Re: [Openca-Users] Suse installation problems

2010-07-09 Thread Dominique Lohez
Hi,

Do the make and make test run correctly?

After the make step, has a file bp.xml been created somewhere in the 
working directory?

Sincerely

Dominique

Brad Dux wrote:
 I have been trying to install OpenCA from source on OpenSuse, but I am receiving 
 the following error message when I run make install-offline install-online:
 Done with Scripts...
 + MODE=755
 + /usr/bin/make -s __install_dir USER=apache GROUP=apache DIR=yes/etc/openca
 + /usr/bin/install -c -d -o apache -g apache -m 755 yes
 + /usr/bin/install -c -d -o apache -g apache -m 755 yes/etc
 + /usr/bin/install -c -d -o apache -g apache -m 755 yes/etc/openca
 + /usr/bin/make -s install-conf
 + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/access_control
 + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/bp/
 + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/database/
 + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/openssl/
 + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/openssl/openssl/
 + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/openssl/extfiles/
 + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/rbac/
 + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/rbac/cmds/
 + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/scep
 + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/agreements/
 + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/servers
 + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/contrib
 + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/includes/
 + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/contrib/apache
 + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/contrib/openldap
 + /usr/bin/install -c -d -o apache -g apache -m 755 yes/etc/init.d
 /usr/bin/install: cannot create regular file `yes/etc/openca/bp/bp.xml': No 
 such file or directory
 make[9]: *** [bp.xml] Error 1
 make[8]: *** [bp] Error 2
 make[7]: *** [install-conf] Error 2
 make[6]: *** [yes/etc/openca] Error 2
 make[5]: *** [etc] Error 2
 make[4]: *** [install] Error 2
 make[3]: *** [common] Error 2
 make[2]: *** [install-common] Error 2
 make[1]: *** [src] Error 2
 make: *** [install-common] Error 2



 I used the following configure command:
 ./configure --with-openca-user=OpenCA \
 --with-openca-group=OpenCA \
 --with-openssl-prefix=/usr \
 --with-httpd-fs-prefix=/usr/share/apache2 \
 --with-openca-prefix \
 --with-web-host=localhost \
 --with-db-type=pg \
 --with-db-name=openca_db \
 --with-db-host=localhost \
 --with-db-user=openca_user \
 --with-db-passwd= \
 --with-httpd-user=apache \
 --with-httpd-group=apache \
 --with-htdocs-fs-prefix=/srv/www/htdocs \
 --with-cgi-fs-prefix=/srv/www/cgi-bin \
 --prefix=/usr/local \
 --exec-prefix=/usr/local \
 --with-httpd-main-dir=pki

 Any help is greatly appreciated.
   Brad

 ___
 Openca-Users mailing list
 Openca-Users@lists.sourceforge.net
 https://lists.sourceforge.net/lists/listinfo/openca-users


   


-- 
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France

Phone : +33 (0)3 20 30 40 71
Email: dominique.lo...@isen.fr




Re: [Openca-Users] [Important] - Change of CA private key | use of 2 private keys at same time?

2009-10-06 Thread Dominique Lohez
Yildirim Zaynal wrote:
 Dear all,

 Current situation;
 OpenCA version 0.9.2.5
 CA: using private key of 4096 bits..

 Issue: Some applications don't support 4096 bit key lengths = want to
 sign certificates with 2048 bit CA key.

 Question: I don't want to install another openCA server, and I want to
 use the same database for the certificates so that everything is more
 clean and consistent. Is it possible to change the CA (the public key
 & private key) without any problems?
   
The Certification Authority is the central pole of stability of any 
Public Key infrastructure.
So it cannot be changed.
Neither the public nor the private key can be changed.
Even the self-signed certificate must be issued for the expected 
duration of the installation.
So the only way to get the change you want is to erase the existing CA 
and build a new one from scratch.
The solution is very severe!!!
In addition, care must be taken over how to deal with the already issued 
certificates.

As an alternative, you may imagine creating on the same a new sub-CA 
with a key of the right key length.
However, since the sub-CA certificate must be signed by the root CA, the 
problem of key length then arises when checking the sub-CA certificate.


IMHO you should check very carefully whether your applications cannot be 
parametrized so that they recognize the existing key.


I hope this helps

Dominique
 Or is it possible to have 2 private keys and choose which one to sign
 with using openCA?

 Any comments/ideas are welcome.

 Kind regards,



   


-- 
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France

Phone : +33 (0)3 20 30 40 71
Email: dominique.lo...@isen.fr




Re: [Openca-Users] Not getting mails from Openca Mailing list

2009-01-07 Thread Dominique Lohez
I encountered a similar problem.
I solved it by using the IMAP protocol instead of the POP protocol to load 
the mails from the local server.

I hope this helps

Regards

Dominique LOHEZ

Anil Aliyan wrote:
 I am not getting mail from openca mailing list.
  
 Regards,
  
 Anil Aliyan
 

   

-- 
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France

Phone : +33 (0)3 20 30 40 71
Email: dominique.lo...@isen.fr




Re: [Openca-Users] CA-Initial admin creation failed.

2008-07-09 Thread Dominique Lohez
This sounds to me like an error before issuing the initial 
administrator certificate.
So my questions are:

1) Did you successfully initialize the database?

2) Did you successfully create the request for the initial administrator 
certificate?


Dominique LOHEZ

the Moonspeller wrote:

 Hello all

 I did an install of OpenCA on a single machine for all roles. Backend 
 database is Postgresql . Initialization of CA went well,
 but when I tried to create initial admin, I got the following error 
 message:

 OpenCA: General error trapped 700: The compilation of the command 
 cmdIssueCertificate failed. Can't call method first_child on an 
 undefined value at /srv/OpenCA/CA/lib/functions/crypto-utils.lib line 955.

 Googled around a bit – no idea what’s going on. I did the same install 
 without the SQL backend and all went well ?!

 TIA


 -- 
 */M. /*


 
   


-- 
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France

Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]




Re: [Openca-Users] OpenCA and security vulnerability in Debian

2008-05-21 Thread Dominique Lohez
Maciej Szuba wrote:
 Hello!
 What should I do? I use Debian for subca, rootca is working on
 Fedora. I generated 400 certs on subca and distributed them to clients.
 Last week I saw a message about an openssl vulnerability in Debian:
 Luciano Bello discovered that the random number generator in Debian's
 openssl package is predictable.  This is caused by an incorrect
 Debian-specific change to the openssl package (CVE-2008-0166).  As a
 result, cryptographic key material may be guessable.  I checked: the certs
 are affected.  So in this way I must revoke all clients' certs and the
 subca cert in rootca. But I have a question: what about the CRL, where does
 the client find the CRL if I revoke (and generate a new) subca cert? I would
 like to ask the developers about a way to find a solution.
   
Here is a hint of an answer.
Normally things SHOULD work this way:
the users' certs are recognized because they are issued by the trusted 
CA subca;
subca is trusted because of the certificate issued by rootCA;
so revoking the subca certificate and issuing the corresponding CRL from 
the non-vulnerable root CA should be sufficient.
Now you must be sure that both checks, of the user and of the subca, are always 
effective.

I hope this helps

Dominique
 Macie



   


-- 
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France

Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]
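
The reply's requirement that the checks of both the user certificate and the sub CA are always effective, shown as an added shell example (not part of the original thread). It builds a constructed three-level PKI with the `openssl` command line, revokes the sub CA at the root, and compares leaf-only CRL checking with whole-chain checking; the CA names, file names and lifetimes are assumptions.

```shell
#!/bin/sh
# Added example. Constructed throwaway PKI: Demo Root CA -> Demo Sub CA -> Demo User.
# All names, file names and lifetimes below are assumptions for the demonstration.
PKI_DIR=$(mktemp -d)
trap 'rm -rf "$PKI_DIR"' EXIT

# Run a command inside the PKI directory, discarding openssl's chatter.
in_pki() { ( cd "$PKI_DIR" && "$@" ) >/dev/null 2>&1; }

# new_req STEM CN [extra req args]: fresh RSA key plus a CSR (or self-signed cert).
new_req() {
    stem=$1; cn=$2; shift 2
    in_pki openssl req -config pki.cnf -newkey rsa:2048 -nodes \
        -keyout "$stem.key" -subj "/CN=$cn" "$@"
}

# ca NAME [args]: run `openssl ca` acting as CA "root" or "sub".
ca() {
    name=$1; shift
    in_pki openssl ca -config pki.cnf -name "ca_$name" -batch "$@"
}

write_config() {
    cat > "$PKI_DIR/pki.cnf" <<'EOF'
[req]
distinguished_name = dn
[dn]
commonName = Common Name
[any]
commonName = supplied
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[v3_user]
basicConstraints = CA:FALSE
EOF
    for c in root sub; do
        mkdir -p "$PKI_DIR/$c/certs"
        : > "$PKI_DIR/$c/index.txt"
        echo 01 > "$PKI_DIR/$c/serial"
        echo 01 > "$PKI_DIR/$c/crlnumber"
        cat >> "$PKI_DIR/pki.cnf" <<EOF
[ca_$c]
database = $c/index.txt
serial = $c/serial
crlnumber = $c/crlnumber
new_certs_dir = $c/certs
certificate = $c.crt
private_key = $c.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = any
EOF
    done
}

# Each CA publishes its own CRL; relying parties receive both in one file.
publish_crls() {
    ca root -gencrl -out root.crl && ca sub -gencrl -out sub.crl &&
    cat "$PKI_DIR/root.crl" "$PKI_DIR/sub.crl" > "$PKI_DIR/all.crl"
}

build_pki() {
    write_config &&
    new_req root "Demo Root CA" -x509 -days 30 -extensions v3_ca -out root.crt &&
    new_req sub "Demo Sub CA" -out sub.csr &&
    ca root -notext -extensions v3_ca -in sub.csr -out sub.crt &&
    new_req user "Demo User" -out user.csr &&
    ca sub -notext -extensions v3_user -in user.csr -out user.crt &&
    publish_crls
}

# The root CA revokes the sub CA certificate and both CRLs are re-published.
revoke_sub_ca() { ca root -revoke sub.crt && publish_crls; }

# verdict FLAG: -crl_check consults a CRL for the user certificate only,
# -crl_check_all consults a CRL for every certificate in the chain.
verdict() {
    if in_pki openssl verify -CAfile root.crt -untrusted sub.crt \
        -CRLfile all.crl "$1" user.crt
    then echo accepted; else echo rejected; fi
}

build_pki || { echo "openssl setup failed" >&2; exit 1; }
BEFORE=$(verdict -crl_check_all)
revoke_sub_ca || { echo "revocation failed" >&2; exit 1; }
echo "sub CA valid,   whole chain checked: $BEFORE"
echo "sub CA revoked, user cert checked:   $(verdict -crl_check)"
echo "sub CA revoked, whole chain checked: $(verdict -crl_check_all)"
```

A relying party that only consults the CRL for the user certificate keeps accepting certificates issued under the revoked sub CA; only the whole-chain check sees the root's CRL entry.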




Re: [Openca-Users] Prolong/Renew expired CA certificate

2007-07-05 Thread Dominique Lohez
Krzysztof Ryba wrote:
 Hello

 Three months ago Nicolas Vahlas wrote, but there was no answer:
   
 I have an installation of OpenCA where the CA certificate has expired.
 This was a self-signed CA certificate.
 I would like to renew this certificate i.e. extend the expiration date
 without change the rest of the certificates data.

 Is there a way to do this ?

 What if I use the General > Initialization > Initialize the
 Certification Authority > Self Signed CA Certificate (from already
 generated request) functionality of the OpenCA web interface ?

 If not, should I use OpenSSL directly ? How is this possible ?

   
 

 Now I have a very similar problem: I have to issue a certificate for a user 
 which will be valid for the next 24 months, but unfortunately the CA self-signed 
 certificate is going to expire in 11 months, so I have to f.e. extend 
 the expiration date of the CA cert.

 Is it possible (and if so, how) to do this? Could anyone help and give me/us some hint?

 Regards,

   
Unfortunately a CA certificate should not be renewed before the PKI 
infrastructure has become obsolete!!
Thus the CA certificate always has serial number 0.
Working around this problem could be done using openssl but this should 
not be recommended.

When I encountered a similar problem, I redefined a new PKI 
infrastructure from scratch and provided new certificates to all the 
old users.

Sorry,

Dominique



[Openca-Users] make test failed due to the missing perl module OpenCA::OpenSSL::Fast in the openca-0.9.3-rc1 distrib

2007-06-12 Thread Dominique Lohez

Hi,

I am trying to upgrade to openca-0.9.3-rc1.
According to the advice of the installation manual, I use a minimal 
configuration (see attached file).

Then:
   1) The configuration command runs correctly
   2) The make command runs correctly
   3) The make test command fails (see the attached file)


The failure arises from the tests in the directory
/tmp/openca-0.9.3-rc1/src/modules/openca-openssl/
I retried them by hand with the verbose command (with the 0 of the 
initial command replaced by 1):
/usr/bin/perl -MExtUtils::Command::MM -e "test_harness(1, 'blib/lib', 'blib/arch')" t/*.t


The result is shown in the third attached file.

Primarily the error messages look like the following:

# fail: Your vendor has not defined OpenCA::OpenSSL::Fast macro 
X509V3_F_S2I_S2I_SKEY_ID, used at (eval 129) line 1

I have checked that the effective versions are later than the 
requirements for all the modules concerned.


Now I have some questions:

   1) Am I missing something?
   2) This sounds to me like a bug in the distrib. Is this 
correct?
   3) While the test failed, all the sub-tests succeed. 
Can the failure be neglected?




thanks in advance

Dominique lohez

 




--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France

Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]

#!/bin/sh

PREFIX=$1
VER=0.9.3

if [ -z "${PREFIX}" ] ; then
    PREFIX=/usr/local/openca.${VER}
fi

./configure \
  --prefix=${PREFIX} \
  --with-openca-user=pkiuser  \
  --with-openca-group=pkigroup \
  --with-openca-prefix=${PREFIX}/openca \
  --with-httpd-fs-prefix=${PREFIX}/httpd \
  --with-openssl-prefix=/usr\
  --with-engine=no \
  --with-web-host=..fr \
  --with-httpd-user=apache \
  --with-httpd-group=apache \
  --with-cgi-fs-prefix=${PREFIX}/openca/cgi   \
  --with-htdocs-fs-prefix=${PREFIX}/openca/htdocs   \
  --enable-ocspd \
  --enable-scep \
  --enable-db \
  --disable-dbi \
  --disable-rbac 
  #--enable-package-build \
  #--enable-external-modules 
make src docs SUBTARGET=test
make[1]: entrant dans le répertoire « /tmp/openca-0.9.3-rc1 »
cd src && make test
make[2]: entrant dans le répertoire « /tmp/openca-0.9.3-rc1/src »
make common modules ext-modules scripts web-interfaces SUBTARGET=test
make[3]: entrant dans le répertoire « /tmp/openca-0.9.3-rc1/src »
cd common && make test
make[4]: entrant dans le répertoire « /tmp/openca-0.9.3-rc1/src/common »
make etc lib var  SUBTARGET=test
make[5]: entrant dans le répertoire « /tmp/openca-0.9.3-rc1/src/common »
cd etc && make test
make[6]: entrant dans le répertoire « /tmp/openca-0.9.3-rc1/src/common/etc »
make[6]: Rien à faire pour « test ».
make[6]: quittant le répertoire « /tmp/openca-0.9.3-rc1/src/common/etc »
cd lib && make test
make[6]: entrant dans le répertoire « /tmp/openca-0.9.3-rc1/src/common/lib »
make bp cmds functions locale mails stylesheets SUBTARGET=test
make[7]: entrant dans le répertoire « /tmp/openca-0.9.3-rc1/src/common/lib »
cd bp && make test
make[8]: entrant dans le répertoire « /tmp/openca-0.9.3-rc1/src/common/lib/bp »
backup_key.sub syntax OK
check_csr.sub syntax OK
check_csr_params.sub syntax OK
check_key.sub syntax OK
check_key_params.sub syntax OK
check_pin.sub syntax OK
complete_csr.sub syntax OK
create_cert.sub syntax OK
create_csr.sub syntax OK
create_key.sub syntax OK
create_pin.sub syntax OK
enroll_pkcs12.sub syntax OK
enroll_pin.sub syntax OK
make[8]: quittant le répertoire « /tmp/openca-0.9.3-rc1/src/common/lib/bp »
cd cmds && make test
make[8]: entrant dans le répertoire « /tmp/openca-0.9.3-rc1/src/common/lib/cmds »
addCRR syntax OK
add_module syntax OK
add_right syntax OK
add_role syntax OK
approveCRR syntax OK
approveCRRnotSigned syntax OK
approveCSR syntax OK
approveCSRnotSigned syntax OK
basic_csr syntax OK
bpDoFunction syntax OK
bpDoStep syntax OK
bpExportPIN syntax OK
bpImportNewUser syntax OK
bpImportNewProcess syntax OK
bpImportProcessData syntax OK
bpImportProcessDataCompact syntax OK
bpIssueCertificate syntax OK
bpListProcess syntax OK
bpListUser syntax OK
bpRecoverCert syntax OK
bpRecoverKey syntax OK
bpRevokeCertificate syntax OK
bpSetState syntax OK
bpUnsetState syntax OK
bpViewProcess syntax OK
changeCRR syntax OK
changeCSR syntax OK
changePasswd syntax OK
cleanupSessions syntax OK
confirm_revreq syntax OK
crlList syntax OK
deleteCRR syntax OK
deleteCSR syntax OK
deletePasswd syntax OK
delete_module syntax OK
delete_right syntax OK
editCRR syntax OK
editCSR syntax OK
exportCAReqCert syntax OK
exportDB syntax OK
genCACert syntax OK
Global symbol "$query" requires explicit package name at genCAReq line 20.
Global symbol "$crypto_layer" requires explicit package name at genCAReq line 27.
Global symbol "$cryptoShell" requires explicit package name at genCAReq

Re: [Openca-Users] Batchprocessing - emailAddress in subject fails

2004-07-06 Thread Dominique Lohez
[EMAIL PROTECTED] wrote:
Hi Michael
Hi people!
I am trying to enroll certificates using batchprocessing with cvs of end of last
week. All works smooth, BUT when I try to enhance the usual SUBJECT line in
batch_process_data.txt with emailAddress I fail. The certificate IS enrolled,
but the field emailAddress does not turn up in it. Example:

 ...
 ROLE User
 ...
 SUBJECT CN=Crashtest Dummy, 
[EMAIL PROTECTED],O=Ferrari, OU=Design, L=Turin, 
 C=it
 ... 
I think that the emailAddress should not be in the DN but in the SUBJECT 
ALT NAME

Dominique
--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France
Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]



Re: [Openca-Users] RC4: batch processors and pkcs12

2004-06-01 Thread Dominique Lohez
Michael Konietzka wrote:
Hi,
I am using RC4 and the batch processors for issuing certificates and keys. 
Using OpenCA 0.9.1.x and Apache 2.0, when one tries to issue more than 
6 certificates, one gets messages corresponding to the first six 
certificates.
Do you observe a similar behaviour?

Best regards
Dominique
--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France
Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]



Re: [Openca-Users] 0.9.1-7 batch processors (again !)

2004-06-01 Thread Dominique Lohez
Chris Covell wrote:
I can see the openssl ca command when I do a ps at the command line.
If I kill the openssl ca command, I get the appropriate error on the
Waiting for ~ the Apache Timeout (default 300s), the command is killed 
and the batchprocessor ends up correctly (without displaying any messages).
When the Timeout is lowered to 100s the command is killed in ~100 s.

Dominique


 


--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France
Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]



Re: [Openca-Users] 0.9.1-7 batch processors (again !)

2004-05-19 Thread Dominique Lohez
Chris Covell wrote:
Dominique,
On Mon, 2004-05-17 at 16:15, Dominique Lohez wrote:
 

   4) Once the process is blocked, walking through the Valid 
Certificates list using the previous( )  or  ()   next arrows ( but 
not   | or |  ) causes the process to become unblocked. And 
then it never becomes blocked again.

   

when you say this do you mean that you open up another browser to the CA
and view valid certificates ?
I do the trials with a single browser.
From the pending display  frame I can ask under information 
Certificates and then choose Valid Certificates
Two new threads ( process) are started and then ...

Chris...

 


--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France
Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]



Re: [Openca-Users] 0.9.1-7 batch processors (again !)

2004-05-17 Thread Dominique Lohez
Chris/Michael
Some constants of the batch problem:
   1) It always arises in
   the main signature process,
   while openssl is used in a lot of processes
   2) It always arises at the same iteration
   3) The process appears to do nothing. It does not consume CPU 
time. It seems to be waiting for something

   4) Once the process is blocked, walking through the Valid 
Certificates list using the previous( )  or  ()   next arrows ( but 
not   | or |  ) causes the process to become unblocked. And 
then it never becomes blocked again.

   Any idea is welcome
regards
Dominique
  

--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France
Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]



Re: [Openca-Users] 0.9.1-7 batch processors (again !)

2004-05-12 Thread Dominique Lohez
Chris/Michael

Chris Covell wrote:

I have just done a couple of new tests:

On Thu, 2004-05-06 at 15:03, Chris Covell wrote:
 

Dominique/Michael,
   



OpenCA 0.9.1-8 with Apache 1.3 BP work fine

OpenCA 0.9.1-8 with Apache 2.0 BP can't issue certificates.

Can you think of a way of describing this to the Apache guys so that I
can put a bug report in ?
Clearly it is an Apache 2.0 problem.
I encountered it using a PC with Linux Red Hat 9, kernel 2.4.20-8 on i686.
The problem is at least Critical or even Blocking.

I checked in the Apache bugs database for a somewhat similar report.

It is particularly difficult since the database is just being 
reorganized. When you find some interesting
example, if you do not write down all the classification then the example 
has disappeared from the database.
It seems to me the main problem lies in the fact that the openssl 
thread does not end.
It sounds to me like an over-optimization problem.

I hope this can help

Regards

Dominique

Chris...



 



--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France
Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]




Re: [Openca-Users] 0.9.1-7 batch processors (again !)

2004-05-12 Thread Dominique Lohez
Michael Bell wrote:

Do you use pure Perl or mod_perl with Apache 2?

The mod_perl is loaded

 

Dominique

--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France
Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]




Re: [Openca-Users] 0.9.1-7 batch processors (again !)

2004-04-26 Thread Dominique Lohez
Chris Covell wrote:

Hello guys,

we have a project where I need to issue _lots_ of certificates, so I am
testing things out with the Batch Processors. Since I tested last time
(10,000 certs created using batch processors) I have moved up to OpenCA
0.9.1-7 and now run the system on Apache 2.0.48 and openssl 0.9.7a (as
provided by Fedora in RPM).
My problem is that I go through all the usual batch processes to create
keys pairs, approve etc. Then when I get to issue the certs (i.e. sign
them with the CA key) the BP completes 5 certs and then hangs. It is
always 5, no more no less !
I get the same with a limit of six

If I do a BP of less than 5 certs at a time, then the process works
perfectly.
Using the 0.9.1-8 version,
I have tried to get 20 certificates.
The BP works correctly and displays the correct messages for the first six 
certificates
and then it goes on silently without sending a message for ending the 
batch processing.

Looking at the list of approved request and valid certificates you can 
follow the evolution of the process

After completing the process the certificates can be exported.


Can anyone think what is going on ? I can't believe there is a limit on
OpenSSL, especially as is it being called per cert request.
Help please.

Chris...



 



--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France
Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]




[Openca-Users] Problem issuing Cerficate with batch processors

2004-04-08 Thread Dominique Lohez
Hello,
I tried to issue 20 certificates using the batch processor.
Only the first six messages indicating success are posted.
The rest of the work goes on silently.
No message for the end of the batch processor is posted.
Does anybody know how to get all the messages?

Thanks for any help

Dominique LOHEZ

--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France
Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]




Re: [Openca-Users] Problem with verify signatures in Sub-CA with batchproccesor.

2004-04-02 Thread Dominique Lohez
Michael Bell wrote:


I have another problem: after completing all the previous steps, when I
am going to issue the certificates (29 users), I get only 6 certificates
correctly and then the process stalls. If I try again, the system issues
the next 6 certificates and then stalls again. I'll do it time after time, till
I get all the certificates. This is not the standard behaviour, no?


No, this is not the standard behaviour but it is the same problem as 
the first one. Both functionalities use the function getNextItem from 
DB.pm. It looks like this function has a problem. We changed the 
function a little bit for 0.9.2 but I don't know which side effects the 
new changes can have in 0.9.1. 
I have checked this.
Again only six certificates can be issued


0.9.1:

if ( ($self->{dbms}->seq($key, $val, R_CURSOR) != 0) or
     ($keys->{KEY} != $key) ) {
    ## the key doesn't exist
    $dbstat = $self->{dbms}->seq($key, $val, R_FIRST);
} else {
    do {
        $dbstat = $self->{dbms}->seq($key, $val, R_NEXT );
    } while (($dbstat == 0) and ($key eq "ELEMENTS"));
}
return undef
    if ($dbstat < 0);
## Return object (if any)
return $self->getItem( DATATYPE=>$dataType, MODE=>$mode, KEY=>$key,
                       PARSE_MODE => $parse_mode);

0.9.2:

if ( ($self->{dbms}->seq($key, $val, R_CURSOR) != 0) or
     not exists $keys->{KEY} or
     ($keys->{KEY} != $key) ) {
    ## the key does not exist
    $dbstat = $self->{dbms}->seq($key, $val, R_FIRST);
} else {
    do {
        $dbstat = $self->{dbms}->seq($key, $val, R_NEXT );
    } while (($dbstat == 0) and ($key eq "ELEMENTS"));
}
return undef if ($dbstat < 0); ## real error
return undef if ($dbstat == 1); ## R_NEXT or R_FIRST does not exist
## Return object (if any)
return $self->getItem( DATATYPE=>$dataType, MODE=>$mode, KEY=>$key);
The first if contains a more safe construction to detect a needed 
first element. Also there is a better error detection and we don't 
need a parse mode because the crypto object parser is now much faster 
and we completely parse every object.

Michael


--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France
Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]




Re: [Openca-Users] Problem with verify signatures in Sub-CA with batchproccesor.

2004-04-02 Thread Dominique Lohez
I have checked this.
Again only six certificates can be issued

Sorry, in fact I tried to issue 20 certificates and they are all
generated.
But during the batchprocessor execution only the first six messages are
provided.




Dominique

--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France
Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]




Re: [Openca-Users] UPN subjectAltName

2004-03-23 Thread Dominique Lohez
Gio wrote:

Hi,
to be able to use the certificates for Windows logon it is necessary to
have the UPN in the certificate.
By default the subject alternative name contains the email.
The UPN must be a unique value, and LDAP also needs a unique value as
RDN.
Therefore I have added UID as part of the SubjectDN.
And I wanted this UID to appear automatically in the subject alternative
name.
For this I have changed, besides the sub crypto_get_csr_subject_alt_name,
also editCSR:

    ## subject alternative name
    if ( defined $req->getParsed()->{DN_HASH}->{UID}[0] ) {
        $subjectAltName = "UID:".$req->getParsed()->{DN_HASH}->{UID}[0];
    } elsif ( $parsed_req->{UID} ne "" ) {
        $subjectAltName = "UID:".$parsed_req->{UID}[0];
    } else {
        $subjectAltName = "";
    }

I am not good in Perl and I have simply tried by trial and error until
I had the result that I wanted.
Now however I fear that the changes I made can have disagreeable
consequences.
A consequence of the changes in crypto_get_csr_subject_alt_name is
that I always have to have the UPN in the certificate,
otherwise I receive an OpenSSL error, since in __SUBJECT_ALT_NAME__,
if it doesn't have othername, OpenSSL wants a value with an equal.
For the user certificates there is no problem, but for the server
certificates I have to have
DNS (netscape) GUID and DNS of the Domain Controller of Windows.
Are these changes scheduled?
I will try to implement them, but ..
Thanks in advance

Giovanna




A simple way to add LDAP attributes is to modify the conf file.

From the installation directory you should edit the
files
openca/etc/openssl/openssl/User.conf

or
openca/etc/openssl/extfiles/User.conf
--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France
Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]
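
The subjectAltName layout discussed in this thread, written as a standard OpenSSL x509v3 extension file (an added example, not OpenCA's shipped User.conf and not code from either poster). The section names, the example.org values and the GUID bytes are placeholders, and it assumes an OpenSSL release whose configuration syntax supports otherName.

```ini
# Constructed example: OpenSSL x509v3 extension sections for Windows logon.
# Section names and all values below are placeholders.

[ user_logon_ext ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature
# clientAuth plus the Microsoft smart card logon EKU
extendedKeyUsage = clientAuth, 1.3.6.1.4.1.311.20.2.2
subjectAltName   = @user_alt_names

[ user_alt_names ]
email       = jdoe@example.org
# UPN is an otherName: OID 1.3.6.1.4.1.311.20.2.3 carrying a UTF8String
otherName.1 = 1.3.6.1.4.1.311.20.2.3;UTF8:jdoe@example.org

[ dc_ext ]
basicConstraints = critical, CA:FALSE
keyUsage         = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth, clientAuth
subjectAltName   = @dc_alt_names

[ dc_alt_names ]
# DNS name of the domain controller
DNS.1       = dc01.example.org
# Domain controller GUID: OID 1.3.6.1.4.1.311.25.1 carrying an OCTET STRING
# (16 bytes, written as 32 hex digits; placeholder value)
otherName.1 = 1.3.6.1.4.1.311.25.1;FORMAT:HEX,OCTETSTRING:00112233445566778899AABBCCDDEEFF
```

With plain OpenSSL, a section is selected through the `-extfile` and `-extensions` options of `openssl x509 -req`; user and server certificates get different sections, so the UPN is only required where it belongs.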




Re: [Openca-Users] Error 6751

2004-03-19 Thread Dominique Lohez
Andréa Cavallari wrote:

What does this error mean???
What can I do?
 
Error 6751: Error while issuing Certificate
 
Such a message is followed by complementary information. You should first
read this information.
Dominique Lohez

 
Andréa Cavallari
Suporte Técnico
Pamcary Sistemas de Gerenciamento de Riscos S/C Ltda.
PAMSIST - Unidade de Serviços, Informações, Sistemas e Tecnologia
(011) 3889-1478
[EMAIL PROTECTED]


--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France
Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]




Re: [Openca-Users] Problems revoking certificate

2004-02-04 Thread Dominique Lohez
David W. Blaine wrote:

Hi all,

I have problems revoking some of my certificates. I am running openca 0.9.1. I 
had to rebuild my ca and I reloaded my previously issued certificates. The 
certificates that I reloaded cannot be revoked. Certificates issued after the 
reload can be revoked. The following error appears in apache.

Using configuration from /usr/local/openca.0.9.1/openca/etc/openssl/openssl.cnf
ERROR:name does not match /C=xx/O=yy/OU=zzz/CN=/serialNumber=238
unable to write 'random state'
--
David Blaine, GCIA
Network Engineer
CSC for GDLS
Desk: 586-825-7650
Cell: 810-217-8041
Email: [EMAIL PROTECTED]


 

During a test phase of OpenCA
I encountered the same problem with certificates created with the batch
procedure.
I suspect a problem in the config files of OpenCA.
Testing a change is very heavy since it requires starting the
reinitialization
of the CA, RA etc. So I am trying to build and test a sequence of
OpenSSL commands to simulate the OpenSSL behaviour underlying some
OpenCA commands without OpenCA.

--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France
Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]




[Openca-Users] Re Error 6841 of nicolaie@ly...

2003-09-22 Thread Dominique Lohez
I encountered the same problem.
Does anybody know the solution?
Sincerely yours

Dominique
--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE
France
Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]

