Troubleshooting Guide
Troubleshooting Guide
Section titled “Troubleshooting Guide”This guide covers common errors and diagnostic procedures for QPKI.
1. Common Errors
Section titled “1. Common Errors”1.1 CA Errors
Section titled “1.1 CA Errors””CA not found” / “CA directory not found”
Section titled “”CA not found” / “CA directory not found””Error: CA not found at ./caError: failed to load CA: directory not foundCause: The --ca-dir flag points to a non-existent or invalid CA directory.
Solution:
qpki ca list --dir .
qpki cert issue --ca-dir ./myca --profile ec/tls-server --csr request.csr“Failed to load CA signer”
Section titled ““Failed to load CA signer””Error: failed to load CA signer: x509: decryption password incorrectCause: The CA private key is encrypted and the passphrase is wrong or missing.
Solution:
qpki cert issue --ca-dir ./myca --ca-passphrase "correct-password" --profile ec/tls-server --csr request.csr“Version not found”
Section titled ““Version not found””Error: version v5 not foundCause: Attempting to activate a non-existent CA version.
Solution:
qpki ca versions --ca-dir ./myca
qpki ca activate --ca-dir ./myca --version v21.2 Credential Errors
Section titled “1.2 Credential Errors””Credential not found”
Section titled “”Credential not found””Error: credential alice-xxx not foundCause: The --cred-dir flag points to wrong directory or credential ID is incorrect.
Solution:
qpki credential list --cred-dir ./credentials
qpki credential info alice-xxx --cred-dir ./myca/credentials“KEM profile requires a signature profile first”
Section titled ““KEM profile requires a signature profile first””Error: KEM profile "ml-kem/client" requires a signature profile first (RFC 9883)Cause: ML-KEM (encryption) profiles require a signature profile for proof of possession.
Solution:
qpki credential enroll --profile ec/client --profile ml-kem/client \ --var cn=alice@example.com“Credential version is PENDING”
Section titled ““Credential version is PENDING””Error: cannot use credential - version v2 is PENDINGCause: Credential was rotated but not activated.
Solution:
qpki credential activate alice-xxx --version v21.3 Profile Errors
Section titled “1.3 Profile Errors””Profile not found”
Section titled “”Profile not found””Error: profile "ec/custom-server" not foundCause: Profile doesn’t exist in CA profiles directory or built-in profiles.
Solution:
qpki profile list --dir ./myca
qpki profile install --dir ./myca
qpki credential enroll --profile ec/tls-server --var cn=server.example.com“Variable required”
Section titled ““Variable required””Error: variable "cn" is required but not providedCause: Required profile variable was not provided.
Solution:
qpki profile vars ec/tls-server
qpki credential enroll --profile ec/tls-server \ --var cn=server.example.com \ --var dns_names=server.example.com1.4 Certificate Errors
Section titled “1.4 Certificate Errors””Certificate not found”
Section titled “”Certificate not found””Error: certificate with serial 05 not foundCause: Serial number doesn’t exist in CA index.
Solution:
qpki cert list --ca-dir ./myca
qpki cert info 0x03 --ca-dir ./myca“Certificate verification failed”
Section titled ““Certificate verification failed””Error: certificate verification failed: x509: certificate signed by unknown authorityCause: CA certificate chain is incomplete or wrong CA used for verification.
Solution:
qpki cert verify server.crt --ca ./issuing-ca/ca.crt
qpki cert verify server.crt --ca ./issuing-ca/chain.crt
openssl verify -CAfile ./root-ca/ca.crt ./issuing-ca/ca.crtopenssl verify -CAfile ./root-ca/ca.crt -untrusted ./issuing-ca/ca.crt server.crt1.5 CRL/OCSP Errors
Section titled “1.5 CRL/OCSP Errors””CRL is expired”
Section titled “”CRL is expired””Warning: CRL has expired (Next Update: 2025-01-01)Cause: CRL validity period has passed.
Solution:
qpki crl gen --ca-dir ./myca --days 30“OCSP responder unreachable”
Section titled ““OCSP responder unreachable””Error: OCSP request failed: connection refusedCause: OCSP server is not running or wrong URL.
Solution:
qpki ocsp serve --ca-dir ./myca --listen :8080 &
qpki cert verify server.crt --ca ca.crt --ocsp http://localhost:80802. Diagnostic Commands
Section titled “2. Diagnostic Commands”2.1 CA Diagnostics
Section titled “2.1 CA Diagnostics”# CA informationqpki ca info --ca-dir ./myca
qpki ca versions --ca-dir ./myca
qpki ca list --dir /var/lib/pki
qpki ca export --ca-dir ./myca --out ca.crt2.2 Credential Diagnostics
Section titled “2.2 Credential Diagnostics”# List all credentialsqpki credential list --cred-dir ./credentials
qpki credential info alice-xxx --cred-dir ./credentials
qpki credential versions alice-xxx --cred-dir ./credentials
qpki credential export alice-xxx --cred-dir ./credentials2.3 Certificate Diagnostics
Section titled “2.3 Certificate Diagnostics”# List certificates in CAqpki cert list --ca-dir ./myca
qpki cert info 0x03 --ca-dir ./myca
qpki inspect certificate.crtqpki inspect private.keyqpki inspect request.csr2.4 Profile Diagnostics
Section titled “2.4 Profile Diagnostics”# List available profilesqpki profile list --dir ./myca
qpki profile info ec/tls-server --dir ./myca
qpki profile vars ec/tls-server
qpki profile lint ./my-profile.yaml2.5 CRL Diagnostics
Section titled “2.5 CRL Diagnostics”# List CRLsqpki crl list --ca-dir ./myca
qpki crl info ./myca/crl/ca.crl
qpki crl verify ./myca/crl/ca.crl --ca ./myca/ca.crt3. OpenSSL Verification
Section titled “3. OpenSSL Verification”3.1 Certificate Verification
Section titled “3.1 Certificate Verification”# Verify single certificateopenssl verify -CAfile ca.crt server.crt
openssl verify -CAfile root-ca/ca.crt -untrusted issuing-ca/ca.crt server.crt
openssl x509 -in server.crt -text -noout
openssl x509 -in server.crt -dates -noout
openssl x509 -in server.crt -subject -issuer -noout3.2 Key Verification
Section titled “3.2 Key Verification”# View key detailsopenssl ec -in key.pem -text -nooutopenssl rsa -in key.pem -text -noout
openssl x509 -in cert.crt -noout -modulus | openssl md5openssl rsa -in key.pem -noout -modulus | openssl md53.3 CSR Verification
Section titled “3.3 CSR Verification”# View CSR detailsopenssl req -in request.csr -text -noout
openssl req -in request.csr -verify -noout3.4 CRL Verification
Section titled “3.4 CRL Verification”# View CRL detailsopenssl crl -in ca.crl -text -noout
openssl crl -in ca.crl -CAfile ca.crt -verify4. HSM/PKCS#11 Issues
Section titled “4. HSM/PKCS#11 Issues”4.1 Token Not Found
Section titled “4.1 Token Not Found”Error: PKCS#11: token not foundCauses:
- HSM/token not connected
- Wrong PKCS#11 library path
- Token not initialized
Solutions:
qpki hsm list --hsm-config ./hsm.yaml
qpki hsm test --hsm-config ./hsm.yaml4.2 PIN Incorrect
Section titled “4.2 PIN Incorrect”Error: PKCS#11: CKR_PIN_INCORRECTSolution: Verify PIN in HSM configuration file.
4.3 Slot Unavailable
Section titled “4.3 Slot Unavailable”Error: PKCS#11: slot 0 not foundSolution:
qpki hsm list --hsm-config ./hsm.yaml5. File System Issues
Section titled “5. File System Issues”5.1 Permission Denied
Section titled “5.1 Permission Denied”Error: open ./ca/ca.key: permission deniedSolution:
ls -la ./ca/
chmod 600 ./ca/ca.keychmod 644 ./ca/ca.crt5.2 Directory Structure
Section titled “5.2 Directory Structure”Expected CA directory structure:
ca/├── ca.crt # CA certificate├── ca.key # CA private key (protect!)├── chain.crt # Certificate chain (if subordinate)├── serial # Next serial number├── index.txt # Certificate database├── crl/ # CRL directory│ └── ca.crl├── certs/ # Issued certificates│ ├── 01.pem│ └── 02.pem└── profiles/ # Custom profiles (optional)6. Debug Mode
Section titled “6. Debug Mode”Enable verbose output for troubleshooting:
# Run with debug flagqpki --debug ca info --ca-dir ./myca
cat ./myca/index.txt
cat ./myca/serial7. Getting Help
Section titled “7. Getting Help”7.1 Built-in Help
Section titled “7.1 Built-in Help”# General helpqpki --help
qpki ca --helpqpki credential enroll --help7.2 Documentation
Section titled “7.2 Documentation”- CA - CA operations and certificate issuance
- Credentials - Credential management
- Crypto-Agility - Algorithm migration
- Profiles - Certificate profiles
- HSM - Hardware Security Module integration
- OCSP - Online Certificate Status Protocol
- TSA - Time-Stamp Authority
- CMS - Cryptographic Message Syntax
7.3 Reporting Issues
Section titled “7.3 Reporting Issues”Report issues at: https://github.com/remiblancher/qpki/issues
Include:
- QPKI version (
qpki version) - Operating system
- Full error message
- Command that caused the error
- Relevant configuration (without secrets)