Hi dears,
here I describe step by step the installation of openca-0.9.1-RC4.
But I'm not yet finished. It is just a snapshot.
At the moment I have reached the level Initialization of RA.
Because Michael Bell suggested to me to use OpenCA-0.9 instead of 0.8.x, I
changed to openca-0.9.1-RC4.
I'm working for a small company (about 40 workers) which sells IT solutions to
companies with 1-2000 workers. We are also active on firewalls and clearly we
want to bring more security to small companies.
Until now I created certificates with openssl on the shell. But now we are
thinking of publishing the idea of PKI more extensively to satisfy our customers.
THINK ABOUT: I'm a newbie and not everything here may be correct.
And I install CA and RA on one server. This is only for testing purposes.
Sometimes I refer to Michael Bell's THE OPENCA GUIDE included in the
tar.gz file.
Our domain name is results-security.de, but because this is ONLY a test I am
working inside; this internal domain is called intern.results-hannover.de.
l101 is my desktop computer, Linux SuSE 8.0.
The Linux is freshly patched. In addition I installed a newer version of
openssl.
I use IE 6.0. Mozilla-1.1b has problems importing pk12 certs.
With Netscape 4.79 I got the problems which are described in THE OPENCA GUIDE
1.2.1.1, but I could not solve them. I'm sure that I have done something wrong.
I will look at this again later.
To compile ocspd I need to install openssl-devel-0.9.8-1.
It's easy to download the rpm from openssl and do
rpm -U openssl-devel-0.9.8-1.i386.rpm
rpm -i --force openssl-0.9.8-1.i386.rpm
The problem with the installation of openssl-0.9.8-1 is this:
file /usr/bin/c_rehash from install of openssl-0.9.8-1 conflicts with file
from package openssl-0.9.6c-29
file /usr/bin/openssl from install of openssl-0.9.8-1 conflicts with file from
package openssl-0.9.6c-29
file /usr/lib/libcrypto.so.0 from install of openssl-0.9.8-1 conflicts with
file from package openssl-0.9.6c-29
file /usr/lib/libssl.so.0 from install of openssl-0.9.8-1 conflicts with file
from package openssl-0.9.6c-29
The source of openca is put in /home/wallus/openca-0.9.1
CREATE the working directory
------------------------------
mkdir /home/openca
CONFIGURE THE software
---------------------------------
./configure --prefix=/home/openca \
--with-web-host=ca.intern.results-hannover.de \
--with-httpd-host=ca.intern.results-hannover.de \
--with-httpd-user=wwwrun \
--with-httpd-group=nogroup \
--with-dist-user=wallus \
--with-dist-group=openca \
--with-ca-organization=security \
--with-ca-locality=Hannover \
--with-ca-country=DE \
--with-ldap-host=ca.intern.results-hannover.de \
--with-ldap-root=" cn=LDAP Manager, o=results-security, l=Hannover, c=de" \
--with-ldap-root-pwd=peterpeter \
--without-db_type \
[EMAIL PROTECTED]
COMPILE CA
-------------
make ca
ERROR:
gcc -g -O2 -o openca-sv sv.o tools.o callback.o verify-crypto.o sign-crypto.o
verify-tools.o sign-tools.o sign2nd.o -lcrypto -lfl -ldl
/usr/i486-suse-linux/bin/ld: cannot find -lfl
collect2: ld returned 1 exit status
Edit the file
/home/wallus/openca-0.9.1/src/openca-sv/src/Makefile
at line 85 and change
SV_INCLUDE_LIBS = -lfl -ldl to SV_INCLUDE_LIBS = -ldl
make ca
Now make ca finishes.
As root
make install-ca
COMPILE RA
-------------
make ext
#Not much to do because make ca has compiled most of this.
make install-ext
TO LOOK at the configuration
------------------------------
change to /home/openca
vi ./OpenCA/etc/openssl/openssl.cnf
Everything looks OK.
vi ./OpenCA/etc/openssl/openssl/Web_Server.conf
#0.organizationName_default = Humboldt-Universitaet zu Berlin
0.organizationName_default = Results Hannover
vi ./OpenCA/etc/openssl/openssl/CA_Operator.conf
vi ./OpenCA/etc/openssl/openssl/Cross_CA.conf
vi ./OpenCA/etc/openssl/openssl/Mail_Server.conf
vi ./OpenCA/etc/openssl/openssl/RA_Operator.conf
and all other files in this directory. Perhaps I could use a configure option for this.
CONFIGURATION of apache:
---------------------------
I use virtual hosting:
From httpd.conf:
Listen 80
Listen 443
Bindaddress l101.intern.results-hannover.de:80
Bindaddress l101.intern.results-hannover.de:443
include /home/openca/apache.conf
Clearly, l101 must be in DNS, and
ca.intern.results-hannover.de must be an alias for l101.
From /home/openca/apache.conf
<VirtualHost ca.intern.results-hannover.de:80>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /home/openca/apache/htdocs
ServerName ca.intern.results-hannover.de
#SSLEngine on
#SSLCertificateFile /home/openca/ssl.crt/server.pem
#SSLCertificateKeyFile /home/openca/ssl.key/key.pem
#<Files ~ "\.(cgi|shtml|phtml|php3?)$">
# SSLOptions +StdEnvVars
#</Files>
#<Directory "/usr/local/httpd/cgi-bin">
# SSLOptions +StdEnvVars
#</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<Directory "/home/openca/apache/htdocs">
Options Indexes FollowSymlinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ScriptAlias /cgi-bin/ "/home/openca/apache/cgi-bin/"
<Directory "/home/openca/apache/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
ERROR
Because the initialization form of the CA does not work:
chown -R wwwrun.nogroup /home/openca/apache/cgi-bin/ca
CREATE CA CERTIFICATE
----------------------
Point the browser on http://ca.intern.results-hannover.de/ca
Click on
Initialization / Initialize the Certification Authority /Initialize
Database
Output: The database was succesfully initilized.
This is described in THE OPENCA GUIDE 2.2.1 Step 1
Initialization / Initialize the Certification Authority / Generate new CA
Secret key
(OK, des3, 2048, really heavy password)
Output: Following you can ... and the RSA PRIVAT KEY.
This is described in THE OPENCA GUIDE 2.2.1 Step 2
Initialization / Initialize the Certification Authority /Generate new CA
Certificate Request (use generated secret key)
(OK,[EMAIL PROTECTED],ca.intern.results-hannover.de,
security,Results,DE,
[EMAIL PROTECTED], CN=ca,
OU=security, O=Results, C=DE.
really heavy password)
Output: Following you can find ..... the key...
This is described in THE OPENCA GUIDE 2.2.1 Step 3, this is the CSR (Cert Setup
Request)
Initialization / Initialize the Certification Authority / Generate Self
Signed CA Certificate (from already generated request)
(OK, 730, really heavy password)
Output: Following you can find the result of the generation proce ... the key
This is described in THE OPENCA GUIDE 2.2.1 Step 4
Initialization / Initialize the Certification Authority / Rebuild CA
Chain
Output: Succesful..... There have to be no error message!
This is described in THE OPENCA GUIDE 2.2.1 Step 5
Now put in a formatted floppy.
Initialization / Initialize the Certification Authority / Export
Configuration
Output: Exporting the RBAC-configuration ..
If you have an X server on your PC, you have to change ownership and permissions
of /dev/fd0, because the X server sets user permissions on it.
chown root.root /dev/fd0; chmod 755 /dev/fd0
This belongs to THE OPENCA GUIDE 2.2.1 Step 5, too.
Make a hard copy of this floppy to CD:
dd if=/dev/fd0 of=ca.fd0
Put the file ca.fd0 on CD.
CREATE the initial administrator
-------------------------------------
Your work as RA operator is to sign certificate requests if you think the data
are OK.
For signing you need a signature, that is this certificate, which will be
created here and imported into the browser.
Point the browser on http://ca.intern.results-hannover.de/ca
Click on
Initialization / Create the initial administrator / Create a new
request
([EMAIL PROTECTED],Harald Wallus, Internet, CA
Operator,
Trustcenter itself, 10leterslongPin,Continue , Continue)
This belongs to THE OPENCA GUIDE 2.2.2 Step 1
Initialization / Create the initial administrator / Edit the request
(Check if everything is OK, Continue,
Issue Certificate, really heavy password)
Output: Certificate Issued ... .. the key ..
This belongs to THE OPENCA GUIDE 2.2.2 Step 2 and Step 3 (to issue)
Now clicking on Initialization / Create the initial administrator / Issue the
certificate
results in an ERROR 690. Clearly the cert was already issued in the step before.
But Handle the certificate also results in an ERROR 690.
So I go to:
Certificates / Valid Certificates
(Click on the serial number, choose Certificate and Keypair to
PKCS#12, Download, type in your 10leterslongPin,
download in to ca.pk12)
And got an ERROR: Cannot convert a PKCS#8 Certificate to a pem or PKCS#12
cert.
OK, we do it once again and choose PKCS#8; no download button appears.
So I choose
This page I save as raoperator.txt (.pem is not possible with IE).
This belongs to THE OPENCA GUIDE 2.2.2 Step 4
IE:
Extras / Internet options / Contents -> Certificates -> Import
After success, you may find the certificate under another tab.
CREATE THE initial RA certificate
--------------------------------
The connection to the RA web interface has to be secure. And we need
a signature, so that we know that it is really our RA server. This certificate
will now be created.
This section belongs to THE OPENCA GUIDE 2.2.3:
Point the browser on http://ca.intern.results-hannover.de/ca
Click on
Initialization / Create the initial RA certificate / Create a new
request
( [EMAIL PROTECTED], ca.intern.results-hannover.de,
Certificate Request group: Internet,
Role CA operator,
Trustcenter itself,
a new longerthan10keypassword,
Keysize: 1024, -> Continue -> Continue)
Output is a Certificate Request Confirm
Initialization / Create the initial RA certificate / Edit the request
(If everything is OK -> OK -> Issue certificate, really heavy
password)
Output: Certificate Issued ....
Like the RA operator certificate, we can't issue and handle it: ERROR
690.
Again we find the new cert if we click
Certificates / Valid Certificates
(Click on the serial number, choose Certificate and Keypair to
modssl, Download, type in your longerthan10keypassword,
download in to caserver.txt)
CONFIGURING SSL for APACHE
-----------------------------
What I do now is not correct for production. Into the
include file /home/openca/apache.conf I append nearly the same lines again,
but I change 80 to 443 and define some SSL things:
<VirtualHost ca.intern.results-hannover.de:443>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /home/openca/apache/htdocs
ServerName ca.intern.results-hannover.de
SSLEngine on
SSLCertificateFile /home/openca/ssl.crt/server.pem
SSLCertificateKeyFile /home/openca/ssl.key/key.pem
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/httpd/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<Directory "/home/openca/apache/htdocs">
Options Indexes FollowSymlinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ScriptAlias /cgi-bin/ "/home/openca/apache/cgi-bin/"
<Directory "/home/openca/apache/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
Now we have to copy caserver.txt to /home/openca/ssl.crt/server.pem
and to /home/openca/ssl.key/key.pem, and delete in server.pem the private key
section
and in key.pem the public key section.
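The same split done with a small shell script instead of an editor, so that the key never sits in server.pem by mistake and the key file is readable by its owner only. This is an added example, not part of the original mail and not code from OpenCA; the file names caserver.txt, server.pem and key.pem are the ones from the mail, the sample bundle is constructed with placeholder PEM bodies, and key_matches_cert assumes the openssl command line tool is installed.

```sh
#!/bin/sh
# Added example, not from the original mail or from OpenCA. Splits a mod_ssl
# style PEM bundle (certificate followed by private key, like the downloaded
# caserver.txt) into a certificate-only file and a key-only file, keeps the
# key file readable by its owner only, and checks that nothing leaked across.

# split_pem BUNDLE CERT_OUT KEY_OUT
split_pem() {
    bundle=$1; cert_out=$2; key_out=$3
    [ -r "$bundle" ] || { echo "split_pem: cannot read $bundle" >&2; return 1; }
    # Create the key file with mode 0600 before anything is written to it, so it
    # is never world-readable, not even for an instant.
    (umask 077 && : > "$key_out") || return 1
    chmod 0600 "$key_out"
    : > "$cert_out"
    # Copy every CERTIFICATE block (BEGIN line through END line) to CERT_OUT.
    awk '/^-----BEGIN CERTIFICATE-----/ {c=1}
         c {print > out}
         /^-----END CERTIFICATE-----/ {c=0}' out="$cert_out" "$bundle"
    # Copy every private key block (RSA, EC or PKCS#8 "PRIVATE KEY") to KEY_OUT.
    awk '/^-----BEGIN (RSA |EC )?PRIVATE KEY-----/ {k=1}
         k {print > out}
         /^-----END (RSA |EC )?PRIVATE KEY-----/ {k=0}' out="$key_out" "$bundle"
}

# count_blocks FILE ERE  -> number of "-----BEGIN <ERE>-----" lines in FILE
count_blocks() {
    grep -E -c -e "^-----BEGIN $2-----" "$1"
}
KEY_RE='(RSA |EC )?PRIVATE KEY'

# check_split CERT KEY  -> 0 if CERT holds only certificates, KEY holds exactly
# one private key, and KEY is mode 0600; otherwise prints why and returns 1.
check_split() {
    cert=$1; key=$2
    [ "$(count_blocks "$cert" CERTIFICATE)" -ge 1 ] ||
        { echo "check_split: no certificate in $cert" >&2; return 1; }
    [ "$(count_blocks "$cert" "$KEY_RE")" -eq 0 ] ||
        { echo "check_split: private key leaked into $cert" >&2; return 1; }
    [ "$(count_blocks "$key" "$KEY_RE")" -eq 1 ] ||
        { echo "check_split: expected exactly one private key in $key" >&2; return 1; }
    [ "$(count_blocks "$key" CERTIFICATE)" -eq 0 ] ||
        { echo "check_split: certificate left in $key" >&2; return 1; }
    mode=$(ls -l "$key" | cut -c1-10)
    [ "$mode" = "-rw-------" ] ||
        { echo "check_split: $key is $mode, expected -rw-------" >&2; return 1; }
}

# key_matches_cert CERT KEY  -> 0 if the RSA modulus in both files is the same.
# Assumption: the openssl command line tool is in PATH. Needs real PEM data,
# so it is not run on the placeholder sample below.
key_matches_cert() {
    c=$(openssl x509 -noout -modulus -in "$1") || return 1
    k=$(openssl rsa -noout -modulus -in "$2") || return 1
    [ "$c" = "$k" ]
}

# Constructed sample standing in for the downloaded caserver.txt. The base64
# bodies are dummies, not a real certificate or key.
WORK=${TMPDIR:-/tmp}/openca-split-example
mkdir -p "$WORK"
cat > "$WORK/caserver.txt" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBplaceholdercertificatebody
-----END CERTIFICATE-----
-----BEGIN RSA PRIVATE KEY-----
MIICplaceholderprivatekeybody
-----END RSA PRIVATE KEY-----
EOF

split_pem "$WORK/caserver.txt" "$WORK/server.pem" "$WORK/key.pem" &&
    check_split "$WORK/server.pem" "$WORK/key.pem" &&
    echo "split OK: $WORK/server.pem (certificate) and $WORK/key.pem (key, mode 0600)"
```

On the real download, run split_pem on caserver.txt with the two target paths from the mail and then key_matches_cert /home/openca/ssl.crt/server.pem /home/openca/ssl.key/key.pem before restarting Apache; a mismatch means the wrong block ended up in the wrong file.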
Restart your apache.
/etc/init.d/apache restart
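Because the CA and RA interfaces are CGI scripts under the ScriptAlias, a VirtualHost that publishes that ScriptAlias without SSLEngine on serves the PIN and passphrase forms over plain HTTP. The audit below walks an Apache configuration and flags exactly that, plus a :443 host whose SSLEngine line is missing or commented out. It is an added example and not code from the mail or from OpenCA; the sample config is a constructed, cut-down copy of the two VirtualHost blocks above plus a third, deliberately broken block with the hypothetical name broken.example.test.

```sh
#!/bin/sh
# Added example, not from the original mail or from OpenCA. Reads an Apache
# configuration and prints one line per <VirtualHost> block:
#   <host:port> ok
#   <host:port> WARN: <reason>
# Findings: a host on port 443 without an active "SSLEngine on", and any host
# that exposes a ScriptAlias (the OpenCA CGIs) without TLS.
audit_vhosts() {   # audit_vhosts CONF
    awk '
        /^[ \t]*#/ { next }                       # commented-out lines do not count
        /^[ \t]*<VirtualHost/ {
            host = $2; sub(/>.*$/, "", host)       # "name:port>" -> "name:port"
            ssl = 0; cgi = 0; next
        }
        /^[ \t]*SSLEngine[ \t]+[Oo][Nn][ \t]*$/ { ssl = 1 }
        /^[ \t]*ScriptAlias[ \t]/                { cgi = 1 }
        /^[ \t]*<\/VirtualHost>/ {
            if (host ~ /:443$/ && !ssl)
                print host, "WARN: port 443 without SSLEngine on"
            else if (cgi && !ssl)
                print host, "WARN: cgi-bin reachable without TLS"
            else
                print host, "ok"
        }' "$1"
}

# warning_count CONF -> how many VirtualHost blocks were flagged
warning_count() {
    audit_vhosts "$1" | grep -c "WARN"
}

# Constructed sample: a cut-down copy of the two VirtualHost blocks from the
# mail plus a third, deliberately broken one (hypothetical host name) whose
# SSLEngine line is commented out. Paths and the ca.* host name are the mail's.
SAMPLE_CONF=${TMPDIR:-/tmp}/openca-vhost-audit.conf
cat > "$SAMPLE_CONF" <<'EOF'
<VirtualHost ca.intern.results-hannover.de:80>
    DocumentRoot /home/openca/apache/htdocs
    #SSLEngine on
    ScriptAlias /cgi-bin/ "/home/openca/apache/cgi-bin/"
</VirtualHost>
<VirtualHost ca.intern.results-hannover.de:443>
    DocumentRoot /home/openca/apache/htdocs
    SSLEngine on
    SSLCertificateFile /home/openca/ssl.crt/server.pem
    SSLCertificateKeyFile /home/openca/ssl.key/key.pem
    ScriptAlias /cgi-bin/ "/home/openca/apache/cgi-bin/"
</VirtualHost>
<VirtualHost broken.example.test:443>
    #SSLEngine on
    DocumentRoot /home/openca/apache/htdocs
</VirtualHost>
EOF

audit_vhosts "$SAMPLE_CONF"
```

Run it as audit_vhosts /home/openca/apache.conf on the real include file; with the two blocks from this mail it reports the :80 host as reachable without TLS and the :443 host as ok, which is the state the author describes as not correct for production.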
EXPORT FROM ca
--------------------------------------
I do an export from the CA.
Put a freshly formatted disk into your floppy drive.
Point your browser to http://ca.intern.results-hannover.de/ca
INPUT/OUTPUT / Export ALL
Output: Exports all avaible .....
I got ERROR on exporting the archive: Archiving failed to /dev/fdO 512
Maybe this is because my installation wasn't fresh.
INITIALIZE RA SERVER
------------------------------------------------------
Point your browser to http://ca.intern.results-hannover.de/ra
Click on RAServer Admin, you change to ...../online
Click on
RAServer Init/ Initialize Database
Output: This was sucessfully ....
Now I take the first floppy from CREATE CA CERTIFICATE.
RAServer Init/ Import Configuration
Output: Importing the Configuration .....
I got an ERROR from ldap. This is OK because I have
not initialized ldap. I will do it later.
Here I stop for a moment. But I will go ahead soon.
Have a nice day.
--
Dr. Harald Wallus
Results GmbH
Am Listholze 78, D-30177 Hannover
Tel: +49(0)511 90 95 1-23 Fax: +49(0)511 90 95 = 1-90
Email: [EMAIL PROTECTED]
Internet: http://www.results-hannover.de
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users