Hi Guys,

For a project of mine I'm currently trying to implement an OpenCA PKI server.
My goals are:

1. Making it a Root Certificate Authority.
2. 2nd or 3rd tier CA (it has to be able to accept certificates from other CAs)
3. User certificate generation (for RADIUS)
4. Machine certificate generation (for RADIUS), guess that's about the same as #3

And maybe some web interface tweaks.


Well, to be honest I'm having a rather hard time getting OpenCA to work using both RPM packages and a source install. I prefer the RPM packages since they're much easier to distribute and replace than source installs, so I'm trying to get those to work first. If there's a good reason for me to start using the sources please tell me (I just had a look but it's not very easy either). I've been running Linux for ~8 years so I know my way around, that shouldn't be much of a problem.

My current test system is a clean CentOS 5.6 32-bit testing VM on which I installed these packages:

[root@lumiadca openca]# rpm -qa | grep openca
openca-base-common-1.1.1-1.rhfc12.i686
openca-base-online-1.1.1-1.rhfc12.i686
openca-tools-1.3.0-1.el5.i386
openca-base-offline-1.1.1-1.rhfc12.i686

Okay, I also installed apache and enabled cgi-bin, apache is running as apache:apache (centos default).
Okay, then I changed the following stuff in config.xml and restarted openca:


[root@companyca openca]# diff config.xml config.xml.bak
58c58
< <value>*ZIP*</value>
---
> <value>@default_web_password@</value>
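Review bot: because the diff was taken as `diff config.xml config.xml.bak`, the `<` lines in every hunk are the edited values and the `>` lines are the shipped defaults, the reverse of the usual old-to-new reading; running it as `diff config.xml.bak config.xml` (or `diff -u config.xml.bak config.xml`) would make the changes read naturally and avoid a reader copying the default values back by mistake.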
63c63
< <value>CompanyName</value>
---
> <value>OpenCA Labs</value>
71c71
< <value>CompanyName</value>
---
> <value>OpenCA Labs</value>
79c79
< <value>Utrecht</value>
---
> <value></value>
87c87
< <value>Utrecht</value>
---
> <value></value>
96c96
< <value>NL</value>
---
> <value></value>
104c104
< <value>yes</value>
---
> <value>no</value>
109c109
< <value>ope...@company.nl</value>
---
> <value>supp...@pki.openca.org</value>
114c114
< <value>openca-dontre...@company.nl</value>
---
> <value>p...@openca.org</value>
118c118
< <value>https://companyca.boudewijnector.nl/pki/pub/policy.html</value>
---
> <value>https://titan/pki/pub/policy.html</value>
130c130
< <value>companyca.boudewijnector.nl</value>
---
> <value>titan</value>
171c171
< URI.1=http://companyca.boudewijnector.nl/pki/pub/crl/cacrl.crl
---
> URI.1=http://titan/pki/pub/crl/cacrl.crl
182c182
< authorityInfoAccess=caIssuers;URI:http://companyca.boudewijnector.nl/pki/pub/cacert/cacert.crt,OCSP;URI:http://companyca.boudewijnector.nl:2560/,prqpServer;URI:http://companyca.boudewijnector.nl:830/
---
> authorityInfoAccess=caIssuers;URI:http://titan/pki/pub/cacert/cacert.crt,OCSP;URI:http://titan:2560/,prqpServer;URI:http://titan:830/
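Review bot: the authorityInfoAccess line embeds three URIs under the new hostname (caIssuers over plain HTTP, OCSP on port 2560, prqpServer on port 830); since this extension is copied into every certificate the CA issues, confirm before the first issuance that all three are reachable from the RADIUS clients at exactly those host:port combinations, because an unreachable OCSP URI cannot be corrected in certificates that have already been issued and will break strict revocation checking.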
187c187
< <value>http://companyca.boudewijnector.nl/pki/pub/crl/cacrl.crl</value>
---
> <value>http://titan/pki/pub/crl/cacrl.crl</value>
199c199
< <value>companyca.boudewijnector.nl</value>
---
> <value>titan</value>
252c252
< <value>*ZIP*</value>
---
> <value>openca</value>




Please note that I've changed the URLs and project name a bit to make sure the project remains a bit more anonymous.

In /opt/openca/etc/openca/openca_start I also have:

$AUTOCONF {"httpd_user"}     = "apache";
$AUTOCONF {"httpd_group"}    = "apache";

Which ought to be correct too.

Afterwards, I ran
/opt/openca/etc/openca/configure_etc.sh



When going to:

http://<servername>/cgi-bin/pki/ca/ca

I'm getting this error:
OpenCA Error: Server is not online or does not accept requests (/opt/openca/var/openca/tmp/openca_socket - /opt/openca/var/openca/tmp/openca_socket).

That file indeed does not exist although openca is running:

[root@companyca openca]# ps  aux  | grep openca
apache 4455 0.0 6.7 46152 34412 ? S Feb09 0:00 /usr/bin/perl /opt/openca/etc/openca/openca_start
root      4752  0.0  0.1   4344   728 pts/0    S+   19:18   0:00 grep openca

I seem to have chown'ed some paths to the apache user:

drwxr-x---. 2 apache apache 4096 Feb  9 02:00 tmp
[root@lumiadca openca]# pwd
/opt/openca/var/openca


I read this post:
https://sites.google.com/site/asidoothings/Home/my-issues-with-getting-openca-working

And it suggests switching to the source-based version. Is that indeed the only fix for this issue, and what am I getting wrong? chmod 777-ing the whole directory is not an acceptable solution to me.

Cheers,

Boudewijn Ector
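The error above ("Server is not online or does not accept requests") is raised when the CGI cannot reach the daemon's Unix socket, and the post shows the daemon running as apache while the socket file is absent. The following shell checks are an added example written for this thread, not part of OpenCA or of the original post; they separate the three things that can go wrong (directory missing, directory owned by someone other than the httpd user, socket never created or replaced by a plain file) and read the configured httpd user out of openca_start. The paths are the ones quoted in the post, and the script assumes GNU coreutils (`stat -c`) as found on CentOS.

```shell
#!/bin/sh
# Added diagnostic for a missing OpenCA daemon socket (example, not OpenCA code).
# Assumes GNU stat (CentOS/RHEL) for the owner lookup.

# check_openca_socket DIR USER
# Checks the OpenCA tmp directory and the socket the CGI expects inside it.
# Exit codes: 0 ok, 1 directory missing, 2 directory not owned by USER,
#             3 socket file absent, 4 path exists but is not a socket.
check_openca_socket() {
    dir=$1
    user=$2
    sock="$dir/openca_socket"
    if [ ! -d "$dir" ]; then
        echo "missing directory: $dir"
        return 1
    fi
    owner=$(stat -c '%U' "$dir")
    if [ "$owner" != "$user" ]; then
        echo "directory $dir is owned by $owner, expected $user (daemon cannot create its socket there)"
        return 2
    fi
    if [ ! -e "$sock" ]; then
        echo "socket $sock does not exist: the daemon is up but never bound it; check the OpenCA log for the startup error"
        return 3
    fi
    if [ ! -S "$sock" ]; then
        echo "$sock exists but is not a socket (stale file?); remove it and restart OpenCA"
        return 4
    fi
    echo "ok: $sock is present and $dir is owned by $user"
    return 0
}

# httpd_user_from_start FILE
# Prints the value of $AUTOCONF{"httpd_user"} from an openca_start file.
httpd_user_from_start() {
    sed -n 's/^\$AUTOCONF *{"httpd_user"} *= *"\([^"]*\)".*/\1/p' "$1"
}

# Run against the paths from the post when invoked as: sh check.sh run
if [ "${1:-}" = "run" ]; then
    httpd_user=$(httpd_user_from_start /opt/openca/etc/openca/openca_start)
    check_openca_socket /opt/openca/var/openca/tmp "${httpd_user:-apache}"
fi
```

Exit code 3 is the situation described in the post: the directory is already owned by the right user, so the cause is not permissions on tmp but the daemon failing before it binds the socket, and the next place to look is the OpenCA log rather than wider chmods.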



_______________________________________________
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
