Hi dears,
here I describe step by step the installation of openca-0.9.1-RC4.
But I'm not finished yet. This is just a snapshot.
Finally, in this document I create a request as a normal user, approve and sign
it as RA operator, import it into the CA, sign it, import the cert into the RA and send an email.
Although I use one computer for CA and RA, I will describe it as if I were using
two. So this differs from the last step-by-step.
I install the CA into /home/opencaca and
I install the RA into /home/opencara!
Your RA computer must be email enabled!
At the moment I do nothing about LDAP. I will do that later.
I work for a small company (about 40 employees) that sells IT solutions to companies
with 1-2000 employees. We are also active in firewalls and clearly we want to move
towards more security for small companies.
In the past I created certificates with openssl on the shell. But now we are thinking of
promoting the idea of PKI more extensively to satisfy our customers.
THINK ABOUT: I'm a newbie and not everything here may be correct.
This description is only for testing purposes.
Sometimes I refer to Michael Bell's THE OPENCA GUIDE included in the
tar.gz file.
Our domain name is results-hannover.de; because this is ONLY a test I work
on the inside; this domain is called intern.results-hannover.de.
l101 is my desktop computer, Linux SuSE 8.0.
The Linux is freshly patched. In addition I installed a newer version of
openssl.
I got problems signing with IE 6.0 and Mozilla 1.1b and
so I USE ONLY NETSCAPE 4.79.
But sometimes I have written things which belong to IE 6.0 or Mozilla 1.1b.
Because SuSE 8.0 installs openssl-0.9.6c-29 I have to upgrade to compile ocspd.
I installed the latest I found, openssl-devel-0.9.8-1,
but 0.9.7 will be good enough.
It's easy to download the rpm from openssl and do
rpm -U openssl-devel-0.9.8-1.i386.rpm
rpm -i --force openssl-0.9.8-1.i386.rpm
The problem with the installation of openssl-0.9.8-1 is this:
file /usr/bin/c_rehash from install of openssl-0.9.8-1 conflicts with file
from package openssl-0.9.6c-29
file /usr/bin/openssl from install of openssl-0.9.8-1 conflicts with file from
package openssl-0.9.6c-29
file /usr/lib/libcrypto.so.0 from install of openssl-0.9.8-1 conflicts with
file from package openssl-0.9.6c-29
file /usr/lib/libssl.so.0 from install of openssl-0.9.8-1 conflicts with file
from package openssl-0.9.6c-29
The source of openca is put in /home/wallus/openca-0.9.1
CREATE the installation directory
------------------------------
mkdir /home/openca
CONFIGURE THE CA software
---------------------------------
./configure --prefix=/home/opencaca \
--with-web-host=ca.intern.results-hannover.de \
--with-httpd-host=ca.intern.results-hannover.de \
--with-httpd-user=wwwrun \
--with-httpd-group=nogroup \
--with-dist-user=wallus \
--with-dist-group=openca \
--with-ca-organization=security \
--with-ca-locality=Hannover \
--with-ca-country=DE \
--with-ldap-host=ca.intern.results-hannover.de \
--with-ldap-root=" cn=LDAP Manager, o=results-security, l=Hannover, c=de" \
--with-ldap-root-pwd=peterpeter \
--without-db_type \
[EMAIL PROTECTED]
COMPILE CA
-------------
make ca
ERROR:
gcc -g -O2 -o openca-sv sv.o tools.o callback.o verify-crypto.o sign-crypto.o
verify-tools.o sign-tools.o sign2nd.o -lcrypto -lfl -ldl
/usr/i486-suse-linux/bin/ld: cannot find -lfl
collect2: ld returned 1 exit status
Edit the file
/home/wallus/openca-0.9.1/src/openca-sv/src/Makefile
at line 85 and change
SV_INCLUDE_LIBS = -lfl -ldl to SV_INCLUDE_LIBS = -ldl
make ca
make ca finishes.
As root:
make install-ca
CONFIGURE THE RA software
---------------------------------
./configure --prefix=/home/opencara \
--with-web-host=ra.intern.results-hannover.de \
--with-httpd-host=ra.intern.results-hannover.de \
--with-httpd-user=wwwrun \
--with-httpd-group=nogroup \
--with-dist-user=wallus \
--with-dist-group=openca \
--with-ca-organization=security \
--with-ca-locality=Hannover \
--with-ca-country=DE \
--with-ldap-host=ra.intern.results-hannover.de \
--with-ldap-root=" cn=LDAP Manager, o=results-security, l=Hannover, c=de" \
--with-ldap-root-pwd=peterpeter \
--without-db_type \
[EMAIL PROTECTED]
COMPILE RA
-------------
Edit the file
/home/wallus/openca-0.9.1/src/openca-sv/src/Makefile
at line 85 and change
SV_INCLUDE_LIBS = -lfl -ldl to SV_INCLUDE_LIBS = -ldl
make ext
make install-ext
TO LOOK at the configuration
------------------------------
change to /home/openca
vi ./OpenCA/etc/openssl/openssl.cnf
Everything looks OK.
vi ./OpenCA/etc/openssl/openssl/Web_Server.conf
#0.organizationName_default = Humboldt-Universitaet zu Berlin
0.organizationName_default = Results Hannover
vi ./OpenCA/etc/openssl/openssl/CA_Operator.conf
vi ./OpenCA/etc/openssl/openssl/Cross_CA.conf
vi ./OpenCA/etc/openssl/openssl/Mail_Server.conf
vi ./OpenCA/etc/openssl/openssl/RA_Operator.conf
and all other files in this directory. Perhaps I can use a configure option.
CONFIGURATION of apache CA Server
---------------------------------
I use virtual hosting:
From httpd.conf:
Listen 80
Listen 443
Bindaddress l101.intern.results-hannover.de:80
Bindaddress l101.intern.results-hannover.de:443
include /home/opencaca/apache.conf
Clearly, l101 must be a DNS host and
ca.intern.results-hannover.de must be an alias for l101.
From /home/opencaca/apache.conf
<VirtualHost ca.intern.results-hannover.de:80>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /home/openca/apache/htdocs
ServerName ca.intern.results-hannover.de
#SSLEngine on
#SSLCertificateFile /home/openca/ssl.crt/server.pem
#SSLCertificateKeyFile /home/openca/ssl.key/key.pem
#<Files ~ "\.(cgi|shtml|phtml|php3?)$">
# SSLOptions +StdEnvVars
#</Files>
#<Directory "/usr/local/httpd/cgi-bin">
# SSLOptions +StdEnvVars
#</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<Directory "/home/openca/apache/htdocs">
Options Indexes FollowSymlinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ScriptAlias /cgi-bin/ "/home/openca/apache/cgi-bin/"
<Directory "/home/openca/apache/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
ERROR
Because the initialization form of the CA does not work:
chown -R wwwrun.nogroup /home/openca/apache/cgi-bin/ca
CREATE CA CERTIFICATE
----------------------
Point the browser on http://ca.intern.results-hannover.de/ca
Click on
->Initialization / Initialize the Certification Authority /Initialize
Database
Output: The database was successfully initialized.
This is described in THE OPENCA GUIDE 2.2.1 Step 1
->Initialization / Initialize the Certification Authority / Generate new CA
Secret key
(OK, des3, 2048, really heavy password)
Output: Following you can ... and the RSA PRIVATE KEY.
This is described in THE OPENCA GUIDE 2.2.1 Step 2
->Initialization / Initialize the Certification Authority /Generate new CA
Certificate Request (use generated secret key)
(OK,[EMAIL PROTECTED],ca.intern.results-hannover.de,
security,Results,DE,
[EMAIL PROTECTED], CN=ca,
OU=security, O=Results, C=DE.
really heavy password)
Output: Following you can find ..... the key...
This is described in THE OPENCA GUIDE 2.2.1 Step 3; this is the CSR (Cert Setup
Request).
->Initialization / Initialize the Certification Authority / Generate Self
Signed CA Certificate (from already generated request)
(OK, 730, really heavy password)
Output: Following you can find the result of the generation proce ... the key
This is described in THE OPENCA GUIDE 2.2.1 Step 4
->Initialization / Initialize the Certification Authority / Rebuild CA
Chain
Output: Successful..... There must be no error message!
This is described in THE OPENCA GUIDE 2.2.1 Step 5
Now put in a formatted floppy.
->Initialization / Initialize the Certification Authority / Export
Configuration
Output: Exporting the RBAC-configuration ..
If you have an X server on your PC, you have to change ownership and permissions
of /dev/fd0, because the X server sets them to user permissions.
chown root.root /dev/fd0; chmod 755 /dev/fd0
This belongs to THE OPENCA GUIDE 2.2.1 Step 5, too.
Make a hard copy of this floppy to CD:
dd if=/dev/fd0 of=ca.fd0 . Put the file ca.fd0 on CD.
CREATE the initial administrator
-------------------------------------
Your work as RA operator is to sign certificate requests if you think the data
are OK.
For signing, you need a signature, that is this certificate, which will be
created here and imported into the browser.
If you get an ERROR 690 in this section, it means: you tried again to
create a first user. That does not work. Please start again with CREATE CA
CERTIFICATE
and initialize the database of the CA.
Point the browser on http://ca.intern.results-hannover.de/ca
Click on
->Initialization / Create the initial administrator / Create a new
request
([EMAIL PROTECTED], Harald Wallus, Internet, CA Operator,
Trustcenter itself, 10leterslongPin, Continue, Continue)
This belongs to THE OPENCA GUIDE 2.2.2 Step 1
->Initialization / Create the initial administrator / Edit the request
Check if everything is OK,
->Continue,
->Issue Certificate, really heavy password
Output: Certificate Issued ... .. the key ..
This belongs to THE OPENCA GUIDE 2.2.2 Step 2 and Step 3 (to issue)
Now clicking on Initialization / Create the initial administrator / Issue the
certificate
results in an ERROR 690. Clearly the cert was issued in the step before.
But Handle the certificate also results in an ERROR 690.
So I go to:
Certificates / Valid Certificates
netscape 4.79: Click on the serial number, choose Certificate and Keypair to
pk12,
Download, type in your 10leterslongPin, download to
raoperator.pk12
This belongs to THE OPENCA GUIDE 2.2.2 Step 4
IMPORT RA OPERATOR INTO BROWSER
-----------------------------------
Remark: When you first import the CA certificate,
the RA operator cert will be trusted; otherwise the certificate management of your
browser
will say this certificate cannot be verified.
Remark 2: On my installation I work with netscape 4.79 as RA operator.
Mozilla 1.1b and IE 6.0 cannot sign the requests.
netscape: Open Communicator/Tools/Security Info/Yours
and import the pk12 certificate.
IE:
Extras/Internet Options/Contents -> Certificates -> Import
After success, you may find the certificate beneath another tab.
CREATE THE initial RA certificate
--------------------------------
The connection to the RA web interface has to be secure. And we need
a signature, so that we know it is really our RA server. This certificate will now be
created.
This section belongs to THE OPENCA GUIDE 2.2.3:
Point the browser on http://ca.intern.results-hannover.de/ca
Click on
Initialization / Create the initial RA certificate / Create a new
request
( [EMAIL PROTECTED], ca.intern.results-hannover.de,
Certificate Request group: Internet,
Role Web Server, !!!!!!!!!! Attention
Trustcenter itself,
a new longerthan10keypassword,
Keysize: 1024, -> Continue -> Continue)
Output is a Certificate Request Confirm
Initialization / Create the initial RA certificate / Edit the request
Check if everything is OK,
and now be careful: you see the subject alternative name,
I got here
email:[EMAIL PROTECTED]
and I change it to (ca.intern.results-hannover.de is the name of the
webserver):
DNS:ca.intern.results-hannover.de,email:[EMAIL PROTECTED]
Remark: See above.
->Continue,
->Issue Certificate, really heavy password
Output: Certificate Issued ....
Like for the RA operator certificate, we can't issue and handle it. ERROR
690.
Again we find the new cert if we click
->Certificates / Valid Certificates
->Click on the serial number, choose Certificate and Keypair to SSLeay,
-> Download, type in your longerthan10keypassword, download to
server.txt
CONFIGURING SSL for APACHE RA Server
------------------------------------
Note: ra must be a DNS alias record for l101.
Into /etc/httpd/httpd.conf put a new Include directive
Include /home/opencara/apache.conf
The file /home/opencara/apache.conf looks like this:
<VirtualHost ra.intern.results-hannover.de:443>
ServerAdmin [EMAIL PROTECTED]
DocumentRoot /home/opencara/apache/htdocs
ServerName ra.intern.results-hannover.de
SSLEngine on
SSLCertificateFile /home/opencara/ssl.crt/server.pem
SSLCertificateKeyFile /home/opencara/ssl.key/key.pem
<Files ~ "\.(cgi|shtml|phtml|php3?)$">
SSLOptions +StdEnvVars
</Files>
<Directory "/usr/local/httpd/cgi-bin">
SSLOptions +StdEnvVars
</Directory>
SetEnvIf User-Agent ".*MSIE.*" \
nokeepalive ssl-unclean-shutdown \
downgrade-1.0 force-response-1.0
CustomLog /var/log/httpd/ssl_request_log \
"%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
<Directory "/home/opencara/apache/htdocs">
Options Indexes FollowSymlinks MultiViews
AllowOverride None
Order allow,deny
Allow from all
</Directory>
ScriptAlias /cgi-bin/ "/home/opencara/apache/cgi-bin/"
<Directory "/home/opencara/apache/cgi-bin">
AllowOverride None
Options None
Order allow,deny
Allow from all
</Directory>
</VirtualHost>
Now we have to copy caserver.pk12 to /home/opencara/ssl.crt/server.pem
and to /home/opencara/ssl.key/key.pem, delete the private key
section in server.pem
and the public key section in key.pem.
Restart your apache:
/etc/init.d/apache restart
IMPORT THE CA CERTIFICATE into browser
-------------------------------------------
Now I think it is a good idea to import the certificate of our CA.
Point your browser to https://ra.intern.results-hannover.de/pub
Click on
Get CA Certificate
IE: download the CA certificate into pki.cer. In File Explorer double-click
this
file and click through the wizard,
or open it and install it into your certificate store.
netscape 4.79:
Remark: If you now delete your RA operator cert in your browser and
install it again, your browser will trust this cert.
INITIALIZE RA SERVER
------------------------------------------------------
Point your browser to https://ca.intern.results-hannover.de/ra
Click on RAServer Admin, you change to ...../online
Click on
RAServer Init/ Initialize Database
Output: This was successfully ....
Now I take the first floppy from CREATE CA CERTIFICATE / Export Configuration
RAServer Init/ Import Configuration
Output: Importing the Configuration .....
I got an ERROR from LDAP. This is OK because I have
not initialized LDAP. I will do it later.
REQUEST A USER CERTIFICATE as normal user.
-------------------------------------------
Point your Browser to https://ra.intern.results-hannover.de/pub
-> Click on Request a Certificate
Fill out the form, choose role user.
-> Continue
If everything is OK -> Continue
-> Click OK to start the generation of the private key.
Output: Certificate Request Confirm
Thank you for requesting your certificate from our organization, your
request with serial
1056 it's been successfully archived and it is now waiting for approval by
any of our
Registration Authorities...
Please note the serial number, in this example it is the number 1056!
If you now change to the pending request (use the "here" link in the output
page, or
you find it on https://ra.intern.results-hannover.de/ra/, ->Request/Pending
Requests)
Remark: If I understand the procedure correctly, the key is generated by the
Netscape browser
and only the public part is sent to the CA for signing!!
RAOPERATOR SIGNS YOUR REQUEST
-------------------------------------
Point Your Browser with the ra operator certificate to
https://ra.intern.results-hannover.de/ra/ and
-> Click on Request/Pending Requests
-> Click on your serial number (in this example 1056) and
-> if everything is OK click on "Approve and Sign Request"
Check that the correct RA operator cert is chosen and
-> click OK.
Output: Request Approved .....
EXPORT THE REQUEST FROM RA on floppy
---------------------------------------
The user request is now signed by the RA operator: the RA operator says this
request is OK. Now we need the signature of the CA. For this we must export
the request, import the request into the CA, sign it there and put it back into the RA.
Put in a formatted floppy which works fine (this is sometimes difficult to
get).
Point your browser with the RA operator certificate to
https://ra.intern.results-hannover.de/ra/ and
-> Click on RAServer Admin / Input and Output / Request -> OK
Output: Exporting the requests to CA ...
And beneath Approved requests you will find the request with serial 1056.
Eject the floppy
IMPORT THE REQUEST INTO CA AND SIGN IT
--------------------------------------
Now we put the floppy into the CA and point the browser to
http://ca.intern.results-hannover.de/ca/ and click on
-> Input and Output / Import Request -> OK
Output: Beneath "Importing approved request .." you will find our serial
number.
Now we click on
-> Approved Certificate Requests /
-> choose our serial number
-> Issue certificate, enter the really heavy password -> OK
Output: Certificate Issued ....
Now we have a certificate. But we have to put it back on the public interface.
EXPORT THE CERTIFICATE AND IMPORT IT INTO RA
---------------------------------------------
We do on :http://ca.intern.results-hannover.de/ca/
-> Click on Input and Output / Export Certs
Output: Exporting all certificates to RAServer ....
Eject the floppy and put it into the RA.
https://ra.intern.results-hannover.de/ra/ and
-> Click on RAServer Admin / Input and Output/ Import Certs
Output: Importing all certificates from CA ...
Now we have to E-Mail new users:
-> E-Mail new users
Output: Sending CRIN-Mail(s) ...
and a mail counter counts up.
REMARK: If you are working on a test computer, can it send real emails?
IF you want to send an email again, because one email was not sent properly,
you can use the link Send a CRIN-mail. You need to know the email number.
Next step: -> Delete Temp Files
You get an email with an attachment called smime.p7m.
That is an encrypted email from the CA (normally I use KMail 1.4.2
and that seems to have some problems with PGP).
Because I do everything with Netscape 4.79,
I open the email client of Netscape and the message is decrypted:
your certificate was generated. You can download it now.
Please use the following PIN to revoke your certificate:
658KueOOs1Hh9H+jK5uhxw==
Sincerely, your administration team
Now I have to look at how to export this certificate to a file, to store it
and to import it into another email tool.
Here I stop for now.
Every comment is welcome.
--
Dr. Harald Wallus
Results GmbH
Am Listholze 78, D-30177 Hannover
Tel: +49(0)511 90 95 1-23 Fax: +49(0)511 90 95 = 1-90
Email: [EMAIL PROTECTED]
Internet: http://www.results-hannover.de
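
Added example (editor's, not part of the post above and not OpenCA code): the
"CREATE THE initial RA certificate" and "CONFIGURING SSL for APACHE RA Server"
steps redone with plain openssl, so the result of the manual work (the
subjectAltName edit, the SSLeay download, the hand-split into server.pem and
key.pem) can be checked before Apache is restarted. Assumed and not from the
post: a scratch directory, the RA mail address (the post's addresses are
redacted), and unencrypted keys for the test run where the post uses des3.
The CA and RA host names are those of the post.

```shell
#!/bin/sh
# Added example, not from the post or the OpenCA distribution: the RA web-server
# certificate steps redone with plain openssl so they can be checked by hand.
# Assumptions: a scratch directory, unencrypted keys (test only; the post uses
# des3-protected keys), and an RA mail address that stands in for the redacted one.
set -eu
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }

CA_CN="ca.intern.results-hannover.de"           # CA name from the post
RA_CN="ra.intern.results-hannover.de"           # RA web-server name from the post
RA_MAIL="raadmin@intern.results-hannover.de"    # assumption: address redacted in the post
WORK="${WORK:-$(mktemp -d)}"

# CA key + self-signed CA certificate, 730 days as in the post
# (the "Generate new CA Secret key" / "Self Signed CA Certificate" steps without the GUI).
make_ca() {
  openssl genrsa -out "$WORK/ca.key" 2048 2>/dev/null
  openssl req -new -x509 -days 730 -key "$WORK/ca.key" \
    -subj "/C=DE/O=Results/OU=security/CN=$CA_CN" -out "$WORK/ca.crt" 2>/dev/null
}

# RA server key, request and CA-signed certificate. The subjectAltName is set to
# DNS:<web-server name>,email:<address>, the form the post edits the request into
# before issuing; browsers compare the DNS entry with the host name they connect to.
make_ra_cert() {
  openssl genrsa -out "$WORK/ra.key" 2048 2>/dev/null
  openssl req -new -key "$WORK/ra.key" \
    -subj "/C=DE/O=Results/OU=security/CN=$RA_CN" -out "$WORK/ra.csr" 2>/dev/null
  printf 'subjectAltName=DNS:%s,email:%s\n' "$RA_CN" "$RA_MAIL" > "$WORK/san.ext"
  openssl x509 -req -days 365 -in "$WORK/ra.csr" \
    -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
    -extfile "$WORK/san.ext" -out "$WORK/ra.crt" 2>/dev/null
  # Stand-in for the "Certificate and Keypair to SSLeay" download: one PEM file
  # holding the certificate and the private key.
  cat "$WORK/ra.crt" "$WORK/ra.key" > "$WORK/server.txt"
}

# The split the post does by hand (remove the key from server.pem and the
# certificate from key.pem), done with awk range patterns so it works whichever
# block comes first. The key file is made readable by its owner only.
split_ssleay_file() {  # $1 combined file, $2 cert out, $3 key out
  awk '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/' "$1" > "$2"
  awk '/^-----BEGIN (RSA )?PRIVATE KEY-----$/,/^-----END (RSA )?PRIVATE KEY-----$/' "$1" > "$3"
  chmod 600 "$3"
  [ -s "$2" ] && [ -s "$3" ]
}

# mod_ssl rejects SSLCertificateFile/SSLCertificateKeyFile that do not belong
# together at startup; compare the RSA moduli beforehand.
key_matches_cert() {  # $1 cert, $2 key
  c=$(openssl x509 -noout -modulus -in "$1" 2>/dev/null)
  k=$(openssl rsa -noout -modulus -in "$2" 2>/dev/null)
  [ -n "$c" ] && [ "$c" = "$k" ]
}

# What the browser checks once the CA certificate is imported: the server
# certificate chains to our CA and names the host being connected to.
cert_ok_for_host() {  # $1 cert, $2 CA cert, $3 expected host name
  openssl verify -CAfile "$2" "$1" >/dev/null 2>&1 &&
    openssl x509 -noout -text -in "$1" | grep -qF "DNS:$3"
}

main() {
  make_ca
  make_ra_cert
  split_ssleay_file "$WORK/server.txt" "$WORK/server.pem" "$WORK/key.pem"
  key_matches_cert "$WORK/server.pem" "$WORK/key.pem"
  cert_ok_for_host "$WORK/server.pem" "$WORK/ca.crt" "$RA_CN"
  echo "server.pem and key.pem in $WORK match, chain to $CA_CN and name $RA_CN"
}

main
```

Run it as-is to get a scratch pair, or point split_ssleay_file, key_matches_cert
and cert_ok_for_host at the real server.txt, ca.crt and the RA host name before
copying the files into ssl.crt and ssl.key: the last check fails when the DNS
entry in the subjectAltName is not the name the browser will use for the RA.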
_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users