Dear All, I am attaching my config-script pair.
Could you please tell me if you can see anything wrong with them? If I direct the script to the apache pid, the script moves on and fails with "too many arguments" on line 52 or 53. If I use the ocspd.pid option, the daemon will not start at all; I have even given root privileges to the daemon account, no go. The key is protected; is this a reason for the daemon not to start? I am sure I have given the option that provides the password to the key, still no go. If anyone is interested I can send the certificates I am using. Thank you all for your time. The system is Debian.

Best Regards,
Ted

# OCSPd example configuration file.
# (c) 2001 by Massimiliano Pala - OpenCA Project.
# All rights reserved

[ ocspd ]
default_ocspd = OCSPD_default           # The default ocspd section

####################################################################
[ OCSPD_default ]
dir = /root/austerca                    # Where everything is kept
db = $dir/database.txt                  # database index file.
md = sha1
ca_certificate = $dir/certs/01.pem      # The CA certificate
ocspd_certificate = $dir/certs/02.pem   # The OCSP server cert
ocspd_key = $dir/keys/austerocsp.key    # The OCSP server key
pidfile = /usr/local/apache/logs/httpd.pid   # Main process pid

# User and Group the server will run as. It is a good idea
# not having servers running as root: in case of errors in
# the code providing an 'illegal' access method for an attacker
# it is better not to give him additional advantages.
user = ocspd
group = daemon

# Bind to a specific address. This option is useful if you need
# to listen only on one IP among the available ones.
bind = *

# Port where the server will listen for incoming requests.
port = 2560

# Max size of accepted requests. Data connection will be closed
# in case this size will be reached.
max_req_size = 8192

# Auto Reload interval of CRL (if set to 0 or not present, to
# reload the CRL you'll need to send a SIGHUP (kill -1 <pid>)
# to the parent process (seconds)
crl_auto_reload = 3600

# Check CRL validity period. If this parameter is set to #n
# then the CRL is checked every #n secs and if the CRL's validity
# period is expired then all the responses will be set to
# 'unknown'.
# If 'crl_check_validity' is set to '0' or it is absent, all
# responses will be based on the loaded CRL, no matter if it
# is expired or not.
crl_check_validity = 600

# Reload CRL if the one loaded is expired. Set this parameter
# only if you are sure that the new CRL will be issued and put
# in the crl_url.
crl_reload_expired = yes

# Specifies the response section to load the server options
# from
response = ocsp_response

# It specifies the section to be used where options about where
# CRL and certificates are kept.
#
# Example section using LDAP for data retrieval
# dbms = dbms_ldap
#
# Example section using FILES for data retrieval
dbms = dbms_file

# Enables the ENGINE interface for the server. If set to off then
# no support for ENGINE is loaded. If set to anything but 'off' the
# value must correspond to a section in this configuration file.
# Currently only LunaCA3, LunaSA are directly supported. If you need
# support for other HSM write to the authors.
#
# IMPORTANT NOTE: in case of usage with engine support enabled, put
# the private key ID - look at the HSM documentation - into the
# 'ocspd_key' field above in this file
engine = HSM

####################################################################
[ ocsp_response ]
dir = /root/ocspdaemon/etc/ocspd

# It is possible to include additional certificates in given
# responses. Put all the certificates you want to include in
# the file pointed by 'ocsp_add_responses_certs', concatenated
# one after the other.
#
# Comment this option if you don't want to add certificates
# to responses.
#ocsp_add_response_certs = $dir/certs/chain_certs.pem

# Set this option if you want to include the KeyID. If you are
# unsure about this setting, use 'yes'.
ocsp_add_response_keyid = yes

# next_update_days and next_update_mins allow to specify in
# each response when new revocation data will be available.
# If the two options are both set to '0' the 'nextUpdate' field
# in the OCSP response will be left NULL indicating new data
# can be made available anytime (this is true if you are issuing
# new CRLs every time a revocation takes place)
#
# NOTE: Firefox/Mozilla do not parse correctly the OCSP answer in
# case the nextUpdate field is missing. It is therefore suggested
# to use the next_update_mins set (e.g. 5 minutes) to have mozilla's
# software correctly work with OCSP enabled.
next_update_days = 0
next_update_mins = 5

####################################################################
#####[ dbms_ldap ]
####0.ca = @ldap_ca_1

######[ ldap_ca_1 ]
# You can have the CRL on a simple file
# crl_url = file:///usr/local/etc/ocspd/crl.pem

# You can have the CRL retrieved from an HTTP server
# crl_url = http://[user[:[EMAIL PROTECTED]:port]/path_to_crl

# You can store the CRL into an LDAP server, simply
# store it in certificateRevocationList;binary attribute
#
# There are different ways, all legal, to specify the CRL
# URL address:
# crl_url = ldap://[user[:[EMAIL PROTECTED]:389]
# crl_url = ldap://ldap.server.org:389
#####crl_url = ldap://localhost

# The CRL entry DN is the DN to look for when retrieving the
# data from the LDAP server. Put here the complete DN (usually
# the DN of the CA's certificate).
#
# This option is needed only if the CRL is stored on LDAP
#####crl_entry_dn = "cn=Certification Auth, o=Organization, c=IT"

# To retrieve the CRL from LDAP the attribute where it is stored is to
# be specified. Usually this should be set to:
#
# certificateRevocationList;binary
#
# anyway existing LDAP installations or new standards can mandate
# for different attributes for storing CRLs into. Use this parameter
# to specify the attribute used to retrieve the CRL from.
#
# This option is needed only if the CRL is stored on LDAP
#####crl_entry_attribute = "certificateRevocationList;binary"

# We need the CA certificate for every CA we support. Upon loading
# the CRL and the CA certificate a simple check is made to ensure
# the CRL/CA certificate matching. Also the CA certificate is used
# to retrieve the CID used to identify the certificate being
# requested by the client (CID of the Issuer + serial Number).
#
# DN where the cACertificate;binary value can be downloaded
# This option is needed only if the CA Certificate is stored on LDAP
#####ca_entry_dn = "o=Organisation, c=IT"

####################################################################
[ dbms_file ]
# We can have as many CAs supported as we want, each CRL will be
# loaded and stored upon server starting
0.ca = @first_ca
#1.ca = @second_ca

####################################################################
[ first_ca ]
# You can have the CRL on a simple file in PEM format
crl_url = file:////root/austerca/crl.pem

# We need the CA certificate for every supported CRL
ca_url = file:////root/austerca/certs/01.pem

####################################################################
[ second_ca ]
# You can have the CRL on a simple file in PEM format
#crl_url = file:////root/ocspdaemon/etc/ocspd/crls/crl_02.pem

# We need the CA certificate for every supported CRL
#ca_url = file:////root/ocspdaemon/etc/ocspd/certs/2nd_cacert.pem

####################################################################
[ HSM ]
# Setup parameters for basic lunaCA3/LunaSA crypto hardware.

# Specifies the ENGINE id to be used - check OpenSSL and your HSM
# vendor to get more info about this parameter.
engine_id = LunaCA3

# Some HSM need initialisation before access to the crypto accelerated
# functions is granted. It is possible, by using the 'engine_pre' options
# to issue needed commands directly to the HSM.
#
# The format is as follows:
# 0.engine_pre = cmd:values
# 1.engine_pre = cmd2:values
# ...
# It is possible to have as many commands as needed.

# The following command is for LunaCA3/LunaSA. It forces the vendor's
# library to use '/etc/my_conf_file' as configuration file (check the
# HSM documentation about this file contents).
#0.engine_pre = CONF_PATH:/etc/my_conf_file

# The following is for LunaCA3/LunaSA where the command is 'login' and
# the value is "1:10:11:myPassword" which indicates to use Slot 1,
# high application id 10, low app id 11 and password "myPassword"
0.engine_pre = login:1:10:11:myPassword

# Some HSMs need to perform commands after the ENGINE initialisation
# which are taken from the 'engine_post' option. Usage and format
# is exactly the same as 'engine_pre', the difference is that commands
# are sent to the HSM after the ENGINE_init() function. Refer to your
# HSM documentation for more information
# 0.engine_post = logout:1:10:11

----------------------------------------------------

#!/bin/sh
#
# Startup script for the OCSPD responder
#
# chkconfig: 345 85 15
# description: OpenCA OCSP Responder
# processname: openca-ocspd

prefix="/root/o";
sbin="${prefix}/sbin";
etc="${prefix}/etc/ocspd"

# Source function library.
# . /etc/rc.d/init.d/functions

ocspd="${sbin}/ocspd";
conf="${etc}/ocspd.conf";

# Take a look in your apache config and set it as it is set there.
pidfile1="${etc}/ocspd.pid";

# See how we were called.
case "$1" in
  start)
        echo -n "Starting OCSP Responder: "
        echo -n "Etc = ( $etc ) "
        echo -n "Conf = ( $conf ) "
        ${ocspd} -v -c "${conf}" -d
        echo "Done."
        ;;
  stop)
        echo -n "Shutting down OCSP Responder: "
        if [ -f "$pidfile1" ] ; then
                # read the pid from the same file the script checks above
                pid1=`cat $pidfile1`;
                # if [ "x$pid1" = "x" ] ; then
                #       killall -15 ocspd
                # else
                        kill -15 ${pid1}
                # fi
                rm -f "$pidfile1"
        else
                echo "Missing pidfile (already stopped?)"
        fi
        echo "Done."
        ;;
  status)
        echo -n "OCSP Responder is "
        if ! [ -f "$pidfile1" ] ; then
                echo "stopped."
        else
                pid1=`cat $pidfile1`;
                if test `ps -p ${pid1}` ; then
                        echo "running ( $pid1 ) ... "
                else
                        echo "stopped."
                fi
        fi
        ;;
  restart)
        $0 stop
        sleep 2
        $0 start
        ;;
  *)
        echo "Usage: $0 {start|stop|status|restart}"
        exit 1
esac

exit 0

----------------------------------------------------

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
Sent: Thursday, June 01, 2006 6:14 AM
To: [email protected]
Subject: Openca-Users digest, Vol 1 #1928 - 4 msgs

Send Openca-Users mailing list submissions to
        [email protected]

To subscribe or unsubscribe via the World Wide Web, visit
        https://lists.sourceforge.net/lists/listinfo/openca-users
or, via email, send a message with subject or body 'help' to
        [EMAIL PROTECTED]

You can reach the person managing the list at
        [EMAIL PROTECTED]

When replying, please edit your Subject line so it is more specific
than "Re: Contents of Openca-Users digest..."

Today's Topics:

   1. Re: Problem with ocspd shell script. (Guillaume Tamboise)
   2. Re: OCSPD Testing (Guillaume Tamboise)
   3. Problems with additional attributes (Juan Carlos Lillo Molina)
   4. O, OU, CN length (Dmitrij Mironov)

--__--__--

Message: 1
Date: Wed, 31 May 2006 13:03:05 -0500
From: Guillaume Tamboise <[EMAIL PROTECTED]>
To: [email protected]
Subject: Re: [Openca-Users] Problem with ocspd shell script.
Reply-To: [email protected]

Massimiliano Pala wrote:
> I was going to modify the script, and I will probably end up using
> pgrep instead of ps for the 'status' command. Do you know if there
> are systems that do not come with this command by default?

pgrep is widespread today, including on Solaris. I remember seeing it
on Solaris 8, so I think that you can pretty safely use it. Debian/Ubuntu
also have it by default.

Guillaume

--__--__--

Message: 2
Date: Wed, 31 May 2006 13:07:29 -0500
From: Guillaume Tamboise <[EMAIL PROTECTED]>
To: [email protected]
Subject: Re: [Openca-Users] OCSPD Testing
Reply-To: [email protected]

Massimiliano Pala wrote:
> Kostis Thodoris wrote:
>
>> apache pid variable is declared in the config file, and the ocspd
>> script recognizes it.
>> It stops right after declaring too many
>> arguments in the
>
> I do not understand the "apache" reference. The OCSPD is not an apache
> module, it runs independently from Apache. The pid is the file where the
> pid of the running OCSPD is written.

ocspd script:
[...]
# Take a look in your apache config and set it as it is set there.
pidfile="${etc}/ocspd.pid";
[...]

It seems that you based the ocspd init script on an Apache init script.
And then, you forgot to tweak that comment?

Guillaume

--__--__--

Message: 3
Date: Wed, 31 May 2006 12:41:28 -0400
From: "Juan Carlos Lillo Molina" <[EMAIL PROTECTED]>
To: [email protected]
Subject: [Openca-Users] Problems with additional attributes
Reply-To: [email protected]

Hello...
I need new attributes in "subjectAltName".

I use the following lines in pub.conf:

DN_TYPE_BASIC_SUBJECTALTNAMES "otherName" "email"

DN_TYPE_BASIC_SUBJECTALTNAME_1 "RUT"
DN_TYPE_BASIC_SUBJECTALTNAME_1_MINIMUM_LENGTH 12
DN_TYPE_BASIC_SUBJECTALTNAME_1_REQUIRED "YES"

DN_TYPE_BASIC_SUBJECTALTNAME_2 "E-Mail"
DN_TYPE_BASIC_SUBJECTALTNAME_2_MINIMUM_LENGTH 3
DN_TYPE_BASIC_SUBJECTALTNAME_2_REQUIRED "YES"

If I swap "otherName" for "DNS"... there are no problems with the
certificate generation, but with "otherName" the result is this:

Error 6761
Error General
Error while issuing Certificate to Juan Carlos Lillo Molina1 (filename: /usr/local/OpenCA/var/tmp/1A.req).

OpenCA::OpenSSL returns errocode 7731075 (OpenCA::OpenSSL->issueCert: OpenSSL fails (7777067).
Using configuration from /usr/local/OpenCA/etc/openssl/openssl/User.conf
Check that the request matches the signature
Signature ok
ERROR: adding extensions in section default
23292:error:22075075:X509 V3 routines:v2i_GENERAL_NAME:unsupported option:v3_alt.c:436:name=otherName.0
23292:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in extension:v3_conf.c:92:name=subjectAltName, [EMAIL PROTECTED]
error in ca
).

The openssl documentation talks about the "otherName" feature, but it
doesn't work with openca...

Please, help me with any hint...

--
Atte.
JCLM

--__--__--

Message: 4
From: "Dmitrij Mironov" <[EMAIL PROTECTED]>
To: <[email protected]>
Date: Wed, 31 May 2006 22:52:24 +0300
Subject: [Openca-Users] O, OU, CN length
Reply-To: [email protected]

Hi guys,

I have a little problem with the O, OU and CN RDN length limitation - it
is set somewhere to 64 chars. If I use UTF8, I suppose, it is even
shorter. The question is: is this limitation set according to some RFC,
or is it by design? Can these limits be changed?

Thanks for any hints.

Regards,
Dmitrij

--__--__--

_______________________________________________
Openca-Users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/openca-users

End of Openca-Users Digest
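The "too many arguments" Ted reports comes from the status branch of his script: `if test `ps -p ${pid1}``. The command substitution expands the ps header and data row into several words, and test cannot take that many. The thread's Message 1 suggests pgrep instead. The following is an added example, not the script from the thread and not OpenCA's own code, of status and stop logic for such an init script that avoids the word-splitting problem (it uses `kill -0`, which sends no signal and only asks whether the PID exists), refuses a pidfile that does not hold a single decimal number, waits for the daemon to actually exit before deleting the pidfile, and checks that the `pidfile =` value in an ocspd.conf is the file the script reads. It assumes a POSIX sh with kill, sed, grep and mktemp; the zombie check reads /proc and so only adds information on Linux. The function names, the demo pidfile and the one-line config it writes are all constructed for this example.

```shell
#!/bin/sh
# Added example (not from the thread, not OpenCA code): pidfile handling
# for an init script like the one posted above.
# Assumes POSIX sh with kill, sed, grep, mktemp; /proc check is Linux-only.

# proc_alive PID: 0 if PID exists and is not a zombie.
# `kill -0` sends no signal; it only asks whether PID exists and may be
# signalled. `test $(ps -p "$pid")` would instead expand the ps header and
# data row into several words, the "too many arguments" failure.
proc_alive() {
    kill -0 "$1" 2>/dev/null || return 1
    # A child that has exited but is not yet reaped still answers kill -0
    # (Linux-specific check; assumes /proc is mounted).
    if [ -r "/proc/$1/status" ] && grep -q '^State:[[:space:]]*Z' "/proc/$1/status"; then
        return 1
    fi
    return 0
}

# pid_from_file FILE: print the PID stored in FILE; fail if FILE is missing
# or does not hold a single decimal number, so a stale or corrupt pidfile
# never turns into `kill -15` with an empty or garbage argument.
pid_from_file() {
    [ -f "$1" ] || return 1
    pid=$(cat "$1") || return 1
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$pid"
}

# daemon_status FILE: 0 if the PID in FILE is running, 1 otherwise.
daemon_status() {
    pid=$(pid_from_file "$1") || return 1
    proc_alive "$pid"
}

# daemon_stop FILE: SIGTERM the PID in FILE, wait up to 5 s for it to exit,
# and remove the pidfile only once the process is gone. 0 on a clean stop.
daemon_stop() {
    pid=$(pid_from_file "$1") || { echo "Missing or unreadable pidfile (already stopped?)"; return 1; }
    kill -15 "$pid" 2>/dev/null || { echo "Stale pidfile: no process $pid"; rm -f "$1"; return 1; }
    i=0
    while proc_alive "$pid" && [ "$i" -lt 5 ]; do
        sleep 1
        i=$((i + 1))
    done
    if proc_alive "$pid"; then
        echo "Process $pid did not exit after SIGTERM"
        return 1
    fi
    rm -f "$1"
    return 0
}

# conf_pidfile CONF: print the value of the first 'pidfile = ...' line in an
# ocspd.conf with any trailing '# comment' stripped. Does not expand $dir-style
# variables (ocspd itself would), so it is exact only for literal paths.
conf_pidfile() {
    sed -n 's/^[[:space:]]*pidfile[[:space:]]*=[[:space:]]*\([^#]*\).*/\1/p' "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1
}

# pidfile_matches CONF FILE: 0 when the config's pidfile is FILE, so the
# script and the daemon cannot silently disagree about where the PID lives.
pidfile_matches() {
    [ "$(conf_pidfile "$1")" = "$2" ]
}

# Stand-alone demo against a constructed pidfile and one-line config:
#   sh this_script.sh demo
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp); cfg=$(mktemp)
    sleep 300 &
    echo "$!" > "$tmp"
    printf 'pidfile = %s   # Main process pid\n' "$tmp" > "$cfg"
    pidfile_matches "$cfg" "$tmp" && echo "config and script agree on $tmp"
    daemon_status "$tmp" && echo "running ( $(cat "$tmp") )"
    daemon_stop "$tmp" && echo "stopped"
    daemon_status "$tmp" || echo "status now: stopped."
    rm -f "$cfg"
fi
```

`kill -0` only says that some process with that PID exists, not that it is ocspd, so a pidfile that survives a reboot can point at an unrelated process; `pgrep -F pidfile` (procps) or a comparison of `/proc/PID/exe` against the ocspd binary closes that gap if the script must be robust to that case.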
