Robert Hannemann wrote:
> 
> Robert Hannemann wrote:
> > I use the DB module.
> 
> What to do if I would change from the DB module to DBI in my running
> system?

You cannot do this with a running system. You must decide what you want
before you start with OpenCA. If you decide to use OpenCA::DBI
you must give ./configure the right option (use ./configure --help) and
then install OpenCA::DBIS manually (because Massimiliano forgot it in
the actual snapshots you must download it from CVS).

Now is the time to configure the database. You must configure a database
for the CA and one for the RAserver/Public-GW. If the database is ready
please configure DBI.conf (like ca.conf or raserver.conf).

So that's all. If you are really interested I recommend that you use the
DBI from the CVS. (I can send it to you via email but for a mailing list
it's a little bit too big - so if you have problems with cvs ask
directly).

Cheers,

Michael

P.S. the attached doc is only a very early version.
----------------------------------------------------------------------------
Michael Bell                             Email: [EMAIL PROTECTED]
Rechenzentrum - Datacenter               Email (work): [EMAIL PROTECTED]
Humboldt-University of Berlin            Tel.(work): +49 (0)30-2093 2482
Unter den Linden 6                       Fax.(work): +49 (0)30-2093 2959
10099 Berlin
Germany                                  [OpenCA Core Developer]

http://openca.sourceforge.net
1. Configure OpenCA::DBI on the CA

Please see "man OpenCA::DBI" and DBI.conf

2. Initialize the CA

2.1 Standard Initialization

Please follow the instructions on the web-interface of the CA.

2.1.1. Initialize database
2.1.2. Generate new private key
2.1.3. Generate new CA Certificate Request
2.1.4. Generate new Self-Signed CA-Certificate
2.1.5. Rebuild CA-Chain

2.2. Special Initialization

2.2.3. Use old private key

If you want to use an old private key you have to copy the key
to the following location:

(Please take in mind that I use here the default installation
path of OpenCA's CA.)

/usr/local/OpenCA/private/cakey.pem

2.2.4. Use old certificate

This is a very critical thing because there is no standard way
to handle the old certificates. You must have appropriate
serialfile and indexfile from OpenSSL. You must import the
certificates all manually to the database which means that you
must insert the certificates with a script or something else into
your database. Please check that the columns are all set!

If you want to use RBAC it is nearly impossible to use an old
infrastructure because the role of a certificate is initiated
during the process of issuing a certificate. If you don't use
RBAC you must "only" manually import your certificates into
the table "certificate" after you initialized the database.

2.2.5. Using another Root CA

Export the request via the link on the web-interface. Copy the
certificate which you receive from the Root CA into the CA.

This is very easy because you only have to create the following
files:

/usr/local/OpenCA/cacert.pem
/usr/local/OpenCA/cacert.der
/usr/local/OpenCA/stuff/cacert.pem

(I don't know why we have two positions with the same certificate
but perhaps we fix this in the future ;-D )

3. Create initial CA-Admin

3.1. Configure Public-GW on the CA

Install the Public-GW as usual to /usr/local/RAServer
or somewhere else, but NEVER to the CA's path!

Copy the CA's DBI.conf to the Public-GW's DBI.conf. This is done
to force the Public-Gateway to use the CA's database.

Change in the Public-Gateway's public.conf the following variable:

CACert "/usr/local/OpenCA/cacert.der"

3.2. Request a certificate via Public-GW
3.3. Approve certificate Request with CA
3.4. Download certificate from Public-GW
3.5. Export certificate from browser
3.6. Import Certificate into external browser

That's all. Now you are the proud owner of a certificate of the role
"CA Admin" or whatever you choose at the web-interface of the
Public-GW.

WARNING: Please take in mind that the Public-GW on the CA should
         only be used to create the first user. The request is
         not seen on the CA!
