After quite a few hours I have solved the problem; it's all about the certificates & settings on your web server.

Here's the fix... (assuming apache...)

Download the initial webserver cert using the pin phrase used during the initial request; this should have been the third cert you issued during the CA setup (CA, Admin, webserver). (Get it from /ra/ -display certs- if I recall correctly [you have exported/imported to the RA, right?], although you could do it from the CA as well.)

The file contains two parts, a cert and a private key. Put the cert portion into the (/usr/local/apache/)conf/ssl.crt/server.crt file (new file) and the private key into ../conf/ssl.key/server.key (new file).

Remove all (default) files other than Makefile & server.crt from the ssl.crt dir.

Type make while in this dir. (If you get errors, you haven't moved the (default) files out of the way (like ca-bundle.crt).)

In your httpd.conf file, point the SSLCACertificateFile tag to the (/usr/local/OpenCA)/var/crypto/cacerts/cacert.pem file (again, you have imported, right?).

With this setup, you can leave the apache defaults in place for the server.crt & key files.

Restart apache & POOF, everything works.

This assumes that you only want your web server to recognize only your CA as the only acceptable CA (which is my setup).

As a result of an all-nighter, I am now up and running completely; even full access control based on the client certificate O & OU values (thus my RA mgmnt functions are protected/restricted ...).

I probably should have used the initial RA admin pair, but I'm planning on using it on the RA Server itself (think that's the purpose - still poking around).

Just have to fix that CRL-Serial number-non incrementing thing that I saw a post about sometime last week or so.

((Still have to test signing the approval from the RA yet, but I have a hunch it'll work ok.))

Best to you, & thanks for the initial reply.

Ron

Chris Covell wrote:
> Ron, I get exactly the same error.
>
> My request was generated by Netscape 6.2.1 using SPKAC. I am also using the
> same browser pointing to the RA screens to approve the certificate.
>
> I have checked the Request Data and I think all the fields are complete (the
> last time I got an error like this was because the sub alt name was missing),
> here is the data:
>
> Variable                    Value
> Request Version:            1
> Serial Number:              4128
> Request Type:               SPKAC
> Common Name:                Chris Covell
> E-Mail:                     [EMAIL PROTECTED]
> Subject Alternative Name:   email:[EMAIL PROTECTED]
> Role:                       RA Operator
> Distinguished Name:         serialNumber=cert's serial, CN=Chris Covell, OU=Employees, O=Myorg, C=GB
> Approved on:                n/a
> Used Identification PIN:    f75ce18ca04ac0405a3b7b8b6ad75c1668c815b6
> Modulus (key size):         1024
> Public Key Algorithm:       rsaEncryption
> Public Key:
> -----BEGIN PUBLIC KEY-----
> MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDdyxH2Py2/feBFbvKd27Hu6mhZ
> YxM8gosSIMIU8t1tzfWk+mohnqxBk0c8cCbwDT5Or0Zvm9onPb4ElxiAe3ML41TM
> xwQuvq8D1V+Qrq+x6QFntR7NQwd9Wr8rWIOViScQyms3tTwOMuUXbbvCJ2iJdgnn
> 8FWmdOv2kn8y6lzn/QIDAQAB
> -----END PUBLIC KEY-----
> Signature Algorithm:        md5WithRSAEncryption
>
> Could it be anything to do with the DN with the serial number=cert serial
> rather than a serial number, or is the number inserted later when the
> certificate is signed...
>
> I am at a loss.
>
> Chris...
>
>>I am still getting the same error:
>>
>>Can't call method "getRDNs" on an undefined value at
>>/usr/lib/perl5/site_perl/5.6.1/OpenCA/REQ.pm line 543.
>>Compilation failed in require at /home/httpd/cgi-ra/ra line 213
>>
>>when trying to sign and approve a CSR created by a Netscape Client via an
>>IE RA certificate. (w2k, IE 5.5 sp2, capicom.dll installed & registered)
>>
>>This is the only error, nothing is returned on the web interface, the CSR
>>remains pending.
>>
>>Does anyone have a solution to this????
>>
>>Thanks in advance
>>Ron
>>
>>On Monday 09 September 2002 07:35 pm, Ron Gedye wrote:
>>
>>>I have nearly the same error using Netscape. (using 9.1 [RC4?])
>>>
>>>Can't call method "getRDNs" on an undefined value at
>>>/usr/lib/perl5/site_perl/5.6.1/OpenCA/REQ.pm line 543.
>>>Compilation failed in require at /home/httpd/cgi-ra/ra line
>>>213.
>>>
>>>Any pointers??
>>>
>>>No problems with IE.
>>>
>>>----- Original Message -----
>>>From: "Chris Covell" <[EMAIL PROTECTED]>
>>>To: "OpenCA" <[EMAIL PROTECTED]>
>>>Sent: Monday, September 09, 2002 4:54 PM
>>>Subject: [Openca-Users] Netscape and IE5
>>>
>>>Guys,
>>>
>>>two queries...
>>>
>>>Firstly, I am creating a certificate using the Netscape request. It all
>>>seems to go fine until as the RA I go to approve the request. I then get a
>>>blank RA screen and the web server error:
>>>
>>>Can't call method "getRDNs" on an undefined value at
>>>/usr/local/openca.0.9.0/modules/perl5/OpenCA/REQ.pm line 538.
>>>Compilation failed in require at /usr/local/httpd/cgi-bin/ra/RAServer
>>>line 213.
>>>
>>>I have checked the request and all the fields are filled in (apart from
>>>the "Approved on" field !).
>>>
>>>Any ideas ?
>>>
>>>Second, I am creating a certificate using IE5 on Windose98 using the IE
>>>request. This does not get very far and I receive a "Error on Page" error
>>>when submitting the request from the users browser. No errors in apache
>>>error log.
>>>
>>>Again, pointers would be helpful.
>>>
>>>Many thanks
>>>
>>>Chris...
>>>
>>>_______________________________________________
>>>Openca-Users mailing list
>>>[EMAIL PROTECTED]
>>>https://lists.sourceforge.net/lists/listinfo/openca-users
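The certificate/key split described in the first message of this thread, as an added example that is not part of the original post or of OpenCA. The function name `split_pem` and its two arguments are hypothetical; it assumes the downloaded file is PEM-encoded and holds exactly one certificate and one private key.

```shell
#!/bin/sh
# Split a combined PEM export (certificate + private key) into the two files
# mod_ssl reads. split_pem is a hypothetical helper name, not OpenCA tooling.
# Usage: split_pem webserver.pem /usr/local/apache/conf

split_pem() {
    in=$1      # combined PEM file downloaded from the RA/CA
    conf=$2    # Apache conf dir containing ssl.crt/ and ssl.key/
    crt="$conf/ssl.crt/server.crt"
    key="$conf/ssl.key/server.key"

    [ -r "$in" ] || { echo "cannot read $in" >&2; return 1; }

    # Count PEM blocks first: refuse anything but one cert and one key,
    # so a CA bundle or a key-less export is never installed by mistake.
    ncrt=$(awk '/^-----BEGIN CERTIFICATE-----/{n++} END{print n+0}' "$in")
    nkey=$(awk '/^-----BEGIN .*PRIVATE KEY-----/{n++} END{print n+0}' "$in")
    if [ "$ncrt" -ne 1 ] || [ "$nkey" -ne 1 ]; then
        echo "expected 1 certificate and 1 private key, got $ncrt and $nkey" >&2
        return 1
    fi

    mkdir -p "$conf/ssl.crt" "$conf/ssl.key" || return 1

    # Write the key under a restrictive umask so it is never created
    # world-readable, then force the mode in case the file already existed.
    ( umask 077
      awk '/^-----BEGIN .*PRIVATE KEY-----/{p=1} p{print}
           /^-----END .*PRIVATE KEY-----/{p=0}' "$in" > "$key" ) || return 1
    chmod 600 "$key" || return 1

    # The certificate is public; only the BEGIN/END CERTIFICATE block is kept.
    awk '/^-----BEGIN CERTIFICATE-----/{p=1} p{print}
         /^-----END CERTIFICATE-----/{p=0}' "$in" > "$crt" || return 1
    chmod 644 "$crt"
}
```

Before restarting Apache, `openssl x509 -noout -modulus -in server.crt` and `openssl rsa -noout -modulus -in server.key` should print the same modulus; a mismatch means the key does not belong to the certificate.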
