1:~# openssl pkcs12 -in CRT000032EE.p12 -cacerts -nokeys -out cacert.pem
    Enter Import Password:
    MAC verified OK
    root@otp1:~# cat cacert.pem
    root@otp1:~#

Did the same with an existing .p12 created for another project and the
correct root ca was exported.
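
The two checks this exchange turns on, whether a PKCS#12 file really enforces an import password and what `-cacerts -nokeys` prints depending on the file's contents, as an added example that is not part of the thread or of privacyIDEA. The throwaway CA, the file names, the password `s3cret` and the helper function names are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: the fixtures are constructed locally (throwaway CA and user
# certificate); file names and the password "s3cret" are assumptions.

# make_fixture DIR: create a test CA, a signed user certificate and three
# PKCS#12 variants of the same key pair.
make_fixture() {
    fx=$1
    # Self-signed throwaway CA with an unencrypted key, valid for one day.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Test CA" \
        -keyout "$fx/ca.key" -out "$fx/ca.crt" 2>/dev/null || return 1
    # User key and CSR, signed by the test CA.
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=testuser" \
        -keyout "$fx/user.key" -out "$fx/user.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$fx/user.csr" -days 1 \
        -CA "$fx/ca.crt" -CAkey "$fx/ca.key" \
        -CAserial "$fx/ca.srl" -CAcreateserial \
        -out "$fx/user.crt" 2>/dev/null || return 1
    # Variant 1: import password set, only the user certificate and key.
    openssl pkcs12 -export -inkey "$fx/user.key" -in "$fx/user.crt" \
        -passout pass:s3cret -out "$fx/user-pw.p12" 2>/dev/null || return 1
    # Variant 2: import password set, CA certificate bundled via -certfile.
    openssl pkcs12 -export -inkey "$fx/user.key" -in "$fx/user.crt" \
        -certfile "$fx/ca.crt" \
        -passout pass:s3cret -out "$fx/user-chain.p12" 2>/dev/null || return 1
    # Variant 3: empty export password, i.e. no effective protection.
    openssl pkcs12 -export -inkey "$fx/user.key" -in "$fx/user.crt" \
        -passout pass: -out "$fx/user-nopw.p12" 2>/dev/null || return 1
}

# p12_opens_with FILE PASSWORD: succeeds if the MAC verifies with PASSWORD.
# -noout suppresses all key and certificate output, so nothing is written.
p12_opens_with() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" </dev/null >/dev/null 2>&1
}

# p12_ca_count FILE PASSWORD: number of certificates printed by -cacerts.
# -cacerts only prints certificates that are not paired with the private key,
# so a file holding just the user certificate yields empty output.
p12_ca_count() {
    openssl pkcs12 -in "$1" -cacerts -nokeys -passin "pass:$2" \
        </dev/null 2>/dev/null | grep -c 'BEGIN CERTIFICATE' || true
}

# audit_p12 FILE PASSWORD: report on both properties.
# Returns 0 if the password is enforced, 1 if the file opens with an empty
# password, 2 if the supplied password is rejected.
audit_p12() {
    a_file=$1; a_pw=$2; a_rc=0
    if p12_opens_with "$a_file" ""; then
        echo "FINDING $a_file: opens with an empty import password"
        a_pw=""; a_rc=1
    elif ! p12_opens_with "$a_file" "$a_pw"; then
        echo "ERROR   $a_file: supplied password rejected"
        return 2
    else
        echo "OK      $a_file: import password is enforced"
    fi
    a_n=$(p12_ca_count "$a_file" "$a_pw")
    if [ "$a_n" -eq 0 ]; then
        echo "NOTE    $a_file: no CA certificate bundled, -cacerts prints nothing"
    else
        echo "OK      $a_file: $a_n CA certificate(s) bundled"
    fi
    return $a_rc
}

# Demo run over the three constructed variants.
demo_dir=$(mktemp -d)
if make_fixture "$demo_dir"; then
    for name in user-pw user-chain user-nopw; do
        audit_p12 "$demo_dir/$name.p12" s3cret || true
    done
fi
rm -rf "$demo_dir"
```

Running `audit_p12` against a file exported by the system under test, with the PIN that was set at enrollment, shows directly whether that PIN became the import password.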

On Wednesday, July 13, 2016 at 13:25:22 UTC+2, Michael Muenz wrote:

Hm, I followed
now: http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html

    mkdir /etc/privacyidea/CA
    cp /opt/privacyidea/lib/python2.7/site-packages/tests/testdata/ca/openssl.cnf /etc/privacyidea/CA/

    # Create the self-signed CA certificate and its key
    openssl req -days 3650 -new -x509 \
                -keyout /etc/privacyidea/CA/ca.key \
                -out /etc/privacyidea/CA/ca.crt \
                -config /etc/privacyidea/CA/openssl.cnf

    chmod 0600 /etc/privacyidea/CA/ca.key
    touch /etc/privacyidea/CA/index.txt
    echo 01 > /etc/privacyidea/CA/serial
    # Strip the passphrase from the CA key (relative paths: run inside the CA directory).
    # ca-nopw.key is a newly created file, so the chmod above does not carry over to it.
    openssl rsa -in ca.key -out ca-nopw.key
    mv ca-nopw.key ca.key
    chown -R privacyidea /etc/privacyidea/CA

I enroll a certificate and set a PW in the PIN field, but I
can import it successfully with my W10
On Wednesday, July 13, 2016 at 12:50:38 UTC+2, Cornelius Kölbel wrote:

You should clearly state HOW you created the user certificate.
Especially HOW you created the keypair!

On Wednesday, July 13, 2016 at 03:39 -0700, Michael Muenz wrote:
> :)
>
> No, I removed the password after our last discussion (for the testing
> system)
>
> The certificates get created and I can import them, but they don't
> have a password.
>
> On Wednesday, July 13, 2016 at 12:38:14 UTC+2, Cornelius Kölbel wrote:
> > To avoid confusion:
> >
> > The private key of the CA is not password protected!
> >
> > Kind regards
> > Cornelius
> >
> > On Wednesday, July 13, 2016 at 03:37 -0700, Michael Muenz wrote:
> > > Hi,
> > >
> > > doesn't work for me.
> > >
> > > Hm, with my first setup I remember that it was working, but now when
> > > importing an existing CA there are no import pw's.
> > >
> > > Will try again with a CA from scratch.
> > >
> > > On Wednesday, July 13, 2016 at 12:16:14 UTC+2, Cornelius Kölbel wrote:
> > > > Hi Michael,
> > > >
> > > > this already can be done.
> > > > When setting the token PIN, this will be the password for the
> > > > pkcs12 file.
> > > >
> > > > Kind regards
> > > > Cornelius
            >         >         Am Mittwoch, den 13.07.2016, 02:45 0700 schrieb 
            >         Michael 
            >         >         Muenz: 
            >         >         > Hi, 
            >         >         > 
            >         >         > 
            >         >         > Again playing around with the CA
            connector. 
            >         >         > Are there any plans for setting
            an import password 
            >         for the 
            >         >         generated 
            >         >         > PKCS12 files? 
            >         >         > 
            >         >         > 
            >         >         > Thanks 
            >         >         > Michael 
            >         >         > 
            >         >         > Am Dienstag, 7. Juni 2016 10:15:14 UTC+2 schrieb 
            >         Cornelius 
            >         >         Kölbel: 
            >         >         >         Hi Michael, 
            >         >         >         
            >         >         >         
            >         >         >         I was thinking the
            passphrase on the ca 
            >         key. 
            >         >         >         In my opinion having a
            passphtase only 
            >         makes limited 
            >         >         sense. 
            >         >         >         The passphrase would be
            encrypted in the 
            >         database. 
            >         >          Encrypted 
            >         >         >         with the encryption key,
            which is probably 
            >         only 
            >         >         protected by 
            >         >         >         file access. So you can
            protect the ca key 
            >         with file 
            >         >         access in 
            >         >         >         the first place. 
            >         >         >         
            >         >         >         
            >         >         >         Think of the local ca as
            a working proof 
            >         of concept 
            >         >          :-) 
            >         >         >         Any feedback and input
            is appreciated. 
            >         >         >         
            >         >         >         
            >         >         >         Kind regards 
            >         >         >         Cornelius 
            >         >         >         
            >         >         >         
            >         >         >         
            >         >         >         
            >         >         >         
            >         >         >         
            >         >         >         Cornelius Kölbel 
            >         >         >         +49 151 2960 1417 
            >         >         >         
            >         >         >         NetKnights GmbH 
            >         >         >         Http://NetKnights. It 
            >         >         >         +49 561 3166 797 
            >         >         >         
            >         >         >         
            >         >         >         
            >         >         >         
            >         >         >         -------- Ursprüngliche
            Nachricht -------- 
            >         >         >         Von: Michael Muenz
            <m.m...@gmail.com> 
            >         >         >         Datum: 07.06.16 10:04
            (GMT+01:00) 
            >         >         >         An: privacyidea 
            >         <priva...@googlegroups.com> 
            >         >         >         Betreff: Re:
            [privacyidea] CA Connector 
            >         can't 
            >         >         create 
            >         >         >         certificate 
            >         >         >         
            >         >         >         
            >         >         >         Ok, removed the line and
            it works again. 
            >         >         >         Now I can download the
            PKCS12. 
            >         >         >         
            >         >         >         
            >         >         >         But I had to remove the
            password from the 
            >         ca.key ... 
            >         >         will this 
            >         >         >         be the final version or
            do you plan some 
            >         fields in 
            >         >         the UI to 
            >         >         >         enter the password for
            the root-ca? 
            >         >         >         
            >         >         >         
            >         >         >         Michael 
            >         >         >         
            >         >         >         On Tuesday, June 7, 2016 at 9:59:06 AM UTC  +2,  Michael Muenz  wrote: 
            >         >         >                 I added the
            Jessie-Backports since 
            >         they 
            >         >         deliver 0.15, 
            >         >         >                 but when I
            wanted to install it, 
            >         it greps 
            >         >         >                 python-pyopenssl
            from the trusty 
            >         ppa and 
            >         >         brokes :) 
            >         >         >                 After that I
            forced it with 
            >         aptitude -t 
            >         >         >                 jessie-backports
            and now I get a 
            >         Internal 
            >         >         Server Error 
            >         >         >                 when accessing
            the startpage 
            >         >         >                 
            >         >         >                 
            >         >         >                 
            >         >         >                 
            >         >         >                 [Tue Jun 07
            09:53:37.895043 2016] 
            >         >         [wsgi:error] [pid 
            >         >         >                 489:tid 
            >         >         > 
            >         > 
            >
            139726979172096] /usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning: Unicode column received non-unicode default value. 
            > > > [Tue Jun 07 09:53:37.895273 2016] [wsgi:error] [pid 489:tid 139726979172096] default="/etc/privacyidea/dictionary")
            > > > [Tue Jun 07 09:53:37.921642 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Target WSGI script '/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
            > > > [Tue Jun 07 09:53:37.921834 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'.
            > > > [Tue Jun 07 09:53:37.921948 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] Traceback (most recent call last):
            > > > [Tue Jun 07 09:53:37.922116 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
            > > > [Tue Jun 07 09:53:37.922265 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from privacyidea.app import create_app
            > > > [Tue Jun 07 09:53:37.922359 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/app.py", line 28, in <module>
            > > > [Tue Jun 07 09:53:37.922952 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] import privacyidea.api.before_after
            > > > [Tue Jun 07 09:53:37.923097 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py", line 29, in <module>
            > > > [Tue Jun 07 09:53:37.923599 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from ..lib.user import get_user_from_param
            > > > [Tue Jun 07 09:53:37.923697 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", line 55, in <module>
            > > > [Tue Jun 07 09:53:37.924472 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from .resolver import (get_resolver_object,
            > > > [Tue Jun 07 09:53:37.924585 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py", line 47, in <module>
            > > > [Tue Jun 07 09:53:37.925108 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from config import (get_resolver_types,
            > > > [Tue Jun 07 09:53:37.925207 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", line 47, in <module>
            > > > [Tue Jun 07 09:53:37.926073 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from .caconnectors.localca import BaseCAConnector
            > > > [Tue Jun 07 09:53:37.926233 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173
            > > > [Tue Jun 07 09:53:37.926344 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] csr_extensions = csr_obj.get_extensions()
            > > > [Tue Jun 07 09:53:37.926499 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] ^
            > > > [Tue Jun 07 09:53:37.926583 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] IndentationError: unexpected indent
            > > >
            > > > I think I'm gonna reinstall from scratch ...
            > > >
            > > > On Monday, June 6, 2016 at 11:36:09 PM UTC+2, Cornelius Kölbel wrote:
            > > > > The CSR extensions are not used at the moment.
            > > > >
            > > > > So we could as well remove this line and then python-openssl 0.14 would work fine, again.
            > > > >
            > > > > Kind regards
            > > > > Cornelius
            > > > >
            > > > > On Monday, 06.06.2016, 13:20 -0700, Michael Muenz wrote:
            > > > > > ii openssl 1.0.1t-1+deb8u2 amd64 Secure Sockets Layer toolkit - cryptographic utility
            > > > > > ii python-openssl 0.14-1 all Python 2 wrapper around the OpenSSL library
            > > > > >
            > > > > > [2016-06-06 22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
            > > > > > [2016-06-06 22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
            > > > > > [2016-06-06 22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
            > > > > > [2016-06-06 22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
            > > > > > [2016-06-06 22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
            > > > > > [2016-06-06 22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
            > > > > > [2016-06-06 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
            > > > > > [2016-06-06 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
            > > > > > [2016-06-06 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
            > > > > > [2016-06-06 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
            > > > > > [2016-06-06 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
            > > > > > [2016-06-06 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
            > > > > > [2016-06-06 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
            > > > > > [2016-06-06 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
            > > > > > [2016-06-06 22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423] Exception on /token/init [POST]
            > > > > > Traceback (most recent call last):
            > > > > >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
            > > > > >     response = self.full_dispatch_request()
            > > > > >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
            > > > > >     rv = self.handle_user_exception(e)
            > > > > >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
            > > > > >     reraise(exc_type, exc_value, tb)
            > > > > >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
            > > > > >     rv = self.dispatch_request()
            > > > > >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
            > > > > >     return self.view_functions[rule.endpoint](**req.view_args)
            > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
            > > > > >     return wrapped_function(*args, **kwds)
            > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
            > > > > >     return wrapped_function(*args, **kwds)
            > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
            > > > > >     return wrapped_function(*args, **kwds)
            > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
            > > > > >     return wrapped_function(*args, **kwds)
            > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
            > > > > >     return wrapped_function(*args, **kwds)
            > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
            > > > > >     return wrapped_function(*args, **kwds)
            > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
            > > > > >     return wrapped_function(*args, **kwds)
            > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
            > > > > >     return wrapped_function(*args, **kwds)
            > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
            > > > > >     return wrapped_function(*args, **kwds)
            > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", line 57, in event_wrapper
            > > > > >     f_result = func(*args, **kwds)
            > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 180, in log_wrapper
            > > > > >     f_result = func(*args, **kwds)
            > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/token.py", line 186, in init
            > > > > >     tokenrealms=tokenrealms)
            > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", line 180, in log_wrapper
            > > > > >     f_result = func(*args, **kwds)
            > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", line 912, in init_token
            > > > > >     tokenobject.update(upd_params)
            > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py", line 218, in update
            > > > > >     crypto.FILETYPE_PEM, req))
            > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173, in sign_request
            > > > > >     csr_extensions = csr_obj.get_extensions()
            > > > > > AttributeError: 'X509Req' object has no attribute 'get_extensions'
            > > > > >
            > > > > > On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote:
            > > > > > > Hi,
            > > > > > >
            > > > > > > can you please post your privacyidea.log? There should be a traceback.
            > > > > > >
            > > > > > > Which version of pyopenssl and which version of openssl are you using?
            > > > > > >
            > > > > > > Kind regards
            > > > > > > Cornelius
            > > > > > >
            > > > > > > On Monday, 06.06.2016, 06:33 -0700, Michael Muenz wrote:
            > > > > > > > Hi,
            > > > > > > >
            > > > > > > > I've set up the WebCA as described in
            > > > > > > > http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html
            > > > > > > >
            > > > > > > > When I try to roll out a new certificate I get:
            > > > > > > > 'X509Req' object has no attribute 'get_extensions'
            > > > > > > >
            > > > > > > > There's no certificate but the token will be displayed within the token view.
            > > > > > > >
            > > > > > > > Google tells me about some "wont fixes" with PyOpenSSL.
            > > > > > > >
            > > > > > > > I'm using Debian 8 with latest packages from Trusty build.
            > > > > > > >
            >         >         >                         >
            > 
            >         >         >                         >
            > 
            >         >         >                         >
            > Any ideas? 
            >         >         >                         >
            > 
            >         >         >                         >
            > 
            >         >         >                         >
            > Thanks 
            >         >         >                         >
            > Michael 
    ...




Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel


Anyways: The PIN is not correctly set during the enrollment of the
token.
You need to

  1. set the PIN on the token details and then
  2. reload the token details.
    Then you can download the PKCS12 PIN protected.

Yay, you’re right. When I set the PIN again and reload it’s in there.
Shall I create an issue in github?

PKCS12 does not require to contain a CA certificate.

But why don’t you do that? The Root CA has to be specified within the UI,
so the filename is clear.
Then you have a clean path from Root to User CA when checking the
certificate.

On Wednesday, 13 July 2016 22:23:30 UTC+2, Cornelius Kölbel wrote:

Kind regards
Cornelius
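
Added example (not part of the thread and not privacyIDEA code): the two checks this exchange turns on, whether a PKCS12 file opens with an empty import password and whether it carries a CA certificate, run with the openssl CLI. The CA, the user certificate, the file names and the PIN are all constructed on the spot as assumptions for the demonstration.

```shell
#!/bin/sh
# Added example: every name, subject and the PIN below is constructed.
set -e

SAMPLE_PIN="constructed-pin-1234"   # stands in for the token PIN

# Build a throwaway CA, a user certificate signed by it, and two PKCS12 files.
make_samples() {
    dir=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=mimu" \
        -keyout "$dir/user.key" -out "$dir/user.csr" 2>/dev/null
    openssl x509 -req -in "$dir/user.csr" -days 1 \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -out "$dir/user.crt" 2>/dev/null
    # Case reported in the thread: user cert and key only, empty import password.
    openssl pkcs12 -export -inkey "$dir/user.key" -in "$dir/user.crt" \
        -out "$dir/bare.p12" -passout pass:
    # Same key material plus the issuing CA certificate, protected by the PIN.
    openssl pkcs12 -export -inkey "$dir/user.key" -in "$dir/user.crt" \
        -certfile "$dir/ca.crt" \
        -out "$dir/chain.p12" -passout "pass:$SAMPLE_PIN"
}

# Print the number of CA certificates in PKCS12 file $1, opened with password $2.
# openssl treats certificates without a matching private key as CA certificates.
count_ca_certs() {
    openssl pkcs12 -in "$1" -cacerts -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Succeed if PKCS12 file $1 can be opened with an empty import password.
opens_with_empty_password() {
    openssl pkcs12 -in "$1" -noout -passin pass: >/dev/null 2>&1
}

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
make_samples "$WORK"

for name in bare chain; do
    file="$WORK/$name.p12"
    if opens_with_empty_password "$file"; then
        pw=""
        state="opens with an EMPTY password"
    else
        pw=$SAMPLE_PIN
        state="requires the PIN"
    fi
    echo "$name.p12: $state, CA certificates inside: $(count_ca_certs "$file" "$pw")"
done
```

Run against a real export, a count of 0 from `count_ca_certs` corresponds to the empty `cacert.pem` shown in the thread.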

    > So, I created the CA as documented before and enrolled a certificate
    > token for user e.g. mimu.

    STOP. You say a complicated process very lightly in half a sentence?
    Please think about it yourself: How did you enroll the certificate
    token? There are many different ways to do so. This is important
    information - also to you!

    This is really what makes it very challenging for me to act on the
    mailing list. Because most people do not take a look at what they are
    doing.

OK, I set up a small article with some pictures, hopefully you can
follow me now, sorry for not being clear enough:

http://www.routerperformance.net/howtos/debug-certificates-in-privacyidea/

I checked the privacyidea.log, no traceback (the certificate token
gets created mostly perfect) and apache log is also quiet.

Thanks
Michael

    Here probably is your problem. "You enrolled the certificate token"...
    Did it ever come up to your mind, that the problem the certificate token
    does not behave as expected is due to the fact, that the token was not
    enrolled as you thought you would?
    So the logical consequence would be, to take a deeper look at the token
    enrollment process. And not only drop this topic in half a sentence.

    So again. How did you enroll the certificate token?

    I very much recommend for all of you to study physics!
    ...to train your analytic skills...

    Kind regards
    Cornelius
    
    > Now I can download the certificate as PKCS12. Normally this file
    > should include certificate, key and root cert.
    > With a doubleclick I can install the certificate (PKCS12) but when
    > asked for an import pw only an empty password works.
    >
    > Now, when opening the mmc snapin I can see the certificate under Own
    > Certificates. But there's no root ca installed.
    > That's why I tried to extract the root ca from the pkcs12 via openssl,
    > but it's empty.
    >
    > I'm quite sure that with a first test machine with Ubuntu ppa version
    > 2.12 it worked.
    > Now I'm using PiP 2.13
    >
    > Michael
    >
    > On Wednesday, 13 July 2016 18:23:27 UTC+2, Cornelius Kölbel wrote:
    >         The below mentioned link does not contain any pkcs12.
    >
    >         http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html
    >
    >         I am really not sure what you mean here.
    >
    >         Are you talking about the CA certificate, this is the certificate
    >         signing the others?
    >         Or are you talking about a "certificate token", i.e. a user
    >         certificate.
    >
    >         Which PKCS12 did you copy, export CA certificate?
    >         This all makes no sense to me.
    >
    >         But no problem, I also provide great PKI workshops:
    >         https://netknights.it/en/leistungen/one-time-services/
    >
    >         Please note: Certificates is a topic it is very important you
    >         understand the underlying processes, rules and cryptography.
    >         privacyIDEA has very basic certificate management capabilities.
    >         But I am happy, if you help to improve the software.
    >
    >         Kind regards
    >         Cornelius
    >
    >         On Wednesday, 13.07.2016, at 04:44 -0700, Michael Muenz wrote:
    >         > I copied the pkcs12 to the otp machine and exported the CA Cert but
    >         > it's empty.
    >         > There seems to be something wrong, but I'm not sure if it's my
    >         > fault. :/
    >         >
    >         > root@otp1:~# openssl pkcs12 -in CRT000032EE.p12 -cacerts -nokeys -out cacert.pem
    >         > Enter Import Password:
    >         > MAC verified OK
    >         > root@otp1:~# cat cacert.pem
    >         > root@otp1:~#
    >         >
    >         > Did the same with an existing .p12 created for another project and the
    >         > correct root ca was exported.
    >         >
    >         > On Wednesday, 13 July 2016 13:25:22 UTC+2, Michael Muenz wrote:
    >         >         Hm, I followed now:
    >         >         http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html
    >         >
    >         >         mkdir /etc/privacyidea/CA
    >         >         cp /opt/privacyidea/lib/python2.7/site-packages/tests/testdata/ca/openssl.cnf /etc/privacyidea/CA/
    >         >
    >         >         openssl req -days 3650 -new -x509 -keyout /etc/privacyidea/CA/ca.key \
    >         >             -out /etc/privacyidea/CA/ca.crt \
    >         >             -config /etc/privacyidea/CA/openssl.cnf
    >         >
    >         >         chmod 0600 /etc/privacyidea/CA/ca.key
    >         >         touch /etc/privacyidea/CA/index.txt
    >         >         echo 01 > /etc/privacyidea/CA/serial
    >         >         openssl rsa -in ca.key -out ca-nopw.key
    >         >         mv ca-nopw.key ca.key
    >         >         chown -R privacyidea /etc/privacyidea/CA
    >         >
    >         >         I enroll a certificate and set a PW in the PIN field, but I
    >         >         can import it successfully with my W10
    >         >
    >         >         On Wednesday, 13 July 2016 12:50:38 UTC+2, Cornelius Kölbel wrote:
    >         >                 You should clearly state HOW you created the user
    >         >                 certificate.
    >         >                 Especially HOW you created the keypair!
    >         >
    >         >                 On Wednesday, 13.07.2016, at 03:39 -0700, Michael Muenz wrote:
    >         >                 > :)
    >         >                 >
    >         >                 > No, I removed the password after our last discussion
    >         >                 > (for the testing system)
    >         >                 >
    >         >                 > The certificates get created and I can import them,
    >         >                 > but they don't have a password.
    >         >                 >
    >         >                 > On Wednesday, 13 July 2016 12:38:14 UTC+2, Cornelius Kölbel wrote:
    >         >                 >         To avoid confusion:
    >         >                 >
    >         >                 >         The private key of the CA is not password protected!
    >         >                 >
    >         >                 >         Kind regards
    >         >                 >         Cornelius
    >         >                 >
    >         >                 >         On Wednesday, 13.07.2016, at 03:37 -0700, Michael Muenz wrote:
    >         >                 >         > Hi,
    >         >                 >         >
    >         >                 >         > doesn't work for me.
    >         >                 >         >
    >         >                 >         > Hm, with my first setup I remember that it was working, but
    >         >                 >         > now when importing an existing CA there are no import pw's.
    >         >                 >         >
    >         >                 >         > Will try again with a CA from scratch.
    >         >                 >         >
    >         >                 >         > On Wednesday, 13 July 2016 12:16:14 UTC+2, Cornelius Kölbel wrote:
    >         >                 >         >         Hi Michael,
    >         >                 >         >
    >         >                 >         >         this already can be done.
    >         >                 >         >         When setting the token PIN, this will be the password for the
    >         >                 >         >         pkcs12 file.
    >         >                 >         >
    >         >                 >         >         Kind regards
    >         >                 >         >         Cornelius
    >         >                 >         >
    >         >                 >         >         On Wednesday, 13.07.2016, at 02:45 -0700, Michael Muenz wrote:
    >         >                 >         >         > Hi,
    >         >                 >         >         >
    >         >                 >         >         > Again playing around with the CA connector.
    >         >                 >         >         > Are there any plans for setting an import password for the
    >         >                 >         >         > generated PKCS12 files?
    >         >                 >         >         >
    >         >                 >         >         > Thanks
    >         >                 >         >         > Michael
    >         >                 >         >         >
    >         >                 >         >         > On Tuesday, 7 June 2016 10:15:14 UTC+2, Cornelius Kölbel wrote:
    >         >                 >         >         >         Hi Michael,
    >         >                 >         >         >
    >         >                 >         >         >         I was thinking the passphrase on the ca key.
    >         >                 >         >         >         In my opinion having a passphrase only makes limited sense.
    >         >                 >         >         >         The passphrase would be encrypted in the database. Encrypted
    >         >                 >         >         >         with the encryption key, which is probably only protected by
    >         >                 >         >         >         file access. So you can protect the ca key with file access in
    >         >                 >         >         >         the first place.
    >         >                 >         >         >
    >         >                 >         >         >         Think of the local ca as a working proof of concept :-)
    >         >                 >         >         >         Any feedback and input is appreciated.
    >         >                 >         >         >
    >         >                 >         >         >         Kind regards
    >         >                 >         >         >         Cornelius
    >         >                 >         >         >
    >         >                 >         >         >         Cornelius Kölbel
    >         >                 >         >         >         +49 151 2960 1417
    >         >                 >         >         >
    >         >                 >         >         >         NetKnights GmbH
    >         >                 >         >         >         Http://NetKnights. It
    >         >                 >         >         >         +49 561 3166 797
    >         >                 >         >         >
    >         >                 >         >         >         -------- Original message --------
    >         >                 >         >         >         From: Michael Muenz <m.m...@gmail.com>
    >         >                 >         >         >         Date: 07.06.16 10:04 (GMT+01:00)
    >         >                 >         >         >         To: privacyidea <priva...@googlegroups.com>
    >         >                 >         >         >         Subject: Re: [privacyidea] CA Connector can't create certificate
    >         >                 >         >         >
    >         >                 >         >         >         Ok, removed the line and it works again.
    >         >                 >         >         >         Now I can download the PKCS12.
    >         >                 >         >         >
    >         >                 >         >         >         But I had to remove the password from the ca.key ... will this
    >         >                 >         >         >         be the final version or do you plan some fields in the UI to
    >         >                 >         >         >         enter the password for the root-ca?
    >         >                 >         >         >
    >         >                 >         >         >         Michael
    >         >                 >         >         >
    >         >                 >         >         >         On Tuesday, June 7, 2016 at 9:59:06 AM UTC+2, Michael Muenz wrote:
    >         >                 >         >         >         I added the Jessie-Backports since they deliver 0.15,
    >         >                 >         >         >         but when I wanted to install it, it greps
    >         >                 >         >         >         python-pyopenssl from the trusty ppa and breaks :)
    >         >                 >         >         >         After that I forced it with aptitude -t
    >         >                 >         >         >         jessie-backports and now I get an Internal Server Error
    >         >                 >         >         >         when accessing the startpage
    >         >                 >         >         >
    > > > > > [Tue Jun 07 09:53:37.895043 2016] [wsgi:error] [pid 489:tid 139726979172096] /usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning: Unicode column received non-unicode default value.
    > > > > > [Tue Jun 07 09:53:37.895273 2016] [wsgi:error] [pid 489:tid 139726979172096] default="/etc/privacyidea/dictionary")
    > > > > > [Tue Jun 07 09:53:37.921642 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Target WSGI script '/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
    > > > > > [Tue Jun 07 09:53:37.921834 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'.
    > > > > > [Tue Jun 07 09:53:37.921948 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] Traceback (most recent call last):
    > > > > > [Tue Jun 07 09:53:37.922116 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
    > > > > > [Tue Jun 07 09:53:37.922265 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from privacyidea.app import create_app
    > > > > > [Tue Jun 07 09:53:37.922359 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/app.py", line 28, in <module>
    > > > > > [Tue Jun 07 09:53:37.922952 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] import privacyidea.api.before_after
    > > > > > [Tue Jun 07 09:53:37.923097 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py", line 29, in
    > > > > > [Tue Jun 07 09:53:37.923599 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from ..lib.user import get_user_from_param
    > > > > > [Tue Jun 07 09:53:37.923697 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", line 55, in <module>
    > > > > > [Tue Jun 07 09:53:37.924472 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from .resolver import (get_resolver_object,
    > > > > > [Tue Jun 07 09:53:37.924585 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py", line 47, in
    > > > > > [Tue Jun 07 09:53:37.925108 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from config import (get_resolver_types,
    > > > > > [Tue Jun 07 09:53:37.925207 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", line 47, in <module>
    > > > > > [Tue Jun 07 09:53:37.926073 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from .caconnectors.localca import BaseCAConnector
    > > > > > [Tue Jun 07 09:53:37.926233 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173
    > > > > > [Tue Jun 07 09:53:37.926344 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] csr_extensions = csr_obj.get_extensions()
    > > > > > [Tue Jun 07 09:53:37.926499 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] ^
    > > > > > [Tue Jun 07 09:53:37.926583 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] IndentationError: unexpected indent
    > > > > >
    > > > > > I think I'm gonna reinstall from scratch ...
    > > > > >
    > > > > > On Monday, June 6, 2016 at 11:36:09 PM UTC+2, Cornelius Kölbel wrote:
    > > > > > > The CSR extensions are not used at the moment.
    > > > > > >
    > > > > > > So we could as well remove this line and then python-openssl 0.14 would work fine, again.
    > > > > > >
    > > > > > > Kind regards
    > > > > > > Cornelius
    > > > > > >
    > > > > > > On Monday, 06.06.2016, 13:20 -0700, Michael Muenz wrote:
    > > > > > > > ii openssl 1.0.1t-1+deb8u2 amd64
    > > > > > > > Secure Sockets Layer toolkit - cryptographic utility
    > > > > > > > ii python-openssl 0.14-1 all
    > > > > > > > Python 2 wrapper around the OpenSSL library
    > > > > > > >
    > > > > > > > [2016-06-06 22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
    > > > > > > > [2016-06-06 22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
    > > > > > > > [2016-06-06 22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
    > > > > > > > [2016-06-06 22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
    > > > > > > > [2016-06-06 22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
    > > > > > > > [2016-06-06 22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
    > > > > > > > [2016-06-06 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
    > > > > > > > [2016-06-06 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
    > > > > > > > [2016-06-06 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
    > > > > > > > [2016-06-06 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
    > > > > > > > [2016-06-06 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
    > > > > > > > [2016-06-06 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
    > > > > > > > [2016-06-06 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
    > > > > > > > [2016-06-06 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
    > > > > > > > [2016-06-06 22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423] Exception on /token/init [POST]
    > > > > > > > Traceback (most recent call last):
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1817, in wsgi_app
    > > > > > > >     response = self.full_dispatch_request()
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1477, in full_dispatch_request
    > > > > > > >     rv = self.handle_user_exception(e)
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1381, in handle_user_exception
    > > > > > > >     reraise(exc_type, exc_value, tb)
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    > > > > > > >     rv = self.dispatch_request()
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/flask/app.py", line 1461, in dispatch_request
    > > > > > > >     return self.view_functions[rule.endpoint](**req.view_args)
    > > > > > > >   File "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", line 104, in policy_wrapper
    > > > > > > >     return wrapped_function(*args, **kwds)
    >         >                 >         >         > 
    >         > 
    >         >                 File 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    > 

“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,

    >         >                 >         >         > 
    >         > line 
    >         >                 104, in 
    >         >                 >         policy_wrapper 
    >         >                 >         >         > 
    >         > 
    >         >                 return 
    >         >                 >         wrapped_function(*args, 
    >         >                 >         >         **kwds) 
    >         >                 >         >         > 
    >         > 
    >         >                 File 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    > 

“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,

    >         >                 >         >         > 
    >         > line 
    >         >                 104, in 
    >         >                 >         policy_wrapper 
    >         >                 >         >         > 
    >         > 
    >         >                 return 
    >         >                 >         wrapped_function(*args, 
    >         >                 >         >         **kwds) 
    >         >                 >         >         > 
    >         > 
    >         >                 File 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    > 

“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,

    >         >                 >         >         > 
    >         > line 
    >         >                 104, in 
    >         >                 >         policy_wrapper 
    >         >                 >         >         > 
    >         > 
    >         >                 return 
    >         >                 >         wrapped_function(*args, 
    >         >                 >         >         **kwds) 
    >         >                 >         >         > 
    >         > 
    >         >                 File 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    > 

“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,

    >         >                 >         >         > 
    >         > line 
    >         >                 104, in 
    >         >                 >         policy_wrapper 
    >         >                 >         >         > 
    >         > 
    >         >                 return 
    >         >                 >         wrapped_function(*args, 
    >         >                 >         >         **kwds) 
    >         >                 >         >         > 
    >         > 
    >         >                 File 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    > 

“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,

    >         >                 >         >         > 
    >         > line 
    >         >                 104, in 
    >         >                 >         policy_wrapper 
    >         >                 >         >         > 
    >         > 
    >         >                 return 
    >         >                 >         wrapped_function(*args, 
    >         >                 >         >         **kwds) 
    >         >                 >         >         > 
    >         > 
    >         >                 File 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    > 

“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,

    >         >                 >         >         > 
    >         > line 
    >         >                 104, in 
    >         >                 >         policy_wrapper 
    >         >                 >         >         > 
    >         > 
    >         >                 return 
    >         >                 >         wrapped_function(*args, 
    >         >                 >         >         **kwds) 
    >         >                 >         >         > 
    >         > 
    >         >                 File 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    > 

“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,

    >         >                 >         >         > 
    >         > line 
    >         >                 104, in 
    >         >                 >         policy_wrapper 
    >         >                 >         >         > 
    >         > 
    >         >                 return 
    >         >                 >         wrapped_function(*args, 
    >         >                 >         >         **kwds) 
    >         >                 >         >         > 
    >         > 
    >         >                 File 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    > 

“/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py”,

    >         >                 >         >         > 
    >         > line 
    >         >                 104, in 
    >         >                 >         policy_wrapper 
    >         >                 >         >         > 
    >         > 
    >         >                 return 
    >         >                 >         wrapped_function(*args, 
    >         >                 >         >         **kwds) 
    >         >                 >         >         > 
    >         > 
    >         >                 File 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    > 
    "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", 
    >         >                 >         >         > 
    >         > line 
    >         >                 57, in 
    >         >                 >         event_wrapper 
    >         >                 >         >         > 
    >         > 
    >         >                 f_result = 
    >         >                 >         func(*args, 
    >         >                 >         >         **kwds) 
    >         >                 >         >         > 
    >         > 
    >         >                 File 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    > 
    "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", 
    >         >                 >         >         line 
    >         >                 >         >         > 
    >         > 180, 
    >         >                 in log_wrapper 
    >         >                 >         >         > 
    >         > 
    >         >                 f_result = 
    >         >                 >         func(*args, 
    >         >                 >         >         **kwds) 
    >         >                 >         >         > 
    >         > 
    >         >                 File 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    > 
    "/usr/lib/python2.7/dist-packages/privacyidea/api/token.py", 
    >         >                 >         >         > 
    >         > line 
    >         >                 186, in init 
    >         >                 >         >         > 
    >         > 
    >         >                 > 
    tokenrealms=tokenrealms) 
    >         >                 >         >         > 
    >         > 
    >         >                 File 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    > 
    "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", 
    >         >                 >         >         line 
    >         >                 >         >         > 
    >         > 180, 
    >         >                 in log_wrapper 
    >         >                 >         >         > 
    >         > 
    >         >                 f_result = 
    >         >                 >         func(*args, 
    >         >                 >         >         **kwds) 
    >         >                 >         >         > 
    >         > 
    >         >                 File 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    > 
    "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", 
    >         >                 >         >         > 
    >         > line 
    >         >                 912, in init_token 
    >         >                 >         >         > 
    >         > 
    >         >                 >         > 
    >         tokenobject.update(upd_params) 
    >         >                 >         >         > 
    >         > 
    >         >                 File 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    > 

“/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py”,
line 218, in update

    >         >                 >         >         > 
    >         > 
    >         >                 crypto.FILETYPE_PEM, 
    >         >                 >         req)) 
    >         >                 >         >         > 
    >         > 
    >         >                 File 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         >                 >         > 
    >         >                 > 
    >         > 
    > 

“/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py”,
line 173, in sign_request

    >         >                 >         >         > 
    >         > 
    >         >                 csr_extensions = 
    >         >                 >         >         > 
    >         >                 csr_obj.get_extensions() 
    >         >                 >         >         > 
    >         > 
    >         >                 AttributeError: 
    >         >                 >         'X509Req' object 
    >         >                 >         >         has no 
    >         >                 >         >         > 
    >         >                 attribute 
    >         >                 >         'get_extensions' 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >         > 
    >         >                 >         >         > 
    >
    > On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote:
    > > Hi,
    > >
    > > can you please post your privacyidea.log?
    > > There should be a traceback.
    > >
    > > Which version of pyopenssl and which version of openssl are you using?
    > >
    > > Kind regards
    > > Cornelius
    > >
    > > On Monday, 06.06.2016, 06:33 -0700, Michael Muenz wrote:
    > > > Hi,
    > > >
    > > > I've set up the WebCA as described in
    > > > http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html
    > > >
    > > > When I try to roll out a new certificate I get:
    > > > 'X509Req' object has no attribute 'get_extensions'
    > > >
    > > > There's no certificate but the token will be displayed within the token view.
    > > >
    > > > Google tells me about some "wont fixes" with PyOpenSSL.
    > > >
    > > > I'm using Debian 8 with latest packages from Trusty build.
    > > >
    > > > Any ideas?
    > > >
    > > > Thanks
    > > > Michael
    > >
    > > --
    > > Cornelius Kölbel
    > > corneliu...@netknights.it
    > > +49 151 2960 1417
    > >
    > > NetKnights GmbH
    > > http://www.netknights.it
    > > Landgraf-Karl-Str. 19, 34131 Kassel, Germany
    > > Tel: +49 561 3166797, Fax: +49 561 3166798
    > >
    > > Amtsgericht Kassel, HRB 16405
    > > Managing Director: Cornelius Kölbel
    >         >                 >         >         > 
    >         >                 subscribed to the Google 
    >         >                 >         >         > 
    >         > Groups 
    >         >                 "privacyidea" 
    >         >                 >         group. 
    >         >                 >         >         > 
    >         > To 
    >         >                 unsubscribe from this 
    >         >                 >         group and 
    >         >                 >         >         stop 
    >         >                 >         >         > 
    >         >                 receiving emails from it, 
    >         >                 >         send 
    >         >                 >         >         > 
    >         > an 
    >         >                 email to 
    >         >                 >         >         > 
    >         >                 > 
    privacyidea...@googlegroups.com. 
    >         >                 >         >         > 
    >         > To 
    >         >                 post to this group, 
    >         >                 >         send email 
    >         >                 >         >         to 
    >         >                 >         >         > 
    >         >                 > 
    priva...@googlegroups.com. 
    >         >                 >         >         > 
    >         > Visit 
    >         >                 this group at 
    >         >                 >         >         > 
    >         >                 >         >         
    >         >         ... 
    >         > -- 
    >         > Please read the blog post about getting help 
    >         > https://www.privacyidea.org/getting-help/. 
    >         >   
    >         > For professional services and consultancy 
    regarding two 
    >         factor 
    >         > authentication please visit 
    >         > 
    https://netknights.it/en/leistungen/one-time-services/ 
    >         >   
    >         > In an enterprise environment you should get a 
    SERVICE LEVEL 
    >         AGREEMENT 
    >         > which suites your needs for SECURITY, AVAILABILITY 
    and 
    >         LIABILITY: 
    >         > 
    > 
    https://netknights.it/en/leistungen/service-level-agreements/ 
    >         > --- 
    >         > You received this message because you are 
    subscribed to the 
    >         Google 
    >         > Groups "privacyidea" group. 
    >         > To unsubscribe from this group and stop receiving 
    emails 
    >         from it, send 
    >         > an email to privacyidea...@googlegroups.com. 
    >         > To post to this group, send email to 
    >         priva...@googlegroups.com. 
    >         > Visit this group at 
    >         https://groups.google.com/group/privacyidea. 
    >         > To view this discussion on the web visit 
    >         > 
    > 

https://groups.google.com/d/msgid/privacyidea/91212e60-bed1-45dc-8e3b-45ee56faa34b%40googlegroups.com.

    >         > For more options, visit 
    https://groups.google.com/d/optout. 
    >         
    >         -- 
    >         Cornelius Kölbel 
    >         corneliu...@netknights.it 
    >         +49 151 2960 1417 
    >         
    >         NetKnights GmbH 
    >         http://www.netknights.it 
    >         Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    >         Tel: +49 561 3166797, Fax: +49 561 3166798 
    >         
    >         Amtsgericht Kassel, HRB 16405 
    >         Geschäftsführer: Cornelius Kölbel 
    >         
    >         
    > -- 
    > Please read the blog post about getting help 
    > https://www.privacyidea.org/getting-help/. 
    >   
    > For professional services and consultancy regarding two 
    factor 
    > authentication please visit 
    > https://netknights.it/en/leistungen/one-time-services/ 
    >   
    > In an enterprise environment you should get a SERVICE LEVEL 
    AGREEMENT 
    > which suites your needs for SECURITY, AVAILABILITY and 
    LIABILITY: 
    > 
    https://netknights.it/en/leistungen/service-level-agreements/ 
    > --- 
    > You received this message because you are subscribed to the 
    Google 
    > Groups "privacyidea" group. 
    > To unsubscribe from this group and stop receiving emails 
    from it, send 
    > an email to privacyidea...@googlegroups.com. 
    > To post to this group, send email to 
    priva...@googlegroups.com. 
    > Visit this group at 
    https://groups.google.com/group/privacyidea. 
    > To view this discussion on the web visit 
    > 

https://groups.google.com/d/msgid/privacyidea/df8a609c-66f5-4d1b-be20-27e7f0daaf32%40googlegroups.com.

    > For more options, visit https://groups.google.com/d/optout. 
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 


Please read the blog post about getting help
https://www.privacyidea.org/getting-help/.

For professional services and consultancy regarding two factor
authentication please visit
https://netknights.it/en/leistungen/one-time-services/

In an enterprise environment you should get a SERVICE LEVEL AGREEMENT
which suits your needs for SECURITY, AVAILABILITY and LIABILITY:
https://netknights.it/en/leistungen/service-level-agreements/

You received this message because you are subscribed to the Google
Groups “privacyidea” group.
To unsubscribe from this group and stop receiving emails from it, send
an email to privacyidea...@googlegroups.com.
To post to this group, send email to priva...@googlegroups.com.
Visit this group at https://groups.google.com/group/privacyidea.
To view this discussion on the web visit

https://groups.google.com/d/msgid/privacyidea/6366a308-d759-4698-b199-e5af5f13d6b8%40googlegroups.com.

For more options, visit https://groups.google.com/d/optout.


Cornelius Kölbel
corneliu...@netknights.it
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel

    Anyways: The PIN is not correctly set during the enrollment of the
    token.
    You need to
    1. set the PIN on the token details and then
    2. reload the token details.
    Then you can download the PKCS12 PIN protected.

Yay, you’re right. When I set the PIN again and reload it’s in there.
Shall I create an issue in github?

    PKCS12 does not require to contain a CA certificate.

But why don’t you do that?

Two hands?
24 hours? :wink:

You are free to issue an issue or a pull request or order this feature.
It sounds sensible to me.

Kind regards
Cornelius

On Wednesday, 13.07.2016, 13:42 -0700, Michael Muenz wrote:

On Wednesday, 13 July 2016 22:23:30 UTC+2, Cornelius Kölbel wrote:

The Root CA has to be specified within the UI, so the filename is
clear.
Then you have a clean path from Root to User CA when checking the
certificate.

    Kind regards 
    Cornelius 
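
The two points made in this exchange (the token PIN becomes the PKCS12 import password, and a PKCS12 is not required to carry a CA certificate) can be checked on any .p12 file with the openssl CLI. The script below is an added example, not part of the original messages and not privacyIDEA code; the throwaway CA, the PIN `1234`, the file names and all function names are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example with a constructed throwaway PKI; nothing here comes from a
# real privacyIDEA installation. User name, PIN and file names are samples.
set -eu

# Create a demo root CA plus a user key/certificate signed by it in dir $1.
make_demo_pki() {
    local d=$1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Root CA" \
        -keyout "$d/ca.key" -out "$d/ca.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=mimu" \
        -keyout "$d/user.key" -out "$d/user.csr" 2>/dev/null
    openssl x509 -req -in "$d/user.csr" -CA "$d/ca.crt" -CAkey "$d/ca.key" \
        -set_serial 1 -days 1 -out "$d/user.crt" 2>/dev/null
}

# Export the user key + cert from dir $1 to file $2 with password $3.
# If a CA certificate file is given as $4 it is bundled into the container.
export_p12() {
    local d=$1 out=$2 pw=$3 ca=${4:-}
    if [ -n "$ca" ]; then
        openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.crt" \
            -certfile "$ca" -passout "pass:$pw" -out "$out"
    else
        openssl pkcs12 -export -inkey "$d/user.key" -in "$d/user.crt" \
            -passout "pass:$pw" -out "$out"
    fi
}

# Print how many CA certificates container $1 (password $2) carries.
# This is the same "-cacerts -nokeys" query used in the thread.
count_ca_certs() {
    openssl pkcs12 -in "$1" -cacerts -nokeys -passin "pass:$2" 2>/dev/null \
        | grep -c 'BEGIN CERTIFICATE' || true
}

# Succeed only if container $1 opens (its MAC verifies) with password $2.
opens_with_password() {
    openssl pkcs12 -in "$1" -noout -passin "pass:$2" >/dev/null 2>&1
}

# Succeed only if the user certificate in container $1 (password $2) chains
# to a CA certificate bundled in that same container.
chain_verifies_from_bundle() {
    local p12=$1 pw=$2 tmp rc=0
    tmp=$(mktemp -d)
    openssl pkcs12 -in "$p12" -cacerts -nokeys -passin "pass:$pw" \
        -out "$tmp/ca.pem" 2>/dev/null
    openssl pkcs12 -in "$p12" -clcerts -nokeys -passin "pass:$pw" \
        -out "$tmp/user.pem" 2>/dev/null
    if grep -q 'BEGIN CERTIFICATE' "$tmp/ca.pem"; then
        openssl verify -CAfile "$tmp/ca.pem" "$tmp/user.pem" >/dev/null 2>&1 || rc=1
    else
        rc=1   # empty CA output, as seen with "cat cacert.pem" in the thread
    fi
    rm -rf "$tmp"
    return $rc
}

# Build both variants and report what an importing client would see.
run_demo() {
    local d f pw
    d=$(mktemp -d)
    make_demo_pki "$d"
    export_p12 "$d" "$d/empty-pw-no-ca.p12" ""
    export_p12 "$d" "$d/pin-with-ca.p12" "1234" "$d/ca.crt"
    for f in empty-pw-no-ca: pin-with-ca:1234; do
        pw=${f#*:}; f=${f%%:*}
        printf '%s: CA certs=%s' "$f" "$(count_ca_certs "$d/$f.p12" "$pw")"
        if opens_with_password "$d/$f.p12" ""; then
            printf ', opens with EMPTY password'
        else
            printf ', empty password rejected'
        fi
        if chain_verifies_from_bundle "$d/$f.p12" "$pw"; then
            printf ', chain verifies from bundle\n'
        else
            printf ', no root in container to verify against\n'
        fi
    done
    rm -rf "$d"
}

run_demo
```

A container that opens with an empty password leaves the private key protected only by file access, so the empty-password check is worth running on every exported .p12 before it leaves the server.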
    > > > So, I created the CA as documented before and enrolled a
    > > > certificate token for user e.g. mimu.
    > >
    > > STOP. You say a complicated process very lightly in half a sentence?
    > > Please think about it yourself: How did you enroll the certificate
    > > token? There are many different ways to do so. This is important
    > > information - also to you!
    > >
    > > This is really what makes it very challenging for me to act on the
    > > mailing list. Because most people do not take a look at what they are
    > > doing.
    >
    > OK, I set up a small article with some pictures, hopefully you can
    > follow me now, sorry for not being clear enough:
    > http://www.routerperformance.net/howtos/debug-certificates-in-privacyidea/
    >
    > I checked the privacyidea.log, no traceback (the certificate token
    > gets created mostly perfect) and apache log is also quiet.
    >
    > Thanks
    > Michael
    >
    > > Here probably is your problem. "You enrolled the certificate token"...
    > > Did it ever come up to your mind, that the problem the certificate
    > > token does not behave as expected is due to the fact, that the token
    > > was not enrolled as you thought you would?
    > > So the logical consequence would be, to take a deeper look at the
    > > token enrollment process. And not only drop this topic in half a
    > > sentence.
    > >
    > > So again. How did you enroll the certificate token?
    > >
    > > I very much recommend for all of you to study physics!
    > > ...to train your analytic skills...
    > >
    > > Kind regards
    > > Cornelius
    >         
    > > > Now I can download the certificate as PKCS12. Normally this file
    > > > should include certificate, key and root cert.
    > > > With a doubleclick I can install the certificate (PKCS12) but when
    > > > asked for an import pw only an empty password works.
    > > >
    > > > Now, when opening the mmc snapin I can see the certificate under Own
    > > > Certificates. But there's no root ca installed.
    > > > That's why I tried to extract the root ca from the pkcs12 via openssl,
    > > > but it's empty.
    > > >
    > > > I'm quite sure that with a first test machine with Ubuntu ppa version
    > > > 2.12 it worked.
    > > > Now I'm using PiP 2.13
    > > >
    > > > Michael
    > > >
    > > > On Wednesday, 13 July 2016 18:23:27 UTC+2, Cornelius Kölbel wrote:
    > > > > The below mentioned link does not contain any pkcs12.
    > > > > http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html
    > > > >
    > > > > I am really not sure what you mean here.
    > > > >
    > > > > Are you talking about the CA certificate, this is the certificate
    > > > > signing the others?
    > > > > Or are you talking about a "certificate token", i.e. a user
    > > > > certificate.
    > > > >
    > > > > Which PKCS12 did you copy, export CA certificate?
    > > > > This all makes no sense to me.
    > > > >
    > > > > But no problem, I also provide great PKI workshops:
    > > > > https://netknights.it/en/leistungen/one-time-services/
    > > > >
    > > > > Please note: Certificates is a topic it is very important you
    > > > > understand the underlying processes, rules and cryptography.
    > > > > privacyIDEA has very basic certificate management capabilities.
    > > > > But I am happy, if you help to improve the software.
    > > > >
    > > > > Kind regards
    > > > > Cornelius
    > > > >
    > > > > On Wednesday, 13.07.2016, 04:44 -0700, Michael Muenz wrote:
    > > > > > I copied the pkcs12 to the otp machine and exported the CA Cert but
    > > > > > it's empty.
    > > > > > There seems to be something wrong, but I'm not sure if it's my
    > > > > > fault. :/
    > > > > >
    > > > > > root@otp1:~# openssl pkcs12 -in CRT000032EE.p12 -cacerts -nokeys -out cacert.pem
    > > > > > Enter Import Password:
    > > > > > MAC verified OK
    > > > > > root@otp1:~# cat cacert.pem
    > > > > > root@otp1:~#
    > > > > >
    > > > > > Did the same with an existing .p12 created for another project and
    > > > > > the correct root ca was exported.
    > > > > >
    > > > > > On Wednesday, 13 July 2016 13:25:22 UTC+2, Michael Muenz wrote:
    > > > > > > Hm, I followed now:
    > > > > > > http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html
    > > > > > >
    > > > > > > mkdir /etc/privacyidea/CA
    > > > > > > cp /opt/privacyidea/lib/python2.7/site-packages/tests/testdata/ca/openssl.cnf /etc/privacyidea/CA/
    > > > > > >
    > > > > > > openssl req -days 3650 -new -x509 -keyout /etc/privacyidea/CA/ca.key \
    > > > > > >     -out /etc/privacyidea/CA/ca.crt \
    > > > > > >     -config /etc/privacyidea/CA/openssl.cnf
    > > > > > >
    > > > > > > chmod 0600 /etc/privacyidea/CA/ca.key
    > > > > > > touch /etc/privacyidea/CA/index.txt
    > > > > > > echo 01 > /etc/privacyidea/CA/serial
    > > > > > > openssl rsa -in ca.key -out ca-nopw.key
    > > > > > > mv ca-nopw.key ca.key
    > > > > > > chown -R privacyidea /etc/privacyidea/CA
    > > > > > >
    > > > > > > I enroll a certificate and set a PW in the PIN field, but I
    > > > > > > can import it successfully with my W10
    > > > > > >
    > > > > > > On Wednesday, 13 July 2016 12:50:38 UTC+2, Cornelius Kölbel wrote:
    > > > > > > > You should clearly state HOW you created the user
    > > > > > > > certificate.
    > > > > > > > Especially HOW you created the keypair!
    > > > > > > >
    > > > > > > > On Wednesday, 13.07.2016, 03:39 -0700, Michael Muenz wrote:
    > > > > > > > > :)
    > > > > > > > >
    > > > > > > > > No, I removed the password after our last discussion
    > > > > > > > > (for the testing system)
    > > > > > > > >
    > > > > > > > > The certificates get created and I can import them,
    > > > > > > > > but they don't have a password.
    > > > > > > > >
    > > > > > > > > On Wednesday, 13 July 2016 12:38:14 UTC+2, Cornelius Kölbel wrote:
    > > > > > > > > > To avoid confusion:
    > > > > > > > > >
    > > > > > > > > > The private key of the CA is not password protected!
    > > > > > > > > >
    > > > > > > > > > Kind regards
    > > > > > > > > > Cornelius
    > > > > > > > > >
    > > > > > > > > > On Wednesday, 13.07.2016, 03:37 -0700, Michael Muenz wrote:
    > > > > > > > > > > Hi,
    > > > > > > > > > >
    > > > > > > > > > > doesn't work for me.
    > > > > > > > > > >
    > > > > > > > > > > Hm, with my first setup I remember that it was working,
    > > > > > > > > > > but now when importing an existing CA there are no
    > > > > > > > > > > import pw's.
    > > > > > > > > > >
    > > > > > > > > > > Will try again with a CA from scratch.
    > > > > > > > > > >
    > > > > > > > > > > On Wednesday, 13 July 2016 12:16:14 UTC+2, Cornelius Kölbel wrote:
    > > > > > > > > > > > Hi Michael,
    > > > > > > > > > > >
    > > > > > > > > > > > this already can be done.
    > > > > > > > > > > > When setting the token PIN, this will be the password
    > > > > > > > > > > > for the pkcs12 file.
    > > > > > > > > > > >
    > > > > > > > > > > > Kind regards
    > > > > > > > > > > > Cornelius
    > > > > > > > > > > >
    > > > > > > > > > > > On Wednesday, 13.07.2016, 02:45 -0700, Michael Muenz wrote:
    > > > > > > > > > > > > Hi,
    > > > > > > > > > > > >
    > > > > > > > > > > > > Again playing around with the CA connector.
    > > > > > > > > > > > > Are there any plans for setting an import password
    > > > > > > > > > > > > for the generated PKCS12 files?
    > > > > > > > > > > > >
    > > > > > > > > > > > > Thanks
    > > > > > > > > > > > > Michael
    > > > > > > > > > > > >
    > > > > > > > > > > > > On Tuesday, 7 June 2016 10:15:14 UTC+2, Cornelius Kölbel wrote:
    >         >         >                 >         >         >
    Hi 
    >         Michael, 
    >         >         >                 >         >         >
          
    >         >         >                 >         >         >
          
    >         >         >                 >         >         >
    I 
    >         was thinking 
    >         >         the 
    >         >         >                 passphrase on the ca 
    >         >         >                 >         key. 
    >         >         >                 >         >         >
    In 
    >         my opinion 
    >         >         having a 
    >         >         >                 passphtase only 
    >         >         >                 >         makes limited 
    >         >         >                 >         >
    sense. 
    >         >         >                 >         >         >
    The 
    >         passphrase 
    >         >         would be 
    >         >         >                 encrypted in the 
    >         >         >                 >         database. 
    >         >         >                 >         >
     Encrypted 
    >         >         >                 >         >         >
    with 
    >         the 
    >         >         encryption key, 
    >         >         >                 which is probably 
    >         >         >                 >         only 
    >         >         >                 >         >
    protected by 
    >         >         >                 >         >         >
    file 
    >         access. 
    >         >         So you can 
    >         >         >                 protect the ca key 
    >         >         >                 >         with file 
    >         >         >                 >         >
    access in 
    >         >         >                 >         >         >
    the 
    >         first 
    >         >         place. 
    >         >         >                 >         >         >
          
    >         >         >                 >         >         >
          
    >         >         >                 >         >         > 
    >         Think of the 
    >         >         local ca as 
    >         >         >                 a working proof 
    >         >         >                 >         of concept 
    >         >         >                 >         >
     :-) 
    >         >         >                 >         >         >
    Any 
    >         feedback 
    >         >         and input 
    >         >         >                 is appreciated. 
    >         >         >                 >         >         >
          
    >         >         >                 >         >         >
          
    >         >         >                 >         >         >
    Kind 
    >         regards 
    >         >         >                 >         >         > 
    >         Cornelius 
    >         >         >                 >         >         >
          
    >         >         >                 >         >         >
          
    >         >         >                 >         >         >
          
    >         >         >                 >         >         >
          
    >         >         >                 >         >         >
          
    >         >         >                 >         >         >
          
    >         >         >                 >         >         > 
    >         Cornelius 
    >         >         Kölbel 
    >         >         >                 >         >         >
    +49 
    >         151 2960 
    >         >         1417 
    >         >         >                 >         >         >
          
    >         >         >                 >         >         > 
    >         NetKnights 
    >         >         GmbH 
    >         >         >                 >         >         > 
    >         >         Http://NetKnights. It 
    >         >         >                 >         >         >
    +49 
    >         561 3166 
    >         >         797 
    >         >         >                 >         >         >
          
    >         >         >                 >         >         >
          
    >         >         >                 >         >         >
          
    >         >         >                 >         >         >
          
    >         >         >                 >         >         > 
    >         -------- 
    >         >         Ursprüngliche 
    >         >         >                 Nachricht -------- 
    >         >         >                 >         >         >
    Von: 
    >         Michael 
    >         >         Muenz 
    >         >         >                 <m.m...@gmail.com> 
    >         >         >                 >         >         > 
    >         Datum: 
    >         >         07.06.16 10:04 
    >         >         >                 (GMT+01:00) 
    >         >         >                 >         >         >
    An: 
    >         >         privacyidea 
    >         >         >                 > 
    >         <priva...@googlegroups.com> 
    >         >         >                 >         >         > 
    >         Betreff: Re: 
    >         >         >                 [privacyidea] CA
    Connector 
    >         >         >                 >         can't 
    >         >         >                 >         >
    create 
    >         >         >                 >         >         > 
    >         certificate 
    >         >         >                 >         >         >
          
    >         >         >                 >         >         >
          
    >         >         >                 >         >         >
    Ok, 
    >         removed 
    >         >         the line and 
    >         >         >                 it works again. 
    >         >         >                 >         >         >
    Now 
    >         I can 
    >         >         download the 
    >         >         >                 PKCS12. 
    >         >         >                 >         >         >
          
    >         >         >                 >         >         >
          
    >         >         >                 >         >         >
    But 
    >         I had to 
    >         >         remove the 
    >         >         >                 password from the 
    >         >         >                 >         ca.key ... 
    >         >         >                 >         >         will
    this 
    >         >         >                 >         >         >
    be 
    >         the final 
    >         >         version or 
    >         >         >                 do you plan some 
    >         >         >                 >         fields in 
    >         >         >                 >         >         the
    UI to 
    >         >         >                 >         >         > 
    >         enter the 
    >         >         password for 
    >         >         >                 the root-ca? 
    >         >         >                 >         >         >
          
    >         >         >                 >         >         >
          
    >         >         >                 >         >         > 
    >         Michael 
    >         >         >                 >         >         >
          
    >         >         >                 >         >         >
    > On Tuesday, June 7, 2016 at 9:59:06 AM UTC+2, Michael Muenz wrote:
    > > I added the Jessie-Backports since they deliver 0.15, but when I
    > > wanted to install it, it greps python-pyopenssl from the trusty ppa
    > > and breaks :)
    > > After that I forced it with aptitude -t jessie-backports and now I
    > > get an Internal Server Error when accessing the start page
    > >
    > > [Tue Jun 07 09:53:37.895043 2016] [wsgi:error] [pid 489:tid 139726979172096] /usr/lib/python2.7/dist-packages/privacyidea/models.py:1793: SAWarning: Unicode column received non-unicode default value.
    > > [Tue Jun 07 09:53:37.895273 2016] [wsgi:error] [pid 489:tid 139726979172096] default="/etc/privacyidea/dictionary")
    > > [Tue Jun 07 09:53:37.921642 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Target WSGI script '/etc/privacyidea/privacyideaapp.wsgi' cannot be loaded as Python module.
    > > [Tue Jun 07 09:53:37.921834 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] mod_wsgi (pid=489): Exception occurred processing WSGI script '/etc/privacyidea/privacyideaapp.wsgi'.
    > > [Tue Jun 07 09:53:37.921948 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] Traceback (most recent call last):
    > > [Tue Jun 07 09:53:37.922116 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/etc/privacyidea/privacyideaapp.wsgi", line 3, in <module>
    > > [Tue Jun 07 09:53:37.922265 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from privacyidea.app import create_app
    > > [Tue Jun 07 09:53:37.922359 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/app.py", line 28, in <module>
    > > [Tue Jun 07 09:53:37.922952 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] import privacyidea.api.before_after
    > > [Tue Jun 07 09:53:37.923097 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/api/before_after.py", line 29, in <module>
    > > [Tue Jun 07 09:53:37.923599 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from ..lib.user import get_user_from_param
    > > [Tue Jun 07 09:53:37.923697 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/user.py", line 55, in <module>
    > > [Tue Jun 07 09:53:37.924472 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from .resolver import (get_resolver_object,
    > > [Tue Jun 07 09:53:37.924585 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/resolver.py", line 47, in <module>
    > > [Tue Jun 07 09:53:37.925108 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from config import (get_resolver_types,
    > > [Tue Jun 07 09:53:37.925207 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/config.py", line 47, in <module>
    > > [Tue Jun 07 09:53:37.926073 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] from .caconnectors.localca import BaseCAConnector
    > > [Tue Jun 07 09:53:37.926233 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] File "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173
    > > [Tue Jun 07 09:53:37.926344 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] csr_extensions = csr_obj.get_extensions()
    > > [Tue Jun 07 09:53:37.926499 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] ^
    > > [Tue Jun 07 09:53:37.926583 2016] [wsgi:error] [pid 489:tid 139726979172096] [remote X:512] IndentationError: unexpected indent
    > >
    > > I think I'm gonna reinstall from scratch ...
    > >
    > > On Monday, June 6, 2016 at 11:36:09 PM UTC+2, Cornelius Kölbel wrote:
    > > > The CSR extensions are not used at the moment.
    > > >
    > > > So we could as well remove this line and then python-openssl 0.14
    > > > would work fine, again.
    > > >
    > > > Kind regards
    > > > Cornelius
    > > >
    > > > On Monday, 06.06.2016, at 13:20 -0700, Michael Muenz wrote:
    > > > > ii openssl 1.0.1t-1+deb8u2 amd64
    > > > > Secure Sockets Layer toolkit - cryptographic utility
    > > > > ii python-openssl 0.14-1 all
    > > > > Python 2 wrapper around the OpenSSL library
    > > > >
    > > > > [2016-06-06 22:16:46,000][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
    > > > > [2016-06-06 22:16:46,001][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
    > > > > [2016-06-06 22:16:46,028][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
    > > > > [2016-06-06 22:16:46,029][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
    > > > > [2016-06-06 22:16:46,056][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
    > > > > [2016-06-06 22:16:46,057][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
    > > > > [2016-06-06 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
    > > > > [2016-06-06 22:16:46,083][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
    > > > > [2016-06-06 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
    > > > > [2016-06-06 22:16:46,111][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
    > > > > [2016-06-06 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver u'maxadmins'
    > > > > [2016-06-06 22:16:46,139][4767][140255173814016][INFO][privacyidea.lib.user:188] userid resolved to u'6ce8f8fe-5848-1030-9368-cd33db809b50'
    > > > > [2016-06-06 22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:187] user u'mimu' found in resolver
    >         >         >                 >         >
    u'maxadmins' 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 [2016-06-06 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    22:16:46,249][4767][140255173814016][INFO][privacyidea.lib.user:188] 
    >         >         >                 >         >         > 
    >         >         > userid 
    >         >         >                 resolved to 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         > 
    >         u'6ce8f8fe-5848-1030-9368-cd33db809b50' 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 [2016-06-06 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    22:16:46,432][4767][140255173814016][ERROR][privacyidea.app:1423] 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 Exception
    on /token/init 
    >         >         >                 >         [POST] 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 Traceback (most recent 
    >         >         >                 >         call 
    >         >         >                 >         >
    last): 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 File 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         > 
    >         >
    "/usr/lib/python2.7/dist-packages/flask/app.py", 
    >         >         >                 >         line 1817, 
    >         >         >                 >         >         in 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 wsgi_app 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 response = 
    >         >         >                 >         > 
    >         >         self.full_dispatch_request() 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 File 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         > 
    >         >
    "/usr/lib/python2.7/dist-packages/flask/app.py", 
    >         >         >                 >         line 1477, 
    >         >         >                 >         >         in 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 full_dispatch_request 
    >         >         >                 >         >         > 
    >         >         >     rv 
    >         >         >                 = 
    >         >         >                 >         > 
    >         >         self.handle_user_exception(e) 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 File 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         > 
    >         >
    "/usr/lib/python2.7/dist-packages/flask/app.py", 
    >         >         >                 >         line 1381, 
    >         >         >                 >         >         in 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 handle_user_exception 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 reraise(exc_type, 
    >         >         >                 >         exc_value, 
    >         >         >                 >         >         tb) 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 File 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         > 
    >         >
    "/usr/lib/python2.7/dist-packages/flask/app.py", 
    >         >         >                 >         line 1475, 
    >         >         >                 >         >         in 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 full_dispatch_request 
    >         >         >                 >         >         > 
    >         >         >     rv 
    >         >         >                 = 
    >         >         >                 >
    self.dispatch_request() 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 File 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         > 
    >         >
    "/usr/lib/python2.7/dist-packages/flask/app.py", 
    >         >         >                 >         line 1461, 
    >         >         >                 >         >         in 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 dispatch_request 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 return 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         > 
    >         >
    self.view_functions[rule.endpoint](**req.view_args) 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 File 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", 
    >         >         >                 >         >         > 
    >         >         > line 
    >         >         >                 104, in 
    >         >         >                 >
    policy_wrapper 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 return 
    >         >         >                 >
    wrapped_function(*args, 
    >         >         >                 >         >
    **kwds) 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 File 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", 
    >         >         >                 >         >         > 
    >         >         > line 
    >         >         >                 104, in 
    >         >         >                 >
    policy_wrapper 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 return 
    >         >         >                 >
    wrapped_function(*args, 
    >         >         >                 >         >
    **kwds) 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 File 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", 
    >         >         >                 >         >         > 
    >         >         > line 
    >         >         >                 104, in 
    >         >         >                 >
    policy_wrapper 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 return 
    >         >         >                 >
    wrapped_function(*args, 
    >         >         >                 >         >
    **kwds) 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 File 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", 
    >         >         >                 >         >         > 
    >         >         > line 
    >         >         >                 104, in 
    >         >         >                 >
    policy_wrapper 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 return 
    >         >         >                 >
    wrapped_function(*args, 
    >         >         >                 >         >
    **kwds) 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 File 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", 
    >         >         >                 >         >         > 
    >         >         > line 
    >         >         >                 104, in 
    >         >         >                 >
    policy_wrapper 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 return 
    >         >         >                 >
    wrapped_function(*args, 
    >         >         >                 >         >
    **kwds) 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 File 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", 
    >         >         >                 >         >         > 
    >         >         > line 
    >         >         >                 104, in 
    >         >         >                 >
    policy_wrapper 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 return 
    >         >         >                 >
    wrapped_function(*args, 
    >         >         >                 >         >
    **kwds) 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 File 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", 
    >         >         >                 >         >         > 
    >         >         > line 
    >         >         >                 104, in 
    >         >         >                 >
    policy_wrapper 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 return 
    >         >         >                 >
    wrapped_function(*args, 
    >         >         >                 >         >
    **kwds) 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 File 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", 
    >         >         >                 >         >         > 
    >         >         > line 
    >         >         >                 104, in 
    >         >         >                 >
    policy_wrapper 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 return 
    >         >         >                 >
    wrapped_function(*args, 
    >         >         >                 >         >
    **kwds) 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 File 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    "/usr/lib/python2.7/dist-packages/privacyidea/api/lib/prepolicy.py", 
    >         >         >                 >         >         > 
    >         >         > line 
    >         >         >                 104, in 
    >         >         >                 >
    policy_wrapper 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 return 
    >         >         >                 >
    wrapped_function(*args, 
    >         >         >                 >         >
    **kwds) 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 File 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    "/usr/lib/python2.7/dist-packages/privacyidea/lib/event.py", 
    >         >         >                 >         >         > 
    >         >         > line 
    >         >         >                 57, in 
    >         >         >                 >         event_wrapper 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 f_result = 
    >         >         >                 >         func(*args, 
    >         >         >                 >         >
    **kwds) 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 File 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", 
    >         >         >                 >         >
    line 
    >         >         >                 >         >         > 
    >         >         > 180, 
    >         >         >                 in log_wrapper 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 f_result = 
    >         >         >                 >         func(*args, 
    >         >         >                 >         >
    **kwds) 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 File 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    "/usr/lib/python2.7/dist-packages/privacyidea/api/token.py", 
    >         >         >                 >         >         > 
    >         >         > line 
    >         >         >                 186, in init 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 > 
    >         tokenrealms=tokenrealms) 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 File 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    "/usr/lib/python2.7/dist-packages/privacyidea/lib/log.py", 
    >         >         >                 >         >
    line 
    >         >         >                 >         >         > 
    >         >         > 180, 
    >         >         >                 in log_wrapper 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 f_result = 
    >         >         >                 >         func(*args, 
    >         >         >                 >         >
    **kwds) 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 File 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    "/usr/lib/python2.7/dist-packages/privacyidea/lib/token.py", 
    >         >         >                 >         >         > 
    >         >         > line 
    >         >         >                 912, in init_token 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         > 
    >         >         tokenobject.update(upd_params) 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 File 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    "/usr/lib/python2.7/dist-packages/privacyidea/lib/tokens/certificatetoken.py", line 218, in update 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 crypto.FILETYPE_PEM, 
    >         >         >                 >         req)) 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 File 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    "/usr/lib/python2.7/dist-packages/privacyidea/lib/caconnectors/localca.py", line 173, in sign_request 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 csr_extensions = 
    >         >         >                 >         >         > 
    >         >         >
    csr_obj.get_extensions() 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 AttributeError: 
    >         >         >                 >         'X509Req'
    object 
    >         >         >                 >         >         has
    no 
    >         >         >                 >         >         > 
    >         >         >                 attribute 
    >         >         >                 >
    'get_extensions' 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    > On Monday, June 6, 2016 at 4:00:41 PM UTC+2, Cornelius Kölbel wrote:
    >
    > Hi,
    >
    > can you please post your privacyidea.log?
    > There should be a traceback.
    >
    > Which version of pyopenssl and which version of openssl are you using?
    >
    > Kind regards
    > Cornelius
    >
    > On Monday, 06.06.2016, at 06:33 -0700, Michael Muenz wrote:
    > > Hi,
    > >
    > > I've set up the WebCA as described in
    > > http://privacyidea.readthedocs.io/en/latest/configuration/caconnectors.html
    > >
    > > When I try to roll out a new certificate I get:
    > > 'X509Req' object has no attribute 'get_extensions'
    > >
    > > There's no certificate but the token will be displayed within the
    > > token view.
    > >
    > > Google tells me about some "wont fixes" with PyOpenSSL.
    > >
    > > I'm using Debian 8 with latest packages from Trusty build.
    > >
    > > Any ideas?
    > >
    > > Thanks
    > > Michael
    >         >         > 
    >         >         >                 > -- 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 > Please read 
    >         >         >                 >         the blog 
    >         >         >                 >         >         post
    about 
    >         >         >                 >         >         > 
    >         >         getting 
    >         >         >                 help 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 > 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         > 
    >         https://www.privacyidea.org/getting-help/. 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >   
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 > For 
    >         >         >                 >         professional 
    >         >         >                 >         >
    services and 
    >         >         >                 >         >         > 
    >         >         >                 consultancy regarding
    two 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 factor 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 > authentication 
    >         >         >                 >         please 
    >         >         >                 >         >
    visit 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 > 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    https://netknights.it/en/leistungen/one-time-services/ 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >   
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 > In an 
    >         >         >                 >         enterprise 
    >         >         >                 >         >
    environment 
    >         you 
    >         >         >                 >         >         > 
    >         >         should 
    >         >         >                 get a SERVICE 
    >         >         >                 >         LEVEL 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 AGREEMENT 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 > which suites 
    >         >         >                 >         your needs 
    >         >         >                 >         >         for 
    >         >         >                 >         >         > 
    >         >         >                 SECURITY, AVAILABILITY 
    >         >         >                 >         and 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 LIABILITY: 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 > 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    https://netknights.it/en/leistungen/service-level-agreements/ 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 > --- 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 > You received 
    >         >         >                 >         this 
    >         >         >                 >         >
    message 
    >         because 
    >         >         >                 >         >         > 
    >         >         you are 
    >         >         >                 subscribed to the 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 Google 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 > Groups 
    >         >         >                 >         "privacyidea" 
    >         >         >                 >         >
    group. 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 > To unsubscribe 
    >         >         >                 >         from this 
    >         >         >                 >         >
    group and 
    >         >         >                 >         >         > 
    >         >         stop 
    >         >         >                 receiving emails 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 from it, send 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 > an email to 
    >         >         >                 >         >         > 
    >         >         >                 > 
    >         privacyidea...@googlegroups.com. 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 > To post to 
    >         >         >                 >         this group, 
    >         >         >                 >         >         send
    email 
    >         >         >                 >         >         > 
    >         >         to 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         > 
    >         >         priva...@googlegroups.com. 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 > Visit this 
    >         >         >                 >         group at 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         > 
    >         >
    https://groups.google.com/group/privacyidea. 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 > To view this 
    >         >         >                 >         discussion 
    >         >         >                 >         >         on
    the web 
    >         >         >                 >         >         > 
    >         >         visit 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 > 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    https://groups.google.com/d/msgid/privacyidea/9f13cbc2-8c89-4aaa-86ef-09b748676673%40googlegroups.com. 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 > For more 
    >         >         >                 >         options,
    visit 
    >         >         >                 >         >         > 
    >         >         >                 > 
    >         >         https://groups.google.com/d/optout. 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                   
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 -- 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 Cornelius 
    >         >         >                 >         Kölbel 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 > 
    >         corneliu...@netknights.it 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 +49 151 2960 
    >         >         >                 >         1417 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                   
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 NetKnights GmbH 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 > 
    >         http://www.netknights.it 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >
    Landgraf-Karl-Str. 19, 
    >         >         >                 >         >
    34131 Kassel, 
    >         >         >                 >         >         > 
    >         >         Germany 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 Tel: +49 561 
    >         >         >                 >         3166797, Fax: 
    >         >         >                 >         >         +49
    561 
    >         >         >                 >         >         > 
    >         >         3166798 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                   
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 Amtsgericht 
    >         >         >                 >         Kassel, HRB 
    >         >         >                 >         >
    16405 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 Geschäftsführer: 
    >         >         >                 >         Cornelius 
    >         >         >                 >         >
    Kölbel 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                   
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                   
    >         >         >                 >         >         > 
    >         >         > -- 
    >         >         >                 >         >         > 
    >         >         > Please 
    >         >         >                 read the blog 
    >         >         >                 >         post about 
    >         >         >                 >         >
    getting 
    >         >         >                 >         >         > 
    >         >         help 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         > 
    >         >         > 
    >         https://www.privacyidea.org/getting-help/. 
    >         >         >                 >         >         > 
    >         >         >   
    >         >         >                 >         >         > 
    >         >         > For 
    >         >         >                 professional 
    >         >         >                 >         services and 
    >         >         >                 >         >
    consultancy 
    >         >         >                 >         >         > 
    >         >         >                 regarding two factor 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 authentication please 
    >         >         >                 >         visit 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    https://netknights.it/en/leistungen/one-time-services/ 
    >         >         >                 >         >         > 
    >         >         >   
    >         >         >                 >         >         > 
    >         >         > In an 
    >         >         >                 enterprise 
    >         >         >                 >         environment
    you 
    >         >         >                 >         >
    should get 
    >         >         >                 >         >         > 
    >         >         a 
    >         >         >                 SERVICE LEVEL AGREEMENT 
    >         >         >                 >         >         > 
    >         >         > which 
    >         >         >                 suites your needs 
    >         >         >                 >         for 
    >         >         >                 >         >
    SECURITY, 
    >         >         >                 >         >         > 
    >         >         >                 AVAILABILITY and 
    >         >         >                 >         LIABILITY: 
    >         >         >                 >         >         > 
    >         >         > 
    >         >         >                 >         >         > 
    >         >         >                 >         > 
    >         >         >                 > 
    >         >         > 
    >         > 
    >
    https://netknights.it/en/leistungen/service-level-agreements/ 
    >         >         >                 >         >         > 
    >         >         > --- 
    >         >         >                 >         >         > 
    >         >         > You 
    >         >         >                 received this 
    >         >         >                 >         message
    because 
    >         >         >                 >         >         you
    are 
    >         >         >                 >         >         > 
    >         >         >                 subscribed to the
    Google 
    >         >         >                 >         >         > 
    >         >         > Groups 
    >         >         >                 "privacyidea" 
    >         >         >                 >         group. 
    >         >         >                 >         >         > 
    >         >         > To 
    >         >         >                 unsubscribe from this 
    >         >         >                 >         group and 
    >         >         >                 >         >
    stop 
    >         >         >                 >         >         > 
    >         >         >                 receiving emails from
    it, 
    >         >         >                 >         send 
    >         >         >                 >         >         > 
    >         >         > an 
    >         >         >                 email to 
    >         >         >                 >         >         > 
    >         >         >                 > 
    >         privacyidea...@googlegroups.com. 
    >         >         >                 >         >         > 
    >         >         > To 
    >         >         >                 post to this group, 
    >         >         >                 >         send email 
    >         >         >                 >         >         to 
    >         >         >                 >         >         > 
    >         >         >                 > 
    >         priva...@googlegroups.com. 
    >         >         >                 >         >         > 
    >         >         > Visit 
    >         >         >                 this group at 
    >         >         >                 >         >         > 
    >         >         >                 >         >         
    >         >         >         ... 
    >         >         > -- 
    >         >         > Please read the blog post about getting
    help 
    >         >         >
    https://www.privacyidea.org/getting-help/. 
    >         >         >   
    >         >         > For professional services and
    consultancy 
    >         regarding two 
    >         >         factor 
    >         >         > authentication please visit 
    >         >         > 
    >
    https://netknights.it/en/leistungen/one-time-services/ 
    >         >         >   
    >         >         > In an enterprise environment you should
    get a 
    >         SERVICE LEVEL 
    >         >         AGREEMENT 
    >         >         > which suites your needs for SECURITY,
    AVAILABILITY 
    >         and 
    >         >         LIABILITY: 
    >         >         > 
    >         > 
    >
    https://netknights.it/en/leistungen/service-level-agreements/ 
    >         >         > --- 
    >         >         > You received this message because you
    are 
    >         subscribed to the 
    >         >         Google 
    >         >         > Groups "privacyidea" group. 
    >         >         > To unsubscribe from this group and stop
    receiving 
    >         emails 
    >         >         from it, send 
    >         >         > an email to
    privacyidea...@googlegroups.com. 
    >         >         > To post to this group, send email to 
    >         >         priva...@googlegroups.com. 
    >         >         > Visit this group at 
    >         >
    https://groups.google.com/group/privacyidea. 
    >         >         > To view this discussion on the web
    visit 
    >         >         > 
    >         > 
    >
    https://groups.google.com/d/msgid/privacyidea/91212e60-bed1-45dc-8e3b-45ee56faa34b%40googlegroups.com. 
    >         >         > For more options, visit 
    >         https://groups.google.com/d/optout. 
    >         >         
    >         >         -- 
    >         >         Cornelius Kölbel 
    >         >         corneliu...@netknights.it 
    >         >         +49 151 2960 1417 
    >         >         
    >         >         NetKnights GmbH 
    >         >         http://www.netknights.it 
    >         >         Landgraf-Karl-Str. 19, 34131 Kassel,
    Germany 
    >         >         Tel: +49 561 3166797, Fax: +49 561
    3166798 
    >         >         
    >         >         Amtsgericht Kassel, HRB 16405 
    >         >         Geschäftsführer: Cornelius Kölbel 
    >         >         
    >         >         
    >         > -- 
    >         > Please read the blog post about getting help 
    >         > https://www.privacyidea.org/getting-help/. 
    >         >   
    >         > For professional services and consultancy
    regarding two 
    >         factor 
    >         > authentication please visit 
    >         >
    https://netknights.it/en/leistungen/one-time-services/ 
    >         >   
    >         > In an enterprise environment you should get a
    SERVICE LEVEL 
    >         AGREEMENT 
    >         > which suites your needs for SECURITY, AVAILABILITY
    and 
    >         LIABILITY: 
    >         > 
    >
    https://netknights.it/en/leistungen/service-level-agreements/ 
    >         > --- 
    >         > You received this message because you are
    subscribed to the 
    >         Google 
    >         > Groups "privacyidea" group. 
    >         > To unsubscribe from this group and stop receiving
    emails 
    >         from it, send 
    >         > an email to privacyidea...@googlegroups.com. 
    >         > To post to this group, send email to 
    >         priva...@googlegroups.com. 
    >         > Visit this group at 
    >         https://groups.google.com/group/privacyidea. 
    >         > To view this discussion on the web visit 
    >         > 
    >
    https://groups.google.com/d/msgid/privacyidea/df8a609c-66f5-4d1b-be20-27e7f0daaf32%40googlegroups.com. 
    >         > For more options, visit
    https://groups.google.com/d/optout. 
    >         
    >         -- 
    >         Cornelius Kölbel 
    >         corneliu...@netknights.it 
    >         +49 151 2960 1417 
    >         
    >         NetKnights GmbH 
    >         http://www.netknights.it 
    >         Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    >         Tel: +49 561 3166797, Fax: +49 561 3166798 
    >         
    >         Amtsgericht Kassel, HRB 16405 
    >         Geschäftsführer: Cornelius Kölbel 
    >         
    >         
    > -- 
    > Please read the blog post about getting help 
    > https://www.privacyidea.org/getting-help/. 
    >   
    > For professional services and consultancy regarding two
    factor 
    > authentication please visit 
    > https://netknights.it/en/leistungen/one-time-services/ 
    >   
    > In an enterprise environment you should get a SERVICE LEVEL
    AGREEMENT 
    > which suites your needs for SECURITY, AVAILABILITY and
    LIABILITY: 
    >
    https://netknights.it/en/leistungen/service-level-agreements/ 
    > --- 
    > You received this message because you are subscribed to the
    Google 
    > Groups "privacyidea" group. 
    > To unsubscribe from this group and stop receiving emails
    from it, send 
    > an email to privacyidea...@googlegroups.com. 
    > To post to this group, send email to
    priva...@googlegroups.com. 
    > Visit this group at
    https://groups.google.com/group/privacyidea. 
    > To view this discussion on the web visit 
    >
    https://groups.google.com/d/msgid/privacyidea/6366a308-d759-4698-b199-e5af5f13d6b8%40googlegroups.com. 
    > For more options, visit https://groups.google.com/d/optout. 
    
    -- 
    Cornelius Kölbel 
    corneliu...@netknights.it 
    +49 151 2960 1417 
    
    NetKnights GmbH 
    http://www.netknights.it 
    Landgraf-Karl-Str. 19, 34131 Kassel, Germany 
    Tel: +49 561 3166797, Fax: +49 561 3166798 
    
    Amtsgericht Kassel, HRB 16405 
    Geschäftsführer: Cornelius Kölbel 


Cornelius Kölbel
@cornelinux
+49 151 2960 1417

NetKnights GmbH
http://www.netknights.it
Landgraf-Karl-Str. 19, 34131 Kassel, Germany
Tel: +49 561 3166797, Fax: +49 561 3166798

Amtsgericht Kassel, HRB 16405
Geschäftsführer: Cornelius Kölbel
