hello

regarding the LDAP problem (importing objects):

1. I've added 'schemacheck off' to slapd.conf
2. I've created the CA certificate without an email address.

now everything is imported into LDAP (CA certs, user certs, CRLs)

martin lizner
www.anect.com
czech rep.

---------- Forwarded message ----------
Date: Sun, 2 Jun 2002 14:06:02 +0200 (CEST)
From: Lizner Martin <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: openca-SNAP-20020530

hello

I've tested with ssl-0.9.7-stable-SNAP-20020507 and ssl-SNAP-20020528

openca-SNAP-20020601:

While creating initial administrator (requesting the certificate):

Error 690 Configuration Error. Missing Configuration Keyword :
DN_TYPE_basic_BODY.

apache log:

Error Trapped: Missing Configuration Keyword : DN_TYPE_basic_BODY at
/usr/local/openca_ca/lib/functions/misc-utils.lib line 20.
Compilation failed in require at /usr/local/apache/cgi-bin/ca/ca line 193.

openca-SNAP-20020530:

While creating initial administrator (issuing the certificate):

Error 700 General Error. Error while issuing Certificate to CA Operator
(file name: /usr/local/openca_ca/var/tmp/01.req ).

apache log:

organizationName      :PRINTABLE:'Anect'
organizationalUnitName:PRINTABLE:'Internet'
commonName            :PRINTABLE:'CA Operator'
serialNumber          :PRINTABLE:'01'
ERROR: adding extensions in section default
30764:error:2206D06C:X509 V3 routines:X509V3_parse_list:invalid null
name:v3_utl.c:319:
30764:error:2206B069:X509 V3 routines:X509V3_EXT_conf:invalid extension
string:v3_conf.c:138:name=subjectAltName,section=
30764:error:2206B080:X509 V3 routines:X509V3_EXT_conf:error in
extension:v3_conf.c:92:name=subjectAltName, value=
General Error Trapped 700: Error while issuing Certificate to CA
Operator<BR><BR>(file name: /usr/local/openca_ca/var/tmp/01.req ) at
/usr/local/openca_ca/lib/functions/misc-utils.lib line 38.
Compilation failed in require at /usr/local/apache/cgi-bin/ca/ca line 193.

after commenting out #subjectAltName=${ENV::subjectAltName} in
/usr/local/openca_ca/etc/openssl/extfiles/CA_Operator.ext the certificate
is issued. This does not help with openca-SNAP-20020601.

The same has to be done with RA_Operator.ext and Web_Server.ext. Is that
correct behaviour?

the rest is tested with openca-SNAP-20020530 only:

LDAP:

Checking for a special DN where to store CA-certificates ...
There is no special DN specified.
Adding valid CA-certificates to the LDAP server ...
Certificate 0 FAILED

debug listing:

update ldap - ca certificates

Checking for a special DN where to store CA-certificates ...

                    There is no special DN specified.

              Adding valid CA-certificates to the LDAP server
...Information of the Object:
              dn [EMAIL PROTECTED],CN=Anect CA,OU=PKI,O=Anect,C=CZ
              cn Anect CA
              serID 0
              email [EMAIL PROTECTED]
              ou ARRAY(0x8ac6dd0)
              o Anect
              l
              st
              c CZ
              End of the information of the Object.
              element of baseDN: o=Anect
              element of baseDN: c=CZ
              element of the inserted DN: [EMAIL PROTECTED]
              element of the inserted DN: CN=Anect CA
              element of the inserted DN: OU=PKI
              element of the inserted DN: O=Anect
              element of the inserted DN: C=CZ
              Checking RootDN of Certificate ...
              Inserted DN BaseDN
              h_basedn: CZ
              h_dn: CZ
              h_basedn_attribute: c
              h_dn_attribute: C
              h_basedn: Anect
              h_dn: Anect
              h_basedn_attribute: o
              h_dn_attribute: O
              Checking the length of the DN of the Certificate ...
              Building the missing nodes of the LDAP-tree ...
              Try to add OU=PKI,o=Anect, c=CZ ...
              LDAP Schema DN: OU=PKI,o=Anect, c=CZ
              LDAP Schema -Code
              node exists
              Try to add CN=Anect CA,OU=PKI,o=Anect, c=CZ ...
              LDAP Schema DN: CN=Anect CA,OU=PKI,o=Anect, c=CZ
              LDAP Schema -Code
              node exists
              Try to add [EMAIL PROTECTED],CN=Anect
CA,OU=PKI,o=Anect, c=CZ ...
              LDAP Schema DN: [EMAIL PROTECTED],CN=Anect
CA,OU=PKI,o=Anect, c=CZ

----

update ldap certificates

Exporting valid certificates to LDAP ...Information of the Object:
              dn serialNumber=01,CN=Anect CA
Operator,OU=Trustcenter,O=Anect,C=CZ
              cn Anect CA Operator
              serID 1
              email
              ou ARRAY(0x8ae1420)
              o Anect
              l
              st
              c CZ
              End of the information of the Object.
              element of baseDN: o=Anect
              element of baseDN: c=CZ
              element of the inserted DN: serialNumber=01
              element of the inserted DN: CN=Anect CA Operator
              element of the inserted DN: OU=Trustcenter
              element of the inserted DN: O=Anect
              element of the inserted DN: C=CZ
              Checking RootDN of Certificate ...
              Inserted DN BaseDN
              h_basedn: CZ
              h_dn: CZ
              h_basedn_attribute: c
              h_dn_attribute: C
              h_basedn: Anect
              h_dn: Anect
              h_basedn_attribute: o
              h_dn_attribute: O
              Checking the length of the DN of the Certificate ...
              Building the missing nodes of the LDAP-tree ...
              Try to add OU=Trustcenter,o=Anect, c=CZ ...
              LDAP Schema DN: OU=Trustcenter,o=Anect, c=CZ
              LDAP Schema -Code
              node exists
              Try to add CN=Anect CA Operator,OU=Trustcenter,o=Anect, c=CZ
...
              LDAP Schema DN: CN=Anect CA Operator,OU=Trustcenter,o=Anect,
c=CZ

---

update ldap crl

Loading CRL ...ldap-utils.lib: LDAP_get_crl: try to determine the newest
CRL
              ldap-utils.lib: LDAP_get_crl: check date 20020602103633
              ldap-utils.lib: LDAP_get_crl: newer crl found
              ldap-utils.lib: LDAP_get_crl: timestamp: 20020602103633
              ldap-utils.lib: LDAP_get_crl: crl:
              OpenCA::CRL=HASH(0x8ac3bb4)
              ldap-utils.lib: LDAP_get_crl: return newest crl

                    loaded CRL ea2f5ff0acb3d9f996583a87430ca18d

              Checking the configuration for a special issuer ...

                    No special issuer was specified!

              Pushing CRL ea2f5ff0acb3d9f996583a87430ca18d to LDAP
...addLDAPattribute: DN= [EMAIL PROTECTED],cn=Anect
              CA,ou=PKI,o=Anect,c=CZ
              attr: certificateRevocationList;binary
              LDAP Searchfilter: (certificateRevocationList;binary=*)
              LDAP Search Mesg-Code 32
              LDAP Search Mesg-Count 0
              Search for the attribute failed.

---

used schema:

dn: o=Anect, c=CZ
objectClass: top
objectClass: organization
o: Anect

dn: OU=PKI,o=Anect, c=CZ
objectClass: top
objectClass: organizationalUnit
ou: PKI

dn: OU=Internet,o=Anect, c=CZ
objectClass: top
objectClass: organizationalUnit
ou: Internet

dn: OU=Trustcenter,o=Anect, c=CZ
objectClass: top
objectClass: organizationalUnit
ou: Trustcenter

dn: CN=Anect CA,OU=PKI,o=Anect, c=CZ
authorityRevocationList;binary:
certificateRevocationList;binary:
cACertificate;binary:
objectClass: top
objectClass: organization
objectClass: certificationAuthority
o: Anect

---

Email:

S/MIME mails from the RA (link 'E-mail new users') cannot be read in
Outlook/Outlook Express (2000); they are decrypted only via Netscape. Are
the Microsoft clients tested? How can I inform the user about his CRIN?

CRIN:
When the correct CRIN is entered, the form asks for signing/approving. When
signed/approved it returns to the original revocation form - the request is
not added to the database. When signed/approved without the CRIN, the request
is added to the database and the certificate is suspended.

Minor bugs:

Links in certificate/signature/other lists do not work - i.e. Common Name,
email etc.

Issuer Statement (CPS) in Certificate is missing...

Certificate Test (pub): the variables' values are missing...

Certificates of others do not have the correct extension when downloaded
(i.e. certificate.crt)...

Option 'Email new users' emailed a plain text informational message - now it
has to be done certificate by certificate on the RA...

Probably an SQL/CRL error: DBD::mysql::st execute failed: You have
an error in your SQL syntax near 'select MAX (submit_date) from crl)' at
line 1 at /usr/lib/perl5/site_perl/5.6.1/OpenCA/DBI.pm line 3079.

Whenever the objects are exported/imported from the CA/RA to floppy it deals
with all objects - i.e. certificates - is that ok when dealing with many
certificates?

regards,

martin lizner
www.anect.com
czech rep.
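The subjectAltName failure above comes from an extension file whose ${ENV::...} reference expands to nothing, so OpenSSL's X509V3 list parser sees an empty value and reports "invalid null name". As an added example that is not part of the original post or of OpenCA, this script pre-checks an extension file for ${ENV::var} references that would expand empty before the CA runs openssl; the sample extfile text and environment dictionaries are constructed.

```python
import re

# Constructed sample modelled on the CA_Operator.ext failure reported above:
# OpenCA leaves subjectAltName to be filled from the environment.
SAMPLE_EXTFILE = """\
basicConstraints=CA:FALSE
keyUsage=digitalSignature,keyEncipherment
subjectAltName=${ENV::subjectAltName}
# crlDistributionPoints is commented out and must be ignored
# crlDistributionPoints=${ENV::crlDistributionPoints}
nsComment=${ENV::nsComment}
"""

ENV_REF = re.compile(r"\$\{ENV::([A-Za-z0-9_]+)\}")


def find_empty_env_extensions(extfile_text, environ):
    """Return (extension_name, env_var) pairs whose ${ENV::var} reference
    would expand to an empty value under the given environment.

    An empty expansion leaves the extension with no value; for
    subjectAltName OpenSSL's X509V3_parse_list then fails with
    "invalid null name", which is the error seen in the apache log."""
    problems = []
    for raw in extfile_text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line or "=" not in line:
            continue
        name, value = (part.strip() for part in line.split("=", 1))
        for var in ENV_REF.findall(value):
            if not environ.get(var, "").strip():
                problems.append((name, var))
    return problems


def check_before_issue(extfile_text, environ):
    """True when every environment reference in the extfile has a value,
    i.e. it is safe to hand the file to openssl for issuing."""
    return not find_empty_env_extensions(extfile_text, environ)


if __name__ == "__main__":
    for ext, var in find_empty_env_extensions(SAMPLE_EXTFILE, {}):
        print(f"{ext}: ${{ENV::{var}}} expands to empty, issuing would fail")
```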

_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
