Re: [Openca-Users] Suse installation problems
Hi,

Do the make and make test run correctly? After the make step, has a file bp.xml been created somewhere in the working directory?

Sincerely
Dominique

Brad Dux wrote:

> I have been trying to install OpenCA from source on OpenSuse, but I am receiving the following error message when I run make install-offline install-online:
>
> Done with Scripts...
> + MODE=755
> + /usr/bin/make -s __install_dir USER=apache GROUP=apache DIR=yes/etc/openca
> + /usr/bin/install -c -d -o apache -g apache -m 755 yes
> + /usr/bin/install -c -d -o apache -g apache -m 755 yes/etc
> + /usr/bin/install -c -d -o apache -g apache -m 755 yes/etc/openca
> + /usr/bin/make -s install-conf
> + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/access_control
> + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/bp/
> + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/database/
> + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/openssl/
> + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/openssl/openssl/
> + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/openssl/extfiles/
> + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/rbac/
> + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/rbac/cmds/
> + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/scep
> + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/agreements/
> + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/servers
> + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/contrib
> + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/includes/
> + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/contrib/apache
> + /usr/bin/install -c -d -o apache -g apache yes/etc/openca/contrib/openldap
> + /usr/bin/install -c -d -o apache -g apache -m 755 yes/etc/init.d
> /usr/bin/install: cannot create regular file `yes/etc/openca/bp/bp.xml': No such file or directory
> make[9]: *** [bp.xml] Error 1
> make[8]: *** [bp] Error 2
> make[7]: *** [install-conf] Error 2
> make[6]: *** [yes/etc/openca] Error 2
> make[5]: *** [etc] Error 2
> make[4]: *** [install] Error 2
> make[3]: *** [common] Error 2
> make[2]: *** [install-common] Error 2
> make[1]: *** [src] Error 2
> make: *** [install-common] Error 2
>
> I used the following configure command:
>
> ./configure --with-openca-user=OpenCA \
>     --with-openca-group=OpenCA \
>     --with-openssl-prefix=/usr \
>     --with-httpd-fs-prefix=/usr/share/apache2 \
>     --with-openca-prefix \
>     --with-web-host=localhost \
>     --with-db-type=pg \
>     --with-db-name=openca_db \
>     --with-db-host=localhost \
>     --with-db-user=openca_user \
>     --with-db-passwd= \
>     --with-httpd-user=apache \
>     --with-httpd-group=apache \
>     --with-htdocs-fs-prefix=/srv/www/htdocs \
>     --with-cgi-fs-prefix=/srv/www/cgi-bin \
>     --prefix=/usr/local \
>     --exec-prefix=/usr/local \
>     --with-httpd-main-dir=pki
>
> Any help is greatly appreciated.
>
> Brad

--
Dr Dominique LOHEZ ISEN 41, Bd Vauban F59046 LILLE France Phone : +33 (0)3 20 30 40 71 Email: dominique.lo...@isen.fr
Re: [Openca-Users] [Important] - Change of CA private key | use of 2 private keys at same time?
Yildirim Zaynal wrote:

> Dear all,
>
> Current situation; OpenCA version 0.9.2.5
> CA: using private key of 4096 bits..
>
> Issue: Some applications don't support 4096-bit key lengths => want to sign certificates with 2048 bit CA key.
>
> Question: I don't want to install another openCA server, and I want to use the same database for the certificates so that everything is more clean and consistent. Is it possible to change the CA ( the public key private key ) without any problems?

The Certification Authority is the central pole of stability of any Public Key infrastructure.
So it cannot be changed.
Neither the public nor the private key can be changed.
Even the self-signed certificate must be issued for the expected duration of the installation.

So the only way to get the change you want is to erase the existing CA and build a new one from scratch. The solution is very severe !!!
In addition, care must be taken in how to deal with the already issued certificates.

As an alternative you may imagine to create on the same a new sub-ca with a key of the right key length.
However, since the sub-ca certificate must be signed by the root ca, the problem of key length then arises when checking the sub-ca certificate.

IMHO you should check very carefully if your applications cannot be parametrized so that they recognize the existing key.

I hope this helps
Dominique

> Or is it possible to have 2 private keys and choose which one to sign with using openCA?
>
> Any comments/ideas are welcome.
>
> Kind regards,

--
Dr Dominique LOHEZ ISEN 41, Bd Vauban F59046 LILLE France Phone : +33 (0)3 20 30 40 71 Email: dominique.lo...@isen.fr
Re: [Openca-Users] Not getting mails from Openca Mailing list
I encountered a similar problem.
I solved it by using the IMAP protocol instead of the POP protocol to load the mails from the local server.

I hope this helps
Regards
Dominique LOHEZ

Anil Aliyan wrote:

> I am not getting mail from openca mailing list.
>
> Regards,
> Anil Aliyan

--
Dr Dominique LOHEZ ISEN 41, Bd Vauban F59046 LILLE France Phone : +33 (0)3 20 30 40 71 Email: dominique.lo...@isen.fr
Re: [Openca-Users] CA-Initial admin creation failed.
This sounds to me like an error before the issuing of the initial administrator certificate.
So my questions are:
1) Did you successfully initialize the database?
2) Did you successfully create the request for the initial administrator certificate?

Dominique LOHEZ

the Moonspeller wrote:

> Hello all
>
> I did an install of OpenCA on a single machine for all roles. Backend database is Postgresql. Initialization of CA went well, but when I tried to create initial admin, I got the following error message:
>
> OpenCA: General error trapped 700: The compilation of the command cmdIssueCertificate failed. Can't call method first_child on an undefined value at /srv/OpenCA/CA/lib/functions/crypto-utils.lib line 955.
>
> Googled around a bit – no idea what’s going on. I did the same install without the SQL backend and all went well ?!
>
> TIA
>
> --
> M.

--
Dr Dominique LOHEZ ISEN 41, Bd Vauban F59046 LILLE France Phone : +33 (0)3 20 30 40 71 Email: [EMAIL PROTECTED]
Re: [Openca-Users] OpenCA and security vulnerability in Debian
Maciej Szuba wrote:

> Hello!
>
> What should I do? I use Debian for subca, rootca is working on Fedora. I generated 400 cert on subca and distributed to clients. Last week I saw message about openssl vulnerability in Debian:
>
> Luciano Bello discovered that the random number generator in Debian's openssl package is predictable. This is caused by an incorrect Debian-specific change to the openssl package (CVE-2008-0166). As a result, cryptographic key material may be guessable.
>
> I check certs are Affected. So in this way I must revoke all client's certs and subca cert in rootca. But I have a question: what about crl, where client find crl if I revoked (and generated new) subca cert. I would like ask developers about way to find solution??

Here is a hint of an answer.

Normally things SHOULD work this way:
the user's certs are recognized because they are issued by the trusted CA subca;
subca is trusted because of the certificate issued by rootCA;
so revoking the subca certificate and issuing the corresponding CRL from the unvulnerable root CA should be sufficient.

Now you must be sure that both checks, of user and of subca, are always effective.

I hope this helps
Dominique

> Macie

--
Dr Dominique LOHEZ ISEN 41, Bd Vauban F59046 LILLE France Phone : +33 (0)3 20 30 40 71 Email: [EMAIL PROTECTED]
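Whether "both checks are always effective", as the reply puts it, depends on the verifier checking revocation for the whole chain and not only for the user certificate. The script below is an added example, not part of the thread or of OpenCA: it builds a constructed root CA -> sub-CA -> user chain with the OpenSSL command line (all directories, subjects and key sizes are assumptions), revokes the sub-CA at the root, and compares a leaf-only CRL check with a full-chain CRL check.

```shell
#!/usr/bin/env bash
# Added example, not from the thread: constructed root CA -> sub-CA -> user chain.
set -eu

# Create the files "openssl ca" needs for the CA stored in directory $1.
ca_conf() {
  mkdir -p "$1/newcerts"
  : > "$1/index.txt"
  echo 01 > "$1/serial"
  echo 01 > "$1/crlnumber"
  cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = this_ca
[ this_ca ]
database = $1/index.txt
new_certs_dir = $1/newcerts
serial = $1/serial
crlnumber = $1/crlnumber
private_key = $1/ca.key
certificate = $1/ca.crt
default_md = sha256
default_days = 30
default_crl_days = 30
unique_subject = no
policy = any_cn
[ any_cn ]
commonName = supplied
[ v3_ca ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
[ v3_user ]
basicConstraints = CA:FALSE
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = unused
EOF
}

# (Re)issue both CRLs and bundle them the way a relying party would fetch them.
publish_crls() {
  openssl ca -config "$1/root/ca.cnf" -gencrl -out "$1/root/crl.pem" 2>/dev/null
  openssl ca -config "$1/sub/ca.cnf" -gencrl -out "$1/sub/crl.pem" 2>/dev/null
  cat "$1/root/crl.pem" "$1/sub/crl.pem" > "$1/crls.pem"
}

# Build the three-level PKI in work directory $1.
build_pki() {
  local d=$1
  ca_conf "$d/root"; ca_conf "$d/sub"
  openssl req -x509 -config "$d/root/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
    -keyout "$d/root/ca.key" -out "$d/root/ca.crt" -subj "/CN=Example Root CA" -days 30 2>/dev/null
  openssl req -new -config "$d/sub/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/sub/ca.key" -out "$d/sub/ca.csr" -subj "/CN=Example Sub CA" 2>/dev/null
  openssl ca -batch -notext -config "$d/root/ca.cnf" -extensions v3_ca \
    -in "$d/sub/ca.csr" -out "$d/sub/ca.crt" 2>/dev/null
  openssl req -new -config "$d/sub/ca.cnf" -newkey rsa:2048 -nodes \
    -keyout "$d/user.key" -out "$d/user.csr" -subj "/CN=Example User" 2>/dev/null
  openssl ca -batch -notext -config "$d/sub/ca.cnf" -extensions v3_user \
    -in "$d/user.csr" -out "$d/user.crt" 2>/dev/null
  publish_crls "$d"
}

# The root CA revokes the sub-CA certificate and publishes a fresh CRL.
revoke_subca() {
  openssl ca -config "$1/root/ca.cnf" -revoke "$1/sub/ca.crt" -crl_reason keyCompromise 2>/dev/null
  publish_crls "$1"
}

# $2 is -crl_check (user certificate only) or -crl_check_all (every certificate in the chain).
user_cert_verifies() {
  openssl verify -CAfile "$1/root/ca.crt" -untrusted "$1/sub/ca.crt" \
    -CRLfile "$1/crls.pem" "$2" "$1/user.crt" 2>/dev/null | grep -q ': OK$'
}

demo() {
  local d; d=$(mktemp -d)
  build_pki "$d"
  if user_cert_verifies "$d" -crl_check_all; then echo "before revocation: accepted"; fi
  revoke_subca "$d"
  if user_cert_verifies "$d" -crl_check; then
    echo "sub-CA revoked, leaf-only CRL check: user certificate still accepted"
  fi
  if ! user_cert_verifies "$d" -crl_check_all; then
    echo "sub-CA revoked, full-chain CRL check: user certificate rejected"
  fi
  rm -rf "$d"
}
demo
```

Clients that only consult the sub-CA's CRL keep trusting the 400 user certificates after the sub-CA is revoked, so the root CRL has to be reachable and checked by every relying party.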
Re: [Openca-Users] Prolong/Renew expired CA certificate
Krzysztof Ryba wrote:

> Hello
>
> Three months ago Nicolas Vahlas wrote, but there was no answer:
>
>> I have an installation of OpenCA where the CA certificate has expired. This was a self-signed CA certificate. I would like to renew this certificate i.e. extend the expiration date without change the rest of the certificates data. Is there a way to do this ? What if I use the General Initialization Initialize the Certification Authority Self Signed CA Certificate (from already generated request) functionality of the OpenCA web interface ? If not, should I use OpenSSL directly ? How is this possible ?
>
> Now I have very similar problem: I have to issue certificate for user which will be valid for next 24 months but unfortunately CA self-signed certificate is going to be expired in 11 months so I have to f.e. extend the expiration date of CA cert. Is it (and if) how to do this?
>
> Could anyone help and give me/us some hint.
>
> Regards,

Unfortunately a CA certificate should not be renewed before the pki infrastructure has become obsolete !!
Thus the CA certificate always has serial number 0.

Working around this problem could be done using openssl but this should not be recommended.

When I encountered a similar problem, I redefined a new pki infrastructure from scratch and provided new certificates to all the old users.

Sorry,
Dominique
[Openca-Users] make test failed due to the missing perl module OpenCA::OpenSSL::Fast in the openca-0.9.3-rc1 distrib
Hi,

I am trying to upgrade to openca-0.9.3-rc1.

According to the advice of the installation manual, I use a minimal configuration ( see attached file ), then:

1) The configuration command runs correctly
2) The make command runs correctly
3) The make test command fails ( see the attached file )

The failure arises from the tests in the directory /tmp/openca-0.9.3-rc1/src/modules/openca-openssl/

I retried by hand with the verbose command ( with the 0 of the initial command replaced by 1 ):

    /usr/bin/perl -MExtUtils::Command::MM -e "test_harness(1, 'blib/lib', 'blib/arch')" t/*.t

The result is shown in the third attached file. Primarily the error messages look like the following:

    # fail: Your vendor has not defined OpenCA::OpenSSL::Fast macro X509V3_F_S2I_S2I_SKEY_ID, used at (eval 129) line 1

I have checked that the effective versions are later than the requirements for all the modules concerned.

Now I have some questions:

1) Am I missing something ?
2) This sounds to me like a bug of the distrib. Is this correct?
3) While the test failed, all the sub-tests succeed. Can the failure be neglected?
thanks in advance
Dominique lohez

--
Dr Dominique LOHEZ ISEN 41, Bd Vauban F59046 LILLE France Phone : +33 (0)3 20 30 40 71 Email: [EMAIL PROTECTED]

    #!/bin/sh
    # Install prefix: first argument, or a versioned default.
    PREFIX=$1
    VER=0.9.3
    if [ -z "${PREFIX}" ] ; then
        PREFIX=/usr/local/openca.${VER}
    fi
    ./configure \
        --prefix=${PREFIX} \
        --with-openca-user=pkiuser \
        --with-openca-group=pkigroup \
        --with-openca-prefix=${PREFIX}/openca \
        --with-httpd-fs-prefix=${PREFIX}/httpd \
        --with-openssl-prefix=/usr \
        --with-engine=no \
        --with-web-host=..fr \
        --with-httpd-user=apache \
        --with-httpd-group=apache \
        --with-cgi-fs-prefix=${PREFIX}/openca/cgi \
        --with-htdocs-fs-prefix=${PREFIX}/openca/htdocs \
        --enable-ocspd \
        --enable-scep \
        --enable-db \
        --disable-dbi \
        --disable-rbac
    #--enable-package-build \
    #--enable-external-modules

    make src docs SUBTARGET=test
    make[1]: entrant dans le répertoire « /tmp/openca-0.9.3-rc1 »
    cd src make test
    make[2]: entrant dans le répertoire « /tmp/openca-0.9.3-rc1/src »
    make common modules ext-modules scripts web-interfaces SUBTARGET=test
    make[3]: entrant dans le répertoire « /tmp/openca-0.9.3-rc1/src »
    cd common make test
    make[4]: entrant dans le répertoire « /tmp/openca-0.9.3-rc1/src/common »
    make etc lib var SUBTARGET=test
    make[5]: entrant dans le répertoire « /tmp/openca-0.9.3-rc1/src/common »
    cd etc make test
    make[6]: entrant dans le répertoire « /tmp/openca-0.9.3-rc1/src/common/etc »
    make[6]: Rien à faire pour « test ».
    make[6]: quittant le répertoire « /tmp/openca-0.9.3-rc1/src/common/etc »
    cd lib make test
    make[6]: entrant dans le répertoire « /tmp/openca-0.9.3-rc1/src/common/lib »
    make bp cmds functions locale mails stylesheets SUBTARGET=test
    make[7]: entrant dans le répertoire « /tmp/openca-0.9.3-rc1/src/common/lib »
    cd bp make test
    make[8]: entrant dans le répertoire « /tmp/openca-0.9.3-rc1/src/common/lib/bp »
    backup_key.sub syntax OK
    check_csr.sub syntax OK
    check_csr_params.sub syntax OK
    check_key.sub syntax OK
    check_key_params.sub syntax OK
    check_pin.sub syntax OK
    complete_csr.sub syntax OK
    create_cert.sub syntax OK
    create_csr.sub syntax OK
    create_key.sub syntax OK
    create_pin.sub syntax OK
    enroll_pkcs12.sub syntax OK
    enroll_pin.sub syntax OK
    make[8]: quittant le répertoire « /tmp/openca-0.9.3-rc1/src/common/lib/bp »
    cd cmds make test
    make[8]: entrant dans le répertoire « /tmp/openca-0.9.3-rc1/src/common/lib/cmds »
    addCRR syntax OK
    add_module syntax OK
    add_right syntax OK
    add_role syntax OK
    approveCRR syntax OK
    approveCRRnotSigned syntax OK
    approveCSR syntax OK
    approveCSRnotSigned syntax OK
    basic_csr syntax OK
    bpDoFunction syntax OK
    bpDoStep syntax OK
    bpExportPIN syntax OK
    bpImportNewUser syntax OK
    bpImportNewProcess syntax OK
    bpImportProcessData syntax OK
    bpImportProcessDataCompact syntax OK
    bpIssueCertificate syntax OK
    bpListProcess syntax OK
    bpListUser syntax OK
    bpRecoverCert syntax OK
    bpRecoverKey syntax OK
    bpRevokeCertificate syntax OK
    bpSetState syntax OK
    bpUnsetState syntax OK
    bpViewProcess syntax OK
    changeCRR syntax OK
    changeCSR syntax OK
    changePasswd syntax OK
    cleanupSessions syntax OK
    confirm_revreq syntax OK
    crlList syntax OK
    deleteCRR syntax OK
    deleteCSR syntax OK
    deletePasswd syntax OK
    delete_module syntax OK
    delete_right syntax OK
    editCRR syntax OK
    editCSR syntax OK
    exportCAReqCert syntax OK
    exportDB syntax OK
    genCACert syntax OK
    Global symbol $query requires explicit package name at genCAReq line 20.
    Global symbol $crypto_layer requires explicit package name at genCAReq line 27.
    Global symbol $cryptoShell requires explicit package name at genCAReq
Re: [Openca-Users] Batchprocessing - emailAddress in subject fails
[EMAIL PROTECTED] wrote:

Hi Michael

> Hi people!
>
> I am trying to enroll certificates using batchprocessing with cvs of end of last week. All works smooth, BUT when I try to enhance the usual SUBJECT line in batch_process_data.txt with emailAddress I fail. The certificate IS enrolled, but the field emailAddress does not turn up in it.
>
> Example:
> ...
> ROLE User
> ...
> SUBJECT CN=Crashtest Dummy, [EMAIL PROTECTED],O=Ferrari, OU=Design, L=Turin, C=it
> ...

I think that the emailAddress should not be in the DN but in the SUBJECT ALT NAME

Dominique

--
Dr Dominique LOHEZ ISEN 41, Bd Vauban F59046 LILLE France Phone : +33 (0)3 20 30 40 71 Email: [EMAIL PROTECTED]
Re: [Openca-Users] RC4: batch processors and pkcs12
Michael Konietzka wrote:

> Hi,
>
> I am using RC4 and the batch processors for issuing certificates and keys.

Using OpenCA 0.9.1.x and apache 2.0:
when one tries to issue more than 6 certificates, one gets messages corresponding to the first six certificates.

Do you observe a similar behaviour?

Best regards
Dominique

--
Dr Dominique LOHEZ ISEN 41, Bd Vauban F59046 LILLE France Phone : +33 (0)3 20 30 40 71 Email: [EMAIL PROTECTED]
Re: [Openca-Users] 0.9.1-7 batch processors (again !)
Chris Covell wrote:

> I can see the openssl ca command when I do a ps at the command line. If I kill the openssl ca command, I get the appropriate error on the

Waiting for ~ the Apache Timeout ( default 300s ), the command is killed and the batchprocessor ends up correctly ( without displaying any messages ).

When the Timeout is lowered to 100s, the command is killed in ~ 100 s.

Dominique

--
Dr Dominique LOHEZ ISEN 41, Bd Vauban F59046 LILLE France Phone : +33 (0)3 20 30 40 71 Email: [EMAIL PROTECTED]
Re: [Openca-Users] 0.9.1-7 batch processors (again !)
Chris Covell wrote:

> Dominique,
>
> On Mon, 2004-05-17 at 16:15, Dominique Lohez wrote:
>
>> 4) Once the process is blocked. walking through the Valid Certificates list using the previous( ) or () next arrows ( but not | or | ) causes the process to become unblocked ) . And the It never becomes blocked again )
>
> when you say this do you mean that you open up another browser to the CA and view valid certificates ?

I do the trials with a single browser.
From the pending display frame I can ask under information Certificates and then choose Valid Certificates.
Two new threads ( process ) are started and then ...

> Chris...

--
Dr Dominique LOHEZ ISEN 41, Bd Vauban F59046 LILLE France Phone : +33 (0)3 20 30 40 71 Email: [EMAIL PROTECTED]
Re: [Openca-Users] 0.9.1-7 batch processors (again !)
Chris/Michael

Some constants of the batch problem:

1) It always arises on the main signature process, while openssl is used in a lot of processes
2) It always arises at the same iteration
3) The process appears to do nothing. It does not consume CPU time. It seems to be waiting for something
4) Once the process is blocked. walking through the Valid Certificates list using the previous( ) or () next arrows ( but not | or | ) causes the process to become unblocked ) . And the It never becomes blocked again )

Any idea is welcome

regards
Dominique

--
Dr Dominique LOHEZ ISEN 41, Bd Vauban F59046 LILLE France Phone : +33 (0)3 20 30 40 71 Email: [EMAIL PROTECTED]
Re: [Openca-Users] 0.9.1-7 batch processors (again !)
Chris/Michael

Chris Covell wrote:

> I have just done a couple of new tests:
>
> On Thu, 2004-05-06 at 15:03, Chris Covell wrote:
>
> Dominique/Michael,
>
> OpenCA 0.9.1-8 with Apache 1.3 BP work fine
> OpenCA 0.9.1-8 with Apache 2.0 BP can't issue certificates.
>
> Can you think of a way of describing this to the Apache guys so that I can put a bug report in ?

Clearly it is an apache 2.0 problem.
I encountered it using a PC with Linux Red Hat 9, Kernel 2.4.20-8 on i686.

The problem is at least Critical or even Blocking.

I checked in the apache bugs database for a somewhat similar report.
It is particularly difficult since the database is just being reorganized.
When you find some interesting example, if you do not write down all the classification then the example has disappeared from the database.

It seems to me the main problem stands in the fact that the openssl Thread does not end.
It sounds to me like an overoptimization problem.

I hope this can help

Regards
Dominique

> Chris...

--
Dr Dominique LOHEZ ISEN 41, Bd Vauban F59046 LILLE France Phone : +33 (0)3 20 30 40 71 Email: [EMAIL PROTECTED]
Re: [Openca-Users] 0.9.1-7 batch processors (again !)
Michael Bell wrote:

> Do you use pure Perl or mod_perl with Apache 2?

The mod_perl is loaded

Dominique

--
Dr Dominique LOHEZ ISEN 41, Bd Vauban F59046 LILLE France Phone : +33 (0)3 20 30 40 71 Email: [EMAIL PROTECTED]
Re: [Openca-Users] 0.9.1-7 batch processors (again !)
Chris Covell wrote:

> Hello guys,
>
> we have a project where I need to issue _lots_ of certificates, so I am testing things out with the Batch Processors.
>
> Since I tested last time (10,000 certs created using batch processors) I have moved up to OpenCA 0.9.1-7 and now run the system on Apache 2.0.48 and openssl 0.9.7a (as provided by Fedora in RPM).
>
> My problem is that I go through all the usual batch processes to create keys pairs, approve etc. Then when I get to issue the certs (i.e. sign them with the CA key) the BP completes 5 certs and then hangs. It is always 5, no more no less !

I get the same with a limit of six

> If I do a BP of less than 5 certs at a time, then the process works perfectly.

Using the 0.9.1-8 version I have tried to get 20 certificates.
The BP works correctly and displays the correct messages for the first six certificates, and then it goes on silently without sending a message for ending the Batch processing.
Looking at the list of approved requests and valid certificates you can follow the evolution of the process.

After completing the process the certificates can be exported.

> Can anyone think what is going on ? I can't believe there is a limit on OpenSSL, especially as it is being called per cert request.
>
> Help please.
>
> Chris...

--
Dr Dominique LOHEZ ISEN 41, Bd Vauban F59046 LILLE France Phone : +33 (0)3 20 30 40 71 Email: [EMAIL PROTECTED]
[Openca-Users] Problem issuing Cerficate with batch processors
Hello,

I tried to issue 20 certificates using batchprocessor.
Only the first six messages indicating the success are posted.
The rest of the work goes on silently.
No message for the end of the batch processor is posted.

Does anybody know how to get all the messages?

Thanks for any help

Dominique LOHEZ

--
Dr Dominique LOHEZ ISEN 41, Bd Vauban F59046 LILLE France Phone : +33 (0)3 20 30 40 71 Email: [EMAIL PROTECTED]
Re: [Openca-Users] Problem with verify signatures in Sub-CA with batchproccesor.
Michael Bell wrote:

>> I have another problem, after completing all the previous steps, when I am going to issue the certificates (29 users), I get only 6 certificates correctly and then the process stalls. If I try again, the system issues the next 6 certificates and then stalls again. I'll do it time after time, till I get all the certificates. This is not the standard behaviour, no?
>
> No, this is not the standard behaviour but it is the same problem like the first one. Both functionalities use the function getNextItem from DB.pm. It looks like this function has a problem. We changed the function a little bit for 0.9.2 but I don't know which side effects the new changes can have in 0.9.1.

I have checked this.
Again only six certificates can be issued

> 0.9.1:
>
>     if ( ($self->{dbms}->seq($key, $val, R_CURSOR) != 0) or
>          ($keys->{KEY} != $key) ) {
>         ## the key doesn't exist
>         $dbstat = $self->{dbms}->seq($key, $val, R_FIRST);
>     } else {
>         do {
>             $dbstat = $self->{dbms}->seq($key, $val, R_NEXT );
>         } while (($dbstat == 0) and ($key eq "ELEMENTS"));
>     }
>     return undef if ($dbstat < 0);
>     ## Return object (if any)
>     return $self->getItem( DATATYPE=>$dataType, MODE=>$mode, KEY=>$key,
>                            PARSE_MODE => $parse_mode);
>
> 0.9.2:
>
>     if ( ($self->{dbms}->seq($key, $val, R_CURSOR) != 0) or
>          not exists $keys->{KEY} or
>          ($keys->{KEY} != $key) ) {
>         ## the key does not exist
>         $dbstat = $self->{dbms}->seq($key, $val, R_FIRST);
>     } else {
>         do {
>             $dbstat = $self->{dbms}->seq($key, $val, R_NEXT );
>         } while (($dbstat == 0) and ($key eq "ELEMENTS"));
>     }
>     return undef if ($dbstat < 0);  ## real error
>     return undef if ($dbstat == 1); ## R_NEXT or R_FIRST does not exist
>     ## Return object (if any)
>     return $self->getItem( DATATYPE=>$dataType, MODE=>$mode, KEY=>$key);
>
> The first if contains a more safe construction to detect a needed first element. Also there is a better error detection and we don't need a parse mode because the crypto object parser is now much faster and we completely parse every object.
>
> Michael

--
Dr Dominique LOHEZ ISEN 41, Bd Vauban F59046 LILLE France Phone : +33 (0)3 20 30 40 71 Email: [EMAIL PROTECTED]
Re: [Openca-Users] Problem with verify signatures in Sub-CA with batchproccesor.
> I have checked this.
> Again only six certificates can be issued

Sorry,

In fact I tried to issue 20 certificates and they are all generated.
But during the batchprocessor execution only the first six messages are provided.

Dominique

--
Dr Dominique LOHEZ ISEN 41, Bd Vauban F59046 LILLE France Phone : +33 (0)3 20 30 40 71 Email: [EMAIL PROTECTED]
Re: [Openca-Users] UPN subjectAltName
Gio wrote:

Hi,

to be able to use the certificates for Windows logon it is necessary to have a UPN in the certificate. By default the alternative subject name contains the email. The UPN must be a unique value, and LDAP also needs a unique value as RDN. Therefore I have added UID as part of the SubjectDN, and I wanted this UID to appear automatically in the alternative subject name. For this I have changed, besides the sub crypto_get_csr_subject_alt_name, also editCSR:

    ## subject alternative name
    if ( defined $req->getParsed()->{DN_HASH}->{UID}[0] ) {
        $subjectAltName = "UID:" . $req->getParsed()->{DN_HASH}->{UID}[0];
    } elsif ( $parsed_req->{UID} ne "" ) {
        $subjectAltName = "UID:" . $parsed_req->{UID}[0];
    } else {
        $subjectAltName = "";
    }

I am not good in Perl and I simply tried by trial and error until I had the result that I wanted. Now, however, I fear that the changes I made can have disagreeable consequences. A consequence of the changes in crypto_get_csr_subject_alt_name is that I always have to have a UPN in the certificate, otherwise I receive an OpenSSL error, since in __SUBJECT_ALT_NAME__, if it doesn't have othername, OpenSSL wants a value with an equal. For the user certificates there is no problem, but for the server certificates I have to have DNS (netscape), GUID and DNS of the Domain Controller of Windows.

Are these changes scheduled? I will try to implement them, but ..

Thanks in advance
Giovanna

A simple way to add LDAP attributes is to modify the conf file. From the installation directory you should edit the files openca/etc/openssl/openssl/User.conf or openca/etc/openssl/extfiles/User.conf

--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE France
Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]
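For the UPN and Domain Controller cases raised in this thread, here is an added example (not part of the original messages and not OpenCA code) of the OpenSSL extension-file syntax for a UPN otherName and for a DC GUID plus DNS name, with a check that the values really end up in the certificate. The two OIDs are Microsoft's registered values; the section names, UPN, GUID and host name are constructed, and how these sections would map onto OpenCA's User.conf templates is an assumption.

```shell
#!/bin/sh
# Added example, not OpenCA code. Section names, UPN, GUID and host are constructed.

# Write an OpenSSL config with one extension section per certificate type.
# The @section form is used because the GUID value itself contains a comma.
write_ext_cfg() {
cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = constructed-test
[ user_ext ]
subjectAltName = @user_san
[ user_san ]
# UPN: otherName with OID 1.3.6.1.4.1.311.20.2.3, encoded as UTF8String
otherName = 1.3.6.1.4.1.311.20.2.3;UTF8:alice@corp.example
[ dc_ext ]
subjectAltName = @dc_san
[ dc_san ]
DNS = dc1.corp.example
# DC GUID: otherName with OID 1.3.6.1.4.1.311.25.1, encoded as OCTET STRING
otherName = 1.3.6.1.4.1.311.25.1;FORMAT:HEX,OCTETSTRING:00112233445566778899aabbccddeeff
EOF
}

# issue_test_cert <cfg> <ext-section> <out.pem>: throwaway self-signed certificate.
issue_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1" \
        -extensions "$2" -keyout "$3.key" -out "$3" 2>/dev/null
}

# Print the decoded subjectAltName line of a certificate.
show_san() {
    openssl x509 -in "$1" -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

# Succeed only if the given string is present in the DER encoding. Older OpenSSL
# prints otherName as "<unsupported>", so the text output alone proves nothing.
has_upn() {
    openssl x509 -in "$1" -outform DER | grep -aqF "$2"
}

tmp=$(mktemp -d)
write_ext_cfg "$tmp/ext.cnf"
for sec in user_ext dc_ext; do
    issue_test_cert "$tmp/ext.cnf" "$sec" "$tmp/$sec.pem" && show_san "$tmp/$sec.pem"
done
```
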
Re: [Openca-Users] Error 6751
Andréa Cavallari wrote:

What does this error mean??? What can I do?

Error 6751: Error while issuing Certificate

Such a message is followed by complementary information. You should first read this information.

Dominique Lohez

Andréa Cavallari
Technical Support
Pamcary Sistemas de Gerenciamento de Riscos S/C Ltda.
PAMSIST - Unidade de Serviços, Informações, Sistemas e Tecnologia
(011) 3889-1478
[EMAIL PROTECTED]

--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE France
Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]
Re: [Openca-Users] Problems revoking certificate
David W. Blaine wrote:

Hi all,

I have problems revoking some of my certificates. I am running openca 0.9.1. I had to rebuild my ca and I reloaded my previously issued certificates. The certificates that I reloaded cannot be revoked. Certificates issued after the reload can be revoked. The following error appears in apache.

Using configuration from /usr/local/openca.0.9.1/openca/etc/openssl/openssl.cnf
ERROR:name does not match /C=xx/O=yy/OU=zzz/CN=/serialNumber=238
unable to write 'random state'

--
David Blaine, GCIA
Network Engineer
CSC for GDLS
Desk: 586-825-7650
Cell: 810-217-8041
Email: [EMAIL PROTECTED]

During a test phase of OpenCA I encountered the same problem with certificates created with the Batch procedure. I suspect a problem in the config files of OpenCA. The test of change is very heavy since it requires starting the reinitialization of the CA, RA etc. So I am trying to build and test a sequence of OpenSSL commands to simulate the OpenSSL behaviour underlying some OpenCA command without OpenCA.

--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE France
Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]
[Openca-Users] Re Error 6841 of nicolaie@ly...
I encountered the same problem. Does anybody know the solution?

Sincerely yours
Dominique

--
Dr Dominique LOHEZ
ISEN
41, Bd Vauban
F59046 LILLE France
Phone : +33 (0)3 20 30 40 71
Email: [EMAIL PROTECTED]