Hi Ron, sorry for the delay but my time is really limited.
Ron Gedye wrote:
> I'm still using 0.9.1 RC4 with OpenCA::DB

Ok, let's have a look into CHANGES. I see that there were several fixes for OpenCA::DB. So we should continue with the described problems.
> Question 1) Due to an issue on my end, I now have my CSR Req. numbers out of whack in the DB's (Long Story). Currently the last valid CSR Req. was # 4896. The numbers increment properly until I issue the highest CSR req. #, then a duplicate CSR Req. # is given for the next CSR Req. For example, I approved and issued serial number 21 cert for this req. (4896). Once I approved the CSR, the next CSR also has 4896 when it should be 5152. Any ideas on how to fix this? I really don't want to start my DB over again.

We had no such problems since we moved away from hexadecimal numbers. So the best idea would be to update OpenCA by making a backup and a new installation on another computer to test it first.
> <Beg & grovel> maybe those who understand perl and this DB would be willing to provide a quick script to update the db accordingly? </Beg & grovel>

If we don't know the problem then it is really difficult to write a script to fix the database :) Ok, it's not funny for you ...
> Question 2) I cannot get the CA system to properly backup and restore the DB. (Tar files are my friend) The RA appears to work properly, but I'm a bit befuddled to know if it's because it actually is, or if I'm getting the data from an import. (sometimes running in circles with not enough time to spend un-interrupted) Any insights?

I would recommend the following things:
1. You can look into the databases (DBM-files) with the attached script.
2. Create a backup.
3. Install an actual OpenCA on another box.
4. Please check that you use a 0.9.1.1 (because of some bugs in export-import.lib).
5. Create an empty database on the new machine.
6. Try to import the backup into the new machine.
7. Restore the OpenSSL files on the new machine.
8. Check the installation.
9. Copy the private key and CA cert to the new machine.
This is the way which I use
> Question 3) What's the easiest method of upgrading to a later release? Can I simply replace the cmds, functions and libs (relying on my current config files) or must I re-compile/make/make install? I don't want to overwrite the web pages unless it's necessary.

We changed some links so it is necessary to install the web pages again too. I know how much work you need to customize these pages. I must do it every by myself for our university :(

Normally you need the following things:
- Perl-modules
- OPENCADIR/lib/
- sometimes you must update your configuration in OPENCADIR/etc/
If you read the file CHANGES in 0.9.1.1 then you get an idea what we changed in the last RCs.
> Question 4) Do later/latest releases allow for a download of server certs in .pem format rather than just .cer? The current mechanism sends an email with a link that attempts to load the cert into the browser. Wondering if now there's a distinction between Server and Browser/Email certs in the download process.

There is a difference because we try to support the different browsers with links which they can use for an automatic installation of the certificates. You can download a PEM-formatted cert if you go on the public pages to the certificate list -> click on the needed certificate and press shift before you click on the download link or use your RIGHT mouse button.
> Question 5) [other questions about OpenCA & LDAP structure I'll just have to work through for now... ]
Ok, we will wait for your and our problems ;)

Michael

P.S. I send a copy to you directly too because the answer take some time.

--
-------------------------------------------------------------------
Michael Bell                   Email (private): [EMAIL PROTECTED]
Rechenzentrum - Datacenter     Email: [EMAIL PROTECTED]
Humboldt-University of Berlin  Tel.: +49 (0)30-2093 2482
Unter den Linden 6             Fax: +49 (0)30-2093 2959
10099 Berlin
Germany                        http://www.openca.org
show_data.pl
Description: Perl program
