On Mon, Apr 25, 2005 at 05:02:13PM +0200, pierre lhostis wrote:
> Date: Mon, 25 Apr 2005 17:02:13 +0200
> From: pierre lhostis <[EMAIL PROTECTED]>
> To: [email protected]
> Reply-To: [email protected]
> Subject: [Openca-Users] RA node Interface issues
> 
> Me again again,
> 2 problems on the RA node interface :
> 
> 1. 
> Using Administration/Backup and Recovery/Recovery/Rebuild OpenSSL's
> database and next serialnumber, I have got the following error message:
> 
> "Créez des sauvegardes de index.txt et du numéro de série ...
>       /usr/local/openra921/openca/var/crypto/index.txt
>       /usr/local/openra921/openca/var/crypto/serial
> Chargement des Objets ...
>       CERTIFICAT_AC_VALIDE: 7FFFFFFF
>     Erreur 700
>      Erreur Générale The compilation of the command
> cmdRebuildOpenSSLindexDB failed. panic: array extend
> at /usr/local/openra921/openca/lib/functions/crypto-utils.lib line 369."
> 
> I only got this message with the RA of the Root CA and not with RAs
> linked with subCAs. This makes me think that there is a problem with the
> Root CA certificate. I noticed that for the self-signed Root CA
  The cause is the serial number of the self-signed root CA. The problem is
the use of sprintf/hex functions, which are overflowed by really big ints.
 
> certificate, the serial number is always 0 (first certificate signed by
> the CA) and this may be the problem because, for a subCA, the serial
> number of the subCA is never 0 but at least 1. I do not see how to avoid
> the 0 serial number to prove that it is my problem (except modifying the
> code but I am not a perl guru to say the least...).
  As there are no signs of anyone else experiencing the same problem, it makes
me think that this is Debian related. In short, Debian's openssl
generates a self-signed certificate with a very long serial (is it random?).
"Rebuild OpenSSL's database and next serialnumber" searches for the max. serial
number, increments it and writes it to a file named "serial". The number from
"serial" will be used for the next signed cert. But, as sprintf is 4 bytes wide,
very long serials cause errors.

So you have two options:
1. Apply the big-int patch; see openca-devel for more details (want to be a
beta tester? :)
2. Use serial 0 for the self-signed root CA. You need to change function
genCert in openca-0.9.2.2/src/modules/openca-openssl/OpenSSL.pm; around
line 569, change from:
    my $command = "req -x509 ";
to:
    my $command = "req -x509 -set_serial 0 ";

3rd. Leave it alone. Could anybody explain to me what the index.txt file is
needed for on the CA node?

  Best wishes

--
Alexei Chetroi

Smile... Tomorrow will be worse. (c) Murphy's Law
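
Added example, not part of the original thread and not OpenCA's code or the big-int patch mentioned above: one way to derive the next serial from index.txt with arbitrary-precision arithmetic, so a long root CA serial is handled exactly. The index.txt lines, subject names and the function name next_serial are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example (hypothetical helper, not OpenCA code): find the highest
# serial in an OpenSSL index.txt and return the next one, using
# Math::BigInt instead of native integers.
use strict;
use warnings;
use Math::BigInt;

# Constructed sample lines. index.txt fields are tab-separated:
# status, expiry, revocation date, serial (hex), file name, subject DN.
my @index = (
    "V\t150425150213Z\t\t01\tunknown\t/CN=Constructed Sub CA",
    "R\t060425150213Z\t050501120000Z\t02\tunknown\t/CN=Constructed RA operator",
    # A 72-bit serial: too wide for a native integer, so the built-in
    # hex() cannot represent it exactly.
    "V\t150425150213Z\t\tB3F1A09C44D2E7715A\tunknown\t/CN=Constructed Root CA",
);

sub next_serial {
    my @lines = @_;
    my $max = Math::BigInt->bzero();
    for my $line (@lines) {
        # Limit -1 keeps the empty revocation-date field of valid certs.
        my @f = split /\t/, $line, -1;
        next unless @f >= 6;
        my $hex = $f[3];
        # Reject anything that is not plain hex rather than guessing.
        die "malformed serial '$hex' in index\n"
            unless $hex =~ /\A[0-9A-Fa-f]+\z/;
        my $n = Math::BigInt->new("0x$hex");
        $max = $n if $n->bcmp($max) > 0;
    }
    my $next = $max->copy->binc;            # max + 1, no overflow
    my $out  = uc substr($next->as_hex, 2); # drop the "0x" prefix
    # OpenSSL expects an even number of hex digits in the serial file.
    $out = "0$out" if length($out) % 2;
    return $out;
}

print next_serial(@index), "\n";
```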

