Craig McGregor wrote:

> Because, although the import and export procedures import the files into the
> appropriate directories in var/crypto/*, the web interface depends on the database
> to show any references to the certificate in order to issue them.
I am slowly beginning to understand what the problem is ...

You want to test OpenCA on one machine, but you want to simulate an Offline-CA and Online-RA/pub configuration, which is the default configuration of OpenCA :)

The problem is that if you install the CA and the online components with the same configure options, then they share all the common parts, especially the database configuration in OPENCADIR/etc/database/DB*.conf.

So what you need are two separate installations on one machine. You must set at minimum two different --with-openca-prefix values so that the CA and the online components have their own DBI.conf or DB.conf.

e.g.
--with-openca-prefix=/usr/local/CA/ and only use "make install-ca"
--with-openca-prefix=/usr/local/Online/ and only use "make install-ext"

The certs in var/crypto/certs/ are only there because OpenSSL writes the certs to this directory during their issuance. OpenCA ignores these directories. We only use our database(s). You can simply remove the certs in var/crypto/certs (not cacerts!) and nothing will happen.

> e.g. If I create the initial administrator on the CA and look at the SQL database:
>
> mysql> select req_key, cn, status from request;
> +---------+------------------------+---------+
> | req_key | cn                     | status  |
> +---------+------------------------+---------+
> |     256 | Craig McGregor (CA Op) | PENDING |
> +---------+------------------------+---------+
> 1 row in set (0.00 sec)
>
> So, I can issue the certificate through the web-interface.
>
> However, if I import some requests from the RA and they are not populated in
> the database,
How do you do this!? I hope that you don't use var/crypto/reqs. This directory is only for internal use. Actually, we use it only for the CA request when we initialize OpenCA. Again - the database is the core of OpenCA.

> using the web functions to issue the certificates is not possible
> because it doesn't seem the certificates are there.
>
> lib/cmds/listReqs for example has code in it that certainly depends on the information
> being contained in the database.
That's simply because OpenCA only knows the data in this database, but I think you understand our point of view now.

> It seems to be breaking when the RA Operator looks at the request and attempts
> to create the key-pair on the token, which will then create a request. For some
> reason, this works on the pub site, but not the ra site. I will look at it more
> closely, but it could be because I was not set up for signing an approval.
The sheets are the only difference between the RA and pub site. So I will check them again.

In some circumstances it might be useful to create the whole request as an RA
Operator by using the public site first. e.g. Signed e-mail to RA operator:
please create tokens for users A ([EMAIL PROTECTED]), B ([EMAIL PROTECTED]), C ([EMAIL PROTECTED]) ....
I think in this situation it is acceptable that the RA Operator goes to the pub site and starts a token request which must contain nothing.

Michael
--
-------------------------------------------------------------------
Michael Bell Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter Email: [EMAIL PROTECTED]
Humboldt-University of Berlin Tel.: +49 (0)30-2093 2482
Unter den Linden 6 Fax: +49 (0)30-2093 2959
10099 Berlin
Germany http://www.openca.org



_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
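Added example (not part of this thread and not OpenCA's own code): the reply above boils down to "the CA prefix and the online prefix must not point at the same database". The script below is a sanity check for that, run after the two "make install-ca" / "make install-ext" installations. It assumes each prefix carries etc/database/DB.conf as a plain "Key value" file with DB_Type, DB_Host and DB_Name lines; those key names, the prefixes and the sample configs are assumptions constructed here for illustration, not taken from an OpenCA installation.

```shell
#!/bin/sh
# Added example, not OpenCA code. Checks that two OpenCA prefixes
# (one from "make install-ca", one from "make install-ext") use
# different databases, by comparing their etc/database/DB.conf.
# ASSUMPTION: DB.conf is a "Key value" file with DB_Type, DB_Host,
# DB_Name. The key names are assumed, not taken from the OpenCA docs.

# db_identity PREFIX -> prints "type:host:name" from PREFIX/etc/database/DB.conf
db_identity() {
    conf="$1/etc/database/DB.conf"
    [ -r "$conf" ] || { echo "missing: $conf" >&2; return 2; }
    dbtype=$(awk '$1=="DB_Type" {print $2}' "$conf")
    dbhost=$(awk '$1=="DB_Host" {print $2}' "$conf")
    dbname=$(awk '$1=="DB_Name" {print $2}' "$conf")
    echo "$dbtype:$dbhost:$dbname"
}

# separate_dbs CA_PREFIX ONLINE_PREFIX -> 0 if the two installations use
# different databases, 1 if they share one (the misconfiguration in the thread)
separate_dbs() {
    ca=$(db_identity "$1") || return 2
    online=$(db_identity "$2") || return 2
    if [ "$ca" = "$online" ]; then
        echo "SHARED database ($ca): CA and online components are not separated" >&2
        return 1
    fi
    echo "CA uses $ca, online components use $online"
    return 0
}

# make_sample DIR NAME -> writes a constructed DB.conf under DIR (sample data,
# not a real installation) so the check can be demonstrated offline
make_sample() {
    mkdir -p "$1/etc/database"
    printf 'DB_Type mysql\nDB_Host localhost\nDB_Name %s\n' "$2" > "$1/etc/database/DB.conf"
}

SAMPLE=$(mktemp -d)
make_sample "$SAMPLE/CA" openca_ca            # stands in for /usr/local/CA
make_sample "$SAMPLE/Online" openca_online    # stands in for /usr/local/Online
make_sample "$SAMPLE/Shared" openca_ca        # online install that reuses the CA database

separate_dbs "$SAMPLE/CA" "$SAMPLE/Online"
separate_dbs "$SAMPLE/CA" "$SAMPLE/Shared" || echo "detected shared database: reinstall with a second --with-openca-prefix"
```

On a real system, point separate_dbs at the two configured prefixes instead of the constructed sample directories; a non-zero exit means the online components would see, and be able to act on, the CA's own request and certificate tables.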
