Re: [Openca-Users] Some Questions about OpenCA Batch Processor
Okay, I figured out some things by myself. First, my own PIN is correctly imported by using the name "purePIN" instead of "importedPIN".

Second, regarding the breaking workflow: the certificate is created and stored indeed, but after the break no further PKCS#12 can be enrolled. stderr.log does not have any valuable entries regarding this, except that all has worked fine... Then, when I set the actual state to NEW_CERT, it continues to ENROLLED_PIN, but then it breaks by performing enroll_pkcs12 because "The certificate cannot be determined".

However, all works fine when I use one key for CA, BP, Key_Backup and LOG, so I think there is a problem when using different keys. Can somebody reproduce this, or give me a hint what I should try next?

Ralf

"Ralf Hornik Mailings" wrote:

> Dear list,
>
> I want to learn something about the BP module so I read the (little too) short explanation in the OpenCA Documentation.
>
> However I found some more information via google but I cannot collect them usefully...
>
> 1. I created a separate bp/log/backup_key since my cakey is located on an etoken.
>
> 2. I created a certificate for this key (bp_cert.pem) and changed all corresponding symlinks (key and certs) for log and key_backup.
>
> 3. I created a file batch_process_data.txt with this content:
>
> USER ralf
> PROCESS gen_cert_ralf
> set_state new_process
> ROLE User
> SUBJECT_ALT_NAME_1 email:r...@xxx
> SUBJECT emailaddress=r...@xxx, CN=Ralf Hornik, O=Daheim, C=DE
> LOA_MODE USE_IT
> LOA 10
> imported...@private
> -BEGIN MYPIN-
> -BEGIN PKCS7-
> [base64 PKCS#7 body omitted]
> -END PKCS7-
> -END MYPIN-
>
> (PKCS7 was created using openca-sv)
>
> 4. I imported it into the batch interface using "Quick Import"
>
> Now I can see the new user and process. But at first the PIN is not shown because the Webinterface says (Unknown File: importedPIN)
>
> 5. Anyway, next I start a new Workflow using "Do one step for all workflows", choose 16 steps and activate CA key AND BP Key for operation.
>
> But the batch process stops with error:
>
> "Cannot issue the certificate (6794). Cannot encrypt PIN-mail! Aborting! OpenCA::OpenSSL returns errorcode 0 ().
>
> -130"
>
> And the actual state of the process is CHECKED_CSR.
> In stderr.log I see my new issued certificate but it doesn't seem to be stored anywhere.
>
> So my questions are:
>
> 1. How can I import the PIN from the PKCS7 file so that I can use it later?
> 2. Why are the issued certificates not stored? What's wrong?
> 3. Does the batch process start in background, once activated using "Do one step for all workflows", frequently, or do I have to configure something more?
>
> Thank you very much for any help.
>
> Ralf

--
everything stays different...

___
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
Re: [Openca-Users] Can't find CRL (was Re: Shared database)
Thank you, David. This helps a lot but leaves a few questions. I assume I can work around the bug by creating the links manually. Are these links from www/html/pki/pub/crl to var/openca/crypto/crls etc.?

You mention that every time the CRL is updated, the file system is updated. I assume that means that when the CA issues a new CRL, the latest CRL is placed in var/openca/crypt/crls/cacrl.pem on the CA. If we are not using dataexchange through the node (the reason for using a shared database), how will these files get to the file system on the pub server (a different host and hence a different file system)? Is there anything else that is short-circuited by not using the node dataexchange?

Thanks - John

On Tue, 2008-12-16 at 08:45 -0500, David W Blaine wrote:
> Hi John,
>
> The answer to your first question (and probably the rest, since they all seem to follow from this basic question): Yes, the CRLs (as well as CA certs, at least in the PUB interface) are grabbed from the filesystem. There is a bug in OpenCA 1.0.2 where the links from the $OPENCA_HOME/openca/var/crypto are not created in the PUB interface. Every time the CRL is generated the filesystem is updated, so if you have links (instead of actual file copies) all will be up-to-date.
>
> -
> DAVID BLAINE, GCIA, CISSP
> GDLS-C Lead Information Risk Manager (LIRM)
> CSC
> 6000 E. 17 Mile Rd. Sterling Heights MI 48313
> GIS | o: 586.825.7650 | c: 810.217.8041 | f: 586.825.8606 | dblai...@csc.com | www.csc.com
>
> "John A. Sullivan III" wrote on 12/15/2008 08:27 PM to "Users' Help and Suggestions", subject: [Openca-Users] Can't find CRL (was Re: Shared database):
>
> > On Thu, 2008-12-11 at 18:57 -0500, John A. Sullivan III wrote:
> > > On Thu, 2008-12-11 at 18:54 -0500, John A. Sullivan III wrote:
> > > > On Thu, 2008-12-11 at 13:10 -0500, John A. Sullivan III wrote:
> > > > > Hello, all. We have a small, low security client for which we are doing an installation of OpenCA-1.0.2. It is actually an upgrade from 0.9.2 and a transfer to new equipment. We have already separated the RA and CA. They would now like to separate the pub interface from the RA.
> > > > >
> > > > > To avoid having two complete sets of node transfers, I thought we would try using a single shared database and wanted to share my thoughts about both security and how to do this to see if I am making any dumb mistakes with this approach.
> > > > >
> > > > > The CA and RA are normally left powered down. This is why they would like to separate the Pub - for automated CRL fetching via http as well as for the ease of having some access to the system without having to start up the CA or RA.
> > > > >
> > > > > I was thus thinking of storing a single instance of the database on the pub server. My first thought was this is security madness. Then I realized, there is nothing in the database that is not already exposed by the pub interface - keys, certs, crls, reqs - all are made available via pub. Thus, there is no security compromise.
> > > > >
> > > > > FIRST QUESTION:
> > > > > Is this understanding about no security compromise by putting the shared database on the pub server correct?
> > > > >
> > > > > SECOND QUESTION:
> > > > > Is it correct to assume that a shared database eliminates the need for data transfer via the node interface?
> > > > >
> > > > > THIRD QUESTION:
> > > > > Assuming #2 is true, is it correct to assume I still need to install a node on the CA for utility functions like backup, cleanup, rebuild chain, etc.?
> > > > >
> > > > > FOURTH QUESTION:
> > > > > Do I need a node on the other interfaces even with a shared database? For example, the restore procedure on the node not only initializes and restores the database but also rebuilds openssl's database and next serial number. How does one do this on the pub and RA interfaces if there is only a node on the CA? Is it necessary? What about rebuilding the CA chain? Do I need to manually copy in the CA cert and hash link to the RA and pub servers?
> > > > >
> > > > > PROCEDURE:
> > > > > I'm assuming I do the following:
> > > > > 1) Setup the database skeleton on the public server
> > > > > 2) Install the CA and CA Node (make install-offline) pointing the database to the database on the public server.
> > > > > 3) Initialize and restore the database and then rebuild the openssl database through the CA node.
> > > > > 4) Install the RA (make install-ra) pointing the database to the database on the public server.
> > > > > 5) Manually copy the regular files in the
Re: [Openca-Users] How to renew the certificate
lampa wrote:
> I want to know the process of renewing the certificate. I want to understand not only the operation of RA operator and Users, but also how OpenCA deals with the request.

OpenCA simply creates a copy of the archived request with a new serial number. However, this breaks the RA signature. The next steps are the same as issuing any other certificate...

Renewing a valid certificate (IMHO) does not need a complete verification process, since the old request has already been approved. The only thing to check might be whether the certificate is still needed (or paid for). If so, you can renew the request and issue the new certificate.

The only problem could be that the approver's (RA) certificate has expired or been revoked meanwhile, since there is no (automatic) check whether the approver's certificate was valid at the time of signature. (Max?)

Ralf
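Added example, not code from OpenCA or from anyone in these threads: a POSIX shell script with two defensive checks that follow from David's answer above (the pub interface serves CRLs from filesystem links, and a copy left in place of the missing 1.0.2 link goes stale) and from Ralf's note that nothing verifies the approver's certificate was valid at signing time. It assumes GNU coreutils and the openssl CLI; make_demo_ca builds a constructed demo CA, RA certificate and CRL so the checks can be exercised offline, and is not OpenCA's real layout.

```shell
#!/bin/sh
# Added example, not OpenCA project code. Two checks drawn from the threads above:
#  (1) the pub interface's CRL path is a symlink into the CA crypto directory and
#      the CRL is not past its nextUpdate (a stale copy silently breaks revocation);
#  (2) an approver (RA) certificate was within its validity and unrevoked at a given
#      signing time, which OpenCA does not check automatically on renewal.
# Assumes GNU coreutils (readlink -f, date -d) and the openssl CLI. The layout built
# by make_demo_ca is constructed for this demo; it is not OpenCA's own layout.

# check_crl_link LINK TARGET: succeed only if LINK is a symlink resolving to TARGET
check_crl_link() {
    [ -L "$1" ] && [ "$(readlink -f "$1")" = "$(readlink -f "$2")" ]
}

# crl_is_current CRL: succeed only if the CRL's nextUpdate is still in the future
crl_is_current() {
    next=$(openssl crl -in "$1" -noout -nextupdate 2>/dev/null) || return 1
    [ "$(date -u -d "${next#nextUpdate=}" +%s)" -gt "$(date -u +%s)" ]
}

# approver_valid_at CERT CA CRL EPOCH: succeed only if CERT chains to CA, lies inside
# its validity period and is absent from CRL, all evaluated at time EPOCH
approver_valid_at() {
    openssl verify -attime "$4" -crl_check -CAfile "$2" -CRLfile "$3" "$1" >/dev/null 2>&1
}

# make_demo_ca DIR: demo CA, an RA cert it signed, a 7-day CRL under DIR/crypto/crls
# and the pub-interface symlink under DIR/pub/crl (the link 1.0.2 fails to create)
make_demo_ca() {
    mkdir -p "$1/crypto/crls" "$1/pub/crl" "$1/newcerts"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 -subj "/CN=Demo CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=Demo RA" \
        -keyout "$1/ra.key" -out "$1/ra.csr" 2>/dev/null
    printf '[ca]\ndefault_ca=d\n[d]\ndatabase=%s/index.txt\nnew_certs_dir=%s/newcerts\n' \
        "$1" "$1" > "$1/ca.cnf"
    printf 'serial=%s/serial\ndefault_md=sha256\ndefault_days=10\ndefault_crl_days=7\n' \
        "$1" >> "$1/ca.cnf"
    printf 'policy=p\n[p]\ncommonName=supplied\n' >> "$1/ca.cnf"
    : > "$1/index.txt"; echo 01 > "$1/serial"
    openssl ca -config "$1/ca.cnf" -batch -notext -keyfile "$1/ca.key" -cert "$1/ca.pem" \
        -in "$1/ra.csr" -out "$1/ra.pem" 2>/dev/null
    openssl ca -config "$1/ca.cnf" -gencrl -keyfile "$1/ca.key" -cert "$1/ca.pem" \
        -out "$1/crypto/crls/cacrl.pem" 2>/dev/null
    ln -s "$1/crypto/crls/cacrl.pem" "$1/pub/crl/cacrl.pem"
}
```

Point check_crl_link at the real pub-interface CRL path and the CA's crypto/crls file to confirm the manual-link workaround; the demo helper exists only so the checks can be run offline.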