On Wed, 2009-02-11 at 10:50 -0500, Fu-Jyh Luo wrote:
> > <snip>
> > Is there a chance your aliases are the problem? What if you try a
> > straightforward, non-aliased directory structure just for testing
> > purposes? - John
> I did try that. I still do NOT see the "Initialize the database" GUI. For sure I
> have an aliases issue. However, I am worried that I missed installing something.
> Here are the steps I did for openca 1.0.2.
> Would you mind checking whether I missed anything?
>
> 00) prepare mysql DB
> 01) compile/install openca-tool-1.1.0
> 02) compile openca-base-1.0.2
> 03) make install-offline
> 04) make install-online
> 05) configure config.xml based on my information
> 06) configure_etc.sh generates configuration files
> 07) start httpd
> 08) start openca
> 09) access httpd://pki.mycompany.com/pki/ca
>
> BTW, would you mind sharing your installation steps?
> I did the above steps against 0.9.3 and I am able to see the "Initialize the
> database" GUI. For some reason, 1.0.2 gives me a different result.
>
> In addition, I modified $OPENCA_ROOT/etc/openca/access_control/ca.xml to use
> admin as the user to log in to openca. Does it matter?
<snip>

I'll go ahead and paste in our installation steps but it is very specific to our environment (alas, I'm working under a brutal deadline and do not have the time to turn this into a howto - any volunteers?).

We run the CA and RA on one system (which remains powered off most of the time) and the public node on another but they all share the same database. We also use domain components instead of the default C=,O= of OpenCA, we allow selection of multiple values for O, OU, and DC, and we allow for entry of multiple CNs and IPADDR in the subjAltName.

This is a very long document with a lot of detail. I've expunged much of the information but the values should be taken as samples to be adapted to your environment. Some of the formatting was also lost in the pasting process. My apologies in advance to the list for the length of this post - John
PS - any suggestions for improvement or corrections to our steps would be appreciated. I guessed at a lot!

PPS - please be aware the advanced_csr patch is home grown without any knowledge of perl. We are awaiting word of our submission to the developers to know if it is a good patch.


Create CA/RA

Install OpenCA

Install needed ancillary packages:

  yum install httpd mod_ssl perl-URI perl-XML-Twig perl-XML-SAX perl-Convert-ASN1 perl-Authen-SASL perl-DBD-Pg postgresql postgresql-libs gcc openssl-devel

Create the openca user and group:

  groupadd -g 601 openca
  useradd -g openca -u 601 openca

Setup Apache

Unless there is a very good reason, all web hosts should be removed from this physical server so only the PKI hosts are available. After disabling all web access, we can create the PKI web access as below.

Edit /etc/httpd.conf.httpd.conf by setting ServerName pki01.ssiservices.com:80

Create the /root/.apache.pass file (N.B. the leading ".") with the following contents:

  #!/bin/bash
  # We can use different passphrase for different keys
  # is called with two arguments (the first is of the form
  # `servername:portnumber'', the second is either `RSA'' or `DSA''),
  # which indicate for which server and algorithm it has to print
  # the corresponding Pass Phrase to stdout.
  echo '<passphrase>'

(<passphrase> is the medium security passphrase.) Ensure it is readable only by root (chmod 600 /root/.apache.pass).

Edit /etc/httpd/conf.d/ssl.conf as follows:

In the SSL Global Context, add the line:

  SSLOptions +StdEnvVars +ExportCertData

Find the line with the SSLPassPhraseDialog parameter and change it from builtin to exec:/root/.apache.pass

Create a Virtual Host definition for the CA/RA:

  <VirtualHost 172.xx.x.32:443>
      UseCanonicalName On
      ServerAdmin operat...@mycompany.com
      ServerName pki.mycompany.com:443
      DocumentRoot /usr/local/OpenCA/XXX/www/html
      <Directory "/usr/local/OpenCA/XXX/www/html">
          Options Indexes FollowSymLinks
          AllowOverride None
          Order allow,deny
          Allow from all
      </Directory>
      ScriptAlias /cgi-bin/ /usr/local/OpenCA/XXX/www/cgi-bin/
      <Directory "/usr/local/OpenCA/XXX/www/cgi-bin">
          SSLOptions +StdEnvVars
          AllowOverride None
          Options None
          Order allow,deny
          Allow from all
      </Directory>
      ErrorLog logs/pki.error_log
      CustomLog logs/pki.access_log common
      SSLEngine on
      SSLCertificateFile /etc/pki/tls/certs/localhost.crt
      SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
  </VirtualHost>

We will change the key and cert once we have issued a new key and cert for the web server. httpd will not yet start (or restart) successfully since we have not created the referenced directories.
Setup OpenCA

Create a /download/OpenCA directory:

  mkdir -p /download/OpenCA

Download the openca-base-1.0.2.tar.gz and openca-tools-1.1.0.tar.gz tarballs from http://www.openca.org or from some other source into /download/

  cd /download/OpenCA
  wget http://superb-east.dl.sourceforge.net/sourceforge/openca/openca-tools-1.1.0.tar.gz
  wget http://superb-east.dl.sourceforge.net/sourceforge/openca/openca-base-1.0.2.tar.gz

Become the openca user (su - openca)

Untar the tarballs as the openca user:

  tar zvxf openca-t*.tar.gz
  tar zvxf openca-b*.tar.gz
  cd /download/OpenCA/openca-tools*
  ./configure && make clean && make
  su -c "make install"
  cd /download/OpenCA/openca-base*

We need to patch the source code for some bugs in version 1.0.2.

  cd src/common/lib/cmds

Backup the original versions:

  mv approveCSR{,.orig}
  mv viewCRR{,.orig}
  mv viewCert{,.orig}
  mv send_email_cert{,.orig}

Move these backups to the base directory since they MUST not be installed in the cmds directory even as renamed files:

  mv *.orig ../../../../

Download the new versions using wget from the following locations:

  wget http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_6295020/viewCert
  wget http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_6295020/send_email_cert
  wget http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_7221014/approveCSR
  wget http://ftp.openca.org/openca/openca-base/fixes/v1.0.2/Error_7221014/viewCRR

We need to patch advanced_csr to allow multiple instances of the same field:

  cp advanced_csr ../../../../

Copy in the openca_advanced_csr_multiField-1.0.2.patch patch:

  patch -p0 < openca_advanced_csr_multiField-1.0.2.patch
  rm openca_advanced_csr_multiField-1.0.2.patch

Next we need to fix some spelling and grammar in the emails by patching the mails directory. Copy the opencamail-1.0.2.patch to /download/openca-base-1.0.2/src/common/lib/mails

  cd ../mails    (i.e., src/common/lib/mails)
  patch -p1 < opencamail-1.0.2.patch

Now we need to patch DBI.pm. Copy opencaDBI.pm-1.0.2.patch to /download/openca-base-1.0.2/src/modules/openca-dbi/

  cd ../../../modules/openca-dbi
  cp DBI.pm ../../../

Apply the opencaDBI.pm-1.0.2.patch patch:

  patch -p0 < opencaDBI.pm-1.0.2.patch
  cd /download/OpenCA/openca-base*/src/common/etc

We need to add two lines to the openca script (joe openca.in). At the end of the start case statement, on a new line above the ;; add (without quotes) "touch /var/lock/subsys/openca" and at the end of the stop case statement, on a new line above the ;; add (without quotes) "rm -f /var/lock/subsys/openca". Without the first, the openca script will fail on shutdown. The second is necessary to keep killall from trying to shutdown openca after it has already been shut down.

Now we need to configure, make, and install OpenCA:

  cd /download/OpenCA/openca-base*
  ./configure --with-openca-user=openca --with-openca-group=openca \
    --with-web-host=ssipki.ssiservices.biz \
    --with-httpd-user=apache --with-httpd-group=apache \
    --with-httpd-fs-prefix=/usr/local/OpenCA/XXX/www \
    --with-service-mail-account=operat...@mycompany.com \
    --with-openca-prefix=/usr/local/OpenCA/XXX \
    --with-module-prefix=/usr/local/OpenCA/perlmods \
    --with-db-user=yyyyy --with-db-name=pki --with-db-passwd=<password> \
    --with-db-host=pgsql.mycompany.com --with-db-type=Pg --with-db-port=5432 \
    --with-ca-organization=XXX --with-ca-country=US && make

Clear bash history to remove the password entered above (history -c) and exit to become root again.

To install do:

  make install-offline && make install-ra

The OpenCA installation routine for the CA/RA does not properly make the symbolic links for downloading the latest CRL and CA cert so we will do this manually.
  cd /usr/local/OpenCA/SSI/www/html/pki/ra
  mkdir crl
  mkdir cacert
  cd crl
  ln -s ../../../../../var/openca/crypto/crls/cacrl.crl cacrl.crl
  ln -s ../../../../../var/openca/crypto/crls/cacrl.der cacrl.der
  ln -s ../../../../../var/openca/crypto/crls/cacrl.pem cacrl.pem
  ln -s ../../../../../var/openca/crypto/crls/cacrl.txt cacrl.txt
  cd ../cacert
  ln -s ../../../../../var/openca/crypto/cacerts/cacert.cer cacert.cer
  ln -s ../../../../../var/openca/crypto/cacerts/cacert.crt cacert.crt
  ln -s ../../../../../var/openca/crypto/cacerts/cacert.der cacert.der
  ln -s ../../../../../var/openca/crypto/cacerts/cacert.pem cacert.pem
  ln -s ../../../../../var/openca/crypto/cacerts/cacert.txt cacert.txt
  cd ..
  chown -R openca:openca c{acert,rl}
  cd ../ca
  mkdir crl
  mkdir cacert
  cd crl
  ln -s ../../../../../var/openca/crypto/crls/cacrl.crl cacrl.crl
  ln -s ../../../../../var/openca/crypto/crls/cacrl.der cacrl.der
  ln -s ../../../../../var/openca/crypto/crls/cacrl.pem cacrl.pem
  ln -s ../../../../../var/openca/crypto/crls/cacrl.txt cacrl.txt
  cd ../cacert
  ln -s ../../../../../var/openca/crypto/cacerts/cacert.cer cacert.cer
  ln -s ../../../../../var/openca/crypto/cacerts/cacert.crt cacert.crt
  ln -s ../../../../../var/openca/crypto/cacerts/cacert.der cacert.der
  ln -s ../../../../../var/openca/crypto/cacerts/cacert.pem cacert.pem
  ln -s ../../../../../var/openca/crypto/cacerts/cacert.txt cacert.txt
  cd ..
  chown -R openca:openca c{acert,rl}

Now we must edit several configuration files and templates.

  cd /usr/local/OpenCA/XXX/etc/openca/access_control

There are four .xml.template files named batch, ca, ra, and node. Ultimately, we will use LDAP for authentication but we need the PKI in place before we build the LDAP server. Thus we will temporarily use passwords. Edit each the same way as below:

Find the sha1 digest for the medium security password with the following command:

  openca-digest sha1 <thepassword>

Copy the digest and then clear the history file (history -c) so the password is not available.
Edit each of the templates by going to the user section under the internal database section and changing the sha1 digest from @default_web_password@ to the digest from above.

  cd ../openssl

Edit openssl.cnf.template by setting default_crl_days = 90 and default_md = sha1.

  cd openssl    (sic.)

Edit all the server and Operator (e.g., CA_Operator.conf.template) conf.template files by setting default_days = 760 and default_md = sha1. Edit the user files by setting default_days = 395 and default_md = sha1.

  cd ../../servers    (etc/openca/servers)

Edit ca.conf.template:
  Set the RegistrationAuthority parameter to "@ca_organization@"
  Change DN_TYPE_BASIC_BASE from "O" "C" to "DC" "DC"
  Change DN_TYPE_BASIC_ELEMENTS from "emailAddress" "CN" "OU" to "emailAddress" "CN" "OU" "OU" "O" "O"
  Set the DN_TYPE_BASIC_ELEMENT_1_REQUIRED parameter to "NO" (include quotation marks)
  Set the DN_TYPE_BASIC_ELEMENT_3 parameter to "Organizational Unit 1" (this is the label used on the web page for the first OU)
  Set the DN_TYPE_BASIC_ELEMENT_3_MINIMUM_LENGTH parameter to 2
  Set the DN_TYPE_BASIC_ELEMENT_3_SELECT parameter to "xxxUsers" "Eng" "HD" "Ops" "XXXServers" "DNS" "YYYServers" "ZZZServers" "VVVServers" "Gateways" "WebServers"
  Add the following elements after the DN_TYPE_BASIC_ELEMENT_3 section:

    DN_TYPE_BASIC_ELEMENT_4 "Organizational Unit 2"
    DN_TYPE_BASIC_ELEMENT_4_SELECT "xxxUsers" "Eng" "HD" "Ops" "XXXServers" "DNS" "YYYServers" "ZZZServers" "VVVServers" "Gateways" "WebServers"
    DN_TYPE_BASIC_ELEMENT_4_MINIMUM_LENGTH 2
    DN_TYPE_BASIC_ELEMENT_4_REQUIRED "NO"
    DN_TYPE_BASIC_ELEMENT_4_CHARACTERSET "LATIN1_LETTERS"
    DN_TYPE_BASIC_ELEMENT_5 "Organization 1"
    DN_TYPE_BASIC_ELEMENT_5_SELECT "aaaaaa"
    DN_TYPE_BASIC_ELEMENT_5_MINIMUM_LENGTH 2
    DN_TYPE_BASIC_ELEMENT_5_REQUIRED "NO"
    DN_TYPE_BASIC_ELEMENT_5_CHARACTERSET "LATIN1_LETTERS"
    DN_TYPE_BASIC_ELEMENT_6 "Organization 2"
    DN_TYPE_BASIC_ELEMENT_6_SELECT "Int" "HJK" "Sys"
    DN_TYPE_BASIC_ELEMENT_6_MINIMUM_LENGTH 2
    DN_TYPE_BASIC_ELEMENT_6_REQUIRED "NO"
    DN_TYPE_BASIC_ELEMENT_6_CHARACTERSET "LATIN1_LETTERS"

  Save the changes

Edit ra.conf.template:
  Set the RegistrationAuthority parameter to "@ca_organization@"
  Change DN_TYPE_SPKAC_BASE from "O" "C" to "DC" "DC"
  Change DN_TYPE_SPKAC_ELEMENTS from "emailAddress" "CN" "OU" to "emailAddress" "CN" "OU" "OU" "O" "O"
  Set the DN_TYPE_SPKAC_ELEMENT_1_REQUIRED parameter to "NO" (include quotation marks)
  Set the DN_TYPE_SPKAC_ELEMENT_3 parameter to "Organizational Unit 1" (this is the label used on the web page for the first OU)
  Set the DN_TYPE_SPKAC_ELEMENT_3_MINIMUM_LENGTH parameter to 2
  Set the DN_TYPE_SPKAC_ELEMENT_3_SELECT parameter to "xxxUsers" "Eng" "HD" "Ops" "XXXServers" "DNS" "YYYServers" "ZZZServers" "VVVServers" "Gateways" "WebServers"
  Add the following elements after the DN_TYPE_BASIC_ELEMENT_3 section:

    DN_TYPE_SPKAC_ELEMENT_4 "Organizational Unit 2"
    DN_TYPE_SPKAC_ELEMENT_4_SELECT "xxxUsers" "Eng" "HD" "Ops" "XXXServers" "DNS" "YYYServers" "ZZZServers" "VVVServers" "Gateways" "WebServers"
    DN_TYPE_SPKAC_ELEMENT_4_MINIMUM_LENGTH 2
    DN_TYPE_SPKAC_ELEMENT_4_REQUIRED "NO"
    DN_TYPE_SPKAC_ELEMENT_4_CHARACTERSET "LATIN1_LETTERS"
    DN_TYPE_SPKAC_ELEMENT_5 "Organization 1"
    DN_TYPE_SPKAC_ELEMENT_5_SELECT "aaaaa"
    DN_TYPE_SPKAC_ELEMENT_5_MINIMUM_LENGTH 2
    DN_TYPE_SPKAC_ELEMENT_5_REQUIRED "NO"
    DN_TYPE_SPKAC_ELEMENT_5_CHARACTERSET "LATIN1_LETTERS"
    DN_TYPE_SPKAC_ELEMENT_6 "Organization 2"
    DN_TYPE_SPKAC_ELEMENT_6_SELECT "Int" "JK" "Sys"
    DN_TYPE_SPKAC_ELEMENT_6_MINIMUM_LENGTH 2
    DN_TYPE_SPKAC_ELEMENT_6_REQUIRED "NO"
    DN_TYPE_SPKAC_ELEMENT_6_CHARACTERSET "LATIN1_LETTERS"

  Change DN_TYPE_IE_BASE from "O" "C" to "DC" "DC"
  Change DN_TYPE_IE_ELEMENTS from "emailAddress" "CN" "OU" to "emailAddress" "CN" "OU" "OU" "O" "O"
  Set the DN_TYPE_IE_ELEMENT_1_REQUIRED parameter to "NO" (include quotation marks)
  Set the DN_TYPE_IE_ELEMENT_3 parameter to "Organizational Unit 1" (this is the label used on the web page for the first OU)
  Set the DN_TYPE_IE_ELEMENT_3_MINIMUM_LENGTH parameter to 2
  Set the DN_TYPE_IE_ELEMENT_3_SELECT parameter to "xxxUsers" "Eng" "HD" "Ops" "XXXServers" "DNS" "YYYServers" "ZZZServers" "VVVServers" "Gateways" "WebServers"
  Add the following elements after the DN_TYPE_IE_ELEMENT_3 section:

    DN_TYPE_IE_ELEMENT_4 "Organizational Unit 2"
    DN_TYPE_IE_ELEMENT_4_SELECT "xxxUsers" "Eng" "HD" "Ops" "XXXServers" "DNS" "YYYServers" "ZZZServers" "VVVServers" "Gateways" "WebServers"
    DN_TYPE_IE_ELEMENT_4_MINIMUM_LENGTH 2
    DN_TYPE_IE_ELEMENT_4_REQUIRED "NO"
    DN_TYPE_IE_ELEMENT_4_CHARACTERSET "LATIN1_LETTERS"
    DN_TYPE_IE_ELEMENT_5 "Organization 1"
    DN_TYPE_IE_ELEMENT_5_SELECT "aaaaa"
    DN_TYPE_IE_ELEMENT_5_MINIMUM_LENGTH 2
    DN_TYPE_IE_ELEMENT_5_REQUIRED "NO"
    DN_TYPE_IE_ELEMENT_5_CHARACTERSET "LATIN1_LETTERS"
    DN_TYPE_IE_ELEMENT_6 "Organization 2"
    DN_TYPE_IE_ELEMENT_6_SELECT "Int" "HJK" "Sys"
    DN_TYPE_IE_ELEMENT_6_MINIMUM_LENGTH 2
    DN_TYPE_IE_ELEMENT_6_REQUIRED "NO"
    DN_TYPE_IE_ELEMENT_6_CHARACTERSET "LATIN1_LETTERS"

  Set warnuser to no
  Change the WARN_EXPIRING_DAYS parameter from 31 to 62
  Set SERVICE_MAIL_ACCOUNT to operat...@mycompany.com
  Save the changes

Edit node.conf.template:
  Set warnuser to no

  cd ../rbac    (etc/openca/rbac)

Edit roles.xml by commenting out the VPN User line as there is no definition for a VPN User in 1.0.2 (xml comments are between <!-- and -->)

  cd ..    (etc/openca)

Edit auth_browser_req.xml.template:
  In the User Data section, ADDITIONAL_ATTRIBUTE_COUNTRY input, change minlen from 3 to 2.

Edit browser_req.xml.template:
  In the User Data section, ADDITIONAL_ATTRIBUTE_COUNTRY input, change minlen from 3 to 2.
  In the User Data section, Basic Information Section:
    Set the required tag of the First Name and Last Name fields to "NO"
    Set the User ID fields to have required as "YES" and minlength as "1"
  In the Certificate Data Section under basedn, comment out all the rdn elements (xml comments are between <!-- and -->)
  In the dn section under the cn input, change the value from $ADDITIONAL_ATTRIBUTE_FIRSTNAME $ADDITIONAL_ATTRIBUTE_LASTNAME to $ADDITIONAL_ATTRIBUTE_UID and change the minlength to "2".
  Under the ou input, use the following values instead of the defaults:

    <value>XXXUsers</value>
    <value>Eng</value>
    <value>HD</value>
    <value>Ops</value>
    <value>XXXServers</value>
    <value>DNS</value>
    <value>YYYServers</value>
    <value>ZZZServers</value>
    <value>VVVServers</value>
    <value>Gateways</value>
    <value>WebServers</value>

  and change the minlength to 2, the name to ou_1, the label to Certificate Group 1 and add <valueType>OU</valueType> at the end.

  Add the following elements after the ou element and within the dn tags:

    <input>
      <name>ou_2</name>
      <label>Certificate Group 2</label>
      <type>select</type>
      <charset>UTF8_MIXED</charset>
      <value></value>
      <value>XXXUsers</value>
      <value>Eng</value>
      <value>HD</value>
      <value>Ops</value>
      <value>XXXServers</value>
      <value>DNS</value>
      <value>YYYServers</value>
      <value>ZZZServers</value>
      <value>VVVServers</value>
      <value>Gateways</value>
      <value>WebServers</value>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>OU</valueType>
    </input>
    <input>
      <name>o_1</name>
      <label>Organization 1</label>
      <type>select</type>
      <charset>UTF8_MIXED</charset>
      <value></value>
      <value>@ca_organization@</value>
      <value>aaaa</value>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>O</valueType>
    </input>
    <input>
      <name>o_2</name>
      <label>Organization 2</label>
      <type>select</type>
      <charset>UTF8_MIXED</charset>
      <value></value>
      <value>Int</value>
      <value>HKL</value>
      <value>Sys</value>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>O</valueType>
    </input>
    <input>
      <name>C</name>
      <label>Country</label>
      <type>select</type>
      <charset>UTF8_MIXED</charset>
      <value></value>
      <value>@ca_country@</value>
      <value>GB</value>
      <minlen>0</minlen>
      <required>NO</required>
    </input>
    <input>
      <name>dc_1</name>
      <label>Domain Component</label>
      <type>select</type>
      <charset>UTF8_MIXED</charset>
      <value>mycompany</value>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>DC</valueType>
    </input>
    <input>
      <name>dc_2</name>
      <label>Domain Component</label>
      <type>select</type>
      <charset>UTF8_MIXED</charset>
      <value>com</value>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>DC</valueType>
    </input>

  In the subjectAltNames section under Advanced Features immediately after the OTHER_NAME_1 stanza, add the following stanzas:

    <input>
      <name>DNS_1</name>
      <label>Name 1</label>
      <type>textfield</type>
      <charset>UTF8_MIXED</charset>
      <value>$ADDITIONAL_ATTRIBUTE_UID</value>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>DNS</valueType>
    </input>
    <input>
      <name>DNS_2</name>
      <label>Name 2</label>
      <type>textfield</type>
      <charset>UTF8_MIXED</charset>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>DNS</valueType>
    </input>
    <input>
      <name>DNS_3</name>
      <label>Name 3</label>
      <type>textfield</type>
      <charset>UTF8_MIXED</charset>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>DNS</valueType>
    </input>
    <input>
      <name>IP</name>
      <label>IP Address</label>
      <type>textfield</type>
      <charset>IPV4_ADDRESS</charset>
      <minlen>7</minlen>
      <required>NO</required>
      <valueType>IP</valueType>
    </input>

  Go to the key generation mode section and reverse the order of the value tags, i.e., server should come before browser.
  In the Key Generation Details section under Request Verification Pin, change the minlen under both passwd1 and passwd2 to "9" (Remember to change the label to also reflect a 9 character minimum).
  Go to the Agreement Section at the end of the file and set enabled to "NO".
Edit config.xml as follows (it is important we modify config.xml last; configure_etc.sh compares the time stamps and will not update files if the templates are newer than config.xml):
  Remove the value for default_web_password by removing the text between the value tags (but not the value tags themselves).
  Set the value of the ca_organization to XXX
  Set the value of the ca_country to US
  Set the value of the service_mail_account to operat...@mycompany.com
  Go to the web server configuration section
    Set the CRLDistributionPoints to URI.1=https://pkipub.mycompany.com/pki/pub/crl/cacrl.crl
    Set NS_CRLDistributionPoint to https://pkipub.mycompany.com/pki/pub/crl/cacrl.crl
  Go to the database configuration section
    Set the value of db_type to "Pg"
    Set the value of db_port to "5432"
    Set the value of the db_namespace to "" (empty)
  Go to the module configuration section
    Change the modules_shift value from 8 to 13
  Go to the dataexchange configuration section of the file (near the end); comment out option 0 (<!-- -->) and uncomment section 6 (CA and RA).
  Go to the very end of the file and change dataexchange_device_up and dataexchange_device_down values to /usr/local/OpenCA/XXX/var/openca/tmp/pkitrans
  Change dataexchange_device_local value to /usr/local/OpenCA/XXX/var/openca/tmp/pki.local.tar
  Save changes

Become root (su) and run etc/openca/configure_etc.sh as root.

Restart the web server (service httpd restart)
Set httpd to start on boot (chkconfig httpd on)
Start OpenCA (/usr/local/OpenCA/XXX/etc/openca/openca_start)

Connect via web browser to https://pkipub.mycompany.com/pki/ca

Go to PKI Init & Config / Initialization / DB, Key and Cert Init
  Initialize the database
  Return to the DB, Key and Cert Init page
  Generate a new CA key
    take default values for key
    use the high security password - this will be used to sign all subsequent requests
  Return to the DB, Key and Cert Init page
  Generate a new cert request from the CA key
    Common Name = ssica
    Organization Unit = PKI
    Organization = XXX
    Domain Component = mycompany
    Domain Component = com
  Return to the DB, Key and Cert Init page
  Create a self-signed CA certificate
    Set the validity period to 7300 days
  Return to the DB, Key and Cert Init page
  Rebuild the CA chain

Go to PKI Init & Config / Initialization / CA Administrator
  Create a new request
    User Identifier = operator
    E-mail Address = opera...@mycompany.com
    Click Continue
    Certificate Group = Eng
    Certificate Template = RA Operator
    Key Generation Mode = Server
    Click Continue
    Key Strength = Base
    Enter an appropriate passphrase
    Click continue
    Click Generate Request
  Return to PKI Init & Config / Initialization / CA Administrator
  Issue the certificate
    After editing the request, click Issue Certificate
  Return to PKI Init & Config / Initialization / CA Administrator
  Handle the certificate
    Click on more info
    Select PKCS#12 from the Certificate and Keypair drop down widget
    Download to the home directory

Import the PKCS#12 package into the browser, e.g., in Firefox, choose Edit / Preferences, choose Advanced, choose View Certificates, select the Your Certificates tab, choose Import, enter the key passphrase. Next, find the CA cert under Authorities, choose edit, and enable all faculties. Click on OK.


Create Public Interface

Install OpenCA

The postgresql database runs on a separate database server.

Install needed ancillary packages:

  yum install httpd mod_ssl perl-URI perl-XML-Twig perl-XML-SAX perl-Convert-ASN1 perl-Authen-SASL perl-DBD-Pg postgresql postgresql-libs gcc openssl-devel tar gzip bzip2 automake make

Create the openca user and group:

  groupadd -g 601 openca
  useradd -g openca -u 601 openca

To save having to redo all the source code patching, we can clean the source code on the CA and then copy it to the public node.

On the CA:

  cd /download/OpenCA/openca-b*
  su openca
  make clean

Then scp the openca-base directory to the pub server. Also copy over the openca-tools tarball.

Return to the pub server:

  mkdir -p /download/OpenCA
  scp r...@172.x.y.32:/download/OpenCA/openca-tools-1.1.0.tar.gz /download/OpenCA/
  scp -r r...@172.x.y.32:/download/OpenCA/openca-base-1.0.2 /download/OpenCA/

On the pub server, untar the tarball as the openca user:

  chown -R openca /download/OpenCA
  cd /download/OpenCA
  su openca
  tar zvxf openca-t*.tar.gz
  cd /download/OpenCA/openca-tools*
  ./configure && make clean && make
  su -c "make install"
  cd /download/OpenCA/openca-base*
  ./configure --with-openca-user=openca --with-openca-group=openca \
    --with-web-host=pkipub.mycompany.com \
    --with-httpd-user=apache --with-httpd-group=apache \
    --with-httpd-fs-prefix=/usr/local/OpenCA/XXX/www \
    --with-service-mail-account=operat...@mycompany.com \
    --with-openca-prefix=/usr/local/OpenCA/XXX \
    --with-module-prefix=/usr/local/OpenCA/perlmods \
    --with-db-user=yyy --with-db-name=pki --with-db-passwd=<password> \
    --with-db-host=pgsql.mycompany.com --with-db-type=Pg --with-db-port=5432 \
    --with-ca-organization=XXX --with-ca-country=US && make

Clear bash history to remove the password entered above (history -c) and exit to become root again.

To install, exit to root and install with:

  make install-pub && make install-node

Now we need to edit several configuration and template files.

  cd /opt/OpenCA/etc/openca/openssl

Edit openssl.cnf.template by setting default_crl_days = 90 and default_md = sha1.

  cd openssl    (sic.)

Edit all the server and Operator (e.g., CA_Operator.conf.template) conf.template files by setting default_days = 760 and default_md = sha1. Edit the user files by setting default_days = 395 and default_md = sha1.

  cd ../../rbac    (etc/openca/rbac)

Edit roles.xml by commenting out the VPN User line as there is no definition for a VPN User in 1.0.2 (xml comments are between <!-- and -->)

  cd ../servers    (etc/openca/servers)

Edit pub.conf.template:
  Reverse "Weak" and "Base" in SupportedKeyStrengths so that "Base" is first. This makes it appear first in the drop down select box and eliminates the need to change it. Actually, we could do this but it does not make much of a difference for us day-to-day as this section affects Server PKCS#10 requests.
  Set the RegistrationAuthority parameter to "@ca_organization@"
  Set MinPinLength to 9

  cd ..    (etc/openca)

Edit auth_browser_req.xml.template:
  In the User Data section, ADDITIONAL_ATTRIBUTE_COUNTRY input, change minlen from 3 to 2.

Edit browser_req.xml.template:
  In the User Data section, ADDITIONAL_ATTRIBUTE_COUNTRY input, change minlen from 3 to 2.
  In the User Data section, Basic Information Section:
    Set the required tag of the First Name and Last Name fields to "NO"
    Set the User ID fields to have required as "YES" and minlength as "1"
  In the Certificate Data Section under basedn, comment out all the rdn elements (xml comments are between <!-- and -->)
  In the dn section under the cn input, change the value from $ADDITIONAL_ATTRIBUTE_FIRSTNAME $ADDITIONAL_ATTRIBUTE_LASTNAME to $ADDITIONAL_ATTRIBUTE_UID and change the minlength to "2".
  Under the ou input, use the following values instead of the defaults:

    <value>XXXUsers</value>
    <value>Eng</value>
    <value>HD</value>
    <value>Ops</value>
    <value>XXXServers</value>
    <value>DNS</value>
    <value>YYYServers</value>
    <value>ZZZServers</value>
    <value>VVVServers</value>
    <value>Gateways</value>
    <value>WebServers</value>

  and change the minlength to 2, the name to ou_1, the label to Certificate Group 1 and add <valueType>OU</valueType> at the end.

  Add the following elements after the ou element and within the dn tags:

    <input>
      <name>ou_2</name>
      <label>Certificate Group 2</label>
      <type>select</type>
      <charset>UTF8_MIXED</charset>
      <value></value>
      <value>XXXUsers</value>
      <value>Eng</value>
      <value>HD</value>
      <value>Ops</value>
      <value>XXXServers</value>
      <value>DNS</value>
      <value>YYYServers</value>
      <value>ZZZServers</value>
      <value>VVVServers</value>
      <value>Gateways</value>
      <value>WebServers</value>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>OU</valueType>
    </input>
    <input>
      <name>o_1</name>
      <label>Organization 1</label>
      <type>select</type>
      <charset>UTF8_MIXED</charset>
      <value></value>
      <value>@ca_organization@</value>
      <value>aaaaaaaa</value>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>O</valueType>
    </input>
    <input>
      <name>o_2</name>
      <label>Organization 2</label>
      <type>select</type>
      <charset>UTF8_MIXED</charset>
      <value></value>
      <value>Int</value>
      <value>HJJ</value>
      <value>Sys</value>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>O</valueType>
    </input>
    <input>
      <name>C</name>
      <label>Country</label>
      <type>select</type>
      <charset>UTF8_MIXED</charset>
      <value></value>
      <value>@ca_country@</value>
      <value>GB</value>
      <minlen>0</minlen>
      <required>NO</required>
    </input>
    <input>
      <name>dc_1</name>
      <label>Domain Component</label>
      <type>select</type>
      <charset>UTF8_MIXED</charset>
      <value>mycompany</value>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>DC</valueType>
    </input>
    <input>
      <name>dc_2</name>
      <label>Domain Component</label>
      <type>select</type>
      <charset>UTF8_MIXED</charset>
      <value>com</value>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>DC</valueType>
    </input>

  In the subjectAltNames section under Advanced Features immediately after the OTHER_NAME_1 stanza, add the following stanzas:

    <input>
      <name>DNS_1</name>
      <label>Name 1</label>
      <type>textfield</type>
      <charset>UTF8_MIXED</charset>
      <value>$ADDITIONAL_ATTRIBUTE_UID</value>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>DNS</valueType>
    </input>
    <input>
      <name>DNS_2</name>
      <label>Name 2</label>
      <type>textfield</type>
      <charset>UTF8_MIXED</charset>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>DNS</valueType>
    </input>
    <input>
      <name>DNS_3</name>
      <label>Name 3</label>
      <type>textfield</type>
      <charset>UTF8_MIXED</charset>
      <minlen>0</minlen>
      <required>NO</required>
      <valueType>DNS</valueType>
    </input>
    <input>
      <name>IP</name>
      <label>IP Address</label>
      <type>textfield</type>
      <charset>IPV4_ADDRESS</charset>
      <minlen>7</minlen>
      <required>NO</required>
      <valueType>IP</valueType>
    </input>

  Go to the key generation mode section and reverse the order of the value tags, i.e., server should come before browser.
  In the Key Generation Details section under Request Verification Pin, change the minlen under both passwd1 and passwd2 to "9" (Remember to change the label to also reflect a 9 character minimum).
  Go to the Agreement Section at the end of the file and set enabled to "NO".

Edit config.xml as follows (it is important we modify config.xml last; configure_etc.sh compares the time stamps and will not update files if the templates are newer than config.xml):
  Remove the value for default_web_password by removing the text between the value tags (but not the value tags themselves).
  Set the value of the ca_organization to XXX
  Set the value of the ca_country to US
  Set the value of the service_mail_account to operat...@mycompany.com
  Go to the web server configuration section
    Set the CRLDistributionPoints to URI.1=https://pkipub.mycompany.com/pki/pub/crl/cacrl.crl
    Set NS_CRLDistributionPoint to https://pkipub.mycompany.com/pki/pub/crl/cacrl.crl
  Go to the database configuration section
    Set the value of db_type to "Pg"
    Set the value of db_port to "5432"
    Set the value of the db_namespace to "" (empty)
  Go to the module configuration section
    Change the modules_shift value from 8 to 13
  Go to the dataexchange configuration section of the file (near the end); comment out option 0 (<!-- -->) and uncomment section 3 (public/scep only).
  Go to the very end of the file and change dataexchange_device_up and dataexchange_device_down values to /usr/local/OpenCA/XXX/var/openca/tmp/pkitrans
  Change dataexchange_device_local value to /usr/local/OpenCA/XXX/var/openca/tmp/pki.local.tar
  Save changes

Become root (su) and run etc/openca/configure_etc.sh as root.

Configure Apache

Edit /etc/httpd.conf.httpd.conf by setting ServerName pki01.mycompany.com:80

Create the /root/.apache.pass file (N.B. the leading ".") with the following contents:

  #!/bin/bash
  # We can use different passphrase for different keys
  # is called with two arguments (the first is of the form
  # `servername:portnumber'', the second is either `RSA'' or `DSA''),
  # which indicate for which server and algorithm it has to print
  # the corresponding Pass Phrase to stdout.
  echo '<passphrase>'

Ensure it is readable only by root (chmod 600 /root/.apache.pass)

Edit /etc/httpd/conf.d/ssl.conf as follows:

In the SSL Global Context, add the line:

  SSLOptions +StdEnvVars +ExportCertData

Find the line with the SSLPassPhraseDialog parameter and change it from builtin to exec:/root/.apache.pass

Create a Virtual Host definition for the public node:

  <VirtualHost 172.x.y.33:443>
      UseCanonicalName On
      ServerAdmin operat...@mycompany.com
      ServerName pkipub.mycompany.com:443
      DocumentRoot /usr/local/OpenCA/XXX/www/html
      <Directory "/usr/local/OpenCA/XXX/www/html">
          Options Indexes FollowSymLinks
          AllowOverride None
          Order allow,deny
          Allow from all
      </Directory>
      ScriptAlias /cgi-bin/ /usr/local/OpenCA/XXX/www/cgi-bin/
      <Directory "/usr/local/OpenCA/XXX/www/cgi-bin">
          SSLOptions +StdEnvVars
          AllowOverride None
          Options None
          Order allow,deny
          Allow from all
      </Directory>
      ErrorLog logs/pki.error_log
      CustomLog logs/pki.access_log common
      SSLEngine on
      SSLCertificateFile /etc/pki/tls/certs/localhost.crt
      SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
  </VirtualHost>

The presence of the node interface is required but we do not need to use it. We want to make it inaccessible. This would prevent anyone from going to the node interface and doing something like backing up the database to their local hard drive.

  chown root:root /usr/local/OpenCA/XXX/www/html/pki/node
  chmod 750 /usr/local/OpenCA/XXX/www/html/pki/node

Restart the web server (service httpd restart)

Setup communications between CA/RA and Pub

Since we are using a shared database, we are not using the normal node dataexchange. This means we must find another way of synchronizing the file system between the CA/RA and Pub nodes as there are some files in the var/openca/crypt directory which are related. Since the pub interface is always up and the CA/RA should only be on when needed, we will make the data transfer part of the start up and shut down routines for the CA/RA via key based ssh and scp.
This produces some important dependencies:

1. All CA/RA systems and Pub nodes must be in pairs. That is, if CA/RA #1 and CA/RA #2 are on Computer#5, both Pub#1 and Pub#2 must be on the same computer because the script hard codes the remote host name.

2. The directory structures must be consistent for all PKIs on the same server and between the pairs, i.e., if the CA/RA #1 on Computer#5 is in /opt/OpenCA/CA1, then CA/RA #2 must be in /opt/OpenCA/CA1 on Computer#5, Pub1 must be in /opt/OpenCA/Pub1 on its host and Pub2 must be in /opt/OpenCA/Pub2 on the same computer as Pub1. We could not, for example, put Pub2 in /usr/local/OpenCA/Pub2 in this case.

Thus we need to generate a key for the CA root user. Connect to the CA/RA and do the following:

    ssh-keygen -t rsa (take the default location and do not enter a passphrase)

Create a bash script named pkitransfer in the CA /etc/init.d directory to copy the needed files to pub. Here is the script:

    #!/bin/bash
    # chkconfig: 2345 99 01
    # description: Transfers latest cacert and crl to pub node
    if [ -z "${1}" ];then
        echo "Usage: $(basename ${0}) stop | start"
        exit 1
    fi
    IFSORIG=${IFS}
    BASEDIR=/usr/local/OpenCA/
    CDIR="var/openca/crypto/"
    PUBNODE="web01.mycompany.com"
    cd ${BASEDIR}
    IFS=$'\n'
    for SUBDIR in $(ls -1 ${BASEDIR}) # that is a one and not an ell – we need to account for directories with spaces in their names
    do
        IFS=${IFSORIG}
        if [ -d "${SUBDIR}/etc/openca" ];then #Cull files and non-PKI directories
            # remote paths are expanded by the remote shell too, so they are single-quoted as well
            scp "${BASEDIR}${SUBDIR}/${CDIR}"cacerts/ca*.{pem,der,txt} ${PUBNODE}:"'${BASEDIR}${SUBDIR}/${CDIR}cacerts/'"
            scp "${BASEDIR}${SUBDIR}/${CDIR}"crls/cacrl.* ${PUBNODE}:"'${BASEDIR}${SUBDIR}/${CDIR}crls/'"
            ssh ${PUBNODE} "cd '${BASEDIR}${SUBDIR}/${CDIR}';chown -R apache:apache cacerts;chown -R apache:apache crls"
        fi
    done
    IFS=${IFSORIG} # just in case there are no iterations over the for loop
    if [ "${1}" = "stop" ];then
        rm -f /var/lock/subsys/pkitransfer # killall will rerun the script if the lock file is not removed
    else
        touch /var/lock/subsys/pkitransfer # the script will not run on shutdown if there is no lock
    fi

Make the script executable and make it run on startup and shutdown

    chmod 750 /etc/init.d/pkitransfer
    chkconfig --add pkitransfer
    chkconfig pkitransfer on

Set up connectivity:

    cd /root/.ssh
    scp id_rsa.pub web01.mycompany.com:.ssh/authorized_keys
    ssh web01.mycompany.com (accept key)
    exit (from web01)

Create init scripts and initialize Pub node

Since we are anticipating multiple PKIs on these systems, we will not autostart the openca service since there is a separate one for each PKI. We will add each to /etc/init.d and chkconfig but not set them to on.

SSH to the CA/RA, copy the openca init script to /etc/init.d/openca-xxx, add it to the run levels as off, and then reboot the CA/RA to transfer files to the Pub node.

    ssh r...@172.x.y.32
    cp /usr/local/OpenCA/XXX/etc/init/openca /etc/init.d/openca-xxx
    chkconfig --add openca-xxx
    reboot

SSH to the Pub node, verify the CA/RA transferred the CA certs, copy the openca init script to /etc/init.d/openca-xxx, add it to the run levels as off, restart the web server.

    ssh r...@172.x.y.96
    ls -l /usr/local/OpenCA/XXX/var/openca/crypto/cacerts (there should be no broken links)
    cp /usr/local/OpenCA/XXX/etc/init.d/openca /etc/init.d/openca-xxx
    chkconfig --add openca-xxx
    service httpd restart

Hope this helps someone! - John
--
John A. Sullivan III
Open Source Development Corporation
+1 207-985-7880
jsulli...@opensourcedevel.com
http://www.spiritualoutreach.com
Making Christianity intelligible to secular society
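John's /root/.apache.pass echoes a single pass phrase for every key, although its own comment notes that Apache calls the helper with "servername:port" and "RSA" or "DSA" so that different keys can get different pass phrases. The following is an added example, not code from John's post or from the OpenCA project, of an SSLPassPhraseDialog exec helper that looks the pass phrase up per server and algorithm and refuses secret files that are not root-only. The directory /root/.apache.pass.d and the file naming scheme host_port.ALG are assumptions of this example; the "ECC" value is only passed by newer Apache releases.

```sh
#!/bin/sh
# Added example: per-key pass phrase helper for Apache's SSLPassPhraseDialog exec:...
# Apache runs it as:  <helper> servername:port RSA|DSA|ECC   and reads stdout.
# Assumed (hypothetical) layout: $PASSDIR/<servername>_<port>.<ALG>, mode 0600,
# e.g. /root/.apache.pass.d/pkipub.mycompany.com_443.RSA

PASSDIR="${PASSDIR:-/root/.apache.pass.d}"

# file_is_private FILE -> 0 when group and others have no permission bits at all
# (columns 5-10 of "ls -ld" output are "------" for mode 0600 / 0400).
file_is_private() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# lookup_passphrase SERVER:PORT ALG -> prints the pass phrase; returns 1 on any problem
# (no output on failure, so Apache simply fails to unlock the key).
lookup_passphrase() {
    server="$1"
    alg="$2"
    case "$server" in
        *:*) ;;                   # must look like host:port
        *) return 1 ;;
    esac
    case "$alg" in
        RSA|DSA|ECC) ;;           # only the algorithm names Apache passes
        *) return 1 ;;
    esac
    host="${server%:*}"
    port="${server##*:}"
    case "$host" in
        */*|*..*) return 1 ;;     # the server name must not steer us outside PASSDIR
    esac
    secret_file="${PASSDIR}/${host}_${port}.${alg}"
    [ -f "$secret_file" ] || return 1
    file_is_private "$secret_file" || return 1
    head -n 1 "$secret_file"      # first line is the pass phrase; Apache strips the newline
}

# When Apache runs the helper the arguments are present; when sourced for testing they are not.
if [ -n "$1" ]; then
    lookup_passphrase "$1" "$2" || exit 1
fi
```

Install it like the original (chmod 600, owned by root) and point SSLPassPhraseDialog at it with exec:/root/.apache.pass; each key then gets its own secret file, and a secret that is accidentally made group- or world-readable stops the server from starting instead of being served silently.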
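The last step on the Pub node is a manual "ls -l ... (there should be no broken links)" after the CA/RA has rebooted and pkitransfer has copied the CA certificates and CRL. The following is an added example, not code from John's post or from OpenCA, that turns that inspection into a check which can run on the Pub node after every transfer: it walks every PKI under BASEDIR (a directory containing etc/openca, as pkitransfer does), reports dangling symlinks in var/openca/crypto/cacerts and confirms that a cacrl.* file is present in var/openca/crypto/crls. The directory layout is taken from the post; the function names are this example's own.

```sh
#!/bin/sh
# Added example: post-transfer consistency check for the Pub node.
# Layout assumed from the post: $BASEDIR/<PKI>/etc/openca marks a PKI,
# with CA certs under var/openca/crypto/cacerts and CRLs under var/openca/crypto/crls.

BASEDIR="${BASEDIR:-/usr/local/OpenCA/}"
CDIR="var/openca/crypto/"

# check_pki_dir PKIDIR -> 0 if cacerts has no dangling symlinks and a cacrl.* file exists
# in crls; otherwise prints what is wrong and returns 1.
check_pki_dir() {
    pki="$1"
    rc=0
    cacerts="${pki}/${CDIR}cacerts"
    crls="${pki}/${CDIR}crls"
    [ -d "$cacerts" ] || { echo "missing: $cacerts"; return 1; }
    [ -d "$crls" ]    || { echo "missing: $crls"; return 1; }
    # "find -L" follows symlinks; an entry still reported as type l is a dangling link
    dangling=$(find -L "$cacerts" -type l)
    if [ -n "$dangling" ]; then
        echo "dangling links in $cacerts:"
        echo "$dangling"
        rc=1
    fi
    # the public CRL distribution point serves cacrl.*, so at least one must have arrived
    if ! ls "$crls"/cacrl.* >/dev/null 2>&1; then
        echo "no cacrl.* in $crls"
        rc=1
    fi
    return $rc
}

# check_all_pkis [BASEDIR] -> checks every PKI directory under BASEDIR; returns 1 if any fails.
check_all_pkis() {
    base="${1:-$BASEDIR}"
    overall=0
    for sub in "$base"/*/; do              # quoted glob: directory names with spaces are safe
        [ -d "${sub}etc/openca" ] || continue
        if check_pki_dir "${sub%/}"; then
            echo "ok: ${sub%/}"
        else
            overall=1
        fi
    done
    return $overall
}
```

Run check_all_pkis on the Pub node (for example from the openca-xxx init script before "service httpd restart"); a non-zero exit means the web server would be publishing a PKI whose CA chain or CRL is incomplete.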
_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users