On Tue, 2008-12-30 at 11:43 -0500, David W Blaine wrote:
>
> In IE 6, I get the error:
>
> Error Code: 700
>
> The PKCS#7-object signals an error.
> The signature is not valid.
>
> PKCS#7-Error 7932039:
> OpenCA::PKCS7->parseDepth: There is
> a problem with the verification of
> the chain. ( error:7:certificate
> signature failure)
>
> In Firefox 3, I get the error:
>
> Error Code: 6203
>
> The request is not signed!
>
> after a popup that states "sign is needed to proceed"
>
> I have checked both browsers and the RA and Root certificate look
> properly imported.
>
> -----------------------------------------------------------------
<snip><snip>
>
> I have this same problem. I checked the chain directory - and all is
> ok there. It contains the cacert.crt and the chain. Permissions on the
> file are 644 and owned by the web server account. I put in the patch
> for viewCSR that Max posted in another thread. Can anyone else sign
> their CSR's in Openca 1.0.2?
>
<snip>

Hi, David. I can think of two possible issues. If I recall, when one
imports the PKCS#12 package for the RA operator into the browser and it
installs the CA cert, it does not set it as authorized to do much of
anything. I believe I had to go into the CA cert in Firefox and check on
the three check boxes for the various CA cert faculties.
Or, it could be some of the bugs we hit which resulted in similar
errors. I'm fighting my own deadline so I haven't cleaned this up but
here is a cut and paste from our internal documentation:

We need to patch the source code for some bugs in version 1.0.2.

    cd src/common/lib/cmds

Backup the original versions:

    mv approveCSR{,.orig}
    mv viewCRR{,.orig}
    mv viewCert{,.orig}
    mv send_email_cert{,.orig}

Move these backups to the base directory since they MUST not be
installed in the cmds directory even as renamed files:

    mv *.orig ../../../../

Download the new versions using wget from the following locations:

    http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_6295020/viewCert
    http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_6295020/send_email_cert
    http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_7221014/approveCSR
    http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_7221014/viewCRR

Next we need to fix some spelling and grammar in the emails by patching
the mails directory:

    cd ../mails    (i.e., src/common/lib/mails)
    patch -p1 < opencamail-1.0.2.patch

Now we need to patch DBI.pm

    cd ../../../modules/openca-dbi
    cp DBI.pm ../../../

Apply the opencaDBI.pm-1.0.2.patch patch

    patch -p0 < opencaDBI.pm-1.0.2.patch

I'll attach the two patches which are ours. I've submitted them to the
OpenCA developers and do not know if they've been accepted. Frankly,
I'm a perl ignoramus so they may not be very good patches.

Good luck - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsulli...@opensourcedevel.com

http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
--- DBI.pm 2008-12-07 00:53:21.000000000 +0000 +++ DBI.fixed.pm 2008-12-06 21:52:16.000000000 +0000 @@ -2380,9 +2380,11 @@ } } - ## order by key to support correct listings - $query.= " order by ". - $OpenCA::DBI::SQL->{VARIABLE}->{$arguments {TABLE}."_ORDERBY"}[0]; + if ( $mode ne "count(*)" ) { + ## order by key to support correct listings + $query.= " order by ". + $OpenCA::DBI::SQL->{VARIABLE}->{$arguments {TABLE}."_ORDERBY"}[0]; + } $self->debug ("searchItems: query: $query");
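Review bot: in the DBI.pm hunk at -2380, the new guard `$mode ne "count(*)"` is an exact string comparison, so the "order by" clause is still appended whenever $mode carries the aggregate in any other spelling (different case or spacing, for instance). Normalise $mode before the test, or key the check on whatever selects the count query. The retained comment only says why the ordering exists; add a line saying why it is skipped for counts, since the reason is not recoverable from the code.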
diff -Naur mails/C/certsMail.msg mails.fixed/C/certsMail.msg --- mails/C/certsMail.msg 2007-11-07 19:53:40.000000000 +0000 +++ mails.fixed/C/certsMail.msg 2008-12-07 00:22:37.000000000 +0000 @@ -1,12 +1,12 @@ Dear @USER@, -You are able to download the requested certificate from our server +You may download the requested certificate from our server at the URI: @httpd_protocol@://@httpd_host@@httpd_port@ -please use the serial number reported in the subject of this email. -You can either follow the proposed link to import the certificate +Please use the serial number reported in the subject of this email. +Alternately, you can follow the link below to import the certificate directly from the server (no action required from you): @httpd_protocol@://@httpd_host@@httpd_port@@pub_cgi_url_prefix@/pki?cmd=getcert&k...@serial@&type=CERTIFICATE @@ -17,8 +17,8 @@ @httpd_protocol@://@httpd_host@@httpd_port@@pub_htdocs_url_prefix@ Please remember to keep at least one safe backup of your private -key: if you'll lose it you'll not be able to read the crypted -messages you received so far. +key; if you lose it, you'll not be able to read the encrypted +messages you have previously received. Last, but not least, please add the LDAP server of our organization to your browser's list. You can find it at the following address: @@ -33,12 +33,12 @@ LDAP Port : @ldap_port@ Dir Root : o...@ca_organization@, c...@ca_country@ -Now you are able to search directly users' certificates by the +You can then directly search users' certificates using the search facility built in Netscape with just one mouse click. - Sincerily Yours, + Sincerely Yours, @ca_organization@ Security Staff. diff -Naur mails/C/confirm_cert_sign.msg mails.fixed/C/confirm_cert_sign.msg --- mails/C/confirm_cert_sign.msg 2007-11-07 19:53:40.000000000 +0000 +++ mails.fixed/C/confirm_cert_sign.msg 2008-12-07 00:30:45.000000000 +0000 
@@ -1,11 +1,11 @@ Dear Customer, -your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ was +Your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ has been generated. You can download it now from our server at the URI: @httpd_protocol@://@httpd_host@@httpd_port@ -Please use the serial number. You can either follow the proposed link to import +Please use the serial number. Alternately, you can follow the link below to import the certificate directly from the server (no action required from you): @httpd_protocol@://@httpd_host@@httpd_port@@pub_cgi_url_prefix@/pki?cmd=getcert&k...@__serial__@&type=CERTIFICATE @@ -16,8 +16,8 @@ @httpd_protocol@://@httpd_host@@httpd_port@@pub_htdocs_url_prefix@ Please remember to keep at least one safe backup of your private -key: if you'll lose it you'll not be able to read the crypted -messages you received so far. +key; if you lose it, you'll not be able to read the encrypted +messages you have previously received. -Sincerily Yours, +Sincerely Yours, @ca_organization@ Security Staff. diff -Naur mails/C/expiringMail.msg mails.fixed/C/expiringMail.msg --- mails/C/expiringMail.msg 2007-11-07 19:53:40.000000000 +0000 +++ mails.fixed/C/expiringMail.msg 2008-12-07 00:24:57.000000000 +0000 
@@ -1,18 +1,18 @@ Dear Owner of Certificate __CERT_SERIAL__, -the certificate with the serial __CERT_SERIAL__ and the subject -__CERT_SUBJECT__ will expiring at __CERT_NOTAFTER__. +The certificate with the serial __CERT_SERIAL__ and the subject +__CERT_SUBJECT__ will expire at __CERT_NOTAFTER__. The certificate was issued for __CERT_CN__. Please visit our webpage to request a new certificate or contact your registration authority to renew the certificate. -You can simply reply to this email for further informations. +You can simply reply to this email for further information. @httpd_protocol@://@httpd_host@@httpd_port@ Please remember that the services for which the certificate -is used will propably no longer usable if the certificate -is expired. +is used will probably no longer be usable once the certificate +expires. - Sincerily Yours, + Sincerely Yours, @ca_organization@ Security Staff. diff -Naur mails/C/request_pin_mail.msg mails.fixed/C/request_pin_mail.msg --- mails/C/request_pin_mail.msg 2007-11-07 19:53:40.000000000 +0000 +++ mails.fixed/C/request_pin_mail.msg 2008-12-07 00:26:15.000000000 +0000 @@ -1,9 +1,9 @@ Dear Customer, -your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ was +Your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ has been generated. You can download it now. -Please use the PIN you are entered during the generation of +Please use the PIN you entered during the generation of the request to revoke the certificate. -Sincerly, your adminstration team +Sincerely, your administration team diff -Naur mails/C/secure_pin_mail.msg mails.fixed/C/secure_pin_mail.msg --- mails/C/secure_pin_mail.msg 2007-11-07 19:53:40.000000000 +0000 +++ mails.fixed/C/secure_pin_mail.msg 2008-12-07 00:27:08.000000000 +0000 
@@ -1,10 +1,10 @@ Dear Customer, -your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ was +Your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ has been generated. You can download it now. Please use the following PIN to revoke your certificate: $PIN -Sincerly, your adminstration team +Sincerely, your adminstration team diff -Naur mails/en_GB/certsMail.msg mails.fixed/en_GB/certsMail.msg --- mails/en_GB/certsMail.msg 2007-11-07 19:53:40.000000000 +0000 +++ mails.fixed/en_GB/certsMail.msg 2008-12-07 00:29:26.000000000 +0000 @@ -1,12 +1,12 @@ Dear @USER@, -You are able to download the requested certificate from our server +You may download the requested certificate from our server at the URI: @httpd_protocol@://@httpd_host@@httpd_port@ -please use the serial number reported in the subject of this email. -You can either follow the proposed link to import the certificate +Please use the serial number reported in the subject of this email. +Alternately, you can follow the link below to import the certificate directly from the server (no action required from you): @httpd_protocol@://@httpd_host@@httpd_port@@pub_cgi_url_prefix@/pki?cmd=getcert&k...@serial@&type=CERTIFICATE @@ -17,10 +17,10 @@ @httpd_protocol@://@httpd_host@@httpd_port@@pub_htdocs_url_prefix@ Please remember to keep at least one safe backup of your private -key: if you'll lose it you'll not be able to read the crypted -messages you received so far. +key; if you lose it, you'll not be able to read the encrypted +messages you have previously received. -Last, but not least, please add the LDAP server of our organization +Last, but not least, please add the LDAP server of our organisation to your browser's list. You can find it at the following address: ldap://@ldap_host@:@ldap_port@/@ca_organization@,@ca_country@ 
@@ -33,12 +33,12 @@ LDAP Port : @ldap_port@ Dir Root : o...@ca_organization@, c...@ca_country@ -Now you are able to search directly users' certificates by the +You can then directly search users' certificates using the search facility built in Netscape with just one mouse click. - Sincerily Yours, + Sincerely Yours, @ca_organization@ Security Staff. diff -Naur mails/en_GB/confirm_cert_sign.msg mails.fixed/en_GB/confirm_cert_sign.msg --- mails/en_GB/confirm_cert_sign.msg 2007-11-07 19:53:40.000000000 +0000 +++ mails.fixed/en_GB/confirm_cert_sign.msg 2008-12-07 00:30:32.000000000 +0000 @@ -1,11 +1,11 @@ Dear Customer, -your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ was +Your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ has been generated. You can download it now from our server at the URI: @httpd_protocol@://@httpd_host@@httpd_port@ -Please use the serial number. You can either follow the proposed link to import +Please use the serial number. Alternately, you can follow the link below to import the certificate directly from the server (no action required from you): @httpd_protocol@://@httpd_host@@httpd_port@@pub_cgi_url_prefix@/pki?cmd=getcert&k...@__serial__@&type=CERTIFICATE @@ -16,8 +16,8 @@ @httpd_protocol@://@httpd_host@@httpd_port@@pub_htdocs_url_prefix@ Please remember to keep at least one safe backup of your private -key: if you'll lose it you'll not be able to read the crypted -messages you received so far. +key; if you lose it, you'll not be able to read the encrypted +messages you have previously received. -Sincerily Yours, +Sincerely Yours, @ca_organization@ Security Staff. diff -Naur mails/en_GB/expiringMail.msg mails.fixed/en_GB/expiringMail.msg --- mails/en_GB/expiringMail.msg 2007-11-07 19:53:40.000000000 +0000 +++ mails.fixed/en_GB/expiringMail.msg 2008-12-07 00:31:32.000000000 +0000 
@@ -1,18 +1,18 @@ Dear Owner of Certificate __CERT_SERIAL__, -the certificate with the serial __CERT_SERIAL__ and the subject -__CERT_SUBJECT__ will expiring at __CERT_NOTAFTER__. +The certificate with the serial __CERT_SERIAL__ and the subject +__CERT_SUBJECT__ will expire at __CERT_NOTAFTER__. The certificate was issued for __CERT_CN__. Please visit our webpage to request a new certificate or contact your registration authority to renew the certificate. -You can simply reply to this email for further informations. +You can simply reply to this email for further information. @httpd_protocol@://@httpd_host@@httpd_port@ Please remember that the services for which the certificate -is used will propably no longer usable if the certificate -is expired. +is used will probably no longer be usable once the certificate +expires. - Sincerily Yours, + Sincerely Yours, @ca_organization@ Security Staff. diff -Naur mails/en_GB/request_pin_mail.msg mails.fixed/en_GB/request_pin_mail.msg --- mails/en_GB/request_pin_mail.msg 2007-11-07 19:53:40.000000000 +0000 +++ mails.fixed/en_GB/request_pin_mail.msg 2008-12-07 00:32:02.000000000 +0000 @@ -1,9 +1,9 @@ Dear Customer, -your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ was +Your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ has been generated. You can download it now. -Please use the PIN you are entered during the generation of +Please use the PIN you entered during the generation of the request to revoke the certificate. -Sincerly, your adminstration team +Sincerely, your administration team diff -Naur mails/en_GB/secure_pin_mail.msg mails.fixed/en_GB/secure_pin_mail.msg --- mails/en_GB/secure_pin_mail.msg 2007-11-07 19:53:40.000000000 +0000 +++ mails.fixed/en_GB/secure_pin_mail.msg 2008-12-07 00:32:29.000000000 +0000 
@@ -1,10 +1,10 @@ Dear Customer, -your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ was +Your certificate with the serial number @__SERIAL__@ and the DN @__DN__@ has been generated. You can download it now. Please use the following PIN to revoke your certificate: $PIN -Sincerly, your adminstration team +Sincerely, your adminstration team
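Review bot: the closing line added in mails/C/secure_pin_mail.msg and mails/en_GB/secure_pin_mail.msg still reads "Sincerely, your adminstration team". The request_pin_mail.msg hunks correct "adminstration" to "administration", but these two do not; change both to "Sincerely, your administration team" so the spelling pass is complete.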
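Review bot: in the first hunk of certsMail.msg and of confirm_cert_sign.msg (both locales), the removed sentence opened with "You can either follow", and the "or" that pairs with "either" would sit in the unchanged lines between the first and second hunks, which the patch does not show. After the rewrite to "Alternately, you can follow the link below", check that no dangling "or" clause is left there. "Alternatively" is also the word meant here, since "Alternately" means "by turns".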
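Review bot: in the certsMail.msg hunk at -33 (both locales), the rewritten sentence "You can then directly search users' certificates using the" runs straight into the unchanged context line "search facility built in Netscape with just one mouse click", so "built in" (for "built into") and the browser-specific wording survive the cleanup. Since this patch is a wording pass over the same sentence, extend the change to that line as well.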