Hi,
I think I should explain the issue more clearly.
We issued certs for grid use, so the CN may be in the format
'host/host.domain.com'. I found OpenCA doesn't support it, so I revised the
module REQ.pm in the 0.9.1 version to solve the problem. But when I recovered the dbm
in 0.9.2v from an archive made by 0.9.1v, the process was OK, but I can't view
the request; it returns
-----------------------------------------------------------------------------------------------
 Error 700

      General Error The compilation of the command cmdViewCSR failed. Can't
use an undefined value as a HASH reference at
/usr/local/ca/OpenCA/lib/functions/crypto-utils.lib line 1163.
----------------------------------------------------------------------------------------------
I can still view the request whose CN didn't include '/', but the signature
error appeared, which said
-----------------------------------------------------------------------------------------------
            Error 560
                  General Error Signature Object not returned, check the
openca-verify command. Cannot build PKCS#7-object from extracted signature!
                  OpenCA::PKCS7 returns errorcode 7911031 (OpenCA::PKCS7->new:
Cannot initialize signature (7912021). OpenCA::PKCS7->initSignature: Cannot
parse signature (7921021). OpenCA::PKCS7->getParsed: The crypto-backend cannot
verify the signature (7742075). OpenCA::OpenSSL->verify: openca-sv failed.
[Error]: error:04077068:rsa routines:RSA_verify:bad signature
                  [Info]: Input file intialized.
                  [Info]: Signaturefile initialized.
                  [Info]: Reading Certificate file.
                  [Info]: PKCS#7 object loaded.
                  [Info]: Data is ready for verification.
                  [Info]: Signature Informations (PKCS#7):
                  depth:0 serial:0D subject:CN=raoperator,OU=IHEP,O=HEP,C=CN
                  error:20:unable to get local issuer certificate
                  [Info]: Signature is corrupt. Errorcode -1.
                  signature:error:-1
                  ).
------------------------------------------------------------------------------------------------

On Tue, 17 Jan 2006 16:15:28 +0800, FAN HuaXiang wrote
> Hi,
> 
> The first problem I encountered when upgrading is that
> when I restore the database, the new system couldn't recognize the 
> signature of the request. By the way, I use dbm.
> 
> I will report when I do more.
> 
> Thanks a lot !
> 
> On Fri, 13 Jan 2006 15:31:20 +0100, Michael Bell wrote
> > Hi,
> > 
> > > Recently, I notice some new feature for openca 0.9.2, specially on the 
> > > security aspect, but I also find out that some problem with compatibility,
> > > so I want to ask is it possible to upgrade openca.
> > 
> > The most important question is what do you find for problems with the
> > compatibility? After this there is a very short description how you can
> > upgrade but please test this on a separate machine before you do 
> > this on the production system. Sometimes there are heavy problems 
> > with old OpenCA installations. An upgrade is not trivial. 
> > Nevertheless the dataexchange stuff which we used to backup for a 
> > 0.9.2 upgrade is partly compatible with 0.9.1.
> > 
> > http://www.openxpki.org/docs/guide/html_chunked/apes04.html#id2560367
> > 
> > Best regards
> > 
> > Michael
> > -- 
> > _______________________________________________________________
> > 
> > Michael Bell                    Humboldt-Universitaet zu Berlin
> > 
> > Tel.: +49 (0)30-2093 2482       ZE Computer- und Medienservice
> > Fax:  +49 (0)30-2093 2704       Unter den Linden 6
> > [EMAIL PROTECTED]   D-10099 Berlin
> > _______________________________________________________________
> 
> Kind Regards,
> 
> FAN HuaXiang
> Computing Centre
> Institute of High Energy Physics
> Chinese Academy of Sciences
> Beijing,P.R.China
> 


Kind Regards,

FAN HuaXiang
Computing Centre
Institute of High Energy Physics
Chinese Academy of Sciences
Beijing,P.R.China
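
An added illustration, not part of the original message and not OpenCA code: why a grid-style CN such as 'host/host.domain.com' is ambiguous when a subject is written in a '/'-separated one-line form, while the comma-separated form seen in the error output above carries it unchanged. The sample subjects and all function names are constructed for this example; the thread does not say how OpenCA parses subjects.

```python
import re

# Constructed sample subjects, not taken from the original message.
ONELINE = "/C=CN/O=HEP/OU=IHEP/CN=host/host.domain.com"
COMMA = "CN=host/host.domain.com,OU=IHEP,O=HEP,C=CN"

def naive_oneline(dn):
    """Split on every '/'; a '/' inside a value is mistaken for a separator."""
    rdns = []
    for part in dn.strip("/").split("/"):
        key, sep, value = part.partition("=")
        rdns.append((key, value if sep else None))
    return rdns

# Treat '/' as a separator only when an attribute type and '=' follow it.
# A value that itself contains "/word=" remains ambiguous in this form.
_RDN_START = re.compile(r"/(?=[A-Za-z][A-Za-z0-9.]*=)")

def tolerant_oneline(dn):
    return [tuple(p.split("=", 1)) for p in _RDN_START.split(dn) if p]

def parse_comma_form(dn):
    """Split on unescaped commas; '/' needs no special handling here."""
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    return [tuple(r.strip().split("=", 1)) for r in rdns]

def cn_of(rdns):
    return next((v for k, v in rdns if k.upper() == "CN"), None)

if __name__ == "__main__":
    print(naive_oneline(ONELINE))
    print(cn_of(tolerant_oneline(ONELINE)))
    print(cn_of(parse_comma_form(COMMA)))
```
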


