> Any ideas what's going wrong here?
No one can help me?
However, I download the source from sf, do a configure/make/make
install-online install-offline and set the company name in config.xml...
After "init.d/openca start" all I get is:
Starting OpenCA ... Bareword "ERR_USER_STATUS_UNKNOWN" not
Hi List,
I use debian 5 and openca from source.
After installing and doing a small initial setup (Organisation, User
PW, Database) and starting I get:
testca:/opt/openca/etc# ./init.d/openca start
Starting OpenCA ... Bareword "ERR_USER_STATUS_UNKNOWN" not allowed
while "strict subs" in use at
Regivaldo Gomes Costa wrote:
> Your tip solved the problem, but I had to convert from p12 to pem
> (with DES protect).
You can also download as PEM using the SSLeay or pkcs8 option instead of PKCS12.
> OpenVPN does not read keys in p12 format.
Though...
Regards
Ralf
---
spea wrote:
> Import Server Certificates:
> no idea :-(
You can import a previously created backup from your old CA.
See:
http://mm.cs.dartmouth.edu/wiki/index.php/How_to_upgrade
I miss my patch that fixes LOA and its policy extensions, which I supplied one
year ago:
http://www.mail-archive.com/openca-de...@lists.sourceforge.net/msg02984.html
Does this mean that it hasn't been committed yet?
John A. Sullivan III wrote:
> On Tue, 2010-01-05 at 00:34 +0100, Marco Carcano w
David O'Callaghan wrote:
> This might be a silly answer, but are you sure you modified the right file?
>
> For example, on my system (based on OpenCA 1.x) if I want to alter the
> "days" parameter for the Web Server certificate profile I would need to
> edit /opt/openca/etc/openca/openssl/openssl
Hi,
I want to implement the ability to generate PKCS12 files using CSV based
CSR generation:
Name,email,role,loa,pin
--
Ralf Hornik,r...@domain.org,User,1,ba11aba||a
...
---
Then generate the requests as adv
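An added example of the validation and subject construction a CSV-driven request generator of this kind should do before it shells out to `openssl req`. This is not OpenCA code and not the poster's implementation; the base DN, the role set, the LOA set and the PIN length policy are assumptions, and the sample CSV is constructed (its first data row mirrors the one in the message above). The point a practitioner wants here is that field values go into `-subj`, so a name containing `/`, `+`, `=` or `\` must be escaped or a crafted row can smuggle extra RDNs into the request:

```python
import csv
import io
import re

# Assumed CA-wide subject prefix, OpenCA role names and LOA values; adjust to your CA.
BASE_DN = [("C", "DE"), ("O", "Example Org")]
ROLES = {"User", "RA Operator", "Web Server"}
LOAS = {"1", "2", "3"}
COLUMNS = ("Name", "email", "role", "loa", "pin")


def escape_rdn_value(value):
    """Escape the characters OpenSSL's '-subj /type=value/...' form treats specially.

    Without this a name such as 'A/B Test' is split into a bogus second RDN, and a
    crafted CSV row could inject attributes into the request subject.
    """
    return re.sub(r"([/+=\\])", r"\\\1", value)


def rows_to_requests(csv_text, min_pin_len=8):
    """Validate each CSV row and return the parameters for one 'openssl req' call per row.

    Each result carries the RDN list, the ready-to-use -subj argument, the role, the
    LOA and the PIN (intended for -passout on the PKCS#12 export). A bad row raises
    ValueError so that a half-validated batch is never handed to the CA.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    missing = [c for c in COLUMNS if c not in (reader.fieldnames or [])]
    if missing:
        raise ValueError("CSV header lacks column(s): %s" % ", ".join(missing))
    requests = []
    for lineno, row in enumerate(reader, start=2):        # header is line 1
        name, email, role, loa, pin = ((row[c] or "").strip() for c in COLUMNS)
        if not name:
            raise ValueError("line %d: empty Name" % lineno)
        if not re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", email):
            raise ValueError("line %d: malformed email %r" % (lineno, email))
        if role not in ROLES:
            raise ValueError("line %d: unknown role %r" % (lineno, role))
        if loa not in LOAS:
            raise ValueError("line %d: unknown LOA %r" % (lineno, loa))
        if len(pin) < min_pin_len:
            raise ValueError("line %d: PIN shorter than %d characters" % (lineno, min_pin_len))
        rdns = BASE_DN + [("CN", name), ("emailAddress", email)]
        subj = "".join("/%s=%s" % (t, escape_rdn_value(v)) for t, v in rdns)
        requests.append({"rdns": rdns, "subj_arg": subj, "role": role, "loa": loa, "pin": pin})
    return requests


# Constructed sample input; the second row shows why escaping is needed.
SAMPLE_CSV = (
    "Name,email,role,loa,pin\n"
    "Ralf Hornik,ralf@example.org,User,1,ba11aba||a\n"
    "A/B Test,ab@example.org,Web Server,2,longenough1\n"
)

if __name__ == "__main__":
    for req in rows_to_requests(SAMPLE_CSV):
        print(req["subj_arg"], req["role"], req["loa"])
```

The returned `subj_arg` is what you pass to `openssl req -new -subj ...`; the PIN should reach `openssl pkcs12 -passout` via a file or environment variable rather than the command line, where it would be visible in the process list.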
Hi
Samuel Rios Carvalho wrote:
>
> select status,dn,date(notafter),time(notafter) from certificate
> where status = 'EXPIRED';
>
> So cmdlistCerts doesn't seem to do the correct query.
> I will try to fix that on this weekend.
>
You can download the fixed version of OpenCA::DBI.p
Samuel Rios Carvalho wrote:
> I think that in status like should be REVOKED, but I don't know where I can
> change it.
The database shows EXPIRED in the status field of certificate:
select status,dn,date(notafter),time(notafter) from certificate where
status = 'EXPIRED';
So cmdlistCerts does
blain...@gdls.com wrote:
> My problem now is my root certificate LDAP CDP does not include the email
> address and I cannot reissue a new one. Any magic within LDAP I can do?
It depends on the SSL app. Some apps use subsearch and some do not for
retrieving CRLs. Subsearch is also not recommended b
blain...@gdls.com wrote:
>
> ldap://host/cn=Root CA,ou=Trustcenter,dc=domain,dc=com
Is this the full DN or is there an emailAddress too?
Some applications need the full DN to find the CRL:
ldap://host/emailAddress=r...@domain.com, cn=Root
CA,ou=Trustcenter,dc=domain,dc=com
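An added example, not OpenCA code, for the two messages above about the LDAP CRL Distribution Point: it parses an ldap:// CDP URL with the RFC 4516 syntax (host, DN, attributes, scope) and classifies whether a client doing a plain base-scope read on the URL's DN can find the CA entry, or whether only a client that searches the subtree ("subsearch") will succeed because the CDP omits the leading emailAddress RDN. The issuer DNs in the usage are constructed, and the DN comparison is a simple normalised string match, not full X.500 matching:

```python
from urllib.parse import urlsplit, unquote

DEFAULT_ATTRS = ["certificateRevocationList;binary"]   # attribute most CRL fetchers request


def normalise_dn(dn):
    """Split 'emailAddress=a@b, cn=Root CA,dc=x' into [(type, value), ...] with
    lower-cased types and surrounding whitespace removed. Values are compared as is;
    full X.500 matching rules are out of scope for this check."""
    rdns = []
    for rdn in dn.split(","):
        attr, sep, value = rdn.strip().partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % rdn)
        rdns.append((attr.strip().lower(), value.strip()))
    return rdns


def parse_ldap_cdp(url):
    """Parse an LDAP CRL Distribution Point URL,
    ldap://host[:port]/dn[?attributes[?scope[?filter]]] (RFC 4516),
    into (host, dn, attributes, scope). Scope defaults to 'base' as in the RFC."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ("ldap", "ldaps"):
        raise ValueError("not an LDAP URL: %r" % url)
    dn = unquote(parts.path[1:] if parts.path.startswith("/") else parts.path)
    fields = parts.query.split("?") if parts.query else []
    attrs = fields[0].split(",") if fields and fields[0] else DEFAULT_ATTRS
    scope = fields[1].lower() if len(fields) > 1 and fields[1] else "base"
    return parts.netloc, dn, attrs, scope


def cdp_lookup_mode(url, issuer_dn):
    """Classify how a client can locate issuer_dn's CRL entry through this CDP.

    'exact'     - the URL DN is the issuer DN: a base-scope read works in every client
    'subsearch' - the URL DN is an ancestor of the issuer DN (e.g. the emailAddress RDN
                  is missing): only clients that search the subtree find the entry
    'mismatch'  - the URL DN is neither
    """
    _, dn, _, _ = parse_ldap_cdp(url)
    want = normalise_dn(issuer_dn)
    have = normalise_dn(dn)
    if want == have:
        return "exact"
    if 0 < len(have) < len(want) and want[len(want) - len(have):] == have:
        return "subsearch"
    return "mismatch"


if __name__ == "__main__":
    # Constructed issuer DN modelled on the thread; the first CDP lacks emailAddress.
    issuer = "emailAddress=ca@domain.com,cn=Root CA,ou=Trustcenter,dc=domain,dc=com"
    for cdp in ("ldap://host/cn=Root CA,ou=Trustcenter,dc=domain,dc=com",
                "ldap://host/emailAddress=ca@domain.com, cn=Root CA,ou=Trustcenter,dc=domain,dc=com"):
        print(cdp_lookup_mode(cdp, issuer), cdp)
```

Run it against the CDP URL printed by `openssl x509 -noout -text` and the DN the CA entry actually has in the directory; a "subsearch" result explains why some relying applications fetch the CRL and others report a validation failure.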
Hi Max,
Massimiliano Pala wrote:
> AFAIK, the upgrade should work.
Thank you for the quick answer. So I will try that and give a short
conclusion if necessary.
Regards
Ralf
Dear list,
Does anybody have experience upgrading OpenCA 0.8 to 0.9 or 1.0? Are
there any issues?
I plan to do it as in
http://mm.cs.dartmouth.edu/wiki/index.php/How_to_upgrade but I'm not
sure if that also works for 0.8.x.
If anybody encountered problems or went another way, please give me f
Have you tried to make the backup using the node interface?
Yildirim Zaynal wrote:
> I would also do that if possible. But its a production machine, and need to
> keep the old database and continue on that.
>
> 2009/10/29
>
>>
>> I would recommend a clean install.
>>
>>
>>
>> -
Hi,
When your HSM has an OpenSSL engine, you can attach the HSM in
tokens.xml like the OpenSC token. Look for OpenSC in tokens.xml and create
a similar entry for your HSM.
Regards
Ralf
Allen Liu wrote:
> No, it's not.
>
> OpenSSL ENGINE is a loadable module for talking to HSM (hardware Secu
Hi,
I also wrote a couple of patches to improve the usability.
One patch adds a role for an OCSP responder including its extension.
Another changes the cert retrieval by changing the link in the emails
and changes "get requested certificate" to point the search engine
to the cert details
Fu-Jyh Luo wrote:
> I don't see "PKI Init & Config / Initialization / DB, Key and Cert Init"
> It redirect to https://
> pki.mycompany.com/cgi-bin/pki/ca/ca?cmd=getStaticPage&name=homePage
>
> Do I need to add something in the httpd.conf file?
Which browser are you using? IE6 does not work properly
Mike Wiseman wrote:
> You're right. I guess what this boils down to is I don't know how to
> create a CSR that contains an email address that can be inserted
> into SAN at cert issue time (other than how I've done it). Do you
> have a suggestion?
I think this might work, but I haven't test
Mike Wiseman wrote:
Subj = CA=CA\...\emailAddress=my_email_address
The issued cert has:
Subj = CA=CA\...(no email address field)
So sscep fails to pick up the cert because of the difference.
Normally, the name of the certificate /should/ not differ from its
CSR. That is why sscep fa
Mike Wiseman wrote:
> I can do this by including "email=my_email_address" in the DN of the CSR,
Try "emailAddress=my_email_address"
Ralf
Yildirim Zaynal wrote:
> trying to start the openca 1.0.2. i get this error:
> Starting OpenCA ... Logging is not initialized.
> Configuration error: Missing Configuration Keyword : CgiCmdsPath
CgiCmdsPath is actually set in node.conf(.template).
Please post how you installed openca (configure
Yildirim Zaynal wrote:
> Would it be worth to try to upgrade to 1.0.2? how would it comply with
> the current database used by 0.9.2.5? it just seems like to much
> work..
Upgrading to 1.0.2 fixes a lot of configuration issues. Additionally,
more features like stronger encryption, CRL extensio
Yildirim Zaynal wrote:
> What I would like to have is automatic email notification to the
> users or administrator that a specific certificate is going to
> expire within 1 month etc
With OpenCA 0.9.x it's better to write your own application that warns
about expiring certificates. This can then be sta
Yildirim Zaynal wrote:
> I cannot compile openca in ubuntu 8.10 I get errors of missing files,
> make error:
> http://pastebin.com/m57ea5049
Seems like your ssl headers are missing.
Please install them:
# apt-get install libssl-dev
Ralf
-
Ralf Hornik Mailings wrote:
> Have you built the openca packages under 8.10, or did you upgrade from
> 8.04. (Hint: perl changed from 8.8 to 8.10).
> If upgraded, please recompile/install the openca modules.
...and then, please let the list know, if this solved your problem.
As we
Yildirim Zaynal wrote:
> Installing OpenCa 1.0.2 binary for ubuntu 8.10 works fine, except for
> some perl related modules. example:
>
> z...@tengritag:/opt/openca/bin$ ./openca-digest
> /usr/bin/perl: symbol lookup error:
> /opt/openca/lib/openca/perl_modules/perl5/i486-linux-gnu-thread-multi/au
Can anybody reproduce this? I really need these extensions; I cannot
issue certificates without them!
:-(
Ralf Hornik Mailings wrote:
> Hi List,
>
> as I figured out, all of my new certificates issued by OpenCA 1.0.2
> have neither, policy extension (OID's), nor the CPS e
Hi list,
when I create a subCA with OpenCA the (sub)CA certificate is shown as CA
certificate correctly, but when I click on it the web interface tells
me that it is not in the certificate table.
Even more confusing: when I issue an end user certificate by this subCA
with the same serial. The
However, all works fine when I use one key for CA, BP, Key_Backup and
LOG, so I think there is a problem when using different keys.
Can somebody reproduce this, or give me a hint, what I should try next?
Ralf
"Ralf Hornik Mailings" schreibte:
> Dear list,
>
> I want to
lampa wrote:
> I want to know the process of renewing the certificate. I want to
> understand not only the operation of the RA operator and users, but
> also how OpenCA deals with the request.
OpenCA simply creates a copy of the archived request with a new serial
number. However, this brea
Dear list,
I want to learn something about the BP module, so I read the (a little
too) short explanation in the OpenCA documentation.
However, I found some more information via Google but I cannot put it
together usefully...
1. I created a separate bp/log/backup_key since my cakey is located on
a
Hi List,
an easy way to upgrade (worked for me):
1. make a backup using openca backup tool from your old ca
2. backup cacert.pem and cacrl.pem, cakey and openssl extfiles (if modified)
3. make a fresh install of OpenCA 1.x
3a. create new databases if needed
4. configure the openca 1.x installation
Samuel Rios Carvalho wrote:
Please, send us the complete file
Attached is the modified viewCRR.
I removed the "\r\n" at the end of line 116 and added it at the
beginning of "USER_CRR" at line 117.
Also I removed the "\r\n" at the end of line 117.
I think this could cause trouble as well...
R
> Massimiliano Pala wrote:
>> Please let me know if this works...
Finally I got it!
Max, your idea with the newline was correct, but in the wrong location.
The data to be signed are evaluated in viewCRR, and that is where it has to be changed.
Here is the corresponding diff:
--- viewCRR.orig20
Hi Max,
Massimiliano Pala wrote:
> Please let me know if this works...
Unfortunately not. :-(
I changed the file and restarted openca. But the error is still the same
with IE7 and Firefox 3
What browser(s) have you tested? With Mozilla 1.x it works since 0.9.0.2
(or before may be...)
Thanks a
Hi,
Currently, there is no way to sign CRRs (except with Mozilla 1.x).
When signing CRRs with IE[4567] the message is:
Cannot build PKCS#7-object from extracted signature!
OpenCA::PKCS7 returns errorcode 7911031 (OpenCA::PKCS7->new: Cannot
initialize signature (7912021). OpenCA::PKCS7->initSignature:
Hi Folks,
works for me now...
Thanks
Ralf
"Massimiliano Pala" <[EMAIL PROTECTED]> schreibte:
> Hi Guys,
>
> I found the error --- it was in the approveCSR command -> the update
> dataType was wrongly set to "RENEW_APPROVED" instead of "APPROVED_REQUEST".
>
> I attach the new version of the comm
Hi Max,
Massimiliano Pala wrote:
> Hi Ralf,
>
> with IE you need an extension because there is no support for IE
> to sign a PKCS#7 file. For Firefox/Mozilla you should:
I have installed the extension:
http://www.microsoft.com/downloads/details.aspx?FamilyID=860EE43A-A843-462F-ABB5-FF88EA5896F6
Now I am still stuck at the same place. I suppose this is a common issue...?
openca-sv is located inside the openca_prefix and correctly placed in
node.conf(.template).
Is anyone able to sign CSR/CRR with IE or Firefox yet on openca 1.0.2?
"Mark E." <[EMAIL PROTECTED]> schreibte:
>
> Hi Max,
Hi Max,
"Massimiliano Pala" <[EMAIL PROTECTED]> schreibte:
> and change the line:
>
> MENU_FILE = ${node_prefix}-menu.xml
>
> to:
>
> MENU_FILE = node-menu.xml
>
> This should fix your problem.
Thank you, but the problem persists. configure_etc.sh breaks because:
Error wh
Dear List,
I get an error while "make install-offline":
+ /usr/bin/install -c -o root -g www-data -m 640 ca-node-menu.xml
/opt/openca-off/openca/etc/menus/ca-node-menu.xml.template
/usr/bin/install: cannot stat `ca-node-menu.xml': No such file or directory
My configure args are:
./configure
!!
Regards
Ralf
> Ralf Hornik Mailings wrote:
> Addendum:
>
> the public_key fields are both the same (old cert and new). Only the
> private key differs but is encrypted.
>
> However, the private key from the expired cert I can decrypt using my
> known PIN, but the new o
one, because I did
not generate a completely new keypair. I used the old request for the new
certificate.
> Ralf Hornik Mailings wrote:
> Hi,
>
> after my RA (Registration Authority Administrator) certificate has been
> expired, I tried to renew it. Now, I cannot download the new R
Hi,
after my RA (Registration Authority Administrator) certificate had
expired, I tried to renew it. Now, I cannot download the new RA
certificate using the known PIN.
In the Mysql database, the keys from the old cert and new are different.
Shouldn't they be equal?
Same happened with the CA
Hi Nicolas,
> Nicolas MASSÉ wrote:
>> But my question is now: How can I revoke such a certificate without
>> knowing the CRIN code?
Certificates can be revoked without CRIN at the RA interface directly,
e.g. by calling the RA administrator to revoke it, or by connecting
yourself if possible.
> If I r
Hi,
> Matthias Alsmann wrote:
> Furthermore, the only thing I can do is to change the language of the
> ra node interface. Other actions like Administration -> Server Init
> also fail with exact the same error.
The error occurs in AC.pm while compiling getAccess(), so it is a
role-based ac
Hi,
> Matthias Alsmann wrote:
> I can export and import data, but after the first restart of
> openca I get this problem.
Where do you export/import the data? Do you use a floppy, or some other
removable disks?
Have you left the role-based access control unchanged? (I assume yes.)
When using a
Good morning,
> Massimiliano Pala wrote:
>> certificate and in the ca cert (outlook or exchange owa e.g. gives a
>> failure while checking the crl).
>
> Is this due to the presence of the CDP (CRL Distribution Point) in both
> the CA and EE (End Entity) certificates ? What happens if you have the
> Zaki Akhmad wrote:
> I cannot find the "certificate and keypair" option.
The "keypair option" is only available if the key is generated on the
OpenCA server. Normally, a browser key is generated in the browser's
crypto store, e.g. Mozilla's "software security device" or IE's "private
certificate
> Zaki Akhmad wrote:
> Finally, I succeeded in encrypting my email using a digital certificate. So
> the trick is that we need the recipient's certificate. I added "other
> people's certificate" to my Thunderbird.
Another way is using LDAP as an address book (maybe OpenCA with LDAP). If
there is a deposited ce
Hi,
> Zaki Akhmad wrote:
> Then, I want to ask how to make our certificate which is issued by my
> own CA (using OpenCA, of course) trusted? For example trusted by
> Firefox, and Thunderbird.
Have you installed the root certificate from your CA and trusted it
explicitly in Firefox/Mozilla?
Ralf
> Zaki Akhmad wrote:
> Hi Ralf, thank you for your reply. I've done this, and it works at
> https protocol. Is it what I've done, didn't encrypt the message?
> Because the keylength is set to zero?
No. The keylength isn't set to zero. During the SSL handshake some tasks
are done... RSA authenticat
> Ralf Hornik Mailings wrote:
> There are exactly the same environment variables exported.
Sorry, I found an old document. Newer versions of mod_ssl have other
environment variables.
Apache-ssl: HTTPS_SECRETKEYSIZE
Mod_ssl: SSL_CIPHER_USEKEYSIZE
The easiest way to solve this problem is
> Zaki Akhmad wrote:
> But when I'm changing the access_control/*.template to
> protocol = ssl
> symmetric_keylenghth = 128
>
> The Error 6251043, General Error Aborting connection - you are using a
> too short symmetric keylength (), shows up.
Does your apache configtest complain about an unknown
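An added example, not OpenCA code, for the two messages above about the "too short symmetric keylength ()" error: it emulates an access-control rule that reads the negotiated cipher's key size from the web server environment, trying both the mod_ssl name (SSL_CIPHER_USEKEYSIZE, which mod_ssl only exports with `SSLOptions +StdEnvVars`) and the older Apache-SSL name (HTTPS_SECRETKEYSIZE). The empty parentheses in the original message are what you get when the configured variable name does not match the server, so the value is blank rather than small; the environments passed in the usage are constructed:

```python
# Variable names by which the two servers publish the session key size, in the
# order a check should try them: mod_ssl first, then the legacy Apache-SSL name.
KEYSIZE_VARS = ("SSL_CIPHER_USEKEYSIZE", "HTTPS_SECRETKEYSIZE")


def negotiated_keysize(env):
    """Return (bits, variable_name) from the first variable holding a number,
    or (None, None) when the server exported neither."""
    for name in KEYSIZE_VARS:
        value = env.get(name, "").strip()
        if value.isdigit():
            return int(value), name
    return None, None


def check_symmetric_keylength(env, minimum_bits=128):
    """Decide an access-control rule 'protocol = ssl, symmetric_keylength = N'.

    Returns (ok, message). A missing variable is reported separately from a weak
    cipher, because the two have different fixes: enabling StdEnvVars (or using
    the right variable name) versus tightening SSLCipherSuite.
    """
    bits, source = negotiated_keysize(env)
    if bits is None:
        return False, ("too short symmetric keylength (): neither %s is set; "
                       "enable 'SSLOptions +StdEnvVars' or fix the variable name"
                       % " nor ".join(KEYSIZE_VARS))
    if bits < minimum_bits:
        return False, "too short symmetric keylength (%d < %d) from %s" % (bits, minimum_bits, source)
    return True, "%d-bit session key via %s" % (bits, source)


if __name__ == "__main__":
    # Constructed environments: mod_ssl with StdEnvVars, Apache-SSL with a weak
    # cipher, and a mod_ssl server without StdEnvVars (the case in the thread).
    for env in ({"SSL_CIPHER_USEKEYSIZE": "256"},
                {"HTTPS_SECRETKEYSIZE": "56"},
                {"SSL_PROTOCOL": "TLSv1"}):
        print(check_symmetric_keylength(env))
```

On a live server the dictionary to pass is `os.environ` of the CGI process; if the third case is what you see, `apachectl configtest` will not complain, because nothing is misspelled, the variable is simply not exported.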
Hi,
> Guillaume Tamboise wrote:
For encryption & authentication:
> Basically anything that accepts X509 certificates: IPSec Virtual Private
> Networks (VPN), SSL VPN, Kerberos (for instance, Active Directory),
> S/MIME (encrypted email), EAP (802.1x, i.e. authenticated LAN / wireless
> LAN), SMTP
> James Lever wrote:
> DN_TYPE_SPKAC_BASE
> DN_TYPE_SPKAC_ELEMENTS
> DN_TYPE_SPKAC_NAME "Basic User Request"
That worked for me. Thank you very much!
Bye
Ralf
Hi List,
I have a lot of requests to sign with my CA. But I cannot submit them
because the organisational name (O=) is different from the organisational
name of my CA.
Can I disable this in an easy way, so that I can use these requests?
Thanks and best regards
Ralf
---
Hi,
> Dmitrij Mironov wrote:
>This extension MUST appear in certificates that contain public keys
>that are used to validate digital signatures on other public key
>certificates or CRLs. When this extension appears, it SHOULD be
>marked critical.
It MUST appear but it SHOULD be
Dear itboi,
Sorry, but you definitely have no idea what you are doing. I am asking
myself why you want to install OpenCA when you don't know what it is.
You don't know about SSL and certificate validation, but this is one of
the main purposes of OpenCA -> certificate validation
I recommend
Hi,
> Ralf Hornik Mailings wrote:
>
> does anybody read the list who develops or works with openca?
>
>> when I want to approve a CSR with digital signing using Internet
>> Explorer
>> 6 it works well but when I do the same with an CRR (same signing
>
Hello,
does anybody read the list who develops or works with openca?
> Ralf Hornik Mailings wrote:
> when I want to approve a CSR with digital signing using Internet Explorer
> 6 it works well but when I do the same with an CRR (same signing
> certificate)I get the following:
>
Hi,
when I want to approve a CSR with digital signing using Internet Explorer
6 it works well, but when I do the same with a CRR (same signing
certificate) I get the following:
Error 6206
General Error Cannot build PKCS#7-object from extracted signature!
OpenCA::PKCS7 returns errorcode 7911031 (Op
Hi Nicolas,
> Nicolas MASSE wrote:
> It seems that OpenCA added serialNumber=20 to the cert's DN and SSCEP
> seems confused by that.
You are right. The Subject DN in the certificate MUST match the Subject DN
of the request.
The serial number is added by signing a request, and that's why the sce
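An added example, not OpenCA or sscep code, covering both this thread (OpenCA appending serialNumber=20 to the subject) and the earlier one from Mike Wiseman (the emailAddress from the CSR missing in the issued certificate): a SCEP client picks the issued certificate out of the CA's response by matching its subject against the request, so any RDN the CA adds or drops makes the enrollment fail even though the certificate itself is valid. The function below parses OpenSSL's one-line subject form and reports exactly which RDNs differ. The alias table (mapping spellings such as `email=` to `emailAddress`) and the decision to ignore RDN order are assumptions for illustration; the subjects in the usage are constructed:

```python
import re
from collections import Counter

# Assumed alias table: attribute spellings seen in requests, mapped to the name
# OpenSSL prints in the issued certificate. Extend it for your own CA's habits.
ALIASES = {"email": "emailAddress", "e": "emailAddress", "emailaddress": "emailAddress"}

_RDN_SPLIT = re.compile(r"(?<!\\)/")      # split on '/' unless it is backslash-escaped


def parse_subject(dn):
    """Parse OpenSSL's one-line subject ('/C=CA/O=Ex/CN=host/email=a@b') into
    a list of (type, value) pairs, with attribute types normalised via ALIASES."""
    rdns = []
    for part in _RDN_SPLIT.split(dn.strip()):
        if not part:
            continue
        attr, sep, value = part.partition("=")
        if not sep:
            raise ValueError("RDN without '=': %r" % part)
        attr = attr.strip()
        attr = ALIASES.get(attr.lower(), attr)
        rdns.append((attr, value.replace("\\/", "/").strip()))
    return rdns


def explain_mismatch(csr_subject, cert_subject):
    """Return the RDNs the CA added to and dropped from the request subject.

    RDNs are compared as a multiset, so multi-valued attributes (several OU=) are
    handled and attribute order is ignored (an assumption; a strict client may
    also insist on identical order).
    """
    req = Counter(parse_subject(csr_subject))
    got = Counter(parse_subject(cert_subject))
    return {"added": sorted((got - req).elements()),
            "dropped": sorted((req - got).elements())}


def subjects_match(csr_subject, cert_subject):
    """True when a client comparing request and certificate subjects accepts the pair."""
    diff = explain_mismatch(csr_subject, cert_subject)
    return not diff["added"] and not diff["dropped"]


if __name__ == "__main__":
    # Constructed inputs modelled on the two threads: emailAddress dropped, serialNumber added.
    print(explain_mismatch("/C=CA/O=Ex/CN=host/email=me@example.org", "/C=CA/O=Ex/CN=host"))
    print(explain_mismatch("/C=FR/CN=router", "/C=FR/CN=router/serialNumber=20"))
```

Feed it the output of `openssl req -noout -subject` and `openssl x509 -noout -subject` (both print the one-line form) to see, before blaming the client, which side of the exchange changed the name.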
Hi,
> Nicolas MASSE wrote:
> I do not have this command (OpenCA v0.9.2.5) although I did the "make
> install-scep".
You need openca-scep, otherwise SCEP will not work when you try to enroll
a cert.
You can post-install it by going to $OPENCA_SRC_DIR/src/scep and doing a
configure (like you configur
Hi,
> Nicolas MASSE wrote:
> I always have the same error :
> Error 723705 General Error Cannot extract the transaction ID from the
> SCEP message!
Please copy the P7 message generated by your SCEP client to the RA machine
by hand and try to print out the transaction ID using:
/usr/local/openca/bin/op
nfiguration Keyword :
$name\n";
configError( i18nGettext ("Missing Configuration Keyword :
__KEY__", "__KEY__", $name) );
}
if there is a configuration error. Please test it. It works for me.
HTH and a nice Weekend
Ralf
Ralf Hornik Mailings wrote:
> D
Hi,
What Perl version have you installed? I remember some strange problems
with version 5.8.5. I use 5.8.6.
Is your config.xml syntactically correct? Please parse it using this small
script:
#!/usr/bin/perl
use strict;
use XML::Parser;
my $file = $ARGV[0] or die "usage: $0 config.xml\n";
XML::Parser->new->parsefile($file);   # dies with line/column if the XML is not well-formed
print "$file is well-formed\n";
much time and nerves. ;-)
However, after fixing this and reading the other SCEP-related mails, SCEP
works now. And I did not have to make the scep directive separately. I think in
OpenCA 0.9.2.5 this issue has been removed.
Thanks
Ralf
> Ralf Hornik Mailings wrote:
> Hi Martin,
>
> Both d
Hi Martin,
Both debugging flags are enabled; there is no other output.
However, the openca-scep commands work when I run them manually from the
shell.
I think the problem is in the web interface.
Regards
Ralf
> Martin Bartosch wrote:
> Hi,
>
>> The exact error output with debugging enabled
Hi,
Yes, I did what Pete recommended, and openca-scep is present as
before.
The exact error output with debugging enabled is:
initServer: BrowserSupportedLanguage(s) []
initServer: BrowserSupportedCharset(s) []
initServer: setLanguage: setEncoding for log return utf-8
initServer: setLan
OA Support ] =
## USE_LOAS takes either YES or NO
USE_LOAS "yes"
## [ SCEP Section ] ==
## It is just an example, you should change the 03.pem and/or
## the path pointing to the right key/cert pair
ScepRACert
Dear list,
I try to work with sscep (OpenBSD) and can successfully download the
CA certificate using SCEP.
But when I try to enroll a certificate (sscep enroll -f /etc/sscep.conf -c
ca.crt -r local.csr) it fails and stderr.log shows:
OpenCA: General error trapped 700: The compilation of the comm
Hi *,
Can anybody help me add a special userNotice to different kinds of
policies?
As an example, for LOA=Test I would like to do something like:
---
certificatePolicies=ia5org, @policy_test
[ policy_test ]
policyIdentifier=1.2.3.3.4
CPS.1 = "http://www.ca.org/cps"
userNotic
Hi *,
yesterday I wrote this email, but it seems that it hasn't reached
the list. So I'll try it again.
Can anybody help me add a special userNotice to different kinds of
policies?
As an example, for LOA=Test I would like to do something like:
---
certificatePolicies=ia5org, @policy_test
74 matches