Hi,
I cc'd you directly because all discussion now takes place on
the SF lists.
yes but on [EMAIL PROTECTED] or?
I am terribly sorry, please excuse my mistake.
(Autocompletion of my mail client inserted the list address after
typing 'devel' and I did not notice that it was the wrong list
Hi Bahaa,
I cc'd you directly because all discussion now takes place on the SF
lists.
Thanks for the follow up. This is the same architecture I have been
working on, however there are no examples on how to hook up to the
workflow or add new functions that do crypto operations in the server
API
Hi,
I am new in this list and mainly an OpenCA user who needs some
changes in OpenCA.
After requesting a certificate using the "Token Request" link from
the PUB interface, and then opening this request from the RA
Interface, there is a "Generate Key" button at the bottom of the
form. I was
Hi,
martin i still have a little doubt about how the
openssl command is wrapped with with-nfast -M, could
you give me some hints please? maybe the openssl
command is wrapped with:
/opt/nfast/bin/with-nfast openssl ca
am i wrong?
yes, correct. Add the -M flag to make sure that you are not
Hi,
in order to signing certificates it is necessary to
open the hsm with its operator card set
(/opt/nfast/bin/with-nfast pause) before executing the
openssl ca command.
i would like to know how does openca get the hsm
password to load the private key to sign the
certificate? (for example how
Hi Til,
what's the sense of the logging in var/log/xml/time/?
That fills gigabyte over the time. Can that be turned off?
I use the following shell script fragment to move logs that are older
than x days to an archive. If you call this daily with a different
name you will get a nice arch
Hi,
true, I observed the same behaviour. The session cookies are
not that big, so they do not disturb me very much (but this
is my personal opinion).
Hmm they will disturb you, if you have no more inodes left...
I have 20.000 Accounts here, which will get a certificate in
future. Maybe the dae
Hi,
do i have to delete all the old session files
by hand, for example per cronjob? It seems, that the
daemon does not take care of this files.
true, I observed the same behaviour. The session cookies are not that
big, so they do not disturb me very much (but this is my personal
opinion).
Hi,
perhaps Martin forgets your fix. Nevertheless I committed your patch
and fixed the release tag.
I am quite sure that I applied the whole fix that was attached to
the bug report. The patch applied cleanly, compile was OK (at least
my package build). I plead not guilty... :-)
Did you ask Ma
Hi Sergei,
2) SCEP does not compile with OpenSSL-8. Looks like Martin
neglected the most vital section of the old Julia's patch aimed
exactly on this.
would you please be so kind and either point me to the right location
or provide this information here?
I applied Julias patch (see bug 1
Hi,
scep_asn1.c:19: error: conflicting types for
`d2i_SCEP_ISSUER_AND_SUBJECT'
scep_asn1.h:15: error: previous declaration of
`d2i_SCEP_ISSUER_AND_SUBJECT'
make[5]: *** [scep_asn1.o] Fehler 1
make[5]: Leaving directory `/usr/src/openca/openca-0.9/src/scep/src'
make[4]: *** [all-recursive] Fe
Hi,
I have checked in and tested my submissions for 0.9.2.5:
* added LDAP authentication (Peter Gietz)
* fixed bug #1378831 (Julia Dubenskaya)
* fixed bug #1339236 (Julia Dubenskaya)
* fixed bug #1254337
* SCEP server improvements:
* added getCert function to SCEP server (submitted by Radu Gaj
Hi,
just wanted to remind you that you promised to include the LDAP
authentication stuff into 0.9.2.5. Is this still the plan?
yes, of course.
cheers
Martin
Hi Til,
I can do this next week, so I'd propose setting a deadline for code
submission to the next release around friday next week.
hmm a mail from you at 9.11. comes into my mind, saying you will
do that until end of november ;)
please excuse I did not meet my own deadline. Reason is in my
Hi Oli,
Martin: I think you are still waiting for my patch for the
checkboxes for Multi-Approval, right :)
I missed it again, but think we should include this in the next
release too. The patch was from one of the german universities
(don't exactly remember who sent it) and it works fine for
Hi,
there are some requests for an official 0.9.2.5 release. Some
people would like to have an official release with the final utf8
stuff. Does there be any known serious problem which avoid a new
release with the utf8 changes from Sergei?
there are some changes to the SCEP server (Julias
Hi,
> http://prdownloads.sourceforge.net/openca/openca-0.9.2.4.tar.gz?download
>> is there a .tar.gz of the version 0.9.2.4+?
I think he meant a snapshot version that includes the latest UTF8
additions. I am afraid there is no such version right now.
I'd like to add some improvements to the SCE
Hi,
> Done. I committed the fix. Can somebody close the bug please? I have no
> permissions for this.
I closed the bug. It's really annoying that you cannot access the
bug database anymore.
cheers
Martin
Hi Julia,
> Attached please find a patch for 0.9.2 branch which allows for
> to compile scep related part of OpenCA with openssl-0.9.8.
> It also solves all known to me utf8-related problems in scep.
> Could you please test if this patch violates scep operation
> in your environments. Would be ve
Hi,
> On Aug 17 (Revision 1.47.2.5) michaelbell committed my patch for file
> initServer about autoescaping of UTF8 text:
>
> http://cvs.sourceforge.net/viewcvs.py/openca/openca-0.9/src/common/lib/functions/initServer?rev=1.55&view=log
>
> which is needed for correct presentation of UTF text on sc
Massimiliano,
first of all please excuse that I post with a different email address
now, for some reason I am no longer able to post to the Users and Devel
Mailing Lists with my old email account.
>> this is to announce that with immediate effect I will be
>> discontinuing work on the OpenCA deve
Dear OpenCA users and fellow developers,
I'd like to let you know that I will join Michael in development for
the new OpenXPKI project (see http://www.openxpki.org).
In the OpenXPKI project I will continue to work on the Core system
(crypto stack, nCipher HSM support, Oracle DB support).
Other t
Hi,
> Have any of you ever seen this in the stderr.log ?
>
> Integer overflow in hexadecimal number at
> /usr/local/ca001_pki/modules/perl5/OpenCA/PKCS7.pm line 392.
nope. But I think the reason might be that a request you have been
processing was signed by a "rogue" certificate with a serial num
Hi Johnny,
> I'm trying to switch my openssl version to 0.9.8 to
> see if this affects positively in the solution of the
> problems I having with the nCipher.
personally I don't think it will help with your problem,
but it is of course worth a try.
(I hope I'll be able to perform some tests with
> Might it be possible to create a kind of "dependency" checker that will
> check for the existence (and perhaps version) of required perl Modules
> and outputs a list or bash script for cpan to fetch the missing modules ??
find src/modules/ -type f | xargs grep "^use " | sed -e 's/;$//' | awk '{
Hi,
> btw: is it possible to see/get those sscep improvements already somewhere?
yes, on CVS head, src/common/lib/cmds/scepPKIOperation
> i think u may talking about the batch processor ;)
> there we have/had some heavy requirements of high amount issuing of certs
> and speedproblems when it come
Hi,
> I see no problems to include both scripts and activate the new one if it
> behaves like the old one.
OK, so I'll improve the script to a point where the default configuration
results in exactly the same behaviour as the previous version.
>> I guess practically, but I haven't performed benc
Hi,
> so if I see this correctly the new scep script adds new functionality
> AND does everything it has done before - means it is a drop in
> replacement for the old script ?
umm, yes, if it is configured to work so, it will work just like
the old script.
BTW: an older version of this script has
Hi,
> I started a small discussion with Oli about our branch management but it
> is perhaps no good idea to make it more complicated. The idea was to
> introduce feature and minor release branches on the 0.9.2 branch. The
> problem is that this is perhaps too complicated for the most people.
>
> We
Hi,
>> The "automatic approval" mode implements a method for request approval
>> defined in later versions of the SCEP draft. Use this mode only if
>> you have met the prerequisites:
>>
>> - CVS head versions of OpenCA::OpenSSL and OpenCA::PKCS7 (will be
>> included in 0.9.2.3)
>
> Do you mean w
Hi,
> As SCEP is imho one of the most requested features in the near past, I
> think we should put it in head and perhaps even into branch, perhaps
> with a config switch to give the user the choice...
I decided to check it in in order to allow others to have a look at
it. It's available in CVS h
Hi,
I have a local and substantially improved variant of scepPKIOperation
that works quite well in my environment (including production use,
see bug #1080695).
Because the new code is somewhat slower than the existing code,
I don't want to check in this code in the openca_0_9_2 branch.
But as the
Hi,
if I instantiate an OpenCA::PKCS7 object in order to verify a signature,
the object can return a number of error codes that indicate that something
went wrong.
Now I *do* expect a certain error, "unsupported certificate purpose",
during verification(*), i. e. the key usage bit for Digital Sig
Hi,
> Following dates are available for discussion (all October 2005):
>
> Week 4 to 7 Oct. (Monday 3. is a german holiday, Octoberfest is until
> Monday, Bundesgartenschau is until 9. Oct, so you can have some fun :P )
> I would prefer NOT to make Friday the second day, so Tue/Wed or Wed/Thur
>
Hi,
I am trying to verify a PKCS#7 SignedData object using
OpenCA::OpenSSL::verify().
My problem is that the method requires the specification of DATA or
DATA_FILE and that it does not seem to support PKCS#7 that also
contain the data to be signed.
So from the current semantics I'd like to call t
Hi,
I was just browsing the bug database and to me it seems most major
issues have been addressed for the stable branch.
Some time ago Michael mentioned it might be time to tag the 0.9.2
branch and release 0.9.2.3, I think there are no serious show stoppers
right now for this. What do you think?
Hi,
>> Consequently, the certificate status should be set to REVOKED
>> immediately
>> after final approval in the RA, I think.
>>
> hmm, i don't know - a certificate isn't issued just because someone at
> the ra approved it - only the ca can do this - so for removal
>
> but removing may be conside
Hi,
> there is another problem with CRL. We have a state problem. If a CRR is
> approved then it is archived too because we need no CA cert for this
> operation. Should we remove the state archived or approved for CRRs? If
> we set the state of the certificate to the state REVOKED then the job is
Hi,
>> If you change the association of EXTERNAL_CA and INTERNAL_CA in the
>> table above, all previously created entries are changed implicitly.
>> Of course, this association *should* never be changed, an INTERNAL_CA
>> is not supposed to be "changing" to another EXTERNAL_CA.
>>
>> If we keep th
Hi,
I forgot:
>>> - introduce a new table, e. g. CA
>>> Purpose:
>>> - identification and reference of CA certificate for internal CAs
>>> - mapping between internal and external CAs
>>> Attributes:
>>> INTERNAL_CA: internal CA
>>> EXTERNAL_CA: external CA this CA belongs to
>>> CA_
Hi,
discussion split from the CRL serial thread:
>> Other thoughts:
>> We need some way to express certificate chains. An entry in the
>> CERTIFICATE table could include a reference to the issuer certificate
>> in the same table. Selfsigned certificates could point to themselves.
>> This also mea
Hi,
following up our discussion in the CRL serial thread:
>> - remove the CA_CERTIFICATE table
>> Reason: CA certificates are just ordinary certificates, see below
>
> Nice idea - usually the table only includes one certificate which means
> that there is a design bug.
And it's even not very u
Hi,
>> I'd prefer to have no holes in CRL serials, because it might be required
>> in certain environments that you are able to provide a complete track
>> of CRLs.
>> So I think we should consider extending the CRL table to include
>> a CRLNUMBER attribute (then possibly use max(crlnumber)+1 and
Hi,
> I'm working on the CRL generation of the CVS HEAD. Some mails sound like
> the most people think that we should include a CRL serial into the CRL
> by default which is no problem. Question, does it be important that the
> sequence of CRL serials has no holes?
>
> Any ideas and arguments are
Hi,
> The correct way of searching a CRR is REVOKE_CERTIFICATE_SERIAL and not
> REVOKE_CERTIFICATE_DN. Serials are much more robust.
>
>> Is there a preferred way to fix it? I'd volunteer to do it, but I
>> cannot assign the bug to me...
>
> Please use the serials of the certs. Subjects are nice b
> Hi,
>
> when rebuilding the index.txt file in the node interface, revoked
> certificates are marked with an incorrect revocation date in the
> index.txt files. This leads to incorrect data in CRLs.
>
> I found the cause for the bug, but I am not sure how to fix it (0.9.2):
don't bother, I found
Hi,
when rebuilding the index.txt file in the node interface, revoked
certificates are marked with an incorrect revocation date in the
index.txt files. This leads to incorrect data in CRLs.
I found the cause for the bug, but I am not sure how to fix it (0.9.2):
In common/lib/functions/crypto-uti
Hi,
> do you manage the patch for 0.9.2 and the fix of CVS HEAD?
yes, I'll do it, but not before end of this week. I am busy with
Johnny's problem... :-)
cu
Martin
Hi,
>> I am reading the comments of you both and try to understand - what's
>> about creating another conference call (either by phone or in an online
>> chat) and discuss a little bit on the topic ?
>> I think this will bring us a little bit further in a shorter time...
>
> happy either way.
>
> Do
Hi,
I'm back from vacation (and of course something went wrong in production
during my absence...)
As far as I can see we have had a race condition between two certificate
issuance operations.
Setting:
1 User A requested a certificate via a "Basic Request"
2 User B requested a certificate via a
Hi,
I am trying to fix Johnny's problem with long certificate issuance
duration when using the nCipher token module.
I have implemented a caching mechanism that stores a successful
infrastructure and key-online check of the HSM, but this is
basically useless because a new instance seems to be crea
Hi,
> Anyway I have a problem when it comes to the CA/RA Operator's certificates
> and KeyPairs. I would like not to use the HSM partition (i.e. generate the
> Key within the HSM) for RA/CA because due to configuration options, it
> could be impossible to export them. Therefore I need a way to use
one ourselves (haven't
done this yet).
cu
Martin
--
Cynops GmbH Dipl.-Ing. Martin Bartosch http://www.cynops.de
Kirchgasse 10c mobile: +49 (0)172 6614304 mail: [EMAIL PROTECTED]
61449 Steinbach/Ts. fon:+49 (0)6171 6981803 fax: +49 (0)6171 69
Hi Michael,
> I think you use a 0.9.2.x. If you use this then please look into
> src/common/lib/functions/initServer. There you must add it to the
> commands which have a different MIME type from text/html. You can search
> for sendContentType in this file to find the position.
great, thanks!
Ma
Hi,
as I do not have direct access to some of our PKI machines, I tried
to add a simple "Log file download" option that helps me identify
problems that arise in production. It's a quick hack, but it
would save me some time in the future.
I basically copied the behaviour from lib/cmds/send_cert*,
Hi Michael,
> I'm back :)
hope you had a great holiday!
> You can commit it for the 0.9.2 version but please don't commit it to
> the CVS HEAD release because the HEAD checks the query before it caches
> the query.
fixed in CVS 0.9.2 branch & closed bug.
Martin
-
Hi,
we were having DB problems when recreating the OpenSSL index.txt file,
Oracle would complain about "too many open cursors".
After looking at the code I found out that the DBI module caches
the STH handles for DB connections in a private array, but only the
last value of this array is actually
Hi,
I am way behind schedule with a web frontend prototype for the new CVS
version of OpenCA, but this also gave me time to think about the
architecture.
I have summarized my thoughts on the following Wiki page, I'd appreciate
comments on my ideas!
http://openca.cynops.de/openca/WebFrontend
che
Hi,
just for your information, I just checked in an updated nCipher Token
module that can access OpenSSL via dynamic engine support.
(OpenSSL 0.9.8 will remove static engine support, so for future
versions of OpenSSL this will be the way to go. One of the reasons
to use the new version might be is
Hi,
>> Does anybody know how to use engine support in 0.9.8? I did not
>> find anything useful in the docs or in the OpenSSL mailing list
>> archives.
with Michael's help and the OpenSC module I figured out how to
use the nCipher module with OpenSSL 0.9.8. For anyone with the
same problem here is
Hi,
>> RFC 2510 defines PKI Certificate Management Protocols. It can be used
>> for
>> developing software that update transparently user certificates before
>> their end of validity. PKI messages can be sent over FTP or HTTP.
>>
> I have read about this, but so far nobody has implemented this fo
Hi Michael,
> Better question - who knows how dynamic engine support works (0.9.7
> support the same stuff). Best resource: OpenCA::Token::OpenSC ;-D
OK, thanks - I'll try it on Monday...
>> However, with 0.9.8:
>> # /usr/local/openssl-snap/bin/openssl genrsa -engine chil 1024
>
> openssl genrs
Hi Chris,
> OK but I still need to start the openca server in order to get a socket
> (?). If I just run the CLI Client.pm (from OpenCA/UI/Shell) it asks me
> for a socket file, but I can only get a socket if I have started the
> OpenCA server using openca_start. This is true isn't it ?
yes, you
Hi,
I am currently struggling with setting up OpenSSL 0.9.8 (CVS head)
as CA token in OpenCA. (I need 0.9.8 because of the lately added
features that allow generation of Domain Controller certificates.)
I've successfully compiled OpenSSL but cannot enable engine support.
In particular I'd like to
Hi Chris,
> what does the error "unblessed reference" mean ? Any ideas ?
uh, sorry, I should have read your message a bit more thoroughly AND given
it second thought! :-)
OpenCA CVS head does NOT have a working frontend yet, the one included
does not work at all, hence the 'unblessed reference'
Hi,
> 71set_language ($self->{api}->get_required ('DEFAULT_LANGUAGE'));
looks like you have to add the DEFAULT_LANGUAGE setting to your
etc/servers/*.conf files.
In config.xml make sure that
default_language
C
or similar is set.
Check for
## General Section
## ===
UserI
This is a test to check if the mailing list is still processing mails.
Hi,
> I would like to add an HSM status indicator so my operators will know if
> the HSM has a logged in status or logged out status. I was wondering
> where in the code should I add this, would it be a good idea to add it to
> the genMenu command? or should I add it somewhere else?
a general "sta
Hi,
>> - use a VARCHAR() of at least 20 digit length for storing the
>> serial number
>
> How about 49 or 48 characters? We don't need varchar if we only support
> 20 numbers.
VARCHAR instead of CHAR also allows for shorter and easier to
read/process serials, e. g. '105' instead of
'
Hi Michael,
>> I also wondered about the NUMBER() data type (and used it in another
>> application for serial number storage as well).
>> I think NUMBER(31) is perfectly OK for storing cert serials:
>>
>> log_16 10^31 = 25.74
>>
>> So we can store 25 hexadecimal digit serial numbers in this data t
Hi,
> I was a little bit sceptical about the DBI fixes and therefore it take a
> little bit more time than usual to check the patch. I found some problems:
>
> Oracle: it support number(49) but only with a precision of 38 numbers
> IBM:it support numeric(49) but only with a precision of 31 num
Hi,
> I've submitted a bug id for the MD5/X509 cert collision reported by
> Lenstra, Wang and Weger.
> The PDF files is attached to the bug report.
>
> Using SHA instead of MD5 avoids the collision.
>
> Recommend we only use SHA to sign certs.
>
> any comments?
yes, see RFE 1012849.
Martin
--
Hi,
> Do we really need serial numbers of 20 octets? On the other hand, I
> still remember Billy saying: "640KB is plenty of RAM and we won't ever
> need more than that" :)
I'd say yes, because it makes OpenCA standard compliant. In addition,
"concealed" serial numbers (see RFE 1012849) would mak
Oops:
> C:
> #include "gmp.h"
> mpz_t t;
> mpz_init (t);
> mpz_set_str (t, "01234567890123456789", 0);
> mpz_out_str (stdout, 16, t);
this will interpret the string as octal (because of the 'autodetect'
base 0). Better:
> mpz_set_str (t, "01234567890123456789", 10);
or
> mpz_set_str (t, "1234567
Hi Michael,
[X509 serial number; converting long decimals to hex]
> Yes, but (char *) can handle it now.
>
>> If we change RETVAL to char *, does it mean that we shouldn't use
>> sprintf in crypto-utils.lib?
>
> The "problem" is that OpenSSL returns decimal encoded serial numbers. I
> use sprintf
Hi,
a User just noticed that an Underscore character is not part of the
LATIN1_LETTERS character class. I wondered if we should include it
there and probably elsewhere (LATIN1)?
Martin
Hi,
> I am thinking about the next code cleanup. We mixed table/objecttype and
> state together and called it datatype. I would like to see clean
> interfaces and therefore I want to see two options for this. The
> question now is, can we agree on this issue and if yes how we should
> name the two
Hi,
consider an incoming PKCS#10 request (doesn't matter if via web frontend
or via SCEP).
This request can contain one or more subjectAltName attributes.
OpenCA currently silently drops the SubjectAltNames from the
request. Depending on CA policy it may be desired to retain
the SubjectAltName(s)
Hi,
[XML stuff]
> I recommend to throw away this stuff and replace it by a simpler
> solution. The commands are always loaded. So why do we do not using
> them? I have the following idea:
>
> Example: OpenCA::Server::Command::insert_csr.pm
>
> $AC::operation = "csr insertion";
> $AC::owner = "REQUE
Hi Michael,
> I would like to implement a function sign_object. Everyone can sign a
> object to signal that he verified the object. This has nothing to do
> with the state APPROVED. This way of using signatures allows the old
> style management (only issuing certs from approved and signed requests
Hi,
> I think it is a good idea. I would like to see it be in the 0.9.2
> branch.
Me too...
> I have a local modification to this function where it will enforce the
> attribute type but not the value. For example I want my users to have a
> dn with this kind of structure DN: CN=someName, OU=some
Hi,
some time ago I added a feature to basic_csr that creates a PIN on
the OpenCA system and displays it to the user who has to enter
it for verification in the request form.
So far this works great, but some users complain about sometimes not
being able to get their requested certificates. Verif
Hi,
the function checkPkcs10_req in pkcs10_req performs some checks on the
DN of an incoming PKCS#10 request.
I would like to add an additional check that compares the keysize of
an incoming request against a configurable minimum keylength (in order
to prevent 512 Bit requests).
This would requi
Hi Oli,
> We have to set some fields on the request manually and want to automate
> this. The modifications are:
>
> Setting
> unstructuredName=ipsec-test.test.corp+unstructuredAddress=1.1.1.1,OU=...
>
> to
> unstructuredAddress=1.1.1.1,unstructuredName=ipsec-test.test.corp,OU=...
>
> So just crea
Hi Michael,
thanks for digging in... :-)
>> in our tests (0.9.2.1) we are experiencing some weird behaviour with
>> regard to expired certificates.
>> Sometimes the status displayed does not reflect the true certificate
>> status (e. g. cert is reported to be "Not expired" but in fact it is).
>
>
Hi Oli,
> I thought about the problems before posting - but I think that the
> status flag in the DB can not be used for such a time-critical or
> high-security application - you have a similar problem with just the
> "runtime" of a revoke action. I think that an application should verify
> the t
Hi Oli,
> My proposal:
> We agreed to implement a kind of "batch" daemon for background processes
> like CRL renewal that runs always. So I would prefer to implement a kind
> of "at-Job" Handling that sets the certificate state in the case of a
> "scheduled" state change (expiration). Otherwise yo
Hi,
in our tests (0.9.2.1) we are experiencing some weird behaviour with
regard to expired certificates.
Sometimes the status displayed does not reflect the true certificate
status (e. g. cert is reported to be "Not expired" but in fact it is).
After reading the corresponding code I am pretty sur
Hi,
> I posted this message on the users list, but I had no replies till
> now.
>
> If I have a Self-signed CA Certificate with a valid period of 365
> days.
>
> I know the procedure to renew user certificates but:
> how can I renew the CA-Certificate before the expiration
Hi,
quick update: I have a local version of scepPKIOperation that
implements a lot of the stuff I mentioned in the post and works
fine for me. It also includes some debugging code and I cleaned
it up a bit.
I won't commit it to CVS yet, because I am not yet done with it.
I attach the current vers
Hi Oli,
> Me too, as I think I was one of the guys who made this suggestion and I
> did some similar stuff in the past - I can contribute here or take the
> lead in that direction. As semester is over in 2 weeks my schedule is
> much more relaxed now.
I have started to give an experimental new fr
Hi,
in our test system I used the "Rebuild OpenSSL database and next serial
number" function to recreate the index.txt file.
After this was successfully performed, I noticed that the revocation date
in index.txt was destroyed, leading to erroneous CRLs:
Revoked Certificates:
Serial Number:
Hi Michael,
> BTW. I forget the guy from nCipher completely. I hope he is not totally
> frustrated.
whom did you forget - Andrew? If yes, maybe it's not too late to ask... :-)
Martin
Hi,
I'd like to discuss some extensions to the SCEP interface that I
am planning for our local environment that might be useful for
submission back to the project.
New SCEP requests are currently always inserted into the database
with a fixed role of "VPN_SERVER". In addition the RA is not set
fo
Hi Michael,
> I start porting the commands to the new OpenCA API. Before I port the
> functions for the initialization of a CA to the new API does it make
> sense to put the init stuff into the web interface? Does it be perhaps
> better to initialize the CA via the commandline (only with OpenCA an
Hi,
we just noticed that no "download" option is presented when displaying
a revoked certificate. Don't know if this is a bug, though.
The corresponding code (0.9.2 branch):
lib/cmds/viewCert, L205ff:
## download certs in different formats
if ( $allow->{SENDCERT} and
($dataType
Hi,
> I am currently working on a "High Availability Installation" of OpenCA...
sounds familiar... :-)
> Scenario: Two identical Server, both running Linux and OpenCA with
> identical config on both. MySQL Server with native replication
>
> Is it necessary to keep the disks in sync to run a
Hi,
during the past days I have been busy trying to get a command line
interface SCEP client to work with OpenCA.
I tried the current versions of sscep (C) and scepclient (Java).
(I did not try autoscep yet partly because I think it will suffer
from the same problems as sscep)
My question is: has
Hi Michael,
>> # Private methods
>> $self->{PRIVATE}->{bar} =
>> sub {
>>...
>> };
> This looks really ugly. Usually I use functions to give the code a
> better structure. If we use this way to define functions then we can
> forget about the function and simply write one big f
Hi Michael,
> Perl has no real object oriented features today. So it is not possible
> to declare private and public functions within the server.
first, it is common practice to begin functions that are meant to
be private with an underscore. A caller could, of course, call such
a function, but i