Re: [Openca-Users] SCEP-based automatic certificate renewal with CertNanny and OpenCA
Quoting Martin Bartosch [EMAIL PROTECTED]:

> Folks, I've got a last-minute Christmas present for you all!

Indeed.

> You will find the current CertNanny release on SourceForge at
> http://sourceforge.net/projects/certnanny/

I guess I will have a look soon. Thx Martin.

Greetings
Dalini

---
This SF.net email is sponsored by: Splunk Inc. Do you grep through log files for problems? Stop! Download the new AJAX search engine that makes searching your log files as easy as surfing the web. DOWNLOAD SPLUNK! http://ads.osdn.com/?ad_id=7637alloc_id=16865op=click
___
Openca-Users mailing list
Openca-Users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openca-users
Re: [Openca-Users] openssl syntax for multi-valued RDNs is unknown from cisco router unstructuredName
Quoting [EMAIL PROTECTED]:

> I think the reason can be found in the request from the cisco that sends only this:
>
> -
> serialNumber=206, unstructuredName=ipsec-cisco-2610..de+serialNumber=87CE1234
> Role=Web Server
> Modulus (key size) 512
> Public Key Algorithm rsaEncryption
> Public Key Modulus (512 bit): 00:b6:0a:f3:09:3f:49:39:5a:83:42:d0:.
> Exponent: 65537 (0x10001)
> Signature Algorithm md5WithRSAEncryption
> -
>
> Are there some people who know what I have to do when I receive the request from cisco? In RA I can EDIT this data in the request, before I make an export to CA and then import to CA.

Well, the solution is quite simple in this case. (There are some e-mails addressing this already on the list, but I only have access through a web frontend at the moment, so searching is a bit painful; I will try to recover it from memory instead.)

If you edit the request at the RA or CA you will see the request in a form like:

cn: type - value : type - value

in one row. You should rewrite the whole cn part, put everything in the 'first' column of the form and delete the 'second' column information in the request (unfortunately I don't have a picture right now, I hope you get the idea ;)

Sometimes it is necessary to add some SAN information (Subject Alternative Names); usually Cisco wants them if you additionally request the IP or FQDN in the certificate. That means: add a SAN named unstructuredName for the FQDN, and one unstructuredAddress with the IP as value. In such cases this should help.

---

> An other question: Why does the cisco router put 2 requests over scep into the RA Interface?

---

This has to do with key types. If you request a general-purpose key you get one request; if you request separate keys for signing and encryption, the Cisco device will generate two different key pairs, one for signing and one for encryption usage, and therefore two requests.

To support this, you may have to add/change the available 'roles' in OpenCA and write the appropriate usage type (like only for encryption or only for signing) into the X.509 certs. This is found under openssl/extfiles if I'm right. But there should be some extra information about that in the documentation already, on how to change/create new roles.

greetings
dalini
Re: [Openca-Users] OpenCA and nCipher in batch process: Proud to announce some good results :-D
Johnny Gonzalez L. wrote:

> yep, I was thinking of doing a top while issuing one of my new batch tests to try to catch where the bigger delay is, to see if it is in disk writing, db access, etc.

Maybe it would be a good idea to insert some time or times commands at certain places. This will give a bit more detailed information for each program you call with it ;) but I don't know if it's available on your system, so maybe it's useful to call some commands with this too... It will be more accurate than top I guess - hehe.

greetings
dalini

NAME
       time - time a simple command or give resource usage

SYNOPSIS
       time [options] command [arguments...]

DESCRIPTION
       The time command runs the specified program command with the given arguments. When command finishes, time writes a message to standard output giving timing statistics about this program run. These statistics consist of (i) the elapsed real time between invocation and termination, (ii) the user CPU time (the sum of the tms_utime and tms_cutime values in a struct tms as returned by times(2)), and (iii) the system CPU time (the sum of the tms_stime and tms_cstime values in a struct tms as returned by times(2)).

--

NAME
       times - write process times

SYNOPSIS
       times

DESCRIPTION
       The times utility shall write the accumulated user and system times for the shell and for all of its child processes, in the following POSIX locale format:

       "%dm%fs %dm%fs\n%dm%fs %dm%fs\n", <shell user minutes>, <shell user seconds>, <shell system minutes>, <shell system seconds>, <children user minutes>, <children user seconds>, <children system minutes>, <children system seconds>

       The four pairs of times shall correspond to the members of the <sys/times.h> tms structure (defined in the Base Definitions volume of IEEE Std 1003.1-2001, Chapter 13, Headers) as returned by times(): tms_utime, tms_stime, tms_cutime, and tms_cstime, respectively.
Re: [Openca-Users] building sources from CVS
Johnny Gonzalez wrote:

> Hello everybody, I'm trying to compile OpenCA accessing the code from CVS (to have the most up-to-date sources, right?) but I have some errors in the process. I'm accessing through gcvs with: [EMAIL PROTECTED]:/cvsroot/openca and I'm checking out the module openca-0.9. Is that the right module I have to check out to have the latest source code?

The latest source code is a complete rewrite and redesign of the current release - so if you check out HEAD you get something totally different from the 0.9.2 series ;) It's based on it, but it's only fair to call it new. To get the latest 0.9.2 series sources you must tell cvs to give you 0.9.2; I think this is done via the -r switch, so maybe you should try this and then go on to compile it ;)

greetings
dalini
Re: [Openca-Users] SCEP support
Philipp Gühring wrote:

> Additionally: Can anyone provide me with a Test-installation of OpenCA with SCEP, so that I can try it out?

Now, since SCEP is a protocol with no human interaction, there is no web interface in this sense ;) but there is code which handles the requests. You will find it in these files:

.../OpenCA/lib/cmds/scepGetCACert
.../OpenCA/lib/cmds/scepPKIOperation

The first one handles step one - the client requests the CA/RA certificates/chains - and the second one handles the SCEP messages following this first auth step. After a client requests a certificate via SCEP, you will see the request in the normal interface like any other request and can apply the appropriate workflow to it. If a certificate is granted (and exported to the RA) the client can fetch it through SCEP.

The URL of the SCEP 'interface' (which has to be given to the client) looks something like this (depending on your OpenCA configuration and web server setup):

http://pki.fem.tu-ilmenau.de/operating/004/pub/cgi-bin/scep/scep

Alternatively it can also be called like:

http://pki.fem.tu-ilmenau.de/operating/004/pub/cgi-bin/scep/pkiclient.exe

If you access this page (without any parameters) through a web browser you usually should see an error message:

Error 700, General Error. This interface is only for SCEP.

If you add ?operation=GetCACert you will get the CA cert in PKCS#7 format... like the client would do. This can also be read in the SCEP RFC drafts.

greetings
dalini
Re: [Openca-Users] retrieve certificate from ra interface
worou noee wrote:

> Oliver Welter [EMAIL PROTECTED] wrote:
>
>> What does openssl say? Might it be that your cisco blanks out the common part from the certificate? I don't think that OpenCA issues a certificate with such a DN.
>
> OpenCA issues the certificate with this DN. I can see it in the RA interface. But in the cisco device I cannot see the certificate with such a DN. I only want to know if it is normal.

It is normal. It could be necessary to add IP and DNS in the SAN (Subject Alternative Name) of the certs too, but you have to check; sometimes clients don't accept the certs if this is missing - so just in case ;)

greetings
dalini
Re: [Openca-Users] Logging Error 64310030 on Solaris
Mathias Schäfer wrote:

> Hi everybody, I'm trying to start OpenCA on a Solaris box, getting an error about logging: unix dgram connect: Socket operation on non-socket at

In log.xml you can switch off syslog logging. Looks like there is a little problem; just removing the whole 'slot' for syslog may help for the moment - to get it running. So is your install problem solved?

greetings
dalini
Re: [Openca-Users] Is PIN code stored in RA or CA database?
Manolo Gómez wrote:

> This behaviour is OK for user requests, but makes no sense for server requests because in that case the encrypted pair of keys and also a CSR have already been generated on the server. Why is it needed to give a PIN code? Is it used? Is it stored anywhere? Can I use it later for any kind of authentication?

Exactly, it can be used for authentication purposes. At the registration node interface there is an option called "verify pin", where an RA operator may have the ability to verify the request (basically it opens an extra window where one can submit the PIN two times - as password input fields, so it's asterisked).

For example: the requester has to go to the RA operator and provide his PIN in a web form; the OpenCA system then will compare the request PIN against the provided password and tell the RA operator if they match or not (he won't see it, only if he follows the fingers on the keyboard of the person ;). So it may be possible that a workflow requires that server admins show up at the PKI help desk to confirm their request... and this will work with that option, available only in the 0.9.2 series.

greetings
dalini
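The help-desk check described in the reply above, as an added example that is not OpenCA's code: the requester types the PIN twice into password fields, the two entries must agree, and only then is the entry compared with the PIN recorded for the request. The page does not say how OpenCA stores the request PIN; this example assumes (its own design, not OpenCA's) that only a salted PBKDF2 hash of the PIN is kept with the request, so neither the RA operator nor a database dump reveals the PIN, and the comparison is done in constant time.

```python
"""Verify a requester's PIN at the RA help desk.

Added example, not OpenCA's code. Storage format (salted PBKDF2 hash) is an
assumption of this example; the page does not describe OpenCA's own storage.
"""
import hashlib
import hmac
import os

HASH_NAME = "sha256"
ITERATIONS = 100_000        # PBKDF2 work factor; raise it on faster hardware
SALT_BYTES = 16


def store_pin(pin, salt=None):
    """Hash the PIN chosen at request time; returns the record kept with the request."""
    if not pin:
        raise ValueError("empty PIN")
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(HASH_NAME, pin.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt, "iterations": ITERATIONS, "hash": digest}


def verify_pin(record, entry1, entry2):
    """Check the two PIN entries from the operator's form against the stored record.

    Returns (ok, reason). The reason never contains the PIN or the hash, so it
    is safe to show to the RA operator.
    """
    if entry1 != entry2:
        return False, "the two PIN entries do not match"
    candidate = hashlib.pbkdf2_hmac(HASH_NAME, entry1.encode("utf-8"),
                                    record["salt"], record["iterations"])
    # Constant-time comparison: a plain '==' on bytes stops at the first
    # differing byte and would leak, via timing, how much of the hash matched.
    if not hmac.compare_digest(candidate, record["hash"]):
        return False, "PIN does not match the request"
    return True, "PIN matches the request"


if __name__ == "__main__":
    # Constructed sample: the PIN chosen when the server request was submitted.
    request_record = store_pin("83921-kx")
    print(verify_pin(request_record, "83921-kx", "83921-kx"))   # accepted
    print(verify_pin(request_record, "83921-kx", "83921-kX"))   # entries differ
    print(verify_pin(request_record, "00000-00", "00000-00"))   # wrong PIN
```

The operator only ever sees the boolean outcome, which is the property the reply relies on: the PIN confirms that the person at the desk is the one who submitted the request, without the PIN itself being disclosed to the operator or stored in clear.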
Re: [Openca-Users] subject alt name doesn't support dns and ip address
Pho La Min wrote:

> When I edit a VPN server request in the RA interface and add a DNS name in the subject alternative name box, I get the error below when issuing in the CA interface

Common Information
OpenCA Version :
Perl Version :
OpenSSL Version :
Operating System :
Problem Description :

This may help us to look at the right places ;) and give you faster and improved feedback... Please always try to use our stable releases, since usually DNS and IP in subject alternative names are supported. The error looks like a problem with OpenSSL:

> OpenSSL fails (256).).. 11232:error:22075075:X509 V3 routines:v2i_GENERAL_NAME:unsupported option:v3_alt.c:436:name=dns, referer:

Greetings
Dalini
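An added example, not OpenCA's or OpenSSL's code, for the two replies above that recommend putting the gateway's DNS name and IP into the subjectAltName: it builds the subjectAltName line for an OpenSSL extension file from what an operator types, normalising the GeneralName keyword to the spelling OpenSSL accepts and validating each value. OpenSSL compares the keyword before the colon case-sensitively, which is consistent with the error quoted above (unsupported option ... name=dns): a lowercase dns: is rejected, DNS: is accepted. The hostname rule below is this example's own (RFC 1123 labels, optional leading wildcard); the sample names and addresses are constructed.

```python
"""Build an OpenSSL subjectAltName line from operator input.

Added example, not OpenCA or OpenSSL code. The keyword table reflects the
GeneralName keywords OpenSSL's v3_alt.c accepts; the hostname policy is this
example's own choice.
"""
import ipaddress
import re

# keyword as typed (any case) -> keyword as OpenSSL expects it before the colon
KEYWORDS = {"dns": "DNS", "ip": "IP", "email": "email", "uri": "URI"}

_LABEL = r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)"
HOSTNAME_RE = re.compile(r"^(\*\.)?(%s\.)*%s$" % (_LABEL, _LABEL))


def normalise_san(kind, value):
    """Return (KEYWORD, value) with the keyword canonicalised and the value checked."""
    keyword = KEYWORDS.get(kind.strip().lower())
    if keyword is None:
        raise ValueError("unsupported subjectAltName type %r" % kind)
    value = value.strip()
    if keyword == "DNS":
        if len(value) > 253 or not HOSTNAME_RE.match(value):
            raise ValueError("not a valid DNS name: %r" % value)
    elif keyword == "IP":
        # Raises ValueError on junk; also canonicalises IPv6 (lowercase, compressed).
        value = str(ipaddress.ip_address(value))
    elif keyword == "email":
        if value.count("@") != 1 or value.startswith("@") or value.endswith("@"):
            raise ValueError("not a valid e-mail address: %r" % value)
    elif keyword == "URI":
        if "://" not in value:
            raise ValueError("not a URI: %r" % value)
    return keyword, value


def build_san_line(entries):
    """entries: iterable of (type, value) pairs as typed into the RA form.

    Returns e.g. 'subjectAltName=DNS:vpn.example.org,IP:192.0.2.10', suitable
    for an extension file passed to 'openssl x509 -extfile' or 'openssl ca -extfile'.
    """
    parts = []
    for kind, value in entries:
        keyword, value = normalise_san(kind, value)
        if "," in value:   # a comma would be parsed as the start of the next GeneralName
            raise ValueError("comma not allowed in %r" % value)
        parts.append("%s:%s" % (keyword, value))
    if not parts:
        raise ValueError("no subjectAltName entries")
    return "subjectAltName=" + ",".join(parts)


def san_entries_valid(entries):
    """True if build_san_line would accept the entries, False otherwise."""
    try:
        build_san_line(entries)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: what an operator might type for a VPN gateway request.
    print(build_san_line([("dns", "vpn.example.org"), ("ip", "192.0.2.10"),
                          ("IP", "2001:DB8::1")]))
    print(san_entries_valid([("dns", "vpn.example.org")]),
          san_entries_valid([("dns", "not a host")]))
```

Validating the IP literal with the ipaddress module matters beyond the keyword spelling: OpenSSL encodes an IP GeneralName as the raw 4- or 16-byte address, so a value that is not an address fails at issuing time with a similarly terse X509 V3 error.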
Re: [Openca-Users] Re: SCEP not working
Michael Kopp wrote:

> Hi Oliver, thanks for your help, SCEP is now working for me. I successfully enrolled with a Cisco VPN Client 4.6.00.45 on Win2K. I will go on testing with various other Cisco devices (VPN Clients, IOS, PIX and VPN Concentrators).

Yeah, great, we definitely need more confirmed working setups with SCEP and different hardware!

greetings
dalini
[Openca-Users] Support Request Template was: error signing certs
Common Information
OpenCA Version :
Perl Version :
OpenSSL Version :
Operating System :
Browser Type/Version :
Problem Description :

This may help us to look at the right places ;) and give you faster and improved feedback... Please always try to use our stable releases.

Greetings
Dalini
Re: AW: [Openca-Users] Error when setting UNIQUE_DN NO
[EMAIL PROTECTED] wrote:

> Hi, thanks for the answer. The patch doesn't seem to work (see below) and I couldn't find any signs of this patch in the daily OpenSSL snapshot (openssl-SNAP-20041116.tar.gz) either. Do you have any other suggestions?

No - most probably there have been some changes to ca.c since the patch was written... so you have to apply it manually ;) or ask someone you know who has some knowledge of C.

greetings
dalini
Re: [Openca-Users] Request Setup error
Angel Martinez Gonzalez wrote:

> Hello: I'm trying to initialize OpenCA. In Request Setup of Phase 1, I enter this DN: /C=ES, ST=Valladolid, L=Boecillo, O=Telefonica I+D,

Hmm, maybe try to escape this + sign? I'm not sure, but it looks like a probable troublemaker ;) - or just try it once without, to see what happens. Try a very simple DN for testing, like cn=test,ou=plahh,c=es. If this doesn't work either, then it may be a problem of the dn:500 Perl module you are using.

greetings
dalini
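An added example, not OpenCA's or OpenSSL's DN code, serving both this thread and the earlier Cisco thread about multi-valued RDNs: a parser and serialiser for the one-line X.500 DNs OpenCA shows in its request forms. It follows the RFC 2253 / OpenSSL convention that ',' separates RDNs, '+' joins the attributes of one multi-valued RDN (unstructuredName+serialNumber in the Cisco request), and a backslash protects the next character, which is exactly what the '+' in "Telefonica I+D" needs. A leading '/' in OpenSSL -subj style is tolerated; the host name and serial number in the demo are constructed.

```python
"""Parse and re-serialise one-line X.500 DNs with multi-valued RDNs.

Added example, not OpenCA or OpenSSL code. Separator and escaping rules follow
RFC 2253 / OpenSSL; '/' inside values is not treated specially.
"""

RDN_SEP = ","        # separates RDNs
ATTR_SEP = "+"       # joins the attributes of one multi-valued RDN
ESCAPE = "\\"
SPECIAL = ",+\\"     # characters that must be escaped inside a value


def parse_dn(dn):
    """Return a list of RDNs, each a list of (type, value) tuples, in the order written.

    Raises ValueError when a component has no '=', which is exactly what an
    unescaped '+' or ',' inside a value produces.
    """
    if dn.startswith("/"):
        dn = dn[1:]
    if not dn.strip():
        return []
    rdns, rdn, buf, attr_type = [], [], [], None
    i = 0
    while i <= len(dn):
        # A sentinel separator after the last character closes the final RDN.
        ch = dn[i] if i < len(dn) else RDN_SEP
        if ch == ESCAPE and i + 1 < len(dn):
            buf.append(dn[i + 1])          # escaped character is taken literally
            i += 2
            continue
        if ch == "=" and attr_type is None:
            attr_type = "".join(buf).strip()
            buf = []
        elif ch in (RDN_SEP, ATTR_SEP):
            if attr_type is None:
                if i == len(dn) and not buf and not rdn:
                    break                  # tolerate a trailing ',' as in 'O=Foo,'
                raise ValueError("component %r has no '=' in %r (unescaped '+' or ','?)"
                                 % ("".join(buf).strip(), dn))
            rdn.append((attr_type, "".join(buf).strip()))
            buf, attr_type = [], None
            if ch == RDN_SEP:
                rdns.append(rdn)
                rdn = []
        else:
            buf.append(ch)
        i += 1
    return rdns


def escape_value(value):
    """Backslash-escape the characters that would otherwise split the DN."""
    return "".join(ESCAPE + ch if ch in SPECIAL else ch for ch in value)


def format_dn(rdns):
    """Inverse of parse_dn: RDNs joined with ', ', attributes of one RDN with '+'."""
    return (RDN_SEP + " ").join(
        ATTR_SEP.join("%s=%s" % (t, escape_value(v)) for t, v in rdn)
        for rdn in rdns)


def dn_is_valid(dn):
    """True if the DN parses, False if it contains an unescaped separator or similar."""
    try:
        parse_dn(dn)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample modelled on the Cisco request: the second RDN is
    # multi-valued (unstructuredName + serialNumber).
    cisco = "serialNumber=206, unstructuredName=router1.example.net+serialNumber=87CE1234"
    for rdn in parse_dn(cisco):
        print(rdn)
    # The '+' in the organisation name must be escaped, otherwise it is read as
    # the start of a second attribute and the DN is rejected.
    print(dn_is_valid("/C=ES, ST=Valladolid, L=Boecillo, O=Telefonica I+D"))   # False
    escaped = format_dn([[("C", "ES")], [("ST", "Valladolid")],
                         [("L", "Boecillo")], [("O", "Telefonica I+D")]])
    print(escaped)                                 # ... O=Telefonica I\+D
    print(parse_dn(escaped)[-1])                   # [('O', 'Telefonica I+D')]
```

The same escaping applies when the DN is handed to openssl req -subj, where the RDN separator is '/' instead of ',' but '+' and the backslash have the same meaning; an operator who types the organisation name unescaped will see the value split at the '+' exactly as parse_dn reports.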
Re: [Openca-Users] Cert chain, translation, ...
Obes, Til wrote:

> At the state OpenCA is at the moment, changing the texts is not practical.

Anyhow, maybe we should move this discussion to the dev list?

greetings
dalini
Re: [Openca-Users] Error 700 General Error. Your request has to include O=...
Kuderer David wrote:

> Dear Open-CA Userlist
>
> Error : Error 700 General Error. Your request has to include O=.

I guess you are using the 0.9.2 series?

> Question : - Is this a bug or a feature? Our customers don't have the same organisation (o=). How can I make a workaround?

You can change this behavior through the config files in .../etc/ where it is set to o,c - to the dc style for example. This is also described in our documentation, for example here:

http://www2.openca.info/docs/guide/openca-guide.html#id2808788

So read the fine manual please, thx ;)

greetings
dalini
Re: [Openca-Users] openca-ocsp and Mozilla having problems
Ognyan Kulev wrote:

> Janez Pirc wrote:
>
>> I then also tried with the OpenSSL OCSP client and I also get a working response from my OCSPd. But when I want to verify a certificate with Mozilla (Windows, 1.7.3) I always get the message: Could not verify the certificate for unknown reasons
>
> I submitted a similar report but got no reply: http://sourceforge.net/mailarchive/forum.php?thread_id=5891510forum_id=2291 :-(

The maintainer for OCSP is quite busy at the moment - so there is not such good support for this target at the moment, compared to OpenCA itself.

greetings
dalini
Re: [Openca-Users] Error 700 General Error. Your request has to include O=...
dalini wrote:

> you can change this behavior through the config files in .../etc/ where it is set to o,c - to the dc style for example. This is also described in our documentation, for example here: http://www2.openca.info/docs/guide/openca-guide.html#id2808788 So read the fine manual please, thx ;)

Maybe we should rename this target to "Setup a Different Subject Style" (or something similar)? Would this be easier to understand if someone looks for it? And then use the dc example as an example... ;) since I guess most people who don't want to have the common o,c style would look for dc as an alternative setup...

So comments are welcome; we always try to improve our documentation as well as the system itself, since usable (especially in the sense of understandable and 'findable' topics) documentation is essential for a project like OpenCA.

greetings
dalini
Re: [Openca-Users] Cert chain, translation, ...
Obes, Til wrote:

>> For Mozilla and related you can simply stuff together the PEM encoded certs in one large file - Mozilla imports them but sometimes messes up the trust roles of it :( For IE you must create a special binary container - I didn't manage that with OpenSSL but was able to export the chain from a Windows machine after importing the full chain by hand. The MS clients recognize the chain correctly.
>
> By hand is not what I want. We have 16k students here and guess how many understand what to do ;) So can the downloadcert command be changed so that it delivers the complete chain?

I think you can create the chain once by hand, then you change the files which get delivered to the students... but you have to do this with browser detection...

@olli - did you try to create one PKCS#12 file with the chain inside? I guess this should work too... maybe I find some time to try this ;) then this could be used as standard behavior.

> And using text as a key is really silly in my eyes.

Hmm, I'm also not really happy with the current situation, but if someone finds the time, he can create an English translation file and replace all text with keys like operation-text-## or something, and this has to be done in all translation files - I guess. But then we would also be free to change English text without breaking anything... Of course one could do this with the database or like it is now; this is a question of what one likes more - I guess.

> Cvs from 28.10. was it, I think.

So still a problem - hmm.

greetings
dalini
Re: [Openca-Users] Cert chain, translation, ...
Mike Schmidt wrote:

> I agree that many of the messages have errors, but let's start by just fixing the language databases. It's easy to do, and should cause no pain.

So we first need an English translation from the English texts with typos ;), then we may be able to fix the standard text in English without fixing the key texts ;)

greetings
dalini
Re: [Openca-Users] Cert chain, translation, ...
Joerg Schneider wrote:

> For OpenCA I guess that means: If a user has configured his browser for a language not known to OpenCA, he will see the message from the code. Caveat: I haven't tried this/looked at the source.

No, this won't really be a problem, since we have some code which tries to detect the browser language and select an appropriate one which is available; this could be set to default to the English 'translation', so the text from the code should never get shown to the user... It is now set to default to C or en, which finally is the text in the code, if I'm right, but this change is minimal and everything is ready to behave correctly. Actually we just need the English 'translation' ;)

greetings
dalini
Re: [Openca-Users] Renew CA certificate
Mike Schmidt wrote:

> Hi, This process is not clear to me. Sorry for the questions, but I just read this thread and ended up understanding even less than I thought I understood. How does this exactly work? We set up a new CA on a different IP address? How does the previous CA cert remain available for verifications? Where is it cached? Why can't we use the current CA with a new (second) CA cert?

Because this isn't supported right now. The awareness of CA rollover is only slowly surfacing, even in established environments... (usually the problem of CA rollover is 'solved' through long-term root CA certs... which isn't really nice).

So what they mean is: you just set up a new PKI which has a new CA key and cert and issues the new certs, and keep the other one running for CRL issuing. You need to have both certs and CRLs available in any case, and both CRLs on different CDPs; otherwise a client couldn't verify old certs issued by the old CA cert, which is still valid.

The support for CA rollover will be available in 0.9.3 and it will be quite unique, I think; you won't find that in a lot of even commercial products, but it isn't finished right now...

greetings
dalini
Re: [Openca-Users] store the certificate under uid instead CN on ldap..
Barrow H Kwan wrote:

> We are using LDAP for authentication. User information is stored under uid=test,ou=People,dc=domain,dc=com. We would like to store the user certificate under the same entry instead of a different one like serial_no=,CN=test,ou=People,dc=domain,dc=com. I have changed all the template forms to add the uid elements and re-run configure_etc.sh, eg:
>
> ...
> DN_TYPE_BASIC_ELEMENTS emailAddress CN uid OU
> ...
> DN_TYPE_BASIC_ELEMENT_3 Unix ID
> DN_TYPE_BASIC_ELEMENT_3_MINIMUM_LENGTH 1
> ...
>
> But the uid keeps getting ignored by OpenCA. What am I missing?

No, this can't be; I had this running with uid too, already some time ago. Did you change this on the RA and the CA?

greetings
dalini
Re: [Openca-Users] scep cisco
Konstantin Khrooschev wrote:

> dalini wrote:
>
>> Konstantin Khrooschev wrote:
>>
>>> Oct 22 15:56:46.149 MSD: CRYPTO_PKI: status = 100: certificate is granted
>>> Oct 22 15:56:53.232 MSD: crypto_certc_pkcs7_extract_certs failed (1795):
>>> Oct 22 15:56:53.232 MSD: crypto_certc_pkcs7_extract_certs failed
>>> after Certificate enrollment failed, only ca certificate shown.
>>
>> hmm this is strange, this shouldn't happen,
>
> Can small RAM space be the reason of the problem?

Could be. How much RAM does your device have? But I think this shouldn't remove the RA cert.

Maybe someone can 'sponsor' an IOS system for a limited time period, let's say two weeks or something, so I could run some tests and maybe debug the SCEP code... since I developed and tested only with Cisco PIX equipment and sscep, and therefore can't make sure assumptions about problems with IOS, especially which problems with those trustpoints (I think this is a newer IOS feature - or?).

I no longer have access to the internal Cisco knowledge database. Does someone have access to the Cisco internal help database? Since the public knowledge base is quite reduced and you only get full access to all documentation, FAQs and problem solutions with such a login ;), so if someone has it, he may be so kind to look for the cited error messages... maybe there are some hints what could be wrong.

There is another option too: maybe you can enable more debugging output, but that's not so important. What would be important, to trace the problem, would be to capture the messages while they are sent between the router and the SCEP interface. But since we don't know the router keys, we can't decrypt the captured PKCS#7 to trace this; with higher debugging at the router (I don't know if this is possible) it may be possible to see the package data at the router and where exactly it fails. But we can see how large the outer PKCS#7 container is, since for a certificate of a certain size (like 1024 or 2048 bit) the message has to be around some bytes long ;)

As far as I can see from the output, the outer PKCS#7 can be read, since the router shows the status of the answer (success); only when it tries to decrypt the encrypted part does it fail and stop processing the answer. This means either the inner PKCS#7 is not encrypted with the right public key, or there is nothing in it, or the key info doesn't match. So how does the issued cert look?

If I think about it, there may be another option: it could be a similar problem like the one with Firewall-1 systems... when the sending cert (from the client/router) changes during the transaction, and at the SCEP interface we use the cert of the first request of this transaction and encrypt with that (old) one instead of the one received during the last request. But this is all very hypothetical since I can't verify this on my own ;(

greetings
dalini
Re: [Openca-Users] User install requested certificate the second time???
Barrow H Kwan wrote:

> What happens if a user needs to install his/her certificate again? Like on a different computer, or maybe his/her computer is broken and needs to be re-installed (OS, etc...) so that the certificate has to be installed again? Is there a way to do it or do we have to revoke the old one and issue a new one?

That depends on the place where the keys get generated and stored. If the user used his browser to generate the keys, he can't reinstall the certificate since it depends on the key pair; in this case you have to revoke and issue a new certificate. If the key pair is server-generated and the key is backed up or still available, then you can reinstall the certs and the key pair again, of course ;) without revoking and requesting a new one.

greetings
dalini
Re: [Openca-Users] scep cisco
Konstantin Khrooschev wrote:

> Oct 22 15:56:46.149 MSD: CRYPTO_PKI: status = 100: certificate is granted
> Oct 22 15:56:53.232 MSD: crypto_certc_pkcs7_extract_certs failed (1795):
> Oct 22 15:56:53.232 MSD: crypto_certc_pkcs7_extract_certs failed
> Oct 22 15:56:53.236 MSD: Could not extract router cert from certrep, error=0x703
> Oct 22 15:56:53.240 MSD: CRYPTO_PKI: can not set ca cert object (0x10D)
> Oct 22 15:56:53 MSD: %SYS-2-FREEBAD: Attempted to free memory at 2F17FF4, not part of buffer pool -Traceback= 2155B84 2C381D0 2C487CE 2C3F0D8
> Oct 22 15:56:53.244 MSD: CRYPTO_PKI: status = 65535: failed to process the inner content
> Oct 22 15:56:53 MSD: %CRYPTO-6-CERTFAIL: Certificate enrollment failed.
> Oct 22 15:56:53 MSD: %CRYPTO-6-CERT_FATAL_ERR: Invalid format for BER encoding
> ...
> who is wrong now ?

Hmm, since I don't have IOS systems for testing here, this is going to be kind of tricky...

OK, the sscep request is working? SCEP is set up with its own certs (web server) for the SCEP interface? You get the request and you can issue a cert? It looks at least, if the router gets a granted reply, that it works up to that point...

> Oct 22 15:56:53.240 MSD: CRYPTO_PKI: can not set ca cert object (0x10D)

This looks strange... shouldn't the CA cert already be installed on the router? Is there something like "show crypto ca cert" (I don't know the IOS syntax, I haven't downloaded the documentation right now)? This should show two certificates (the CA and the RA cert, meaning the web server cert of the SCEP interface, but for the clients it's an RA) and one pending request before an enrollment gets started... How do you set up the CA at the router, as CA or as RA?

greetings
dalini
Re: [Openca-Users] SCEP Problems
[EMAIL PROTECTED] wrote:
> Hello everybody, Can someone please send me a sample of a SCEP issued certificate and the Cisco trustpoint config? I still have problems getting the DNs formatted correctly.

Did you get it working (with the hints I sent to you)? Otherwise, I plan to set up a public testing system, and there I could also issue some testing certs which should work with Cisco if requests get sent to it, or just artificial certs, so you can look at how they should look like.

greetings dalini
Re: [Openca-Users] Viewing Expired Certs
Mark Davidson wrote:
> This is a problem with openca-0.9.2-RC6 - viewing expired certificates always showed nothing even if there were expired certificates. The expired certificates showed up on the valid page with a status of valid. Attached is a patch which fixes this problem (small changes to viewCert and lists)

yeah - cool, I just thought if I have time I should fix this, since I also stepped over it... looks good, I think I will put it into CVS, just will check it before...

greetings dalini
Re: [Openca-Users] Problem Importing Requests from a lower level of the hierarchy..
Troubleshoot-Template-Common-Informations:

OpenCA Version:
Perl Version:
OpenSSL Version:
Operating System:
Problem Description:

this may help us to look at the right places ;)

Greetings Dalini
[Openca-Users] Template for Support Requests ;)
Troubleshoot-Template-Common-Informations:

OpenCA Version:
Perl Version:
OpenSSL Version:
Operating System:
Problem Description:

this may help us to look at the right places ;) and give better and faster feedback... so it would be nice if it could get used for new support requests

Greetings Dalini
Re: [Openca-Users] OpenCA with multi organisational management
Dominique Launay wrote:
> Hi everybody, I don't want to let the user type the name of the O but give him/her the choice in a list. Has someone an idea how to do that? Is it possible?

In general this would be possible, but with some work ;) since it would require some changes in the web frontend, but not too much, I think. The LDAP interface should already be able to handle different O if I'm right, but I think Michael will tell you if this works or not. What is possible right now already would be to change the O at the RA interface manually, so the backend itself shouldn't have a problem handling such a situation.

greetings dalini
Re: [Openca-Users] Is openssl Bug on Suse fixed ?
Oliver Welter wrote:
> Hi Folks, does anybody know if the bug in openssl-0.9.7d is fixed by a SuSE 9.1 online update - or must I install the openssl libs by hand :(

sorry, I don't know, but how about asking SuSE and telling them; usually I think they would fix it, since they don't want to ship a broken openssl instead of openssl themselves ;)

greetings dalini
Re: [Openca-Users] scep again
dalini wrote:
> so one may call this a Debian problem, but actually it is an openssl problem and especially one of their release policy for stable releases...

Maybe I will write an e-mail and talk about security in terms of broken protocol implementations which will crash protocols, and it will be a security risk therefore; maybe not that you can 'hack' openssl with a buffer overflow, no, you just have to install the stable d version to break your whole security infrastructure if it uses PKCS#7. Maybe they then consider it a security risk... somehow they have some strange understanding of security, in my point of view.

I will test this, since I don't have time and I don't want to explain every time that 0.9.7d is just broken - even if it's the stable openssl release - actually this can't just be.

greetings dalini
Re: [Openca-Users] 0.9.2RC6 SCEP decoding
[EMAIL PROTECTED] wrote:
> Hi, I use SSCEP with a similar configuration to the one available at http://www.openca.org/openca/docs/online/ch04s04.html. The enrollment seems to be ok on the SSCEP side (I get a valid response from the server followed by a segmentation fault...). However, when I edit the request on the RA side all CSR attributes are set to n/a (public key, email, cn, and so on). I've decoded the ASN.1 object sent to the RA and the format seems ok. Does someone have the same problem ?

Hmm, sounds weird somehow, but the segmentation fault at the sscep side looks like maybe a misconfiguration at the OpenCA and sscep side.

OK, the sscep should work like mentioned at the webpage, and at OpenCA you have to set the RA stuff for SCEP; it's just working with an RA involved right now. The segmentation error points in this direction. In the config.xml file in the etc directory of OpenCA there is a scep section; you have to give some valid path to a key and crt file used for the 'scep-ra' (usually it's sufficient to use an SSL crt/key like for https there; the key should have no passphrase, there were still some problems if it had one, and it doesn't change much in terms of security if you put the pwd in config.xml or leave the key unencrypted and only accessible through the OpenCA scripts, meaning the apache user).

greetings dalini
Re: [Openca-Users] 0.9.2-RC6 won't make on OpenBSD 3.5
Kevin wrote:
> Hi All- I'm not sure if I've found a bug in the code or if there is an incompatibility, but can anyone comment on this? i386/OpenBSD3.5 (most current)
> /usr/local/src/OpenCA/openca-0.9.2-RC6 # gcc -v
> Reading specs from /usr/lib/gcc-lib/i386-unknown-openbsd3.5/2.95.3/specs
> gcc version 2.95.3 20010125 (prerelease, propolice)

^^ that's 'the problem' - it should compile with a newer gcc. I haven't checked out what the exact problem is with 2.95 and apps.c, but a newer gcc works with the code.

greetings dalini
Re: [Openca-Users] Certificate installation error
Dmitrij Mironov wrote:
> Yes. But after thinking a while I concluded that the lack of such a feature is by design - downloading a private key by following a link in an email is unsafe.

yep

> The email message can be intercepted. So, IMHO, this feature will not be realised...

not without a pwd screen in front or some other countermeasure ;o)

greetings dalini
Re: [Openca-Users] Changing the timezone...
Janez Pirc wrote:
> Hello! I was wondering, and really searching a lot through the files of OpenCA, how to change the timezone of the shown date in the OpenCA interface? The next step would be to personalize it to the Slovene language, but first this...

All times in certificates are always UTC and so they get shown as UTC (this is RFC, by the way ,o) and this feature doesn't exist right now... but one could think of a configurable feature to show times in local time... but a certificate would/should always contain UTC timestamps for the validity time, since this is the convention, and if you show dates with the openssl interface or in your web browser you will also see UTC timestamps from the certificate, or maybe something like Firefox does:

29.06.2004 19:47:29 (29.06.2004 17:47:29 GMT)

so the first line is the data from the cert and below it's shown in local time... but this would become a bit uncomfortable for list views - so the suggestion from above may be more reasonable... and during configuration of the interface one can decide how timestamps from certs and so on get shown to the user (like in the certs or in local time).

> So, any help?

If there isn't already a feature request for this - just make one... (at SourceForge) and it may become part of a future release ,o)

So the point is: if this feature is very important for you, you may 'fix' this by yourself - therefore it's open source - and if you send the patches we may be able to apply this to the current code... there is a dir: .../lib/cmds/ where you will see the view*, edit*, lists commands which may have to be changed (I would suggest a function show_date() which, depending on config, shows the real or the local date).

sorry - no more help for this at the moment... at least I don't remember we had something already which would do the trick ;o)

greetings dalini
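The configurable show_date() suggested above, as an added example in Python rather than OpenCA's Perl (not code from the project): it parses the ASN.1 UTCTime/GeneralizedTime strings a certificate actually stores and renders them as UTC, as local time, or in the Firefox style quoted in the post; the mode constants and the fixed +2 hour zone are assumptions for the demo.

```python
"""Render X.509 validity timestamps either as stored (UTC) or in local time.

Added example, not OpenCA code. Certificates carry notBefore/notAfter as
ASN.1 UTCTime ("YYMMDDhhmmssZ") or GeneralizedTime ("YYYYMMDDhhmmssZ"),
always in UTC. The display mode is a configuration choice; the certificate
itself is never altered.
"""
from datetime import datetime, timedelta, timezone

# Display modes, assumed to come from the interface configuration.
MODE_UTC = "utc"      # show exactly what the certificate says
MODE_LOCAL = "local"  # convert to the configured local zone
MODE_BOTH = "both"    # local time first, UTC in parentheses (Firefox style)

# Constructed zone for the demo (Central European Summer Time, UTC+2).
CEST = timezone(timedelta(hours=2))


def parse_asn1_time(value):
    """Parse an ASN.1 UTCTime or GeneralizedTime string into an aware UTC datetime.

    UTCTime has a two-digit year; RFC 3280 section 4.1.2.5.1 maps YY >= 50 to
    19YY and YY < 50 to 20YY. Only the 'Z' (UTC) form is accepted, which is
    what RFC 3280 requires for certificate validity fields.
    """
    value = value.strip()
    if not value.endswith("Z"):
        raise ValueError("only UTC ('Z') timestamps are valid in certificates: %r" % value)
    digits = value[:-1]
    if len(digits) == 12:            # UTCTime: YYMMDDhhmmss
        yy = int(digits[:2])
        year = 1900 + yy if yy >= 50 else 2000 + yy
        rest = digits[2:]
    elif len(digits) == 14:          # GeneralizedTime: YYYYMMDDhhmmss
        year = int(digits[:4])
        rest = digits[4:]
    else:
        raise ValueError("unrecognised ASN.1 time: %r" % value)
    month, day, hour, minute, second = (int(rest[i:i + 2]) for i in range(0, 10, 2))
    return datetime(year, month, day, hour, minute, second, tzinfo=timezone.utc)


def _fmt(dt):
    # dd.mm.yyyy hh:mm:ss, the layout of the Firefox example in the thread
    return dt.strftime("%d.%m.%Y %H:%M:%S")


def show_date(asn1_time, mode=MODE_UTC, local_tz=None):
    """Format a certificate timestamp according to the configured display mode.

    local_tz is any tzinfo; pass a fixed offset (like CEST) when the result
    must not depend on the machine running the code.
    """
    utc = parse_asn1_time(asn1_time)
    if mode == MODE_UTC:
        return _fmt(utc) + " GMT"
    if local_tz is None:
        local_tz = datetime.now().astimezone().tzinfo  # machine's zone as fallback
    local = utc.astimezone(local_tz)
    if mode == MODE_LOCAL:
        return _fmt(local)
    if mode == MODE_BOTH:
        return "%s (%s GMT)" % (_fmt(local), _fmt(utc))
    raise ValueError("unknown display mode: %r" % mode)


if __name__ == "__main__":
    # Constructed input: the notAfter value behind the Firefox example above.
    for mode in (MODE_UTC, MODE_LOCAL, MODE_BOTH):
        print(mode, "->", show_date("040629174729Z", mode, CEST))
```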
Re: [Openca-Users] SCEP key sizes for Cisco
Tiller, Robert wrote:
> fyi, As a side note to SCEP with Cisco, the root CA key size must be 2048 bits or less in order to import into the Cisco device.

yes, hmm, I should add this to the 'guide' too, but usually this is also mentioned in the Cisco documentation for the systems supporting RSA keys... if I'm right, the 'client' certs should also not exceed 2048 bit ,o)

dalini
Re: [Openca-Users] Problems with DN
leonardo wrote:
> Hi, I want to store certificates in LDAP, but for organisational reasons my DN must look like: uid=user unique id -name, cn= Domain Users, ou = ici, dc = curitiba, dc = org , dc = br
> 1) does OpenCA work with the uid attribute in the DN ?

yes, this should work fine, actually

> 2) how can I configure OpenCA to work with the uid attribute in the DN and export these certs to LDAP?

you just have to adapt the LDAP settings, if I don't miss something ,o)

greetings dalini
Re: [Openca-Users] openca-sv: Segmentation fault
> Segmentation fault
> This is the case on two different Debian Sarge machines with the newest CVS, 0.9.2-RC6 and openca-SNAP-20040730. That could point to a mistake on my side, but I do not know where to start looking.

openssl version? 0.9.7d is broken at the PKCS#7 functionality; this may cause the segfault.

greetings dalini
Re: [Openca-Users] pkcs7 verify data returned status 0x707 (scep enrollment)
> ./sscep: pkistatus: SUCCESS
> ./sscep: cannot find requested certificate
> should I post verbose debug information here ?

No, that's the thing I already mentioned: sscep will give an error here, because I had 'add serial to dn' on at the CA, so the DN of the request does not match the DN of the issued certificate, and sscep doesn't like this... so the test is actually ok ,o)

greetings dalini
Re: [Openca-Users] pkcs7 verify data returned status 0x707 (scep enrollment)
Konstantin Khrooschev wrote:
> Ives Steglich wrote:
>> Ives Steglich wrote:
>>> no, not automatic - I will issue a cert, wait 5min
>> damn, I missed some special attributes, so this will not work with Cisco and sscep will throw an error, since I issue with serial in the DN at the moment, but it should show you if the cert gets through or not... and if the system is working. The test cert is issued now.
> [EMAIL PROTECTED] sscep]$ ./sscep enroll -f sscep.conf
> ./sscep: sending certificate request
> ./sscep: valid response from server
> ./sscep: pkistatus: PENDING

Yes, you should let it run till it tries the second time. I have to look, but my first reply from the SCEP interface seems to be always a pending state *g* so maybe change the retry time to 10sec or something, start the command again and wait for the second reply... (this should be either the cert or a failure state, but not pending again, I think, as far as this is my current experience with Cisco and sscep; so it works, but it needs a second request. I will fix this later, since it's not a huge problem.)

greetings dalini
Re: [Openca-Users] OT: Assign a Certificate for SSL-Validarion to a website in Mozilla
Oliver Welter wrote:
> When I choose autoselect certificate in Mozilla it will choose the wrong one, so all certificate signing is done with my user cert, preventing the automated issue on the CA side.

I think Mozilla just uses the cert with the highest serial from the matching CA - or the newest one, since it doesn't know what a user and an RA or CA operator is; so the idea behind it is that the newest or the cert with the highest serial must be the actual one... In the manual list, also always the cert with the highest number is on top, so I think they just do this.

So an idea could be to issue a certificate with a very high serial number and then set the serial counter of openssl back and 'lock' this used number (but I think this would happen automatically, since OpenCA detects there is a cert with such a serial already, so you won't overwrite it; you just had to change the manual, maybe). Yeah, that's not very clean, but it may solve your problem for the moment...

greetings dalini
Re: [Openca-Users] pkcs7 verify data returned status 0x707 (scep enrollment)
Konstantin Khrooschev wrote:
> Ives Steglich wrote:
>> Ives Steglich wrote:
>>> - sscep with attached configuration can be found here: http://lab.x-dense.org/openca/test.conf
>>> greetings dalini
> sorry for wasting your time, other projects require my attention :-(
> now I tried the test SCEP server you published at http://pki.fem.tu-ilmenau.de/operating/006/pub/cgi-bin/scep/scep and it says my CSR is pending. Is it a fully automatic test CA, or do I need to contact the administrator to process my request ?

no, not automatic - I will issue a cert, wait 5min

dalini
Re: [Openca-Users] pkcs7 verify data returned status 0x707 (scep enrollment)
Konstantin Khrooschev wrote:
> mv key.pem key.pem.save
> openssl rsa -in key.pem.save -out key.pem
> is that enough ?

I think so - otherwise OpenCA gives the option to get it already mod_ssl ready (meaning the PEM formatted key and cert), but this should work too.

>> what does the scep command show you if you call it in a browser like: http://domain/pub/cgi-bin/scep/scep for example
> Error 700 *General Error*. This interface is only for SCEP..

That's ok, just to verify there are no configuration errors, since at the recent CVS version there were some config options missing which get shown here...

> Server version: Apache/1.3.26 (Unix) Debian GNU/Linux

k, that I have too. So what does sscep do so far? Did you get it working?

Ah yeah - before I forget - hehe, there is a little 'bug' in sscep: it calls the server by its IP, so vhosts get broken (but then you should get a 404 back..., check the logs of your webserver). I sometimes fell over this little issue of sscep... (I will ask Jarkko to make it configurable whether the IP or the FQDN gets used.)

In case not, you are free to give (as far as you can go outside your network) the SCEP interface named in the test.conf a try: http://pki.fem.tu-ilmenau.de/operating/006/pub/cgi-bin/scep/scep or http://pki.fem.tu-ilmenau.de/operating/006/pub/cgi-bin/scep/pkiclient.exe (this is an actual testing CVS version of OpenCA running). In future there will be a public testing installation found at: http://lab.x-dense.org/openca

greetings dalini
Re: [Openca-Users] Problems with database
Oliver Welter wrote:
> Hi Johnny, look at your config.xml (openca/etc/), section database config. The first item, dbmodule, must be DBI - I think you have DB here and so OpenCA uses a flat file as database.

he uses 0.9.1.8 ;o) - there is no config.xml

dalini
Re: [Openca-Users] publish certificates for CA with more than one Level
Oliver Welter wrote:
> Now I want to publish the root and the OpenCA signer's certificate together in one file... just concatenating the PEMs together fails - can anyone give me a hint ? Similar question: How about publishing the CA certs together with the user certificate in one file ?

p12 and PKCS#7 are appropriate container files which can provide the requested functionality ;o) so check out the openssl p12 and openssl pkcs7 commands... usually there is already a makefile in the chain dir... which realizes the CA cert hierarchy stuff, if I have this right in mind...

greetings dalini
Re: [Openca-Users] dual-key usage with OpenCA
Michael Konietzka wrote:
> Does anyone see some mantraps or failures in this workflow before I start configuring and coding?

I think it's a good idea, and therefore I have put it on the dev list ;o) (forwarded)

greetings dalini
Re: [Openca-Users] CSR with IE fails
> @Til: The same problem occurs with your pub interface (RC4) and the dalini interface 0.9.1.8 (?)

what is the dalini interface 0.9.1.8? ;o)

greetings dalini
Re: [Openca-Users] RBAC error with 0.9.2RC5+
Chris Covell wrote:
> Dalini,
> On Tuesday 29 June 2004 17:48, dalini wrote:
>>> Any ideas ?
>> yes, but no good news... I just try to trace down this problem. This is related to all browser-based signing, which at the moment is broken somehow...
> thanks for this ! I shall have a look too, (but don't hold your breath !!!).

Actually - I'm that far that the code itself seems to be fine in most cases, since I got the pub-user-test certificate working. The problem there was: the signing text had a \n at the end, but the text used to verify against didn't have a \n at the end - so the verify fails... I just removed all \n inside the text for generating the signature - and it just worked... the certificate could be verified as valid.

So I guess the current problems mainly result from missing or added bytes in the text or data to be proofed... but I haven't localized for sure where this happens... I think it could be part of the internationalization code, but I'm not sure, since the pkcs7, openssl and openca-sv code seems to be fine in general.

To test the above - you just go to: .../lib/cmd/test_cert line 13; I removed all \n and the whole thing worked... if I insert somewhere a \n in the to-be-signed text - the verification breaks... that means there is a converting problem with \n; most probably it gets translated to \n\r or something. I will check the hexcode of the data file used for verification. The question is - where does it get converted/changed so that verification breaks... since in other to-be-signed stuff there is \n used, or a byte in the challenge with the same meaning - this is our troublemaker, I guess... if we find this - I think fixing is a question of some minutes ;o)

greetings dalini
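The hexcode check described above, done in code as an added example (Python, not OpenCA or openca-sv code): given the bytes that were signed and the bytes handed to the verifier, it reports whether they differ only by a trailing newline, only by LF/CRLF conversion, or in real content, and at which offset; the sample strings are constructed.

```python
"""Locate why a signed text and the text it is verified against differ.

Added example, not OpenCA code. The thread traces a failed browser-signature
verification to a trailing "\\n" present in the signed text but absent from
the verification copy, with a suspected LF -> CRLF conversion elsewhere.
diagnose_mismatch() compares the two byte strings and names the kind of
difference, so the operator does not have to read two hexdumps by eye.
"""


def canonical_lines(data):
    """Line-ending-insensitive form: CRLF/CR -> LF and no trailing newline.

    Applying this on both the signing and the verifying side is the
    "remove all \\n" workaround from the post, made symmetric.
    """
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n").rstrip(b"\n")


def _tail(data):
    # The newline bytes at the very end of data (possibly empty).
    return data[len(data.rstrip(b"\r\n")):]


def diagnose_mismatch(signed, verified):
    """Classify the difference between the bytes that were signed and the bytes
    handed to the verifier.

    Returns (tag, detail) where tag is one of:
      "identical"        - byte-for-byte equal, the signature itself is at fault
      "trailing-newline" - only the newline(s) at the end differ
      "line-endings"     - same lines, LF vs CRLF/CR terminators
      "content"          - a real difference; detail gives offset and hex context
    """
    if signed == verified:
        return "identical", "signature and verification input match byte for byte"
    if signed.rstrip(b"\r\n") == verified.rstrip(b"\r\n"):
        return "trailing-newline", "signed ends with %r, verified ends with %r" % (
            _tail(signed), _tail(verified))
    if canonical_lines(signed) == canonical_lines(verified):
        return "line-endings", "same lines, different line terminators (LF vs CRLF/CR)"
    # Genuine content difference: point at the first byte that differs and show
    # a few bytes of hex context on each side, the way a hexdump would.
    limit = min(len(signed), len(verified))
    offset = next((i for i in range(limit) if signed[i] != verified[i]), limit)
    lo, hi = max(0, offset - 8), offset + 8
    return "content", "first difference at offset %d: signed=%s verified=%s" % (
        offset, signed[lo:hi].hex(), verified[lo:hi].hex())


if __name__ == "__main__":
    # Constructed samples modelled on the cases discussed in the thread.
    cases = [
        (b"challenge text\n", b"challenge text"),          # the test_cert line 13 case
        (b"line1\nline2\n", b"line1\r\nline2\r\n"),         # suspected LF -> CRLF conversion
        (b"challenge text", b"challenge text"),
        (b"challenge text", b"challenge tezt"),
    ]
    for signed, verified in cases:
        tag, detail = diagnose_mismatch(signed, verified)
        print("%-16s %s" % (tag, detail))
```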
Re: [Openca-Users] Dataexchange
Nuno Dias wrote:
> Hi, can someone help with these two questions ?
> http://www.mail-archive.com/openca-users%40lists.sourceforge.net/msg05438.html
> http://www.mail-archive.com/openca-users%40lists.sourceforge.net/msg05436.html
> The first is mine, the second is from Gregor Bethlen, but the question is basically the same issue ... One CA, two RAs; when importing certificates from the CA, all certificates in the CA are imported to the RA, whether they have been requested from that RA or not. Is there a way to import from the CA only certificates from one specific RA ? Thanks

I think this is not implemented so far, but - that's why it's open source ;o) - change it yourself (ok, the code isn't perfectly documented, nor is the interaction, which makes it quite heavy to get it, but not tooo much..., one just has to look at some parts which work with the headers and the data exchange to understand what's going on). So if you need this - maybe you can write some code.

It should be possible - through the request id - to find out if a cert is from a certain part of the CA or not and should be 'delivered' or not... since every module has its own id. So the importing module should check, maybe the exporting, but I don't know if this will work so easily... I think the other approach is simpler to handle... From the point of security, of course, the second approach - so the exporter of sensitive data decides - is safer - of course ;o) but this would mean changing the node interface too, since there is only export to lower - which includes all lower nodes...

but I don't have time for such things at the moment... sorry, first the verification problems have to be solved.

greetings dalini
Re: [Openca-Users] Multiple OU in DN ?
Michael Konietzka wrote:
> So not only OU can occur multiple times, *every* AttributeType can occur multiple times, can't it?

sure, you just have to set up your configuration regarding your needs, and the LDAP config too ;o) so it can handle the used DN

greetings dalini
Re: [Openca-Users] RBAC error with 0.9.2RC5+
Chris Covell wrote:
> Any ideas ?

yes, but no good news... I just try to trace down this problem. This is related to all browser-based signing, which at the moment is broken somehow... so x509-based login doesn't work either... so if I have this little shiny thing traced and eliminated, all those signing-based problems should be gone... I'm a bit short on time at the moment, but I'll do my best to get this back working asap. The signing of CSR and CRR stuff should work again too then...

greetings dalini
Re: [Openca-Users] Which RFC defines X.509v3 certficates??
Johnny Gonzalez wrote:
> Hello everybody, Can anyone tell me which RFC defines X.509v3 certificates? And if OpenCA fits that standard?

OpenCA uses openssl; openssl implements the cryptographic standards. We 'just' provide an interface on top, to put it abstractly... which enables you to implement a certain PKI structure and policy (workflow, who does what at which step... and so on). So openssl provides the technology - we provide the logic, or better the framework for the logic/workflow above.

openssl supports v3 certificates; you can set up the needed attributes in the extension files inside the etc structure...

This page gives a quite good overview of the relevant and available RFCs for X.509 ;o) http://www.networksorcery.com/enp/data/x509.htm

So in general you wanna look at: [RFC 2459] Internet X.509 Public Key Infrastructure Certificate and CRL Profile. * Obsoleted by: RFC 3280. Meaning: read RFC 3280 for up-to-date information... since 2459 is from 1999 or something.

greetings dalini
Re: [Openca-Users] LDAP cn different from certificate DN
Oliver Welter wrote:
> I want to store certificates in LDAP, but for organisational reasons my DN must look like: cn=cryptic-uid,ou=.. The certificates should look like cn=My Real Name,ou=.
> 1) How can I set up OpenCA to do this
> 2) Will mail clients (Mozilla, Outlook) find the certificate by name ?

hmm, I think you will need a wrapper around the LDAP... so that any request gets 'translated' before it gets into the database, and if a request gets there. But the data inside the certificate will always be cn=my real name; that's simple because this data has been signed by the CA and can't be changed... but the cn in LDAP isn't signed - so it's free to modify the LDAP entry - the certificate itself is usually just a binary block.

I hope this helps ;o)

greetings dalini
Re: [Openca-Users] RC5: approve request with signing fails
Michael Konietzka wrote:

> Michael Konietzka wrote:
>> Hi
>> I updated from RC4 to RC5. When approving a CSR with Signing I get the following error:
>> Fehler 6206 Allgemeiner Fehler. Es konnte kein PKCS#7-Objekt aus der extrahierten Signatur erstellt werden! OpenCA::PKCS#7 gab den Fehlercode 7911031 zurück (Die Signatur konnte nicht initialisiert werden (7912021). Die Signatur eines PKCS#7-Objektes konnte nicht ausgewertet werden (7921031). Der Unterzeichner konnte nicht ausgelesen werden (). ).
>
> Well, this bug is already filed in
> http://sourceforge.net/tracker/index.php?func=detail&aid=969515&group_id=20873&atid=120873
> Mea culpa ;-)
> The surprise for me is that I haven't any problems signing requests with RC4.

the filed bug is for CRR, you are talking about CSR - or did you mix up the two types? ;o)
the one is a revocation request (rr) and the other one is a new certificate request aka signing request (sr)

but i will do some more testing in the evening

greetings
dalini
Re: [Openca-Users] OpenCA RC5 webfrontend and Sendmail
Sergio Avila wrote:

> step by step as it would be to create a certificate and key pair for the use with sendmail daemon?

ok, in general:

you create a cert request, with server-side key generation (basic request)
you put into the request: as common name the dns of your sendmail box
in the additional fields you put the dns again and the ip address (if you like)
then you process it through the pki - and finally you can export it as mod_ssl
you get shown a page with key (unsecured) and cert in pem format which you copy and paste into two separate files, one for the key, one for the cert
those two files you put into the filesystem, make them readable only for the sendmail daemon and put into the sendmail config the path to those two files... but this should be written in detail at the sendmail configuration,
of course you have to give the ca-cert file (usually pem formatted) too to the sendmail stuff... you can also fetch this through the webfrontend

i hope it's detailed enough, even if it's not step by step

for anybody else out there - if you have step-by-step guides ready or wanna provide some for us - they are always welcome, so we can put them into the documentation as examples - how to generate certs for special uses... like sendmail/apache/ldap/and so on... (which are basically always the same, regarding the part for cert generation i guess ;o)

greetings
dalini
Re: [Openca-Users] User's Browser Request - SPKAC
Nuno Dias wrote:

> Hi,
> When I request a user certificate, in public interface, I fill the form, and one of the fields is Choose a keysize, I chose 1024 for example. Then I press continue and I get the Confirm Certificate Request page. In this page I get again the option to choose Keysize ??! If I chose the keysize in the early page, why do I need to choose again ? Is there a way to disable this second choice ?
> Thanks

no, unfortunately there is no such choice, since the second key-size is produced by the browser itself and it can't be set to the previously chosen size... so you have to set it twice at the current state of the code

maybe we can think about leaving out the first one for spkac requests, since the key-size will be available at the request anyway... i'll see at the weekend if there will be problems with leaving out the first one, and what the other developers think about it

greetings
dalini
Re: [Openca-Users] User's Browser Request - SPKAC
Nuno Dias wrote:

> Hi,
> In Confirm Certificate Request page, is there any way to only permit keysize of 1024 ?
> Thanks

no, the key_creation object will show all key-sizes supported by your browser; there are no parameters... so it can't be limited

this is a proprietary netscape-based html-tag

  <KEYGEN NAME="newkey" CHALLENGE="NO_CHALLENGE">

keygen only supports the challenge tag... so for mozilla based browsers this will be a known issue which can't be disabled so fast... i would need an additional optional (so it stays compatible to older netscape versions) attribute which lets you limit the available keysizes or something

so it basically means - code-changes at mozilla code and a redefinition of this proprietary html tag... or to use a different approach for mozilla/netscape based certificate requests...

greetings
dalini
Re: [Openca-Users] Mozilla 1.7 / secclab
Michael Konietzka wrote:

> Hi,
> I upgraded my browser from Mozilla 1.6 to Mozilla 1.7. The crypto seems to work fine so there is no need for secclab-plugin with Mozilla 1.7 I think. As an improvement the crypto accepts my sign-only certificate without complaints. With secclab I had the problem that only signencrypt-certificates were accepted.

yes, we 'pushed' the crypto code into the 1.7 tree, since it has basically been available for quite one or even two years, but never made it into the main-tree... but finally it's in... and of course with help of many asking ppl at this open issue at the mozilla-bug-tracker - hehe, there should be some mails on this list too, which document the heavy efforts to get it in...

greetings
dalini
Re: [Openca-Users] workflow
Til Obes wrote:

> 4. what's the sense of loa? For what do I need this?

if you don't need/use it - you can disable it
etc/server/ra.conf or ca.conf
there is an option use_loa
set it to no and you won't see it again ;o)
you can also adapt those levels and so on...

greetings
dalini
Re: [Openca-Users] DIFFERENT HOUR FROM OPENCA THAN MACHINE'S
Diego I. Rosso wrote:

> Anyone know why all my certificates are created, revoked, etc.. with a different hour than the machine's (Exactly 3 hours, could it be GMT or something like that?) Where can I check that or correct it?

usually it is mentioned inside the certificate which relation and which timebase is used:

  Valid From     Jun 3 23:57:51 2004 GMT
  Expiration on  Jun 3 23:57:51 2005 GMT

so you see GMT ;o) so that means it's 'different' from your local time, but not really: if you issue it at a specific local time this is 'just' transformed to the general GMT without any +/- but one has to keep that in mind if he reads the time and looks at his watch... yeah ;o) because the offset of your time to gmt you know, but if someone in a different timezone uses a cert, he doesn't necessarily know - even if it's stated there, so it's simpler just to add the correction of his own timezone to gmt than to calculate the difference to the issuing timezone - i think, so simply everybody uses gmt for certs

so rfc3280 [http://rfc.sunsite.dk/rfc/rfc3280.html] says:

  4.1.2.5 Validity

  The certificate validity period is the time interval during which the CA warrants that it will maintain information about the status of the certificate. The field is represented as a SEQUENCE of two dates: the date on which the certificate validity period begins (notBefore) and the date on which the certificate validity period ends (notAfter). Both notBefore and notAfter may be encoded as UTCTime or GeneralizedTime.

  CAs conforming to this profile MUST always encode certificate validity dates through the year 2049 as UTCTime; certificate validity dates in 2050 or later MUST be encoded as GeneralizedTime.

  The validity period for a certificate is the period of time from notBefore through notAfter, inclusive.

greetings
dalini
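The GMT handling and the RFC 3280 validity rules discussed in the reply above, as an added example (not code from the thread or from OpenCA): it parses the OpenSSL-style "Jun 3 23:57:51 2004 GMT" lines, shows them in a viewer's own time zone, and encodes/decodes notBefore/notAfter as UTCTime through 2049 and GeneralizedTime from 2050 on.

```python
"""Certificate validity times as RFC 3280 section 4.1.2.5 describes them.

Added example (not code from the thread or from OpenCA): parses the GMT
times that OpenSSL prints, converts them to a viewer's local time zone,
and encodes/decodes notBefore/notAfter the way the profile requires
(UTCTime through 2049, GeneralizedTime from 2050 on).
"""
from datetime import datetime, timedelta, timezone
from typing import Tuple

# Format of the lines quoted in the thread, e.g. "Jun 3 23:57:51 2004 GMT".
OPENSSL_TIME_FORMAT = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_time(text: str) -> datetime:
    """Turn OpenSSL's 'Jun  3 23:57:51 2004 GMT' into an aware UTC datetime."""
    normalized = " ".join(text.split())  # OpenSSL pads single-digit days with a space
    return datetime.strptime(normalized, OPENSSL_TIME_FORMAT).replace(tzinfo=timezone.utc)


def local_view(when: datetime, offset_hours: int) -> datetime:
    """Show a GMT certificate time in a zone that is offset_hours from GMT.

    This is the correction described in the reply: the viewer adds their
    own offset to GMT instead of reasoning about the issuer's time zone.
    """
    return when.astimezone(timezone(timedelta(hours=offset_hours)))


def encode_validity_time(when: datetime) -> Tuple[str, str]:
    """Return (ASN.1 type, encoded string) for a notBefore/notAfter value.

    RFC 3280: dates through 2049 MUST be UTCTime (YYMMDDHHMMSSZ), dates in
    2050 or later MUST be GeneralizedTime (YYYYMMDDHHMMSSZ). Both end in
    "Z" (GMT), which is why a certificate never carries a local offset.
    """
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)  # treat naive input as GMT
    when = when.astimezone(timezone.utc)
    if when.year < 1950:
        raise ValueError("UTCTime cannot represent years before 1950")
    if when.year <= 2049:
        return "UTCTime", when.strftime("%y%m%d%H%M%SZ")
    return "GeneralizedTime", when.strftime("%Y%m%d%H%M%SZ")


def decode_validity_time(asn1_type: str, encoded: str) -> datetime:
    """Inverse of encode_validity_time; resolves UTCTime's two-digit year."""
    if not encoded.endswith("Z"):
        raise ValueError("validity times in this profile must be in GMT (Z)")
    if asn1_type == "UTCTime":
        yy = int(encoded[:2])
        century = 1900 if yy >= 50 else 2000  # RFC 3280 section 4.1.2.5.1 rule
        full = str(century + yy) + encoded[2:]
        return datetime.strptime(full, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    if asn1_type == "GeneralizedTime":
        return datetime.strptime(encoded, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)
    raise ValueError(f"unknown time type {asn1_type}")


def is_valid_at(not_before: datetime, not_after: datetime, now: datetime) -> bool:
    """The validity period runs from notBefore through notAfter, inclusive."""
    return not_before <= now <= not_after


if __name__ == "__main__":
    # Constructed from the two lines quoted in the thread.
    nb = parse_openssl_time("Jun 3 23:57:51 2004 GMT")
    na = parse_openssl_time("Jun 3 23:57:51 2005 GMT")
    print("notBefore seen 3 hours west of GMT:", local_view(nb, -3).isoformat())
    print("encoded notBefore:", encode_validity_time(nb))
    print("encoded 2050-01-01:", encode_validity_time(datetime(2050, 1, 1, tzinfo=timezone.utc)))
    print("valid right now?", is_valid_at(nb, na, datetime.now(timezone.utc)))
```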
Re: [Openca-Users] typo in Configuration.pm
Michael Bell wrote:

> Hi,
> I fixed it in my sources. I commit it in the evening. BTW it will be part of the snapshot on friday. The next RC is scheduled for monday next week.

i hope i get the individual issuing time running by then ;o) the ra part is already finished... so it's possible to store the number of days for validity of a certificate at the ra-interface, just have to change the ca-code/the cert-issuing code for checking the new header-field and overwrite the config-file default value...

btw: i also fixed a small mistake with the loa-stuff, when you set a role in the request on the public interface or so, at the ra it always had been set to the lowest again... this should now not happen anymore, and the requested loa should be shown at the ra interface ;o)

i will submit the changes if the full chain for individual issue-times is working - i think this will be tomorrow or friday, so it should also be part of the next rc...

boundary checks for issuing days will be the next improvement at this feature (min/max issuing time in relation to requested role, automatic checking and adaption of it)

@michael: i think i can encapsulate this also at the ra with quite little effort... so no big changes are required for this at the moment, since this can be easily included at the header-saving-routine for the days at the request and change code, so no changes at issuing code will be necessary to get this working and the ca will stay clean of these changes, imho..., but this is stuff for next week ;o)

greetings
dalini
Re: [Openca-Users] cvs tree
Laurent Mesuré wrote:

> hi,
> when I use the cvs tree what is the version of openca downloaded?

0.9.2

greetings
dalini
Re: [Openca-Users] cvs tree
dalini wrote:

> Laurent Mesuré wrote:
>> hi,
>> when I use the cvs tree what is the version of openca downloaded?
>
> 0.9.2

that means - if you just call cvs - of course you can also fetch an older version... if you provide the right tag (i just don't have it in mind right now ;o)

greetings
dalini
Re: [Openca-Users] mutliple eMail Adds in the certifiacte
Oliver Welter wrote:

> Hi Folks,
> I need more than one eMail Address in my certs - anyone successfully expanded the frontend to do this ??

what about:
subject = primary mail
subject alt name = alternative emails...

you can extend the number of attributes for the sub alt and subject for each interface...
i think this should work, since it's also possible to add more than one dns and so on through the sub alt fields... hope this works... haven't tried this so far with emails ;o)

greetings
dalini
Re: [Openca-Users] RC4: batch processors and pkcs12
Michael Konietzka wrote:

> Do you use a special printer for the PINs like a bank for the ec-card or credit-card PINs? Does anyone know how those printers are named, because google with query pin printer isn't very successful.

you don't need a special printer - there is special paper available
i had this from my health insurance, they used this for the online access
you print with a normal printer - but can't read it - just the recipient, and he can see if it has been manipulated
i'll try to find this piece of paper again - then i can tell you how it's named...

greetings
dalini
Re: [Openca-Users] bugzilla anywhere?
Michael Bell wrote:

> No, you are missing nothing. We deactivated the bugtracking system on sourceforge some time ago because there was only a small number of users. Today the load on the mailing lists is much higher. I would activate the BTS again but perhaps there are other comments from developers. So I will wait until monday and then ask Max to activate the BTS again.

i think it's a good idea ;o) - to activate it
since yesterday i discovered some bugs in granting certs when using the + fields for subjects, when we traced down some problems with the scep and pix stuff... i'll put some hints for granting cisco-equipment certs on the list in the next few days... since the issue is closely related to the above mentioned problem

details follow up soon - yeah - i know... but it's late, the birds are singing and i need some sleep... ;o)

greetings
dalini
Re: [Openca-Users] Still can't get the CISCO stuff to work...
dalini wrote:

> so i guess - this is just a small problem somewhere but a bit tricky to locate... since i have this running with pix 'without' problems - in early stages of scep-getting-ready-to-really-work i had some nightmares with this stuff... because some hints at cisco docu are easy to overread but important to follow to get things to work properly...

yeah - we traced it down - and it's kind of tricky but simple to solve ;o) - so in short for all:

if you get a (scep) request from cisco hardware (this is for pix but other cisco equipment should be similar) - please EDIT it the following way:

set subject alt name to:
  IP: ipaddress
  DNS: FQDN

!!!IMPORTANT!!!
change the subject if you have the bottom line with
  cn: fqdn + unstructured... + unstructured...
or similar: clean up all + fields! otherwise you end up like jörg with strange behavior and non-issued certs and so on

set up the subject as follows: first field (top) and only fill the left-sided fields - no + fields at the bottom! since this seems to be buggy and doesn't work right at the moment
  unstructuredAddress: IP
  unstructuredName: FQDN
  cn: FQDN
  ou, o, c or dc as needed by your organisation

this should work
i hope i did post something understandable *g* - kind of late
so have a nice day - hehe

greetings
dalini
Re: [Openca-Users] Still can't get the CISCO stuff to work...
Jörg Bartz wrote:

> ..can anyone point me towards the email-address of Micheal Weith - he seems to be the pioneer in this case...

if i find some more time *g* - i can create a step by step guide (for 0.9.2 cvs version) which works with:
- cisco pix 515 6.1 and up (verified - because i have it right here) including usage with cisco clients for vpn-auth - if necessary including aladdin etoken pro as cert stores but not all like aladdin *g*
- sscep as an alternative linux client, also good for testing even if it's a bit sensitive to changes in the subject line... (i used it during finalizing the scep interface and scep-code for openca, since the cisco pix and scep-client have really bad debugging features - for tracing down problems and their reasons with scep)

but at the moment i have really limited time for those extra detailed step by step guides ;o(... but i'll see if i get some time... since i have to go through the whole process to document it carefully so i can be sure it can be followed step by step and trace down some common errors - to tell them in advance... this is really time consuming and since my free time is limited it's not available right now... (if you really don't get it working and need it fast - contact me personally, and we will see how to get this working faster for you ;o)

but in general the scep-code should do the necessary things and work just fine for these purposes with pix; other clients like the cisco vpn client and ssh sentinel can also communicate through scep with the pki (i tested this too)

so i guess - this is just a small problem somewhere but a bit tricky to locate... since i have this running with pix 'without' problems - in early stages of scep-getting-ready-to-really-work i had some nightmares with this stuff... because some hints at cisco docu are easy to overread but important to follow to get things to work properly...

greetings
dalini

you can also call me but not before 10 a.m. ;o): +49-3677-78 72 23
Re: [Openca-Users] Error 6251043.
Roberto Hoyle wrote:

> Given how often this error comes up, I have to ask, why is OpenCA checking this? Isn't this really part of the web server configuration? Instead of duplicating work that already exists in Apache, why not just make a document specifying how to configure it properly so that only the right symmetric keylength and/or protocol can access the server?

the answer has been given several times on this mailing list

the standard configuration is set to https with a keylength of 128 bit
you can disable this in the configuration files - see documentation
and you have to tell apache to export ssl variables and cert vars, this is in the list... and since some days also in the documentation... (for sure at cvs version or latest snapshot but i'm not sure here...)

so this is mainly just a setup problem... nothing else
and it is documented in the latest cvs version - so just read the documentation...

greetings
dalini
Re: [Openca-Users] Aproved REQUEST HOW TO
Diego I. Rosso wrote:

> I have openca 0.9.1.7 ... I don't have xml config files... I found the same in ca.conf archive?

ups, ok, that's a problem ;o) - then my hint isn't the right one
i have to take a look into 0.9.1.7, there i don't have enough knowledge about

greetings
dalini
Re: [Openca-Users] 6292010 strikes again!
Michael Portz wrote:

> ps: Is there any preferred installation sequence for the abovementioned config? I tried with either, ie
>   make install-ca
>   make install-ra
>   make install-node
> and
>   make install-node
>   make install-ra
>   make install-ca
> and noticed no difference, but one never knows...

ok and afterwards you did the config.xml stuff and ran ./configure_etc.sh - right?
i never discovered this error - this is really strange

ah yeah you can do (should do)
  make
  make install-offline
or
  make install-online
this will then install all necessary stuff usually
of course it is possible to run install-node, install-ra and so on separately...
if you have ra and ca at the same machine in the same install path, you usually don't need the node interface - since they use the same database

yeah - so that's all i have in mind just right now... i will post a complete step by step guide - for installing a ca with node and a ra with node at the same machine for testing, but with completely separated installation directories, so it's really like simulating two separated systems (just the modules used will be the same, since they are anyway ;o) but this will most probably not be the case before tomorrow...

greetings
dalini
Re: [Openca-Users] problem starting openca
Kevin Mitcham wrote:

> I've checked and re-checked the Database part of the config.xml, and it all seems good to me. Any hints from the more experienced parts of the world?

have you installed the correct perl-dbi module? looks like it couldn't be found

greetings
dalini
Re: [Openca-Users] Error 6251043
Christian Guenther wrote:

> Hi list,
> after successfully solving my problem with the logging (see thread problems with openca_rc start) I ran into the next error. I start my RA by issuing ./openca_rc start and everything works beautifully, but when I try to connect to the website (https://hostname/ra/) I receive this error message:
> Error Aborting connection - you are using a too short symmetric keylength (). General Error. 6251043.

look - what your browser shows - as the used bitlength for the securing of https...
i have disabled the low in apache - so usually that means - your used symmetric key is shorter than 128bit

or for testing - just set it to http ;o) - and the other parameters to zero instead of the default values
you find this in etc/access_control/*.xml
there is a section:

  <channel>
    <type>mod_ssl</type>
    <protocol>.*</protocol>
    <source>.*</source>
    <asymmetric_cipher>.*</asymmetric_cipher>
    <asymmetric_keylength>0</asymmetric_keylength>
    <symmetric_cipher>.*</symmetric_cipher>
    <symmetric_keylength>0</symmetric_keylength>
  </channel>

if it's like this - you can use it with anything (http/https) and so on... so set it to this for first steps - should avoid problems
the type can still be mod_ssl, shouldn't be a problem

greetings
dalini
Re: [Openca-Users] General Error. 6251026.
silves wrote:

> Hello Michael
> I am using https and it's the same thing ...

cite from another mail on this list today :o):

Please check your apache config for this:
  SSLOptions +StdEnvVars +ExportCertData

greetings
dalini
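The two replies above (the <channel> section in etc/access_control/*.xml and the SSLOptions +StdEnvVars +ExportCertData requirement) taken together, as an added example that is not OpenCA's own code: a simplified re-implementation of the channel check that evaluates the default 128-bit setting and the "everything to zero" setting against the SSL_* variables mod_ssl exports, and that shows why a missing export produces the empty "()" in the 6251043 error. Which environment variable feeds which channel field (HTTPS, REMOTE_ADDR, SSL_CIPHER, SSL_CIPHER_USEKEYSIZE) is an assumption made for this example.

```python
"""Illustrative re-implementation of the access_control <channel> check.

Added example, not OpenCA's own code: evaluates a <channel> section like
the one quoted on the list against the variables mod_ssl exports into the
CGI environment when Apache runs with 'SSLOptions +StdEnvVars +ExportCertData'.
The mapping of channel fields to environment variables is an assumption.
"""
import re
import xml.etree.ElementTree as ET
from typing import Dict, Tuple

# Constructed: the shipped default as described on the list (https, 128 bit).
DEFAULT_CHANNEL = """
<channel>
  <type>mod_ssl</type>
  <protocol>https</protocol>
  <source>.*</source>
  <asymmetric_cipher>.*</asymmetric_cipher>
  <asymmetric_keylength>0</asymmetric_keylength>
  <symmetric_cipher>.*</symmetric_cipher>
  <symmetric_keylength>128</symmetric_keylength>
</channel>
"""

# The "first steps" setting quoted on the list: everything allowed, no minimum.
OPEN_CHANNEL = """
<channel>
  <type>mod_ssl</type>
  <protocol>.*</protocol>
  <source>.*</source>
  <asymmetric_cipher>.*</asymmetric_cipher>
  <asymmetric_keylength>0</asymmetric_keylength>
  <symmetric_cipher>.*</symmetric_cipher>
  <symmetric_keylength>0</symmetric_keylength>
</channel>
"""


def load_channel(xml_text: str) -> Dict[str, str]:
    """Flatten the <channel> element into {field: value}."""
    root = ET.fromstring(xml_text.strip())
    if root.tag != "channel":
        raise ValueError("expected a <channel> element")
    return {child.tag: (child.text or "").strip() for child in root}


def check_channel(channel: Dict[str, str], env: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one request's CGI environment.

    Regular-expression fields must match the whole value; keylength fields
    are minimums and 0 disables the check. A missing SSL_* variable (Apache
    not exporting StdEnvVars, or plain http) is an empty string, which is
    why the error on the list shows '()' as the key length.
    """
    protocol = "https" if env.get("HTTPS", "").lower() == "on" else "http"
    if not re.fullmatch(channel.get("protocol", ".*"), protocol):
        return False, f"protocol {protocol} is not allowed"
    source = env.get("REMOTE_ADDR", "")
    if not re.fullmatch(channel.get("source", ".*"), source):
        return False, f"source {source} is not allowed"
    cipher = env.get("SSL_CIPHER", "")
    if not re.fullmatch(channel.get("symmetric_cipher", ".*"), cipher):
        return False, f"symmetric cipher {cipher} is not allowed"
    required = int(channel.get("symmetric_keylength") or 0)
    used = env.get("SSL_CIPHER_USEKEYSIZE", "")
    if required > 0 and (not used.isdigit() or int(used) < required):
        return False, f"you are using a too short symmetric keylength ({used})"
    # The asymmetric fields would be handled the same way; omitted here.
    return True, "ok"


# Constructed CGI environments for the cases discussed on the list.
ENV_STRONG = {"HTTPS": "on", "REMOTE_ADDR": "192.0.2.10", "SSL_PROTOCOL": "TLSv1",
              "SSL_CIPHER": "AES128-SHA", "SSL_CIPHER_USEKEYSIZE": "128"}
ENV_WEAK = dict(ENV_STRONG, SSL_CIPHER="DES-CBC-SHA", SSL_CIPHER_USEKEYSIZE="56")
ENV_NO_EXPORT = {"HTTPS": "on", "REMOTE_ADDR": "192.0.2.10"}  # StdEnvVars missing
ENV_PLAIN_HTTP = {"REMOTE_ADDR": "192.0.2.10"}

if __name__ == "__main__":
    default = load_channel(DEFAULT_CHANNEL)
    for name, env in [("strong", ENV_STRONG), ("weak", ENV_WEAK),
                      ("no export", ENV_NO_EXPORT), ("http", ENV_PLAIN_HTTP)]:
        print(f"{name:>10}: {check_channel(default, env)}")
    print("open channel over http:", check_channel(load_channel(OPEN_CHANNEL), ENV_PLAIN_HTTP))
```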
Re: [Openca-Users] PIX won't import issued certificate
Jörg Bartz wrote:

> == Issued Certificate:
> Description: Certificate issued and Certificate Request archived.
> Logging Message:
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 12 (0xc)
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: [EMAIL PROTECTED],CN=ComNet Certification Authority,OU=Trustcenter,O=ComNet GmbH,C=DE
>         Validity
>             Not Before: May 4 09:27:43 2004 GMT
>             Not After : May 4 09:27:43 2005 GMT
>         Subject: serialNumber=12

i think this could be a problem - usually i have the dns in the subject too... but i don't know - maybe you requested a serial in the cert, since the ca enroll command isn't included in your e-mail ;o) in general i have deactivated the writing of serials in the subject or something like this, since the serial is part of the certificate anyway

>         X509v3 Subject Alternative Name:
>             DNS:pix.*mydomain*.de, email:[EMAIL PROTECTED]

this looks ok, as far as i see - i'm not sure if the pix maybe falls over the email in the subject alternative name, but it shouldn't be a problem

have you tried - just to enroll again? very often - the pix then just accepts the issued certificate - i haven't found out exactly why it can't successfully finish the first transaction but takes the cert in the second transaction... (this is for pix 515), usually there is no interaction at the pki required - because the certificate is already issued, if the request stays the same

greetings
dalini
Re: [Openca-Users] SCEP and PIX
Bert Koelewijn wrote:

> Yes OK. But is it possible to access /cgi-bin/scep/scep, without even running the openca server?
> regards,

this is an interface script - you can't run this just like it is
you have to modify it - to use it as a stand-alone application
just take a look ;o)

greetings
dalini
Re: [Openca-Users] SCEP and PIX
Bert Koelewijn wrote:

> Hello all,
> Is it possible to use SCEP stand-alone, without using openca? Can I get the PIX-request from SCEP, sign it and feed it back to SCEP?

yes, call the scep-tool with --help ;o) - it has an interface similar to the openssl tools like pkcs## or req and so on... so just call the binary and look - how to call it for the usual operations you can see in the script scepPKIOperation

greetings
dalini
Re: [Openca-Users] scep problem
pug wrote:

> Hi,
> while playing around with scep and a Cisco 836 I experienced that the certificate request does not appear in the Certificate requests menu of OpenCA. After configuration of crypto pki trustpoint, the 836 requested the ca certificate. It was delivered by OpenCA and the 836 installed it. After that the 836 requested a certificate:

how is your openca set up? did you generate some (web-server) certs for the scep-interface and set the path to the key and cert file at config.xml at the scep part? how many certs does your trustpoint 836 show? one ca and one ra or only one ca?

if you use - just a ca without extra ra-certs for the scep interface, you have to set the ca key and cert at the path for scep at the config.xml file... otherwise the scep-interface can't use the right certs and keys for communication with a client, and don't forget to rerun ./configure_etc.sh to update the config files... but usually one doesn't use the ca-stuff directly

> Is there a way to get more debug output from scep ?

no, not at the current state

greetings
dalini
Re: [Openca-Users] Problem reading CRIN-Mail
[EMAIL PROTECTED] wrote:

> To fix this bug, I replaced line 2576 in OpenSSL.pm
>   $smime->encrypt(CERTIFICATE => $sign_x509)
> with
>   $smime->encrypt(CERTIFICATE => $enc_x509)

ah great - i will put this into cvs - so it should be available to all tomorrow (since the public cvs is usually around one day behind)

greetings
dalini
Re: [Openca-Users] RA CSR upload problesm
lin leon wrote:

> Michael wrote:
>> Did you correctly choose the appropriate configuration template for the dataexchange in config.xml before you are running configure_etc.sh on the RA and on the CA? OpenCA's dataexchange does not export or import anything if you don't change the used template in config.xml. We must do this for security reasons to avoid impacts into the infrastructure of the CA.
>> Best regards
>> Michael
>
> i want to know what is meant by "change the used template" and how to do it

you go to: installdir/.../etc and look into the file config.xml
at the end - there is a section for configuring dataexchange
there are 5 or 6 templates - of which the first one is activated, and this stands for - everything is at the same machine...
you have to comment out this section and choose the appropriate one for the right node
so for the ra - choose a template for ra, with ldap,public,scep whatever you have
and for the ca activate the ca only template

then you have to rerun ./configure_etc.sh to get the configfiles updated...

greetings
dalini
[Openca-Users] Announcement: OpenCA-0.9.2 RC4
Release Announcement: OpenCA 0.9.2 RC4 is finished.

We landed a lot of patches on the CVS and we hope this will solve several problems. There are so many fixes that I can only note the most important ones.

First, the documentation. I know that it is not big enough and that there are many things which people need, but now you can extend it on your own because it is fully compilable with Open Source tools.

Second, we added support for Microsoft Smartcard and Domain Controller certificates. You have to install OpenCA with OpenSSL 0.9.7. After this you must install an OpenSSL snapshot and change the reference to the new OpenSSL binary. Sounds complicated? Nothing is for free, but it is documented. BTW, you do not have to know such things as the OIDs from Microsoft.

Third, there are a lot of fixes for the access control. Things like X.509 authentication now work for all interfaces. There are roles for normal accounts too, and ACLs are activated by default.

Fifth, there are many enhancements for the new batch system. Yes, we developed a completely new one because of the poor performance and the complicated extension of the first one in 0.9.1. The new system is much more flexible and includes a simple state machine. Like the old system it includes a mechanism for key recovery. Every function is now in a separate. This makes it really easy to customize checks or special behaviours.

The last enhancement is the bugfixes and small new features. We added several new error messages to give you more details if something fails. This should support you with more hints if the first startup of OpenCA fails. A feature which was requested for years but never implemented is the PIN verification on the RA. It is now possible that a user enters his PIN on the RA to identify himself. Several fixes try to make CRRs work, but there is still an open issue with signed CRRs.

I hope this summary helps a little bit to give you an idea why it takes so long. There will definitely be an RC5 to land the last patches for CRRs and to integrate a new language.

The OpenCA Team

Important Notes: you will find the current RC4 at the moment at our sourceforge area: http://sourceforge.net/project/showfiles.php?group_id=20873&package_id=17066
the official openca download pages will be updated in the next days: http://www.openca.org/openca/downloads.shtml
openca homepage: http://www.openca.org
Re: [Openca-Users] openca certificate error
lin leon wrote:
> yes i have to export the certificate from the CA to the floppy. and i've write permissions.

in the way: chown xx /dev/fd0
xx should be the apache user...

greetings dalini
Re: [Openca-Users] Unable to create serverside certs
Oliver Welter wrote:
> Hi All, I installed 0.9.2 RC3 and have a problem creating the initial admin... When trying so, I get:
>
>   Generating RSA private key, 1024 bit long modulus
>   ..++
>   ..++
>   e is 65537 (0x10001)
>   unable to write 'random state'
>   problems making Certificate Request
>   28356:error:0D07A097:asn1 encoding routines:ASN1_mbstring_copy:string too long:a_mbstr.c:154:maxsize=2

yes - this looks like there is somewhere a country string which is longer than two characters ;o)
check your configuration... i think there is a typo or something somewhere... because this reminds me of one thing we had recently at the list, same problem, and maxsize=2 looks like the country attribute

greetings dalini
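The maxsize=2 in the error above is OpenSSL enforcing the X.520 upper bound for countryName while it encodes the request subject. As an added example (not OpenCA's code and not from this thread), here is a small Python checker that applies the RFC 5280 Appendix A upper bounds to an OpenSSL-style DN string before the request is built, so the offending attribute is named instead of a raw ASN.1 error. The sample DNs are constructed for illustration; the bound table holds the real RFC 5280 values.

```python
"""Check distinguished-name attributes against the X.520 upper bounds.

Added example, not OpenCA code: OpenSSL raises
"ASN1_mbstring_copy:string too long ... maxsize=2" when a subject attribute
exceeds the per-attribute upper bound from RFC 5280 Appendix A. This
checker applies the same bounds to an OpenSSL-style DN before the request
is built, so the failing attribute is reported by name.
"""

# Upper bounds from RFC 5280 Appendix A (counted in characters).
UPPER_BOUNDS = {
    "C": 2,               # ub-country-name-alpha-length
    "ST": 128,            # ub-state-name
    "L": 128,             # ub-locality-name
    "O": 64,              # ub-organization-name
    "OU": 64,             # ub-organizational-unit-name
    "CN": 64,             # ub-common-name
    "serialNumber": 64,   # ub-serial-number
    "title": 64,          # ub-title
    "emailAddress": 255,  # ub-emailaddress-length
}


def parse_dn(dn):
    """Split an OpenSSL-style DN ("/C=DE/O=Example/CN=name") into
    (attribute, value) pairs. A backslash escapes the next character, so
    "\\/" inside a value is a literal slash, not an RDN separator."""
    if not dn.startswith("/"):
        raise ValueError("DN must start with '/'")
    rdns, current, i = [], [], 1
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            current.append(dn[i + 1])
            i += 2
            continue
        if ch == "/":
            rdns.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    rdns.append("".join(current))
    pairs = []
    for rdn in rdns:
        if not rdn:
            continue  # tolerate a trailing or doubled slash
        if "=" not in rdn:
            raise ValueError("malformed RDN: %r" % rdn)
        attr, value = rdn.split("=", 1)
        pairs.append((attr.strip(), value))
    return pairs


def check_dn(dn):
    """Return (attribute, value, bound) for every attribute that is longer
    than its X.520 upper bound; an empty list means the DN will encode."""
    violations = []
    for attr, value in parse_dn(dn):
        bound = UPPER_BOUNDS.get(attr)
        if bound is not None and len(value) > bound:
            violations.append((attr, value, bound))
    return violations


if __name__ == "__main__":
    # Constructed sample DNs: the first one mirrors the "maxsize=2" failure.
    for sample in ("/C=GER/ST=Berlin/O=Example PKI/CN=CA Admin",
                   "/C=DE/ST=Berlin/O=Example PKI/CN=CA Admin"):
        print(sample, "->", check_dn(sample) or "ok")
```

Running the check over the DN values in the OpenCA configuration (or any DN handed to openssl req) catches the three-letter country code before the ASN.1 encoder does.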
Re: [Openca-Users] Cannot initialize Crypto Shell
Mike Tech wrote:
> Hi Michael, I am using OpenCA-SNAP-20031219.tar.gz http://www.openca.org/cgi-bin/openca/downloads/getFile/OpenCA-SNAP-20031219.tar.gz?name=snapshots%2FOpenCA-SNAP-20031219.tar.gz dated 19 Dec 2003. Please suggest which version (date) I have to use?

at the moment it would be best to use the cvs version - for the 0.9.2 tree - since there are quite some fixes which are not released as snapshot or cvs right now...
the next rc is in the queue but is waiting for some translations and a fixup for some signing crr issues (which will be fixed soon i hope, will see when i take a look at this, since micha is a bit short on time at the moment)

greetings dalini
Re: [Openca-Users] Gemplus, Alladdin UID Attribute
Gio wrote:
> Hallo, I try to store the certificates on the Chipcard (Gemplus) and e-token (Alladin). It works wonderfully as long as I don't alter the Configuration-Files. I have to change the configuration to have the attribute uid. Highly probably, I will have to use also the attributes ST and L. The single mistake that I have comes from IE: "The generation of the request failed". This happens with the Gemplus card as well as with the e-token Alladin. The private Key is generated, and I can see it on the Gemplus-Karte. What fails is the creation of the Request. As said, with the original Configuration, I don't have a problem. Any Idea?

yes, that's not an OpenCA issue, this is a problem of the cards as far as i could verify this... since manual import of those certs with uids for example works, but the card software can't show them correctly... (aladdin)
(try to generate the keys not on the card and export the results as pkcs#12 - import it - you will see what i mean... the aladdin software can't interpret those uid attributes)
i have mailed this issue to aladdin already and they are working on it, or at least checking this issue ;o) - for gemplus i can't say, since i don't have cards for evaluation
maybe they do use siemens chips too (like aladdin)? with card os m4? i think this is a problem of the card os or the drivers of the cards... so maybe you can contact gemplus - aladdin is already in the queue ;o)

greetings dalini
Re: [Openca-Users] Gemplus, Alladdin UID Attribute
Gio wrote:
> Hallo,

and a little issue for this mailing list - not just for you ;o):
- PLEASE - if you start a NEW topic => write a NEW mail
- DON'T reply to an old message and just change the topic!
modern e-mail clients use the references header of the mails to sort messages in threads - and the topic - also some imap servers directly support this
so this will put messages in wrong threads and will make it more difficult for us to identify new issues on the list, if they are inside old threads...
Thank you all!

Greetings Dalini
Re: [Openca-Users] openCa initialization
Guillaume Roger wrote:
> Michael Bell wrote:
>> Guillaume Roger wrote:
>> Did you edit the request? Even if you don't change the request's data, please click ok at the edit page. This editing changes the state of the request from NEW to PENDING. The state change is required to make the request visible for the issuing function.
>
> Yes, I did it more than one time, but it didn't change anything. I tried to approve the request from the RA; it worked, but only if I don't sign it at the same time. In other words, the request is now Approved, but I am still not able to sign it.

this sounds weird - maybe it would be a good idea to get to the same level of what we are talking about ;o)
the subject says: openca initialization
you say: request from the ra - but i think you are still at the ca?
can you maybe give the exact steps you do - and where you crash? since this is a little confusing to me at least
it would be best - for initialization - to use the steps from the initialization page rather than using the 'normal' interface

greetings dalini
[Openca-Users] Current Issues
CSRs:
- works completely, with and without signing

CRRs:
- works without signing
- signing doesn't work (will see what i can fix today) - no workaround at the moment

Login with Certs to Interfaces
- works with ra interface
- doesn't work for node and ldap (just an install issue) - will be fixed at RC4 and cvs soon ;o)
=> workaround: go to installdir/apache
  - cd node
  - ln -s ../ra/scripts scripts
  - cd ..
  - cd ldap
  - ln -s ../ra/scripts scripts
otherwise at the node and ldap interface the necessary scripts can't be loaded at the webbrowser...

greetings dalini
Re: [Openca-Users] Current Issues
dalini wrote:

first, the issues are for 0.9.2 cvs
second: "go to installdir/apache" - i mean: installdir/apache/htdocs for sure ;o)

greetings dalini
Re: [Openca-Users] setup two management interfaces on one server
Michael Portz wrote:
> Well.. what helped me in the same situation was to STRICTLY keep those two versions apart. That means: different --prefix, --with-openca-prefix, --with-module-prefix and --with-httpd-fs-prefix. What surprised me was that you could use the same --with-web-host, but I guess that was just me... :)

actually you don't need to keep them strictly apart
for example it doesn't make much sense to separate the module stuff... you can go for even more nodes on the same computer this way... and have the modules just one time there - this is also practical for personal code changes, if you have special needs - you change it once and can test it with all nodes and interfaces, as far as it's the general modules
i attached two setups i usually use to 'simulate' two separated installations at one system
then you can work like you would have two separate installations, so you can check that the dataexchange processes are working properly and so on...
for dataexchange i then just use a directory like: /usr/local/pki-new/operating/exchange/filename
so in the exchange directory are different files for the different levels of the hierarchy, like level-00, level-01, which then would for example be used: 00 for ca-sub-ca and 01 for sub-ca-ra and so on
for final deploy you just put one - let's say the offline part - at a different computer - change the exchange behavior - like the paths to point to fd0 or some usb-stick stuff or through scp...

greetings dalini

online configuration
./configure \
  --prefix=/usr/local/pki-new/operating/ra \
  --enable-ocspd \
  --enable-scep \
  --with-openca-user=pki \
  --with-openca-group=pki \
  --with-web-host=pki.somehost.de \
  --with-httpd-url-prefix=/pki/ra/ \
  --with-hierarchy-level=ra \
  --with-httpd-user=apache \
  --with-httpd-group=apache \
  --with-module-prefix=/usr/local/pki-new/operating/modules

offline configuration
./configure \
  --prefix=/usr/local/pki-new/operating/ca \
  --disable-ocspd \
  --disable-scep \
  --with-openca-user=pki \
  --with-openca-group=pki \
  --with-web-host=pki.somehost.de \
  --with-httpd-url-prefix=/pki/ca \
  --with-hierarchy-level=ca \
  --with-httpd-user=apache \
  --with-httpd-group=apache \
  --with-module-prefix=/usr/local/pki-new/operating/modules
Re: [Openca-Users] PIN Messages are not beeing sent
Tobias Glemser wrote:
> In config.xml sendmail is given as mailer (I tried the default value as well as sendmail, sendmail -t, sendmail -n), and the sendmail command itself is working. The error logs in /var/log/mail are normal. Any suggestions?

yes - this is fixed at cvs ;o), there are also some other issues fixed at the cvs version which are not working at rc3 - for example the revocation process and login auth with certificates aren't working properly at rc3...

greetings dalini
Re: [Openca-Users] change role to spanish language....
Pedro Jossi wrote:
> Hello to all! Is it possible to change the names of the files user.conf, ca_operator.conf, mail_server.conf, etc. to Spanish language?

the names of the files shouldn't be a problem - just take care of special chars (this could raise some problems with the filesystems maybe - you have to try) and don't forget to adapt the corresponding configurations for the roles and so on... then it should work, so it reflects the changed names
but i think this should work - but haven't tried so far ;o)

greetings dalini
[Openca-Users] OT: SCEP/CISCO CA(PKI)-Rollover
Hello all together,

i just fell over this issue when i was planning some CA/PKI rollover scenario
so - i came to the conclusion - this is going to give some really heavy problems, and one day you have to do it... especially in a running environment this looks like it is going to give some real problems:

situation:
- usually you have a ca signing cert requests so that the validity of the cert doesn't exceed the validity of the ca cert
- that means - if you have a maximum issuing time for certs of 1 year, this ca will issue only crls but no more certificates in the last year of its existence
- so you then do a ca/pki rollover - meaning, you do a new ca cert and set up a new pki structure for it to use

BUT - now we get into trouble, maybe i overlooked something, i hope so really, but at the moment i can't find the easy solution i'm actually looking for... which isn't that good
- so we have TWO CAs with TWO CRLs for the timespan when ca-old issues only crls and ca-new will do the new certs and its own crl for that
- but as far as i see this right now - the pix or let's say scep can just handle one ca - yeah, and here we have a real problem right ahead
- so if we approve the new ca - we lose validity of certs for the old one, but they are still valid, actually - and we can't check the crls of the old one either
so that means all client certs of the old ca have to be reissued by the new one after the day this gets into, let's call it, active state and the old one is in, let's call it, passive state (means crl signing only)
but this means - a lot of work and maybe unnecessary troubles - but i see no other chance to handle this at the moment?
but i think, since this shouldn't be a too new issue - how do others handle this? set the lifetime of the vpn ca to 10 years (or something around that) or what?
so one just hopes - that scep or let's say the pix or other equipment by then can handle more than one ca in parallel, to get this really working?

thanks for any suggestions ;o) - i mean this issue stays even with a more complex setup using maybe a long-term root ca; this issue is still not solved - since i get a root ca rollover somewhere in the future

greetings dalini
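To make the timeline in the post above concrete, here is an added Python example (not from the list and not OpenCA code) that computes, from constructed CA dates, the day the old CA has to stop issuing so that no certificate outlives it, the passive (CRL-only) period that follows, any days on which neither CA can issue, and the window during which both CAs' CRLs must be published. All dates and lifetimes are constructed values.

```python
"""Plan the passive period and CRL overlap of a CA rollover.

Added example, not OpenCA code. Dates are calendar days: a certificate
issued on day D with lifetime L days expires on D + L, and it must not
expire after the issuing CA's own notAfter.
"""
from datetime import date, timedelta


def plan_rollover(old_not_after, max_cert_days, new_not_before):
    """Return the key dates of a rollover from an old CA to a new one.

    old_not_after   notAfter of the old CA certificate
    max_cert_days   longest end-entity lifetime the old CA issues
    new_not_before  notBefore of the new CA certificate

    Result keys:
    last_issue      last day the old CA may issue a full-lifetime cert
    passive_from    first day the old CA only signs CRLs
    issuance_gap    days (>= 0) on which neither CA can issue
    crl_overlap     (start, end) during which both CAs must publish CRLs,
                    or None; the old CA's CRL stays relevant until its last
                    certificate expires, which is at the latest old_not_after
    """
    if max_cert_days <= 0:
        raise ValueError("max_cert_days must be positive")
    last_issue = old_not_after - timedelta(days=max_cert_days)
    passive_from = last_issue + timedelta(days=1)
    # Days from the start of the passive period up to (not including) the
    # new CA's notBefore, if the new CA arrives late.
    issuance_gap = max(0, (new_not_before - passive_from).days)
    if new_not_before >= old_not_after:
        crl_overlap = None  # the old CA is expired before the new one exists
    else:
        crl_overlap = (new_not_before, old_not_after)
    return {
        "last_issue": last_issue,
        "passive_from": passive_from,
        "issuance_gap": issuance_gap,
        "crl_overlap": crl_overlap,
    }


if __name__ == "__main__":
    # Constructed: a VPN CA valid until 2010-01-01 issuing one-year certs.
    early = plan_rollover(date(2010, 1, 1), 365, date(2008, 12, 1))
    late = plan_rollover(date(2010, 1, 1), 365, date(2009, 3, 1))
    print("new CA in time:", early)
    print("new CA late:   ", late)
```

The second call shows the case the post worries about: when the new CA is activated after the old one has gone passive, there is a stretch of days on which no certificate can be issued at all, and in both cases the old CA's CRL has to be served right up to its notAfter, which is exactly the period in which a SCEP client that knows only one CA cannot validate against both.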
Re: [Openca-Users] OpenCA-0.9.2-RC3 and IE request
Artur Pyc wrote:
> Hi, Firstly I'm sorry if the following subject was previously discussed on this list (I'm new here). I've just installed openca version 0.9.2RC3 and I've a problem with getting the requested certificate. When I'm trying to Get the certificate, IE shows the error with the following details:
>   Row: 9
>   Sign: 9
>   Error: Unknown definition 'cert'
>   Code: 0

this should be fixed at cvs and at the next rc coming soon ;o)

greetings dalini
Re: [Openca-Users] floppy disk?
Chimaw Lee wrote:
> Hello everybody.. I have a question about Openca. the question is the floppy disk: the ca and ra server communicate with floppy disk. Could I remove the floppy disk and then the Openca can also work? because i think using the floppy disk is not convenient. Somebody can give me some advice? or any good idea?

read the fine manual
yes, you can: it's simple, it's online, it's included at the distributions
there are configuration files and there are fields where you can set up the dataexchange
there are examples inside the configuration files and at the documentation how to do this differently than with fd0
go to .../etc/ and do:
  grep fd0 * -R -n
this will show you the files where you can change this
just a little hint: if you change things inside a .template file, then a rerun of ./configure_etc.sh will keep those changes
if you change things inside a .conf file, then a rerun will overwrite those changes

greetings dalini

ps: next time it will be enough to ask at one mailing list - thx
Re: [Openca-Users] SCEP requests failing
Andréa Cavallari wrote:
> Hi! In which files can I set this configuration SET_CERTIFICATE_SERIAL_IN_DN NO

go to .../etc
do:
  grep SET_CERTIFICATE_SERIAL_IN_DN * -R -n
;o)
but usually it is in etc/servers/ca.conf or ra.conf and so on...

greetings dalini
Re: [Openca-Users] SCEP and Enterasys VPN Router
Teo Romera wrote:
> How about the SCEP thing? The SCEP-speaking router would contact the RA to obtain the CA cert and make a request for its own cert. So will the RA sign the cert for the router? and, can the RA just give out the CA's cert to the router?

no, i don't know which kind of router you use, but usually you can tell them if they talk directly to a ca or an ra - so they know there is a step between
that means: the communication between the scep interface and the router/clients, whoever uses the scep functionality, is secured with the cert for this interface, which is signed by the ca too
the ca is always used to issue certificates - the ones for the ra, as for the router, as for the clients - it's always the ca who does this

> Globally i just need a cert for the SCEP-speaking router and a way to issue certs for the remote access users when they request them. Which should be the deployment view? I know I can handle installation and configuration issues, but I just don't see how it all would work altogether.

usually the whole administrativa is handled at the ra level, if one exists
so there all the requests will get handled by one or more ra operators, even the request for the router - this works quite transparently actually
the ra operator will see a request, maybe change this and that - then approve it, usually signed with his own cert, so the ca (ca operator) can later verify who approved the requests
then those approved requests get exported (through a usb stick, a tape, a disk, whatever), transported to the offline ca - there you import the data through the node interface (which actually handles the data export and import between the machines) and then the certificates get issued there, either manually or automatically through the batch system
then all goes backwards - export certs from the ca - import at the ra
when the certs are imported at the ra - they can be fetched by the users and also by the router through scep
of course it is possible that a user requests a cert through scep too - if his client supports this and so on, there are a lot of options, depending on your environment and needs and so on... ;o)
and don't forget to issue a crl - i think the router at least will need one for proper operation - otherwise it could be difficult for him to decide if a certificate is really still valid or not
of course it is possible that this gets handled all by one person ;o) in larger scenarios this usually gets divided, as the technicians and the people who decide who is allowed to use something - like the vpn access - are different

greetings dalini
Re: [Openca-Users] Mail sending problem
Guillaume Roger wrote:
> Hi all, When I try to send mail to users (node - utilities - send a crin mail or email new user), nothing is sent, with OpenCA 0.92RC3, on fedora 1.

i think this should have been fixed at the cvs version ;o)

dalini
Re: [Openca-Users] SCEP and PIX Firewall
Bernd Probst wrote:
> The certs are marked as active, but i can see no serial number at the ca certificate in the pix. Is this correct??

yes, this is correct, since the ca cert has a serial number of zero ;o) which pix interprets as not available...

> I tried to edit the request with the correct DN. Then OpenCA was able to issue the certificate, but nevertheless the PIX was not able to show this certificate with show ca cert. But the pending request (Pending 102) at PIX trace was changed to granted (Granted 100). I thought this is it. But NO!!! The PIX shows only the ra and the ca certificate !!! Has anyone an idea what went wrong ???

yeah - i have some ideas ;o)
first - the granted cert will be shown on top of ca and ra cert as the first one - if it's there
second - it is important to keep some special attributes in the dn, that means: unstructuredAddress and unstructuredName if available, otherwise the pix will not accept the issued certificate
if you do a request (ca enroll pki-name pwd ipaddress) then it must be included - but at least the unstructuredName should be included
and as mentioned before - you have to set the equivalent subject alternative name - for unstructuredName this is DNS and there has to be the same string - for unstructuredAddress it is IP (this is mentioned somewhere at the cisco vpn documentation for pix)
i add both usually

greetings dalini
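The pairing rule in the reply above (unstructuredName needs a DNS subjectAltName with the identical string, unstructuredAddress needs an IP subjectAltName with the identical address) is easy to get wrong while editing a request by hand at the RA. As an added example (not OpenCA's code and not from this thread), here is a Python check an RA operator could run on a device request before approving it, plus a helper that derives the subjectAltName value to add. Subjects and SANs are passed as plain (type, value) lists so it runs without a certificate library; the router name and address in the sample are constructed.

```python
"""Check a SCEP device request for the PIX subject/SAN pairing.

Added example, not OpenCA code. Rule from the thread: a subject
unstructuredName needs a DNS subjectAltName carrying the identical
string, and a subject unstructuredAddress needs an IP subjectAltName
carrying the identical address; without them the PIX rejects the
issued certificate. Subject and SAN are modelled as (type, value) lists.
"""
import ipaddress

# Subject attribute -> subjectAltName type that must carry the same value.
PAIRING = {"unstructuredName": "DNS", "unstructuredAddress": "IP"}


def derive_san(subject):
    """Build the subjectAltName value the RA operator has to add
    (openssl syntax, e.g. "DNS:fqdn,IP:addr") from the unstructured*
    attributes of the subject, in subject order."""
    entries = []
    for attr, value in subject:
        san_type = PAIRING.get(attr)
        if san_type:
            entries.append("%s:%s" % (san_type, value))
    return ",".join(entries)


def check_device_request(subject, sans):
    """Return a list of problems; an empty list means the request
    satisfies the pairing rule and carries an unstructuredName."""
    problems = []
    present = set(sans)
    if not any(attr == "unstructuredName" for attr, _ in subject):
        problems.append("subject has no unstructuredName")
    for attr, value in subject:
        san_type = PAIRING.get(attr)
        if san_type is None:
            continue
        if attr == "unstructuredAddress":
            try:
                ipaddress.ip_address(value)
            except ValueError:
                problems.append("unstructuredAddress %r is not an IP address" % value)
                continue
        if (san_type, value) not in present:
            problems.append("%s %r has no matching %s subjectAltName"
                            % (attr, value, san_type))
    return problems


if __name__ == "__main__":
    # Constructed device request as a PIX "ca enroll" would produce it.
    subject = [("unstructuredName", "vpn-gw.example.net"),
               ("serialNumber", "87CE1234"),
               ("unstructuredAddress", "192.0.2.10")]
    print("add subjectAltName =", derive_san(subject))
    print("with only DNS SAN:", check_device_request(subject, [("DNS", "vpn-gw.example.net")]))
    print("with both SANs:   ", check_device_request(
        subject, [("DNS", "vpn-gw.example.net"), ("IP", "192.0.2.10")]))
```

The check deliberately insists on an exact string match rather than a case-insensitive one, because the post's requirement is "the same string"; if a request arrives with a mixed-case unstructuredName, the operator should copy it verbatim into the DNS entry rather than normalising it.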