----- Original Message -----
From: "Massimiliano Pala" <[EMAIL PROTECTED]>
To: "OpenCA Users" <[EMAIL PROTECTED]>
Sent: Friday, February 01, 2002 11:09 AM
Subject: Re: [Openca-Users] Sign is needed to proceed...
> Christopher Crowley wrote:
>
> > But, if someone would be kind enough to post the procedure they used for
> > creating the certificate that they use to sign certificate requests, it
> > would be very useful to me. Perhaps that way I would be able to generate a
> > certificate that would permit me to sign requests on the server. Thanks!
>
> This procedure should be used together with the DB module, for DBI
> variants I let Michael to say what's needed to modify
Michael - Which scripts should I run for DBI?
> (it should be in your INSTALL file within the package too... ).
The install file says:
<SNIP>
3. Generating Certificates
==========================
Before being able to generate certificates through the full featured
process you need to install the CA web, RA server software and generate
RAs' browser importable certificates.
NOTE: To issue a certificate, you have to issue the
CA certificate first! So please take some time to
setup the CA web server and start from there!
To request and sign a certificate (generating either the public/private
keys pair and the signed certificate in PEM format) just use the script
provided (in the scripts directory $INSTALLED_OPENCA/bin) 'issue_certs':
$ cd bin
$ ./issue_certs.bin
</SNIP>
But that script isn't there.
>
> I know it is not so an easy procedure... we'll try to make it easier...
>
and I realize there are lots of details required to make this user friendly.
I appreciate the effort!
I have tried to do this using openssl to generate the certificates, but it
still failed.
> 1. Install the CA
> 2. Generate the CA certificate (priv key, request, etc... )
> 3. Use the script openca-newcert: this will issue a new certificate
I ran into this error while running openca-newcert:
Available extensions:
1 - User Certificate
2 - Server Certificate
3 - CA Certificate
Enter Extensions to be used (def. 1) : 1
ERROR:
/usr/local/OpenCA/Test/test1/OpenCA/conf/openssl/extfiles/User_Certificate.ext does not exists!
I tried linking User_Certificate.ext to CA_Admin.ext just to see how that
would proceed, but it doesn't work out. Is this a result of the server being
configured using DBI?
# pwd
/root/src/openca-0.9
# grep -r "User_Certificate.ext" *
scripts/openca-newcert.in: exts=$ca/conf/openssl/extfiles/User_Certificate.ext
scripts/openca-newcert.in: exts=$ca/conf/openssl/extfiles/User_Certificate.ext
scripts/openca-newcert: exts=$ca/conf/openssl/extfiles/User_Certificate.ext
scripts/openca-newcert: exts=$ca/conf/openssl/extfiles/User_Certificate.ext
> 4. Use the script openca-browserexp: this generate a .p12 file in the
> outbound directory of the installed openca
> 5. Get the .p12 certificate and install it into Netscape.
>
> NOTE: remember to install the CA certificate into Netscape or the
> issued certificate will not get correctly verified and enabled for
> signing ( export the cacertificate from the CA to the RAServer/
Also, I got stuck here.
Importing valid ca_certificate ...
9075d41d1e8a95f83821a00355ebf41a.pem updated
4781e59f20767dd25b84c97b28a0e9c8.pem updated
Importing CA-Certificates into ldap ...
Cannot write CA-Certificate 9075d41d1e8a95f83821a00355ebf41a
to LDAP
Cannot write CA-Certificate 4781e59f20767dd25b84c97b28a0e9c8
to LDAP
Make CA-Certificate available on the server ...OK.
Re-Building CA Chain ... FAILED
The LDAP problem isn't a show stopper at the moment. But this Re-Building
CA Chain seems to be causing a serious problem. I can go to the directory,
and run make, but the webserver user doesn't seem to have permissions to do
so.
Thanks for the responses!
Chris
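
The plain-OpenSSL equivalent of steps 2 to 5 in the procedure quoted above, as an added example that is not part of the original message and is not OpenCA's own scripts. The function name, file names, subject names, extension-file contents and PKCS#12 password are assumptions made for the illustration.

```shell
#!/bin/sh
# Added illustration, not OpenCA code: CA cert -> operator cert -> PKCS#12.
# Names, subjects, extension values and the password are constructed.

issue_operator_cert() {
    dir=$1
    mkdir -p "$dir" || return 1

    # Step 2: CA private key and self-signed CA certificate.
    # Keys are left unencrypted (-nodes) only because this is a throwaway CA.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
        -subj "/O=Example Test CA/CN=Example Root" \
        -keyout "$dir/ca.key" -out "$dir/ca.pem" 2>/dev/null || return 1

    # Step 3a: key pair and certificate request for the RA operator.
    openssl req -newkey rsa:2048 -nodes \
        -subj "/O=Example Test CA/CN=RA Operator" \
        -keyout "$dir/op.key" -out "$dir/op.csr" 2>/dev/null || return 1

    # Step 3b: signing reads an extension file; if it is missing the issue
    # step cannot run, so write one (assumed contents) and check it first.
    cat > "$dir/user_cert.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment
extendedKeyUsage = clientAuth, emailProtection
EOF
    [ -r "$dir/user_cert.ext" ] || { echo "extension file missing" >&2; return 1; }

    openssl x509 -req -in "$dir/op.csr" -CA "$dir/ca.pem" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 30 -extfile "$dir/user_cert.ext" \
        -out "$dir/op.pem" 2>/dev/null || return 1

    # Step 4: bundle key, certificate and CA certificate into a .p12 file
    # that a browser can import.
    openssl pkcs12 -export -inkey "$dir/op.key" -in "$dir/op.pem" \
        -certfile "$dir/ca.pem" -name "RA Operator" \
        -passout pass:example-only -out "$dir/op.p12" || return 1

    # Step 5 check: the operator certificate must chain to the CA certificate,
    # which is why the CA certificate has to be installed in the browser too.
    openssl verify -CAfile "$dir/ca.pem" "$dir/op.pem" >/dev/null
}
```

Calling `issue_operator_cert /tmp/demo-ca` leaves `op.p12` in that directory; the function returns non-zero at the first step that fails.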
