Hi again,

Yes, you can generate key pairs on tokens and request certificates for them with openCA. You have to use the pub interface and either Netscape or IE Request and select the device you want to use. You select the crypto device on the second page after clicking on continue, so you still have to input a PIN but it won't be needed. E.g. when doing an IE request you select the installed CSP in the dropdown menu.
openCA doesn't care about the device you use and doesn't need any drivers, just the client which does the request needs the correct drivers for the token. I've done countless requests using GemPlus smartcards in IE 6 on win2000 and it always worked fine.

The option you tried (Token Request) isn't used for client side token requests. Basic Requests are always CA side (software) key generation. We use that for encryption keys so we always have a private key backup on the ca in case the smartcard dies or is lost.

-Robert

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Barbara Post
Sent: Wednesday, 10 December 2003 11:02
To: [EMAIL PROTECTED]
Subject: RE : [Openca-Users] Download certificate onto token

Thanks Robert, this helped.

Now the question is: will I be able to generate the private key onto the token when generating a certificate request? I use a USB token called ActivKey, but will use various ones in the future. I can access it with Netscape 7.1. I can import a PKCS#12 certificate through Netscape 7.1 (which has the right module installed): I am prompted to enter PIN code to access the token, then certificate private key password.

When I try, through /pub, to "Request a hardware token from the registration authority" I get "Error 690 - Configuration Error. Missing Configuration Keyword : DN_TYPE_token_KEYGEN_MODE."

Indeed, in ca.conf, ra.conf and pub.conf I have only DN_TYPE_IE_KEYGEN_MODE, DN_TYPE_SPKAC_KEYGEN_MODE, DN_TYPE_BASIC_KEYGEN_MODE. So how do I configure this and what should the associated page designed by "DN_TYPE_TOKEN_KEYGEN_SHEET" contain? Do I miss some module installation to be able to correctly "talk" to the token through standardized API?

Thank you again.
Barbara Post

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Robert Esterer
Sent: Wednesday, 10 December 2003 09:38
To: [EMAIL PROTECTED]
Subject: AW: [Openca-Users] Download certificate onto token

Hi Barbara,

As far as I know "download certificate onto token" only works with Netscape/Mozilla. I always use "Get Requested Certificate" in pub with IE. Did you generate the key on the token or on the ca? If you did the latter then just download it as pkcs#12 file and import key + certificate using mozilla.

Debug for the CA can be activated in cgi-bin/ca/ca. Just search for DEBUG and set it to 1, that'll activate all debug output for any CA activity. But beware, turning debug on prevents you from downloading files, or at least it did to me.

Hope this helps,
-Robert

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Barbara Post
Sent: Tuesday, 9 December 2003 17:56
To: [EMAIL PROTECTED]
Subject: [Openca-Users] Download certificate onto token

Hi,

What configuration should I check to be able to make "download certificate onto token" work? I use openca 0.9.1.3 on FreeBSD 5.1, and client-side Internet Explorer 6 SP1 which says "Internal Server Error The server encountered an internal error or misconfiguration and was unable to complete your request." but Apache's log doesn't help, Mozilla Firebird 0.7 which doesn't say anything, and a USB token, whose drivers are installed on my computer. The direct handling of generated certificate to the token is critical for my project. (I'll remove the option of direct download.)

Apache's SSL access log says:

[09/Dec/2003:18:25:47 +0100] 192.168.1.38 - - "POST /cgi-bin/ca/ca?cmd=viewCert&dataType=VALID_CERTIFICATE&key=1 HTTP/1.1" 684 (with IE)
[09/Dec/2003:18:45:05 +0100] 192.168.1.38 - - "POST /cgi-bin/ca/ca?cmd=viewCert&dataType=VALID_CERTIFICATE&key=1 HTTP/1.1" 1891 (with Firebird)

How can I enable debug for openCA please?
(where in which configuration file?). I don't have any logs for openCA...

Since I have installed CA and RA on the same machine, I have initialized CA but not RA, and am in the final step of producing CA operator certificate, which I want to put on a security token like every future certificate. I am not sure whether RA works ok, however. How to check it?

Thanks a lot for your help.

Barbara Post

-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program. Does SourceForge.net help you be more productive? Does it help you create better code? SHARE THE LOVE, and help us help YOU! Click Here: http://sourceforge.net/donate/
_______________________________________________
Openca-Users mailing list
[EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/openca-users
