Re: [Openca-Users] Error starting openca 1.1.1 after initial setup

2010-11-26 Thread Ralf Hornik Mailings
 Any ideas what's going wrong here?

No one can help me?
However, I downloaded the source from sf, did a configure/make/make
install-online install-offline and set the company name in config.xml...

After init.d/openca start all I get is:

Starting OpenCA ... Bareword ERR_USER_STATUS_UNKNOWN not allowed
while strict subs in use at
/opt/openca_1.1/lib/openca/perl_modules/perl5/OpenCA/User.pm line 372,
DATA line 275.
Compilation failed in require at
/opt/openca_1.1/lib/openca/functions/initServer line 44, DATA line
275.
BEGIN failed--compilation aborted at
/opt/openca_1.1/lib/openca/functions/initServer line 44, DATA line
275.
Compilation failed in require at
/opt/openca_1.1/etc/openca/openca_start line 65, DATA line 275.
OK

Has anybody other than me installed openca 1.1.1 yet?
Regards
Ralf



--
Increase Visibility of Your 3D Game App  Earn a Chance To Win $500!
Tap into the largest installed PC base  get more eyes on your game by
optimizing for Intel(R) Graphics Technology. Get started today with the
Intel(R) Software Partner Program. Five $500 cash prizes are up for grabs.
http://p.sf.net/sfu/intelisp-dev2dev
___
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users


[Openca-Users] Error starting openca 1.1.1 after initial setup

2010-11-24 Thread Ralf Hornik Mailings
Hi List,

I use debian 5 and openca from source.
After installing, doing a small initial setup (organisation, user PW,
database) and starting, I get:

testca:/opt/openca/etc# ./init.d/openca start
Starting OpenCA ... Bareword ERR_USER_STATUS_UNKNOWN not allowed  
while strict subs in use at  
/opt/openca_1.1/lib/openca/perl_modules/perl5/OpenCA/User.pm line 372,  
DATA line 275.
Compilation failed in require at  
/opt/openca_1.1/lib/openca/functions/initServer line 44, DATA line  
275.
BEGIN failed--compilation aborted at  
/opt/openca_1.1/lib/openca/functions/initServer line 44, DATA line  
275.
Compilation failed in require at  
/opt/openca_1.1/etc/openca/openca_start line 65, DATA line 275.
OK
testca:/opt/openca/etc#

Any ideas what's going wrong here?
Regards

Ralf




Re: [Openca-Users] Res: Certificates/key with password in Openca

2010-05-27 Thread Ralf Hornik Mailings
Regivaldo Gomes Costa regivaldoco...@yahoo.com.br wrote:

 Your tip solved the problem, but I had to convert from p12 to pem  
 (with DES protect).

You can also download it as PEM using the SSLeay or pkcs8 option instead of PKCS12.

 OpenVPN does not read keys in p12 format.

Though...

Regards

Ralf




Re: [Openca-Users] I Import existing Root CA and Server Certificates

2010-01-11 Thread Ralf Hornik Mailings
spea s...@uni.de wrote:

 Import Server Certificates:
 no idea :-(

You can import a previously created backup from your old CA.
See:
http://mm.cs.dartmouth.edu/wiki/index.php/How_to_upgrade





Re: [Openca-Users] silly question

2009-11-30 Thread Ralf Hornik Mailings
David O'Callaghan david.ocallag...@cs.tcd.ie wrote:

 This might be a silly answer, but are you sure you modified the right file?

 For example, on my system (based on OpenCA 1.x) if I want to alter the
 days parameter for the Web Server certificate profile I would need to
 edit /opt/openca/etc/openca/openssl/openssl/Web_Server.conf
 There is a separate OpenSSL conf file for each profile.

You'd rather want to modify Web_Server.conf.template since  
Web_Server.conf would be rewritten on startup.

Also it's possible to increase the lifetime by using the days field in
the request form.
Regards


Ralf





Re: [Openca-Users] FIX: Expired list doesn't show

2009-11-29 Thread Ralf Hornik Mailings
Hi

Samuel Rios Carvalho wrote:

 select status,dn,date(notafter),time(notafter) from certificate
 where status = 'EXPIRED';

 So cmdlistCerts doesn't seem to do the correct query.
 I will try to fix that on this weekend.

You can download the fixed version of OpenCA::DBI.pm here:

http://www.ralf-hornik.de/pub/patches/openca/DBI.pm

Please replace it with openca_prefix/modules/perl5/OpenCA/DBI.pm

@Max. Since the status of expired certificates is being updated in DB, 
there is no need to use handleExpiredCert any more.
I think it can be completely removed.

Please test it and give short feedback.
Regards

Ralf



[Openca-Users] Generate Requests from CSV Import

2009-11-29 Thread Ralf Hornik Mailings
Hi,

I want to implement the ability to generate PKCS12 files using CSV based 
CSR generation:

Name,email,role,loa,pin
--
Ralf Hornik,r...@domain.org,User,1,ba11aba||a
...
---

Then generate the requests as advanced_csr server side key generation

Can somebody (Max?) give me a pointer which would be the shortest (and
least performance-killing) way to do it (only short hints)?
I will then do the development.
Regards

Ralf

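As an added example (not code from the post or from OpenCA), this Python sketch turns the CSV layout above into per-user records in the "KEY value" layout of batch_process_data.txt quoted in the batch-processor thread further down the page. The O/C defaults, the user name derived from the e-mail address and the process name are assumptions, and the PIN is returned separately because the page does not show the exact PIN record syntax; the CSV values are constructed.

```python
import csv
import io

# Constructed sample input in the column layout sketched in the post
# (Name,email,role,loa,pin); names, addresses and PINs are made up.
SAMPLE_CSV = """Name,email,role,loa,pin
Ralf Hornik,ralf@example.org,User,1,ba11aba||a
"Doe, John",john@example.org,User,10,s3cret-pin
"""

REQUIRED = ("Name", "email", "role", "loa", "pin")
# Characters that need a backslash inside an RFC 4514 attribute value, so a
# CSV field such as 'Doe,O=Other' cannot smuggle an extra RDN into the subject.
DN_SPECIALS = ',+"\\<>;'


def escape_dn_value(value):
    """Escape one attribute value for use inside a DN string."""
    text = "".join("\\" + ch if ch in DN_SPECIALS else ch for ch in value)
    if text[:1] in ("#", " "):
        text = "\\" + text
    if text.endswith(" "):
        text = text[:-1] + "\\ "
    return text


def csv_to_batch_records(csv_text, org="Example Org", country="DE"):
    """Return one (user, record_text, pin) tuple per CSV row.

    record_text follows the 'KEY value' lines of batch_process_data.txt as
    quoted in the batch-processor thread; org/country are assumed defaults.
    The PIN is handed back separately for whatever PIN record the batch
    processor expects, because the page does not show that syntax.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    seen = set()
    records = []
    for lineno, row in enumerate(reader, start=2):  # line 1 is the header
        missing = [f for f in REQUIRED if not (row.get(f) or "").strip()]
        if missing:
            raise ValueError(f"line {lineno}: missing {', '.join(missing)}")
        email = row["email"].strip()
        if "@" not in email:
            raise ValueError(f"line {lineno}: bad e-mail address {email!r}")
        if not row["loa"].strip().isdigit():
            raise ValueError(f"line {lineno}: LOA must be numeric")
        user = email.split("@", 1)[0].lower()
        if user in seen:
            raise ValueError(f"line {lineno}: duplicate user {user}")
        seen.add(user)
        subject = ", ".join([
            "emailaddress=" + escape_dn_value(email),
            "CN=" + escape_dn_value(row["Name"].strip()),
            "O=" + escape_dn_value(org),
            "C=" + country,
        ])
        lines = [
            f"USER {user}",
            f"PROCESS gen_cert_{user}",
            "set_state new_process",
            f"ROLE {row['role'].strip()}",
            f"SUBJECT_ALT_NAME_1 email:{email}",
            f"SUBJECT {subject}",
            "LOA_MODE USE_IT",
            f"LOA {row['loa'].strip()}",
        ]
        records.append((user, "\n".join(lines) + "\n", row["pin"]))
    return records


if __name__ == "__main__":
    for user, record, _pin in csv_to_batch_records(SAMPLE_CSV):
        print(f"--- {user} ---\n{record}")
```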


Re: [Openca-Users] Expired list doesn't show

2009-11-26 Thread Ralf Hornik Mailings
Samuel Rios Carvalho nhaw...@gmail.com wrote:

 I think that in status like should be REVOKED, but I don't know where I can
 change it.

The database shows EXPIRED in the status field of certificate:

select status,dn,date(notafter),time(notafter) from certificate where  
status = 'EXPIRED';

So cmdlistCerts doesn't seem to do the correct query.
I will try to fix that on this weekend.

Ralf





Re: [Openca-Users] Trouble with LDAP and CRL's

2009-11-13 Thread Ralf Hornik Mailings
blain...@gdls.com wrote:


 ldap://host/cn=Root CA,ou=Trustcenter,dc=domain,dc=com

Is this the full DN or is there an emailAddress too?

Some applications need the full DN to find the CRL:

ldap://host/emailAddress=r...@domain.com, cn=Root CA,ou=Trustcenter,dc=domain,dc=com


-- 
alles bleibt anders...



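To show why the DN in the URL has to name the directory entry exactly, an added Python example (not from the post or from OpenCA) that builds an RFC 4516 LDAP URL for a CRL entry, parses it back and compares DNs; the host and DN values are constructed.

```python
import re
from urllib.parse import quote, unquote, urlsplit

# Directory attribute in which the CRL is stored (RFC 4523 schema).
CRL_ATTR = "certificateRevocationList;binary"
# RDN separator: a comma that is not escaped with a backslash.
RDN_SPLIT = re.compile(r"(?<!\\),")


def build_crl_ldap_url(host, dn):
    """RFC 4516 URL ldap://host/dn?attrs?scope?filter pointing at the CRL.

    The DN is percent-encoded so spaces and '@' survive inside a URL while
    the '=' and ',' separators stay readable; scope 'base' means the client
    reads exactly the entry named by the DN, so the DN must be complete.
    """
    return f"ldap://{host}/{quote(dn, safe='=,')}?{CRL_ATTR}?base?(objectClass=*)"


def parse_ldap_url(url):
    """Split an LDAP URL into host, decoded DN, attributes, scope and filter."""
    parts = urlsplit(url)
    if parts.scheme != "ldap":
        raise ValueError("not an ldap:// URL")
    extras = parts.query.split("?") if parts.query else []
    extras += [""] * (3 - len(extras))
    return {
        "host": parts.netloc,
        "dn": unquote(parts.path.lstrip("/")),
        "attrs": extras[0],
        "scope": extras[1] or "base",              # RFC 4516 defaults
        "filter": extras[2] or "(objectClass=*)",
    }


def normalize_dn(dn):
    """(type, value) pairs; attribute types are case-insensitive and
    whitespace around separators is insignificant, values are kept as written."""
    pairs = []
    for rdn in RDN_SPLIT.split(dn):
        attr, sep, value = rdn.partition("=")
        if not sep:
            raise ValueError(f"malformed RDN {rdn!r}")
        pairs.append((attr.strip().lower(), value.strip()))
    return pairs


def dn_matches(expected, found):
    """True when both DNs name the same entry under the rules above."""
    return normalize_dn(expected) == normalize_dn(found)


if __name__ == "__main__":
    # Constructed values; the CA entry carries an emailAddress RDN in front
    # of the cn, as in the thread.
    full_dn = "emailAddress=ca@example.com,cn=Root CA,ou=Trustcenter,dc=example,dc=com"
    url = build_crl_ldap_url("ldap.example.com", full_dn)
    print(url)
    short_dn = "cn=Root CA,ou=Trustcenter,dc=example,dc=com"
    print("short DN matches entry:", dn_matches(short_dn, parse_ldap_url(url)["dn"]))
```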


[Openca-Users] Upgrade from OpenCA 0.8x to 1.02

2009-11-04 Thread Ralf Hornik Mailings
Dear list,

Has anybody experience in upgrading openca 0.8 to 0.9 or 1.0? Are
there any issues?

I plan to do it as described at
http://mm.cs.dartmouth.edu/wiki/index.php/How_to_upgrade but I'm not
sure if that also works for 0.8.x.
If anybody encountered problems or went another way, please give me feedback.

Thank you and best regards

Ralf

-- 
alles bleibt anders...





Re: [Openca-Users] openca-backup Upgrade issues from 0.92 - 1.x

2009-11-04 Thread Ralf Hornik Mailings
Have you tried to make the backup using the node interface?

Yildirim Zaynal asil.j...@gmail.com wrote:

 I would also do that if possible. But its a production machine, and need to
 keep the old database and continue on that.

 2009/10/29 blain...@gdls.com


 I would  recommend a clean install.



-- 
alles bleibt anders...





Re: [Openca-Users] Upgrade from OpenCA 0.8x to 1.02

2009-11-04 Thread Ralf Hornik Mailings
Hi Max,

Massimiliano Pala massimiliano.p...@dartmouth.edu wrote:

 AFAIK, the upgrade should work.

Thank you for the quick answer. So I will try that and give a short
conclusion if necessary.
Regards

Ralf





Re: [Openca-Users] How to make OpenCA use OpenSSL engine?

2009-09-04 Thread Ralf Hornik Mailings
Hi,

When your HSM has an OpenSSL engine, you can attach the HSM in
tokens.xml like the OpenSC token. Look for OpenSC in tokens.xml and create
a similar entry for your HSM.

Regards

Ralf

Allen Liu all...@cisco.com wrote:

 No, it's not.

 OpenSSL ENGINE is a loadable module for talking to HSM (hardware Secure
 Module) or smart card through PKCS 11 in order to utilize keys stored inside
 as well as hardware-implementated algorithms.

 I know how to use OpenSSL ENGINE to talk to HSM but don't know to make
 OpenCA use ENGINE.


 Thanks,
 Allen

 On 9/3/09 5:00 PM, John A. Sullivan III jsulli...@opensourcedevel.com
 wrote:

 On Thu, 2009-09-03 at 16:13 -0700, Allen Liu wrote:
 Hi,

 I'm new to OpenCA and trying to configure OpenCA to use OpenSSL
 engine. Is there a document or examples on this?
 Can some one give me a pointer? I'd appreciate it!
 snip
 Hmmm . . . I thought it did that by default.  Not sure, though -
 John
 --
 John A. Sullivan III
 Open Source Development Corporation
 +1 207-985-7880
 jsulli...@opensourcedevel.com

 http://www.spiritualoutreach.com
 Making Christianity intelligible to secular society


 




-- 
alles bleibt anders...




Re: [Openca-Users] OpenCA PKI Usability Survey

2009-05-08 Thread Ralf Hornik Mailings
Hi,

I also wrote a couple of patches to improve the usability.

One patch adds a role for an OCSP responder including its extension.

Another changes the cert retrieval by changing the link in the emails
and changes "get requested certificate" to point the search engine
to the cert details instead of installing it in the browser (which in
most cases is not what I want).

However, the search function currently only supports looking up by cert
serial, but request serial will be implemented as soon as I can invest
some more time to dig into the code.

If openca.org is interested in using my modification (or any  
assistance), I will provide my patch set.

Ralf

David O'Callaghan david.ocallag...@cs.tcd.ie wrote:

 Hi Max,

 On 07/05/09 21:41, Massimiliano Pala wrote:
 The 1.0.2+ of OpenCA improved the user interfaces by adopting dynamic
 menus.. but I know there is still much work to do there... one step
 at a time... :D

 I've made some changes (I'd call them improvements :) to the dynamic
 menu stylesheet and javascript. Can I send you a patch?

 Kind regards,

 David

 P.S. I count 7 copies of dynmenu-openca.css and 77 copies of
 openca-menu.js in the source distribution: how do you keep them consistent?

 --
 Dr David O'Callaghan
  Research Fellow - Grid-Ireland - e-INIS - Computer Architecture  Grid
 School of Computer Science  Statistics,
 Trinity College, Dublin 2, Ireland   Telephone: +353 1 896 1720





-- 
alles bleibt anders...





Re: [Openca-Users] SCEP and subject_alt_name

2009-01-29 Thread Ralf Hornik Mailings
Mike Wiseman wrote:
 I can do this by including email=my_email_address in the DN of the CSR, 

Try emailAddress=my_email_address

Ralf




Re: [Openca-Users] openca 0.9.2.5 + sendmail

2009-01-27 Thread Ralf Hornik Mailings
Yildirim Zaynal asil.j...@gmail.com wrote:

 What I would like to have is automatic email notification to the  
 users or administrator that a specific certificate is going to  
 expire within 1 month etc

With OpenCA 0.9.x it's better to write your own application that warns
about expiring certificates. This can then be started as a cron job, or whatever.

 Anybody with experience of openca + sendmail?

Better perl + sendmail. Openca uses a pipe between perl and sendmail:
Example:

my $mailer = "/usr/sbin/sendmail -n -t";

# where -n disables aliasing and -t reads the headers from the message itself

# Then

open(SENDMAIL, "|$mailer") or die "Cannot open $mailer: $!";
 print SENDMAIL "From: m...\@mail.com\n";
 print SENDMAIL "To: y...\@mail.com\n";
 print SENDMAIL "Subject: Your cert will expire\n";
 print SENDMAIL "Content-type: text/plain\n\n";
 print SENDMAIL "Hello,\n blabla";
 close(SENDMAIL);
# the message will now be sent out by sendmail (if it is configured correctly)

Ralf



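The expiry warning this post recommends scripting, and the status = 'EXPIRED' query from the "Expired list" thread above, as one added Python example that is not code from the post or from OpenCA: it fills an in-memory SQLite table with constructed rows (the status, dn and notafter columns follow the query on the page; the email column and the timestamp format are assumptions), selects the certificates that expire within 30 days and builds the warning mail. Handing the message to sendmail -n -t as shown in the post is left to the caller.

```python
import sqlite3
from datetime import datetime, timedelta
from email.message import EmailMessage

TS = "%Y-%m-%d %H:%M:%S"

# Constructed rows. status/dn/notafter are the columns named in the query on
# the page; the email column and the timestamp format are assumptions.
SAMPLE_ROWS = [
    ("VALID",   "CN=Alice,O=Example,C=DE", "alice@example.org", "2009-02-10 12:00:00"),
    ("VALID",   "CN=Bob,O=Example,C=DE",   "bob@example.org",   "2009-06-01 12:00:00"),
    ("EXPIRED", "CN=Carol,O=Example,C=DE", "carol@example.org", "2008-12-01 12:00:00"),
    ("REVOKED", "CN=Dave,O=Example,C=DE",  "dave@example.org",  "2009-02-05 12:00:00"),
]


def parse_ts(text):
    """Timestamp in the assumed column format -> datetime."""
    return datetime.strptime(text, TS)


def load_sample_db():
    """In-memory stand-in for the certificate table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE certificate (status TEXT, dn TEXT, email TEXT, notafter TEXT)")
    conn.executemany("INSERT INTO certificate VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def expired_certs(conn):
    """The query from the thread: certificates whose status is EXPIRED."""
    return conn.execute(
        "SELECT status, dn, date(notafter), time(notafter) "
        "FROM certificate WHERE status = 'EXPIRED'"
    ).fetchall()


def expiring_within(conn, now, days=30):
    """Still-valid certificates whose notAfter falls in the next `days` days.

    Revoked or already expired certificates are skipped on purpose: the
    warning is only useful where a renewal is still possible.
    """
    lo, hi = now.strftime(TS), (now + timedelta(days=days)).strftime(TS)
    rows = conn.execute(
        "SELECT dn, email, notafter FROM certificate "
        "WHERE status = 'VALID' AND notafter > ? AND notafter <= ? "
        "ORDER BY notafter",
        (lo, hi),
    )
    return [(dn, email, parse_ts(na)) for dn, email, na in rows]


def build_warning_mail(sender, dn, recipient, notafter, now):
    """Compose the warning; From/To/Subject headers as in the post's sketch."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = "Your cert will expire"
    msg.set_content(
        f"Hello,\n\nthe certificate\n  {dn}\nexpires on {notafter:%Y-%m-%d} "
        f"({(notafter - now).days} days from now). Please request a renewal in time.\n"
    )
    return msg


def pending_warnings(now, days=30, sender="ca@example.org"):
    """All warning mails due at `now`; feed msg.as_bytes() to sendmail -t to deliver."""
    conn = load_sample_db()
    return [build_warning_mail(sender, dn, email, na, now)
            for dn, email, na in expiring_within(conn, now, days)]


if __name__ == "__main__":
    # A cron job would call this once a day with datetime.now().
    for msg in pending_warnings(parse_ts("2009-01-27 00:00:00")):
        print(msg)
```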


Re: [Openca-Users] openca 0.9.2.5 + sendmail

2009-01-27 Thread Ralf Hornik Mailings
Yildirim Zaynal asil.j...@gmail.com wrote:

 Would it be worth to try to upgrade to 1.0.2? how would it comply with
 the current database used by 0.9.2.5? it just seems like to much
 work..

Upgrading to 1.0.2 fixes a lot of configuration issues. Additionally,  
more features like stronger encryption, CRL extensions, new roles and  
LOAs can be used.

The database is nearly the same, except that some field properties of the
crl table have changed from varchar to bigint (which was a really
really good idea)

The best way to upgrade is to install openca 1.0.2 and import a backup  
from 0.9.x (http://mm.cs.dartmouth.edu/wiki/index.php/How_to_upgrade)

 BTW, trying to start the openca 1.0.2. i get this error:
 Starting OpenCA ... Logging is not initialized.
 Configuration error: Missing Configuration Keyword : CgiCmdsPath
 Compilation failed in require at /usr/local/etc/openca/openca_start line 65.
 OK
 zayn...@tengritag:/usr/local/etc/openca$

 Cant find the problem related.. double checked my config.xml but cant
 see the issue.

Please use the right thread for archiving purposes. I will answer  
regarding this problem to this post:
http://sourceforge.net/mailarchive/message.php?msg_name=fb1e10a90901270019xf753579k58bab7774f3d66a5%40mail.gmail.com

Ralf





Re: [Openca-Users] Openca 1.0.2 for ubuntu 8.10

2009-01-27 Thread Ralf Hornik Mailings
Yildirim Zaynal asil.j...@gmail.com wrote:

 trying to start the openca 1.0.2. i get this error:
 Starting OpenCA ... Logging is not initialized.
 Configuration error: Missing Configuration Keyword : CgiCmdsPath

CgiCmdsPath is actually set in node.conf(.template).
Please post how you installed openca (configure args, make args, etc.)

Ralf





Re: [Openca-Users] Openca 1.0.2 for ubuntu 8.10

2009-01-26 Thread Ralf Hornik Mailings
Ralf Hornik Mailings r...@best.homeunix.org wrote:

 Have you built the openca packages under 8.10, or did you upgrade from
 8.04. (Hint: perl changed from 8.8 to 8.10).
 If upgraded, please recompile/install the openca modules.

...and then, please let the list know, if this solved your problem.
As we all know, this prevents a lot of people from asking the same  
question again and again...

Ralf





Re: [Openca-Users] Openca 1.0.2 for ubuntu 8.10

2009-01-26 Thread Ralf Hornik Mailings
Yildirim Zaynal asil.j...@gmail.com wrote:

 I cannot compile openca in ubuntu 8.10 I get errors of missing files,

 make error:
 http://pastebin.com/m57ea5049

Seems like your ssl headers are missing.
Please install them:

# apt-get install libssl-dev

Ralf





Re: [Openca-Users] Openca 1.0.2 for ubuntu 8.10

2009-01-22 Thread Ralf Hornik Mailings
Yildirim Zaynal wrote:
 Installing OpenCa 1.0.2 binary for ubuntu 8.10 works fine, except for
 some perl related modules. example:

 z...@tengritag:/opt/openca/bin$ ./openca-digest
 /usr/bin/perl: symbol lookup error:
 /opt/openca/lib/openca/perl_modules/perl5/i486-linux-gnu-thread-multi/auto/Digest/SHA1/SHA1.so:
 undefined symbol: Perl_Tstack_sp_pt
   

Have you built the openca packages under 8.10, or did you upgrade from 
8.04. (Hint: perl changed from 8.8 to 8.10).
If upgraded, please recompile/install the openca modules.

Ralf



[Openca-Users] Policy extension missing since upgrade to 1.0.2

2009-01-19 Thread Ralf Hornik Mailings
Can anybody reproduce this? I really need these extensions, I cannot
issue certificates without them!

:-(

Ralf Hornik Mailings wrote:
 Hi List,

 As I figured out, all of my new certificates issued by OpenCA 1.0.2
 have neither the policy extension (OIDs) nor the CPS extension included.

 However, I have no idea how exactly these extensions are included, since
 the extfiles have no config for this and all this stuff must be
 handled by loa.xml.

 Also, the debug output in stderr.log shows a normal openssl ca -batch
 ... command with no specific parts for these policies...

 Can somebody point me in the right direction please so I can help
 fixing this? I really need these extensions.

 Thanks and best regards

 Ralf



   




[Openca-Users] SubCA cert with the same serial then an user cert issued by SubCA

2009-01-12 Thread Ralf Hornik Mailings
Hi list,

when I create a subCA with OpenCA the (sub)CA certificate is shown as CA
certificate correctly, but when I click on it, the web interface tells
me that it is not in the certificate table.
Even more confusing: when I issue an end user certificate by this subCA
with the same serial and then click on the CA certificate, I see
the end user certificate with this serial.

Normally the CA certificate should only point to the ca_certificate
table in the database, so the corresponding selection should do the same.
Is there some work on it, or has somebody solved it?

Best regards

Ralf




Re: [Openca-Users] Some Questions about OpenCA Batch Processor

2008-12-16 Thread Ralf Hornik Mailings
Okay, I figured out some things by myself.

First, the own PIN is correctly imported by using the name purePIN
instead of importedPIN.

Second, regarding the breaking workflow, the certificate is created  
and stored indeed, but after the break no further pkcs12 can be  
enrolled.

stderr.log does not have any valuable entries regarding this, except  
that all has worked fine...

Then, when I set the actual state to NEW_CERTt, it continues to  
ENROLLED_PIN, but then it breaks by performing enroll_pkcs12 because  
The certificate cannot be determined.

However, all works fine, when I use one Key for CA, BP, Key_Backup and  
LOG so I think there is a problem when using different keys.

Can somebody reproduce this, or give me a hint, what I should try next?

Ralf

Ralf Hornik Mailings r...@best.homeunix.org wrote:

 Dear list,

 I want to learn something about the BP module so I read the (somewhat
 too) short explanation in the OpenCA Documentation.

 However I found some more information via google but I cannot  
 collect them usefully...

 1. I created a separate bp/log/backup_key since my cakey is located  
 on an etoken.

 2. I created a certificate for this key (bp_cert.pem) and changed  
 all corresponding symlinks (key and certs) for log and key_backup.

 3. I created a file batch_process_data.txt with this content:

 USER ralf
 PROCESS gen_cert_ralf
 set_state new_process
 ROLE User
 SUBJECT_ALT_NAME_1 email:r...@xxx
 SUBJECT emailaddress=r...@xxx, CN=Ralf Hornik, O=Daheim, C=DE
 LOA_MODE USE_IT
 LOA 10
 imported...@private
 -BEGIN MYPIN-
 -BEGIN PKCS7-
 -END PKCS7-
 -END MYPIN-

 (PKCS7 was created using openca-sv)

 4. I imported it into the batch interface using Quick Import

 Now I can see the new user and process. But at first the PIN is not
 shown because the web interface says (Unknown File: importedPIN)

 5. anyway, next I start a new Workflow using Do one step for all  
 workflows, choose 16 steps and activate CA key AND BP Key for  
 operation.

 But the batch process stops with error:

 Cannot issue the certificate (6794). Cannot encrypt PIN-mail!  
 Aborting! OpenCA::OpenSSL returns errorcode 0 ().


 -130

 And the actual state of the process is CHECKED_CSR.
 In stderr.log I see my new issued certificate but it doesn't seem to
 be stored anywhere.

 So my questions are:

 1. How can I import the PIN from PKCS7 File so that I can use it later
 2. Why are the issued certificates not stored. Whats wrong?
 3. Does the batch process start in background, once activated using
 Do one step for all workflows frequently, or do I have to
 configure something more?

 Thank you very much for any help.


 Ralf

 
 This message was sent using IMP, the Internet Messaging Program.




-- 
alles bleibt anders...






Re: [Openca-Users] How to renew the certificate

2008-12-16 Thread Ralf Hornik Mailings
lampa lampa2...@gmail.com wrote:

 I want to know the process of renewing the certificate , I want to  
 understand not only the operation of RA operator and Users ,but
 also the OpenCA How to deal with the request.

OpenCA simply creates a copy of the archived request with a new serial  
number. However this breaks the RA signature. The next steps are the  
same as issuing any other certificate...

Renewing a valid certificate (IMHO) does not need a complete  
verification process, since the old request has already been approved.

The only thing to check might be if the certificate is still needed  
(or paid for). If so, you can renew the request and issue the new  
certificate.

The only problem could be that the approver's (RA) certificate has
expired or been revoked meanwhile, since there is no (automatic)
check whether the approver's certificate was valid at the time of
signature. (Max?)


Ralf






Re: [Openca-Users] (SOLVED) -- OpenCA 1.0.2 Signing CRR

2008-10-27 Thread Ralf Hornik Mailings
 Massimiliano Pala wrote:
 Please let me know if this works...

Finally I got it!

Max, your idea with the newline was correct, but at the wrong location.
The data to be signed are evaluated in viewCRR and that is where it has to be changed.

Here is the corresponding diff:

--- viewCRR.orig2008-10-27 14:16:50.0 +0100
+++ viewCRR 2008-10-27 14:17:50.0 +0100
@@ -113,8 +113,8 @@
  $text .= REVOKE_CERTIFICATE_NOTAFTER =  .  
($req-getParsed()-{REVOKE_CERTIFICATE_NOTAFTER} or gettext(n/a)) .  
\r\n;
  $text .= REVOKE_CERTIFICATE_SERIAL =  .  
($req-getParsed()-{REVOKE_CERTIFICATE_SERIAL} or gettext(n/a)) .  
\r\n;
  $text .= REVOKE_CERTIFICATE_ISSUER_DN =  .  
($req-getParsed()-{REVOKE_CERTIFICATE_ISSUER_DN} or gettext(n/a))  
. \r\n;
-$text .= REVOKE_CERTIFICATE_KEY_DIGEST =  .  
($req-getParsed()-{REVOKE_CERTIFICATE_KEY_DIGEST} or gettext(n/a))  
. \r\n;
-$text .= USER_CRR = . $req-getParsed()-{USER_CRR} . \r\n if  
($req-getParsed()-{USER_CRR});
+$text .= REVOKE_CERTIFICATE_KEY_DIGEST =  .  
($req-getParsed()-{REVOKE_CERTIFICATE_KEY_DIGEST} or gettext(n/a));
+$text .= \r\nUSER_CRR =  . $req-getParsed()-{USER_CRR} if  
($req-getParsed()-{USER_CRR});

  $hidden_list-{head} = ;
  $hidden_list-{text} = $header.$text;
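Review bot: the moved line terminator changes the exact bytes that get signed, but nothing in the hunk records why; add a comment at the `+$text .= REVOKE_CERTIFICATE_KEY_DIGEST = ...` line stating that the body handed to the signing plugin must not end with "\r\n" (the trailing CRLF is what broke the PKCS#7 verification), and confirm that whichever command later reconstructs `$header.$text` to verify the signature builds the identical string, otherwise the check will fail again on the next edit. Note also that the patch as posted is mail-wrapped: the continuation lines carry no `-`/`+` prefix, so it will not apply with patch as shown and should be re-sent as an attachment.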

Tested with Firefox 3.0 and IE7


-
This SF.Net email is sponsored by the Moblin Your Move Developer's challenge
Build the coolest Linux based applications with Moblin SDK  win great prizes
Grand prize is a trip for two to an Open Source event anywhere in the world
http://moblin-contest.org/redirect.php?banner_id=100url=/
___
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users


Re: [Openca-Users] (SOLVED) -- OpenCA 1.0.2 Signing CRR

2008-10-27 Thread Ralf Hornik Mailings

Samuel Rios Carvalho wrote:

Please, send us the complete file

Attached is the modified viewCRR.
I removed the \r\n at the end of line 116 and added it at the 
beginning of USER_CRR at line 117.

Also I removed the \r\n at the end of line 117.
I think this could cause trouble as well...
Regards

Ralf

## OpenCA - Command
## (c) 1998-2001 by Massimiliano Pala and OpenCA Group
## (c) Copyright 2002-2004 The OpenCA Project
##
##   File Name: viewCRR
##   Brief: View CRR
## Version: $Revision: 1.2 $
## Description: Display given CRR to the RA Operator
##  Parameters: dataType, key

## this script supports the following configurable references
##
## EDIT
## APPROVE
## APPROVE_WITHOUT_SIGNING
## REVOKE_CERT
## REVOKE_CERT_NEW
## REVOKE_CERT_PENDING
## REVOKE_CERT_SIGNED
## REVOKE_CERT_APPROVED
## DELETE
## DELETE_NEW
## DELETE_PENDING
## DELETE_SIGNED
## DELETE_APPROVED

use strict;

sub cmdViewCRR {

    ## Get the Configuration parameters ...
    my $def;
    my ( $myCN, $myEmail );
    my ( $lnk, $sigInfo );
    my $reqStatus;
    my $tmp;
    my ($info_list, $cmd_list, $hidden_list) = (undef, undef, undef);

    my $dataType = $query->param('dataType');
    my $key      = $query->param('key');

    configError( gettext("Error, needed dB key!") ) if ( not $key );

    if ( $dataType eq "PENDING_CRR" ) {
        $reqStatus = gettext("Revocation Request Waiting for Approval");
    } elsif ( $dataType eq "NEW_CRR" ) {
        $reqStatus = gettext("New Revocation Request");
    } elsif ( $dataType eq "SIGNED_CRR" ) {
        $reqStatus = gettext("Signed Revocation Request Waiting for Additional Signature");
    } elsif ( $dataType eq "APPROVED_CRR" ) {
        $reqStatus = gettext("Approved Revocation Request");
    } elsif ( $dataType eq "ARCHIVED_CRR" ) {
        $reqStatus = gettext("Archived Revocation Request");
    } elsif ( $dataType eq "DELETED_CRR" ) {
        $reqStatus = gettext("Deleted Revocation Request");
    } elsif ( $dataType eq "CRR" ) {
        ## try to determine the datatype
        if ($db->getItem ( DATATYPE => "ARCHIVED_CRR", KEY => $key )) {
            $dataType  = "ARCHIVED_CRR";
            $reqStatus = gettext ("Archived Revocation Request");
        } elsif ($db->getItem ( DATATYPE => "APPROVED_CRR", KEY => $key )) {
            $dataType  = "APPROVED_CRR";
            $reqStatus = gettext ("Approved Revocation Request");
        } elsif ($db->getItem ( DATATYPE => "DELETED_CRR", KEY => $key )) {
            $dataType  = "DELETED_CRR";
            $reqStatus = gettext ("Deleted Revocation Request");
        } elsif ($db->getItem ( DATATYPE => "SIGNED_CRR", KEY => $key )) {
            $dataType  = "SIGNED_CRR";
            $reqStatus = gettext ("Signed Revocation Request Waiting for Additional Signature");
        } elsif ($db->getItem ( DATATYPE => "PENDING_CRR", KEY => $key )) {
            $dataType  = "PENDING_CRR";
            $reqStatus = gettext("Revocation Request Waiting for Approval");
        } elsif ($db->getItem ( DATATYPE => "NEW_CRR", KEY => $key )) {
            $dataType  = "NEW_CRR";
            $reqStatus = gettext("New Revocation Request");
        } else {
            configError ( gettext ("Cannot determine status of this request!"));
        }
    } else {
        configError ( i18nGettext ("Invalid or missing dataType (__DATATYPE__)!", "__DATATYPE__", $dataType));
    }

    my $req = $db->getItem( DATATYPE => $dataType, KEY => $key );

    configError ( gettext("CRR not present in DB!") ) if ( not $req );

    ## Get the parsed Request
    my $parsed_req = $req->getParsed();


    ## begin to build request for signing ##


    my ($header, $text);
    my $beginHeader = "-----BEGIN HEADER-----";
    my $endHeader   = "-----END HEADER-----";

    ## build header
    $header  = "$beginHeader\r\n";
    $header .= "TYPE = CRR\r\n";
    $header .= "SERIAL = $key\r\n";
    $header .= "SSL_CERT_SERIAL = " . ($req->getParsed()->{HEADER}->{SSL_CERT_SERIAL} or gettext("n/a")) . "\r\n";
    $header .= "SSL_CERT_DN = " . ($req->getParsed()->{HEADER}->{SSL_CERT_DN} or gettext("n/a")) . "\r\n";
    $header .= "SSL_CERT_ISSUER = " . ($req->getParsed()->{HEADER}->{SSL_CERT_ISSUER} or gettext("n/a")) . "\r\n";
    $header .= "$endHeader\r\n";
    ## build body
    $text  = "SUBMIT_DATE = " . $req->getParsed()->{SUBMIT_DATE} . "\r\n";
    $text .= "APPROVED_DATE = " . $tools->getDate() . "\r\n";
    $text .= "CRIN = " . ($req->getParsed()->{CRIN} or gettext("n/a")) . "\r\n";
    $text .= "REVOKE_REASON = " . ($parsed_req->{REVOKE_REASON} or gettext("n/a")) . "\r\n";
    $text .= "REVOKE_CERTIFICATE_DN = " . ($req->getParsed()->{REVOKE_CERTIFICATE_DN} or gettext("n/a")) . "\r\n";
    $text .= "REVOKE_CERTIFICATE_NOTBEFORE = " . ($req->getParsed()->{REVOKE_CERTIFICATE_NOTBEFORE} or gettext("n/a")) . "\r\n";
    $text .= "REVOKE_CERTIFICATE_NOTAFTER = " . ($req->getParsed()->{REVOKE_CERTIFICATE_NOTAFTER} or gettext("n/a")) . "\r\n";
    $text .= "REVOKE_CERTIFICATE_SERIAL = " .

Re: [Openca-Users] FIX -- OpenCA 1.0.2 signing a CSR - Error 7221014

2008-10-24 Thread Ralf Hornik Mailings
Hi Folks,

works for me now...
Thanks

Ralf

Massimiliano Pala [EMAIL PROTECTED] wrote:

 Hi Guys,

 I found the error --- it was in the approveCSR command - the update
 dataType was wrongly set to RENEW_APPROVED instead of APPROVED_REQUEST.

 I attach the new version of the command that fixes the problem. To fix
 your installation, just copy the attached file in:

   PREFIX/lib/openca/cmds

 (NOTE: in binary distros PREFIX=/opt/openca).

 Please let me know if this fixes your installations or not...

 Later,
 Max


 Sam Morrison wrote:
 Yes I am also getting this exact same issue too.
 Can't find anything in the logs of any use.


 -- 
 People who think they know everything are a great annoyance to those of us
 who do.
  -- Isaac Asimov




-- 
everything stays different...





[Openca-Users] OpenCA 1.0.2 Signing CRR

2008-10-24 Thread Ralf Hornik Mailings
Hi,

Already, there is no way to sign CRRs (except Mozilla 1.x).
When signing CRRs with IE[4567] the message is:

Cannot build PKCS#7-object from extracted signature!
OpenCA::PKCS7 returns errorcode 7911031 (OpenCA::PKCS7-new: Cannot 
initialize signature (7912021). OpenCA::PKCS7-initSignature: Cannot 
parse signature (7921021). OpenCA::PKCS7-getParsed: The crypto-backend 
cannot verify the signature (7742075). OpenCA::OpenSSL-verify: 
openca-sv failed. [Error]: error:04077068:rsa routines:RSA_verify:bad 
signature
[Info]: Input file intialized.
[Info]: Signaturefile initialized.
[Info]: Reading Certificate file.
[Info]: PKCS#7 object loaded.
[Info]: Data is ready for verification.
[Info]: Signature Informations (PKCS#7):
depth:1 serial:C732D5C7CD8E9BCB subject:emailAddress=***,CN=Daheim 
PKI,OU=Daheim CA Organisation,O=Daheim,C=DE
depth:0 serial:01 subject:CN=RA Admin,OU=Users,O=Daheim,C=DE
[Info]: Signature is corrupt. Errorcode -1.
signature:error:-1
).

Maybe I can help fix it, but I need some hints...
Regards


Ralf




Re: [Openca-Users] OpenCA 1.0.2 signing a CSR - Error 7221014

2008-10-23 Thread Ralf Hornik Mailings
Now finally I am at the same place. I estimate this is a common issue...?

openca-sv is located inside the openca_prefix and correctly placed in  
node.conf(.template).

Is anyone able to sign CSR/CRR with IE or Firefox yet on openca 1.0.2?

Mark E. [EMAIL PROTECTED] wrote:


 Hi Max,

 in the stderr.log there's only the pkcs#7 request.
 no error or something else.

 I'm pretty sure it has something to do with the openca-tools installation.
 because first I got another error telling me the openca-sv is
 malformed or not found.
 ldd openca-sv was fine.
 I found out that the openca-sv path in node.conf was wrong so I
 changed it to the right location and now I get this error message.

 a major problem I experienced was, when installing the tools first,
 the GUI installer has the default install-path in /usr . I didn't
 change it as I had no clue which path I needed here.

 how does the openca-base installer locate my tools ?

 Cheers,
 mark


 
 Date: Tue, 21 Oct 2008 18:02:51 -0400
 From: [EMAIL PROTECTED]
 To: openca-users@lists.sourceforge.net
 Subject: Re: [Openca-Users] OpenCA 1.0.2 signing a CSR - Error 7221014

 Hi Mark,

 do you have any more details from PREFIX/var/openca/log/stderr.log ???

 Later,
 Max


 Mark E. wrote:
 Hi guys,

 when i try to sign a CSR within my RA i get general error code 7221014.

 Error while updating the status of the request (32800) !

 What could be the problem here ?

 Regards,
 Mark






-- 
everything stays different...




Re: [Openca-Users] OpenCA 1.0.2 signing a CSR - Error 7221014

2008-10-23 Thread Ralf Hornik Mailings
Hi Max,

Massimiliano Pala wrote:
 Hi Ralf,

 with IE you need an extension because there is no support for IE
 to sign a PKCS#7 file. For Firefox/Mozilla you should:
I have installed the extension:
http://www.microsoft.com/downloads/details.aspx?FamilyID=860EE43A-A843-462F-ABB5-FF88EA5896F6

I indeed can sign using the Test the certificate, but signing a CSR
fails with the error mentioned by the OP. (Error while updating the
status of the request)
Maybe that has nothing to do with signing, because the pkcs7 output is
generated in stderr.log?

Best regards

Ralf



Re: [Openca-Users] cannot stat ca-node-menu.xml during make install-offline

2008-10-22 Thread Ralf Hornik Mailings
Hi Max,

Massimiliano Pala [EMAIL PROTECTED] wrote:

 and change the line:

   MENU_FILE   = ${node_prefix}-menu.xml

 to:

   MENU_FILE   = node-menu.xml

 This should fix your problem.

Thank you, but the problem goes on. configure_etc.sh breaks because:

Error while loading configuration
(/opt/openca-off/openca/etc/servers/node.conf)!Content-type: text/html

Error while loading configuration  
(/opt/openca-off/openca/etc/servers/node.conf)!

Later, all internal web redirects point to /pki/node/* instead of
/pki/ca-node/*:

10.0.0.10 - - [22/Oct/2008:12:34:05 +0200] GET  
/pki/node/scripts/de_DE/openca-menu.js
HTTP/1.1 404 336 https://ca-int/cgi-bin/pki/ca-node/node?redir=1;  
Mozilla/4.0
(compatible; MSIE 7.0; Windows NT 5.1; Mozilla/4.0 (compatible; MSIE  
6.0; Windows NT 5.1;
SV1) ; .NET CLR 2.0.50727; .NET CLR 1.1.4322)

I know it's not a good idea to have RA and CA on one machine, but I
need it for testing first.


Regards Ralf

-- 
everything stays different...




[Openca-Users] cannot stat ca-node-menu.xml during make install-offline

2008-10-21 Thread Ralf Hornik Mailings
Dear List,

I get an error while make install-offline:

+ /usr/bin/install -c -o root -g www-data -m 640 ca-node-menu.xml  
/opt/openca-off/openca/etc/menus/ca-node-menu.xml.template
/usr/bin/install: cannot stat `ca-node-menu.xml': No such file or directory


my configure-args are:

./configure \
   --prefix=/opt/openca-off \
   --with-httpd-user=www-data \
   --with-httpd-group=www-data \
   --with-openca-prefix=/opt/openca-off/openca \
   --with-etc-prefix=/opt/openca-off/openca/etc \
   --with-httpd-fs-prefix=/opt/openca-off/httpd \
   --with-module-prefix=/opt/openca-off/modules \
   --with-node-prefix=ca-node \
   --with-web-host=ca-int.daheim \
   --enable-engine \
   --enable-dbi \
   --enable-rbac \

Regards

Ralf

-- 
everything stays different...





[Openca-Users] PKCS12 renewal failed

2007-08-28 Thread Ralf Hornik Mailings
Hi,

after my RA (Registration Authority Administrator) certificate
expired, I tried to renew it. Now I cannot download the new RA
certificate using the known PIN.

In the MySQL database, the keys from the old cert and the new one are different.
Shouldn't they be equal?

The same happened with the CA (Certification Authority Administrator)
certificate. I only renewed the old requests and signed them again.

What could be the problem?

Thanks for any suggestions


Regards
Ralf




-- 



-
This SF.net email is sponsored by: Splunk Inc.
Still grepping through log files to find problems?  Stop.
Now Search log events and configuration files using AJAX and a browser.
Download your FREE copy of Splunk now   http://get.splunk.com/
___
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users


Re: [Openca-Users] PKCS12 renewal failed

2007-08-28 Thread Ralf Hornik Mailings
And finally solved :-)

I formerly changed the PIN.

BUT

I would recommend that, when the PIN has been changed on the RA/Public Node,
the newly issued certificate SHOULD have the recent PIN of the old expired
certificate.
Otherwise the PIN can easily be lost and the new certificate will become
unusable!!

Regards

Ralf


 Ralf Hornik Mailings wrote:
 Addendum:

 the public_key fields are both the same (old cert and new). Only the
 private key differs but is encrypted.

 However, the private key from the expired cert I can decrypt using my
 known PIN, but the new one's private key I cannot.

 It should be the same encrypted private key as the old one, because I did
 not generate a completely new keypair. I used the old request for the new
 certificate.

 Ralf Hornik Mailings wrote:
 Hi,

 after my RA (Registration Authority Administrator) certificate
 expired, I tried to renew it. Now I cannot download the new RA
 certificate using the known PIN.

 In the MySQL database, the keys from the old cert and the new one are different.
 Shouldn't they be equal?

 The same happened with the CA (Certification Authority Administrator)
 certificate. I only renewed the old requests and signed them again.

 What could be the problem?

 Thanks for any suggestions


 Regards
 Ralf






Re: [Openca-Users] Error 6296060 Permission denied

2006-10-13 Thread Ralf Hornik Mailings
Hi,

 Matthias Alsmann wrote:

 Furthermore, the only thing I can do is to change the language of the
 ra node interface. Other actions like Administration - Server Init
 also fail with exact the same error.

The error occurs in AC.pm while compiling getAccess(), so it is a role
based access control problem. Try to find more information using debug in
etc/log.xml.

Have you *completely* deleted the old OpenCA installation before reinstalling
it, or did you overwrite the existing installation? No config files will be
overwritten. Have you compiled it from source, or did you use
a precompiled package like deb or rpm?

One simple solution would be disabling RBAC, if you do not need it.

Ralf


-
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
___
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users


Re: [Openca-Users] Error 6296060 Permission denied

2006-10-12 Thread Ralf Hornik Mailings
Hi,

 Matthias Alsmann wrote:
 I can export and import data, but after the first restart of
 openca I get this problem.

Where do you export/import the data? Do you use a floppy, or some other
removable discs?

Have you left the role based access control unchanged? (Believing yes)

When using a floppy, keep the permissions of the openca user writable to it.
I think the openca installation sets the permissions correctly, and some
boot process changes it...

Regards

Ralf




Re: [Openca-Users] Linking to OCSP service in certificates

2006-09-27 Thread Ralf Hornik Mailings
Good morning,

 Massimiliano Pala wrote:

 certificate and in the ca cert (outlook or exchange owa e.g. gives a
 failure while checking the crl).

 Is this due to the presence of the CDP (CRL Distribution Point) in both
 the CA and EE (End Entity) certificates ? What happens if you have the
 CDP *only* in the EE certs ? Does Outlook (or exchange) works ?

In my experience a CRL has to be installed first before use. For
Outlook/IE you install it into the local certificate store and for Mozilla
into its own certificate manager. This must always be done by hand the
first time. Mozilla can update it frequently but that is also not a good
idea.

Certificates must be validated in realtime and without any additional
effort for the user. I recommend using OCSP links in each certificate.
Mozilla has a built-in OCSP client that checks the validity by reading the
OCSP link in the extension. For any other application there are several
third party clients running in the background that do OCSP queries.

 Anyway, Thawte for example does not have the crl links in all certs
 eather :-)

 This is just another example of the difficulties for extensions to be
 useful.. too much static.. :-(

CRLs can get a size of many MB. When millions of users download and
check it at the same time the CA can run into trouble. However, some CAs
sell extensions like OCSP or CDP as an additional service...

Best regards

Ralf


-
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT  business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.phpp=sourceforgeCID=DEVDEV
___
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users


Re: [Openca-Users] Certificate and Keypair

2006-09-19 Thread Ralf Hornik Mailings
 Zaki Akhmad wrote:
 I cannot find the certificate and keypair option.

The keypair option is only available if the key is generated on the
openca server. Normally, a browser key is generated in the browser's
crypto store, e.g. Mozilla's software security device or IE's private
certificate store. That's where the key should reside.

When you plan to export it as pkcs12, you should mark the key as
extractable while generating. This option is available in all browser
crypto stores.

However, when you created it on a smartcard, there could be no way to
extract it (and this is the sense of a private key stored on smartcards).

Generally, the private key should ALWAYS be kept private. That means
generation and storage on the client side is mandatory for high security.

Regards

Ralf




Re: [Openca-Users] Purposes: Issuer Not Trusted

2006-09-15 Thread Ralf Hornik Mailings
 Zaki Akhmad wrote:

 Finally, I succeed to encrypt my email using digital certificate. So
 the trick is we should have recipient certificate. I add other
 people's certificate to my Thunderbird.

Another way is using LDAP as an addressbook (maybe OpenCA with LDAP). If
a certificate is deposited behind the user's email address, and you
have the trusted root certificate installed, the email will be encrypted as
well.

 But is this true? I cannot read the encrypted-email from web browser
 (example) gmail.com, but I should read it the encrypted-email from
 (example) Thunderbird. This is because I have to decrypt the
 encrypted-email first using my digital certificate.

Yes. Your webmail doesn't support S/MIME, so it will simply show the mail
as an attachment. Some webmail clients have plugins for that, e.g.
Squirrelmail, for verifying a digital signature.

But since your webmail client resides on a webserver you will have to
install your key and certificate on this server in order to create S/MIME
signatures or decrypt emails. I won't do that at all.

Regards

Ralf




Re: [Openca-Users] Purposes: Issuer Not Trusted

2006-09-14 Thread Ralf Hornik Mailings
Hi,

 Zaki Akhmad wrote:

 Then, I want to ask how to make our certificate which is issued by my
 own CA (using OpenCA, of course) trusted? For example trusted by
 Firefox, and Thunderbird.

Have you installed the Root certificate from your CA and trust it
explicitly in Firefox/Mozilla?

Ralf




Re: [Openca-Users] SSLOptions +StdEnvVars +ExportCertData

2006-09-13 Thread Ralf Hornik Mailings
 Zaki Akhmad wrote:

 Hi Ralf, thank you for your reply. I've done this, and it works at
 https protocol. Is it what I've done, didn't encrypt the message?
 Because the keylength is set to zero?

No. The keylength isn't set to zero. During the SSL handshake some tasks
are done... RSA authentication, Diffie-Hellman key agreement,
encryption/HMAC algorithm proposals and so on.

When you set

SSLCipherSuite RSA:!EXP:!NULL:+HIGH:-MEDIUM:-LOW (for mod_ssl)

or

SSLRequireCipher AES-SHA 3DES-SHA (or something similar for apache_ssl)

in your apache ssl section only strong encryption/authentication will be
allowed by your apache.

Additionally some information about the encryption will be exported to the
applications via environment variables. This is done by using

SSLOptions +StdEnvVars

Back to openca. Openca uses CGI scripts and when initCGI is loaded, these
variables exported earlier are evaluated and checked. The keylength
variable of mod_ssl is called SSL_CIPHER_USEKEYSIZE (initCGI requires this
name) and if its value is less than 128 the session will fail.

In your case using apache-ssl this information resides in
HTTPS_SECRETKEYSIZE. SSL_CIPHER_USEKEYSIZE is thus missing and returns
zero or undef - the session fails. But this only happens due to missing
information, not because of bad encryption.

So don't be afraid that your ssl session is not secure when you set
<symmetric_keylength>0</symmetric_keylength>. When you harden your apache
ssl config as mentioned above, you can see the strong encryption in your
browser.

I hope this explanation was understandable...:-)

Regards

Ralf







Re: [Openca-Users] PKI Enabled Application

2006-09-12 Thread Ralf Hornik Mailings
Hi,

 Guillaume Tamboise wrote:

For encryption & authentication:

 Basically anything that accepts X509 certificates: IPSec Virtual Private
 Networks (VPN), SSL VPN, Kerberos (for instance, Active Directory),
 S/MIME (encrypted email), EAP (802.1x, i.e. authenticated LAN / wireless
 LAN), SMTP/TLS, and anything you can pipe in SSL: LDAP, POP3, SMTP,
 telnet, ...

And for digital signatures:

Openoffice, M$ Office, Adobe Acrobat, Photoshop, Gimp, ... quite any
common application that creates documents, movies, sourcecode and many
more

:-)

Ralf




Re: [Openca-Users] SSLOptions +StdEnvVars +ExportCertData

2006-09-12 Thread Ralf Hornik Mailings
 Zaki Akhmad wrote:
 But when I'm changing the access_control/*.template to
 protocol = ssl
 symmetric_keylenghth = 128

 The Error 6251043, General Error Aborting connection - you are using a
 too short symmetric keylength (), shows up.

Does your apache configtest complain about an unknown option SSLOptions?
If not, it doesn't matter if you use apache-ssl or mod-ssl. There are
exactly the same environment variables exported.

I believe you set this option in the wrong context.

Try this:

<Directory /path/to/openca/httpd/cgi-bin/>
  SSLOptions +StdEnvVars
</Directory>

in your SSL directive.

Ralf




Re: [Openca-Users] SSLOptions +StdEnvVars +ExportCertData

2006-09-12 Thread Ralf Hornik Mailings

 Ralf Hornik Mailings wrote:

 There are exactly the same environment variables exported.

Sorry, I found an old document. Newer versions of mod_ssl have other
environment variables.

Apache-ssl: HTTPS_SECRETKEYSIZE
Mod_ssl: SSL_CIPHER_USEKEYSIZE

The easiest way to solve this problem is to set

<symmetric_keylength>0</symmetric_keylength>

in your *.conf.template and let the apache restrict the keylength of your
ssl sessions.

Otherwise it must be added to the openca CGIs and AC.pm

Ralf
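The key-length check discussed in this message and in the 2006-09-13 reply above, rendered in Python as an added example (this is not OpenCA's initCGI or AC.pm code). It reads the negotiated symmetric key size from the variable name each Apache SSL implementation exports, and reproduces the failure mode from the thread: under Apache-SSL the mod_ssl name is absent, so a check that consults only `SSL_CIPHER_USEKEYSIZE` aborts with empty parentheses in the message even though the cipher is strong. Function names and the sample environments are constructed for this example.

```python
import os

# Variable names under which the two Apache SSL implementations export the
# negotiated symmetric key size (names as given in the thread).
MOD_SSL_VAR    = "SSL_CIPHER_USEKEYSIZE"   # mod_ssl
APACHE_SSL_VAR = "HTTPS_SECRETKEYSIZE"     # Apache-SSL

def negotiated_keysize(env, names):
    """Return the key size in bits from the first listed variable that is
    present and numeric, else None (the variable is simply absent when the
    other Apache flavour is in use)."""
    for name in names:
        value = env.get(name)
        if value is not None and value.strip().isdigit():
            return int(value)
    return None

def check_symmetric_keylength(env, required, accept_apache_ssl=True):
    """Access-control style check; returns (ok, message).
    `required` plays the role of the symmetric_keylength setting: 0 disables
    the check and leaves cipher policy to Apache's SSLCipherSuite, as the
    post suggests. With accept_apache_ssl=False only the mod_ssl name is
    consulted, which is the behaviour the thread describes for initCGI."""
    if required <= 0:
        return True, "keylength check disabled; relying on Apache cipher config"
    names = [MOD_SSL_VAR] + ([APACHE_SSL_VAR] if accept_apache_ssl else [])
    size = negotiated_keysize(env, names)
    if size is None or size < required:
        shown = "" if size is None else str(size)
        # Empty parentheses are exactly what the thread's error shows when the
        # variable is missing rather than small.
        return False, ("Aborting connection - you are using a too short "
                       f"symmetric keylength ({shown})")
    return True, f"ok, {size}-bit symmetric key"

def run_samples():
    """Constructed CGI environments; returns {name: ok}."""
    mod_ssl_strong = {MOD_SSL_VAR: "256"}
    mod_ssl_weak   = {MOD_SSL_VAR: "40"}         # export-grade cipher
    apache_ssl     = {APACHE_SSL_VAR: "168"}     # 3DES under Apache-SSL
    return {
        "mod_ssl 256-bit":               check_symmetric_keylength(mod_ssl_strong, 128)[0],
        "mod_ssl 40-bit export cipher":  check_symmetric_keylength(mod_ssl_weak, 128)[0],
        "apache-ssl, mod_ssl name only": check_symmetric_keylength(apache_ssl, 128, accept_apache_ssl=False)[0],
        "apache-ssl, both names":        check_symmetric_keylength(apache_ssl, 128)[0],
        "apache-ssl, check disabled":    check_symmetric_keylength(apache_ssl, 0, accept_apache_ssl=False)[0],
    }

if __name__ == "__main__":
    # Run as a CGI under Apache, the real environment would be consulted:
    print(check_symmetric_keylength(os.environ, 128))
    for name, ok in run_samples().items():
        print(f"{name:32s} {'pass' if ok else 'FAIL'}")
```

Disabling the check with 0 is only safe when Apache itself refuses weak ciphers (SSLCipherSuite without EXP/NULL/LOW, as in the earlier reply); otherwise consulting both variable names keeps the application-side check working under either Apache.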




[Openca-Users] OpenCA and multiple Organisations

2006-09-01 Thread Ralf Hornik Mailings
Hi List,

I have a lot of requests to sign by my CA. But I cannot submit them
because the organisational name (O=) is different from the organisational
name of my CA.

Can I disable this in an easy way, so that I can use these requests?

Thanks and best regards

Ralf




Re: [Openca-Users] OpenCA and multiple Organisations

2006-09-01 Thread Ralf Hornik Mailings
 James Lever wrote:

 DN_TYPE_SPKAC_BASE
 DN_TYPE_SPKAC_ELEMENTS
 DN_TYPE_SPKAC_NAME Basic User Request

That worked for me. Thank you very much!

Bye

Ralf




Re: [Openca-Users] OpenCA and RFC

2006-08-02 Thread Ralf Hornik Mailings
Hi,

 Dmitrij Mironov wrote:

This extension MUST appear in certificates that contain public keys
that are used to validate digital signatures on other public key
certificates or CRLs.  When this extension appears, it SHOULD be
marked critical.

It MUST appear, but it SHOULD be marked as critical.

 As I understand from this, a CA (in most cases) must have the key usage
 extension, and CA/end-user certificates which have the key usage ext. MUST
 have it marked critical. By default OpenCA certificates are issued with
 non-critical extensions. Is this a bug in OpenCA, or are those certificate
 profiles defined only as examples?

I wouldn't mark any extension as critical unless the certificate and CRL
profile says I must (e.g. for a CA certificate).
If an extension is critical and the application does not know it, the
application will fail.

Regards




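To make the distinction in this message concrete, here is an added example (not OpenCA code and not from the thread) that walks the DER of an X.509 v3 Extensions field, reports which extensions carry the critical flag, and applies the rule quoted above: a keyUsage that covers certificate or CRL signing (keyCertSign/cRLSign) but is not marked critical is flagged. In DER the DEFAULT FALSE criticality is never encoded, so "non-critical" simply means the BOOLEAN is absent. The sample Extensions blob is constructed in the code (CA:TRUE marked critical, keyUsage not, which is the OpenCA default the thread describes); the OID table and all function names are mine.

```python
# Added example, not OpenCA code: walk the DER of an X.509 v3 Extensions field,
# report which extensions are marked critical, and apply the RFC rule quoted
# above to keyUsage. The sample Extensions blob is constructed below.

TAG_BOOLEAN, TAG_BIT_STRING, TAG_OCTET_STRING, TAG_OID, TAG_SEQUENCE = 0x01, 0x03, 0x04, 0x06, 0x30

OID_NAMES = {"2.5.29.15": "keyUsage", "2.5.29.19": "basicConstraints"}  # only what the sample needs

KEY_USAGE_BITS = ("digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign", "cRLSign",
                  "encipherOnly", "decipherOnly")


def read_tlv(buf, pos, want=None):
    """Decode one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits = number of length octets that follow
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if want is not None and tag != want:
        raise ValueError(f"expected tag 0x{want:02x}, got 0x{tag:02x}")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(value):
    """OBJECT IDENTIFIER contents -> dotted string (first octet packs the first two arcs)."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))


def decode_key_usage(extn_value):
    """keyUsage is a BIT STRING: first octet = unused trailing bits, bit 0 is the MSB."""
    _, bits, _ = read_tlv(extn_value, 0, TAG_BIT_STRING)
    total = (len(bits) - 1) * 8 - bits[0]
    return [KEY_USAGE_BITS[i] for i in range(min(total, len(KEY_USAGE_BITS)))
            if bits[1 + i // 8] & (0x80 >> (i % 8))]


def parse_extensions(der):
    """Extensions ::= SEQUENCE OF SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }. DER omits DEFAULT values, so a non-critical extension
    simply has no BOOLEAN between the OID and the OCTET STRING."""
    _, body, _ = read_tlv(der, 0, TAG_SEQUENCE)
    result, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos, TAG_SEQUENCE)
        _, oid_bytes, p = read_tlv(ext, 0, TAG_OID)
        tag, val, p = read_tlv(ext, p)
        critical = False
        if tag == TAG_BOOLEAN:
            critical = val != b"\x00"  # DER encodes TRUE as 0xFF
            tag, val, p = read_tlv(ext, p, TAG_OCTET_STRING)
        elif tag != TAG_OCTET_STRING:
            raise ValueError("malformed Extension")
        oid = decode_oid(oid_bytes)
        result.append((OID_NAMES.get(oid, oid), critical, val))
    return result


def ca_profile_warnings(extensions):
    """The rule quoted from the RFC: a keyUsage covering certificate or CRL signing
    (keyCertSign / cRLSign) SHOULD be marked critical."""
    warnings = []
    for name, critical, val in extensions:
        if name == "keyUsage" and not critical:
            usages = decode_key_usage(val)
            if "keyCertSign" in usages or "cRLSign" in usages:
                warnings.append("keyUsage (%s) is not marked critical" % ",".join(usages))
    return warnings


def _tlv(tag, value):  # tiny DER encoder, used only to build the constructed sample
    assert len(value) < 128  # short-form length is enough here
    return bytes([tag, len(value)]) + value


def build_ca_extensions(key_usage_critical):
    """Constructed sample: basicConstraints CA:TRUE (critical) plus keyUsage
    keyCertSign|cRLSign, marked critical or not as requested."""
    basic = (_tlv(TAG_OID, b"\x55\x1d\x13") + _tlv(TAG_BOOLEAN, b"\xff")
             + _tlv(TAG_OCTET_STRING, _tlv(TAG_SEQUENCE, _tlv(TAG_BOOLEAN, b"\xff"))))
    usage = _tlv(TAG_OID, b"\x55\x1d\x0f")
    if key_usage_critical:
        usage += _tlv(TAG_BOOLEAN, b"\xff")
    usage += _tlv(TAG_OCTET_STRING, _tlv(TAG_BIT_STRING, b"\x01\x06"))
    return _tlv(TAG_SEQUENCE, _tlv(TAG_SEQUENCE, basic) + _tlv(TAG_SEQUENCE, usage))


if __name__ == "__main__":
    for name, critical, val in parse_extensions(build_ca_extensions(False)):
        print(f"{name:20s} critical={critical}")
    print(ca_profile_warnings(parse_extensions(build_ca_extensions(False))))
```

The other half of the message, that a relying party which does not understand a critical extension must reject the certificate, is why the parser reports the flag for every extension and not just for keyUsage: the decision to mark something critical is a decision about which clients may fail.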


Re: [Openca-Users] How to run apache-ssl for openca?

2006-07-31 Thread Ralf Hornik Mailings
Dear itboi,

Sorry, but you definitely have no idea what you are doing. I'm asking myself
why you want to install OpenCA when you don't know what it is.

You don't know about SSL and certificate validation, but this is one of
the main purposes of OpenCA: certificate validation.

I recommend reading a book about encryption/authentication and X.509v3
before setting up a PKI. A good one is this one:

http://www.amazon.com/gp/product/0471397024/sr=8-1/qid=1154334847/ref=pd_bbs_1/002-1145735-3619241?ie=UTF8

Read it!
Bye

Ralf

 itboi schrieb:

 Thanks for the reply, Nicolas MASSE.

 I followed your steps one by one:


 $ cd /root
 $ chmod 700 .
 $ umask 077
 $ mkdir mypki
 $ cd mypki
 $ mkdir certs
 $ mkdir private
 $ touch index.txt
 $ echo '01' > serial
 $ vi openssl.cnf
 $ export OPENSSL_CONF=openssl.cnf
 $ openssl req -newkey rsa -x509 -subj '/C=VN/O=TEST/OU=COM/CN=TEST.COM'
-out
 cacert.pem
 Generating a 2048 bit RSA private key
 +++
 .+++
 writing new private key to './private/cakey.pem'
 Enter PEM pass phrase:
 Verifying - Enter PEM pass phrase:
 -

 $ export -n OPENSSL_CONF
 $ openssl req -newkey rsa:1024 -keyout server.key -nodes -subj
 '/C=VN/O=TEST/OU=COM/CN=TEST.COM' -out server.req
 Generating a 1024 bit RSA private key
 ...++
 .++
 writing new private key to 'server.key'
 -

 $ export OPENSSL_CONF=openssl.cnf
 $ openssl ca -in server.req -out server.crt
 Using configuration from openssl.cnf
 Enter pass phrase for ./private/cakey.pem:
 Check that the request matches the signature
 Signature ok
 The Subject's Distinguished Name is as follows
 countryName   :PRINTABLE:'VN'
 organizationName  :PRINTABLE:'TEST'
 organizationalUnitName:PRINTABLE:'COM'
 commonName:PRINTABLE:'TEST.COM'
 Certificate is to be certified until Jul 26 09:28:28 2007 GMT (365 days)
Sign the certificate? [y/n]:y


 1 out of 1 certificate requests certified, commit? [y/n]y
 Write out database with 1 new entries
 Data Base Updated

 $ cat server.key
 $ cat server.crt

 AND THIS IS mypki/openssl.conf file--


 [ ca ]
 default_ca      = mypki

 [ mypki ]
 dir             = .
 certificate     = $dir/cacert.pem
 database        = $dir/index.txt
 new_certs_dir   = $dir/certs
 private_key     = $dir/private/cakey.pem
 serial          = $dir/serial

 x509_extensions = mypki_ext
 # md5 signatures are not acceptable any more; use a SHA-2 digest
 default_md      = sha256
 default_days    = 365
 policy          = mypki_policy

 [ mypki_policy ]
 # openssl ca silently deletes every DN field that is not listed in the
 # policy section; with an empty section the issued server certificate
 # ends up with an empty subject (the "s:" line in the s_client output below).
 countryName             = supplied
 organizationName        = supplied
 organizationalUnitName  = optional
 commonName              = supplied

 [ mypki_ext ]
 basicConstraints        = CA:false

 [ req ]
 default_bits            = 2048
 default_keyfile         = ./private/cakey.pem

 prompt                  = no
 distinguished_name      = root-ca_DN
 x509_extensions         = root-ca_ext

 [ root-ca_DN ]
 commonName              = TEST.COM
 organizationalUnitName  = TEST
 organizationName        = COM
 countryName             = VN

 [ root-ca_ext ]
 basicConstraints        = CA:true



 Then I copied server.key and server.crt (in mypki folder) to
 /usr/local/apache/mykey also configed httpd.conf:

 --
 ServerName 10.0.1.10
 Port 80
 Listen 80
 Listen 443


 <VirtualHost 10.0.1.10:443>

 # SSLEnable is the Apache-SSL directive and SSLEngine the mod_ssl one;
 # only the one belonging to the SSL module actually loaded is valid
 SSLEnable
 SSLEngine on
 ServerName 10.0.1.10
 ServerAdmin [EMAIL PROTECTED]
 ErrorLog /var/log/httpd/error_log

 SSLCertificateFile /usr/local/apache/mykey/server.crt
 SSLCertificateKeyFile  /usr/local/apache/mykey/server.key
 </VirtualHost>
 -

 Then I start apache by:

 #../bin/apachectl  startssl
 .ok..

 #.../etc/openca_rc start
 ok

 [EMAIL PROTECTED] mypki]# openssl  s_client -connect 10.0.1.10:80
 CONNECTED(0003)
 5456:error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown
 protocol:s23_clnt.c:494:

 [EMAIL PROTECTED] mypki]# openssl s_client  -connect 10.0.1.10:443
 CONNECTED(0003)
 depth=0
 verify error:num=20:unable to get local issuer certificate
 verify return:1
 depth=0
 verify error:num=27:certificate not trusted
 verify return:1
 depth=0
 verify error:num=21:unable to verify the first certificate
 verify return:1
 ---
 Certificate chain
  0 s:
i:/CN=TEST.COM/OU=COM/O=TEST/C=VN
 ---
 Server certificate
 -BEGIN CERTIFICATE-
 MIICQTCCASmgAwIBAgIBATANBgkqhkiG9w0BAQQFADA9MREwDwYDVQQDEwhURVNU
LkNPTTEMMAoGA1UECxMDQ09NMQ0wCwYDVQQKEwRURVNUMQswCQYDVQQGEwJWTjAe
Fw0wNjA3MjkwODQwMDRaFw0wNzA3MjkwODQwMDRaMAAwgZ8wDQYJKoZIhvcNAQEB
BQADgY0AMIGJAoGBAKhERmR34IWB9Lzuo6IETPHs1qwRs5RUbCkBvd85Uaq1kSQ9
40rHWKAizdazKFhJOG4Mmyjicp8ixcEJuKsq2wmHjLEzZwafe8yBDmW7K7XVUu86
oewhODqVK8dIXnJJMXuiw2TAAtwkDfUJkKWb9Pi6ljbZtT99h/Zk2Db3lo5HAgMB
AAGjDTALMAkGA1UdEwQCMAAwDQYJKoZIhvcNAQEEBQADggEBACzi6bQgjeKf2OZ5

Re: [Openca-Users] Problems generating digital signatures using IE and Mozilla

2006-07-27 Thread Ralf Hornik Mailings
Hi,

 Ralf Hornik Mailings wrote:

 does anybody read the list who developes or works with openca?

 when I want to approve a CSR with digital signing using Internet
 Explorer
 6 it works well but when I do the same with an CRR (same signing
 certificate)I get the following:

 Error 6206
 General Error Cannot build PKCS#7-object from extracted signature!
 OpenCA::PKCS7 returns errorcode 7911031 (OpenCA::PKCS7->new: Cannot
 initialize signature (7912021). OpenCA::PKCS7->initSignature: Cannot parse
 signature (7921021). OpenCA::PKCS7->getParsed: The crypto-backend cannot
 verify the signature (7742075). OpenCA::OpenSSL->verify: openca-sv failed.
 [Error]: error:04077068:rsa routines:RSA_verify:bad signature
 [Info]: Input file intialized.
 [Info]: Signaturefile initialized.
 [Info]: Reading Certificate file.
 [Info]: PKCS#7 object loaded.
 [Info]: Data is ready for verification.
 [Info]: Signature Informations (PKCS#7):
 depth:1 serial:BAAB7AAE9EDF433E
 subject:[EMAIL PROTECTED],CN=Test Root CA,OU=PKI,O=Some
 Company,C=DE
 depth:0 serial:02
 subject:serialNumber=2,[EMAIL PROTECTED],CN=Registration
 Authority Administrator,OU=Trustcenter,O=Some Company,C=DE
 [Info]: Signature is corrupt. Errorcode -1.
 signature:error:-1
 ).

 I believe that is a known problem because I found the following:
 http://www.mail-archive.com/openca-devel@lists.sourceforge.net/msg02824.htm

Sorry, I had a typo in that url. The correct link was:

http://www.mail-archive.com/openca-devel@lists.sourceforge.net/msg02824.html

 When I approve a user-validated CRR (using CRIN) OpenCA tells me that it
 has been signed correctly, but later I see a broken signature and no
 PKCS#7 object has been created when I view the CRR.

 On Mozilla it doesn't create any digital signature at all, neither when
 approving any C[SR]R nor when logging in using X.509 or anything else.

 I tested it with Mozilla Firefox version 1.0.6 to 1.5 (secClab
 installed) and IE version 6.

 Can anybody help me? Is this a client side Issue?

 Perl version 5.8.6
 OpenSSL version 0.9.7a

 OpenCA
 -
 OpenSSL   0.9.135.2.11
 Tools 0.4.3
 DB0.9.115.2.8
 Configuration 1.5.3
 TRIStateCGI   1.5.5
 REQ   0.9.61.2.1
 X509  0.9.57
 CRL   0.9.24.2.1
 PKCS7 0.9.19.2.5

It would be very nice if somebody can give me answer, or point me into the
right direction.

Thanks

Ralf




Re: [Openca-Users] Problems generating digital signatures using IE and Mozilla

2006-07-24 Thread Ralf Hornik Mailings
Hello,

does anybody read the list who developes or works with openca?

 Ralf Hornik Mailings wrote:

 when I want to approve a CSR with digital signing using Internet Explorer
 6 it works well but when I do the same with an CRR (same signing
 certificate)I get the following:

 Error 6206
 General Error Cannot build PKCS#7-object from extracted signature!
 OpenCA::PKCS7 returns errorcode 7911031 (OpenCA::PKCS7->new: Cannot
 initialize signature (7912021). OpenCA::PKCS7->initSignature: Cannot parse
 signature (7921021). OpenCA::PKCS7->getParsed: The crypto-backend cannot
 verify the signature (7742075). OpenCA::OpenSSL->verify: openca-sv failed.
 [Error]: error:04077068:rsa routines:RSA_verify:bad signature
 [Info]: Input file intialized.
 [Info]: Signaturefile initialized.
 [Info]: Reading Certificate file.
 [Info]: PKCS#7 object loaded.
 [Info]: Data is ready for verification.
 [Info]: Signature Informations (PKCS#7):
 depth:1 serial:BAAB7AAE9EDF433E
 subject:[EMAIL PROTECTED],CN=Test Root CA,OU=PKI,O=Some
 Company,C=DE
 depth:0 serial:02
 subject:serialNumber=2,[EMAIL PROTECTED],CN=Registration
 Authority Administrator,OU=Trustcenter,O=Some Company,C=DE
 [Info]: Signature is corrupt. Errorcode -1.
 signature:error:-1
 ).

I believe that is a known problem because I found the following:

http://www.mail-archive.com/openca-devel@lists.sourceforge.net/msg02824.htm

 When I approve a user-validated CRR (using CRIN) OpenCA tells me that it
 has been signed correctly, but later I see a broken signature and no
 PKCS#7 object has been created when I view the CRR.

 On Mozilla it doesn't create any digital signature at all, neither when
 approving any C[SR]R nor when logging in using X.509 or anything else.

 I tested it with Mozilla Firefox version 1.0.6 to 1.5 (secClab
 installed) and IE version 6.

 Can anybody help me? Is this a client side Issue?

Is this (or might it be) a client-side issue, e.g. in Mozilla or IE?

Any tips/experiences/solutions/workarounds/patches/info needed/...?

Thanks, Ralf

Perl version 5.8.6
OpenSSL version 0.9.7a

OpenCA
-
OpenSSL 0.9.135.2.11
Tools   0.4.3
DB  0.9.115.2.8
Configuration   1.5.3
TRIStateCGI 1.5.5
REQ 0.9.61.2.1
X5090.9.57
CRL 0.9.24.2.1
PKCS7   0.9.19.2.5






[Openca-Users] Problems generating digital signatures using IE and Mozilla

2006-07-20 Thread Ralf Hornik Mailings
Hi,

when I want to approve a CSR with digital signing using Internet Explorer
6 it works well but when I do the same with an CRR (same signing
certificate)I get the following:

Error 6206
General Error Cannot build PKCS#7-object from extracted signature!
OpenCA::PKCS7 returns errorcode 7911031 (OpenCA::PKCS7->new: Cannot
initialize signature (7912021). OpenCA::PKCS7->initSignature: Cannot parse
signature (7921021). OpenCA::PKCS7->getParsed: The crypto-backend cannot
verify the signature (7742075). OpenCA::OpenSSL->verify: openca-sv failed.
[Error]: error:04077068:rsa routines:RSA_verify:bad signature
[Info]: Input file intialized.
[Info]: Signaturefile initialized.
[Info]: Reading Certificate file.
[Info]: PKCS#7 object loaded.
[Info]: Data is ready for verification.
[Info]: Signature Informations (PKCS#7):
depth:1 serial:BAAB7AAE9EDF433E
subject:[EMAIL PROTECTED],CN=Test Root CA,OU=PKI,O=Some
Company,C=DE
depth:0 serial:02
subject:serialNumber=2,[EMAIL PROTECTED],CN=Registration
Authority Administrator,OU=Trustcenter,O=Some Company,C=DE
[Info]: Signature is corrupt. Errorcode -1.
signature:error:-1
).

When I approve a user-validated CRR (using CRIN) OpenCA tells me that it
has been signed correctly, but later I see a broken signature and no
PKCS#7 object has been created when I view the CRR.

On Mozilla it doesn't create any digital signature at all, neither when
approving any C[SR]R nor when logging in using X.509 or anything else.

I tested it with Mozilla Firefox version 1.0.6 to 1.5 (secClab
installed) and IE version 6.

Can anybody help me? Is this a client side Issue?

Thank you and best regards

Ralf




Re: [Openca-Users] Error with SCEP module

2006-07-17 Thread Ralf Hornik Mailings
Hi,

 Nicolas MASSE wrote:

 I always have the same error :
 Error 723705 General Error Cannot extract the transaction ID from the
 SCEP message!

Please copy the PKCS#7 message generated by your SCEP client to the RA
machine by hand and try to print the transaction ID using:

/usr/local/openca/bin/openca-scep -in message.p7 -noout -print_transid

A good tool for debugging is sscep from www.klake.org/~jt/sscep/. It is
very verbose and you can view the PKCS#7 output in debugging mode.

Copy that output into a file and execute the openca-scep command above.
Does this work?

/Ralf





Re: [Openca-Users] Error with SCEP module

2006-07-17 Thread Ralf Hornik Mailings
Hi,

 Nicolas MASSE schrieb:

 I do not have this command (OpenCA v0.9.2.5), although I ran make
 install-scep.

You need openca-scep, otherwise SCEP will not work when you try to enroll
a cert.

You can post-install it by going to $OPENCA_SRC_DIR/src/scep and running
configure (with the same options you configured OpenCA with), make and
make install. I read about this issue a few posts back.

Regards

Ralf





[Openca-Users] SOLVED: SCEP fails on enrolling a certificate

2006-07-14 Thread Ralf Hornik Mailings
Dear list,

finally I fixed this problem. After a deep dive into the OpenCA code I
found the following in openca/lib/cmds/scepPKIOperation:

---8<---
...
sub cmdscepPKIOperation
...
foreach (qw(ScepAllowEnrollment ScepAllowRenewal ScepDefaultRole
            ScepDefaultRA ScepRenewalRDNMatch
            ScepKeepSubjectAltName ScepAutoApprove)) {
    my $val = getRequired($_);
    eval "\$$_ = \$val";
}
...
---8---

I gather that EACH of these values is required, and my scep.conf.template
shows:

---8---
## == [ General Section ] =

ScepAllowEnrollment YES
ScepAllowRenewalYES
ScepKeepSubjectAltName  YES

ScepRenewalRDNMatch 

# Defaults for initial enrollment
ScepDefaultRole User
#ScepDefaultRA   MyRA

ScepAutoApprove NO
---8---

'ScepDefaultRA' was commented out, so the compilation of
cmdScepPKIOperation failed. After uncommenting this value the compilation
was successful.

Wouldn't it be better to have a little more error handling here, like:

foreach my $value (qw(ScepAllowEnrollment ScepAllowRenewal ScepDefaultRole
                      ScepDefaultRA ScepRenewalRDNMatch
                      ScepKeepSubjectAltName ScepAutoApprove)) {
    my $val = getRequired($value);
    # report the keyword name when the template does not define it at all
    die "$value missing in config file" if not defined $val;

This would save much time and nerves. ;-)

However, after fixing this and reading the other SCEP-related mails, SCEP
works now. And I did not have to make the scep directive separately. I
think on OpenCA 0.9.2.5 this issue has been removed.

Thanks

Ralf

 Ralf Hornik Mailings schrieb:
 Hi Martin,

 Both debugging flags are enabled; there is no other output.
 However, the openca-scep commands work when I run them manually from the
 shell.

 I think, the problem is on the webinterface.

 Regards

 Ralf

 Martin Bartosch schrieb:
 Hi,

 The exact error output with debugging enabled is:

 there are no SCEP debug messages in the log file. Did you set both
 Debug flags to 1 in log.xml? Such as:

 <openca>
   <debug>1</debug>
   <stderr>/usr/local/openca-0.9.2/var/log/stderr.log</stderr>
   <log>
     <debug>1</debug>
     <slots>
 ...

 After setting this you should restart OpenCA.

 You should get debug messages like the sample below. Please post this
 output.

 cheers

 Martin


 OpenCA::AC->access granted
 OpenCA::AC->initToken: starting
 OpenCA::AC->initToken: successfully finished
 cmds->cmdScepPKIOperation: execute5: /usr/local/bin/openca-scep -in /usr/local/openca-0.9.2/var/tmp/scep_pkiOp_12872.p7 -noout -print_transid
 cmds->cmdScepPKIOperation: Pipe returned error code 0
 cmds->cmdScepPKIOperation: tid:
 cmds->cmdScepPKIOperation: execute_bt: /usr/local/bin/openca-scep -in /usr/local/openca-0.9.2/var/tmp/scep_pkiOp_12872.p7 -keyfile /etc/certs/local/scep-key.pem -passin env:pwd -noout -print_scert > /usr/local/openca-0.9.2/var/tmp/scep_client_12872.crt
 cmds->cmdScepPKIOperation: Backtick expansion returned error code 0
 cmds->cmdScepPKIOperation: execute1: /usr/local/bin/openca-scep -in /usr/local/openca-0.9.2/var/tmp/scep_pkiOp_12872.p7 -noout -print_msgtype
 cmds->cmdScepPKIOperation: Pipe returned error code 0
 cmds->cmdScepPKIOperation: msgtype: PKCSReq (19)

 cmds->cmdScepPKIOperation: execute6: /usr/local/bin/openca-scep -in /usr/local/openca-0.9.2/var/tmp/scep_pkiOp_12872.p7 -keyfile /etc/certs/local/scep-key.pem -passin env:pwd -noout -print_req
 cmds->cmdScepPKIOperation: Pipe returned error code 0
 cmds->cmdScepPKIOperation: csr: -----BEGIN CERTIFICATE REQUEST-----
 ...








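The failure described in this message is a required keyword that is commented out, while a keyword that is present but empty (ScepRenewalRDNMatch) is perfectly fine. As an added example, not OpenCA code and not a transcription of getRequired(), here is a Python loader for the "Keyword value" format of scep.conf.template that keeps "present but empty" apart from "absent" and reports every missing required keyword in one error instead of dying on the first. The required-keyword list is the one from cmdScepPKIOperation quoted above and the sample is the posted general section, embedded as a string; class and function names are mine.

```python
# Added example (not OpenCA code): load an OpenCA-style "Keyword value"
# template such as scep.conf and check every required keyword up front.

REQUIRED_SCEP_KEYWORDS = (  # the list cmdScepPKIOperation iterates over
    "ScepAllowEnrollment", "ScepAllowRenewal", "ScepDefaultRole",
    "ScepDefaultRA", "ScepRenewalRDNMatch",
    "ScepKeepSubjectAltName", "ScepAutoApprove",
)


class ConfigError(Exception):
    """Raised for syntax problems or missing required keywords."""


def parse_conf(text):
    """Parse 'Keyword value' lines.

    Lines whose first non-blank character is '#' are comments, blank lines are
    skipped, and a keyword on a line of its own maps to the empty string: that
    is how ScepRenewalRDNMatch appears in the posted template and it counts as
    present, unlike the commented-out ScepDefaultRA."""
    config = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0]
        value = parts[1].strip() if len(parts) > 1 else ""
        if key in config:
            raise ConfigError(f"line {lineno}: keyword {key} defined twice")
        config[key] = value
    return config


def missing_keywords(config, required=REQUIRED_SCEP_KEYWORDS):
    """Every required keyword that is absent, in the order the command needs them."""
    return [key for key in required if key not in config]


def yes_no(config, key):
    """Interpret a YES/NO keyword strictly; anything else is a configuration error."""
    value = config[key].upper()
    if value not in ("YES", "NO"):
        raise ConfigError(f"{key} must be YES or NO, got {config[key]!r}")
    return value == "YES"


def load_scep_config(text):
    """Parse and validate; one error lists all missing keywords, not just the first."""
    config = parse_conf(text)
    missing = missing_keywords(config)
    if missing:
        raise ConfigError("Missing Configuration Keyword(s): " + ", ".join(missing))
    for key in ("ScepAllowEnrollment", "ScepAllowRenewal",
                "ScepKeepSubjectAltName", "ScepAutoApprove"):
        yes_no(config, key)
    return config


def validation_error(text):
    """The ConfigError message for text, or None when the template is complete."""
    try:
        load_scep_config(text)
    except ConfigError as err:
        return str(err)
    return None


# The general section posted above, embedded as a constructed sample.
SAMPLE_SCEP_CONF = """\
## == [ General Section ] =

ScepAllowEnrollment     YES
ScepAllowRenewal        YES
ScepKeepSubjectAltName  YES

ScepRenewalRDNMatch

# Defaults for initial enrollment
ScepDefaultRole         User
#ScepDefaultRA          MyRA

ScepAutoApprove         NO
"""

if __name__ == "__main__":
    print(validation_error(SAMPLE_SCEP_CONF))  # Missing Configuration Keyword(s): ScepDefaultRA
    print(validation_error(SAMPLE_SCEP_CONF.replace("#ScepDefaultRA", "ScepDefaultRA")))  # None
```

Checking the whole list before doing any work is the point: a SCEP client only ever sees an HTTP response, so the administrator should get one message naming every keyword to fix rather than one round trip per keyword.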

Re: [Openca-Users] openca-configure not writing files

2006-07-14 Thread Ralf Hornik Mailings
Hi,

which Perl version have you installed? I remember some strange problems
with version 5.8.5. I use 5.8.6.

Is your config.xml syntactically correct? Please parse it using this small
script:

#!/usr/bin/perl
use strict;
use warnings;
use XML::Parser;

# Usage: perl checkxml.pl /path/to/config.xml
# The Debug style dumps every element as it is parsed and dies with the
# line and column of the first well-formedness error it hits.
my $file = shift @ARGV or die "usage: $0 config.xml\n";

my $p1 = XML::Parser->new(Style => 'Debug');
$p1->parsefile($file);
print "$file is well-formed\n";

-

Give the filename of the XML file (config.xml) as argument and look for
syntax errors.

Regards

Ralf

 Marc Erdmann schrieb:
 Hi,

 I'm using OpenCA-0.9.2.5 on an up-to-date gentoo machine. openca-configure
 (called via configure_etc.sh or directly) does not write any files.

 strace /usr/local/bin/openca-configure /usr/local/OpenCA/etc/config.xml
 /var/www/xyz/htdocs/batch/index.html.template
 /var/www/xyz/htdocs/batch/index.html

 ...
 open(/var/www/xyz/htdocs/batch/index.html.template,
 O_RDONLY|O_LARGEFILE)
 = 3
 ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfe6eb28) = -1 ENOTTY
 (Inappropriate ioctl for device)
 _llseek(3, 0, [0], SEEK_CUR)= 0
 ioctl(3, SNDCTL_TMR_TIMEBASE or TCGETS, 0xbfe6eb18) = -1 ENOTTY
 (Inappropriate ioctl for device)
 fstat64(3, {st_mode=S_IFREG|0666, st_size=549, ...}) = 0
 fcntl64(3, F_SETFD, FD_CLOEXEC) = 0
 ...

 Can anyone help?

 marc







[Openca-Users] Patch for SCEP error handling (was: SOLVED: SCEP fails on enrolling a certificate)

2006-07-14 Thread Ralf Hornik Mailings
Hi again. :-)

I wrote a small patch for lib/cmds/scepPKIOperation and
lib/functions/misc-utils.lib and added the necessary error handling:

~# cd $OPENCADIR/openca/lib/cmds/ && patch scepPKIOperation < scepPKIOperation.patch

scepPKIOperation.patch:

--- scepPKIOperation.orig  2006-07-14 20:07:56.0 +0200
+++ scepPKIOperation2006-07-14 20:06:58.0 +0200
@@ -115,11 +115,11 @@
  $ChainDir  = getRequired (ChainDir);


-foreach (qw(ScepAllowEnrollment ScepAllowRenewal ScepDefaultRole
+foreach my $value (qw(ScepAllowEnrollment ScepAllowRenewal 
ScepDefaultRole
ScepDefaultRA ScepRenewalRDNMatch
ScepKeepSubjectAltName ScepAutoApprove)) {
-my $val = getRequired($_);
-eval \$$_ = \$val;
+my $val = getRequired($value);
+eval \$$value = \$val;
  }

  $p7_file  = getRequired ( 'tempdir' ) . /scep_pkiOp_$$.p7;
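Review bot: the only change in this hunk is the loop variable, from the aliased global `$_` to a lexical `my $value`; it adds no check of its own, so the "Missing Configuration Keyword : ScepDefaultRA" page shown below must come from the configError() call that getRequired() already makes (visible as context in the misc-utils.lib hunk). The rename is still worth having: if getRequired() touches `$_` internally, the following `eval "\$$_ = \$val"` would assign to whatever `$_` holds on return rather than to the keyword, and a lexical cannot be clobbered that way. Two follow-ups: describe the change as that rather than as "added error handling", and replace the string eval (`eval "\$$value = \$val"`) with a plain hash, e.g. `$scep{$value} = $val`, so that configuration values are never interpolated into code.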

now the scep client gets:

  HTTP/1.1 200 OK\r
  Date: Fri, 14 Jul 2006 15:26:04 GMT\r
  Server: Apache\r
  Set-Cookie: CGISESSID=5491a77b57ebf2c19f9c0c88b042e4fe; path=/\r
  Connection: close\r
  Content-Type: text/html\r
  \r
  <?xml version="1.0" encoding="utf-8"?>
  <!DOCTYPE html
  PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  <html xmlns="http://www.w3.org/1999/xhtml" lang="C" xml:lang="C"><head><title>Configuration Error</title>
  </head><body bgcolor="#FF"><CENTER><BR><HR WIDTH="80%"><BR></CENTER><OL><OL><H1><FONT COLOR="red">Error
  690</FONT></H1><OL> <B>Configuration Error</B>. Missing Configuration
  Keyword : ScepDefaultRA.</OL></OL></OL>

  </PRE><CENTER><HR WIDTH="80%"></CENTER>
  <FONT SIZE="+0">
  </BODY>
  </HTML>

And for printing it into stderr.log as well (because the client perhaps isn't
interested in it):

~# cd $OPENCADIR/openca/lib/functions && patch misc-utils.lib < misc-utils.lib.patch

misc-utils.lib.patch:

--- misc-utils.lib.orig 2006-07-14 20:14:15.0 +0200
+++ misc-utils.lib  2006-07-14 20:15:06.0 +0200
@@ -118,6 +118,7 @@

 ## If there is an Error, just send the missing
 ## parameter error to the browser
+print STDERR ERROR: Missing Configuration Keyword : 
$name\n;
 configError( i18nGettext (Missing Configuration Keyword : 
__KEY__, __KEY__, $name) );
  }
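Review bot: the added print in this hunk writes to STDERR unconditionally, independent of the <debug> flags in log.xml discussed later in the thread, and it records only the keyword name: nothing ties the line in stderr.log to the request or the command (here cmdScepPKIOperation) that needed the keyword. Add the calling command and a timestamp to the message, or emit it through the same path the existing "cmds->cmdScepPKIOperation: ..." debug lines use, so the entry can be found next to the request it belongs to; the configError() call that follows is unchanged context and remains what answers the browser with Error 690.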

if there is a configuration error. Please test it. It works for me.

HTH and a nice Weekend

Ralf

Ralf Hornik Mailings schrieb:

 Dear list,
 
 finally I fixed this problem. After a deep dive into the OpenCA code I
 found the following in openca/lib/cmds/scepPKIOperation:
 
 ---8---
 ...
 sub cmdscepPKIOperation
 ...
 foreach (qw(ScepAllowEnrollment ScepAllowRenewal ScepDefaultRole
             ScepDefaultRA ScepRenewalRDNMatch
             ScepKeepSubjectAltName ScepAutoApprove)) {
     my $val = getRequired($_);
     eval "\$$_ = \$val";
 }
 ...
 ---8---
 
 I gather that EACH of these values is required, and my scep.conf.template
 shows:
 
 ---8---
 ## == [ General Section ] =
 
 ScepAllowEnrollment YES
 ScepAllowRenewalYES
 ScepKeepSubjectAltName  YES
 
 ScepRenewalRDNMatch 
 
 # Defaults for initial enrollment
 ScepDefaultRole User
 #ScepDefaultRA   MyRA
 
 ScepAutoApprove NO
 ---8---
 
 'ScepDefaultRA' was commented out, so the compilation of
 cmdScepPKIOperation failed. After uncommenting this value the compilation
 was successful.
 
 Wouldn't it be better to have a little more error handling here, like:
 
 foreach my $value (qw(ScepAllowEnrollment ScepAllowRenewal ScepDefaultRole
                       ScepDefaultRA ScepRenewalRDNMatch
                       ScepKeepSubjectAltName ScepAutoApprove)) {
     my $val = getRequired($value);
     die "$value missing in config file" if not defined $val;
 
 This would save much time and nerves. ;-)
 
 However, after fixing this and reading the other SCEP-related mails, SCEP
 works now. And I did not have to make the scep directive separately. I
 think on OpenCA 0.9.2.5 this issue has been removed.
 
 Thanks
 
 Ralf
 
 
Ralf Hornik Mailings schrieb:
Hi Martin,

Both debugging flags are enabled; there is no other output.
However, the openca-scep commands work when I run them manually from the
shell.

I think, the problem is on the webinterface.

Regards

Ralf


Martin Bartosch schrieb:
Hi,


The exact error output with debugging enabled is:

there are no SCEP debug messages in the log file. Did you set both
Debug flags to 1 in log.xml? Such as:

<openca>
  <debug>1</debug>
  <stderr>/usr/local/openca-0.9.2/var/log/stderr.log</stderr>
  <log>
    <debug>1</debug>
    <slots>
...

After setting this you should restart OpenCA.

You should get debug messages like the sample below. Please post this
output.

cheers

Martin


OpenCA::AC->access granted
OpenCA::AC->initToken: starting
OpenCA::AC->initToken: successfully finished
cmds->cmdScepPKIOperation

Re: [Openca-Users] SCEP fails on enrolling a certificate

2006-06-22 Thread Ralf Hornik Mailings
Hi,

yes, I did what Pete recommended, and openca-scep is present as before.

The exact error output with debugging enabled is:

initServer: BrowserSupportedLanguage(s) []
initServer: BrowserSupportedCharset(s)  []
initServer: setLanguage: setEncoding for log return utf-8
initServer: setLanguage: C :: utf-8
DEBUG: OpenCA::DBI-connect: connecting to database
DEBUG: OpenCA::DBI-connect: try to connect
DEBUG: OpenCA::DBI-connect: Checking AutoCommit to be off ...
DEBUG: OpenCA::DBI-connect: AutoCommit is off
OpenCA::AC-Checking the channel ...
OpenCA::AC-loading channel data ...
OpenCA::AC-channel type ... mod_ssl
OpenCA::AC-check channel data ...
OpenCA::AC-channel type ... ok
OpenCA::AC-security protocol ... ok
OpenCA::AC-source ... ok
OpenCA::AC-asymmetric cipher ... ok
OpenCA::AC-asymmetric keylength ... ok
OpenCA::AC-symmetric cipher ... ok
OpenCA::AC-symmetric keylength ... ok
OpenCA::AC-Channel is ok
OpenCA::AC-Starting authentication ...
OpenCA::AC-channel type ... mod_ssl
OpenCA::AC-Try to get a session ...
OpenCA::AC-Try to login .
OpenCA::AC-type ... none
OpenCA::AC-identification disabled
OpenCA::AC-checkACL ...
OpenCA::AC-RBAC loaded
OpenCA::AC-role loaded
OpenCA::AC-operation loaded
OpenCA::AC-owner loaded
OpenCA::AC-getAccess: real module: 33
OpenCA::AC-getAccess: real role:
OpenCA::AC-getAccess: real operation: scep operation
OpenCA::AC-getAccess: real owner:
OpenCA::AC-getAccess: module: .*
OpenCA::AC-getAccess: role: .*
OpenCA::AC-getAccess: operation: CRR list
OpenCA::AC-getAccess: owner: .*
OpenCA::AC-getAccess: module: .*
OpenCA::AC-getAccess: role: .*
OpenCA::AC-getAccess: operation: CSR list
OpenCA::AC-getAccess: owner: .*
OpenCA::AC-getAccess: module: 3
OpenCA::AC-getAccess: role: .*
OpenCA::AC-getAccess: operation: Cleanup Sessions
OpenCA::AC-getAccess: owner: .*
OpenCA::AC-getAccess: module: 0
OpenCA::AC-getAccess: role: .*
OpenCA::AC-getAccess: operation: access control configure
OpenCA::AC-getAccess: owner: .*
OpenCA::AC-getAccess: module: 0
OpenCA::AC-getAccess: role: .*
OpenCA::AC-getAccess: operation: access control show configuration
OpenCA::AC-getAccess: owner: .*
OpenCA::AC-getAccess: module: 0
OpenCA::AC-getAccess: role: .*
OpenCA::AC-getAccess: operation: access control sign configuration
OpenCA::AC-getAccess: owner: .*
OpenCA::AC-getAccess: module: 3
OpenCA::AC-getAccess: role: .*
OpenCA::AC-getAccess: operation: all ldap update
OpenCA::AC-getAccess: owner: .*
OpenCA::AC-getAccess: module: 32
OpenCA::AC-getAccess: role: .*
OpenCA::AC->getAccess: operation: all list
OpenCA::AC->getAccess: owner: .*
OpenCA::AC->getAccess: module: .*
OpenCA::AC->getAccess: role: .*
OpenCA::AC->getAccess: operation: all search
OpenCA::AC->getAccess: owner: .*
OpenCA::AC->getAccess: module: 3
OpenCA::AC->getAccess: role: .*
OpenCA::AC->getAccess: operation: backup
OpenCA::AC->getAccess: owner: .*
OpenCA::AC->getAccess: module: 128
OpenCA::AC->getAccess: role: .*
OpenCA::AC->getAccess: operation: batchprocessor delete pin
OpenCA::AC->getAccess: owner: .*
OpenCA::AC->getAccess: module: 128
OpenCA::AC->getAccess: role: .*
OpenCA::AC->getAccess: operation: batchprocessor export pins
OpenCA::AC->getAccess: owner: .*
OpenCA::AC->getAccess: module: 128
OpenCA::AC->getAccess: role: .*
OpenCA::AC->getAccess: operation: batchprocessor import new data in compact form
OpenCA::AC->getAccess: owner: .*
OpenCA::AC->getAccess: module: 128
OpenCA::AC->getAccess: role: .*
OpenCA::AC->getAccess: operation: batchprocessor import new processes
OpenCA::AC->getAccess: owner: .*
OpenCA::AC->getAccess: module: 128
OpenCA::AC->getAccess: role: .*
OpenCA::AC->getAccess: operation: batchprocessor import new users
OpenCA::AC->getAccess: owner: .*
OpenCA::AC->getAccess: module: 128
OpenCA::AC->getAccess: role: .*
OpenCA::AC->getAccess: operation: batchprocessor import process data
OpenCA::AC->getAccess: owner: .*
OpenCA::AC->getAccess: module: 128
OpenCA::AC->getAccess: role: .*
OpenCA::AC->getAccess: operation: batchprocessor import update of user data
OpenCA::AC->getAccess: owner: .*
OpenCA::AC->getAccess: module: (0|128)
OpenCA::AC->getAccess: role: .*
OpenCA::AC->getAccess: operation: batchprocessor issue certificate
OpenCA::AC->getAccess: owner: .*
OpenCA::AC->getAccess: module: 128
OpenCA::AC->getAccess: role: .*
OpenCA::AC->getAccess: operation: batchprocessor list users
OpenCA::AC->getAccess: owner: .*
OpenCA::AC->getAccess: module: 128
OpenCA::AC->getAccess: role: .*
OpenCA::AC->getAccess: operation: batchprocessor recover key
OpenCA::AC->getAccess: owner: .*
OpenCA::AC->getAccess: module: (0|128)
OpenCA::AC->getAccess: role: .*
OpenCA::AC->getAccess: operation: batchprocessor revoke certificate
OpenCA::AC->getAccess: owner: .*
OpenCA::AC->getAccess: module: 128
OpenCA::AC->getAccess: role: .*
OpenCA::AC->getAccess: operation: batchprocessor state configuration
OpenCA::AC->getAccess: owner: .*
OpenCA::AC->getAccess: module: 128
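
The dump above prints one rule per four lines: an operation name followed by regular expressions for owner, module and role. As an added example (not OpenCA code, and not a description of how OpenCA itself applies these patterns), the following Python parses a constructed excerpt in that format and evaluates a request against it. The one design choice worth noting is that it anchors every pattern with re.fullmatch: a module pattern of 3 then admits module 3 only, not module 33 (the ModuleID the scep.conf posted further down in this archive uses) or 128. The second evaluator uses an unanchored re.search so the over-grant is visible side by side.

```python
import re

# Constructed excerpt in the format of the OpenCA::AC->getAccess debug dump
# above: four lines per rule (operation, owner, module, role). Sample data,
# not the project's own access_control configuration.
DUMP = """\
OpenCA::AC->getAccess: operation: all list
OpenCA::AC->getAccess: owner: .*
OpenCA::AC->getAccess: module: .*
OpenCA::AC->getAccess: role: .*
OpenCA::AC->getAccess: operation: all search
OpenCA::AC->getAccess: owner: .*
OpenCA::AC->getAccess: module: 3
OpenCA::AC->getAccess: role: .*
OpenCA::AC->getAccess: operation: backup
OpenCA::AC->getAccess: owner: .*
OpenCA::AC->getAccess: module: 128
OpenCA::AC->getAccess: role: .*
OpenCA::AC->getAccess: operation: batchprocessor recover key
OpenCA::AC->getAccess: owner: .*
OpenCA::AC->getAccess: module: (0|128)
OpenCA::AC->getAccess: role: .*
"""

LINE_RE = re.compile(r"^OpenCA::AC->getAccess: (operation|owner|module|role): (.*)$")
PATTERN_FIELDS = ("owner", "module", "role")


def parse_dump(text):
    """Group the dump into rule dicts; every rule must carry all four fields."""
    rules, current = [], {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "operation" and current:   # a new operation line starts the next rule
            rules.append(current)
            current = {}
        current[key] = value
    if current:
        rules.append(current)
    for rule in rules:
        missing = [f for f in ("operation",) + PATTERN_FIELDS if f not in rule]
        if missing:
            raise ValueError(f"rule {rule.get('operation')!r} lacks {missing}")
    return rules


def _request(operation, owner, module, role):
    return {"operation": operation, "owner": owner, "module": str(module), "role": role}


def get_access(rules, operation, owner, module, role):
    """Grant if some rule for this operation matches owner, module and role.

    re.fullmatch anchors each pattern, so a module pattern of "3" grants
    module 3 only (a choice of this example, not a statement about OpenCA)."""
    req = _request(operation, owner, module, role)
    for rule in rules:
        if rule["operation"] != operation:    # operation names compared literally
            continue
        if all(re.fullmatch(rule[f], req[f]) for f in PATTERN_FIELDS):
            return True
    return False


def get_access_unanchored(rules, operation, owner, module, role):
    """Same decision with re.search, to show the over-grant an unanchored
    pattern produces: module "3" also matches module 33 or 128."""
    req = _request(operation, owner, module, role)
    for rule in rules:
        if rule["operation"] != operation:
            continue
        if all(re.search(rule[f], req[f]) for f in PATTERN_FIELDS):
            return True
    return False
```

When reviewing an access_control dump like the one above, the patterns to look at twice are the ones that are not .*: a bare number or an alternation such as (0|128) is only as tight as the matcher that consumes it.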

Re: [Openca-Users] SCEP fails on enrolling a certificate

2006-06-22 Thread Ralf Hornik Mailings
Hi Martin,

Both debugging flags are enabled, there is no other output.
However, the openca-scep commands work, when I make it manually using the
shell.

I think, the problem is on the webinterface.

Regards

Ralf

 Martin Bartosch schrieb:
 Hi,

 The exact error output with debugging enabled is:

 there are no SCEP debug messages in the log file. Did you set both
 Debug flags to 1 in log.xml? Such as:

 <openca>
  <debug>1</debug>
  <stderr>/usr/local/openca-0.9.2/var/log/stderr.log</stderr>
  <log>
   <debug>1</debug>
   <slots>
 ...

 After setting this you should restart OpenCA.

 You should get debug messages like the sample below. Please post this
 output.

 cheers

 Martin


 OpenCA::AC->access granted
 OpenCA::AC->initToken: starting
 OpenCA::AC->initToken: successfully finished
 cmds->cmdScepPKIOperation: execute5: /usr/local/bin/openca-scep -in /usr/local/openca-0.9.2/var/tmp/scep_pkiOp_12872.p7 -noout -print_transid
 cmds->cmdScepPKIOperation: Pipe returned error code 0
 cmds->cmdScepPKIOperation: tid:
 cmds->cmdScepPKIOperation: execute_bt: /usr/local/bin/openca-scep -in /usr/local/openca-0.9.2/var/tmp/scep_pkiOp_12872.p7 -keyfile /etc/certs/local/scep-key.pem -passin env:pwd -noout -print_scert > /usr/local/openca-0.9.2/var/tmp/scep_client_12872.crt
 cmds->cmdScepPKIOperation: Backtick expansion returned error code 0
 cmds->cmdScepPKIOperation: execute1: /usr/local/bin/openca-scep -in /usr/local/openca-0.9.2/var/tmp/scep_pkiOp_12872.p7 -noout -print_msgtype
 cmds->cmdScepPKIOperation: Pipe returned error code 0
 cmds->cmdScepPKIOperation: msgtype: PKCSReq (19)

 cmds->cmdScepPKIOperation: execute6: /usr/local/bin/openca-scep -in /usr/local/openca-0.9.2/var/tmp/scep_pkiOp_12872.p7 -keyfile /etc/certs/local/scep-key.pem -passin env:pwd -noout -print_req
 cmds->cmdScepPKIOperation: Pipe returned error code 0
 cmds->cmdScepPKIOperation: csr: -----BEGIN CERTIFICATE REQUEST-----
 ...


 All the advantages of Linux Managed Hosting--Without the Cost and Risk!
 Fully trained technicians. The highest number of Red Hat certifications in
 the hosting industry. Fanatical Support. Click to learn more
 http://sel.as-us.falkag.net/sel?cmd=lnkkid=107521bid=248729dat=121642
 ___
 Openca-Users mailing list
 Openca-Users@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/openca-users



-- 





Re: [Openca-Users] SCEP fails on enrolling a certificate

2006-06-21 Thread Ralf Hornik Mailings
Hi *,

I still get the error (as mentioned weeks before)
here is my scep.conf:

# Secure Server Configuration File
## (c) 1999 by Massimiliano Pala and the OpenCA Group
##
## Please Refer to the Documentation for a full detailed
## description of params. Read the README file in this dir
## for more infos on programs accessing this file.

## == [ General Section ] =

ScepAllowEnrollment YES
ScepAllowRenewal YES
ScepKeepSubjectAltName  YES

ScepRenewalRDNMatch 

# Defaults for initial enrollment
ScepDefaultRole User
#ScepDefaultRA   MyRA

ScepAutoApprove NO

DEFAULT_LANGUAGE en_GB
DEFAULT_CHARSET  iso-8859-1

DBmodule DBI

CgiLibPath /export/openca-pub/openca/lib/functions
CgiServerType scep
CgiServerName scep

HtdocsUrlPrefix

SessionDir  /export/openca-pub/openca/var/session/cookie
SessionLifetime 1200

ModuleID 33
ModuleShift 8
AccessControlConfiguration /export/openca-pub/openca/etc/access_control/scep.xml
SoftwareConfiguration  /export/openca-pub/openca/etc/config.xml
RoleConfiguration  /export/openca-pub/openca/etc/rbac/roles.xml
ModuleConfiguration /export/openca-pub/openca/etc/rbac/modules.xml
TokenConfiguration /export/openca-pub/openca/etc/token.xml
LogConfiguration   /export/openca-pub/openca/etc/log.xml

CertsDir /export/openca-pub/openca/var/crypto/certs
CACertificate /export/openca-pub/openca/var/crypto/cacerts/cacert.pem
ChainDir /export/openca-pub/openca/var/crypto/chain
CRLDir /export/openca-pub/openca/var/crypto/crls

## Paths
openssl /usr/bin/openssl
sslconfig /export/openca-pub/openca/etc/openssl/openssl.cnf
scepPath /export/openca-pub/bin/openca-scep
tempdir /export/openca-pub/openca/var/tmp

crlfile /export/openca-pub/openca/var/crypto/crls/cacrl.crl

##  [ LOA Support ] =
## USE_LOAS takes either YES or NO
USE_LOAS yes

##  [ SCEP Section ] ==

## It is just an example, you should change the 03.pem and/or
## the path pointing to the right key/cert pair
ScepRACert /export/openca-pub/openca/etc/scep/certs/scep_ra.pem
ScepRAKey /export/openca-pub/openca/etc/scep/private/scep_ra.pem
ScepRAPasswd

## == [ End SCEP Section ] 

Best regards

/Ralf

 Ralf Hornik Mailings schrieb:
 Dear list,

 I try to work with sscep (OpenBSD) and can successfully download the
 ca-certificate using scep.

 But when I try to enroll a certificate (sscep enroll -f /etc/sscep.conf -c
 ca.crt -r local.csr) it fails and stderr.log shows:

 OpenCA: General error trapped 700: The compilation of the command
 cmdScepPKIOperation failed. Modification of a read-only value attempted at
 /export/openca-pub/modules/perl5/OpenCA/Logger/Syslog/Sys.pm line 91.
 Compilation failed in require at
 /export/openca-pub/openca/etc/openca_start line 62.

 The same gets the sscep client, when I trace the process.

 My scep.conf file is unchanged except the path to the key and certificate
 for the scep interface. access_control/scep.xml is only map_role set to
 no. The scep interface is located on the RA side. OpenCA version is
 0.9.2.5.

 Has anybody an idea?

 Thanks and best Regards

 Ralf






-- 






[Openca-Users] SCEP fails on enrolling a certificate

2006-06-08 Thread Ralf Hornik Mailings
Dear list,

I try to work with sscep (OpenBSD) and can successfully download the
ca-certificate using scep.

But when I try to enroll a certificate (sscep enroll -f /etc/sscep.conf -c
ca.crt -r local.csr) it fails and stderr.log shows:

OpenCA: General error trapped 700: The compilation of the command
cmdScepPKIOperation failed. Modification of a read-only value attempted at
/export/openca-pub/modules/perl5/OpenCA/Logger/Syslog/Sys.pm line 91.
Compilation failed in require at
/export/openca-pub/openca/etc/openca_start line 62.

The same gets the sscep client, when I trace the process.

My scep.conf file is unchanged except the path to the key and certificate
for the scep interface. access_control/scep.xml is only map_role set to
no. The scep interface is located on the RA side. OpenCA version is
0.9.2.5.

Has anybody an idea?

Thanks and best Regards

Ralf





[Openca-Users] Certificate Policies: Adding a userNotice to loa.xml

2006-05-16 Thread Ralf Hornik Mailings

Hi *,

yesterday I wrote this email, but it seems that it hasn't reached 
the list. So I'll try it again.


Can anybody help me to add a special userNotice to different kind of
policies?

As example, for LOA=Test I would like to do something like:

---
certificatePolicies=ia5org, @policy_test

[ policy_test ]
policyIdentifier=1.2.3.3.4
CPS.1 = http://www.ca.org/cps;
userNotice = @notice_test

[ notice_test ]
explicitText = Only for testing! Allowed tasks are encrypting and signing
of only unclassified data!
organisation = CA Company
noticeNumbers = 1,2
---

However in loa.xml I found the following:

--8<---
 <name>certificatePolicies</name>
<CP>
   <value>ia5org</value>
   <value>1.2.3.3.4</value>
</CP>
<section>
 <name>psec</name>
 <policy_ID_tag>policyIdentifier</policy_ID_tag>
   <CPS>
   <URI>CPS.1 =http://www.native-security.de/cps;</URI>
   </CPS>
--8<---

I'm a little confused how to include the extension(s) via xml tags. I 
tried to point the CP entry to an extfile e.g.:


<name>certificatePolicies</name>
<CP>
   <value>ia5org</value>
   <value>@notice_test</value>
</CP>

and then point to User.ext.template:

[ policy_test ]
policyIdentifier=1.2.3.3.4
CPS.1 = http://www.ca.org/cps;
userNotice = @notice_test

[ notice_test ]
explicitText = Only for testing! Allowed tasks are encrypting and signing
of unclassified data!
organisation = CA Company
noticeNumbers = 1,2

But that doesn't work. However, I could disable LOA and set the Policies 
in the extfiles manually, but I think it is easier with separation using
LOAs.

Has anybody another idea?

Thank you and best regards

Ralf


---
Using Tomcat but need to do more? Need to support web services, security?
Get stuff done quickly with pre-integrated technology to make your job easier
Download IBM WebSphere Application Server v.1.0.1 based on Apache Geronimo
http://sel.as-us.falkag.net/sel?cmd=lnkkid=120709bid=263057dat=121642
___
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users


[Openca-Users] Certificate Policies: Adding a userNotice to loa.xml

2006-05-16 Thread Ralf Hornik Mailings
Hi *,

can anybody help me to add a special userNotice to different kind of
policies?

As example, for LOA=Test I would like to do something like:

---
certificatePolicies=ia5org, @policy_test

[ policy_test ]
policyIdentifier=1.2.3.3.4
CPS.1 = http://www.ca.org/cps;
userNotice = @notice_test

[ notice_test ]
explicitText = Only for testing! Allowed tasks are encrypting and signing
of only unclassified data!
organisation = CA Company
noticeNumbers = 1,2
-

However in loa.xml I found the following:

--
 <name>certificatePolicies</name>
<CP>
   <value>ia5org</value>
   <value>1.2.3.3.4</value>
</CP>
<section>
 <name>psec</name>
 <policy_ID_tag>policyIdentifier</policy_ID_tag>
   <CPS>
   <URI>CPS.1 =http://www.native-security.de/cps;</URI>
   </CPS>
...

I'm a little confused how to include the extension(s) via xml tags. I tried
to point the CP entry to an extfile e.g.:

<name>certificatePolicies</name>
<CP>
   <value>ia5org</value>
   <value>@notice_test</value>
</CP>

and then point to User.ext.template:

[ policy_test ]
policyIdentifier=1.2.3.3.4
CPS.1 = http://www.ca.org/cps;
userNotice = @notice_test

[ notice_test ]
explicitText = Only for testing! Allowed tasks are encrypting and signing
of unclassified data!
organisation = CA Company
noticeNumbers = 1,2

But that doesn't work. However, I could disable LOA and set the Policies in
the extfiles manually, but I think it is easier with separation using
LOAs.
Has anybody another idea?

Thank you and best regards

Ralf



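
The openssl.cnf fragment in the two posts above asks for a certificatePolicies extension carrying a CPS pointer and a userNotice. Whatever path the LOA XML takes to get there, the extension that ends up in the certificate has the fixed ASN.1 shape of RFC 5280 section 4.2.1.4. The following is an added example, not code from this thread or from OpenCA: standard-library Python that DER-encodes that extension from the policy_test and notice_test values in the post and decodes it back, which is the structure to compare against when checking what an issued certificate actually contains. Assumptions of the example: the organization is encoded as IA5String (what the ia5org flag in the post requests) and explicitText as UTF8String (the encoding RFC 5280 recommends); the tag constants and all function names are this example's own.

```python
OID_QT_CPS = "1.3.6.1.5.5.7.2.1"      # id-qt-cps
OID_QT_UNOTICE = "1.3.6.1.5.5.7.2.2"  # id-qt-unotice
TAG_INTEGER, TAG_OID, TAG_UTF8, TAG_SEQ, TAG_IA5, TAG_BMP = 0x02, 0x06, 0x0C, 0x30, 0x16, 0x1E


def _length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                      # base-128, high bit set on all but the last octet
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return tlv(TAG_OID, bytes(out))


def encode_int(n):
    # non-negative INTEGER; the extra zero byte keeps a set high bit from reading as a sign
    return tlv(TAG_INTEGER, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def encode_certificate_policies(policy_oid, cps_uri, organization, notice_numbers, explicit_text):
    """certificatePolicies ::= SEQUENCE OF PolicyInformation (a single policy here).
    organization as IA5String (ia5org), explicitText as UTF8String: assumptions of this example."""
    cps = tlv(TAG_SEQ, encode_oid(OID_QT_CPS) + tlv(TAG_IA5, cps_uri.encode("ascii")))
    notice_ref = tlv(TAG_SEQ, tlv(TAG_IA5, organization.encode("ascii"))
                     + tlv(TAG_SEQ, b"".join(encode_int(n) for n in notice_numbers)))
    user_notice = tlv(TAG_SEQ, notice_ref + tlv(TAG_UTF8, explicit_text.encode("utf-8")))
    unotice = tlv(TAG_SEQ, encode_oid(OID_QT_UNOTICE) + user_notice)
    policy_info = tlv(TAG_SEQ, encode_oid(policy_oid) + tlv(TAG_SEQ, cps + unotice))
    return tlv(TAG_SEQ, policy_info)


def _read_tlv(buf, pos):
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                         # long form: the next n octets hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:end], end


def _children(body):
    """Split a constructed value into its (tag, contents) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_oid(body):
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def _display_text(tag, val):
    # DisplayText CHOICE: BMPString is UTF-16BE; IA5/Visible/UTF8 all decode as UTF-8
    return val.decode("utf-16-be" if tag == TAG_BMP else "utf-8")


def _decode_user_notice(body):
    notice = {"organization": None, "noticeNumbers": [], "explicitText": None}
    for tag, val in _children(body):
        if tag == TAG_SEQ:                    # noticeRef { organization, noticeNumbers }
            org, numbers = _children(val)
            notice["organization"] = _display_text(*org)
            notice["noticeNumbers"] = [int.from_bytes(v, "big") for _t, v in _children(numbers[1])]
        else:                                 # explicitText
            notice["explicitText"] = _display_text(tag, val)
    return notice


def decode_certificate_policies(der):
    """Return one dict per PolicyInformation: policyIdentifier, cps, userNotice."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQ or end != len(der):
        raise ValueError("not a single certificatePolicies SEQUENCE")
    policies = []
    for _ptag, pbody in _children(body):
        fields = _children(pbody)
        policy = {"policyIdentifier": decode_oid(fields[0][1]), "cps": None, "userNotice": None}
        if len(fields) > 1:                   # policyQualifiers is OPTIONAL
            for _qtag, qbody in _children(fields[1][1]):
                (_t, qid), (qtag, qval) = _children(qbody)
                if decode_oid(qid) == OID_QT_CPS:
                    policy["cps"] = qval.decode("ascii")
                elif decode_oid(qid) == OID_QT_UNOTICE:
                    policy["userNotice"] = _decode_user_notice(qval)
        policies.append(policy)
    return policies


def policy_test_example():
    """Round-trip the policy_test / notice_test values from the posted config."""
    der = encode_certificate_policies(
        "1.2.3.3.4", "http://www.ca.org/cps", "CA Company", [1, 2],
        "Only for testing! Allowed tasks are encrypting and signing of unclassified data!")
    return decode_certificate_policies(der)
```

On an issued certificate, openssl x509 -text prints the same fields under "X509v3 Certificate Policies" (Policy, CPS, User Notice with Organization, Numbers and Explicit Text); comparing that output with the decoded dict is the quickest way to confirm that the LOA-driven template produced what the openssl.cnf fragment intended, rather than silently dropping the userNotice.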