So my questions are:
Is the procedure to do this correct? Is there a bug in importCACert? What am I doing wrong?
You do nothing wrong. It looks like a bug in importCACert. I attached the version from the CVS HEAD. Perhaps we (or better I) forgot to backport it to openca_0_9_1. So please report the result.
Concerning Windows I did the same except that my request comes from a Windows CA. Here again I had no problems to issue the certificate, but the import of the cacert.pem file also fails (with a message telling that there was an error reading the file). I tried to convert the cacert.pem file to another format to make it importable by Windows (Windows expects a .crt or a pkcs7 file) but also this failed. Is it possible to do such conversions?
Is there someone who has a working hierarchy with openCA and windows?
Yes, we used it to test Microsoft smartcard login with user certificates from OpenCA via a Citrix MetaFrame XP FR2. You need the MS CA because the domain controllers need a cert from a MS Enterprise CA. crt is pem, cer is der. You can use a trick:
- go to public interface with IE
- search the appropriate cert via certificates --> valid
- view the cert
- download it via a simple click
- export it from your IE in the format you need (so Microsoft does the conversion itself)
Greetings Michael

--
-------------------------------------------------------------------
Michael Bell                          Email: [EMAIL PROTECTED]
ZE Computer- und Medienservice        Tel.: +49 (0)30-2093 2482
(Computing Centre)                    Fax:  +49 (0)30-2093 2704
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin                          Email (private): [EMAIL PROTECTED]
Germany                               http://www.openca.org
## OpenCA - CA Command
## (c) 2001 by OpenCA Group
##
## File Name: importCACert
## Brief: Imports CA Certificate
## Description: Imports Signed CA Certificate from parent CA
## Parameters: none
## Cfg Keyword: UnpackArchive, ImportDev, opencadir
sub cmdImportCACert {
    ## To import the CA certificate we use the same import device as the
    ## one used for the certificates (is there any reason for not doing so ?)

    ## Get required parameters from the configuration file
    my $cmd     = getRequired( 'EXPORT_IMPORT_LOCAL_IMPORT' );
    my $orig    = getRequired( 'EXPORT_IMPORT_LOCAL_DEVICE' );
    my $makeCmd = getRequired( 'MakePath' );

    ## Other reserved variables
    my $cacertFile = getRequired( 'CACertificate' );
    my $cacertDER  = getRequired( 'CACertificateDER' );
    my $cacertCRT  = getRequired( 'CACertificateCRT' );
    my $cacertTXT  = getRequired( 'CACertificateTXT' );
    my $chainDir   = getRequired( 'ChainDir' );
    my $certDir    = getRequired( 'CACertDir' );

    print startLogPage("Importing CA Certificate");

    ## Fill the device and destination placeholders of the import command
    $cmd = $query->subVar( $cmd, '@__DEVICE__@', $orig );
    $cmd = $query->subVar( $cmd, '@__DEST__@',   $certDir );

    ## If there is already a cacertfile, then we should move it to .old
    if ( -e "$cacertFile" ) {
        $tools->moveFiles( SRC  => $cacertFile,
                           DEST => $cacertFile.".${$}_old" );
        $msg = i18nGettext( "Old certificate file is __FILE__.",
                            "__FILE__", "$cacertFile.${$}_old" );
    }
    ## Derived files are regenerated below, so drop stale copies
    unlink( "$cacertDER" ) if ( -e "$cacertDER" );
    unlink( "$cacertTXT" ) if ( -e "$cacertTXT" );

    print addLogSection(gettext("Importing CA Certificate into filesystem ... "));
    my $ret = `$cmd 2>&1`;
    if ( $? != 0 ) {
        print addErrorLog( i18nGettext( "Importing CA Certificate Failed from __DEVICE__!",
                                        "__DEVICE__", $orig ) );
        closePage();
        return undef;
    }
    print addLogLine(gettext("Ok."));
    print addPreLogLine( $ret );
    print closeLogSection();

    print addLogSection(gettext("Importing CA Certificate to dB ... "));

    ## Create the DER and the human readable TXT form of the imported PEM cert
    $cryptoShell->dataConvert( DATATYPE => CERTIFICATE,
                               INFILE   => $cacertFile,
                               OUTFILE  => $cacertDER,
                               OUTFORM  => "DER" );
    configError( "<BR>".gettext("Error (1) while converting certificate")."<BR>" )
        if ( $? != 0 );

    $cryptoShell->dataConvert( DATATYPE => CERTIFICATE,
                               INFILE   => $cacertFile,
                               OUTFILE  => $cacertTXT,
                               OUTFORM  => "TXT" );
    configError( "<BR>".gettext("Error (2) while converting certificate")."<BR>" )
        if ( $? != 0 );

    $crt = new OpenCA::X509( SHELL => $cryptoShell, INFILE => "$cacertFile" );
    if ( not $crt ) {
        configError( "<BR>".i18nGettext( "Error while loading CA certificate (__FILE__).",
                                         "__FILE__", $cacertFile ) );
    } else {
        ##// Let's link to the chain dir
        $tools->copyFiles( SRC  => "$cacertFile",
                           DEST => "$cacertCRT" );
        ##// Let's make the links for chain verification
        $ret = `cd ${chainDir}; $makeCmd`;

        ## Try INSERT first; if the CA cert is already present, UPDATE it instead
        if ( not $db->storeItem( DATATYPE => "VALID_CA_CERTIFICATE",
                                 OBJECT   => $crt,
                                 MODE     => "INSERT" ) ) {
            if ( not $db->storeItem( DATATYPE => "VALID_CA_CERTIFICATE",
                                     OBJECT   => $crt,
                                     MODE     => "UPDATE" ) ) {
                configError( gettext("Error while storing CA cert to dB!") );
            }
        }
    }
    print addLogLine( gettext("Ok.") );
    print addPreLogLine( $crt->getTXT() );
    print addPreLogLine( $ret );
    print closeLogSection();

    closePage();
    return 1;
}

1;
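The ".crt is PEM, .cer is DER" distinction Michael points out above is the whole conversion problem the earlier question asks about; the following converter is an added example (not code from the thread or from OpenCA) that detects which form a file is in and produces the other one, so a cacert.pem can be handed to Windows as a DER .cer without going through IE. The sample DER blob is a constructed stand-in (a five-byte ASN.1 SEQUENCE), not a real certificate; a PKCS#7 bundle would still need `openssl crl2pkcs7 -nocrl -certfile cacert.pem`.

```python
import base64
import re

# PEM armour: BEGIN/END lines around base64, possibly preceded by text
# (e.g. the output of "openssl x509 -text" keeps the PEM block at the end).
PEM_RE = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def is_pem(data: bytes) -> bool:
    """True if the data contains a PEM block (.pem / .crt on Windows)."""
    return PEM_RE.search(data) is not None


def is_der(data: bytes) -> bool:
    """DER certificates start with the ASN.1 SEQUENCE tag 0x30 (.cer on Windows)."""
    return len(data) > 0 and data[0] == 0x30


def pem_to_der(pem: bytes) -> bytes:
    """Take the first CERTIFICATE block and base64-decode its body."""
    m = PEM_RE.search(pem)
    if m is None or m.group(1) != b"CERTIFICATE":
        raise ValueError("no CERTIFICATE block found")
    body = re.sub(rb"\s+", b"", m.group(2))
    return base64.b64decode(body, validate=True)


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER in PEM armour with the usual 64-column base64 lines."""
    if not is_der(der):
        raise ValueError("input does not start with an ASN.1 SEQUENCE")
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


def convert_for_windows(data: bytes):
    """Return (file suffix, bytes) of the opposite encoding: PEM -> .cer, DER -> .crt."""
    if is_pem(data):
        return ".cer", pem_to_der(data)
    if is_der(data):
        return ".crt", der_to_pem(data)
    raise ValueError("file is neither PEM nor DER")


# Constructed stand-in for a certificate's DER encoding: SEQUENCE { INTEGER 5 }.
# A real cacert.pem decodes to a far longer SEQUENCE, but starts with the same tag.
SAMPLE_DER = bytes.fromhex("3003020105")
SAMPLE_PEM = der_to_pem(SAMPLE_DER)
```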
