Hi Shakeel,

I don't exactly understand your question, but perhaps this is what you
are looking for:
Yes, you just have to install OpenCA and configure your Apache because
the whole OpenCA PKI is managed over web interfaces.
OpenCA itself is a CA (with RA, public interface, SCEP interface and
more...) and by installing, for example, one server with the CA part of
OpenCA and one server with the RA and public part of OpenCA, you
get a PKI.
There are a lot of possibilities where you can use certificates
created by this PKI, for example to secure protocols like HTTP with
SSL / TLS, you can authenticate IPsec connections by certificates,
encrypt and decrypt mails, sign mails, ...

Hope this helped you a little bit.
Kind regards,

Matthias

On 7/9/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> Hi Mathias
> I really appreciate your detailed email. It is helpful for me. I have some
> basic knowledge of PKI. I have one question: how can OpenCA help in PKI? I
> mean, does it provide all corresponding functions, just install and play with?
> I mean, should I activate httpd and install OpenCA somewhere in the Apache
> server,
> or build my own connection and develop my own secure protocol?
> Thanks again
> shakeel
> --
> Shakeel Ahmad
>
> "Donate the Money to Earthquake Victims.
> The average income in Pakistan is about 50$ per month.
> It means you can give average life for only  50$ PM."
>
>
>
> Quoting Matthias Alsmann <[EMAIL PROTECTED]>:
>
> > Hi,
> > first of all you should have lots of time to read through some books /
> > internet pages / ...
> > When I started with my PKI I ran over the "OpenSource PKI Book", but I
> > did not read it because I already had some knowledge at that time, but
> > perhaps it will help you:
> > http://ospkibook.sourceforge.net/
> >
> > Furthermore I would recommend to get some knowledge about the following
> > topics:
> > - hashing algorithms
> > - symmetric encryption / asymmetric = public-private-key encryption
> > - What are certificates? what is x509v3 ? difference of PGP to x509v3
> > certificates
> > - How can I check the validity of a certificate? How can I trust in a
> > certificate / CA? How can I check the integrity of a certificate? CRL
> > vs. OCSP
> > - some knowledge about crypto analysis could also be helpful if you
> > have to decide which hashing and encryption algorithms to use (e.g.
> > known attacks on MD5, importance of the key length, ...)
> > - you should also be familiar with Linux and Perl if you want to dig a
> > little bit deeper into OpenCA
> > - ...
> >
> > I used a very good book to get a lot of that knowledge but it is in
> > German and I don't know if it is available in other languages:
> > Wohlmacher, Petra: Digitale Signaturen und Sicherheitsinfrastrukturen
> > - Grundlagen, Sicherheitsaspekte, Realisierungen, Anwendungen;
> > Höhenkirchen: TT Verlag für Informationstechnik GmbH, 2001; ISBN:
> > 3-936052-01-8
> >
> > Here are some links that could be perhaps helpful for you:
> > A glossary I used several times:
> > http://www.dcoce.ox.ac.uk/glossary/
> > The SHA-1 standard:
> > http://csrc.nist.gov/publications/fips/fips180-2/fips180-2withchangenotice.pdf
> > The DES standard:
> > http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf
> > The draft for SCEP (please check if there is a newer one available):
> > http://ietfreport.isoc.org/all-ids/draft-nourse-scep-13.txt
> > Some information about hashing crypto analysis:
> > http://cm.bell-labs.com/who/akl/hash.pdf
> > The OpenCA documentation (also check if a newer one is available):
> > http://albert.openca.org/openca/docs/
> > Useful RFCs:
> > 1321 -> MD5
> > 2401 - about 2412 -> IPSec ...
> > 2527 -> X509 Certificate Policy and Certification Practice Statement
> > 2560 -> X509 - OCSP (Online Certificate Status Protocol)
> > 3280 -> X509 - CRL (Certificate Revocation List)
> > Blog from Bruce Schneier about "SHA-1 broken":
> > http://www.schneier.com/blog/archives/2005/02/sha1_broken.html
> > A report about collisions for hash functions:
> > http://eprint.iacr.org/2004/199.pdf
> > And last but not least you should have a look at wikipedia in the
> > beginning because it is sometimes easier to understand and get some
> > basic knowledge before starting with the real details ;-)
> >
> > In the beginning it's really hard to get into all those details but
> > later it is real fun to work with PKIs and all the possible
> > cryptographic scenarios.
> >
> > Kind regards and a nice weekend,
> >
> > Matthias
> >
> >
> > On 7/6/07, [EMAIL PROTECTED] <[EMAIL PROTECTED]> wrote:
> > > Hi
> > > I want to develop PKI infrastructure for my organization but I am new in
> > > this area. Can anybody guide me from where I should start? What should be
> > > my starting point?
> > >
> > > thanks
> > > shakeel
> > > --
> > > Shakeel Ahmad
> > >
> > > "Donate the Money to Earthquake Victims.
> > > The average income in Pakistan is about 50$ per month.
> > > It means you can give average life for only  50$ PM."
> > >
> > >
> > >
> > > Quoting Dominique Lohez <[EMAIL PROTECTED]>:
> > >
> > > > Krzysztof Ryba wrote:
> > > > > Hello
> > > > >
> > > > > Three months ago Nicolas Vahlas wrote, but there was no answer:
> > > > >
> > > > >> I have an installation of OpenCA where the CA certificate has
> > > > >> expired.
> > > > >> This was a self-signed CA certificate.
> > > > >> I would like to renew this certificate, i.e. extend the expiration
> > > > >> date without changing the rest of the certificate's data.
> > > > >>
> > > > >> Is there a way to do this ?
> > > > >>
> > > > >> What if I use the "General" > "Initialization" > "Initialize the
> > > > >> Certification Authority" > "Self Signed CA Certificate (from altready
> > > > >> generated request)" functionality of the OpenCA web interface ?
> > > > >>
> > > > >> If not, should I use OpenSSL directly ? How is this possible ?
> > > > >>
> > > > >>
> > > > >>
> > > > >
> > > > > Now I have a very similar problem: I have to issue a certificate for
> > > > > a user which will be valid for the next 24 months, but unfortunately
> > > > > the CA self-signed certificate is going to expire in 11 months, so I
> > > > > have to, for example, extend the expiration date of the CA cert.
> > > > >
> > > > > Is it possible (and if so, how) to do this? Could anyone help and give
> > > > > me/us some hint?
> > > > >
> > > > > Regards,
> > > > >
> > > > >
> > > > Unfortunately a CA certificate should not be renewed before the PKI
> > > > infrastructure has become obsolete !!
> > > > Thus the CA certificate always has serial number 0.
> > > > Working around this problem could be done using openssl but this should
> > > > not be recommended.
> > > >
> > > > When I encountered a similar problem, I redefined a new PKI
> > > > infrastructure from scratch and provided new certificates to all the
> > > > old users.
> > > >
> > > > Sorry,
> > > >
> > > > Dominique
> > > >
> > > > -------------------------------------------------------------------------
> > > > This SF.net email is sponsored by DB2 Express
> > > > Download DB2 Express C - the FREE version of DB2 express and take
> > > > control of your XML. No limits. Just data. Click to get it now.
> > > > http://sourceforge.net/powerbar/db2/
> > > > _______________________________________________
> > > > Openca-Users mailing list
> > > > [email protected]
> > > > https://lists.sourceforge.net/lists/listinfo/openca-users
> > > >
> > >
> > >
> > >
> >
> >
>
>
>
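
For the CA expiry question quoted further up in this thread (a user certificate meant to run 24 months under a self-signed CA certificate that expires sooner), the following is an added example, not part of the original messages and not OpenCA's own procedure. It uses plain openssl to re-issue the self-signed CA certificate with the same key and subject and then checks the existing user certificate against both CA certificates at two points in time; all file names, subject names and validity periods are constructed for the demo.

```shell
#!/bin/sh
# Added example: constructed names and lifetimes, run in a throwaway temp directory.
set -e

CA_SUBJ="/O=Example Org/CN=Example Root CA"   # constructed subject

setup_ca() {   # $1 = work dir: CA key, short-lived CA cert, one long-lived user cert
    openssl genrsa -out "$1/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$1/ca.key" -sha256 -days 1 \
        -subj "$CA_SUBJ" -out "$1/ca-old.pem"
    openssl genrsa -out "$1/user.key" 2048 2>/dev/null
    openssl req -new -key "$1/user.key" -subj "/O=Example Org/CN=user1" \
        -out "$1/user.csr"
    # The user certificate outlives the CA certificate that signed it.
    openssl x509 -req -in "$1/user.csr" -CA "$1/ca-old.pem" -CAkey "$1/ca.key" \
        -set_serial 2 -sha256 -days 730 -out "$1/user.pem" 2>/dev/null
}

renew_ca() {   # $1 = work dir: same key and subject, only the validity changes
    openssl req -x509 -new -key "$1/ca.key" -sha256 -days 3650 \
        -subj "$CA_SUBJ" -out "$1/ca-new.pem"
}

chains_to() {  # $1 = CA cert, $2 = leaf cert, $3 = epoch seconds to validate at
    openssl verify -attime "$3" -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    d=$(mktemp -d)
    setup_ca "$d"; renew_ca "$d"
    now=$(date +%s); later=$((now + 60 * 86400))   # today and 60 days ahead
    for ca in ca-old.pem ca-new.pem; do
        for t in "$now" "$later"; do
            if chains_to "$d/$ca" "$d/user.pem" "$t"; then r=OK; else r=FAIL; fi
            echo "$ca at $t: user certificate verify $r"
        done
    done
    rm -rf "$d"
}

demo
```

The user certificate still chains to the re-issued CA certificate because the issuer name and signing key are unchanged; relying parties still have to receive the new CA certificate as their trust anchor, and a CA certificate issued with a new key or subject would not validate the old user certificates.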
