Re: [Openca-Users] SCEP-based automatic certificate renewal with CertNanny and OpenCA

2005-12-27 Thread dalini

Quoting Martin Bartosch [EMAIL PROTECTED]:


Folks,

I've got a last-minute Christmas present for you all!


Indeed.


You will find the current CertNanny release on SourceForge at
http://sourceforge.net/projects/certnanny/


I guess I will have a look soon.

Thx Martin


Greetings
Dalini



---
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files
for problems?  Stop!  Download the new AJAX search engine that makes
searching your log files as easy as surfing the  web.  DOWNLOAD SPLUNK!
http://ads.osdn.com/?ad_id=7637alloc_id=16865op=click
___
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users


Re: [Openca-Users] openssl syntax for multi-valued RDNs is unknown from cisco router unstructuredName

2005-12-27 Thread dalini

Quoting [EMAIL PROTECTED]:


I think the reason can be found in the request from the cisco that sends only
this:
-
serialNumber=206,
unstructuredName=ipsec-cisco-2610..de+serialNumber=87CE1234
Role=Web Server
Modulus (key size)  512
Public Key AlgorithmrsaEncryption
Public Key
Modulus (512 bit): 00:b6:0a:f3:09:3f:49:39:5a:83:42:d0:.
Exponent: 65537 (0x10001)
Signature Algorithm md5WithRSAEncryption
-

Are there some people who know what I have to do when I receive the
request from the cisco? In the RA I can EDIT this data in the request, before
I make an export to the CA and then import to the CA.

Well, the solution is quite simple in this case. (there are some
e-mails addressing this already on the list, but I only have access
through a web frontend at the moment, so searching is a bit painful; I
will try to recover it from memory instead)


If you edit the request at the RA or CA you will see the request in a
form like:

cn: type - value : type - value in one row

you should rewrite the whole cn part and put everything in the 'first'
column of the form and delete the 'second' column information in the
request (unfortunately I don't have a picture right now, I hope you get
the idea ;)


sometimes it is necessary to add some SAN information (Subject
Alternative Names); usually cisco wants them if you additionally request
the ip or fqdn in the certificate. That means adding a SAN named
unstructuredName for the fqdn and one unstructuredAddress
with the ip as value should help in such cases.




---
An other question:

Why put the cisco router 2 requests over scep into the RA Interface ?
---
this has to do with key types. if you request a general purpose key you
get one request; if you request separate keys for signing and encryption the
cisco device will generate two different key pairs, one for signing
stuff and one for encryption usage, and therefore two requests.


to support this, you may have to add/change the available 'roles' in
openca and write an appropriate usage type (like only for encryption or
only for signing) into the x509 certs. this is found under
openssl/extfiles if I'm right. but there should be some extra
information about how to change/create new roles in the documentation
already.



greetings
dalini





Re: [Openca-Users] OpenCA and nCipher in batch process: Proud to announce some good results :-D

2005-08-12 Thread dalini

Johnny Gonzalez L. wrote:

yep, I was thinking of doing a top while issuing one of my new batch
tests to try to catch where the bigger delay is, to see if it is in
disk writing, db access, etc.



maybe it would be a good idea to insert some
time or times commands at certain places; this will give a bit more
detailed information for each program you call with it ;)

but I don't know if it's available on your system

so maybe it's useful to call some commands with this too...
will be more accurate than top I guess - hehe

greetings
dalini


NAME
  time - time a simple command or give resource usage

SYNOPSIS
  time [options] command [arguments...]

DESCRIPTION
  The time command runs the specified program command with the given
  arguments. When command finishes, time writes a message to standard
  output giving timing statistics about this program run. These statistics
  consist of (i) the elapsed real time between invocation and termination,
  (ii) the user CPU time (the sum of the tms_utime and tms_cutime values in
  a struct tms as returned by times(2)), and (iii) the system CPU time (the
  sum of the tms_stime and tms_cstime values in a struct tms as returned by
  times(2)).

--

NAME
  times - write process times

SYNOPSIS
  times

DESCRIPTION
  The times utility shall write the accumulated user and system times for
  the shell and for all of its child processes, in the following POSIX
  locale format:

     "%dm%fs %dm%fs\n%dm%fs %dm%fs\n", <shell user minutes>,
     <shell user seconds>, <shell system minutes>,
     <shell system seconds>, <children user minutes>,
     <children user seconds>, <children system minutes>,
     <children system seconds>

  The four pairs of times shall correspond to the members of the
  <sys/times.h> tms structure (defined in the Base Definitions volume of
  IEEE Std 1003.1-2001, Chapter 13, Headers) as returned by times():
  tms_utime, tms_stime, tms_cutime, and tms_cstime, respectively.
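As an added example (not from this thread and not OpenCA code), here is how the advice above can be applied to a batch run: every step is executed through a small POSIX shell wrapper that records wall-clock seconds, the shell's accumulated child CPU time from the `times` builtin quoted above, and the step's exit status to a log, so the slow step can be read off afterwards instead of guessed from top. STEP_LOG, measure_step and step_count are names chosen for this example, and the two demo steps are constructed.

```sh
#!/bin/sh
# Added example for the advice above; not code from the thread or from OpenCA.
# Each batch step runs through measure_step, which logs wall-clock seconds,
# the shell's accumulated child CPU time (second line of the POSIX `times`
# builtin) and the step's exit status. STEP_LOG, measure_step and
# step_count are names chosen for this example.
STEP_LOG="${STEP_LOG:-${TMPDIR:-/tmp}/step-timing.$$.log}"

# measure_step NAME COMMAND [ARGS...]
# Runs COMMAND and appends one line to STEP_LOG:
#   NAME elapsed=<s>s children_cpu=<user> <sys> rc=<status>
# COMMAND's exit status is returned unchanged, so the surrounding batch
# script's own error handling keeps working.
measure_step() {
    name="$1"; shift
    start=$(date +%s)
    "$@"
    rc=$?
    end=$(date +%s)
    # `times` must run in this shell, not in a $(...) or pipeline subshell:
    # a forked subshell starts with zero child CPU counters.
    tmp="${TMPDIR:-/tmp}/times.$$"
    times > "$tmp"
    cpu=$(sed -n '2p' "$tmp")
    rm -f "$tmp"
    printf '%s elapsed=%ss children_cpu=%s rc=%s\n' \
        "$name" "$((end - start))" "$cpu" "$rc" >> "$STEP_LOG"
    return "$rc"
}

# step_count NAME: number of log lines recorded for NAME.
step_count() {
    [ -f "$STEP_LOG" ] || { echo 0; return 0; }
    grep -c "^$1 " "$STEP_LOG" || true
}

# Run with "--demo" to time two constructed steps and print the log.
if [ "${1:-}" = "--demo" ]; then
    measure_step sleep-step sleep 1
    measure_step shell-loop sh -c 'i=0; while [ "$i" -lt 50000 ]; do i=$((i+1)); done'
    cat "$STEP_LOG"
fi
```

Wrap the individual commands of the batch script (the openssl calls, the database import, the export to the RA) in `measure_step <name> ...` and compare the elapsed and children_cpu columns: a step with large elapsed time but little CPU time is waiting on disk or the database, not computing.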





Re: [Openca-Users] building sources from CVS

2005-07-29 Thread dalini

Johnny Gonzalez wrote:

Hello everybody,

I'm trying to compile OpenCA accessing the code from
CVS (to have the most up-to-date sources, right?) but I
have some errors in the process.

I'm accessing through gcvs with:
[EMAIL PROTECTED]:/cvsroot/openca 


and I'm checking out the module: openca-0.9, is that
the right module I have to check out to have the
latest source code?

the latest source code is a complete rewrite and redesign of the current
release - so if you check out HEAD - you get something totally different
from the 0.9.2 series ;) it's based on it but it's just fair to call it new


to get the latest 0.9.2 series sources you must tell cvs to give you 0.9.2
I think this is done via the -r switch

so maybe you should try this and then go on to compile it ;)


greetings
dalini




Re: [Openca-Users] SCEP support

2005-07-28 Thread dalini

Philipp Gühring wrote:

Additionally: Can anyone provide me with a Test-installation of OpenCA with 
SCEP, so that I can try it out?


now - since scep is a protocol with no human interaction there is no
web interface in this sense ;) but there is code which handles the requests


you will find it in these files:
.../OpenCA/lib/cmds/scepGetCACert
.../OpenCA/lib/cmds/scepPKIOperation

the first one handles step one - the client requests the ca/ra certificates/chains
and the second one handles the scep messages following this first auth step

after a client requests a certificate via scep - you will see the request
in the normal interface like any other request and can apply the
appropriate workflow to it


if a certificate is granted (and exported to the ra) the client can
fetch it through scep


the url of the scep 'interface' (which has to be given to the client) looks
something like (depending on your openca configuration and webserver
setup):

http://pki.fem.tu-ilmenau.de/operating/004/pub/cgi-bin/scep/scep
alternatively it can also be called like:
http://pki.fem.tu-ilmenau.de/operating/004/pub/cgi-bin/scep/pkiclient.exe

if you access this page (without any parameters) through a web browser you
usually should see an error message:

Error 700, General Error. This interface is only for SCEP.

if you add ?operation=GetCACert you will get the ca cert in pkcs7
format... like the client would do; this can also be read in the
scep rfc drafts



greetings
dalini
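As an added example (not from this thread and not OpenCA's code), the GetCACert step just described, done from a shell the way a careful client would do it: fetch the CA/RA certificates from the SCEP URL, convert whatever the server answered (a single DER certificate or the degenerate PKCS#7 the reply mentions, as the SCEP draft allows) to PEM, and compare the CA's SHA-256 fingerprint against a value obtained out of band, because GetCACert is a plain unauthenticated HTTP download. SCEP_URL is a placeholder to be replaced by your own endpoint; all function names are chosen for this example, and curl and openssl are assumed to be installed.

```sh
#!/bin/sh
# Added example; not code from the thread or from OpenCA. It fetches the
# CA/RA certificates from an OpenCA SCEP endpoint with the GetCACert
# operation described above and verifies the CA's SHA-256 fingerprint
# against a value obtained out of band, since GetCACert itself is an
# unauthenticated HTTP download. SCEP_URL is a placeholder; all function
# names are chosen for this example. Needs curl and openssl.
SCEP_URL="${SCEP_URL:-http://pki.example.invalid/pub/cgi-bin/scep/scep}"

# scep_getcacert_url BASE [CA_IDENT]: the GetCACert query; the optional
# message parameter carries the CA identifier defined by the SCEP draft.
scep_getcacert_url() {
    if [ -n "${2:-}" ]; then
        printf '%s?operation=GetCACert&message=%s\n' "$1" "$2"
    else
        printf '%s?operation=GetCACert\n' "$1"
    fi
}

# scep_classify CONTENT_TYPE: the two body formats the SCEP draft allows
# for a GetCACert answer; anything else (e.g. the text/html "Error 700"
# page the reply above mentions) is "unexpected".
scep_classify() {
    case "$1" in
        application/x-x509-ca-cert*)    echo single-ca ;;    # one DER CA cert
        application/x-x509-ca-ra-cert*) echo ca-ra-pkcs7 ;;  # degenerate PKCS#7 with CA + RA certs
        *)                               echo unexpected ;;
    esac
}

# scep_fetch_cacerts BASE OUTDIR: download and convert to PEM (OUTDIR/chain.pem).
scep_fetch_cacerts() {
    url=$(scep_getcacert_url "$1"); out="$2"
    ctype=$(curl -sS -o "$out/getcacert.der" -w '%{content_type}' "$url") || return 1
    case "$(scep_classify "$ctype")" in
        single-ca)
            openssl x509 -inform DER -in "$out/getcacert.der" -out "$out/chain.pem" ;;
        ca-ra-pkcs7)
            openssl pkcs7 -inform DER -in "$out/getcacert.der" -print_certs -out "$out/chain.pem" ;;
        *)
            echo "scep: unexpected Content-Type '$ctype' from $url" >&2; return 1 ;;
    esac
}

# fingerprints_in PEMFILE: SHA-256 fingerprint of every certificate in PEMFILE.
fingerprints_in() {
    awk -v base="$1" '/-----BEGIN CERTIFICATE-----/ {n++} n {print > (base "." n)}' "$1"
    for f in "$1".[0-9]*; do
        openssl x509 -in "$f" -noout -fingerprint -sha256 | sed 's/^[^=]*=//'
        rm -f "$f"
    done
}

# scep_verify_ca BASE OUTDIR EXPECTED_FP: 0 only if EXPECTED_FP (colon
# separated SHA-256, any case) matches one of the downloaded certificates.
scep_verify_ca() {
    scep_fetch_cacerts "$1" "$2" || return 1
    fingerprints_in "$2/chain.pem" | grep -qix "$3"
}

# Run as: sh this.sh --fetch OUTDIR AA:BB:...  (fingerprint from a trusted channel)
if [ "${1:-}" = "--fetch" ]; then
    if scep_verify_ca "$SCEP_URL" "$2" "$3"; then
        echo "CA fingerprint matches; chain written to $2/chain.pem"
    else
        echo "fingerprint mismatch or download failed: do not enroll against this endpoint" >&2
        exit 1
    fi
fi
```

The fingerprint is the only thing binding the downloaded chain to the CA you meant; a device that enrolls without checking it would happily enroll against anything answering on that URL, which is why the check sits before any PKIOperation.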




Re: [Openca-Users] retrieve certificate from ra interface

2005-07-26 Thread dalini

worou noee wrote:


Oliver Welter [EMAIL PROTECTED] wrote:


What does openssl say? Might it be that your cisco blanks out the
common part from the certificate?

I don't think that OpenCA issues a certificate with such a DN.


OpenCA issues the certificate with this DN. I can see it in the ra
interface. But in the cisco device I cannot see the certificate with such a DN. I
only want to know if it is normal.


it is normal, it could be necessary to add ip and dns in the san
(subject alternative name) of the certs too, but you have to check; sometimes
clients don't accept the certs if this is missing - so just in case ;)

greetings
dalini




Re: [Openca-Users] Logging Error 64310030 on Solaris

2005-02-26 Thread dalini
Mathias Schäfer wrote:
Hi everybody,
I'm trying to start OpenCA on a Solaris-Box, getting an error about
logging:

unix dgram connect: Socket operation on non-socket at

in log.xml you can switch off syslog logging
looks like there is a little problem
just remove the whole 'slot' for syslog
may help for the moment - to get it running

so is your install problem solved?
greetings
dalini


Re: [Openca-Users] Is PIN code stored in RA or CA database?

2005-02-22 Thread dalini
Manolo Gómez wrote:
This behaviour is OK for user requests, but makes no sense for server
requests because in that case the encrypted pair of keys and also a
CSR have already been generated on the server. Why is it needed to give a
PIN code? Is it used? Is it stored anywhere? Can I use it later for
any kind of authentication?
exactly, it can be used for authentication purposes
at the registration node interface there is an option
called "verify pin", where an ra operator may have the
ability to verify the request (basically it opens an extra window, where
one can submit the pin two times - as password input fields, so it's
asterisked)

for example: the requester has to go to the ra operator and provide his
pin in a webform - the openca system then will compare the request pin
against the provided password and tell the ra operator if they match or
not (he won't see it, only if he follows the fingers on the keyboard of
the person ;)

so it may be possible that a workflow requests that server admins show
up at the pki help desk to confirm their request... and this will work
with that option

available only in the 0.9.2 series
greetings
dalini


Re: [Openca-Users] subject alt name doesn't support dns and ip address

2004-12-31 Thread dalini
Pho La Min wrote:
When I edit a VPN server request in the RA interface and add a dns name
in the subject alternate name box, I get the below error when issuing in the CA
interface

Common Information

OpenCA Version   :
Perl Version     :
OpenSSL Version  :
Operating System :

Problem Description:



this may help us to look at the right places ;) and give you faster
and improved feedback... please always try to use our stable releases
since usually dns and ip in subject alternative names are supported
the error looks like a problem with openssl:
OpenSSL fails (256).)..
11232:error:22075075:X509 V3 routines:v2i_GENERAL_NAME:unsupported
option:v3_alt.c:436:name=dns, referer:
Greetings
Dalini
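Three messages on this page touch the same point: the cisco request thread (add the fqdn and ip as subject alternative names), the "retrieve certificate" thread (add ip and dns in the san, some clients reject certs without them) and the error quoted just above. As an added example (not code from the thread, OpenCA or Cisco), the shell script below makes a test certificate whose SAN carries a device FQDN and IP, and provides the check a practitioner wants before exporting a cert to a VPN device: does the SAN actually list the expected DNS and IP entries. It also shows the cause of the quoted error: OpenSSL's SAN type tags are case-sensitive, so `dns:` instead of `DNS:` is rejected by v2i_GENERAL_NAME with "unsupported option ... name=dns". Hostname, IP, function names and the scratch directory are constructed for the example; openssl is assumed to be installed.

```sh
#!/bin/sh
# Added example; not code from the thread, OpenCA or Cisco. It makes a test
# certificate whose Subject Alternative Name carries the device FQDN and IP
# (the entries the replies above say VPN devices tend to require) and then
# checks an arbitrary certificate for those entries before it is exported to
# a device. Hostname, IP and the scratch directory are constructed.
WORK="${WORK:-$(mktemp -d)}"

# make_san_cert NAME FQDN IP [DNS_TAG]: self-signed cert in $WORK/NAME.pem
# with subjectAltName=DNS:FQDN,IP:IP. DNS_TAG exists only to show that the
# type tags are case-sensitive in OpenSSL: "dns:" is rejected by
# v2i_GENERAL_NAME with "unsupported option ... name=dns", the error quoted
# in the thread above.
make_san_cert() {
    cat > "$WORK/$1.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = ext
prompt             = no
[ dn ]
CN = $2
[ ext ]
subjectAltName = ${4:-DNS}:$2,IP:$3
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -config "$WORK/$1.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# san_entries CERT: the SAN entries of CERT, one per line, as `openssl x509
# -text` prints them ("DNS:host", "IP Address:192.0.2.10", ...).
san_entries() {
    openssl x509 -in "$1" -noout -text |
        awk '/X509v3 Subject Alternative Name/ {
                 getline; gsub(/^[ \t]+/, "")
                 n = split($0, a, /, */); for (i = 1; i <= n; i++) print a[i]
             }'
}

# san_has CERT dns|ip VALUE: 0 if CERT lists VALUE under that SAN type.
san_has() {
    case "$2" in
        dns) want="DNS:$3" ;;
        ip)  want="IP Address:$3" ;;
        *)   return 2 ;;
    esac
    san_entries "$1" | grep -qxF "$want"
}

# device_cert_ok CERT FQDN IP: the pre-export check for a device that matches
# the certificate on FQDN and IP rather than on the subject DN.
device_cert_ok() {
    san_has "$1" dns "$2" && san_has "$1" ip "$3"
}

if [ "${1:-}" = "--demo" ]; then
    make_san_cert vpn1 vpn.example.invalid 192.0.2.10 || exit 1
    san_entries "$WORK/vpn1.pem"
    device_cert_ok "$WORK/vpn1.pem" vpn.example.invalid 192.0.2.10 && echo "vpn1: SAN complete"
    make_san_cert bad vpn.example.invalid 192.0.2.10 dns || echo "lowercase dns: rejected by openssl, as in the quoted error"
fi
```

Run `device_cert_ok` on the certificate the CA issued before handing it to the device; a missing entry is found at the RA instead of as a failed enrollment on the router.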


Re: [Openca-Users] Re: SCEP not working

2004-12-30 Thread dalini
Michael Kopp wrote:
Hi Oliver,
thanks for your help, SCEP is now working for me. I successfully enrolled
with a Cisco VPN Client 4.6.00.45 on Win2K.
I will go on testing with various other Cisco devices (VPN Clients, IOS,
PIX and VPN Concentrators)
yeah great, we definitely need more confirmed working setups with scep
and different hardware!

greetings
dalini


[Openca-Users] Support Request Template was: error signing certs

2004-12-16 Thread dalini
Common Information

OpenCA Version   :
Perl Version     :
OpenSSL Version  :
Operating System :
Browser Type/Ver :

Problem Description:



this may help us to look at the right places ;) and give you faster
and improved feedback... please always try to use our stable releases

Greetings
Dalini


Re: AW: [Openca-Users] Error when setting UNIQUE_DN NO

2004-11-16 Thread dalini
[EMAIL PROTECTED] wrote:
Hi,
thanks for the answer.
The patch doesn't seem to work (see below) and I couldn't find any signs
for this patch in the daily OpenSSL-Snapshot
(openssl-SNAP-20041116.tar.gz) either.
Do you have any other suggestions?
no - most probably there have been some changes in ca.c since the patch
was written... so you have to apply it manually ;)

or ask someone you know who has some knowledge of C
greetings
dalini


Re: [Openca-Users] Request Setup error

2004-11-11 Thread dalini
Angel Martinez Gonzalez wrote:
Hello:
 
I'm trying to initialize OpenCA. In Request Setup of Phase 1, I enter
this DN:

/C=ES, ST=Valladolid, L=Boecillo, O=Telefonica I+D,
hmm maybe try to escape this + sign? I'm not sure but it looks like a
probable troublemaker ;) - or just try it once without, to see what happens

try a very simple dn - for testing, like cn=test,ou=plahh,c=es
if this doesn't work either, then it may be a problem of the dn:500 perl
module you are using

greetings
dalini



Re: [Openca-Users] Cert chain, translation, ...

2004-11-05 Thread dalini
Obes, Til wrote:
At the state as openca is at the moment, changing the texts is not
practical.
anyhow, maybe we should move this discussion to the dev list?
greetings
dalini


Re: [Openca-Users] Error 700 General Error. Your request has to include O=...

2004-11-05 Thread dalini
Kuderer David wrote:
Dear Open-CA Userlist
Error : 
  Error 700
  General Error. Your request has to include O=.

I guess you are using the 0.9.2 series?
Question : -
Is this a bug or a feature ?
  Our customers don't have the same organisation (o=).
  How can I make a workaround?


you can change this behavior through the config files in .../etc/
where it is set to o,c - to the dc style for example
this is also described in our documentation, for example here:
http://www2.openca.info/docs/guide/openca-guide.html#id2808788
so read the fine manual please, thx ;)
greetings
dalini


Re: [Openca-Users] openca-ocsp and Mozilla having problems

2004-11-05 Thread dalini
Ognyan Kulev wrote:
Janez Pirc wrote:
I then also tried with the OpenSSL OCSP client and I also get a working
response from my OCSPd. But when I want to verify a certificate with
Mozilla (Windows, 1.7.3) I always get the message:

Could not verify the certificate for unknown reasons

I submitted a similar report but got no reply:
http://sourceforge.net/mailarchive/forum.php?thread_id=5891510&forum_id=2291
:-(

the maintainer for ocsp is quite busy at the moment - so there is not
such good support for this target at the moment as for openca itself

greetings
dalini


Re: [Openca-Users] Error 700 General Error. Your request has to include O=...

2004-11-05 Thread dalini
dalini wrote:
you can change this behavior through the config files in .../etc/
where it is set to o,c - to the dc style for example
this is also described in our documentation, for example here:
http://www2.openca.info/docs/guide/openca-guide.html#id2808788
so read the fine manual please, thx ;)
maybe we should rename this target to:
Setup a Different Subject Style? (or something similar)
would this be easier to understand - if someone looks for it?
and then use the dc example as an example... ;)
since I guess - most people who don't want to have the common o,c
style would look for dc as an alternative setup...

so comments are welcome, we always try to improve our documentation as
well as the system itself, since usable (especially in the sense of
understandable and 'findable' topics) documentation is essential for a
project like openca

greetings
dalini


Re: [Openca-Users] Cert chain, translation, ...

2004-11-04 Thread dalini
Obes, Til wrote:
For Mozilla and related you can simply stuff together the PEM encoded
certs in one large file - Mozilla imports them but sometimes messes up
the trust roles of it :(
For IE you must create a special binary container - I didn't manage that
with Openssl but was able to export the chain from a Windows machine
after importing the full chain by hand.
The MS Clients recognize the chain correctly


By hand is not what I want
We have 16k students here and guess how many understand what to do ;)
So can the downloadcert command be changed, so that it delivers the
complete chain?
I think - you can create the chain - once by hand, then you change the
files which get delivered to the students... but you have to do this
with browser detection...

@olli - did you try to create one pkcs#12 file with the chain inside? I
guess this should work too...

ma
ybe I find some time to try this ;)
then, this could be used as standard behavior
 And using text as a key is really silly in
my eyes.
hmm, I'm also not really happy with the current situation, but if
someone finds the time, he can create an english translation file and
replace all text with keys like - operation-text-## or something, and
this has to be done in all translation files - I guess

but then we would also be free to change english text without breaking
anything...

of course one could do this with the database or like it is now, this is
a question of what one likes more - I guess

Cvs from 28.10. was it I think.
so still a problem - hmm
greetings
dalini


Re: [Openca-Users] Cert chain, translation, ...

2004-11-04 Thread dalini
Mike Schmidt wrote:
I agree that many of the messages have errors, but let's start by just
fixing the language databases. It's easy to do, and should cause no pain.
so we first need an english translation from the english texts with typos
;), then we may be able to fix the standard text in english without
fixing the key texts ;)

greetings
dalini


Re: [Openca-Users] Cert chain, translation, ...

2004-11-04 Thread dalini
Joerg Schneider wrote:
For OpenCA I guess that means: If a user has configured his browser for 
a language not known to OpenCA, he will see the message from the code. 
Caveat: I haven't tried this/looked at the source.

no, this won't really be a problem, since we have some code which tries to
detect the browser language and select an appropriate one - which is
available; this could be set to the default english 'translation' so the
text from the code should never get shown to the user... it is now set to
default to c or en which finally is the text in the code, if I'm right,
but this change is minimal and everything is ready to behave correctly
actually

we just need the english 'translation' ;)
greetings
dalini


Re: [Openca-Users] Renew CA certificate

2004-10-26 Thread dalini
Mike Schmidt wrote:
Hi,
This process is not clear to me.  Sorry for the questions, but I just 
read this thread and ended up understanding even less than I thought I 
understood.

How does this exactly work?  We set up a new CA on a different ip 
address? How does the previous CA cert remain available for 
verifications? Where is it cached? Why can't we use the current CA with 
a new (second) CA cert?

because this isn't supported right now; the awareness of ca rollover is just
slowly approaching the surface, even in established environments...
(usually the problem of ca rollover is 'solved' through long-term root ca
 certs... which isn't really nice)

so what they mean is: you just set up a new pki - which has a new ca key
and cert and issues the new certs - and keep the other one running for crl
issuing

in any case you need to have both certs and crls available, and both crls
on different cdps, otherwise a client couldn't verify old certs issued by
the old ca cert which is still valid

the support for ca rollover will be available in 0.9.3 and it will be
quite unique I think; you won't find that in a lot of even commercial
products, but it isn't finished right now...

greetings
dalini
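The two conditions in the reply above (the old CA certificate must stay available, and the old CA must keep publishing its CRL) can be checked with OpenSSL alone. As an added example (not from this thread and not OpenCA's code), the script below builds an old and a new CA in a scratch directory, issues a still-valid leaf from the old CA, generates both CAs' CRLs, and then verifies the leaf three times: with both CA certs and both CRLs published, with only the new CA in the trust store, and with the old CA cert kept but its CRL no longer published. Only the first passes. CA names, the leaf name, the scratch directory and the function names are constructed for the demo; openssl is assumed to be installed.

```sh
#!/bin/sh
# Added example for the rollover situation described above; not code from
# the thread or from OpenCA. It builds an old and a new CA with OpenSSL in a
# scratch directory, issues a leaf from the old CA, publishes both CAs'
# CRLs, and shows that an old (still valid) leaf verifies only while the old
# CA certificate AND the old CA's CRL stay available. CA names, the leaf name
# and the scratch directory are constructed for the demo.
WORK="${WORK:-$(mktemp -d)}"

# mkca NAME: self-signed CA (key + cert) in $WORK/NAME.key / $WORK/NAME.pem
mkca() {
    cat > "$WORK/$1.req.cnf" <<EOF
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = $1
[ ca_ext ]
basicConstraints     = critical,CA:TRUE
keyUsage             = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -config "$WORK/$1.req.cnf" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# issue_leaf CA NAME: key + CSR for NAME, signed by CA into $WORK/NAME.pem
issue_leaf() {
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" 2>/dev/null &&
    openssl x509 -req -sha256 -days 365 -in "$WORK/$2.csr" \
        -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" -CAcreateserial \
        -out "$WORK/$2.pem" 2>/dev/null
}

# gencrl CA: an (empty) CRL for CA via a minimal `openssl ca -gencrl` config
gencrl() {
    : > "$WORK/$1.index"
    echo 01 > "$WORK/$1.crlnumber"
    cat > "$WORK/$1.ca.cnf" <<EOF
[ ca ]
default_ca = crl_only
[ crl_only ]
database         = $WORK/$1.index
crlnumber        = $WORK/$1.crlnumber
certificate      = $WORK/$1.pem
private_key      = $WORK/$1.key
default_md       = sha256
default_crl_days = 30
EOF
    openssl ca -config "$WORK/$1.ca.cnf" -gencrl -out "$WORK/$1.crl" 2>/dev/null
}

# bundle EXT OUT CA...: concatenate $WORK/CA.EXT of every listed CA into OUT
bundle() {
    ext="$1"; out="$2"; shift 2
    : > "$out"
    for ca in "$@"; do cat "$WORK/$ca.$ext" >> "$out"; done
}

# verify_leaf LEAF "CA ..." "CA ...": verify $WORK/LEAF.pem with the first
# list as trust anchors and the second list's CRLs; the CRL check is
# mandatory, like a relying party that fetched the CRL from the CDP.
verify_leaf() {
    bundle pem "$WORK/trust.pem" $2
    bundle crl "$WORK/trust.crl" $3
    openssl verify -crl_check -CAfile "$WORK/trust.pem" -CRLfile "$WORK/trust.crl" \
        "$WORK/$1.pem" >/dev/null 2>&1
}

# rollover_demo: 0 if all three expectations hold.
rollover_demo() {
    mkca old-ca && mkca new-ca && issue_leaf old-ca server-2004 &&
        gencrl old-ca && gencrl new-ca || return 1
    # 1. both CA certs and both CRLs published, as the reply recommends: OK
    verify_leaf server-2004 "old-ca new-ca" "old-ca new-ca" || return 1
    # 2. trust store holds only the new CA: the still-valid old cert fails
    if verify_leaf server-2004 "new-ca" "old-ca new-ca"; then return 1; fi
    # 3. old CA cert kept but its CRL no longer published: CRL check fails
    if verify_leaf server-2004 "old-ca new-ca" "new-ca"; then return 1; fi
    return 0
}

if [ "${1:-}" = "--demo" ]; then
    if rollover_demo; then
        echo "old certs verify only while the old CA cert and its CRL stay published"
    else
        echo "rollover demo failed (see $WORK)" >&2; exit 1
    fi
fi
```

Case 3 is the one that bites in practice: the old CA is "retired", its CRL expires, and every certificate it ever issued fails revocation checking at once, even though none of them has been revoked.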


Re: [Openca-Users] store the certificate under uid instead CN on ldap..

2004-10-26 Thread dalini
Barrow H Kwan wrote:
We are using ldap for authentication.  User information is stored
under uid=test,ou=People,dc=domain,dc=com.  We would like to store
the user certificate under the same entry instead of a different one like
serial_no=,CN=test, ou=Peopld,cd=domain,dc=com.

I have changed all the template forms to add the uid elements and
re-run configure_etc.sh

eg
...
DN_TYPEBASIC_ELEMENTS emailAddress CN uid OU
...
DN_TYPE_BASIC_ELEMENT_3 Unix ID
DN_TYPE_BASIC_ELEMENT_3_MINIMUM_LENGTH 1
.
But the uid keeps being ignored by OpenCA.  What am I missing?
no, this can't be, I had this running with uid too already some time ago
did you change this on the ra and ca?
greetings
dalini


Re: [Openca-Users] scep cisco

2004-10-25 Thread dalini
Konstantin Khrooschev wrote:
dalini wrote:
Konstantin Khrooschev wrote:
Oct 22 15:56:46.149 MSD: CRYPTO_PKI: status = 100: certificate is granted
Oct 22 15:56:53.232 MSD: crypto_certc_pkcs7_extract_certs failed (1795):
Oct 22 15:56:53.232 MSD: crypto_certc_pkcs7_extract_certs failed

after Certificate enrollment failed, only the ca certificate is shown.
hmm this is strange, this shouldn't happen,
can small ram space be the reason for the problem?
could be, how much ram does your device have? but I think this shouldn't
remove the ra cert

maybe someone can 'sponsor' for a limited time period, let's say two weeks
or something, an ios system so I could run some tests and maybe debug the
scep code... since I developed and tested only with cisco pix equipment
and sscep and therefore can't make sure assumptions about problems with
ios, especially which problems there are with those trustpoints (I think
this is a newer ios feature - or?)

I don't have access to the internal cisco knowledge database any longer;
does someone have access to the cisco internal help database, since the
public knowledge base is quite reduced and you only get full access to
all documentation, faqs and problem solutions with such a login ;), so if
someone has one, he may be so kind to look for the cited error messages...
maybe there are some hints what could be wrong

there is another option too, maybe you can enable more debugging output,
but that's not so important; what would be important to trace the
problem would be to capture the messages while they are sent between the
router and the scep interface

but since we don't know the router keys, we can't decrypt the captured
pkcs#7 to trace this, but with higher debugging at the router (I don't
know if this is possible) it may be possible to see the package data at
the router and where exactly it fails, but we can see how large the
outer pkcs#7 container is, since for a certificate of a certain size
(like 1024 or 2048 bit) the message has to be around some bytes
long ;)

as far as I can see from the output, the outer pkcs#7 can be read, since
the router shows the status of the answer (success) - only when it tries
to decrypt the encrypted part it fails and stops processing the answer

this means either the inner pkcs#7 is not encrypted with the right
public key or there is nothing in it or the key info doesn't match, so how
does the issued cert look like?

if I think about it, there may be another option, it could be a similar
problem like the one with firewall-1 systems... when the sending cert
(from the client/router) changes during the transaction, and we use at
the scep interface the cert of the first request of this transaction and
encrypt with that (old) one instead of the one received during the last
request

but this is all very hypothetical since I can't verify this on my own ;(
greetings
dalini


Re: [Openca-Users] User install requested certificate the second time???

2004-10-25 Thread dalini
Barrow H Kwan wrote:
What happens if a user needs to install his/her certificate again? like on a
different computer, or maybe his/her computer is broken and he/she needs to
re-install everything ( OS, etc... ) and needs to install the certificate
again?

is there a way to do it or do we have to revoke the old one and issue a new
one?

that depends on the place where the keys get generated and stored
if the user used his browser to generate keys he can't reinstall the
certificate since it depends on the key pair; in this case you have to
revoke and issue a new certificate

if the key pair is server-generated and the key is backed up or still
available, then you can reinstall the certs and the key pair again of
course ;) without revoking and requesting a new one

greetings
dalini


Re: [Openca-Users] scep cisco

2004-10-24 Thread dalini
Konstantin Khrooschev wrote:
Oct 22 15:56:46.149 MSD: CRYPTO_PKI: status = 100: certificate is granted
Oct 22 15:56:53.232 MSD: crypto_certc_pkcs7_extract_certs failed (1795):
Oct 22 15:56:53.232 MSD: crypto_certc_pkcs7_extract_certs failed
Oct 22 15:56:53.236 MSD: Could not extract router cert from certrep, 
error=0x703
Oct 22 15:56:53.240 MSD: CRYPTO_PKI: can not set ca cert object (0x10D)
Oct 22 15:56:53 MSD: %SYS-2-FREEBAD: Attempted to free memory at 
2F17FF4, not part of buffer pool
-Traceback= 2155B84 2C381D0 2C487CE 2C3F0D8
Oct 22 15:56:53.244 MSD: CRYPTO_PKI: status = 65535: failed to process 
the inner content
Oct 22 15:56:53 MSD: %CRYPTO-6-CERTFAIL: Certificate enrollment failed.
Oct 22 15:56:53 MSD: %CRYPTO-6-CERT_FATAL_ERR: Invalid format for BER 
encoding
...
who is wrong now ?
hmm, since i don't have ios systems for testing here, this is gonna be kind
of tricky...

ok, the sscep request is working?
scep is set up with its own certs (web-server) for the scep-interface,
you get the request and you can issue a cert;
it looks at least as if the router gets a granted reply, so it works up to
that point...

Oct 22 15:56:53.240 MSD: CRYPTO_PKI: can not set ca cert object (0x10D)
this looks strange...
shouldn't the ca cert already be installed on the router?
is there something like:
show crypto ca cert (i don't know the ios syntax, i haven't downloaded the
documentation right now)

this should show two certificates (the ca and the ra cert, meaning the
webserver cert of the scep interface, but for the clients it's an ra) and
one pending request before an enrollment gets started...

how did you set up the ca at the router, as ca or as ra?
greetings
dalini


Re: [Openca-Users] SCEP Problems

2004-10-24 Thread dalini
[EMAIL PROTECTED] wrote:
Hello everybody,
Can someone please send me a sample of a scep issued certificate and
the cisco trustpoint config? I still have problems getting the DN's
formatted correctly.
did you get it working (with the hints i sent to you)? otherwise, i
plan to set up a public testing-system, and there i could also issue
some testing certs which should work with cisco if requests get sent
to it, or just artificial certs, so you can look at how they should
look
greetings
dalini



Re: [Openca-Users] Viewing Expired Certs

2004-10-21 Thread dalini
Mark Davidson wrote:
This is a problem with openca-0.9.2-RC6 - viewing expired certificates 
always showed nothing even if there were expired certificates. The 
expired certificates showed up on the valid page with a status of valid.

Attached is a patch which fixes this problem (small changes to viewCert 
and lists)

yeah - cool, i just thought if i have time i should fix this, since i
also stepped over it...

looks good, i think i will put it into cvs,
i'll just check it before...
greetings
dalini


Re: [Openca-Users] Problem Importing Requests from a lower level of the hierarchy..

2004-10-15 Thread dalini
Troubleshoot-Template-Common-Informations:

OpenCA Version  :
Perl Version:
OpenSSL Version :
Operating System:

Problem Description:
this may help us to look at the right places ;)
Greetings
Dalini


[Openca-Users] Template for Support Requests ;)

2004-10-15 Thread dalini
Troubleshoot-Template-Common-Informations:

OpenCA Version  :
Perl Version:
OpenSSL Version :
Operating System:

Problem Description:
this may help us to look at the right places ;)
and give better and faster feedback...
so it would be nice if it could get used for new
support-requests
Greetings
Dalini


Re: [Openca-Users] OpenCA with multi organisational management

2004-10-15 Thread dalini
Dominique Launay wrote:
Hi everybody,

I don't want to let the user type the name of the O but give him/her the 
choice in a list.

Have someone an idea to do that? Is it possible?
In general this would be possible, but with some work ;)
since it would require some changes in the Webfrontend,
but not too much, I think.
The LDAP Interface should already be able to handle different
O if I'm right, but I think Michael will tell you if this
works or not.
what is possible right now already would be to change the O at the RA
Interface manually, so the backend itself shouldn't have a problem
handling such a situation

greetings
dalini


Re: [Openca-Users] Is openssl Bug on Suse fixed ?

2004-10-14 Thread dalini
Oliver Welter wrote:
Hi Folks,
anybody knows if the Bug in openssl-0.9.7d is fixed by a Suse 9.1 
Online-Update - or must I install the openssl Libs by hand :(

sorry, i don't know
but how about asking suse and telling them; usually i think they would fix
it, since they don't want to ship a broken openssl instead of openssl
themselves ;)

greetings
dalini


Re: [Openca-Users] scep again

2004-10-14 Thread dalini
dalini wrote:
so one may call this a debian problem, but actually it is an openssl
problem and especially one of their release-policy for stable releases...

maybe i will write an e-mail and talk about security in terms of broken
protocol implementations which will crash protocols, and it will be a
security risk therefore; maybe not that you can 'hack' openssl with a
buffer overflow, no, you just have to install the stable d version to
break your whole security infrastructure if it uses pkcs#7; maybe then
they would consider it a security risk...

somehow they have some strange understanding of security from my point of
view - i will test this, since i don't have time and i don't want to
explain every time that 0.9.7d is just broken - even if it's the stable
openssl release - actually this just can't be

greetings
dalini


Re: [Openca-Users] 0.9.2RC6 SCEP decoding

2004-10-07 Thread dalini
[EMAIL PROTECTED] wrote:
Hi,
I use SSCEP with a similar configuration to the one available at
http://www.openca.org/openca/docs/online/ch04s04.html. The enrollment seems to
be ok on SSCEP side (I get a valid response from server followed by a
segmentation fault...). However when I edit the request on the RA side all CSR
attributes are set to n/a (public-key, email, cn, and so on). I've decoded the
ASN.1 object sent to the RA and the format seems ok. Does someone has the same
problem ?
hmm, sounds weird somehow
but the segmentation fault at the sscep side looks like maybe a
misconfiguration at the openca and sscep side

ok, sscep should work like mentioned on the webpage,
and at openca you have to set the ra stuff for scep;
it's just working with an ra involved right now,
the segmentation error points in this direction.
in the config.xml file in the etc directory of openca
there is a scep-section; you have to give some valid
path to a key and crt file used for the 'scep-ra'
(usually it's sufficient to use an ssl-crt/key like for https
 there; the key should have no passphrase, there were
 still some problems if it has one, and it doesn't change
 much in terms of security if you put the pwd in config.xml
 or leave the key unencrypted and only accessible through
 the openca scripts, meaning the apache-user)
greetings
dalini
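Two answers in this archive come down to the same practical checks: the reply about reinstalling a user certificate (it only works if the matching private key is still available) and the advice just above about the SCEP RA key in config.xml (unencrypted, readable only through the openca scripts). The script below is an added example for both, not code from OpenCA or from the thread; the encrypted "user" key, the self-signed certificate, the unrelated key and the file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not OpenCA code): check that a backed-up private key
# really belongs to a certificate before reinstalling it, and prepare a
# passphrase-less, owner-only key file such as the SCEP RA key named in
# OpenCA's config.xml. All key/cert material is constructed here.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed material: an encrypted RSA key as a user would hold it,
# a self-signed certificate made from that key, and an unrelated key.
make_test_material() {
    openssl genrsa -aes256 -passout pass:secret \
        -out "$WORK/user.key.enc" 2048 2>/dev/null
    openssl req -new -x509 -days 1 -subj "/CN=user test" \
        -key "$WORK/user.key.enc" -passin pass:secret \
        -out "$WORK/user.crt" 2>/dev/null
    openssl genrsa -out "$WORK/other.key" 2048 2>/dev/null
}

# Print "match" if the public half of key $1 equals the public key inside
# certificate $2, else "mismatch". $3 is the key passphrase, if any.
# Comparing the exported SubjectPublicKeyInfo (not just an RSA modulus)
# works for any key type.
key_matches_cert() {
    key="$1"; cert="$2"; pass="${3:-}"
    if [ -n "$pass" ]; then
        key_pub=$(openssl pkey -in "$key" -passin "pass:$pass" -pubout 2>/dev/null || true)
    else
        key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null || true)
    fi
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null || true)
    if [ -n "$key_pub" ] && [ "$key_pub" = "$cert_pub" ]; then
        echo match
    else
        echo mismatch
    fi
}

# "yes" if PEM key file $1 is still passphrase-protected, else "no".
key_is_encrypted() {
    if grep -q ENCRYPTED "$1"; then echo yes; else echo no; fi
}

# Write an unencrypted copy of key $1 (passphrase $2) to $3, created under
# a restrictive umask so it is never world-readable, not even briefly.
# On an OpenCA host the owner would be the web-server user.
strip_passphrase() {
    ( umask 077; openssl rsa -in "$1" -passin "pass:$2" -out "$3" 2>/dev/null )
    chmod 600 "$3"
}

# Stand-alone demo: run with DEMO=1.
if [ "${DEMO:-0}" = 1 ]; then
    make_test_material
    echo "backup key vs cert:    $(key_matches_cert "$WORK/user.key.enc" "$WORK/user.crt" secret)"
    echo "unrelated key vs cert: $(key_matches_cert "$WORK/other.key" "$WORK/user.crt")"
    strip_passphrase "$WORK/user.key.enc" secret "$WORK/scep-ra.key"
    echo "scep-ra.key encrypted: $(key_is_encrypted "$WORK/scep-ra.key")"
    ls -l "$WORK/scep-ra.key"
fi
```

If key_matches_cert reports "mismatch" for a restored backup, the certificate is unusable with that key and the revoke-and-reissue path described above is the only option; no amount of re-importing the certificate will help.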


Re: [Openca-Users] 0.9.2-RC6 won't make on OpenBSD 3.5

2004-09-11 Thread dalini
Kevin wrote:
Hi All-
I'm not sure if I've found a bug in the code or if there is an
incompatibility, but can anyone comment on this?
i386/OpenBSD3.5 (most current)
/usr/local/src/OpenCA/openca-0.9.2-RC6 # gcc -v
Reading specs from /usr/lib/gcc-lib/i386-unknown-openbsd3.5/2.95.3/specs
gcc version 2.95.3 20010125 (prerelease, propolice)
  ^^
that's 'the problem' - it should compile with a newer gcc;
i haven't checked out what the exact problem with 2.95 and
apps.c is, but a newer gcc works with the code
greetings
dalini


Re: [Openca-Users] Certificate installation error

2004-08-27 Thread dalini
Dmitrij Mironov wrote:
Yes.
But after thinking a while I concluded that the lack of such a feature is by
design - downloading a private key by following a link in an email is unsafe.
yep
Email messages can be intercepted. So, IMHO, this feature will not be
realized...

not without a pwd-screen in front or some other countermeasure ;o)
greetings
dalini


Re: [Openca-Users] Changing the timezone...

2004-08-20 Thread dalini
Janez Pirc wrote:
Hello!
I was wondering, and really searching a lot through the files of OpenCA,
how to change the timezone of the shown date in the OpenCA interface? The next
step would be to localize it to the Slovene language, but first this...

All times in certificates are always UTC and so they get shown as UTC.
(this is RFC by the way ,o) and this feature doesn't exist right now...
but one could think of a configurable feature to show times in local
time... but a certificate would/should always contain utc timestamps
for the validity time... since this is the convention, and if you show dates
with the openssl interface or in your webbrowser you will also see utc
timestamps from the certificate

or maybe something like firefox does:
29.06.2004 19:47:29
(29.06.2004 17:47:29 GMT)
so the first line is the data from the cert and below it's shown in local
time... but this would become a bit uncomfortable for listviews - so the
suggestion from above may be more reasonable... and during
configuration of the interface one can decide how timestamps from certs
and so on get shown to the user (like in the certs or in local time)

So, any help?
if there isn't already a feature request for this - just make one...
(at sourceforge) and it may become part of a future release ,o)
so the point is: if this feature is very important for you, you may
'fix' this by yourself - that's what opensource is for - and if you send the
patches we may be able to apply them to the current code...

there is a dir: .../lib/cmds/ there you will see view*, edit*, lists
commands which may have to be changed (i would suggest a function show_date()
which, depending on config, shows the real or the local date)

sorry - no more help for this at the moment...
at least i don't remember we had something already which would do the
trick ;o)

greetings
dalini


Re: [Openca-Users] SCEP key sizes for Cisco

2004-08-13 Thread dalini
Tiller, Robert wrote:
fyi,
As a side note to SCEP with Cisco, the root ca key size must be 2048 bits
or less in order to import into the Cisco device.
yes, hmm, i should add this to the 'guide' too, but usually this is also
mentioned in the cisco documentation for the systems supporting
rsa-keys... if i'm right, the 'client' certs should also not exceed
2048 bit ,o)

dalini


Re: [Openca-Users] Problems with DN

2004-08-10 Thread dalini
leonardo wrote:
Hi
I want to store Certificates in LDAP, but for organisational reasons my
DN must look like:
uid=user unique id -name, cn= Domain Users, ou = ici, dc =
curitiba, dc = org , dc = br

1) does OpenCA work with the uid attribute in the DN?
yes, this should work fine, actually
2) how can I configure OpenCA to work with the uid attribute in the DN and
export these certs to LDAP?

you just have to adapt the ldap settings, if i don't miss something ,o)
greetings
dalini


Re: [Openca-Users] openca-sv: Segmentation fault

2004-08-10 Thread dalini
Segmentation fault
This is the case on two different Debian-Sarge Machines with newest CVS, 
0.9.2-RC6 and openca-SNAP-20040730.
That could point to a mistake on my side, but i do not know, where to 
start looking.

openssl version? 0.9.7d is broken at pkcs#7 functionality
this may cause the segfault
greetings
dalini



Re: [Openca-Users] pkcs7 verify data returned status 0x707 (scep enrollment)

2004-07-30 Thread dalini

./sscep: pkistatus: SUCCESS
./sscep: cannot find requested certificate
should i post verbose debug information here?
no, that's the thing i already mentioned: sscep will give an error here,
because i had 'add serial to dn' switched on at the ca, so the dn of the
request does not match the dn of the issued certificate and sscep doesn't
like this...

so the test is actually ok ,o)
greetings
dalini


Re: [Openca-Users] pkcs7 verify data returned status 0x707 (scep enrollment)

2004-07-29 Thread dalini
Konstantin Khrooschev wrote:
Ives Steglich wrote:
Ives Steglich wrote:
no not automatic - i will issue a cert
wait 5min
damn i missed some special attributes, so this will not work with cisco
and sscep will throw an error, since i issue with serial in dn at the
moment, but it should show you if the cert gets through or not...
and if the system is working

test-cert is issued now 

[EMAIL PROTECTED] sscep]$ ./sscep enroll -f sscep.conf
./sscep: sending certificate request
./sscep: valid response from server
./sscep: pkistatus: PENDING
yes, you should let it run till it tries the second time; i have to
look, but my first reply from the scep-interface seems to always be a
pending state *g*

so maybe change the retry time to 10sec or something, start the
command again and wait for the second reply... (this should be either
the cert or a failure state but not pending again, i think; as far as this
is my current experience with cisco and sscep, it works but it needs
a second request, i will fix this later, since it's not a huge problem)

greetings
dalini


Re: [Openca-Users] OT: Assign a Certificate for SSL-Validarion to a website in Mozilla

2004-07-28 Thread dalini
Oliver Welter wrote:

When I choose autoselect certitificate in Mozilla it will choose the 
wrong one, so all Certificate Siging is done with my User cert and 
preventing the automated issue on the CA side

i think mozilla just uses the cert with the highest serial from the
matching ca - or the newest one, since it doesn't know what a user and an
ra or ca-operator is, so the idea behind it is: the newest one or the cert
with the highest serial must be the actual one..., in the manual list also
always the cert with the highest number is on top, so i think they just
do this

so an idea could be to issue a certificate with a very high serial
number and then set the serial counter of openssl back and 'lock' this
used number (but i think this would happen automatically, since openca
detects there is a cert with such a serial already, so you won't
overwrite it, you just had to change the manual maybe)

yeah that's not very clean, but it may solve your problem for the
moment...

greetings
dalini


Re: [Openca-Users] pkcs7 verify data returned status 0x707 (scep enrollment)

2004-07-28 Thread dalini
Konstantin Khrooschev wrote:
Ives Steglich wrote:
Ives Steglich wrote:
  - sscep with attached configuration
can be found here:
http://lab.x-dense.org/openca/test.conf
greetings
dalini
sorry for wasting your time, other projects require my attention :-(
now i tried the test scep server you published at
http://pki.fem.tu-ilmenau.de/operating/006/pub/cgi-bin/scep/scep.
and it says my csr is pending.
is it a fully automatic test ca, or do i need to contact the administrator to
process my request?

no, not automatic - i will issue a cert
wait 5min
dalini


Re: [Openca-Users] pkcs7 verify data returned status 0x707 (scep enrollment)

2004-07-23 Thread dalini
Konstantin Khrooschev wrote:
mv key.pem key.pem.save
openssl rsa -in key.pem.save -out key.pem
is that enough?
i think so - otherwise open-ca gives the option to get it already
mod_ssl ready (meaning the pem formatted key and cert), but this should work too

what does the scep command show if you call it in a browser like:
http://domain/pub/cgi-bin/scep/scep for example
 Error 700
 *General Error*. This interface is only for SCEP..

that's ok, just to verify there are no configuration errors,
since in the recent cvs version there were some config options missing
which get shown here...
Server version: Apache/1.3.26 (Unix) Debian GNU/Linux
k, that i have too
so what does sscep do so far? did you get it working?
ah yeah - before i forget - hehe there is a little 'bug' in sscep:
it calls the server by its ip, so vhosts get broken (but then you should
get a 404 back..., check the logs of your webserver)
i sometimes fell over this little issue of sscep...
(i will ask jarkko to make it configurable whether ip or fqdn gets used)

in case not, you are free to give (as far as you can go outside your
network) the scep interface named in the test.conf a try
http://pki.fem.tu-ilmenau.de/operating/006/pub/cgi-bin/scep/scep
or
http://pki.fem.tu-ilmenau.de/operating/006/pub/cgi-bin/scep/pkiclient.exe
(this is an actual testing cvs version of openca running)

in future there will be a public testing installation found at:
http://lab.x-dense.org/openca
greetings
dalini


Re: [Openca-Users] Problems with database

2004-07-09 Thread dalini
Oliver Welter wrote:
Hi Johnny,
look at your config.xml (openca/etc/)
section database config
First Item dbmodule must be DBI - I think you have DB here and so 
OpenCA uses a flatfile as database

he uses 0.9.1.8 ;o) - there is no config.xml
dalini


Re: [Openca-Users] publish certificates for CA with more than one Level

2004-07-06 Thread dalini
Oliver Welter wrote:
Now I want to publish the root and the OpenCA signers certificate 
together in one file...

just concatenating the PEMs together fails - can anyone give me a hint?
Similar question: How about publishing the CA Certs together with the
User certificate in one file?
p12 and pkcs#7 are appropriate container files which can provide the
requested functionality ;o)

so check out the openssl p12 and openssl pkcs7 commands...
usually there is already a makefile in the chain dir... which realizes the
ca-cert hierarchy stuff, if i have this right in mind...

greetings
dalini
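For the two questions above (root plus signing-CA certificate in one file, and user certificate plus chain in one file) the openssl subcommands that build the containers are crl2pkcs7 (a certificate-only PKCS#7, read back with openssl pkcs7) and pkcs12 (a PKCS#12 that also carries the private key). The script below is an added example, not OpenCA's chain makefile or any code from the thread; the three-level hierarchy Root CA, Signing CA, user certificate and all file names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not OpenCA code): bundle a CA chain into a PKCS#7 file
# and a user certificate with its chain and key into a PKCS#12 file, then
# read both back. The hierarchy is constructed here for the demo.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed hierarchy: Root CA -> Signing CA -> user certificate.
make_chain() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.crt" 2>/dev/null
    # The intermediate must carry CA:TRUE and keyCertSign or it will not
    # be accepted as an issuer during path validation.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$WORK/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Signing CA" \
        -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/sub.csr" -CA "$WORK/root.crt" \
        -CAkey "$WORK/root.key" -CAcreateserial -extfile "$WORK/ca.ext" \
        -out "$WORK/sub.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=alice" \
        -keyout "$WORK/user.key" -out "$WORK/user.csr" 2>/dev/null
    openssl x509 -req -days 2 -in "$WORK/user.csr" -CA "$WORK/sub.crt" \
        -CAkey "$WORK/sub.key" -CAcreateserial -out "$WORK/user.crt" 2>/dev/null
}

# CA chain as one PKCS#7 file $1 (degenerate SignedData, certs only).
bundle_chain_p7() {
    openssl crl2pkcs7 -nocrl -certfile "$WORK/root.crt" \
        -certfile "$WORK/sub.crt" -out "$1"
}

# Number of certificates inside PKCS#7 file $1.
count_p7_certs() {
    openssl pkcs7 -in "$1" -print_certs -noout | grep -c '^subject'
}

# User certificate + private key + CA chain as one PKCS#12 file $1,
# protected with password $2.
bundle_user_p12() {
    cat "$WORK/sub.crt" "$WORK/root.crt" > "$WORK/chain.pem"
    openssl pkcs12 -export -in "$WORK/user.crt" -inkey "$WORK/user.key" \
        -certfile "$WORK/chain.pem" -name alice -passout "pass:$2" -out "$1"
}

# Number of certificates PKCS#12 file $1 (password $2) carries.
count_p12_certs() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys | grep -c 'BEGIN CERTIFICATE'
}

# "OK" if the user certificate validates up to the root through the
# intermediate, "FAIL" otherwise; bundling a chain that does not
# validate only moves the problem to the client.
verify_user_cert() {
    if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/sub.crt" \
            "$WORK/user.crt" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}

# Stand-alone demo: run with DEMO=1.
if [ "${DEMO:-0}" = 1 ]; then
    make_chain
    bundle_chain_p7 "$WORK/chain.p7b"
    bundle_user_p12 "$WORK/alice.p12" export-secret
    echo "chain.p7b certs: $(count_p7_certs "$WORK/chain.p7b")"
    echo "alice.p12 certs: $(count_p12_certs "$WORK/alice.p12" export-secret)"
    echo "user cert path:  $(verify_user_cert)"
fi
```

The PKCS#12 password protects the private key inside the file, so it has to travel to the user over a different channel than the file itself.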


Re: [Openca-Users] dual-key usage with OpenCA

2004-07-02 Thread dalini
Michael Konietzka wrote:
Does anyone see some mantraps or failures in this workflow
before I start configuring and coding.
i think its a good idea, and therefore i have put it to the dev list ;o)
(forwarded)
greetings
dalini


Re: [Openca-Users] CSR with IE fails

2004-07-02 Thread dalini

@Til: Same problem occurs with your pub-interface (RC4)
and the dalini-Interface 0.9.1.8 (?)
what is the dalini-interface 0.9.1.8? ;o)
greetings
dalini


Re: [Openca-Users] RBAC error with 0.9.2RC5+

2004-06-30 Thread dalini
Chris Covell wrote:
Dalini,
On Tuesday 29 June 2004 17:48, dalini wrote:
Any ideas ?
yes, but no good news... i'm just trying to trace down this problem;
this is related to all browser-based signing being broken at the moment
somehow...

thanks for this! I shall have a look too, (but don't hold your breath!!!).
actually - i'm that far that the code itself seems to be fine in most
cases, since i got the pub-user-test certificate working

the problem there was: the signing text had a \n at the end, but the
text used to verify against didn't have a \n at the end - so the verify
fails... i just removed all \n inside the text for generating the
signature - and it just worked...

the certificate could be verified as valid
so i guess - the current problems mainly result from missing or added
bytes in the text or data to be proofed...

but i haven't localized for sure where this happens...
i think it could be part of the internationalization code, but i'm not sure
since:
the pkcs7, openssl and openca-sv code seems to be fine in general
to test the above - you just go to: .../lib/cmd/test_cert line 13
i removed all \n and the whole thing worked...
if i insert a \n somewhere in the to-be-signed text - the verification
breaks... that means - there is a converting problem with \n, most
probably it gets translated to \n\r or something, i will check the
hexcode of the data file used for verification

the question is - where does it get converted/changed so verification
breaks...

since in other to-be-signed stuff \n is used, or a byte in the
challenge with the same meaning - this is our troublemaker i guess...

if we find this - i think fixing is a question of some minutes ;o)
greetings
dalini
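The failure described above (signature made over text with a trailing \n, verification run against text without it) is easy to reproduce outside OpenCA, and doing so is a quick way to tell a byte-level mismatch apart from a broken PKCS#7 implementation. The script below is an added example, not code from OpenCA, openca-sv or the thread; the self-signed signer certificate and the two sample texts are constructed for the demonstration. One caveat it shows explicitly: openssl smime converts the input to canonical CRLF line endings unless -binary is given, which is exactly the kind of \n to \r\n translation the message above suspects, so the flag is used on both the signing and the verifying side here.

```shell
#!/bin/sh
# Added example (not OpenCA code): show how one trailing newline in the
# data used for verification breaks an otherwise good detached PKCS#7
# (S/MIME) signature. Signer certificate and sample text are constructed.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_signer() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=signer test" \
        -keyout "$WORK/signer.key" -out "$WORK/signer.crt" 2>/dev/null
}

# Constructed stand-in for a signed challenge: identical text, once
# without and once with a trailing newline.
make_samples() {
    printf 'user=alice role=RA Operator nonce=12345' > "$WORK/challenge.txt"
    printf 'user=alice role=RA Operator nonce=12345\n' > "$WORK/challenge_nl.txt"
}

# Detached PKCS#7 signature over the exact bytes of $1, written as DER
# to $2. -binary stops openssl from canonicalising line endings to CRLF,
# so what is signed is exactly what is in the file.
sign_detached() {
    openssl smime -sign -binary -in "$1" -signer "$WORK/signer.crt" \
        -inkey "$WORK/signer.key" -outform DER -out "$2" 2>/dev/null
}

# "valid" if signature $1 verifies over content $2 and the signer chains
# to the trusted certificate, "invalid" otherwise.
verify_detached() {
    if openssl smime -verify -binary -inform DER -in "$1" -content "$2" \
            -CAfile "$WORK/signer.crt" -out /dev/null >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

# Last byte of file $1 as od -c prints it; a stray \n (or \r\n) at the end
# is the first thing to look for when a signature fails to verify.
last_byte() {
    tail -c 1 "$1" | od -An -c | tr -d ' '
}

# Stand-alone demo: run with DEMO=1.
if [ "${DEMO:-0}" = 1 ]; then
    make_signer
    make_samples
    sign_detached "$WORK/challenge.txt" "$WORK/challenge.p7s"
    echo "same bytes:       $(verify_detached "$WORK/challenge.p7s" "$WORK/challenge.txt")"
    echo "trailing newline: $(verify_detached "$WORK/challenge.p7s" "$WORK/challenge_nl.txt")"
    echo "last byte of challenge_nl.txt: $(last_byte "$WORK/challenge_nl.txt")"
fi
```

When chasing such a mismatch in a real workflow, dump both the bytes that were signed and the bytes handed to the verifier with od -c and diff them; the differing byte is usually at the very end or a line terminator.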


Re: [Openca-Users] Dataexchange

2004-06-30 Thread dalini
Nuno Dias wrote:
Hi,
Someone can help with this two questions ?
http://www.mail-archive.com/openca-users%40lists.sourceforge.net/msg05438.html
http://www.mail-archive.com/openca-users%40lists.sourceforge.net/msg05436.html
The first is mine, the second is from Gregor Bethlen but the question
is basically the same issue ...
One CA, two RA's, when import certificates from CA, all certificates
in CA are import to the RA, they have been or not requested from that
RA.
There is a way to import from CA only certificates from one specific RA
?
Thank's
i think this is not implemented so far
but - that's why it's opensource ;o) - change it yourself
(ok, the code isn't perfectly documented, so the interaction makes
it quite heavy to get, but not tooo much..., one just has to look at
some parts which are working with the headers and dataexchange to
understand what's going on)

so if you need this - maybe you can write some code;
it should be possible - through the request id - to find out
if a cert is from a certain part of the ca or not and should
be 'delivered' or not... since every module has its own id,
so the importing module should check, maybe the exporting, but
i don't know if this will work so easily... i think the other
approach is simpler to handle...
from the point of security of course the second approach - so the
exporter of sensitive data decides - is safer - of course ;o)
but this would mean changing the node-interface too, since there is
only export to lower - which includes all lower nodes...

but i don't have time for such things at the moment... sorry,
first the verification problems have to be solved
greetings
dalini


Re: [Openca-Users] Multiple OU in DN ?

2004-06-29 Thread dalini
Michael Konietzka wrote:
So not only OU can occur multiple, *every* AttributeType can occur 
multiple, can't it?

sure, you just have to set up your configuration regarding your needs
and the ldap config too ;o) so it can handle the used dn
greetings
dalini


Re: [Openca-Users] RBAC error with 0.9.2RC5+

2004-06-29 Thread dalini
Chris Covell wrote:
Any ideas ?
yes, but no good news... i'm just trying to trace down this problem;
this is related to all browser-based signing being broken at the moment
somehow...
so x509 based login doesn't work either... so once i have this little
shiny thing traced and eliminated, all those signing based problems
should be gone...
i'm a bit short on time at the moment, but i'll do my best
to get this back working asap;
the signing csr and crr stuff should work again too then...
greetings
dalini


Re: [Openca-Users] Which RFC defines X.509v3 certficates??

2004-06-29 Thread dalini
Johnny Gonzalez wrote:
Hello everybody,
Can anyone tell me which RFC defines X.509v3
certificates? And if OpenCA fits to that standard?
openca uses openssl, openssl implements the cryptographic standards
we 'just' provide an interface on top, to put it abstractly...
which enables you to implement a certain pki structure and policy
(workflow, who does what at which step... and so on)
so openssl provides the technology - we provide the logic or better
the framework for the logic/workflow above
openssl supports v3 certificates, you can set up the needed attributes
in the extension files inside the etc structure...
this page gives a quite good overview of relevant and available rfcs for x509 ;o)
http://www.networksorcery.com/enp/data/x509.htm
so in general you want to look at:
[RFC 2459] Internet X.509 Public Key Infrastructure Certificate and CRL Profile.
* Obsoleted by: RFC 3280.
which means: read RFC 3280 for up-to-date information... since 2459 is from 1999 or
something
greetings
dalini



Re: [Openca-Users] LDAP cn different from certificate DN

2004-06-28 Thread dalini
Oliver Welter wrote:
I want to store Certificates in LDAP, but for organisational reasons my 
DN must look like:
cn=cryptic-uid,ou=..

The Certificates should look like
cn=My Real Name,ou=.
1) How can I setup OpenCA to do this
2) Will Mailclients (Mozilla, Outlook) find the certificate by name ?
hmm, i think you will need a wrapper around the ldap...
so that any request gets 'translated' before it gets into the
database and if a request gets there
but the data inside the certificate will always be cn=my real name
that's simply because this data has been signed by the ca and
can't be changed...
but the cn in ldap isn't signed - so it's free to modify the ldap
entry - the certificate itself is usually just a binary block
i hope this helps ;o)
greetings
dalini


Re: [Openca-Users] RC5: approve request with signing fails

2004-06-18 Thread dalini
Michael Konietzka wrote:
Michael Konietzka wrote:
Hi
I updated from RC4 to RC5.
When approving a CSR with signing i get the following error:
Fehler 6206
 Allgemeiner Fehler. Es konnte kein PKCS#7-Objekt aus der 
extrahierten Signatur erstellt werden!
OpenCA::PKCS#7 gab den Fehlercode 7911031 zurück
(Die Signatur konnte nicht initialisiert werden (7912021).
Die Signatur eines PKCS#7-Objektes konnte nicht ausgewertet werden 
(7921031).
 Der Unterzeichner konnte nicht ausgelesen werden (). )..

Well, this bug is already filed in
http://sourceforge.net/tracker/index.php?func=detailaid=969515group_id=20873atid=120873 

Ashes on my head ;-)
The surprise for me is that i didn't have any problems signing
requests with RC4.
the filed bug is for CRR, you are talking about CSR - or did you mix up
the two types? ;o)
the one is a revocation request (rr) and the other one is a new certificate
request aka signing request (sr)

but i will do some more testing in the evening
greetings
dalini
---
This SF.Net email is sponsored by The 2004 JavaOne(SM) Conference
Learn from the experts at JavaOne(SM), Sun's Worldwide Java Developer
Conference, June 28 - July 1 at the Moscone Center in San Francisco, CA
REGISTER AND SAVE! http://java.sun.com/javaone/sf Priority Code NWMGYKND
___
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users


Re: [Openca-Users] OpenCA RC5 webfrontend and Sendmail

2004-06-18 Thread dalini
Sergio Avila wrote:
step by step, how would it be to create a certificate and key pair for use
with the sendmail daemon?

 

ok, in general: you create a cert request, with server-side key
generation (basic request)
you put into the request: as common name the dns name of your sendmail box
in the additional fields you put the dns name again and the ip address (if you
like)

then you process it through the pki - and finally you can export it as
mod_ssl
you get shown a page with key (unsecured) and cert in pem format which you
copy and paste into two separate files, one for the key, one for the cert

those two files you put into the filesystem, make them readable only for
the sendmail daemon and put into the sendmail config the path to those
two files... but this should be written in detail in the sendmail
configuration documentation, of course you have to give the ca-cert file
(usually pem formatted) too to the sendmail stuff... you can also fetch
this through the webfrontend

i hope it's detailed enough, even if it's not step by step
for anybody else out there - if you have step-by-step guides ready or
want to provide some for us - they are always welcome, so we can put them
into the documentation, as examples - how to generate certs for special
uses... like sendmail/apache/ldap/and so on... (which are basically
always the same, regarding the part for cert generation i guess ;o)

greetings
dalini


Re: [Openca-Users] User's Browser Request - SPKAC

2004-06-18 Thread dalini
Nuno Dias wrote:
Hi,
When i request a user certificate in the public interface, i fill the form,
and one of the fields is Choose a keysize, i chose 1024 for
example.
Then i press continue and i get the Confirm Certificate Request page.
On this page i get again the option to choose a keysize ??!
If i chose the keysize on the earlier page, why do i need to choose again?
Is there a way to disable this second choice?
Thanks

 

no, unfortunately there is no such choice, since the second key-size is
produced by the browser itself
and it can't be set to the previously chosen size... so you have to set
it twice at the current state of the code

maybe we can think about leaving out the first one for spkac requests,
since the key-size will be available in the request anyway...
i'll see at the weekend if there will be problems with leaving out the
first one, and what the other developers think about it

greetings
dalini


Re: [Openca-Users] User's Browser Request - SPKAC

2004-06-18 Thread dalini
Nuno Dias wrote:
Hi,
On the Confirm Certificate Request page, is there any way to only permit a
keysize of 1024?
Thanks
 

no, the key_creation object will show all key-sizes supported by your
browser
there are no parameters... so it can't be limited

this is a proprietary netscape-based html tag
<KEYGEN NAME="newkey" CHALLENGE="NO_CHALLENGE">
keygen only supports the challenge tag... so for mozilla based browsers
this will be a known issue which can't be disabled so fast... i would need
an additional optional (so it stays compatible with older netscape versions)
attribute which limits the available keysizes or something
so it basically means - code changes in the mozilla code and a redefinition
of this proprietary html tag...
or to use a different approach for mozilla/netscape based certificate
requests...

greetings
dalini


Re: [Openca-Users] Mozilla 1.7 / secclab

2004-06-18 Thread dalini
Michael Konietzka wrote:
Hi,
I upgraded my browser from Mozilla 1.6 to Mozilla 1.7.
The crypto seems to work fine so there is no need for secclab-plugin 
with Mozilla 1.7 I think.
As an improvement the crypto accepts my sign-only certificate 
without complaints. With secclab
I had the problem that only signencrypt-certificates were accepted.

yes, we 'pushed' the crypto code into the 1.7 tree, since it has
basically been available for one or even two years, but never made it
into the main tree... but finally it's in... and of course with help of
many people asking at this open issue at the mozilla bug tracker - hehe,
there should be some mails on this list too, which document the heavy
efforts to get it in...

greetings
dalini


Re: [Openca-Users] workflow

2004-06-09 Thread dalini
Til Obes wrote:
4. what's the sense of loa? What do i need this for?
 

if you don't need/use it - you can disable it in etc/server/ra.conf or
ca.conf, there is an option
use_loa, set it to no and you won't see it again ;o)

you can also adapt those levels and so on...
greetings
dalini
---
This SF.Net email is sponsored by: GNOME Foundation
Hackers Unite!  GUADEC: The world's #1 Open Source Desktop Event.
GNOME Users and Developers European Conference, 28-30th June in Norway
http://2004/guadec.org
___
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users


Re: [Openca-Users] DIFFERENT HOUR FROM OPENCA THAN MACHINE'S

2004-06-07 Thread dalini
Diego I. Rosso wrote:
Does anyone know why all my certificates are created, revoked, etc. with a different hour than the machine's (exactly 3 hours, could it be GMT or something like that?)
Where can i check or correct that?


usually it is mentioned inside the certificate which relation and which
timebase is used:

Valid From  Jun 3 23:57:51 2004 GMT
Expiration on   Jun 3 23:57:51 2005 GMT
so you see GMT ;o)
so that means it's 'different' from your local time
but not really: if you issue it at a specific local
time this is 'just' transformed to the general GMT
without any +/-
but one has to keep that in mind if he reads the
time and looks at his watch... yeah ;o)
because the offset of your time to gmt you know
but if someone in a different timezone uses a cert, he doesn't necessarily
know - even if it's stated there, so it's simpler just to add the correction of
his own timezone to gmt than to calculate the difference to the
issuing timezone - i think, so simply everybody uses gmt for certs

so rfc3280 [http://rfc.sunsite.dk/rfc/rfc3280.html] says:
4.1.2.5  Validity
   The certificate validity period is the time interval during which the
   CA warrants that it will maintain information about the status of the
   certificate.  The field is represented as a SEQUENCE of two dates:
   the date on which the certificate validity period begins (notBefore)
   and the date on which the certificate validity period ends
   (notAfter).  Both notBefore and notAfter may be encoded as UTCTime or
   GeneralizedTime.
   CAs conforming to this profile MUST always encode certificate
   validity dates through the year 2049 as UTCTime; certificate validity
   dates in 2050 or later MUST be encoded as GeneralizedTime.
   The validity period for a certificate is the period of time from
   notBefore through notAfter, inclusive.
greetings
dalini
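
As an added illustration of the GMT point in the mail above (example code written for this archive, not from the list or from OpenCA): encoding a certificate time the way RFC 3280 section 4.1.2.5 prescribes, then reading it back in a reader's own timezone. The UTC-3 offset and the 2004 timestamp are constructed to match the "3 hours" question; the function names are my own.

```python
from datetime import datetime, timedelta, timezone


def encode_x509_time(moment):
    """Encode an aware datetime as RFC 3280 section 4.1.2.5 requires.

    The value is first converted to UTC (the "GMT" shown when a certificate
    is printed), so the issuer's local timezone never appears in the
    certificate. Years through 2049 become UTCTime with a two-digit year,
    2050 and later become GeneralizedTime. Returns (asn1_type, text).
    """
    if moment.tzinfo is None:
        raise ValueError("need a timezone-aware datetime")
    utc = moment.astimezone(timezone.utc)
    if utc.year <= 2049:
        return "UTCTime", utc.strftime("%y%m%d%H%M%SZ")
    return "GeneralizedTime", utc.strftime("%Y%m%d%H%M%SZ")


def decode_x509_time(asn1_type, text):
    """Decode a UTCTime or GeneralizedTime string (Zulu form) to a UTC datetime."""
    if not text.endswith("Z"):
        raise ValueError("certificate times must be in UTC (trailing Z)")
    if asn1_type == "UTCTime":
        yy = int(text[0:2])
        # RFC 3280 4.1.2.5.1: YY >= 50 means 19YY, YY < 50 means 20YY
        year = 1900 + yy if yy >= 50 else 2000 + yy
        body = text[2:-1]
    elif asn1_type == "GeneralizedTime":
        year = int(text[0:4])
        body = text[4:-1]
    else:
        raise ValueError("unknown time type %r" % asn1_type)
    if len(body) != 10 or not body.isdigit():
        raise ValueError("expected MMDDHHMMSS after the year")
    month, day, hour, minute, second = (int(body[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def local_view(asn1_type, text, utc_offset_hours):
    """The same instant as a reader in a zone with the given UTC offset sees it."""
    zone = timezone(timedelta(hours=utc_offset_hours))
    return decode_x509_time(asn1_type, text).astimezone(zone)


def validity_contains(not_before, not_after, moment):
    """RFC 3280: the validity period is notBefore through notAfter, inclusive."""
    return not_before <= moment <= not_after


def demo_issuance():
    """Constructed sample: a cert issued at 20:57:51 local time in a UTC-3 zone."""
    issued_locally = datetime(2004, 6, 3, 20, 57, 51,
                              tzinfo=timezone(timedelta(hours=-3)))
    return encode_x509_time(issued_locally)


if __name__ == "__main__":
    asn1_type, text = demo_issuance()
    print(asn1_type, text)                  # UTCTime 040603235751Z
    print(local_view(asn1_type, text, -3))  # 2004-06-03 20:57:51-03:00
    print(encode_x509_time(datetime(2050, 1, 1, tzinfo=timezone.utc)))
```

The "3 hours" in the question is exactly the UTC-3 offset: the certificate stores 23:57:51 GMT, and a reader adds their own offset to get back to the local clock.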


Re: [Openca-Users] typo in Configuration.pm

2004-06-02 Thread dalini
Michael Bell wrote:
Hi,
I fixed it in my sources. I commit it in the evening. BTW it will be part
of the snapshot on friday. The next RC is scheduled for monday next week.
 

i hope i get the individual issuing time running by then ;o)
the ra part is already finished... so it's possible to store the
number of days of validity of a certificate at the ra-interface
just have to change the ca-code/the cert-issuing code for
checking the new header-field and overwrite the config-file
default value...
btw: i also fixed a small mistake with the loa-stuff, when you set a
role in the request on the public interface or so, at the ra it always had
been set to the lowest again... this should now not happen anymore, and
the requested loa should be shown at the ra interface ;o)

i will submit the changes if the full chain for individual issue-times
is working - i think this will be tomorrow or friday, so it should be
also part of the next rc...

boundary checks for issuing days will be the next improvement at this feature
(min/max issuing time in relation to requested role, automatic checking
and adaptation of it)
@michael: i think i can encapsulate this also at the ra with quite
little effort... so no big changes are required for this at the moment,
since this can be easily included at the header-saving-routine for the
days at the request and change code, so no changes at issuing code will
be necessary to get this working and the ca will stay clean of these
changes, imho..., but this is stuff for next week ;o)

greetings
dalini
---
This SF.Net email is sponsored by the new InstallShield X.
From Windows to Linux, servers to mobile, InstallShield X is the one
installation-authoring solution that does it all. Learn more and
evaluate today! http://www.installshield.com/Dev2Dev/0504
___
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users


Re: [Openca-Users] cvs tree

2004-05-28 Thread dalini
Laurent Mesuré wrote:
hi,
when i use the cvs tree what is the version of openca downloaded?
0.9.2
greetings
dalini
---
This SF.Net email is sponsored by: Oracle 10g
Get certified on the hottest thing ever to hit the market... Oracle 10g. 
Take an Oracle 10g class now, and we'll give you the exam FREE.
http://ads.osdn.com/?ad_id=3149&alloc_id=8166&op=click
___
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users


Re: [Openca-Users] cvs tree

2004-05-28 Thread dalini
dalini wrote:
Laurent Mesuré wrote:
hi,
when i use the cvs tree what is the version of openca downloaded?
0.9.2
that means - if you just call cvs - of course you can also fetch an older
version... if you provide the right tag (i just don't have it in mind
right now ;o)

greetings
dalini


Re: [Openca-Users] mutliple eMail Adds in the certifiacte

2004-05-27 Thread dalini
Oliver Welter wrote:
Hi Folks,
I need more than one eMail Address in my certs - anyone successfully 
expanded the frontend to do this ??

what about:
subject = primary mail
subject alt name = alternative emails...
you can extend the number of attributes for the sub alt and subject for
each interface...

i think this should work, since it is also possible to add more than one
dns and so on through the sub alt fields...
hope this works... haven't tried this so far with emails ;o)

greetings
dalini



Re: [Openca-Users] RC4: batch processors and pkcs12

2004-05-26 Thread dalini
Michael Konietzka wrote:
Do you use a special printer for the PINs like a bank for the ec-card or
credit-card PINs? Does anyone know how those printers are named, because
google
with the query pin printer isn't very successful.

you don't need a special printer - there is special paper available
i had this from my health insurance (Krankenkasse), they used this for the online access
you print with a normal printer - but can't read it - just the recipient can
and he can see if it has been manipulated
i'll try to find this piece of paper again - then i can tell you how
it's named...

greetings
dalini


Re: [Openca-Users] bugzilla anywhere?

2004-05-19 Thread dalini
Michael Bell wrote:
No, you are missing nothing. We deactivated the bugtracking system on
sourceforge some time ago because there was only a small number of users.
Today the load on the mailing lists is much higher. I would activate the
BTS again but perhaps there are other comments from developers. So I will
wait until monday and then ask Max to activate the BTS again.
i think it's a good idea ;o) - to activate it
since i yesterday discovered some bugs in granting certs
when using the + fields for subjects, when we traced down some problems
with the scep and pix stuff...

i'll put some hints for granting cisco-equipment certs on the list in the
next few days... since the issue is closely related to the above mentioned
problem

details follow up soon - yeah - i know... but it's late, the birds are
singing and i need some sleep... ;o)

greetings
dalini



Re: [Openca-Users] Still can't get the CISCO stuff to work...

2004-05-19 Thread dalini
dalini wrote:
so i guess - this is just a small problem somewhere but a bit tricky to
locate... since i have this running with pix 'without' problems - in
early stages of scep-getting-ready-to-really-work i had some nightmares
with this stuff... because some hints in the cisco docs are easy to overlook
but important to follow to get things working properly...

yeah - we traced it down - and it's kind of tricky but simple to solve
;o) - so in short for all

if you get a (scep) request from cisco hardware (this is for pix but
other cisco equipment should be similar) - please EDIT it the following way:

set subject alt name to:
IP : ipaddress
DNS: FQDN
!!!IMPORTANT!!!
change the subject
if you have the bottom line with
cn: fqdn + unstructured... + unstructured... or similar
clean up all + fields! otherwise you end up like jörg with strange
behavior and non-issued certs and so on

set up the subject as follows:
first field (top) and only fill the left-side fields - no + fields at the
bottom! since this seems to be buggy and doesn't work right at the moment

unstructuredAddress: IP
unstructuredName: FQDN
cn: FQDN
ou, o, c or dc as needed by your organisation
this should work
i hope i did post something understandable *g* - kind of late
so have a nice day - hehe
greetings
dalini
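
A worked illustration of the '+' field problem described in the mail above (an added example for this archive, not OpenCA's code): a small RFC 2253-style subject parser that spots multi-valued RDNs, splits them into single-valued RDNs the way the edit form wants them, and builds the subject layout recommended above. The sample subject string, the hostname pix.example.com and the helper names are constructed.

```python
def _split_unescaped(text, sep):
    """Split text on sep, keeping RFC 2253 backslash escapes intact."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            current.append(text[i:i + 2])   # escaped char stays with its backslash
            i += 2
            continue
        if ch == sep:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return parts


def parse_dn(dn):
    """Parse 'type=value,type=value+type=value' into a list of RDNs.

    Each RDN is a list of (type, value) pairs; a list longer than one is a
    multi-valued RDN, the '+' form the mail says to clean up before
    approving a Cisco SCEP request.
    """
    rdns = []
    for rdn_text in _split_unescaped(dn, ","):
        avas = []
        for ava in _split_unescaped(rdn_text, "+"):
            if "=" not in ava:
                raise ValueError("attribute without '=': %r" % ava)
            attr_type, value = ava.split("=", 1)
            avas.append((attr_type.strip(), value.strip()))
        rdns.append(avas)
    return rdns


def multivalued_rdns(rdns):
    """The RDNs that would show up as '+' fields in the OpenCA edit form."""
    return [rdn for rdn in rdns if len(rdn) > 1]


def flatten_rdns(rdns):
    """Turn every multi-valued RDN into consecutive single-valued RDNs."""
    return [[ava] for rdn in rdns for ava in rdn]


def format_dn(rdns):
    """Render RDNs back to the comma/plus string form."""
    return ",".join("+".join("%s=%s" % ava for ava in rdn) for rdn in rdns)


def recommended_pix_subject(fqdn, ip, org_rdns):
    """Subject layout recommended in the mail above, one value per RDN.

    org_rdns is a list of (type, value) pairs for ou/o/c/dc as needed.
    """
    rdns = [[("unstructuredAddress", ip)], [("unstructuredName", fqdn)], [("cn", fqdn)]]
    rdns.extend([ava] for ava in org_rdns)
    return rdns


# Constructed sample in the shape of a Cisco SCEP request subject
# (hostname made up, the '+' RDN is the problematic part).
PIX_SUBJECT = ("serialNumber=206,"
               "unstructuredName=pix.example.com+serialNumber=87CE1234,"
               "cn=pix.example.com")


if __name__ == "__main__":
    rdns = parse_dn(PIX_SUBJECT)
    print("multi-valued RDNs:", multivalued_rdns(rdns))
    print("flattened:", format_dn(flatten_rdns(rdns)))
    print("recommended:", format_dn(
        recommended_pix_subject("pix.example.com", "192.0.2.1",
                                [("o", "Example"), ("c", "DE")])))
```

Running multivalued_rdns over an incoming request subject is a quick way to spot the requests that need editing before approval; flatten_rdns keeps every attribute but gives each its own RDN, which is the "left-side fields only" layout the mail asks for.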




Re: [Openca-Users] Still can't get the CISCO stuff to work...

2004-05-18 Thread dalini
Jörg Bartz wrote:
..can anyone point me towards the email address of Micheal Weith - he seems to be the
pioneer in this case...
if i find some more time *g* - i can create a step by step guide
(for 0.9.2 cvs version) which works with:
- cisco pix 515 6.1 and up (verified - because i have it right here)
  including usage with cisco clients for vpn-auth
  - if necessary including aladdin etoken pro as cert stores
but not all like aladdin *g*
- sscep as an alternative linux client, also good for testing
  even if it's a bit sensitive to changes in the subject line...
  (i used it during finalizing the scep interface and scep-code for
   openca, since the cisco pix and scep-client have really bad debugging
   features - for tracing down problems and their reasons with scep)
but at the moment i have really limited time for those
extra detailed step by step guides ;o(... but i'll see if i get some
time... since i have to go through the whole process to document it
carefully so i can be sure it can be followed step by step and trace
down some common errors - to tell them in advance... this is really time
consuming and since my free time is limited it's not available right
now... (if you really don't get it working and need it fast - contact me
personally, and we will see how to get this working faster for you ;o)

but in general the scep-code should do the necessary things
and work just fine for these purposes with pix
other clients like the cisco vpn client and ssh sentinel can also
communicate through scep with the pki (i tested this too)

so i guess - this is just a small problem somewhere but a bit tricky to
locate... since i have this running with pix 'without' problems - in
early stages of scep-getting-ready-to-really-work i had some nightmares
with this stuff... because some hints in the cisco docs are easy to overlook
but important to follow to get things working properly...

greetings
dalini
you can also call me but not before 10 a.m. ;o): +49-3677-78 72 23
---
This SF.Net email is sponsored by: SourceForge.net Broadband
Sign-up now for SourceForge Broadband and get the fastest
6.0/768 connection for only $19.95/mo for the first 3 months!
http://ads.osdn.com/?ad_id=2562&alloc_id=6184&op=click
___
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users


Re: [Openca-Users] Error 6251043.

2004-05-17 Thread dalini
Roberto Hoyle wrote:
Given how often this error comes up, I have to ask, why is OpenCA 
checking this?  Isn't this really part of the web server configuration? 
 Instead of duplicating work that already exists in Apache, why not just 
make a document specifying how to configure it properly so that only the 
right symmetric keylength and/or protocol can access the server?

the answer is given several times in this mailing list
the standard configuration is set to https with a keylength of 128 bit
you can disable this in the configuration files - see documentation
and you have to tell apache to export the ssl variables and cert vars
this is in the list... and for some days also in the documentation...
(for sure in the cvs version or latest snapshot, but i'm not sure here...)
so this is mainly just a setup problem... nothing else
and it is documented in the latest cvs version - so just read the
documentation...

greetings
dalini


Re: [Openca-Users] Aproved REQUEST HOW TO

2004-05-14 Thread dalini
Diego I. Rosso wrote:
I have openca 0.9.1.7 ... i don't have xml config files... Do I find the same in the ca.conf file?

oops, ok, that's a problem ;o) - then my hint isn't the right one
i have to take a look into 0.9.1.7, i don't have enough knowledge about that
greetings
dalini


Re: [Openca-Users] 6292010 strikes again!

2004-05-13 Thread dalini
Michael Portz wrote:

ps: Is there any preferred installation sequence for
the above-mentioned config? I tried with either, i.e.
 make install-ca
 make install-ra
 make install-node
and
 make install-node
 make install-ra
 make install-ca
and noticed no difference, but one never knows...
ok and afterwards you did the config.xml stuff and ran
./configure_etc.sh - right?

i never discovered this error - this is really strange
ah yeah
you can do (should do)

make
make install-offline
or
make install-online
this will then install all necessary stuff usually
of course it is possible to run install-node, install-ra and so on
separately...

if you have ra and ca on the same machine in the same install path, you
usually don't need the node interface - since they use the same database

yeah - so that's all i have in mind just right now...
i will post a complete step by step guide - for installing a ca with
node and a ra with node on the same machine for testing, but with
completely separate installation directories, so it's really like
simulating two separate systems (just the modules used will be the
same, since they are anyway ;o)

but this will most probably not be the case before tomorrow...

greetings
dalini




Re: [Openca-Users] problem starting openca

2004-05-10 Thread dalini
Kevin Mitcham wrote:

I've checked and re-checked the Database part of the config.xml, and it 
all seems good to me.  Any hints from the more experienced parts of the 
world?

have you installed the correct perl-dbi module?
looks like it couldn't be found
greetings
dalini
---
This SF.Net email is sponsored by Sleepycat Software
Learn developer strategies Cisco, Motorola, Ericsson & Lucent use to deliver
higher performing products faster, at low TCO.
http://www.sleepycat.com/telcomwpreg.php?From=osdnemail3
___
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users


Re: [Openca-Users] Error 6251043

2004-05-07 Thread dalini
Christian Guenther wrote:

Hi list,

after successfully solving my problem with the logging (see thread
"problems with openca_rc start") I ran
into the next error. I start my RA by issuing ./openca_rc start and
everything works beautifully, but when I try
to connect to the website (https://hostname/ra/) I receive this error
message:

Error Aborting connection - you are using a too short symmetric  
keylength ().
General Error. 6251043.

look - what your browser shows - as the used bitlength for securing
https... i have disabled the low ones in apache - so usually that means -
your used symmetric key is shorter than 128bit

or for testing - just set it to http ;o) - and the other parameters to
zero instead of the default values

you find this in etc/access_control/*.xml

there is a section:
<channel>
  <type>mod_ssl</type>
  <protocol>.*</protocol>
  <source>.*</source>
  <asymmetric_cipher>.*</asymmetric_cipher>
  <asymmetric_keylength>0</asymmetric_keylength>
  <symmetric_cipher>.*</symmetric_cipher>
  <symmetric_keylength>0</symmetric_keylength>
</channel>
if it's like this - you can use it with anything (http/https) and so
on... so set it for first steps to this - should avoid problems

the type can still be mod_ssl, shouldn't be a problem

greetings
dalini


Re: [Openca-Users] General Error. 6251026.

2004-05-06 Thread dalini
silves wrote:
Hello Michael

I am using https and it's the same thing ...

quote from another mail on this list today :o):

Please check your apache config for this:
SSLOptions +StdEnvVars +ExportCertData
greetings
dalini
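
To make the two checks behind this thread and the 6251043 thread above concrete, here is an added example (written for this archive, not OpenCA's code) that parses a <channel> section like the one quoted on the list and evaluates it against the CGI environment Apache hands to the scripts. The policy semantics (regular-expression match for text fields, minimum bit count for keylengths, 0 disables the check) are my assumption of what such a section means; the sample environments are constructed. HTTPS, REMOTE_ADDR, SSL_CIPHER and SSL_CIPHER_USEKEYSIZE are real mod_ssl variables, the SSL_* ones only present with SSLOptions +StdEnvVars.

```python
import re
import xml.etree.ElementTree as ET

# Constructed <channel> policies in the shape of etc/access_control/*.xml.
# STRICT mirrors the default described on the list (https, 128-bit
# symmetric key); RELAXED is the "zero / .*" variant suggested for first tests.
STRICT_CHANNEL = """<channel>
  <type>mod_ssl</type>
  <protocol>https</protocol>
  <source>.*</source>
  <asymmetric_cipher>.*</asymmetric_cipher>
  <asymmetric_keylength>0</asymmetric_keylength>
  <symmetric_cipher>.*</symmetric_cipher>
  <symmetric_keylength>128</symmetric_keylength>
</channel>"""

RELAXED_CHANNEL = """<channel>
  <type>mod_ssl</type>
  <protocol>.*</protocol>
  <source>.*</source>
  <asymmetric_cipher>.*</asymmetric_cipher>
  <asymmetric_keylength>0</asymmetric_keylength>
  <symmetric_cipher>.*</symmetric_cipher>
  <symmetric_keylength>0</symmetric_keylength>
</channel>"""


def parse_channel(xml_text):
    """Flatten a <channel> element into {tag: text}."""
    root = ET.fromstring(xml_text)
    if root.tag != "channel":
        raise ValueError("expected a <channel> element, got <%s>" % root.tag)
    return {child.tag: (child.text or "").strip() for child in root}


def check_channel(policy, env):
    """Evaluate a request environment against a channel policy.

    env holds the CGI variables as Apache passes them; the SSL_* ones only
    exist when mod_ssl runs with "SSLOptions +StdEnvVars". Assumed
    semantics (an approximation, not OpenCA's code): text fields are
    regular expressions that must match the whole observed value,
    keylength fields are minimum bit counts and 0 disables the check.
    Returns (ok, reason).
    """
    protocol = "https" if env.get("HTTPS", "").lower() == "on" else "http"
    observed = [
        ("protocol", protocol),
        ("source", env.get("REMOTE_ADDR", "")),
        ("symmetric_cipher", env.get("SSL_CIPHER", "")),
    ]
    for field, value in observed:
        pattern = policy.get(field, ".*")
        if not re.fullmatch(pattern, value):
            return False, "%s %r does not match %r" % (field, value, pattern)

    minimum = int(policy.get("symmetric_keylength", "0") or "0")
    if minimum > 0:
        raw = env.get("SSL_CIPHER_USEKEYSIZE", "")
        if not raw.isdigit():
            # Empty value: the situation behind the list's
            # "too short symmetric keylength ()" report, Apache is not
            # exporting the SSL variables at all.
            return False, "SSL_CIPHER_USEKEYSIZE missing: enable SSLOptions +StdEnvVars"
        if int(raw) < minimum:
            return False, "symmetric keylength %s below minimum %d" % (raw, minimum)
    # The asymmetric_* fields are left unevaluated in this example.
    return True, "ok"


def demo():
    """Constructed environments for the situations discussed on the list."""
    strict = parse_channel(STRICT_CHANNEL)
    relaxed = parse_channel(RELAXED_CHANNEL)
    good = {"HTTPS": "on", "REMOTE_ADDR": "192.0.2.10",
            "SSL_CIPHER": "AES128-SHA", "SSL_CIPHER_USEKEYSIZE": "128"}
    no_export = {"HTTPS": "on", "REMOTE_ADDR": "192.0.2.10"}
    weak = dict(good, SSL_CIPHER="EXP-RC4-MD5", SSL_CIPHER_USEKEYSIZE="40")
    plain = {"REMOTE_ADDR": "192.0.2.10"}
    return {
        "strict/good": check_channel(strict, good)[0],
        "strict/no_export": check_channel(strict, no_export)[0],
        "strict/weak": check_channel(strict, weak)[0],
        "strict/plain_http": check_channel(strict, plain)[0],
        "relaxed/plain_http": check_channel(relaxed, plain)[0],
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(name, "accepted" if ok else "rejected")
```

The no_export case is the interesting one for this thread: the policy is fine and the browser negotiated a strong cipher, but without +StdEnvVars the script never sees the key size, so the check fails with an empty value rather than a number.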


Re: [Openca-Users] PIX won't import issued certificate

2004-05-05 Thread dalini
Jörg Bartz wrote:

==
Issued Certificate:
Description Certificate issued and Certificate Request archived.  
Logging Message Certificate:
Data:
Version: 3 (0x2)
Serial Number: 12 (0xc)
Signature Algorithm: sha1WithRSAEncryption
Issuer: [EMAIL PROTECTED],CN=ComNet Certification Authority,OU=Trustcenter,O=ComNet GmbH,C=DE
Validity
Not Before: May  4 09:27:43 2004 GMT
Not After : May  4 09:27:43 2005 GMT
Subject: serialNumber=12
I think this could be a problem - usually i have the dns in the subject
too... but i don't know - maybe you requested a serial in the cert, since
the ca enroll command isn't included in your e-mail ;o)
in general i have deactivated the writing of serials in the subject or
something like this, since the serial is part of the certificate anyway

X509v3 Subject Alternative Name: 
DNS:pix.*mydomain*.de, email:[EMAIL PROTECTED]
this looks ok, as far as i see - i'm not sure if the pix maybe falls
over the email in subject alternative name, but it shouldn't be a problem

have you tried - just to enroll again? very often - the pix then just
accepts the issued certificate - i haven't found out exactly why it can't
successfully finish the first transaction but takes the cert in the
second transaction... (this is for pix 515), usually there is no
interaction at the pki required - because the certificate is already
issued, if the request stays the same

greetings
dalini


Re: [Openca-Users] SCEP and PIX

2004-05-04 Thread dalini
Bert Koelewijn wrote:

Yes OK. But is it possible to access /cgi-bin/scep/scep, without even 
running the openca server?
regards,

this is an interface script - you can't run it just like it is
you have to modify it to use it as a stand-alone application
just take a look ;o)

greetings
dalini


Re: [Openca-Users] SCEP and PIX

2004-04-30 Thread dalini
Bert Koelewijn wrote:
Hello all,

Is it possible to use SCEP stand-alone, without using openca? Can I get 
the PIX-request from SCEP, sign it and feed it back to SCEP?

yes, call the scep-tool with --help ;o) - it has an interface similar to 
the openssl tools like pkcs## or req and so on...

so just call the binary and look - how to call it for usual operations you 
can see in the script scepPKIOperation

greetings
dalini


Re: [Openca-Users] scep problem

2004-04-25 Thread dalini
pug wrote:
Hi,
while playing around with scep and a Cisco 836 I experienced that the 
certificate request does not appear in the Certificate Requests menu of 
OpenCA.

After configuration of crypto pki trustpoint the 836 requested the ca 
certificate. It was delivered by OpenCA and the 836 installed it. After that 
the 836 requested a certificate:
how is your openca set up?
did you generate some (web-server) certs for the scep-interface
and set the path to the key and cert file in config.xml in the
scep part?
how many certs does your trustpoint 836 show?
one ca and one ra or only one ca?
if you use just a ca without extra ra-certs for the scep interface
you have to set the ca key and cert at the path for scep in the 
config.xml file...

otherwise the scep-interface can't use the right certs and keys for 
communication with a client

and don't forget to rerun ./configure_etc.sh to update the config files...

but usually one doesn't use the ca-stuff directly

Is there a way to get more debug output from scep ?
no, not at the current state

greetings
dalini


Re: [Openca-Users] Problem reading CRIN-Mail

2004-04-23 Thread dalini
[EMAIL PROTECTED] wrote:

To fix this bug, I replaced line 2576 in OpenSSL.pm
$smime->encrypt(CERTIFICATE => $sign_x509)
with
$smime->encrypt(CERTIFICATE => $enc_x509)
ah great - I will put this into cvs - so it should be available
to all tomorrow (since the public cvs is usually around one day behind)
greetings
dalini




Re: [Openca-Users] RA CSR upload problesm

2004-04-23 Thread dalini
lin leon wrote:


Michael wrote:

Did you correctly choose the appropriate configuration template for 
the dataexchange in config.xml before you are running configure_etc.sh 
on the RA and on the CA? OpenCA's dataexchange does not export or 
import anything if you don't change the used template in config.xml. 
We must do this for security reasons to avoid impacts into the 
infrastructure of the CA.

Best regards

Michael
--
---
I want to know what it means to change the used template and how to do it

you go to:
installdir/.../etc and look into the file config.xml
at the end there is a section for configuring
dataexchange
there are 5 or 6 templates - of which the first one is activated, and
this stands for - everything is on the same machine...
you have to comment out this section and choose the appropriate one for
the right node
so for the ra - choose a template for ra, with ldap, public, scep, whatever
you have, and for the ca activate the ca-only template
then you have to rerun ./configure_etc.sh to get the config files updated...

greetings
dalini




[Openca-Users] Announcement: OpenCA-0.9.2 RC4

2004-04-21 Thread dalini
Release-Announcement:

OpenCA 0.9.2 RC4 is finished. We landed a lot of patches in
CVS and we hope this will solve several problems. There are
so many fixes that I can only mention the most important ones.
First the documentation. I know that it is not big enough and
that there are many things which people need, but now you
can extend it on your own because it is fully compilable with
Open Source tools.
Second we added support for Microsoft Smartcard and Domain
Controller certificates. You have to install OpenCA with
OpenSSL 0.9.7. After this you must install an OpenSSL snapshot
and change the reference to the new OpenSSL binary. Sounds
complicated? Nothing is for free, but it is documented. BTW
you do not have to know such things as the OIDs from Microsoft.
Third there are a lot of fixes for the access control. Things
like X.509 authentication work now for all interfaces. There
are roles for normal accounts too and ACLs are activated by
default.
Fourth there are many enhancements for the new batch system. Yes,
we developed a completely new one because of the poor performance
and the complicated extension of the first one in 0.9.1. The new
system is much more flexible and includes a simple state machine.
Like the old system it includes a mechanism for key recovery.
Every function is now in a separate. This makes it really easy
to customize checks or special behaviours.
The last enhancement are the bugfixes and small new features.
We added several new error messages to give you more details if
something fails. This should support you with more hints if the
first startup of OpenCA fails. A feature which was requested for
years but never implemented is the PIN verification on the RA.
It is now possible that a user enters his PIN on the RA to
identify himself. Several fixes try to make CRRs work but there
is still an open issue with signed CRRs.
I hope this summary helps a little bit to give you an idea
why it took so long. There will definitely be an RC5 to
land the last patches for CRRs and to integrate a new language.
The OpenCA Team

Important Notes:

you will find the current RC4 at the moment in our sourceforge area:
http://sourceforge.net/project/showfiles.php?group_id=20873package_id=17066
the official OpenCA download pages will be updated in the next days:
http://www.openca.org/openca/downloads.shtml
openca-homepage:
http://www.openca.org


Re: [Openca-Users] openca certificate error

2004-04-17 Thread dalini
lin leon wrote:

yes I have to export the certificate from the CA to the floppy, and I've 
write permissions, in the way: chown xx /dev/fd0

xx should be the apache user...

greetings
dalini




Re: [Openca-Users] Unable to create serverside certs

2004-04-15 Thread dalini
Oliver Welter wrote:
Hi All,

I installed 0.9.2 RC3 and have a problem creating the initial admin...

When trying so, I get:

Generating RSA private key, 1024 bit long modulus
..++
..++
e is 65537 (0x10001)
unable to write 'random state'
problems making Certificate Request
28356:error:0D07A097:asn1 encoding routines:ASN1_mbstring_copy:string 
too long:a_mbstr.c:154:maxsize=2

yes - this looks like there is somewhere a country string which is 
longer than two characters ;o)

check your configuration... I think there is a typo or something 
somewhere...

because this reminds me of one thing we had recently on the list, same 
problem, and maxsize=2 looks like the country attribute

greetings
dalini


Re: [Openca-Users] Cannot initialize Crypto Shell

2004-04-06 Thread dalini
Mike Tech wrote:

Hi Michael,
I am using OpenCA-SNAP-20031219.tar.gz 
http://www.openca.org/cgi-bin/openca/downloads/getFile/OpenCA-SNAP-20031219.tar.gz?name=snapshots%2FOpenCA-SNAP-20031219.tar.gz dated 
19 Dec 2003.Please suggest which version (date) I have to use ?
 
at the moment it would be best to use the cvs version - for the 0.9.2 tree
- since there are quite some fixes which are not released
as snapshot or cvs right now...
the next rc is in the queue but is waiting for some translations
and a fixup for some signing crr issues (which will be fixed soon
I hope, will see when I take a look at this, since micha is a bit
short on time at the moment)
greetings
dalini


Re: [Openca-Users] Gemplus, Alladdin UID Attribute

2004-04-05 Thread dalini
Gio wrote:
Hallo,
I try to store the certificates on the chipcard (Gemplus) and e-token 
(Aladdin).
It works wonderfully as long as I don't alter the configuration files.
I have to change the configuration to have the attribute uid.
Highly probably, I will also have to use the attributes ST and L.
The single mistake that I get comes from IE:
The generation of the request failed
This happens with the Gemplus card as well as with the e-token Aladdin.
The private key is generated, and I can see it on the Gemplus card.
What fails is the creation of the request.
As said, with the original configuration I don't have a problem.
Any idea?
Yes, that's not an OpenCA issue, this is a problem of the cards
as far as I could verify this... since manual import of those
certs with uids for example works, but the card software can't
show them correctly... (Aladdin) (try to generate the keys not on the card 
and export the results as pkcs#12 - import it - you will see what I 
mean... - the Aladdin software can't interpret those uid attributes)

I have mailed this issue to Aladdin already and they are working on it, 
or at least checking this issue ;o) - for Gemplus I can't say, since I 
don't have cards for evaluation

maybe they use Siemens chips too (like Aladdin)? with CardOS M4? I 
think this is a problem of the card OS or the drivers of the cards...
so maybe you can contact Gemplus - Aladdin is already in the queue ;o)

greetings
dalini


Re: [Openca-Users] Gemplus, Alladdin UID Attribute

2004-04-05 Thread dalini
Gio wrote:
Hallo,
and a little issue for this mailing list - not just for you ;o):

- PLEASE - if you start a NEW topic
  => write a NEW mail
DON'T reply to an old message and just change the topic!

modern e-mail clients use the References header of the mails
to sort messages into threads - and the topic - also some imap
servers directly support this
so this will put messages in wrong threads and will make it
more difficult for us to identify new issues on the list if
they are inside old threads...
Thank you all!

Greetings
Dalini




Re: [Openca-Users] openCa initialization

2004-04-05 Thread dalini
Guillaume Roger wrote:
Michael Bell a écrit :

Guillaume Roger wrote:



Did you edit the request? Even if you don't change the request's data, 
please click ok at the edit page. This editing changes the state of 
the request from NEW to PENDING. The statechange is required to make 
the request visible for the issuing function.

Yes, I did it more than one time, but it didn't change anything.

I tried to approve the request from the RA; it worked, but only if I 
don't sign it at the same time. In other words, the request is now 
Approved, but I am still not able to sign it.
this sounds weird - maybe it would be a good idea to get on the same
level of what we are talking about ;o)
the subject says: openca initialization

you say: request from the ra - but I think you are still at the ca?
can you maybe give the exact steps you do - and where you crash?
since this is a little confusing to me at least
it would be best - for initialization - to use the steps
from the initialization page, rather than using the 'normal' interface
greetings
dalini




[Openca-Users] Current Issues

2004-04-01 Thread dalini
CSRs:
- works completely, with and without signing
CRRs:
- works without signing
- signing doesn't work (will see what I can fix today)
  no workaround at the moment
Login with Certs to Interfaces
- works with the ra interface
- doesn't work for node and ldap (just an install issue)
  - will be fixed at RC4 and in cvs soon ;o)
  => workaround:
  go to installdir/apache
  - cd node
  - ln -s ../ra/scripts scripts
  - cd ..
  - cd ldap
  - ln -s ../ra/scripts scripts
  otherwise at the node and ldap interface the necessary scripts
  can't be loaded by the webbrowser...
greetings
dalini




Re: [Openca-Users] Current Issues

2004-04-01 Thread dalini
dalini wrote:
first, the issues are for 0.9.2 cvs
second:
  go to installdir/apache
I meant: installdir/apache/htdocs for sure ;o)

greetings
dalini


Re: [Openca-Users] setup two management interfaces on one server

2004-03-31 Thread dalini
Michael Portz wrote:
Well..what helped me in the same situation
was to STRICTLY keep those two versions apart.
That means: different --prefix, --with-openca-prefix,
--with-module-prefix and --with-httpd-fs-prefix.
What surprised me was that you could use the
same --with-web-host, but I guess that was
just me... :)
actually you don't need to keep them strictly apart
for example it doesn't make much sense to separate the
module stuff... you can go for even more nodes on the
same computer this way... and have the modules just one
time there - this is also practical for personal
code changes, if you have special needs - you change it
once and can test it with all nodes and interfaces, as
far as it's the general modules
I attached two setups I usually use to 'simulate' two separate 
installations on one system

then you can work like you would have two separate installations
so you can check that the dataexchange processes are working properly
and so on...
for dataexchange I then just use a directory like:
/usr/local/pki-new/operating/exchange/filename
so in the exchange directory there are different files for the different
levels of the hierarchy like level-00 level-01 which then would
for example be used: 00 for ca-sub-ca and 01 for sub-ca-ra
and so on
for final deployment you just put one - let's say the offline part -
on a different computer - change the exchange behaviour - like
the paths to point to fd0 or some usb-stick stuff or through
scp...
greetings
dalini
online configuration
./configure \
 --prefix=/usr/local/pki-new/operating/ra \
 --enable-ocspd \
 --enable-scep \
 --with-openca-user=pki \
 --with-openca-group=pki \
 --with-web-host=pki.somehost.de \
 --with-httpd-url-prefix=/pki/ra/ \
 --with-hierarchy-level=ra \
 --with-httpd-user=apache \
 --with-httpd-group=apache \
 --with-module-prefix=/usr/local/pki-new/operating/modules
offline configuration
./configure \
 --prefix=/usr/local/pki-new/operating/ca \
 --disable-ocspd \
 --disable-scep \
 --with-openca-user=pki \
 --with-openca-group=pki \
 --with-web-host=pki.somehost.de \
 --with-httpd-url-prefix=/pki/ca \
 --with-hierarchy-level=ca \
 --with-httpd-user=apache \
 --with-httpd-group=apache \
 --with-module-prefix=/usr/local/pki-new/operating/modules




Re: [Openca-Users] PIN Messages are not beeing sent

2004-03-30 Thread dalini
Tobias Glemser wrote:

In config.xml sendmail is given as mailer (I tried the default value 
as well as sendmail, sendmail -t, sendmail -n), and the sendmail 
command itself is working. The error logs in /var/log/mail are normal.
Any suggestions?
yes - this is fixed in cvs ;o), there are also some other issues fixed
in the cvs version which are not working in rc3 - for example the
revocation process and login auth with certificates aren't working 
properly in rc3...

greetings
dalini




Re: [Openca-Users] change role to spanish language....

2004-03-29 Thread dalini
Pedro Jossi wrote:
Hello to all! 
 
Is it possible to change the names of the files 
user.conf, ca_operator.conf, mail_server.conf, etc. to Spanish?
 
the names of the files shouldn't be a problem - just take care of
special chars (this could raise some problems with the filesystems maybe
- you have to try) and don't forget to adapt the corresponding configurations
for the roles and so on... then it should work, so it reflects the
changed names
but I think this should work - but haven't tried so far ;o)

greetings
dalini




[Openca-Users] OT: SCEP/CISCO CA(PKI)-Rollover

2004-03-29 Thread dalini
Hello all together,

I just fell over this issue when I was planning some CA/PKI-Rollover 
scenario

so - I come to the conclusion - this is going to give some really heavy problems
and one day you have to do it... especially in a running environment 
this looks like it's going to give some real problems:

situation:

- usually you have a ca signing cert requests so that the validity of the 
cert doesn't exceed the validity of the ca-cert
- that means - if you have a maximum issuing time for certs of 1 year, 
this ca will issue in the last year of its existence only crls but no 
more certificates
- so you then do a ca/pki-rollover - means, you do a new ca-cert and 
set up a new pki-structure for it to use

BUT
- now we get into trouble, maybe I overlooked something, I hope so really, 
but at the moment I can't find the easy solution I'm actually looking 
for... which isn't that good

- so we have TWO CAs with TWO CRLs for the timespan when ca-old issues 
only crls and ca-new will do the new certs and its own crl for that

- but as far as I see this right now - the pix or let's say scep can just 
handle one ca - yeah and here we have a real problem right ahead

- so if we approve the new ca - we lose validity of certs for the old 
one, but they are still valid, actually - and we can't check crls of 
the old one either

so that means, all client certs of the old ca have to be reissued by the 
new one, after the day this gets into, let's call it active state and the 
old one is in, let's call it passive state (means crl-signing only)

but this means - a lot of work and maybe unnecessary troubles - but I 
see no other chance to handle this at the moment?

but I think, since this shouldn't be a too new issue - how do others 
handle this? set the lifetime of the vpn-ca to 10 years (or something 
around that) or what? so one just hopes - that scep or let's say the pix 
or other equipment by then can handle more than one ca in parallel, to 
get this really working?

thanks for any suggestions ;o) - I mean this issue stays even with a 
more complex setup using maybe a long-term root-ca, this issue is still 
not solved - since I get a root-ca-rollover somewhere in the future

greetings
dalini
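The CA-validity arithmetic of the post above, as an added example in Python that is not part of the original mail or of OpenCA: given a CA's own validity and the longest end-entity lifetime it issues, it computes the day after which that CA can only sign CRLs, clamps a requested notAfter to the CA's notAfter the way a CA that refuses to outlive itself would, lists which CA certificates (and so which CRLs) a relying party such as the PIX still has to hold on a given day, and reports the gap if the new CA starts too late. The CA names and all dates are constructed, not taken from the thread.

```python
"""CA rollover planning (added example; not OpenCA code).

A CA that never issues a certificate outliving its own certificate
stops issuing max_cert_days before its notAfter and signs only CRLs
after that.  A rollover therefore needs a second CA that starts
issuing before that date, and for a while relying parties must hold
both CA certificates and check both CRLs.  All dates are constructed.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class CA:
    name: str
    not_before: date
    not_after: date
    max_cert_days: int  # longest end-entity validity this CA will issue


def last_issuing_date(ca):
    """Last day on which a full-lifetime certificate still fits inside
    the CA's validity; from then on the CA is CRL-only."""
    return ca.not_after - timedelta(days=ca.max_cert_days)


def clamp_not_after(ca, requested_not_after):
    """What a CA configured not to exceed its own validity actually
    puts into the certificate."""
    return min(requested_not_after, ca.not_after)


def cas_to_trust(day, cas):
    """Names of the CAs whose certificate and CRL a relying party still
    needs on `day`: every end-entity cert of a CA expires at the CA's
    notAfter at the latest, so the CA stays relevant until then even
    while it is CRL-only."""
    return [ca.name for ca in cas if ca.not_before <= day <= ca.not_after]


def rollover_gap_days(old, new):
    """Days during which neither CA can issue a full-lifetime
    certificate (0 means the new CA starts in time)."""
    return max((new.not_before - last_issuing_date(old)).days, 0)


def sample_cas():
    """Constructed CAs: a five-year VPN CA issuing one-year certs and
    its successor started 18 months before the old one goes CRL-only."""
    old = CA("vpn-ca-2004", date(2004, 1, 1), date(2009, 1, 1), 365)
    new = CA("vpn-ca-2007", date(2007, 7, 1), date(2012, 7, 1), 365)
    return old, new


if __name__ == "__main__":
    old, new = sample_cas()
    print("old CA is CRL-only from", last_issuing_date(old))
    print("gap in days:", rollover_gap_days(old, new))
    print("requested", date(2009, 6, 1), "clamped to",
          clamp_not_after(old, date(2009, 6, 1)))
    for day in (date(2008, 6, 1), date(2009, 6, 1)):
        print(day, "needs CA certs + CRLs of", cas_to_trust(day, [old, new]))
```

With the sample CAs the old CA stops issuing on 2008-01-02 and stays on the PIX (with its CRL) until 2009-01-01, so for about a year the device needs two trust points; this is exactly the period the post says current SCEP clients cannot cover.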


Re: [Openca-Users] OpenCA-0.9.2-RC3 and IE request

2004-03-28 Thread dalini
Artur Pyc wrote:

Hi,
Firstly I'm sorry if the following subject was previously discussed on
this list (I'm new here).
I've just installed openca version 0.9.2RC3 and I've a problem with getting
the requested certificate. When I'm trying to get the certificate IE shows the
error with the following details:
Row: 9
Sign: 9
Error: Unknown definition 'cert'
Code: 0
this should be fixed in cvs and in the next rc coming soon ;o)

greetings
dalini


Re: [Openca-Users] floppy disk?

2004-03-27 Thread dalini
Chimaw Lee wrote:

Hello everybody..

I have a question about OpenCA.
the question is the floppy disk
the ca and ra server communicate with a floppy disk
Could I remove the floppy disk and would OpenCA still work?
because I think using the floppy disk is not convenient.
Somebody can give me some advice? or any good idea?
read the fine manual
yes, you can: it's simple, it's online, it's included in the distributions
there are configuration files
and there are fields where you can set up the dataexchange
there are examples inside the configuration files and in
the documentation how to do this differently than with fd0
go to .../etc/ and do:
grep fd0 * -R -n
this will show you the files where you can change this

just a little hint:
if you change things inside a .template file then a rerun
of ./configure_etc.sh will keep those changes
if you change things inside a .conf file then a rerun will
overwrite those changes
greetings
dalini
ps: next time it will be enough to ask on one mailing list - thx



Re: [Openca-Users] SCEP requests failing

2004-03-26 Thread dalini
Andréa Cavallari wrote:
Hi!

In which files can I set this configuration

SET_CERTIFICATE_SERIAL_IN_DN NO

go to .../etc and do:
grep SET_CERTIFICATE_SERIAL_IN_DN * -R -n
;o)

but usually it is in etc/servers/ca.conf
or ra.conf and so on...
greetings
dalini




Re: [Openca-Users] SCEP and Enterasys VPN Router

2004-03-24 Thread dalini
Teo Romera wrote:

How about the SCEP thing? The SCEP-speaking router would contact the RA
to obtain the CA cert and make a request for its own cert. So will the
RA sign the cert for the router? and, can the RA just give out the CA's
cert to the router?
no, I don't know which kind of router you use, but usually you can tell 
them if they talk directly to a ca or a ra - so they know there is a 
step in between

that means:
the communication between the scep-interface and the router/clients, 
whoever uses the scep functionality, is secured with the cert for this 
interface, which is signed by the ca too

the ca is always used to issue certificates - the ones for the ra, as 
for the router as for the clients - it's always the ca who does this

Globally I just need a cert for the SCEP-speaking router and a way to
issue certs for the remote access users when they request them. Which
should be the deployment view? I know I can handle installation and
configuration issues, but I just don't see how it all would work
altogether.
usually the whole administrative work is handled at the ra-level, if one exists
so there all the requests will get handled by one or more ra-operators,
even the request for the router - this works quite transparently actually
the ra-operator will see a request, maybe change this and that - then 
approve it, usually sign it with his own cert, so the ca (ca-operator) can 
later verify who approved the requests

then those approved requests get exported (through a usb-stick, a tape, 
a disk, whatever), transported to the offline-ca - there you import the 
data through the node-interface (which actually handles the data export 
and import between the machines) and then the certificates get issued 
there either manually or automatically through the batch system

then all goes backwards - export certs from the ca - import at the ra
when the certs are imported at the ra - they can be fetched by the users 
and also by the router through scep, of course it is possible that a user 
requests a cert through scep too - if his client supports this and so 
on, there are a lot of options, depending on your environment and needs 
and so on... ;o)

and don't forget to issue a crl - I think the router at least will need 
one for proper operation - otherwise it could be difficult for it to 
decide if a certificate is really still valid or not

of course it is possible that this all gets handled by one person ;o)
in larger scenarios this usually gets divided, as the technicians and the 
people who decide who is allowed to use something - like the vpn-access 
- are different

greetings
dalini


Re: [Openca-Users] Mail sending problem

2004-03-24 Thread dalini
Guillaume Roger wrote:

Hi all,

When I try to send mail to users (node-utilities-send a crin mail or 
email new user), nothing is sent, with OpenCA 0.92RC3, on fedora 1.
I think this should have been fixed in the cvs version ;o)

dalini



Re: [Openca-Users] SCEP and PIX Firewall

2004-03-23 Thread dalini
Bernd Probst wrote:

The certs are marked as active, but I can see no serial number at the ca certificate in the pix. Is this correct??

yes this is correct, since the ca-cert has a serial number of zero ;o)
which the pix interprets as not available...
I tried to edit the request with the correct DN. Then OpenCA was able to issue the certificate, but
nevertheless the PIX was not able to show this certificate with show ca cert. But the pending request
(Pending 102) at PIX trace was changed to granted (Granted 100). I thought this is it. But NO!!! The PIX shows 
only the ra and the ca certificate !!! Has anyone an idea what went wrong ???

yeah - I have some ideas ;o)

first - the granted cert will be shown on top of the ca and ra cert
as the first one - if it's there
second - it is important to keep some special attributes in the dn
that means: unstructuredAddress and unstructuredName if available
otherwise the pix will not accept the issued certificate
if you do a request (ca enroll pki-name pwd ipaddress) then it must 
be included - but at least the unstructuredName should be included

and as mentioned before - you have to set the equivalent 
subject-alternative name - for unstructuredName this is DNS and there 
has to be the same string - for unstructuredAddress it is IP

(this is mentioned somewhere in the cisco-vpn-documentation for pix)

I add both usually

greetings
dalini
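Two checks on a request DN that come up in this thread, as an added example in Python that is not part of the original mails or of OpenCA: the over-long country attribute that makes OpenSSL abort with "ASN1_mbstring_copy:string too long ... maxsize=2" (the "Unable to create serverside certs" mail above), and the PIX rule stated here that unstructuredName must equal a SAN DNS entry and unstructuredAddress a SAN IP entry. Assumptions: the DN is given in OpenSSL's one-line text form ("C=DE,O=..." or "/C=DE/O=...", with "+" between the values of a multi-valued RDN and no escaped separators), the SAN is given as "openssl x509 -text" prints it ("DNS:..., IP Address:..., email:..."), and the length bounds are the ub-* values from RFC 5280 Appendix A; all sample data is constructed.

```python
"""Pre-flight checks on a request DN (added example; not OpenCA code).

Two things that bite in this thread: a country attribute longer than
two characters, which OpenSSL refuses with
"ASN1_mbstring_copy:string too long ... maxsize=2", and a PIX that
drops an issued certificate whose unstructuredName /
unstructuredAddress do not match the DNS / IP entries of the
subjectAltName.  DN and SAN formats are assumed to be OpenSSL's text
forms; escaping of ',' '+' '/' inside values is not handled.
"""

# Upper bounds from RFC 5280 Appendix A (ub-country-name-alpha-length,
# ub-state-name, ub-locality-name, ub-organization-name,
# ub-organizational-unit-name, ub-common-name).
MAX_LEN = {"C": 2, "ST": 128, "L": 128, "O": 64, "OU": 64, "CN": 64}


def parse_dn(dn):
    """Return (attr, value) pairs in order, accepting both
    'C=DE,O=x' and '/C=DE/O=x'; '+' separates the values of a
    multi-valued RDN (e.g. unstructuredName=...+serialNumber=...)."""
    dn = dn.strip()
    rdns = dn[1:].split("/") if dn.startswith("/") else dn.split(",")
    pairs = []
    for rdn in rdns:
        for ava in rdn.split("+"):
            ava = ava.strip()
            if ava:
                attr, _, value = ava.partition("=")
                pairs.append((attr.strip(), value.strip()))
    return pairs


def parse_san(san):
    """Parse the SAN as 'openssl x509 -text' prints it:
    'DNS:pix.example.net, IP Address:192.0.2.1, email:x@example.net'."""
    entries = []
    for item in san.split(","):
        item = item.strip()
        if item:
            kind, _, value = item.partition(":")
            entries.append((kind.strip(), value.strip()))
    return entries


def check_lengths(dn):
    """Attributes whose value exceeds the X.520 upper bound; a 'C'
    longer than 2 is exactly the maxsize=2 error seen in the thread."""
    problems = []
    for attr, value in parse_dn(dn):
        limit = MAX_LEN.get(attr)
        if limit is not None and len(value) > limit:
            problems.append(f"{attr}={value!r} exceeds {limit} characters")
    return problems


def check_pix_subject(dn, san):
    """Mismatches a PIX would reject the certificate for, [] if none."""
    subject = dict(parse_dn(dn))
    san_dns = {v for k, v in parse_san(san) if k == "DNS"}
    san_ip = {v for k, v in parse_san(san) if k in ("IP", "IP Address")}
    problems = []
    name = subject.get("unstructuredName")
    if name is None:
        problems.append("no unstructuredName in subject")
    elif name not in san_dns:
        problems.append(f"unstructuredName {name!r} has no matching SAN DNS entry")
    addr = subject.get("unstructuredAddress")
    if addr is not None and addr not in san_ip:
        problems.append(f"unstructuredAddress {addr!r} has no matching SAN IP entry")
    return problems


if __name__ == "__main__":
    # Constructed sample data, not taken from the thread.
    print(check_lengths("C=DEU,O=Example GmbH,CN=Example CA"))
    print(check_pix_subject(
        "unstructuredName=pix.example.net+serialNumber=ABC123,unstructuredAddress=192.0.2.1",
        "DNS:pix.example.net, IP Address:192.0.2.1"))
    print(check_pix_subject("serialNumber=12", "DNS:pix.example.net"))
```

Run it against the subject and SAN lines of the request as the RA shows them before export; an empty list from both checks means the request will pass OpenSSL's string-length checks and keeps the DN/SAN pairing the PIX insists on.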

