I've been working on getting some documents and files together to make an easy installation of OpenCA. Here is what I've got so far. I realize it isn't setting things up in the most secure fashion, but I'm hoping to help folks get past the initial steps before getting more complicated.

I'd appreciate any comments or pointers about what might be wrong or unclear in this document.

Thanks
to install from source
(actual commands marked with a "*")
(We ran on Debian "unstable")
(assumes an apache install using default options)


download new tarball from 
http://prdownloads.sourceforge.net/openca/openca-0.9.2-RC4.tar.gz?use_mirror=unc
into a source directory
Alternately, get the latest snapshot
We are currently running a snapshot from a couple of weeks ago; RC4 actually gave me 
some problems.

* gunzip openca-0.9.2-RC4.tar.gz 
* tar xvf openca-0.9.2-RC4.tar 

* make distclean 

first install the ra
(may want to update the web-host value)

* ./configure \
  --prefix=/usr/local/openra \
  --with-httpd-user=www-data \
  --with-httpd-group=www-data \
  --with-openca-prefix=/usr/local/openra/openca \
  --with-etc-prefix=/usr/local/openra/openca/etc \
  --with-httpd-fs-prefix=/usr/local/openra/httpd \
  --with-module-prefix=/usr/local/openra/modules \
  --with-node-prefix=ra-node \
  --with-engine=no \
  --with-web-host=localhost \
  --enable-ocspd \
  --enable-dbi \
  --enable-rbac \
  --with-hierarchy-level=ra

* make
* make install-online  


Now for the CA
(may want to update the web-host value)

* make distclean
* ./configure \
  --prefix=/usr/local/openca \
  --with-httpd-user=www-data \
  --with-httpd-group=www-data \
  --with-openca-prefix=/usr/local/openca/openca \
  --with-etc-prefix=/usr/local/openca/openca/etc \
  --with-httpd-fs-prefix=/usr/local/openca/httpd \
  --with-module-prefix=/usr/local/openca/modules \
  --with-node-prefix=ca-node \
  --with-engine=no \
  --with-web-host=localhost \
  --enable-ocspd \
  --enable-dbi \
  --enable-rbac \
  --with-hierarchy-level=ca 
  
* make
* make install-offline

create the DB:
* mysql -uroot -p mysql
<password>
create database openca;
create database openra;
grant all privileges on openca.* to [EMAIL PROTECTED] identified by "openca";
grant all privileges on openra.* to [EMAIL PROTECTED] identified by "openra";

test the DB
* mysql -uopenca -p
use openca
show tables;
(should return empty set, as DB is empty)
exit;
* mysql -uopenra -p
use openra
show tables;
(should return empty set, as DB is empty)
exit;

edit the apache httpd.conf (location varies, but this is the apache config file)
in the script aliases section, add:
# OpenCA Mods
# CA Aliases
Alias       /ca /usr/local/openca/httpd/htdocs/ca/
Alias       /ca-node /usr/local/openca/httpd/htdocs/ca-node/
ScriptAlias /cgi-bin/ca/ /usr/local/openca/httpd/cgi-bin/ca/ 
ScriptAlias /cgi-bin/ca-node/ /usr/local/openca/httpd/cgi-bin/ca-node/

# OpenCA Mods
# RA Aliases
Alias       /ra /usr/local/openra/httpd/htdocs/ra/
Alias       /pub /usr/local/openra/httpd/htdocs/pub/
Alias       /ra-node /usr/local/openra/httpd/htdocs/ra-node/
ScriptAlias /cgi-bin/ra/ /usr/local/openra/httpd/cgi-bin/ra/
ScriptAlias /cgi-bin/pub/ /usr/local/openra/httpd/cgi-bin/pub/
ScriptAlias /cgi-bin/ra-node/ /usr/local/openra/httpd/cgi-bin/ra-node/

# OpenCA Mods
<Directory "/usr/local/openca/httpd/cgi-bin/">
     AllowOverride None
     Options ExecCGI
     Order allow,deny
     Allow from all
</Directory>
<Directory "/usr/local/openra/httpd/cgi-bin/">
     AllowOverride None
     Options ExecCGI
     Order allow,deny
     Allow from all
</Directory>
<Directory "/usr/local/openca/httpd/htdocs/">
     AllowOverride None
     Options FollowSymLinks Indexes
     Order allow,deny
     Allow from all
</Directory>
<Directory "/usr/local/openra/httpd/htdocs/">
     AllowOverride None
     Options FollowSymLinks Indexes
     Order allow,deny
     Allow from all
</Directory>
# OpenCA Mods
# adding dir to symlinks following for cert retrieval
# not totally clear WHY openca puts a symlink here, but it did.
<Directory "/usr/local/openra/httpd/cgi-bin/pub">
     AllowOverride None
     Options FollowSymLinks Indexes
     Order allow,deny
     Allow from all
</Directory>
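An added audit (not part of the original post) for the httpd.conf step above: it lists every OpenCA/OpenRA <Directory> block whose Options still enable Indexes (directory listings of the CA and RA document trees), run here against a constructed sample that mixes the snippet's own blocks with a hardened variant. It assumes the Apache 2.2 syntax used above, with the Directory path in double quotes.

```shell
#!/bin/sh
# Added example, not from the original post: flag OpenCA/OpenRA <Directory>
# blocks in httpd.conf whose Options enable "Indexes", i.e. directory
# listings of the CA/RA htdocs and cgi-bin trees. Assumes the Apache 2.2
# syntax used in the snippet above (a "Directory" path in double quotes).

# list_indexed_dirs HTTPD_CONF -> prints each /usr/local/openca or
# /usr/local/openra Directory path whose Options contain Indexes
list_indexed_dirs() {
    awk '
        /^[[:space:]]*<Directory[[:space:]]/ {
            dir = $0; sub(/^[^"]*"/, "", dir); sub(/".*$/, "", dir)
            indexed = 0; next
        }
        /^[[:space:]]*Options/ && dir != "" {
            for (i = 2; i <= NF; i++)
                if ($i == "Indexes" || $i == "+Indexes") indexed = 1
        }
        /^[[:space:]]*<\/Directory>/ {
            if (indexed && dir ~ /^\/usr\/local\/open(ca|ra)\//) print dir
            dir = ""
        }
    ' "$1"
}

# constructed sample: two blocks copied from the snippet above, one hardened
# variant (-Indexes), and an unrelated block that must not be reported
AUDIT_DIR=$(mktemp -d)
cat > "$AUDIT_DIR/httpd.conf" <<'EOF'
<Directory "/usr/local/openca/httpd/htdocs/">
     AllowOverride None
     Options FollowSymLinks Indexes
     Order allow,deny
     Allow from all
</Directory>
<Directory "/usr/local/openra/httpd/cgi-bin/">
     AllowOverride None
     Options ExecCGI
</Directory>
<Directory "/usr/local/openra/httpd/htdocs/">
     AllowOverride None
     Options -Indexes +FollowSymLinks
</Directory>
<Directory "/var/www/">
     Options Indexes
</Directory>
EOF

list_indexed_dirs "$AUDIT_DIR/httpd.conf"   # prints only /usr/local/openca/httpd/htdocs/
```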

modify the config.xml for the ra (located in /usr/local/openra/openca/etc)

Now onto the config.xml, for the ca and the ra.
for the CA:
general options 
        ca_organization
        ca_locality
        ca_country
        service_mail_account (set to [EMAIL PROTECTED])
        dbmodule -> DBI for the mysql database
        db_type-> mysql
        db_name -> openca
        db_host -> localhost  (or whatever)
        db_port -> 3306  (the mysql default port)
        db_user -> openca
        db_passwd -> XXX
configuration of absolute paths
        (as needed.  once again, looks like some of the work is already done)
dataexchange configuration
        de-activate default, by adding comment <!-- --> brackets
        activate mode 1, node acts as CA only by removing comment brackets
configuration of relative paths
        (as needed.  Not done first time through due to error)  

<!-- these are the devices for the default dataexchange -->
(these might not be in config.xml; if not, see below)
        <option>
          <name>dataexchange_device_up</name>
          <value>/usr/local/openca/openca/var/tmp/ca-up</value>
        </option>
        <option>
          <name>dataexchange_device_down</name>
          <value>/usr/local/openca/openca/var/tmp/ca-down</value>
        </option>
        <option>
          <name>dataexchange_device_local</name>
          <value>/usr/local/openra/openca/var/tmp/ra-local</value>
        </option>

if the  dataexchange device section is not in config.xml, go to
/usr/local/openca/openca/servers  and look at ca-node.conf.template and 
ca.conf.template

(/usr/local/openca/openca/etc/servers/ca.conf.template)
change the line EXPORT_IMPORT_DOWN_DEVICE "/dev/fd0"
to EXPORT_IMPORT_DOWN_DEVICE "/usr/local/openca/openca/var/tmp/ca-down"

change the line EXPORT_IMPORT_LOCAL_DEVICE "/dev/fd0"
to EXPORT_IMPORT_LOCAL_DEVICE "/usr/local/openra/openca/var/tmp/ra-local"

ra-node.conf.template needs similar updates as well:
the RA IMPORT UP DEVICE should be the exact same file as the CA IMPORT_DOWN_DEVICE
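An added check (not from the original post) for the device pairing just described: it reads the generated CA and RA conf files and confirms that the CA's down device and the RA's up device name the same path, and that neither still points at the /dev/fd0 default. It assumes the KEY "value" syntax shown above and that the RA-side key is spelled EXPORT_IMPORT_UP_DEVICE (the post only says "IMPORT UP DEVICE"); the sample conf files are constructed here.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the CA "down"
# device and the RA "up" device in the generated conf files are the same
# path, otherwise dataexchange between the two nodes silently fails.
# Assumptions: lines look like  KEY "value"  as in the templates above, and
# the RA key is EXPORT_IMPORT_UP_DEVICE (adjust if your template differs).

# conf_value FILE KEY -> prints the quoted value of KEY in FILE
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_exchange_pair CA_CONF RA_CONF -> 0 if the devices match, 1 otherwise
check_exchange_pair() {
    ca_down=$(conf_value "$1" EXPORT_IMPORT_DOWN_DEVICE)
    ra_up=$(conf_value "$2" EXPORT_IMPORT_UP_DEVICE)
    if [ -z "$ca_down" ] || [ -z "$ra_up" ]; then
        echo "missing device setting (ca_down='$ca_down' ra_up='$ra_up')" >&2
        return 1
    fi
    if [ "$ca_down" != "$ra_up" ]; then
        echo "mismatch: CA down='$ca_down' RA up='$ra_up'" >&2
        return 1
    fi
    # a leftover /dev/fd0 means the template was never edited
    case "$ca_down" in /dev/fd*) echo "still set to floppy: $ca_down" >&2; return 1 ;; esac
    echo "ok: both nodes exchange via $ca_down"
}

# constructed sample files standing in for ca.conf and ra-node.conf
EXCH_DIR=$(mktemp -d)
cat > "$EXCH_DIR/ca.conf" <<'EOF'
EXPORT_IMPORT_DOWN_DEVICE "/usr/local/openca/openca/var/tmp/ca-down"
EXPORT_IMPORT_LOCAL_DEVICE "/usr/local/openra/openca/var/tmp/ra-local"
EOF
cat > "$EXCH_DIR/ra-node.conf" <<'EOF'
EXPORT_IMPORT_UP_DEVICE "/usr/local/openca/openca/var/tmp/ca-down"
EOF
cat > "$EXCH_DIR/ra-node-unedited.conf" <<'EOF'
EXPORT_IMPORT_UP_DEVICE "/dev/fd0"
EOF

check_exchange_pair "$EXCH_DIR/ca.conf" "$EXCH_DIR/ra-node.conf"   # ok
```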




also update items in /usr/local/openca/openca/etc/access_control
(similar for RA)

ca-node.xml.template
<protocol> set to .*
<symmetric> keylength 0

ca.xml.template
<protocol> set to .*
<symmetric> keylength 0


now return to the ra etc dir /usr/local/openra/openca/etc
run the "magic script" configure_etc.sh
that script makes configuration files from the template(s)
then openca_start  
(the script to start the server is the same for the ra as the ca, hence openca_start 
rather than openra_start)
use the browser to open a page on http://myhost.wherever.edu/openra
and you should get a page.
Also check http://myhost.wherever.edu/ra-node
Also check http://myhost.wherever.edu/pub

switch dir to 
/usr/local/openca/openca/etc
run the "magic script" configure_etc.sh
that script makes configuration files from the template(s)

use the browser to open a page on http://myhost.wherever.edu/openca
and you should get a page.
Also check http://myhost.wherever.edu/ca-node

if the pages work, you have installed openca.  Now you need to initialize it.


+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
++++++++++++  The initialization of an Installed CA +++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Configure an installed/compiled OpenCA installation

connect to the ca: 
http://myhost.wherever.edu/openca

Series of tabs should be visible.  Select General->Initialization
 Phase I
Initialize the Certification Authority
        Initialize Database
        initialize -> initialize DB (reports success, but a slurry of error messages about "table not found" may appear on the console)

initialize -> initialize phase 1 -> generate new secret key: des3 rsa 1024 (enter the pwd to protect the key)
initialize -> initialize phase 1 -> generate new cert request (args as appropriate)(I think you need to set the email to match the sender from the config file, but am not sure)
initialize -> initialize phase 1 -> Self Signed CA Certificate (from already generated request): 730 days
initialize -> initialize phase 1 -> Rebuild CA Chain

initialize -> initialize phase 2 -> new request: fields as appropriate.  This is the cert for the ca admin
initialize -> initialize phase 2 -> edit request: (submit)(issue)
initialize -> initialize phase 2 -> handle request: export as p12 (pwd the PIN entered during request)
 save to disk, import into browser

initialize -> initialize phase 3 -> new request:  (RAOperator as role)
initialize -> initialize phase 3 -> edit request: (submit)(issue)
initialize -> initialize phase 3 -> handle request: export as p12 (pwd the PIN entered during request)
 save to disk, import into browser

Now initialize the RA database
http://myhost.wherever.edu/ra-node
Admin->Server Init, initialize DB
Admin->Server Init, Import Configuration


Now move the Certs down to the RA
http://myhost.wherever.edu/openca
Now export info to the RA:
General -> Node Management  (brings you to CA-NODE urls)
Administration->Dataexchange
 Enroll data to a lower level of the hierarchy->all
 
 General-> Registration Authority (to the ra)
 General-> node management (to the ra-node)
Administration->Dataexchange
         Download data from a higher level of the hierarchy->All 
         
         (errors getting CA certificate are ok and expected; it came from the import 
config above)

Now to issue the first client certificate:
http://myhost.wherever.edu/pub
User->Request a Certificate->Request a certificate with automatic browser detection (fill out fields as desired)(note the request serial number generated; use it to pick it up below)

Now approve the request:
http://myhost.wherever.edu/ra
Active CSRs->New->(search)  click on submit name/serial number (color link)
(Approve Request without signing)  

Export the request from the RA
http://myhost.wherever.edu/ra-node
Admin->dataexchange->Upload data to a higher level of the hierarchy ->requests

Import into CA
http://myhost.wherever.edu/ca-node
Admin->dataexchange->Receive data from a lower level of the hierarchy ->requests

Approve the Cert
http://myhost.wherever.edu/ca
Usual Operations->Approved Certificate Requests -> click on serial number, issue the certificate button

Export the cert from the CA
http://myhost.wherever.edu/ca-node
Admin->dataexchange->Enroll data to a lower level of the hierarchy  ->Certificates

Import the cert to the RA
http://myhost.wherever.edu/ra-node
Admin->dataexchange->Download data from a higher level of the hierarchy ->Certificates

Pick up the certificate
http://myhost.wherever.edu/pub
User->Get Requested Certificate  
   use the install button.  If that fails, 
Certificates->valid has an install option, and download options that should get the 
certificate.

