>> Other observations:
>> CA & RA need to use the same SQL database (which makes an air gap separation
>> impossible). If it used db instead of dbi would this work? [Database is not
>> updated when it imports the reqs]

>I think there is a misunderstanding of the export-/import-technology.
>The RA and CA can use of course another SQL-database than the CA. Why do
>you think they must use the same SQL-database? What do you mean with
>[Database is not updated when it imports the reqs]?

Because, although the import and export procedures import the files into the
appropriate directories in var/crypto/*, the web interface depends on the
database to show any references to the certificate in order to issue them.

e.g. If I create the initial administrator on the CA and look at the SQL
database:

mysql> select req_key, cn, status from request;
+---------+------------------------+---------+
| req_key | cn                     | status  |
+---------+------------------------+---------+
|     256 | Craig McGregor (CA Op) | PENDING |
+---------+------------------------+---------+
1 row in set (0.00 sec)

So, I can issue the certificate through the web-interface.

However, if I import some requests from the RA and they are not populated in
the database, using the web functions to issue the certificates is not
possible because it doesn't seem the certificates are there.
lib/cmds/listReqs for example has code in it that certainly depends on the
information being contained in the database.

>> I also get an error 700 cannot import req when attempting to approve (and create
>> token key pairs). Any ideas what might be wrong?

>Please describe exactly what you are doing. Tokenrequests work like
>follows:
>1. the user creates such a request (means he wants a smartcard)
>2. the RA Operator uses a new smartcard with its IE or Netscape
>3. the RA Operator generates the keys and the real request with the smartcard
>4. now it works like a normal request

Seems to be breaking when the RA Operator looks at the request and attempts
to create the key-pair on the token, which will then create a request.
For some reason, this works on the pub site, but not the ra site. I will look
at it more closely, but it could be because I was not set up for signing an
approval.

In some circumstances it might be useful to create the whole request as an
RA Operator using the public site first. e.g. Signed e-mail to RA
operator please create tokens for users A ([EMAIL PROTECTED]),
B ([EMAIL PROTECTED]), C ([EMAIL PROTECTED]) ....

Regards,
Craig.

_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
